Add tls to Postgresql
This PS provides the capability to enable tls for the Postgresql chart. Change-Id: Ie1ebd693dbf23f98bef832e3c57defe3a4e026bd
This commit is contained in:
parent
1e892660d0
commit
ce9d420ee5
@ -15,7 +15,7 @@ apiVersion: v1
|
||||
appVersion: v9.6
|
||||
description: OpenStack-Helm PostgreSQL
|
||||
name: postgresql
|
||||
version: 0.1.7
|
||||
version: 0.1.8
|
||||
home: https://www.postgresql.org
|
||||
sources:
|
||||
- https://github.com/postgres/postgres
|
||||
|
14
postgresql/templates/certificates.yaml
Normal file
14
postgresql/templates/certificates.yaml
Normal file
@ -0,0 +1,14 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
{{- if .Values.manifests.certificates -}}
|
||||
{{ dict "envAll" . "service" "postgresql" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
|
||||
{{- end -}}
|
@ -149,6 +149,13 @@ spec:
|
||||
/bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} {{ .Values.storage.mount.path }};
|
||||
/bin/chmod 700 {{ .Values.storage.mount.path }};
|
||||
/bin/chmod 700 {{ .Values.storage.mount.path }}/*;
|
||||
{{- if .Values.manifests.certificates }}
|
||||
/bin/cp /server_certs_temp/* /server_certs/.;
|
||||
/bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} /server_certs;
|
||||
/bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} /server_certs/*;
|
||||
/bin/chmod 700 /server_certs;
|
||||
/bin/chmod 600 /server_certs/*;
|
||||
{{- end }}
|
||||
{{ dict "envAll" $envAll "application" "server" "container" "set_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
|
||||
volumeMounts:
|
||||
- name: pod-tmp
|
||||
@ -156,6 +163,14 @@ spec:
|
||||
- name: postgresql-data
|
||||
mountPath: {{ .Values.storage.mount.path }}
|
||||
subPath: {{ .Values.storage.mount.subpath }}
|
||||
{{- if .Values.manifests.certificates }}
|
||||
- name: server-certs
|
||||
mountPath: /server_certs
|
||||
# server-cert-temp mountpoint is temp storage for secrets. We copy the
|
||||
# secrets to server-certs folder and set owner and permissions.
|
||||
# This is needed because the secrets are always created readonly.
|
||||
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.postgresql.tls.server.internal "path" "/server_certs_temp" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
|
||||
{{- end }}
|
||||
containers:
|
||||
- name: postgresql
|
||||
{{ tuple $envAll "postgresql" | include "helm-toolkit.snippets.image" | indent 10 }}
|
||||
@ -234,6 +249,10 @@ spec:
|
||||
mountPath: /tmp/archive_cleanup.sh
|
||||
subPath: archive_cleanup.sh
|
||||
readOnly: true
|
||||
{{- end }}
|
||||
{{- if .Values.manifests.certificates }}
|
||||
- name: server-certs
|
||||
mountPath: /server_certs
|
||||
{{- end }}
|
||||
volumes:
|
||||
- name: pod-tmp
|
||||
@ -247,6 +266,11 @@ spec:
|
||||
secret:
|
||||
secretName: postgresql-bin
|
||||
defaultMode: 0555
|
||||
{{- if .Values.manifests.certificates }}
|
||||
- name: server-certs
|
||||
emptyDir: {}
|
||||
{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.postgresql.tls.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
|
||||
{{- end }}
|
||||
- name: postgresql-etc
|
||||
configMap:
|
||||
name: postgresql-etc
|
||||
|
@ -303,6 +303,11 @@ conf:
|
||||
max_worker_processes: '10'
|
||||
port: '5432'
|
||||
shared_buffers: '2GB'
|
||||
ssl: 'off'
|
||||
ssl_cert_file: '/server_certs/tls.crt'
|
||||
ssl_ca_file: '/server_certs/ca.crt'
|
||||
ssl_key_file: '/server_certs/tls.key'
|
||||
ssl_ciphers: 'TLSv1.2:!aNULL'
|
||||
tcp_keepalives_idle: '900'
|
||||
tcp_keepalives_interval: '100'
|
||||
timezone: 'UTC'
|
||||
@ -340,6 +345,9 @@ secrets:
|
||||
exporter: postgresql-exporter
|
||||
audit: postgresql-audit
|
||||
backup_restore: postgresql-backup-restore
|
||||
tls:
|
||||
server:
|
||||
internal: postgresql-tls-direct
|
||||
identity:
|
||||
admin: keystone-admin-user
|
||||
postgresql: postgresql-backup-user
|
||||
@ -441,6 +449,7 @@ endpoints:
|
||||
internal: 5000
|
||||
|
||||
manifests:
|
||||
certificates: false
|
||||
configmap_bin: true
|
||||
configmap_etc: true
|
||||
job_image_repo_sync: true
|
||||
|
26
postgresql/values_overrides/tls.yaml
Normal file
26
postgresql/values_overrides/tls.yaml
Normal file
@ -0,0 +1,26 @@
|
||||
---
|
||||
conf:
|
||||
postgresql:
|
||||
ssl: 'on'
|
||||
pod:
|
||||
security_context:
|
||||
server:
|
||||
container:
|
||||
perms:
|
||||
readOnlyRootFilesystem: false
|
||||
postgresql:
|
||||
runAsUser: 0
|
||||
allowPrivilegeEscalation: true
|
||||
readOnlyRootFilesystem: false
|
||||
endpoints:
|
||||
postgresql:
|
||||
host_fqdn_override:
|
||||
default:
|
||||
tls:
|
||||
secretName: postgresql-tls-direct
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
kind: ClusterIssuer
|
||||
manifests:
|
||||
certificates: true
|
||||
...
|
Loading…
Reference in New Issue
Block a user