From ce9d420ee53618109bea464d8c162449810a83fb Mon Sep 17 00:00:00 2001
From: "anthony.bellino"
Date: Thu, 24 Sep 2020 21:09:19 +0000
Subject: [PATCH] Add tls to Postgresql

This PS provides the capability to enable tls for the Postgresql chart.

Change-Id: Ie1ebd693dbf23f98bef832e3c57defe3a4e026bd
---
 postgresql/Chart.yaml | 2 +-
 postgresql/templates/certificates.yaml | 14 ++++++++++++++
 postgresql/templates/statefulset.yaml | 24 ++++++++++++++++++++++++
 postgresql/values.yaml | 9 +++++++++
 postgresql/values_overrides/tls.yaml | 26 ++++++++++++++++++++++++++
 5 files changed, 74 insertions(+), 1 deletion(-)
 create mode 100644 postgresql/templates/certificates.yaml
 create mode 100644 postgresql/values_overrides/tls.yaml

diff --git a/postgresql/Chart.yaml b/postgresql/Chart.yaml
index c11a455ae..a4954b6a3 100644
--- a/postgresql/Chart.yaml
+++ b/postgresql/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v9.6
 description: OpenStack-Helm PostgreSQL
 name: postgresql
-version: 0.1.7
+version: 0.1.8
 home: https://www.postgresql.org
 sources:
 - https://github.com/postgres/postgres
diff --git a/postgresql/templates/certificates.yaml b/postgresql/templates/certificates.yaml
new file mode 100644
index 000000000..199c81bd5
--- /dev/null
+++ b/postgresql/templates/certificates.yaml
@@ -0,0 +1,14 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+ http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "postgresql" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
diff --git a/postgresql/templates/statefulset.yaml b/postgresql/templates/statefulset.yaml
index 082725197..7472cf4de 100644
--- a/postgresql/templates/statefulset.yaml
+++ b/postgresql/templates/statefulset.yaml
@@ -149,6 +149,13 @@ spec:
 /bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} {{ .Values.storage.mount.path }};
 /bin/chmod 700 {{ .Values.storage.mount.path }};
 /bin/chmod 700 {{ .Values.storage.mount.path }}/*;
+{{- if .Values.manifests.certificates }}
+ /bin/cp /server_certs_temp/* /server_certs/.;
+ /bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} /server_certs;
+ /bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} /server_certs/*;
+ /bin/chmod 700 /server_certs;
+ /bin/chmod 600 /server_certs/*;
+{{- end }}
 {{ dict "envAll" $envAll "application" "server" "container" "set_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
 volumeMounts:
 - name: pod-tmp
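Review bot: The `chown`/`chmod 600 /server_certs/*` sequence added to the set_volume_perms script exists to satisfy PostgreSQL's rule that `ssl_key_file` must be mode 0600 and owned by the server user (or root-owned 0640 on newer releases), otherwise the server refuses to start, but nothing in the hunk says so and the same 0600 is applied to `tls.crt` and `ca.crt`, which are public material. Add a comment above the `{{- if }}`: `# PostgreSQL refuses to load ssl_key_file unless it is 0600 and owned by the server user; the Secret mount is read-only, so copy it here and fix ownership/mode`. Note also that `/bin/cp /server_certs_temp/*` leaves the glob literal when the mount is empty and cp then fails; whether that aborts the init container depends on the script's `set -e`, which is outside this hunk, as is the init container's own security context that lets it chown at all. The script body begins before and continues after the hunk.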
@@ -156,6 +163,14 @@ spec:
 - name: postgresql-data
 mountPath: {{ .Values.storage.mount.path }}
 subPath: {{ .Values.storage.mount.subpath }}
+{{- if .Values.manifests.certificates }}
+ - name: server-certs
+ mountPath: /server_certs
+ # server-cert-temp mountpoint is temp storage for secrets. We copy the
+ # secrets to server-certs folder and set owner and permissions.
+ # This is needed because the secrets are always created readonly.
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.postgresql.tls.server.internal "path" "/server_certs_temp" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
 containers:
 - name: postgresql
 {{ tuple $envAll "postgresql" | include "helm-toolkit.snippets.image" | indent 10 }}
@@ -234,6 +249,10 @@ spec:
 mountPath: /tmp/archive_cleanup.sh
 subPath: archive_cleanup.sh
 readOnly: true
+{{- end }}
+{{- if .Values.manifests.certificates }}
+ - name: server-certs
+ mountPath: /server_certs
 {{- end }}
 volumes:
 - name: pod-tmp
@@ -247,6 +266,11 @@ spec:
 secret:
 secretName: postgresql-bin
 defaultMode: 0555
+{{- if .Values.manifests.certificates }}
+ - name: server-certs
+ emptyDir: {}
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.postgresql.tls.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
 - name: postgresql-etc
 configMap:
 name: postgresql-etc
diff --git a/postgresql/values.yaml b/postgresql/values.yaml
index bd949c483..b012e2410 100644
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@@ -303,6 +303,11 @@ conf:
 max_worker_processes: '10'
 port: '5432'
 shared_buffers: '2GB'
+ ssl: 'off'
+ ssl_cert_file: '/server_certs/tls.crt'
+ ssl_ca_file: '/server_certs/ca.crt'
+ ssl_key_file: '/server_certs/tls.key'
+ ssl_ciphers: 'TLSv1.2:!aNULL'
 tcp_keepalives_idle: '900'
 tcp_keepalives_interval: '100'
 timezone: 'UTC'
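Review bot: The `server-certs` mount added to the postgresql container is read-write, while the `archive_cleanup.sh` mount directly above it in the same hunk is `readOnly: true`; the server only ever reads the key, certificate and CA file, and since `/server_certs` is a volume shared with the init container there is no reason the database process should be able to rewrite the CA that `ssl_ca_file` points at. Add `readOnly: true` under `mountPath: /server_certs` so the key material is immutable from the server's side. The containers list continues outside the hunk.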
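Review bot: `emptyDir: {}` backs `/server_certs` with the node's disk, so the private key the init container copies into it is written in plaintext to the kubelet pod directory, whereas the Secret volume it is copied from is tmpfs. Declare the volume as `emptyDir:` / `  medium: Memory` so the copied key never touches disk; if the `helm-toolkit.snippets.tls_volume` snippet (not visible here) accepted a `defaultMode`, the copy step could arguably be dropped altogether. The volumes list continues outside the hunk.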
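Review bot: `ssl: 'on'` (set by the tls override) only makes TLS available; PostgreSQL still accepts cleartext connections for any `host` rule in pg_hba.conf, and setting `ssl_ca_file` verifies a client certificate only if one is presented, so nothing here enforces encryption or client authentication. Enforcement needs `hostssl` rules (plus `hostnossl ... reject`, and `clientcert=1` where mutual TLS is wanted) in `conf.pg_hba`, which this patch does not touch; at minimum a comment next to `ssl:` such as `# ssl=on does not force TLS; restrict pg_hba to hostssl entries to reject cleartext` would keep operators from assuming otherwise. `ssl_ciphers: 'TLSv1.2:!aNULL'` is an OpenSSL cipher list rather than a protocol floor: it happens to exclude suites usable by TLS 1.0/1.1 but still admits non-forward-secret RSA key exchange, so something like `ssl_ciphers: 'ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL'` with a one-line rationale would be clearer about intent.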
@@ -340,6 +345,9 @@ secrets:
 exporter: postgresql-exporter
 audit: postgresql-audit
 backup_restore: postgresql-backup-restore
+ tls:
+ server:
+ internal: postgresql-tls-direct
 identity:
 admin: keystone-admin-user
 postgresql: postgresql-backup-user
@@ -441,6 +449,7 @@ endpoints:
 internal: 5000
 
 manifests:
+ certificates: false
 configmap_bin: true
 configmap_etc: true
 job_image_repo_sync: true
diff --git a/postgresql/values_overrides/tls.yaml b/postgresql/values_overrides/tls.yaml
new file mode 100644
index 000000000..5ff3a2f51
--- /dev/null
+++ b/postgresql/values_overrides/tls.yaml
@@ -0,0 +1,26 @@
+---
+conf:
+ postgresql:
+ ssl: 'on'
+pod:
+ security_context:
+ server:
+ container:
+ perms:
+ readOnlyRootFilesystem: false
+ postgresql:
+ runAsUser: 0
+ allowPrivilegeEscalation: true
+ readOnlyRootFilesystem: false
+endpoints:
+ postgresql:
+ host_fqdn_override:
+ default:
+ tls:
+ secretName: postgresql-tls-direct
+ issuerRef:
+ name: ca-issuer
+ kind: ClusterIssuer
+manifests:
+ certificates: true
+...
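Review bot: The tls override raises the postgresql container to `runAsUser: 0` with `allowPrivilegeEscalation: true` and a writable root filesystem as a side effect of enabling TLS, which is a significant privilege regression for the database process, and the diff does not show why it is needed: the set_volume_perms init container in this same patch already chowns `/server_certs` and the key to the server UID, so the main container should be able to read them without root. If root really is required (for example because the entrypoint switches users and the key must be re-owned), state that in a comment above `postgresql:`; otherwise drop those three lines and keep the chart's default non-root context, and likewise justify `readOnlyRootFilesystem: false` on `perms`. Separately, `ssl: 'on'` and `manifests: certificates: true` are independent knobs, and with ssl on but certificates off PostgreSQL will refuse to start because `/server_certs/tls.key` does not exist, so a comment `# ssl: 'on' requires manifests.certificates: true, which provides the key/cert paths in conf.postgresql` next to `ssl:` would prevent a broken combination.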