reactive-tech / kubegres

Kubegres is a Kubernetes operator that allows you to deploy one or many clusters of PostgreSQL instances and manage database replication, failover and backup.

Home Page: https://www.kubegres.io

Certificate-based Authentication

hxtk opened this issue · comments

I'm attempting to set up kubegres with certificate-based authentication, replacing password-based authentication entirely using the cert auth-method [1] [2]. That is, I want my pg_hba.conf to look something like this:

hostssl    all             all             all                     cert clientcert=1

Many of the issues that must be overcome to accomplish this are similar to the issues described in #81. However, using the cert auth method for the replication role is forbidden in practice because the spec requires that we have POSTGRES_PASSWORD and POSTGRES_REPLICATION_PASSWORD environment variables set [3], and the replication role is created with a password in the non-overridable primary_create_replication_role.sh script [4].

The POSTGRES_PASSWORD variable is understandable as it is required by the base image to be non-empty, so I understand you have a requirement for that; an acceptable tradeoff for me is to modify that account after initialization. The replication user, on the other hand, poses a concern for me that I'm not sure how best to overcome.

1: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html

2: https://www.postgresql.org/docs/current/auth-cert.html

3:

if !r.doesEnvVarExist(ctx.EnvVarNameOfPostgresSuperUserPsw) {
	specCheckResult.HasSpecFatalError = true
	specCheckResult.FatalErrorMessage = r.createErrMsgSpecUndefined("spec.env.POSTGRES_PASSWORD")
}
if !r.doesEnvVarExist(ctx.EnvVarNameOfPostgresReplicationUserPsw) {
	specCheckResult.HasSpecFatalError = true
	specCheckResult.FatalErrorMessage = r.createErrMsgSpecUndefined("spec.env.POSTGRES_REPLICATION_PASSWORD")
}

4:

primary_create_replication_role.sh: |
  #!/bin/bash
  set -e
  dt=$(date '+%d/%m/%Y %H:%M:%S');
  echo "$dt - Creating replication role...";
  echo "$dt - Running: psql -v ON_ERROR_STOP=1 --username $POSTGRES_USER --dbname $POSTGRES_DB ... CREATE ROLE replication WITH REPLICATION PASSWORD ... GRANT EXECUTE ON FUNCTION pg_promote TO replication;";
  psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" --dbname "$POSTGRES_DB" <<-EOSQL
  CREATE ROLE replication WITH REPLICATION PASSWORD '$POSTGRES_REPLICATION_PASSWORD' LOGIN;
  GRANT EXECUTE ON FUNCTION pg_promote TO replication;
  EOSQL
  echo "$dt - Replication role created";

I've worked through this problem and gotten a working solution. It's not "clean" and requires manual changes, but I can now identify two distinct subtasks that will allow this to be completed with the standard tooling, so I am closing this ticket to create two precisely-targeted tickets for those specific changes.
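
A check for the goal stated in the issue, added here as an example and not part of the issue or of Kubegres: it parses a pg_hba.conf and reports remote rules that still accept a non-cert method, and whether physical replication connections (which the `all` database keyword does not match) have a cert rule of their own. The sample file, function names and finding messages are constructed for illustration.

```python
# Added example: audit a pg_hba.conf for rules that bypass cert authentication.
METHODS = {"trust", "reject", "scram-sha-256", "md5", "password", "gss",
           "sspi", "ident", "peer", "ldap", "radius", "cert", "pam", "bsd"}

# Constructed sample, not taken from the issue or from Kubegres.
SAMPLE_HBA = """\
# TYPE   DATABASE     USER         ADDRESS     METHOD
local    all          all                      peer
hostssl  all          all          all         cert
host     replication  replication  10.0.0.0/8  md5
"""

def parse_hba(text):
    """Yield (lineno, conn_type, databases, method) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank lines, comments, include directives
        # The method is the first auth keyword after TYPE/DATABASE/USER, which
        # skips the one-token (CIDR) or two-token (IP + mask) ADDRESS field.
        method = next((f for f in fields[3:] if f in METHODS), None)
        if method is not None:
            yield lineno, fields[0], fields[1].split(","), method

def audit(text):
    """Return [(lineno, message)]; lineno 0 marks a file-level finding."""
    findings, replication_cert = [], False
    for lineno, conn_type, databases, method in parse_hba(text):
        if conn_type == "local":
            continue  # Unix-socket rules carry no TLS client certificate
        if method not in ("cert", "reject"):
            findings.append((lineno, f"{conn_type} rule uses '{method}', not cert"))
        if conn_type == "hostssl" and method == "cert" and "replication" in databases:
            replication_cert = True
    if not replication_cert:
        # Physical replication connections match only the 'replication'
        # database keyword, so a cert rule for 'all' leaves them uncovered.
        findings.append((0, "no hostssl cert rule for database 'replication'"))
    return findings

if __name__ == "__main__":
    for lineno, message in audit(SAMPLE_HBA):
        print(f"line {lineno or '-'}: {message}")
```

Run against the single line quoted in the issue, `audit` returns only the file-level replication finding, which is the same replication-role gap the issue raises.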