Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

adds support for kubernetes mounted private keys #1081

Merged
merged 1 commit into from
May 16, 2022
Merged

adds support for kubernetes mounted private keys #1081

merged 1 commit into from
May 16, 2022

Conversation

catj-cockroach
Copy link
Contributor

This PR adds support for using private keys mounted in Kubernetes. It should partially fix issue #825 at least in Kubernetes, with the use of fsGroup in the securityContext and defaultMode on the mounted secret.

@cbandy
Copy link
Contributor

cbandy commented May 6, 2022

PostgreSQL recently changed the permissions it allows. This driver should use logic similar to fe-secure-openssl.c here: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=a59c79564bdc209a5bc7b02d706f0d7352eb82fa

@catj-cockroach catj-cockroach force-pushed the add-kubernetes-secret-support branch from 65bf9f9 to 4d4470b Compare May 6, 2022 18:04
@catj-cockroach
Copy link
Contributor Author

Hi @cbandy! I've updated the PR to match the permission check in the PostgreSQL!

@catj-cockroach catj-cockroach force-pushed the add-kubernetes-secret-support branch 2 times, most recently from 401ffb4 to 7da0995 Compare May 6, 2022 18:24
@catj-cockroach
Copy link
Contributor Author

Sorry about the linter errors, I've fixed them now and just to be safe I ran the test suite again.

@catj-cockroach catj-cockroach marked this pull request as ready for review May 6, 2022 18:35
@catj-cockroach
Copy link
Contributor Author

Hey @rafiss! This is the PR we spoke about 1:1 :)

@rafiss rafiss self-requested a review May 11, 2022 04:56
rafiss
rafiss requested changes May 11, 2022
View reviewed changes
@catj-cockroach catj-cockroach force-pushed the add-kubernetes-secret-support branch from 7da0995 to d8917fa Compare May 11, 2022 17:40
@catj-cockroach catj-cockroach requested a review from rafiss May 11, 2022 18:30
@rafiss rafiss merged commit 8c6de56 into lib:master May 16, 2022
@catj-cockroach catj-cockroach deleted the add-kubernetes-secret-support branch May 16, 2022 18:28
@arjantop-cai
Copy link

@catj-cockroach This does not appear to resolve the k8s fsGroup issue, as soon as the container is running as non-root and you need to set fsGroup it does not work, as this PR only allows 0640 permission if the mounted secret is owned by root.

@catj-cockroach
Copy link
Contributor Author

catj-cockroach commented Jun 21, 2022
edited
Loading

@arjantop-cai you'll also need to set the defaultMode for the mounted secret to 288, which is 0640 in decimal. All Kubernetes secrets are mounted as root, so all we can do is adjust the group permissions.

@arjantop-cai
Copy link

@catj-cockroach my bad, skaffold just did not rebuild the image with the new pq version, all works as expected 👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@rafiss rafiss rafiss approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@catj-cockroach @cbandy @arjantop-cai @rafiss