bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/postgresql-ha] Use of Vault dynamic secrets and bitnami/postgresql-ha #11711

Closed. regel closed this issue 2 years ago

regel commented 2 years ago

Name and Version

bitnami/postgresql-ha-9.3.2 app version=14.4.0

What is the problem this feature will solve?

AS-IS:

Trying to leverage Hashicorp Vault dynamic secrets fails since the file /opt/bitnami/pgpool/conf/pool_passwd in pgpool pod is static and does not know about dynamic (ephemeral) secrets that Vault injects directly inside the database.

Example of this behavior:

$ kubectl run foo-postgresql-ha-client --rm --tty -i --restart='Never' --namespace default --image docker.io/bitnami/postgresql-repmgr:14.4.0-debian-11-r23 --env="PGPASSWORD=chP2RKxfBZDjw6TWr5e-"  --command -- psql -h foo-postgresql-ha-pgpool -p 5432 -U v-root-my-role-TzICi94HJy3SY64sqW6N-1660138635 -d hello
psql: error: connection to server at "foo-postgresql-ha-pgpool" (10.96.253.12), port 5432 failed: FATAL:  SCRAM authentication failed
DETAIL:  pool_passwd file does not contain an entry for "v-root-my-role-TzICi94HJy3SY64sqW6N-1660138635"
pod "foo-postgresql-ha-client" deleted
pod default/foo-postgresql-ha-client terminated (Error)

What is the feature you are proposing to solve the problem?

Either: less restrictive validation. Allow the 'trust' authentication method in pgpool and let the postgres database pod verify credentials. Or: the ability to replace the file pool_hba.conf with custom content during helm install for this chart.

What alternatives have you considered?

I considered editing the file /opt/bitnami/pgpool/conf/pool_hba.conf in the pgpool pod; however, it cannot be modified via the Helm chart and still contains the default values (scram-sha-256 for all users):

local    all      all        trust
host     all      repmgr     all         trust
host     all      postgres   all         scram-sha-256
host     all      wide       all         trust
host     all      pop_user   all         trust
host     all      all        all         scram-sha-256

Finally, as a second alternative, I tried setting pgpool.authenticationMethod=trust in the Helm install values, which results in the following validation error, and the pgpool pod fails to start:

pgpool 14:08:06.17 Welcome to the Bitnami pgpool container
pgpool 14:08:06.18 Subscribe to project updates by watching https://github.com/bitnami/containers
pgpool 14:08:06.18 Submit issues and feature requests at https://github.com/bitnami/containers/issues
pgpool 14:08:06.18 
pgpool 14:08:06.18 INFO  ==> ** Starting Pgpool-II setup **
pgpool 14:08:06.22 INFO  ==> Validating settings in PGPOOL_* env vars...
pgpool 14:08:06.25 ERROR ==> The values allowed for PGPOOL_AUTHENTICATION_METHOD: md5,scram-sha-256
rafariossaa commented 2 years ago

Hi, could you take a look at the PGPOOL_USER_HBA_FILE environment variable in the image? I think you can use it in this case.

mimperatore commented 2 years ago

@rafariossaa, not quite sure how to apply your suggestion. Could you please provide an example of how to set both the PGPOOL_USER_HBA_FILE environment variable and the contents of the file pointed to by the env var, and pass both of those to the helm install/upgrade? Thx!

bitnami-bot commented 2 years ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

bitnami-bot commented 2 years ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

angrastuti commented 1 year ago

This issue was closed a long time back, but @mimperatore, were you able to resolve this issue without restarting the pods manually?

radsto commented 11 months ago

@rafariossaa, not quite sure how to apply your suggestion. Could you please provide an example of how to set both the PGPOOL_USER_HBA_FILE environment variable and the contents of the file pointed to by the env var, and pass both of those to the helm install/upgrade? Thx!

Hi, I just got the same issue, wanting the Postgres backend to process auth without having to sync users into pgpool. Just add this to the values file:

...
pgpool:
  extraEnvVars:
    - name: PGPOOL_ENABLE_POOL_HBA
      value: "no"
...

This bypasses the pool_hba.conf file entirely and is equivalent to trust for every connection.

You can find all the Docker ENV settings here: https://hub.docker.com/r/bitnami/pgpool
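An added example, not from this thread and not from the Bitnami chart or image, of how rafariossaa's PGPOOL_USER_HBA_FILE suggestion could be wired through Helm values, which is what mimperatore asked for above, with radsto's PGPOOL_ENABLE_POOL_HBA=no being the simpler, less selective alternative. Everything here beyond the env var names quoted in the thread is an assumption: the chart keys pgpool.extraEnvVars, pgpool.extraVolumes and pgpool.extraVolumeMounts, the ConfigMap name pgpool-custom-hba, the mount path /opt/bitnami/pgpool/conf/custom, and that the container uses the file named by PGPOOL_USER_HBA_FILE in place of the pool_hba.conf it generates. The HBA rules are the reporter's defaults with only the final catch-all changed from scram-sha-256 to trust, so the postgres superuser is still challenged by pgpool while Vault-issued users pass through to the backend, as the reporter proposed.

```yaml
# File 1: pgpool-custom-hba.yaml (assumed ConfigMap name; apply with kubectl)
# Added example, not the chart's own manifest. First matching line wins, so the
# postgres line keeps scram-sha-256 and only the catch-all becomes trust.
apiVersion: v1
kind: ConfigMap
metadata:
  name: pgpool-custom-hba
data:
  pool_hba.conf: |
    # TYPE   DATABASE   USER       ADDRESS     METHOD
    local    all        all                    trust
    host     all        repmgr     all         trust
    host     all        postgres   all         scram-sha-256
    host     all        wide       all         trust
    host     all        pop_user   all         trust
    # Catch-all changed from scram-sha-256 to trust so dynamic Vault users,
    # which have no pool_passwd entry, are passed to the PostgreSQL backend
    # for authentication instead of being rejected by pgpool.
    host     all        all        all         trust
---
# File 2: values.yaml for bitnami/postgresql-ha (assumed chart keys)
# Mount the ConfigMap into the pgpool pod and point PGPOOL_USER_HBA_FILE at it.
pgpool:
  extraEnvVars:
    - name: PGPOOL_USER_HBA_FILE
      value: /opt/bitnami/pgpool/conf/custom/pool_hba.conf
  extraVolumes:
    - name: custom-hba
      configMap:
        name: pgpool-custom-hba
  extraVolumeMounts:
    - name: custom-hba
      mountPath: /opt/bitnami/pgpool/conf/custom
      readOnly: true
```

Apply the ConfigMap first, then run the helm install or upgrade with `-f values.yaml`, and re-run the psql command from the report against the pgpool service with a freshly issued Vault credential: the "pool_passwd file does not contain an entry" error should be gone. One caveat the thread does not settle: with trust at pgpool, the backend still performs SCRAM for the Vault user, and whether pgpool relays that client's password to the backend when the user is absent from pool_passwd depends on pgpool's frontend-auth settings, so verify the end-to-end login rather than assuming it from the pgpool log alone. If that verification fails, radsto's PGPOOL_ENABLE_POOL_HBA=no is the documented route, at the cost of dropping the scram-sha-256 challenge for the postgres user at the pgpool layer.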