bitnami / charts

Bitnami Helm Charts
https://bitnami.com

[bitnami/postgresql-ha] To use TLS on pgpool, why not mount the certificate files with mode 0600 instead of an initcontainer that runs as root? #30467

Open caspereijkens opened 1 week ago

caspereijkens commented 1 week ago

Name and Version

bitnami/postgresql-ha

What is the problem this feature will solve?

In our org, we have rather strict policies regarding the pod security context. To enable TLS, I see that the chart adds an init container that does some chmod'ing of certificate files. For that to happen, the securityContext of the init container is currently:

        securityContext:
          runAsGroup: 0
          runAsNonRoot: false
          runAsUser: 0
          seccompProfile:
            type: RuntimeDefault

In our org, we are not allowed to choose user/group 0 and cannot run containers as root either. My org wants:

    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop:
        - ALL
      readOnlyRootFilesystem: true
      runAsGroup: 1000
      runAsNonRoot: true
      runAsUser: 100
      seccompProfile:
        type: RuntimeDefault

But this leads to:

    + cp /tmp/certs/ca.crt /tmp/certs/tls.crt /tmp/certs/tls.key /opt/bitnami/pgpool/certs/
    + chown -R 1001:1001 /opt/bitnami/pgpool/certs/
    chown: changing ownership of '/opt/bitnami/pgpool/certs/': Operation not permitted
    + chmod 600 /opt/bitnami/pgpool/certs/tls.crt

What is the feature you are proposing to solve the problem?

Why not just directly mount the certificates with mode 0600?

I'm curious about the choice for the initContainer that does:

          cp /tmp/certs/* /opt/bitnami/pgpool/certs/
          chown -R 1001:1001 /opt/bitnami/pgpool/certs/
          chmod 600 /opt/bitnami/pgpool/certs/tls.crt
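
An added example, not part of the original issue or of the Bitnami chart: a Python check that evaluates a container `securityContext` against the settings the reporter's org requires and lists which fields of the init container fail. The function name `violations`, the sample dictionaries (transcribed from the two YAML snippets above) and the choice to treat unset fields as failures are assumptions.

```python
# Added example: audit a container securityContext against the restricted
# settings quoted in the issue. All names here are hypothetical.

# Constructed sample input: the init container's context as shown in the issue.
INIT_SC = {"runAsGroup": 0, "runAsNonRoot": False, "runAsUser": 0,
           "seccompProfile": {"type": "RuntimeDefault"}}

# Constructed sample input: the context the reporter's org requires.
ORG_SC = {"allowPrivilegeEscalation": False,
          "capabilities": {"drop": ["ALL"]},
          "readOnlyRootFilesystem": True,
          "runAsGroup": 1000, "runAsNonRoot": True, "runAsUser": 100,
          "seccompProfile": {"type": "RuntimeDefault"}}

# Fields Kubernetes also accepts in the pod-level securityContext; the
# container-level value wins when both are set.
POD_LEVEL = ("runAsUser", "runAsGroup", "runAsNonRoot", "seccompProfile")


def violations(container_sc, pod_sc=None):
    """Return the policy violations for one container, in check order."""
    pod_sc = pod_sc or {}
    sc = {k: pod_sc[k] for k in POD_LEVEL if k in pod_sc}
    sc.update(container_sc or {})
    found = []
    if sc.get("runAsNonRoot") is not True:
        found.append("runAsNonRoot must be true")
    for key in ("runAsUser", "runAsGroup"):
        # Assumption: an unset ID is treated as a failure, same as 0.
        if sc.get(key, 0) == 0:
            found.append(f"{key} must be set and non-zero")
    if sc.get("allowPrivilegeEscalation") is not False:
        found.append("allowPrivilegeEscalation must be false")
    if "ALL" not in (sc.get("capabilities") or {}).get("drop", []):
        found.append("capabilities.drop must include ALL")
    if sc.get("readOnlyRootFilesystem") is not True:
        found.append("readOnlyRootFilesystem must be true")
    if (sc.get("seccompProfile") or {}).get("type") != "RuntimeDefault":
        found.append("seccompProfile.type must be RuntimeDefault")
    return found


if __name__ == "__main__":
    for name, ctx in (("init container", INIT_SC), ("org policy", ORG_SC)):
        print(name, "->", violations(ctx) or "compliant")
```
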