Closed izgeri closed 5 years ago
Note: I tried to (but couldn't) reproduce this locally by running pg in a Docker container

    docker run --name pg-reg -p 5433:5432 -e POSTGRES_PASSWORD=mypassword -e POSTGRES_USER=myuser -e POSTGRES_DB=mydb -d postgres

and then running ./bin/build_darwin to have a local OSX secretless binary. I started Secretless by running

    ./dist/darwin/amd64/secretless-broker -f secretless-pg.yml

where secretless-pg.yml includes:

    listeners:
      - address: 0.0.0.0:5432
        # caCertFiles: []
        debug: true
        name: pg_listener
        protocol: pg
    handlers:
      - name: pg_handler
        listener: pg_listener
        debug: true
        credentials:
          - name: username
            provider: literal
            id: myuser
          - name: password
            provider: literal
            id: mypassword
          - name: sslmode
            provider: literal
            id: disable
          - name: address
            provider: literal
            id: localhost:5433

Then, when I try to connect to pg via Secretless (psql -h localhost -p 5432 -d postgres) it's able to proxy the connection appropriately.
@yserota I created a docs issue to make a minor correction to the docs for this - please see https://github.com/cyberark/secretless-docs/issues/183
Note that the only thing broken was my expectation that I can pass /dbname in the address field for the pg config. This is no longer the case, and that assumption was fixed in https://github.com/conjurdemos/kubernetes-conjur-demo/pull/74 and will be updated in the documentation as part of https://github.com/cyberark/secretless-docs/issues/183. In light of this, I'm closing the bug now.
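A pre-deploy check for the /dbname assumption described in the comment above, as an added example that is not part of the original issue or the Secretless code base: it walks handler credentials shaped like the secretless-pg.yml on this page and flags literal address values that carry a database suffix. The host and port names follow the issue summary; the function names, sample handlers and hostname are constructed for illustration.

```python
# Added example (not Secretless code): lint pg handler credentials for
# `address` values that still carry a "/dbname" suffix.

def split_pg_address(address):
    """Split 'host:port[/dbname]' into (host, port, dbname-or-None)."""
    hostport, sep, dbname = address.partition("/")
    host, _, port = hostport.rpartition(":")
    if not host:  # no ':' present, so the whole value is the host
        host, port = hostport, ""
    return host, port, (dbname if sep else None)


def lint_handlers(config):
    """Return one finding per literal `address` credential with a /dbname suffix."""
    findings = []
    for handler in config.get("handlers", []):
        for cred in handler.get("credentials", []):
            if cred.get("name") != "address" or cred.get("provider") != "literal":
                continue  # non-literal values are resolved at runtime; not checkable here
            host, port, dbname = split_pg_address(str(cred.get("id", "")))
            if dbname is not None:
                findings.append({
                    "handler": handler.get("name"),
                    "address": cred["id"],
                    "suggested": {"host": host, "port": port},
                    "dbname": dbname,
                })
    return findings


# Constructed sample: the first handler matches the working config on this page,
# the second uses the "/dbname" form (hypothetical hostname and handler name).
SAMPLE = {
    "handlers": [
        {"name": "pg_handler", "credentials": [
            {"name": "address", "provider": "literal", "id": "localhost:5433"}]},
        {"name": "pg_handler_old", "credentials": [
            {"name": "address", "provider": "literal",
             "id": "pg.example.internal:5432/mydb"}]},
    ]
}

if __name__ == "__main__":
    for f in lint_handlers(SAMPLE):
        print(f"{f['handler']}: address {f['address']!r} carries database name "
              f"{f['dbname']!r}; use host={f['suggested']['host']} "
              f"port={f['suggested']['port']}")
```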
Summary
Some recent changes post-1.0 have revised PostgreSQL configuration to enable host/port (to be consistent with MySQL) and deprecated address. But though address is still meant to be supported, you can't connect to a pg database via Secretless when using address-based config.
Steps to Reproduce
Deploy an app with Secretless as a sidecar to OC 3.9. Use config of the form:
You will see the app is unable to start up. I reproduced this using LOCAL_AUTHENTICATOR=true with a local build of secretless / the kubernetes authenticator sidecar and running kubernetes-conjur-demo in OC 3.9.
If you change the config to use host / port-based config, the app deploys as expected.
Expected Results
The app is deployed as usual, and can connect to pg via Secretless
Actual Results (including error logs, if applicable)
The app fails to start. The app logs show an error:
The Secretless logs show: