lib / pq

Pure Go Postgres driver for database/sql
https://pkg.go.dev/github.com/lib/pq
MIT License

adds support for kubernetes mounted private keys #1081

Closed catj-cockroach closed 2 years ago

catj-cockroach commented 2 years ago

This PR adds support for using private keys mounted in Kubernetes. It should partially fix issue #825 at least in Kubernetes, with the use of fsGroup in the securityContext and defaultMode on the mounted secret.

cbandy commented 2 years ago

PostgreSQL recently changed the permissions it allows. This driver should use logic similar to fe-secure-openssl.c here: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=a59c79564bdc209a5bc7b02d706f0d7352eb82fa
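The PostgreSQL check referenced above, written out in Go as an added illustration (this is not lib/pq's code and not the code from this PR): a key owned by the current user may carry no group or world bits (0600 or less), a key owned by root may additionally be group-readable (0640 or less), and a key owned by anyone else is refused outright. The owner comparison uses the effective uid, as libpq does, so a process running as root is held to 0600 even for root-owned files. The `checkKeyMode`, `checkKeyFile` and `writeTempKey` names are this example's own, it relies on `syscall.Stat_t` and therefore only builds on Unix-like systems, and the file contents written by the demo are a constructed placeholder, not a real key.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// Bits that must be clear on a private key, mirroring fe-secure-openssl.c
// after PostgreSQL commit a59c7956: a key owned by the current user may have
// no group/other bits at all; a key owned by root may only add group read.
const (
	userForbiddenBits os.FileMode = 0077 // S_IRWXG | S_IRWXO
	rootForbiddenBits os.FileMode = 0027 // S_IWGRP | S_IRWXO
)

var (
	ErrKeyWrongOwner    = errors.New("private key file must be owned by the current user or root")
	ErrKeyTooPermissive = errors.New("private key file has group or world access; " +
		"file must have permissions u=rw (0600) or less if owned by the current user, " +
		"or permissions u=rw,g=r (0640) or less if owned by root")
)

// checkKeyMode applies the rule to an owner uid, the effective uid of the
// calling process and the file's permission bits. It is pure (no filesystem
// access) so the root-owned branch can be exercised without chown.
func checkKeyMode(ownerUID, euid uint32, mode os.FileMode) error {
	perm := mode.Perm()
	switch {
	case ownerUID != euid && ownerUID != 0:
		return ErrKeyWrongOwner
	case ownerUID == euid && perm&userForbiddenBits != 0:
		return ErrKeyTooPermissive
	case ownerUID == 0 && perm&rootForbiddenBits != 0:
		return ErrKeyTooPermissive
	}
	return nil
}

// checkKeyFile stats path and applies checkKeyMode using the owner uid from
// the underlying Unix stat structure. Like libpq's check, it is Unix-only.
func checkKeyFile(path string) error {
	info, err := os.Stat(path)
	if err != nil {
		return err
	}
	st, ok := info.Sys().(*syscall.Stat_t)
	if !ok {
		return errors.New("cannot determine owner of private key file on this platform")
	}
	return checkKeyMode(st.Uid, uint32(os.Geteuid()), info.Mode())
}

// writeTempKey creates a throwaway file with the requested mode and returns
// its path. The content is a constructed placeholder, not a usable key.
func writeTempKey(mode os.FileMode) (string, error) {
	dir, err := os.MkdirTemp("", "pqkey")
	if err != nil {
		return "", err
	}
	path := filepath.Join(dir, "client.key")
	placeholder := []byte("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
	if err := os.WriteFile(path, placeholder, 0600); err != nil {
		return "", err
	}
	// Chmod explicitly so the process umask cannot widen or narrow the mode.
	if err := os.Chmod(path, mode); err != nil {
		return "", err
	}
	return path, nil
}

func main() {
	// Files created here are owned by the current uid, so 0640 and 0644 are
	// refused; the root-owned 0640 case is only reachable via checkKeyMode.
	for _, m := range []os.FileMode{0600, 0640, 0644} {
		path, err := writeTempKey(m)
		if err != nil {
			fmt.Println(err)
			return
		}
		fmt.Printf("%04o owned by uid %d: %v\n", m, os.Geteuid(), checkKeyFile(path))
		os.RemoveAll(filepath.Dir(path))
	}
	fmt.Println("0640 owned by root, euid 1000:", checkKeyMode(0, 1000, 0640))
}
```

The Kubernetes case from this PR is the `checkKeyMode(0, 1000, 0640)` line: the secret file is root-owned and group-readable, and the non-root process reads it through the group set by `fsGroup`.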

catj-cockroach commented 2 years ago

Hi @cbandy! I've updated the PR to match the permission check in PostgreSQL!

catj-cockroach commented 2 years ago

Sorry about the linter errors, I've fixed them now and just to be safe I ran the test suite again.

catj-cockroach commented 2 years ago

Hey @rafiss! This is the PR we spoke about 1:1 :)

arjantop-cai commented 2 years ago

@catj-cockroach This does not appear to resolve the k8s fsGroup issue: as soon as the container is running as non-root and you need to set fsGroup, it does not work, as this PR only allows 0640 permission if the mounted secret is owned by root.

catj-cockroach commented 2 years ago

@arjantop-cai you'll also need to set the defaultMode for the mounted secret to 288, which is 0640 in decimal. All Kubernetes secrets are mounted as root, so all we can do is adjust the group permissions.

arjantop-cai commented 2 years ago

@catj-cockroach my bad, skaffold just did not rebuild the image with the new pq version, all works as expected 👍
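The arrangement the last few comments converge on, written out as a pod spec. This is an added illustration, not a manifest from the PR or from lib/pq; the pod, container, image and secret names and the mount path are placeholders, and the PG* environment variables are the libpq-style ones lib/pq reads for its SSL settings. Secret volumes are always created owned by root; setting fsGroup gives the files that group, and defaultMode 0640 grants that group read access, which is exactly the root-owned u=rw,g=r case the permission check accepts. defaultMode is an integer: YAML parses 0640 as octal (416 in decimal), and a JSON manifest would have to spell it as 416.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: pq-client                       # placeholder name
spec:
  securityContext:
    runAsUser: 1000                     # non-root process uid
    runAsGroup: 1000
    fsGroup: 1000                       # secret files get gid 1000, so g=r is enough
  containers:
  - name: app
    image: example.com/pq-client:latest # placeholder image
    env:
    - name: PGSSLMODE
      value: verify-full
    - name: PGSSLKEY
      value: /etc/pg-tls/tls.key
    - name: PGSSLCERT
      value: /etc/pg-tls/tls.crt
    - name: PGSSLROOTCERT
      value: /etc/pg-tls/ca.crt
    volumeMounts:
    - name: pg-tls
      mountPath: /etc/pg-tls
      readOnly: true
  volumes:
  - name: pg-tls
    secret:
      secretName: db-client-tls         # placeholder secret with keys tls.key, tls.crt, ca.crt
      defaultMode: 0640                 # u=rw,g=r (416 decimal); owner stays root
```

To confirm the result from inside the container, `stat -c '%U:%G %a' /etc/pg-tls/tls.key` should report `root:1000 640`; a value of `644` or any mode with world bits is rejected by the check regardless of owner.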