Closed catj-cockroach closed 2 years ago
PostgreSQL recently changed the permissions it allows. This driver should use logic similar to fe-secure-openssl.c here: https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=a59c79564bdc209a5bc7b02d706f0d7352eb82fa
Hi @cbandy! I've updated the PR to match the permission check in PostgreSQL!
Sorry about the linter errors, I've fixed them now and just to be safe I ran the test suite again.
Hey @rafiss! This is the PR we spoke about 1:1 :)
@catj-cockroach This does not appear to resolve the k8s fsGroup issue, as soon as the container is running as non-root and you need to set fsGroup it does not work, as this PR only allows 0640 permission if the mounted secret is owned by root.
@arjantop-cai you'll also need to set the defaultMode for the mounted secret to 288, which is 0640 in decimal. All Kubernetes secrets are mounted as root, so all we can do is adjust the group permissions.
@catj-cockroach my bad, skaffold just did not rebuild the image with the new pq version, all works as expected 👍
This PR adds support for using private keys mounted in Kubernetes. It should partially fix issue #825 at least in Kubernetes, with the use of fsGroup in the securityContext and defaultMode on the mounted secret.
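The ownership-dependent permission rule discussed in this thread, as an added Go example that is not code from pq or PostgreSQL. `checkKeyPerms` is a hypothetical helper, and its bit masks are an assumption modeled on the rule described above (group-readable only when the key is root-owned, owner-only otherwise).

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

var errKeyPerms = errors.New("private key file permissions are too open")

// checkKeyPerms is a hypothetical helper, not pq's actual function.
// Assumed rule: a root-owned key may be group-readable (0640 or stricter);
// a key owned by the current user must be owner-only (0600 or stricter).
func checkKeyPerms(mode os.FileMode, ownerUID, currentUID uint32) error {
	if !mode.IsRegular() {
		return errors.New("private key is not a regular file")
	}
	var forbidden os.FileMode
	switch {
	case ownerUID == 0:
		forbidden = 0037 // group write/exec and any access for others
	case ownerUID == currentUID:
		forbidden = 0077 // any access for group or others
	default:
		return errors.New("private key must be owned by the current user or root")
	}
	if mode.Perm()&forbidden != 0 {
		return errKeyPerms
	}
	return nil
}

func main() {
	// Constructed cases: mode, file owner UID, UID of the connecting process.
	cases := []struct {
		mode       os.FileMode
		owner, uid uint32
	}{
		{0640, 0, 1000},    // root-owned secret, group-readable via fsGroup
		{288, 0, 1000},     // decimal 288 is octal 0440
		{0640, 1000, 1000}, // user-owned but group-readable
		{0644, 0, 1000},    // world-readable
	}
	for _, c := range cases {
		err := checkKeyPerms(c.mode, c.owner, c.uid)
		fmt.Printf("%04o owner=%d uid=%d -> %v\n", uint32(c.mode.Perm()), c.owner, c.uid, err)
	}
}
```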