zalando / postgres-operator

Postgres operator creates and manages PostgreSQL clusters running in Kubernetes
https://postgres-operator.readthedocs.io/
MIT License

Ability to provide imagepullsecrets for postgres cluster CRD #2721

Closed Falcondevils closed 3 months ago

Falcondevils commented 3 months ago

Please, answer some short questions which should help us to understand your problem / question better?

I have found serious critical/high severity CVEs in the zalando spilo image as it is using ubuntu 22.04. I see the issue posted on the spilo issue page: https://github.com/zalando/spilo/issues/982 However, it seems that is not a priority for the team to fix.

So I wanted to fork the spilo repo, modify it and try it myself privately. Once I am successful, I would like to contribute to the project as well. However, I do not see an imagePullSecrets field for the postgres CRD. Without this, I won't be able to use a custom private spilo image with the operator.

So can someone add the feature to add an imagePullSecrets field for postgres CRDs?

teimyBr commented 3 months ago
```yaml
postgres-operator:
  configKubernetes:
    pod_service_account_definition: |
      {
        "apiVersion": "v1",
        "imagePullSecrets": [
          {
            "name": "hello-registry"
          }
        ],
        "kind": "ServiceAccount",
        "metadata": {
          "name": "postgres-pod"
        }
      }
    secret_name_template: "{username}.{cluster}"
  imagePullSecrets:
  - name: hello-registry
```

This is possible. We are using this: the image pull secret in `configKubernetes` (`pod_service_account_definition`) is for the Postgres pods, and `imagePullSecrets` is for the operator.

Falcondevils commented 3 months ago

Do the operator and the postgres cluster need to be in the same namespace for this to work, as the postgres-pod service account will be in the namespace where the postgres cluster is present?

teimyBr commented 3 months ago

The image pull secret must be in every namespace. We are using Kyverno here to copy the secret everywhere it is needed with a ClusterPolicy.

So the operator and the PG database can live wherever you want. The reason behind this service account is that it gets created by the postgres-operator, so it applies it to every postgresql resource. And when you have the image pull secret in the service account, you do not have to specify the pull secret for every container in your pod.

The only negative thing is that you cannot use 2 different private registries for 2 containers in a pod.
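The Kyverno ClusterPolicy mentioned above, written out as an added example (it is not part of this thread and not code from the postgres-operator or Kyverno projects). It assumes the pull secret is named `hello-registry` (matching the `imagePullSecrets` entry in `pod_service_account_definition`) and lives in a namespace called `postgres-operator`; both names are assumptions. Rather than copying the credential into every namespace, it triggers on the creation of a `postgresql` custom resource, so the registry secret only lands in namespaces that actually host a cluster, which is where the operator creates the `postgres-pod` service account.

```yaml
# Added example, not from the thread or the projects it discusses.
# Assumptions: Kyverno is installed with permission to generate Secrets,
# the source secret "hello-registry" exists in namespace "postgres-operator",
# and its name matches the imagePullSecrets entry in
# pod_service_account_definition.
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: sync-spilo-pull-secret
spec:
  rules:
  - name: clone-hello-registry
    # Fire when a postgresql CR appears, so the credential is copied only
    # into namespaces that run a cluster (least exposure of the secret).
    match:
      any:
      - resources:
          kinds:
          - acid.zalan.do/v1/postgresql
    generate:
      apiVersion: v1
      kind: Secret
      name: hello-registry
      # request.namespace is the namespace of the postgresql CR being admitted
      namespace: "{{request.namespace}}"
      # synchronize keeps the copy in step with the source secret and
      # re-creates it if someone deletes the copy
      synchronize: true
      clone:
        namespace: postgres-operator
        name: hello-registry
```

After applying the policy and creating a cluster, check that the copy exists in the cluster's namespace (`kubectl get secret hello-registry -n <cluster-namespace>`) and that the operator-created `postgres-pod` service account in that namespace references it (`kubectl get sa postgres-pod -n <cluster-namespace> -o yaml`). Kyverno's generate rules run through its background controller, which needs RBAC to create Secrets; if the copy never appears, look at Kyverno's policy reports and controller logs before suspecting the operator.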

Falcondevils commented 3 months ago

Thanks a lot for the response and for linking the issues. I was able to use the suggestion to use imagePullSecrets for the spilo image.