Add tls to Postgresql

This PS provides the capability to enable tls for the Postgresql chart. Change-Id: Ie1ebd693dbf23f98bef832e3c57defe3a4e026bd
2020-09-24 21:09:19 +00:00 · 2020-09-24 21:09:19 +00:00 · ce9d420ee5
parent 1e892660d0
commit ce9d420ee5
5 changed files with 74 additions and 1 deletions
--- a/postgresql/Chart.yaml
+++ b/postgresql/Chart.yaml
@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v9.6
 description: OpenStack-Helm PostgreSQL
 name: postgresql
-version: 0.1.7
+version: 0.1.8
 home: https://www.postgresql.org
 sources:
  - https://github.com/postgres/postgres
--- a/postgresql/templates/certificates.yaml
+++ b/postgresql/templates/certificates.yaml
@ -0,0 +1,14 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+  http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+{{- if .Values.manifests.certificates -}}
+{{ dict "envAll" . "service" "postgresql" "type" "internal" | include "helm-toolkit.manifests.certificates" }}
+{{- end -}}
--- a/postgresql/templates/statefulset.yaml
+++ b/postgresql/templates/statefulset.yaml
@ -149,6 +149,13 @@ spec:
              /bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} {{ .Values.storage.mount.path }};
              /bin/chmod 700 {{ .Values.storage.mount.path }};
              /bin/chmod 700 {{ .Values.storage.mount.path }}/*;
+{{- if .Values.manifests.certificates }}
+              /bin/cp /server_certs_temp/* /server_certs/.;
+              /bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} /server_certs;
+              /bin/chown {{ .Values.pod.security_context.server.pod.runAsUser }} /server_certs/*;
+              /bin/chmod 700 /server_certs;
+              /bin/chmod 600 /server_certs/*;
+{{- end }}
 {{ dict "envAll" $envAll "application" "server" "container" "set_volume_perms" | include "helm-toolkit.snippets.kubernetes_container_security_context" | indent 10 }}
          volumeMounts:
            - name: pod-tmp
@ -156,6 +163,14 @@ spec:
            - name: postgresql-data
              mountPath: {{ .Values.storage.mount.path }}
              subPath: {{ .Values.storage.mount.subpath }}
+{{- if .Values.manifests.certificates }}
+            - name: server-certs
+              mountPath: /server_certs
+              # server-cert-temp mountpoint is temp storage for secrets. We copy the
+              # secrets to server-certs folder and set owner and permissions.
+              # This is needed because the secrets are always created readonly.
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.postgresql.tls.server.internal "path" "/server_certs_temp" | include "helm-toolkit.snippets.tls_volume_mount" | indent 12 }}
+{{- end }}
      containers:
        - name: postgresql
 {{ tuple $envAll "postgresql" | include "helm-toolkit.snippets.image" | indent 10 }}
@ -234,6 +249,10 @@ spec:
              mountPath: /tmp/archive_cleanup.sh
              subPath: archive_cleanup.sh
              readOnly: true
+{{- end }}
+{{- if .Values.manifests.certificates }}
+            - name: server-certs
+              mountPath: /server_certs
 {{- end }}
      volumes:
        - name: pod-tmp
@ -247,6 +266,11 @@ spec:
          secret:
            secretName: postgresql-bin
            defaultMode: 0555
+{{- if .Values.manifests.certificates }}
+        - name: server-certs
+          emptyDir: {}
+{{ dict "enabled" $envAll.Values.manifests.certificates "name" $envAll.Values.secrets.postgresql.tls.server.internal | include "helm-toolkit.snippets.tls_volume" | indent 8 }}
+{{- end }}
        - name: postgresql-etc
          configMap:
            name: postgresql-etc
--- a/postgresql/values.yaml
+++ b/postgresql/values.yaml
@ -303,6 +303,11 @@ conf:
    max_worker_processes: '10'
    port: '5432'
    shared_buffers: '2GB'
+    ssl: 'off'
+    ssl_cert_file: '/server_certs/tls.crt'
+    ssl_ca_file: '/server_certs/ca.crt'
+    ssl_key_file: '/server_certs/tls.key'
+    ssl_ciphers: 'TLSv1.2:!aNULL'
    tcp_keepalives_idle: '900'
    tcp_keepalives_interval: '100'
    timezone: 'UTC'
@ -340,6 +345,9 @@ secrets:
    exporter: postgresql-exporter
    audit: postgresql-audit
    backup_restore: postgresql-backup-restore
+    tls:
+      server:
+        internal: postgresql-tls-direct
  identity:
    admin: keystone-admin-user
    postgresql: postgresql-backup-user
@ -441,6 +449,7 @@ endpoints:
        internal: 5000

 manifests:
+  certificates: false
  configmap_bin: true
  configmap_etc: true
  job_image_repo_sync: true
--- a/postgresql/values_overrides/tls.yaml
+++ b/postgresql/values_overrides/tls.yaml
@ -0,0 +1,26 @@
+---
+conf:
+  postgresql:
+    ssl: 'on'
+pod:
+  security_context:
+    server:
+      container:
+        perms:
+          readOnlyRootFilesystem: false
+        postgresql:
+          runAsUser: 0
+          allowPrivilegeEscalation: true
+          readOnlyRootFilesystem: false
+endpoints:
+  postgresql:
+    host_fqdn_override:
+      default:
+        tls:
+          secretName: postgresql-tls-direct
+          issuerRef:
+            name: ca-issuer
+            kind: ClusterIssuer
+manifests:
+  certificates: true
+...