
Providing Patroni with a custom CA bundle #726

Closed
khmarochos opened this issue May 12, 2022 · 1 comment

Comments


khmarochos commented May 12, 2022

Hello,

I use zalando/postgres-operator, which utilizes the Spilo image.

Is there a way to provide Spilo with a custom CA certificate to be passed to Patroni?

Patroni handles the PATRONI_KUBERNETES_CACERT environment variable, but Spilo discards this variable, so it is never passed to Patroni.

Here's the link to the same issue discussed in the zalando/postgres-operator repository: zalando/postgres-operator#1877.

Is there some way to make Spilo pass the CA certificate of the Kubernetes API server to Patroni?

Thank you!

@CyberDem0n
Contributor

Yeah... Spilo currently discards all Patroni environment variables because it relies on its own.
The get_dcs_config() function should be changed a bit so that it handles KUBERNETES_* env variables similarly to the remaining DCS:

```python
import json
import logging
from collections import defaultdict

import yaml

# USE_KUBERNETES, PATRONI_DCS and KUBERNETES_DEFAULT_LABELS are module-level
# constants defined elsewhere in Spilo's configure_spilo.py and are not repeated here.


def get_dcs_config(config, placeholders):
    if USE_KUBERNETES and placeholders.get('DCS_ENABLE_KUBERNETES_API'):
        # Kubernetes DCS: only a fixed set of KUBERNETES_* placeholders is copied,
        # so anything else (e.g. KUBERNETES_CACERT) never reaches Patroni.
        try:
            kubernetes_labels = json.loads(placeholders.get('KUBERNETES_LABELS'))
        except (TypeError, ValueError) as e:
            logging.warning("could not parse kubernetes labels as a JSON: {0}, "
                            "reverting to the default: {1}".format(e, KUBERNETES_DEFAULT_LABELS))
            kubernetes_labels = json.loads(KUBERNETES_DEFAULT_LABELS)
        config = {'kubernetes': {'role_label': placeholders.get('KUBERNETES_ROLE_LABEL'),
                                 'scope_label': placeholders.get('KUBERNETES_SCOPE_LABEL'),
                                 'labels': kubernetes_labels}}
        if not placeholders.get('KUBERNETES_USE_CONFIGMAPS'):
            config['kubernetes'].update({'use_endpoints': True, 'pod_ip': placeholders['instance_data']['ip'],
                                         'ports': [{'port': 5432, 'name': 'postgresql'}]})
        if str(placeholders.get('KUBERNETES_BYPASS_API_SERVICE')).lower() == 'true':
            config['kubernetes']['bypass_api_service'] = True
    else:
        # Every other DCS is handled generically:
        # (ZOOKEEPER|EXHIBITOR|CONSUL|ETCD3|ETCD)_(HOSTS|HOST|PORT|...) -> <dcs>.<param>
        dcs_configs = defaultdict(dict)
        for name, value in placeholders.items():
            if '_' not in name:
                continue
            dcs, param = name.lower().split('_', 1)
            if dcs in PATRONI_DCS:
                if param == 'hosts':
                    # "host1:2379,host2:2379" is turned into a YAML flow list
                    if not (value.strip().startswith('-') or '[' in value):
                        value = '[{0}]'.format(value)
                    value = yaml.safe_load(value)
                elif param == 'discovery_domain':
                    param = 'discovery_srv'
                dcs_configs[dcs][param] = value
        for dcs in PATRONI_DCS:
            if dcs in dcs_configs:
                config = {dcs: dcs_configs[dcs]}
                break
    return config
```
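
The generic handling CyberDem0n describes, as an added example that is not Spilo's own code: KUBERNETES_* placeholders go through the same prefix loop as ETCD_*/CONSUL_*, so a KUBERNETES_CACERT placeholder becomes kubernetes.cacert in the generated Patroni config instead of being dropped. The constant values, the fallback when PyYAML is not installed, and the sample placeholders are assumptions made for this illustration.

```python
import json
import logging
from collections import defaultdict
try:
    import yaml  # PyYAML, which Spilo uses to parse *_HOSTS
except ImportError:  # keep this example runnable without PyYAML (assumption)
    yaml = None
# Added illustration, not Spilo's code; 'kubernetes' is listed first so it wins over other DCS.
PATRONI_DCS = ('kubernetes', 'zookeeper', 'exhibitor', 'consul', 'etcd3', 'etcd')
KUBERNETES_DEFAULT_LABELS = '{"application": "spilo"}'

def parse_kubernetes_labels(value):
    """Parse KUBERNETES_LABELS as JSON, reverting to the defaults as Spilo does."""
    try:
        return json.loads(value)
    except (TypeError, ValueError) as e:
        logging.warning("could not parse kubernetes labels as a JSON: %s, reverting to %s", e, KUBERNETES_DEFAULT_LABELS)
        return json.loads(KUBERNETES_DEFAULT_LABELS)

def get_dcs_config(placeholders):
    """Map <DCS>_<PARAM> placeholders to Patroni's DCS section; KUBERNETES_* takes
    the same generic path as ETCD_*/CONSUL_*, so KUBERNETES_CACERT -> kubernetes.cacert."""
    dcs_configs = defaultdict(dict)
    for name, value in placeholders.items():
        if '_' not in name or value is None:
            continue
        dcs, param = name.lower().split('_', 1)
        if dcs not in PATRONI_DCS:
            continue
        if param == 'hosts':  # "h1:2379,h2:2379" -> list, via YAML flow syntax
            if not (value.strip().startswith('-') or '[' in value):
                value = '[{0}]'.format(value)
            value = yaml.safe_load(value) if yaml else [h.strip() for h in value.strip('[]').split(',')]
        elif param == 'discovery_domain':
            param = 'discovery_srv'
        elif dcs == 'kubernetes' and param == 'labels':
            value = parse_kubernetes_labels(value)
        elif dcs == 'kubernetes' and param == 'bypass_api_service':
            value = str(value).lower() == 'true'
        dcs_configs[dcs][param] = value
    if not placeholders.get('DCS_ENABLE_KUBERNETES_API'):  # Spilo's enable flag
        dcs_configs.pop('kubernetes', None)
    k8s = dcs_configs.get('kubernetes')
    if k8s is not None and not k8s.pop('use_configmaps', None):  # Spilo-only switch
        k8s.update({'use_endpoints': True, 'pod_ip': placeholders['instance_data']['ip'],
                    'ports': [{'port': 5432, 'name': 'postgresql'}]})
    for dcs in PATRONI_DCS:  # first configured DCS in priority order wins
        if dcs in dcs_configs:
            return {dcs: dcs_configs[dcs]}
    return {}
```

With this shape, a new Patroni Kubernetes setting only needs the matching KUBERNETES_* placeholder to be forwarded; the Spilo-only switches are the only ones that still need explicit handling.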

CyberDem0n pushed a commit that referenced this issue Jun 17, 2022
- ensure all packages are upgraded to the latest version (apt-get -y upgrade)
- allow starting etcd on non-x86 platforms
- refactor `get_dcs_config()` function

Close #736, #726