Mounting SSH keys for SSL for Postgres

10/28/2019

I am setting up SSL for Postgres 9.6 connections. I could not mount the SSH private key and cert in a Kubernetes secret with appropriate permissions. I believe without any explicit user id set on the Kubernetes container, the mounted secret should be owned by root. I have set 416 decimal for octal 0640. This is a recommendation from Postgres if files are owned by root.

Any help is appreciated.

Error:

 FATAL:  could not load private key file "/var/lib/postgresql/certs/server.key": Permission denied

Helm statefulset config:

  volumes:
  - name: {{ .Values.certs_secret.volume_name }}
    secret:
      secretName: {{ .Values.certs_secret.secret_name }}
      items:
      - key: server.key
        path: server.key
        mode: 416   # decimal 416 == octal 0640 (rw-r-----)
      - key: server.crt
        path: server.crt
        mode: 511   # decimal 511 == octal 0777 (rwxrwxrwx)
  containers:
  - name: {{ .Chart.Name }}
    args:
      - -c
      - ssl=on
      - -c
      - ssl_cert_file={{ .Values.certs_secret.cert_path }}
      - -c
      - ssl_key_file={{ .Values.certs_secret.private_key_path }}
    volumeMounts:
    - name: {{ .Values.certs_secret.volume_name }}
      mountPath: {{ .Values.certs_secret.mount_path }}

Updated

I have exec'd in without turning SSL on and found secret files are mounted as symlinks. Could this be a problem? The cluster is in AKS.

root@postgres-timescale-db-0:/var/lib/postgresql/certs# find . -ls
        2      0 drwxrwxrwt   3 root     root          120 Oct 29 16:40 .
        8      0 lrwxrwxrwx   1 root     root           31 Oct 29 16:40 ./..data -> ..2019_10_29_16_40_00.233198123
        7      0 lrwxrwxrwx   1 root     root           17 Oct 29 16:40 ./server.crt -> ..data/server.crt
        6      0 lrwxrwxrwx   1 root     root           17 Oct 29 16:40 ./server.key -> ..data/server.key
        3      0 drwxr-xr-x   2 root     root           80 Oct 29 16:40 ./..2019_10_29_16_40_00.233198123
        5      8 -rwxrwxrwx   1 root     root         4450 Oct 29 16:40 ./..2019_10_29_16_40_00.233198123/server.crt
        4      4 -rw-r-----   1 root     root         1679 Oct 29 16:40 ./..2019_10_29_16_40_00.233198123/server.key
-- Rag
kubernetes
kubernetes-helm
postgresql

1 Answer

10/28/2019

As what user does postgres run - root or something else? Some Docker images use postgres with uid of 999...

Without having the complete deployment configuration I'll suggest that, once you know the user, take a look at this doc for how to configure securityContext to set the ownership of directories and files from mounted volumes.

-- apisim
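The following is an added worked example of the approach the answer points at (a pod-level securityContext so the mounted Secret is readable by the database user); it is not code from the question, the answer, or any chart. It assumes the image's postgres user has uid/gid 999 (verify with `id postgres` inside the container), a Secret named postgres-tls with keys server.crt and server.key, and placeholder paths in place of the chart values. Two details matter here: Kubernetes renders Secret files as root-owned symlinks into a `..data` directory, and `fsGroup` only changes the group of those files, not the owner. The `fsGroup` plus `defaultMode: 0640` part is enough where PostgreSQL accepts a root-owned, group-readable key (check the `ssl_key_file` rules in the docs for your version); the init container that copies the key into an emptyDir as uid 999 with mode 0600 satisfies the stricter "owned by the database user, no group/world access" rule regardless of version.

```yaml
# Added example (not from the question or the answer): a trimmed StatefulSet
# that runs PostgreSQL as a non-root user and gives that user access to a
# Secret-mounted TLS key. Assumptions: the image's postgres user is uid/gid
# 999, the Secret is named postgres-tls with keys server.crt and server.key,
# and the paths below stand in for the chart values.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
spec:
  serviceName: postgres
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      securityContext:
        runAsUser: 999        # uid of the postgres user in the image (assumed)
        runAsGroup: 999
        fsGroup: 999          # Secret files are rendered root:999 with group read
      volumes:
      - name: tls-secret
        secret:
          secretName: postgres-tls
          defaultMode: 0640   # YAML accepts octal; JSON would need decimal 416
      - name: tls-private     # scratch space for a key copy owned by uid 999
        emptyDir: {}
      initContainers:
      - name: copy-tls-key
        image: busybox:1.36
        securityContext:
          runAsUser: 0        # root, so it can chown the copy to 999
        command: ["sh", "-c"]
        args:
        - >-
          cp -L /tls-secret/server.key /tls-private/server.key &&
          chown 999:999 /tls-private/server.key &&
          chmod 0600 /tls-private/server.key
        volumeMounts:
        - name: tls-secret
          mountPath: /tls-secret
          readOnly: true
        - name: tls-private
          mountPath: /tls-private
      containers:
      - name: postgres
        image: postgres:9.6
        args:
        - -c
        - ssl=on
        - -c
        - ssl_cert_file=/var/lib/postgresql/certs/server.crt
        - -c
        - ssl_key_file=/var/lib/postgresql/certs-private/server.key
        volumeMounts:
        - name: tls-secret
          mountPath: /var/lib/postgresql/certs
          readOnly: true
        - name: tls-private
          mountPath: /var/lib/postgresql/certs-private
```

`cp -L` dereferences the `..data` symlink so the copy is a regular file, which is what the permission check inspects. After the pod starts, confirm the effective user and the key's ownership with `kubectl exec postgres-0 -- sh -c 'id; stat -L -c "%U:%G %a %n" /var/lib/postgresql/certs-private/server.key'`; it should report uid 999 and `postgres:postgres 600` (or `999:999 600` if the busybox image does not know the name). If you keep the key only in the Secret volume, the same `stat -L` on /var/lib/postgresql/certs/server.key should show `root:999 640`, and that is the combination PostgreSQL must be willing to accept.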
Source: StackOverflow