I am setting up SSL for Postgres 9.6 connections. I could not mount SSH private key and cert in a Kubernetes secret with appropriate permissions. I believe without any explicit user id set on the Kubernetes container, the mounted secret should be owned by root. I have set 416 (decimal for octal 0640). This is a recommendation from Postgres if files are owned by root.
Any help is appreciated.
Error:
FATAL: could not load private key file "/var/lib/postgresql/certs/server.key": Permission denied
Helm statefulset config:
volumes:
- name: {{ .Values.certs_secret.volume_name }}
  secret:
    secretName: {{ .Values.certs_secret.secret_name }}
    items:
    - key: server.key
      path: server.key
      mode: 416
    - key: server.crt
      path: server.crt
      mode: 511
containers:
- name: {{ .Chart.Name }}
  args:
  - -c
  - ssl=on
  - -c
  - ssl_cert_file={{ .Values.certs_secret.cert_path }}
  - -c
  - ssl_key_file={{ .Values.certs_secret.private_key_path }}
  volumeMounts:
  - name: {{ .Values.certs_secret.volume_name }}
    mountPath: {{ .Values.certs_secret.mount_path }}
Updated
I have exec'd in without turning SSL on and found secret files are mounted as symlinks. Could this be a problem? The cluster is in AKS.
root@postgres-timescale-db-0:/var/lib/postgresql/certs# find . -ls
2 0 drwxrwxrwt 3 root root 120 Oct 29 16:40 .
8 0 lrwxrwxrwx 1 root root 31 Oct 29 16:40 ./..data -> ..2019_10_29_16_40_00.233198123
7 0 lrwxrwxrwx 1 root root 17 Oct 29 16:40 ./server.crt -> ..data/server.crt
6 0 lrwxrwxrwx 1 root root 17 Oct 29 16:40 ./server.key -> ..data/server.key
3 0 drwxr-xr-x 2 root root 80 Oct 29 16:40 ./..2019_10_29_16_40_00.233198123
5 8 -rwxrwxrwx 1 root root 4450 Oct 29 16:40 ./..2019_10_29_16_40_00.233198123/server.crt
4 4 -rw-r----- 1 root root 1679 Oct 29 16:40 ./..2019_10_29_16_40_00.233198123/server.key
As what user does postgres run - root or something else? Some Docker images use postgres with a uid of 999...
Without having the complete deployment configuration, I'll suggest that, once you know the user, you take a look at this doc for how to configure securityContext to set the ownership of directories and files from mounted volumes.
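An added example (not the asker's chart or the answerer's text) of the securityContext approach: the find output above shows the key as root:root 0640, so a postgres process running as uid 999 cannot read it; setting fsGroup makes the kubelet chown the secret files to that group while keeping 0640, which Postgres 9.6 accepts for a root-owned key. The secret name, mount path and the uid/gid 999 are assumptions taken from the answer and the question, not values confirmed by the page.

```yaml
# Added example: pod template for a Postgres StatefulSet with ownership fixed via fsGroup.
# Assumes the official postgres image (runs as uid/gid 999) and a secret "postgres-certs".
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: postgres
spec:
  serviceName: postgres
  selector:
    matchLabels:
      app: postgres
  template:
    metadata:
      labels:
        app: postgres
    spec:
      securityContext:
        runAsUser: 999      # run the server directly as the postgres uid (assumed 999)
        runAsGroup: 999
        fsGroup: 999        # kubelet chowns secret files to root:999; key stays 0640
      volumes:
      - name: certs
        secret:
          secretName: postgres-certs
          items:
          - key: server.key
            path: server.key
            mode: 416       # 0640: root-owned, group-readable, no world access
          - key: server.crt
            path: server.crt
            mode: 292       # 0444: the certificate is public, 0777 (511) is unnecessary
      containers:
      - name: postgres
        image: postgres:9.6
        args:
        - -c
        - ssl=on
        - -c
        - ssl_cert_file=/var/lib/postgresql/certs/server.crt
        - -c
        - ssl_key_file=/var/lib/postgresql/certs/server.key
        volumeMounts:
        - name: certs
          mountPath: /var/lib/postgresql/certs
          readOnly: true
```

After rollout, `find /var/lib/postgresql/certs -ls` inside the container should show the key as root:999 with -rw-r-----; the ..data symlinks are normal for secret volumes, since Postgres stats the resolved file.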