postgres-operator icon indicating copy to clipboard operation
postgres-operator copied to clipboard
verified publisher icon CrunchyData

Ability to set service externalTrafficPolicy & internalTrafficPolicy to Local

Open yarosq opened this issue 2 years ago • 4 comments

Overview

We have some clients connecting to our databases from outside the Kubernetes cluster. By default service with type Loadbalancer set externalTrafficPolicy/internalTrafficPolicy to Cluster which mask the source IP with the Kubernetes nodes IP. In this case we can not control the access to the cluster based on source IP.

Use Case

Setting externalTrafficPolicy/internalTrafficPolicy to local allows us to preserve IPs of the client, thus we can restrict/allow access via pg_hba.

Desired Behavior

Ability to set service externalTrafficPolicy & internalTrafficPolicy to Local

kind: PostgresCluster
spec:
  service:
    externalTrafficPolicy: Local
    internalTrafficPolicy: Local
...

yarosq avatar Dec 05 '23 03:12 yarosq

Hi, sorry you're running into this, and I can definitely see how it would be necessary to adjust the services that PGO creates.

That said, for a short-term fix, could you create/manage services directly? That way you could define the service with exactly the specs that you need. (You could completely ignore the PGO-provided services or use them as models for your services, e.g., what selectors the service needs, etc.)

benjaminjb avatar Dec 21 '23 19:12 benjaminjb

I've just had another idea, but not sure it will work: PGO doesn't directly edit the externalTrafficPolicy and internalTrafficPolicy fields -- can you edit the fields of the services? And does PGO overwrite those fields if you do?

benjaminjb avatar Dec 27 '23 21:12 benjaminjb

I've just had another idea, but not sure it will work: PGO doesn't directly edit the externalTrafficPolicy and internalTrafficPolicy fields -- can you edit the fields of the services? And does PGO overwrite those fields if you do?

Thank you @benjaminjb Yes that what I am using as a workaround at the moment as PGO does not update internalTrafficPolicy/externalTrafficPolicy. The only problem, it complicates the setup with CD tools such as Flux, so hoping this can be added in the future releases.

yarosq avatar Jan 02 '24 02:01 yarosq

Just noting here that we have a story in our development backlog for this ability.

dsessler7 avatar Jan 20 '24 01:01 dsessler7

Hello @yarosq, just wanted to update you on the state of this issue if you haven't seen: a PR with these changes was merged in and is part of the most recent release. Thanks for bringing this to our attention!

benjaminjb avatar Jun 24 '24 19:06 benjaminjb