
Use of Vault dynamic secrets and bitnami/postgresql-ha

Open regel opened this issue 1 year ago • 0 comments

Name and Version

bitnami/postgresql-ha-9.3.2 app version=14.4.0

What is the problem this feature will solve?

AS-IS:

Trying to leverage HashiCorp Vault dynamic secrets fails, since the file /opt/bitnami/pgpool/conf/pool_passwd in the pgpool pod is static and does not know about the dynamic (ephemeral) secrets that Vault injects directly inside the database.

Example of this behavior:

$ kubectl run foo-postgresql-ha-client --rm --tty -i --restart='Never' --namespace default --image docker.io/bitnami/postgresql-repmgr:14.4.0-debian-11-r23 --env="PGPASSWORD=chP2RKxfBZDjw6TWr5e-"  \
        --command -- psql -h foo-postgresql-ha-pgpool -p 5432 -U v-root-my-role-TzICi94HJy3SY64sqW6N-1660138635 -d hello
psql: error: connection to server at "foo-postgresql-ha-pgpool" (10.96.253.12), port 5432 failed: FATAL:  SCRAM authentication failed
DETAIL:  pool_passwd file does not contain an entry for "v-root-my-role-TzICi94HJy3SY64sqW6N-1660138635"
pod "foo-postgresql-ha-client" deleted
pod default/foo-postgresql-ha-client terminated (Error)

What is the feature you are proposing to solve the problem?

Either: less restrictive validation. Allow the 'trust' authentication method in pgpool, and let the postgres database pod verify credentials. Or: the ability to replace the file pool_hba.conf with custom content during helm install for this Chart.

What alternatives have you considered?

I considered editing the file /opt/bitnami/pgpool/conf/pool_hba.conf in the pgpool pod; however, it cannot be modified via the Helm Chart and still contains the default values (scram-sha-256 for all users):

local all all trust
host all repmgr all trust
host all postgres all scram-sha-256
host all wide all trust
host all pop_user all trust
host all all all scram-sha-256

Finally, as a second alternative, I tried to set pgpool.authenticationMethod=trust in the Helm install values; this results in the following validation error, and the pgpool pod fails to start:

pgpool 14:08:06.17 Welcome to the Bitnami pgpool container
pgpool 14:08:06.18 Subscribe to project updates by watching https://github.com/bitnami/containers
pgpool 14:08:06.18 Submit issues and feature requests at https://github.com/bitnami/containers/issues
pgpool 14:08:06.18 
pgpool 14:08:06.18 INFO  ==> ** Starting Pgpool-II setup **
pgpool 14:08:06.22 INFO  ==> Validating settings in PGPOOL_* env vars...
pgpool 14:08:06.25 ERROR ==> The values allowed for PGPOOL_AUTHENTICATION_METHOD: md5,scram-sha-256

regel avatar Aug 10 '22 14:08 regel

Hi, could you take a look at the PGPOOL_USER_HBA_FILE environment variable in the image? I think you could use it in this case.

rafariossaa avatar Aug 16 '22 09:08 rafariossaa

@rafariossaa, not quite sure how to apply your suggestion. Could you please provide an example of how to set both the PGPOOL_USER_HBA_FILE environment variable and the contents of the file it points to, and pass both of those to the helm install/upgrade? Thx!

mimperatore avatar Aug 19 '22 21:08 mimperatore
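A worked example of the approach rafariossaa points at, added here by the editor; it is not code from the thread, the chart or the Bitnami documentation. It assumes that bitnami/postgresql-ha 9.3.2 exposes the chart values pgpool.extraEnvVars, pgpool.extraVolumes and pgpool.extraVolumeMounts, and that the pgpool image honours PGPOOL_USER_HBA_FILE as the path of a pool_hba.conf to use instead of the generated one. The ConfigMap name (pgpool-custom-hba), the mount path (/opt/bitnami/pgpool/custom), the pod CIDR (10.244.0.0/16) and the release name (foo) are placeholders chosen for this example; the database name hello comes from the psql command in the issue. The first YAML document is a Kubernetes manifest for kubectl, the second is a Helm values file.

```yaml
# --- File 1: configmap-pgpool-hba.yaml, applied with: kubectl apply -f configmap-pgpool-hba.yaml
# pool_hba.conf is evaluated top to bottom, first match wins (same model as pg_hba.conf).
# Instead of the requested "trust for everyone", the trust rule is scoped to one database
# and one source network, so pgpool still demands scram-sha-256 from every other client.
apiVersion: v1
kind: ConfigMap
metadata:
  name: pgpool-custom-hba          # example name, referenced from the values file below
  namespace: default
data:
  pool_hba.conf: |
    # TYPE  DATABASE  USER      ADDRESS          METHOD
    local   all       all                        trust
    host    all       repmgr    all              trust
    host    all       postgres  all              scram-sha-256
    # Vault-issued users (v-root-my-role-...) are unknown to pool_passwd, so pgpool
    # cannot verify their SCRAM credentials. Let connections to the "hello" database
    # from the pod network (placeholder CIDR) through without a pgpool-side check.
    host    hello     all       10.244.0.0/16    trust
    # Everything else keeps the chart's default behaviour.
    host    all       all       all              scram-sha-256
---
# --- File 2: values-pgpool-hba.yaml, passed with:
#   helm upgrade --install foo bitnami/postgresql-ha --version 9.3.2 -f values-pgpool-hba.yaml
# Mount the ConfigMap into the pgpool pod and point the container at it.
pgpool:
  extraEnvVars:
    - name: PGPOOL_USER_HBA_FILE
      # Path is an example; it must match mountPath + the ConfigMap key.
      value: /opt/bitnami/pgpool/custom/pool_hba.conf
  extraVolumes:
    - name: custom-pool-hba
      configMap:
        name: pgpool-custom-hba
        defaultMode: 0440          # readable by the non-root pgpool user, not world-readable
  extraVolumeMounts:
    - name: custom-pool-hba
      mountPath: /opt/bitnami/pgpool/custom
      readOnly: true
```

Two caveats worth checking before relying on this. First, `trust` in pool_hba.conf only removes pgpool's own check of the client; pgpool still has to authenticate to the PostgreSQL backend as that user, and for md5/scram-sha-256 backend authentication it takes the password from pool_passwd, so a Vault-issued user absent from that file can still fail on the backend side unless the backend's pg_hba.conf accepts the pgpool pods' addresses or pgpool is configured to forward the client's password. Second, a `trust` rule makes every client that can reach the pgpool Service from the listed CIDR a valid user of that database, so pair it with a NetworkPolicy that limits who can talk to pgpool, and verify the result after the upgrade with `kubectl exec <pgpool-pod> -- cat /opt/bitnami/pgpool/conf/pool_hba.conf`.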

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

bitnami-bot avatar Sep 04 '22 01:09 bitnami-bot

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.

bitnami-bot avatar Sep 09 '22 01:09 bitnami-bot