postgres-operator
DB Passwords managed outside (Vault), how to trigger rollout restart?
Please answer some short questions which should help us understand your problem / question better.
- Which image of the operator are you using? registry.opensource.zalan.do/acid/postgres-operator:v1.11.0
- Where do you run it - cloud or metal? Kubernetes or OpenShift? [AWS K8s | GCP ... | Bare Metal K8s] Kubernetes (Talos) on OpenStack
- Are you running Postgres Operator in production? Not yet
- Type of issue? Question / Feat request
Hello, we are working on a DBaaS service based on postgres-operator for Postgres instances and HashiCorp Vault for database role and credential management. Initially, Postgres system credentials are provided by postgres-operator through the Kubernetes secrets
- postgres.xxxxxx.credentials.postgresql.acid.zalan.do
- standby.xxxxxx.credentials.postgresql.acid.zalan.do
and passed through environment variables to the Postgres pods.
We are using in-house code and Vault Config Operator (VCO) to register the Postgres instance in Vault and create roles (static and dynamic). The Postgres admin role is managed by Vault with possible rotation. We are also using Vault Secrets Operator (VSO) to sync credentials back from Vault into the initial Kubernetes secret.
But we are missing a way to cleanly trigger a Postgres pods/nodes restart to sync the environment variables and the in-pod Postgres admin and standby credentials. We tried the rolloutRestartTargets feature of VSO and stakater/Reloader to trigger a StatefulSet rollout, but the updateStrategy is statically set to OnDelete and the pods are not restarted.
Is there a way to cleanly roll out the StatefulSet to restart pods/nodes in case of a password rotation from Vault?
https://github.com/zalando/postgres-operator/issues/847
Link to issue with a similar request: https://github.com/zalando/postgres-operator/issues/1968
I am testing the use of the annotation zalando-postgres-operator-rolling-update-required.
Adding it to the pod template in the StatefulSet resource triggers a resync and recreation of the pods.
I will then test with a Kyverno policy to add the annotation on secret change.
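One way to wire up that last step, as an added example that is not from this thread, from postgres-operator or from Kyverno: a Kyverno "mutate existing" policy that reacts to an update of an operator-managed credentials Secret by stamping the rolling-update annotation onto the pod template of that cluster's StatefulSet. It assumes the operator's default cluster_name_label (`cluster-name`) on its secrets, a Kyverno release with mutate-existing support, and the annotation behaviour reported above.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: postgres-rolling-update-on-credential-rotation
spec:
  rules:
    - name: flag-statefulset-pod-template
      # Fire on the credential secrets the operator creates; VSO writes the
      # rotated password back into these same objects.
      match:
        any:
          - resources:
              kinds:
                - Secret
              names:
                - "postgres.*.credentials.postgresql.acid.zalan.do"
                - "standby.*.credentials.postgresql.acid.zalan.do"
      # React only to updates (a rotation), not to the initial creation,
      # which would needlessly restart a freshly bootstrapped cluster.
      preconditions:
        all:
          - key: "{{ request.operation || 'BACKGROUND' }}"
            operator: Equals
            value: UPDATE
      mutate:
        # Target an existing resource: the StatefulSet of the cluster that
        # owns the secret. The operator labels its secrets with the cluster
        # name (assumption: default cluster_name_label "cluster-name"), and
        # names the StatefulSet after the cluster.
        targets:
          - apiVersion: apps/v1
            kind: StatefulSet
            namespace: "{{ request.namespace }}"
            name: '{{ request.object.metadata.labels."cluster-name" }}'
        patchStrategicMerge:
          spec:
            template:
              metadata:
                annotations:
                  # The operator reads this as a boolean flag, so the value
                  # stays "true" rather than a rotation counter.
                  zalando-postgres-operator-rolling-update-required: "true"
```

Kyverno's background controller must be granted RBAC to get and update StatefulSets for the target mutation to be applied, and a staging cluster is the place to confirm that the operator's sync picks up the template change before relying on it for production rotations.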