Commit d0f42ba
K8SPG-911: Add pg_tde support
This commit adds native pg_tde extension support into the operator.
**This commit only adds Vault KMS support for pg_tde. KMIP support will
be added in future releases.**
When pg_tde is enabled and Vault configuration is provided, the operator:
- appends pg_tde into shared_preload_libraries,
- mounts Vault token and CA secrets into database containers,
- runs CREATE EXTENSION in all databases,
- creates Vault provider by running pg_tde_add_global_key_provider_vault_v2,
- creates a global key by running pg_tde_create_key_using_global_key_provider,
- sets the default key by running pg_tde_set_default_key_using_global_key_provider.
-> Example configuration
```
pg_tde:
  enabled: true
  vault:
    host: https://vault-service.vault-service.svc:8200
    mountPath: tde
    tokenSecret:
      name: vault-secret
      key: token
    caSecret:
      name: vault-secret
      key: ca.crt
```
Note that:
- Mount path needs to be a KV v2 storage engine.
- caSecret is optional and can be omitted if you want to use http. But
in my testing I couldn't manage to make Vault work without TLS. It
responds with HTTP 405 if I disable TLS in Vault.
- tokenSecret and caSecret can be the same secret or different. Operator
doesn't assume anything about the contents of the secrets since you'll
need to set secret keys in cr.yaml yourself.
- Using a non-root token requires more configuration. Check out pg_tde
docs for that. But don't forget to add these in the Vault policy:
```
path "sys/internal/ui/mounts/*" {
  capabilities = ["read"]
}
path "sys/mounts/*" {
  capabilities = ["read"]
}
```
-> API changes
pg_tde requires more configuration options than other extensions the
operator supports. This required us to make some changes in the extensions
API. With these changes, 'spec.extensions.builtin' section is deprecated
and all builtin extensions are moved to 'spec.extensions.<extension>'
(i.e. 'spec.extensions.pg_stat_monitor'). Right now extensions can be
enabled/disabled with the old and the new method. If two methods are
used at the same time, 'spec.extensions.builtin' takes precedence.
-> Status changes
A hash will be calculated using the pg_tde configuration provided by the user.
The operator uses this hash to understand if the config has changed and it should
reconfigure pg_tde. The hash can be found in the status.pgTDERevision field
of **PostgresCluster** object. This hash will be removed when pg_tde is
disabled.
Operator also communicates the status of pg_tde with conditions. The
condition with type=PGTDEEnabled can be found in both PerconaPGCluster
and PostgresCluster statuses.
-> Disabling pg_tde
Disabling pg_tde is more complex than other extensions:
- First of all, any encrypted objects must be dropped before disabling.
Otherwise DROP EXTENSION will fail with a descriptive error message.
**Operator won't drop anything, user needs to do this manually.**
- The extension needs to be disabled in two steps:
1. First set pg_tde.enabled=false without removing the vault section.
Operator will drop the extension and restart the pods.
2. Then you can remove pg_tde.vault. Database pods will be restarted
again to remove secret mounts from containers.
- It's recommended to run CHECKPOINT before removing pg_tde.vault. Even
though the extension is dropped, Postgres might still try to use encrypted
objects during recovery after a restart and it might try to access the token
secret. CHECKPOINT helps you prevent this failure case.
-> Deleting and recreating clusters
If a cluster with pg_tde enabled is deleted but PVCs are retained, on
recreation you'll see some errors about pg_tde in operator logs. They
happen because the vault provider and/or global key already exist.
The operator will handle these errors gracefully and configure pg_tde. The same
thing applies when pg_tde is disabled and re-enabled. Since both the vault
provider and the global key already exist, the operator will handle "already
exists" errors and configure pg_tde.
The global key name is determined by the cluster's .metadata.uid. For
example 'global-master-key-ad19534a-d778-460e-ac87-ca38ef5e6755'. This
means the key will be changed if the cluster is deleted and recreated. As
long as the old key and the new key are accessible to pg_tde, this won't
cause any issues. pg_tde will handle it as it handles key rotation.
-> Validations
- You can't set pg_tde.enabled=true without setting pg_tde.vault.
- If you already had pg_tde.enabled, you can't remove pg_tde section
completely.
- If you already had pg_tde.enabled, you can't remove pg_tde.vault
section completely.
---------
K8SPG-911: pg_tde improvements/fixes
- add pg version validation
- explicitly disable wal encryption
- enable pg_tde in restore job
- [e2e] read from all pods after restore
- use pg_tde binaries in patroni
- fix vault provider change
All items except the last are straightforward. Fixing the vault provider
change required a lot of changes.
The problem with changing the Vault token in pg_tde was that pg_tde
requires both the new and the old token at the same time to perform the
change. This is not trivial to achieve on K8s, since the operator needs to
mount the new secret to the pods and somehow needs to keep the old
secret mounted.
To achieve this, operator performs provider change in two phases:
1. In the first phase, operator keeps the old secret mounted in the pod
and prevents restart. Then it fetches the new secret contents and
stores them in temporary files in the `/pgdata` directory. Then, the operator
runs pg_tde_change_global_key_provider_vault_v2.
2. In the second phase, operator mounts the new secret and restarts the
pods. Then it runs pg_tde_change_global_key_provider_vault_v2 with
standard credential paths. At the end of this phase, temporary files
are cleaned up.
1 parent 1172a77 commit d0f42ba
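The validation rules from the "Validations" section and the status revision hash from the "Status changes" section, as an added Go example that is not part of the operator's code base: the `PGTDESpec`/`VaultSpec`/`SecretKeySelector` types, `ValidatePGTDE`, `PGTDERevision` and the SHA-256-over-canonical-JSON scheme are assumptions made for illustration; the operator's real types and hash function are not shown on this page.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// SecretKeySelector names one key inside a Kubernetes Secret, the same shape
// as tokenSecret/caSecret in the example configuration (hypothetical type).
type SecretKeySelector struct {
	Name string `json:"name"`
	Key  string `json:"key"`
}

// VaultSpec models the pg_tde.vault section (hypothetical type).
type VaultSpec struct {
	Host        string             `json:"host"`
	MountPath   string             `json:"mountPath"`
	TokenSecret SecretKeySelector  `json:"tokenSecret"`
	CASecret    *SecretKeySelector `json:"caSecret,omitempty"` // optional
}

// PGTDESpec models the pg_tde section (hypothetical type).
type PGTDESpec struct {
	Enabled bool       `json:"enabled"`
	Vault   *VaultSpec `json:"vault,omitempty"`
}

var (
	ErrVaultRequired  = errors.New("pg_tde.enabled=true requires pg_tde.vault to be set")
	ErrSectionRemoved = errors.New("pg_tde section cannot be removed while pg_tde is enabled")
	ErrVaultRemoved   = errors.New("pg_tde.vault cannot be removed while pg_tde is enabled")
)

// ValidatePGTDE checks a transition from the currently applied spec (nil for a
// new cluster) to the desired one against the three rules in the Validations
// section. The two-step disable stays allowed: enabled=false while keeping
// vault is accepted, and vault may then be removed on the following update.
func ValidatePGTDE(current, desired *PGTDESpec) error {
	wasEnabled := current != nil && current.Enabled
	if desired == nil {
		if wasEnabled {
			return ErrSectionRemoved
		}
		return nil
	}
	if desired.Enabled && desired.Vault == nil {
		return ErrVaultRequired
	}
	if wasEnabled && desired.Vault == nil {
		return ErrVaultRemoved
	}
	return nil
}

// PGTDERevision returns the hex SHA-256 of the JSON encoding of the spec.
// encoding/json writes struct fields in declaration order, so an unchanged
// configuration always yields the same revision and any change (e.g. pointing
// tokenSecret at another Secret) yields a new one. The revision is empty when
// pg_tde is disabled, matching the status behaviour described above.
// Hashing SHA-256 over JSON is an assumption, not the operator's actual scheme.
func PGTDERevision(spec *PGTDESpec) (string, error) {
	if spec == nil || !spec.Enabled {
		return "", nil
	}
	raw, err := json.Marshal(spec)
	if err != nil {
		return "", err
	}
	sum := sha256.Sum256(raw)
	return hex.EncodeToString(sum[:]), nil
}

func main() {
	// Constructed sample spec mirroring the example configuration above.
	vault := &VaultSpec{
		Host:        "https://vault-service.vault-service.svc:8200",
		MountPath:   "tde",
		TokenSecret: SecretKeySelector{Name: "vault-secret", Key: "token"},
		CASecret:    &SecretKeySelector{Name: "vault-secret", Key: "ca.crt"},
	}
	enabled := &PGTDESpec{Enabled: true, Vault: vault}
	rev, _ := PGTDERevision(enabled)
	fmt.Println("pgTDERevision:", rev)

	// Rejected transitions.
	fmt.Println(ValidatePGTDE(nil, &PGTDESpec{Enabled: true}))
	fmt.Println(ValidatePGTDE(enabled, nil))
	fmt.Println(ValidatePGTDE(enabled, &PGTDESpec{Enabled: false}))

	// Accepted two-step disable: enabled=false first, then drop vault.
	step1 := &PGTDESpec{Enabled: false, Vault: vault}
	fmt.Println(ValidatePGTDE(enabled, step1), ValidatePGTDE(step1, &PGTDESpec{}))
}
```

The transition check takes both the applied and the desired spec because two of the three rules depend on what was previously enabled; the same shape is what an admission webhook or a reconcile-time validation would receive.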
62 files changed
Lines changed: 3421 additions & 63 deletions
File tree
- build/crd
- crunchy/generated
- percona/generated
- config/crd/bases
- deploy
- e2e-tests
- tests
- builtin-extensions
- custom-extensions
- pg-tde
- upgrade-minor
- internal
- controller/postgrescluster
- naming
- patroni
- pgbackrest
- pgtde
- pgvector
- postgres
- percona/controller
- pgbackup
- pgcluster
- pkg/apis
- pgv2.percona.com/v2
- postgres-operator.crunchydata.com/v1beta1