
Commit 851e6c1

committed
add support for TLS in CNPG
Signed-off-by: Utkarsh Srivastava <srivastavautkarsh8097@gmail.com>
1 parent 7dc6f1d commit 851e6c1

2 files changed

Lines changed: 23 additions & 3 deletions


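--- a/pkg/system/db_reconciler.go
+++ b/pkg/system/db_reconciler.go
@@ -301,6 +301,15 @@ func (r *Reconciler) reconcileClusterSpec(dbSpec *nbv1.NooBaaDBSpec) error {
 Enabled: true,
 }
 
+if r.CNPGCluster.Spec.Certificates == nil {
+r.CNPGCluster.Spec.Certificates = &cnpgv1.CertificatesConfiguration{}
+}
+r.CNPGCluster.Spec.Certificates.ServerAltDNSNames = []string{
+r.ServiceDbPg.Name,
+r.ServiceDbPg.Name + "." + r.Request.Namespace,
+r.ServiceDbPg.Name + "." + r.Request.Namespace + ".svc",
+}
+
 r.CNPGCluster.Spec.FailoverDelay = defaultFailoverDelaySec
 
 r.setPostgresConfig()
@@ -606,6 +615,17 @@ func (r *Reconciler) setPostgresConfig() {
 }
 r.cnpgLog("PGTune config: memory=%dKB, cpu=%d, endpoints=%d", totalMemoryKB, cpuNum, endpointMaxCount)
 
+// propagate TLS security settings to the PostgreSQL server
+tlsSec := r.NooBaa.Spec.Security.APIServerSecurity
+if tlsSec != nil && !util.IsTLSConfigDisabled() {
+if tlsSec.TLSMinVersion != nil {
+overrideParameters["ssl_min_protocol_version"] = string(*tlsSec.TLSMinVersion)
+}
+if len(tlsSec.TLSCiphers) > 0 {
+overrideParameters["ssl_ciphers"] = util.MapCiphersToOpenSSL(tlsSec.TLSCiphers)
+}
+}
+
 // apply any user-specified DBConf overrides on top of the calculated values
 if r.NooBaa.Spec.DBSpec.DBConf != nil {
 for k, v := range r.NooBaa.Spec.DBSpec.DBConf {
@@ -879,6 +899,7 @@ func (r *Reconciler) wasClusterSpecChanged(existingClusterSpec *cnpgv1.ClusterSp
 !reflect.DeepEqual(existingClusterSpec.Monitoring, r.CNPGCluster.Spec.Monitoring) ||
 !reflect.DeepEqual(existingClusterSpec.PostgresConfiguration.Parameters, r.CNPGCluster.Spec.PostgresConfiguration.Parameters) ||
 !reflect.DeepEqual(existingClusterSpec.Backup, r.CNPGCluster.Spec.Backup) ||
+!reflect.DeepEqual(existingClusterSpec.Certificates, r.CNPGCluster.Spec.Certificates) ||
 existingClusterSpec.PriorityClassName != r.CNPGCluster.Spec.PriorityClassName ||
 existingClusterSpec.FailoverDelay != r.CNPGCluster.Spec.FailoverDelay
 }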
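Review bot: The ServerAltDNSNames list assigned at new lines 307-311 of reconcileClusterSpec covers the bare service name, name.namespace and name.namespace.svc, but not the fully-qualified name.namespace.svc.&lt;cluster-domain&gt; form (cluster.local on a default Kubernetes install), so a client that connects by FQDN and verifies the server certificate will fail on hostname mismatch. If the cluster domain is known or configurable here, add it as a fourth entry, e.g. `r.ServiceDbPg.Name + "." + r.Request.Namespace + ".svc.cluster.local",`; otherwise a comment on the list should state that verifying clients must use one of the three listed names. The assignment also replaces any ServerAltDNSNames that were already present when Spec.Certificates was non-nil; if that field can carry user-supplied names, appending to it rather than overwriting would preserve them. reconcileClusterSpec starts before and continues after the hunk.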

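--- a/pkg/system/phase2_creating.go
+++ b/pkg/system/phase2_creating.go
@@ -577,14 +577,13 @@ func (r *Reconciler) setDesiredCoreEnv(c *corev1.Container) {
 c.Env[j].Value = ""
 c.Env[j].ValueFrom = nil
 case "POSTGRES_SSL_REQUIRED":
-if r.NooBaa.Spec.ExternalPgSSLRequired {
+if r.NooBaa.Spec.ExternalPgSSLRequired || r.shouldReconcileCNPGCluster() {
 c.Env[j].Value = "true"
 }
 case "POSTGRES_SSL_UNAUTHORIZED":
-if r.NooBaa.Spec.ExternalPgSSLUnauthorized {
+if r.NooBaa.Spec.ExternalPgSSLUnauthorized || r.shouldReconcileCNPGCluster() {
 c.Env[j].Value = "true"
 }
-
 case "POSTGRES_DBNAME_PATH":
 c.Env[j].Value = postgresSecretMountPath + "/dbname"
 case "POSTGRES_PASSWORD_PATH":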
