-
Notifications
You must be signed in to change notification settings - Fork 49
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IMPORTANT: Missing ssl_ca_file in Spilo Config #435
Comments
I'm thinking that adding one line may solve this ...
There may need to be some logic somewhere to exclude it if its not supplied, not sure what postgreSql will do if its set to empty |
So, I built a custom image after making the above changes using:
Tagged it and uploaded it to my Dockerhub, I will next try it by removing the ca file from the pod, to test what PostgreSQL does when no ca is specified, but this ends up in the postgres parameters
|
I did this test, and can confirm that PostgreSQL threw a fit :) with the following log entry
So some logic in there somewhere is obviously required to ensure that parameter is populated with the correct ca or not included Possibly in |
Some additional issues with the Helm chart can be found at: timescale/helm-charts#641 |
The configure_spilo.py is deprecated long ago. Patroni is configured from the helm chart: That configuration is stored in its own configmap and is mounted into the Patroni container using the volume defined from that configmap: |
@MarkCupitt one may need to add support for the I think if one wants to retain this compatibility, the right actions would be moving |
@alexeyklyukin If we include the ssl_ca_file in the helm chart, which we can in the postgres section, it IS included in the configmap, however it gets stripped out and does not end up in the postgres config in the container, I have verified that. If I add the ssl_ca_file into a running container postgres parameters and reload the config, it works as expected. SO whatever script runs at container init is the point of failure, I presumed it was the configure_spilo.py, in the container as part of the patroni deployment process but based on what you say, there must be some other process that runs???? Do you know what that is, so I can look at a fix, I have only been able to find the configure_spilo script in the container that seems to access that parameter... I did a global repo search I don't think this is a helm issue as the chart does what it is supposed to and ssl_ca_file does end up in the config map, and is mounted, it breaks down after that point |
@MarkCupitt the container init is at timescaledb-docker-ha/timescaledb_entrypoint.sh Lines 1 to 50 in 26d75a1
unless you specify the In the helm chart values, you have the the The default behavior, if you don't specify the custom secret in the |
@alexeyklyukin in a Kubernetes environment adding a Ca in certificateSecretName breaks Patroni. This certificate is used to talk to the Kubernetes API and of course. on a custom cert, kubernetes does not know about it. Patroni DCS uses teh Kubernetes API for its object store. Its the first thing we tried. The self signed cert does happen, but that cert cannot be used with Teleport per our use case we originally stated ssl_ca_file in postgres parameters is REMOVEd by patroni, I gave you the code where that happened This is going in circles .. we will have to find alternatives I guess .. an adjust manage our own builds .. Bottom line is that the container needs to be fixed, we proved it and have it running in our own build, I gave the changes we made to get it working .. the only consideration is if a ca file is not specified, then some logic is required to remove the ssl_ca_file form the config or postgres will break, I suspect that people believe that certificateSecretName is the way to do it, its not, it breaks Patroni in a Kubernetes environment as I stated above |
@alexeyklyukin our decision at this stage is that until timescaledb can fix the containers so we can specify a ca, we have no choice but to maintain our own builds (Which we are using now) ... We will drop the helm deployment and use a manifest based deployment using KLUCTL as the deployment tool. We will make our code and configs available in our GIthub Repos for anyone else who needs it, once we have it looking respectable We will happily go back to official builds once the container can be given a Ca in the postgres parms section of the patroni config and it's not removed, unfortunately, we need to progress our project, our timelines are slipping significantly now |
@alexeyklyukin if you feel that there is nothing wrong with the container or the patroni script , then please close this ticket, The container is unusable for us the way it is right now .. However I really hope you guys will look at this issue, replicate it, and fix it so we can go back to the official builds OR tell us what we need to do to supply our own ca if its is indeed NOT the patroni script in the container that is the root cause of this issue |
Patroni supports the inclusion of
ssl_ca_file
so that PostgreSQL can use custom tls certs with root cert validation (we require it for teleport db access, our database is airgapped, so we proxy to it via teleport)patroni/features/environment.py
supportsssl_ca_file
patroni/patroni/postgresql/validator.py
supportsssl_ca_file
helm-charts/charts/timescaledb-single/values.yaml
supportsssl_ca_file
However
timescaledb-docker-ha/scripts/configure_spilo.py
omitsssl_ca_file
which means that postgres never gets the ca and tls fails for any session that requires tls validation
This makes TimescaleDb unusable in many scenarios
The text was updated successfully, but these errors were encountered: