
I am setting up SSL for Postgres 9.6 connections. I could not mount SSH private key and cert in a Kubernetes secret with appropriate permissions. I believe without any explicit user id set on the Kubernetes container, the mounted secret should be owned by root. I have set 416 decimal for octal 0640. This is a recommendation from Postgres if files are owned by root.

Any help is appreciated.

Error:

 FATAL:  could not load private key file "/var/lib/postgresql/certs/server.key": Permission denied

Helm statefulset config:

  volumes:
  - name: {{ .Values.certs_secret.volume_name }}
    secret:
      secretName: {{ .Values.certs_secret.secret_name }}
      items:
      - key: server.key
        path: server.key
        mode: 416   # decimal for octal 0640 (rw-r-----); secret modes are plain integers
      - key: server.crt
        path: server.crt
        mode: 511   # decimal for octal 0777 (rwxrwxrwx)
  containers:
  - name: {{ .Chart.Name }}
    args:
      - -c
      - ssl=on
      - -c
      - ssl_cert_file={{ .Values.certs_secret.cert_path }}
      - -c
      - ssl_key_file={{ .Values.certs_secret.private_key_path }}
    volumeMounts:
    - name: {{ .Values.certs_secret.volume_name }}
      mountPath: {{ .Values.certs_secret.mount_path }}

Updated

I have exec'd in without turning SSL on and found secret files are mounted as symlinks. Could this be a problem? The cluster is in AKS.

root@postgres-timescale-db-0:/var/lib/postgresql/certs# find . -ls
        2      0 drwxrwxrwt   3 root     root          120 Oct 29 16:40 .
        8      0 lrwxrwxrwx   1 root     root           31 Oct 29 16:40 ./..data -> ..2019_10_29_16_40_00.233198123
        7      0 lrwxrwxrwx   1 root     root           17 Oct 29 16:40 ./server.crt -> ..data/server.crt
        6      0 lrwxrwxrwx   1 root     root           17 Oct 29 16:40 ./server.key -> ..data/server.key
        3      0 drwxr-xr-x   2 root     root           80 Oct 29 16:40 ./..2019_10_29_16_40_00.233198123
        5      8 -rwxrwxrwx   1 root     root         4450 Oct 29 16:40 ./..2019_10_29_16_40_00.233198123/server.crt
        4      4 -rw-r-----   1 root     root         1679 Oct 29 16:40 ./..2019_10_29_16_40_00.233198123/server.key
Comment (Oct 29, 2019): The image used is postgres:9.6

1 Answer

As what user does postgres run - root or something else? Some Docker images use postgres with uid of 999...

Without having the complete deployment configuration I'll suggest that, once you know the user, take a look at this doc for how to configure securityContext to set the ownership of directories and files from mounted volumes.


5 Comments

Cannot use securityContext (setting user, group ids), especially the first time, as it hinders the creation of data folders. I believe postgres runs the docker entrypoint files (create postgres user, data files with appropriate ownership and permissions) as root and then downgrades to the postgres user.
I have added a long listing of files (/var/lib/postgresql/certs) to the original post. Please let me know if it has some clues.
"...found secret files are mounted as symlinks" - that's how files created from configMap-s and secrets appear, so it is "normal". I see you can get a shell in the container - could you get the user with which postgres runs? E.g. execute ps -f inside the container.
Here's why I asked for the user: the server.key file has permissions set as 0640 - read+write for the root user and read for the root group; if postgres isn't running as root but as a different user, that user doesn't have permission to read the file. Setting the mode to 0644, or not setting it at all because that is the default for secrets, will allow that user to read the file. Yes, other users will also be able to read the file. That's why I was suggesting you look into securityContext (fsGroup in particular) - it's worth trying to set it to the group of the postgres user, if it isn't root.
Setting fsGroup and setting server.key to 416 and server.crt to 511 makes Postgres enable SSL for connections. Can be verified using select * from pg_stat_ssl;.
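The permission reasoning in the comments above, as an added example that is not code from the question or the answer: it models the POSIX read check on a file projected from a secret, the effect of fsGroup on that file's group, and the PostgreSQL 9.6 key-file rule (owned by the database user with mode 0600 or less, or owned by root with mode 0640 or less). The postgres uid/gid of 999 is an assumption taken from the answer's remark about some images.

```python
"""Why server.key mounted from a Kubernetes secret is or is not usable by postgres.
Added example; uid/gid 999 for the postgres user is an assumption."""
import stat
from dataclasses import dataclass
from typing import Optional, Set

POSTGRES_UID = 999          # assumed: common uid of the postgres user in Docker images
POSTGRES_GIDS = {999}       # assumed: its primary group


@dataclass
class MountedFile:
    mode: int   # permission bits, e.g. 0o640
    uid: int    # owner uid
    gid: int    # owner gid


def k8s_mode(octal_mode: int) -> int:
    """secret.items[].mode takes the octal mode as a plain integer: 0o640 -> 416, 0o777 -> 511."""
    return int(octal_mode)


def mount_secret_item(octal_mode: int, fs_group: Optional[int] = None) -> MountedFile:
    """Files projected from a secret are owned by root; securityContext.fsGroup sets their group."""
    return MountedFile(mode=octal_mode, uid=0, gid=fs_group if fs_group is not None else 0)


def os_can_read(f: MountedFile, uid: int, gids: Set[int]) -> bool:
    """POSIX read check: owner bits if uid matches, else group bits if any gid matches, else other bits."""
    if uid == f.uid:
        return bool(f.mode & stat.S_IRUSR)
    if f.gid in gids:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def postgres_accepts_key(f: MountedFile, postgres_uid: int) -> bool:
    """PostgreSQL 9.6 rule for ssl_key_file: DB-user-owned must be 0600 or less,
    root-owned must be 0640 or less, any other owner is refused."""
    if f.uid == postgres_uid:
        return not (f.mode & (stat.S_IRWXG | stat.S_IRWXO))
    if f.uid == 0:
        return not (f.mode & stat.S_IRWXO)
    return False


def ssl_key_usable(f: MountedFile, uid: int = POSTGRES_UID, gids: Set[int] = POSTGRES_GIDS) -> bool:
    """Both conditions must hold: the process can open the file and postgres accepts its permissions."""
    return os_can_read(f, uid, gids) and postgres_accepts_key(f, uid)


if __name__ == "__main__":
    print("0640, no fsGroup :", ssl_key_usable(mount_secret_item(0o640)))              # False: Permission denied
    print("0640, fsGroup 999:", ssl_key_usable(mount_secret_item(0o640, fs_group=999)))  # True: the working setup
    print("0644, no fsGroup :", ssl_key_usable(mount_secret_item(0o644)))              # False: readable, but world bits set
```

The third case shows the caveat behind the 0640 choice: loosening the secret mode to 0644 makes the file readable by the postgres user, but a root-owned key with any world bits is rejected by the server's own check, so fsGroup is the fix that satisfies both.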
