Enable SSL on Postgres

I’m trying to apply SSL in pgParameters. I’ve mounted the SSL certs in stolon-keeper.yaml.

Is this the correct way to specify in postgresql.conf?

kubectl exec -it stolon-keeper-0 -- /usr/local/bin/stolonctl update -p --cluster-name=kube-stolon --store-backend=kubernetes --kube-resource-kind=configmap '{ "pgParameters" : { "ssl" : "on", "ssl_cert_file" : "tls.crt", "ssl_key_file" : "tls.key", "ssl_ca_file" : "cluster-ca.pem"}}'

Any help on why the tls cert could not be loaded?

kubectl logs stolon-keeper-0

2020-03-19T06:44:16.858Z INFO postgresql/postgresql.go:421 reloading database configuration
server signaled
2020-03-19 06:44:16.870 UTC [72] LOG: received SIGHUP, reloading configuration files
2020-03-19 06:44:16.871 UTC [72] LOG: parameter "ssl_ca_file" changed to "/etc/ssl/certs/cluster-ca.pem"
2020-03-19 06:44:16.871 UTC [72] LOG: parameter "ssl_cert_file" changed to "/etc/ssl/certs/tls.crt"
2020-03-19 06:44:16.871 UTC [72] LOG: parameter "ssl" changed to "on"
2020-03-19 06:44:16.871 UTC [72] LOG: parameter "ssl_key_file" changed to "/etc/ssl/certs/tls.key"
2020-03-19 06:44:16.874 UTC [72] LOG: private key file "/etc/ssl/certs/tls.key" has group or world access
2020-03-19 06:44:16.874 UTC [72] DETAIL: File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.
2020-03-19 06:44:16.874 UTC [72] LOG: SSL configuration was not reloaded

Postgres is complaining about the file permissions. It depends on how you created them and whether k8s now supports changing them (in the past it wasn’t possible when providing the files using a secret and you needed some workaround; you should search inside the k8s repository issues).
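
Added example, not part of the thread and not Stolon or PostgreSQL code: a pre-flight check that applies the ownership and mode rule from the DETAIL log line above to a key file before the configuration is reloaded. The function names `pg_key_mode_ok` and `pg_key_file_ok` are hypothetical, and the script assumes a `stat` that supports `-L` and `-c` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (hypothetical helper names): check a private key file against
# the rule PostgreSQL prints in its DETAIL line:
#   owned by the database user -> no group or other permission bits at all
#   owned by root              -> group read at most, no other bits
#   owned by anyone else       -> rejected

# pg_key_mode_ok OWNER_UID MODE_OCTAL DB_UID
# Returns 0 if the owner/mode pair is acceptable, 1 if not.
pg_key_mode_ok() {
    owner=$1
    mode=$((0$2))      # leading 0 makes the shell read the mode as octal
    db_uid=$3
    if [ "$owner" -eq "$db_uid" ]; then
        [ $((mode & 077)) -eq 0 ]     # any group/other bit fails
    elif [ "$owner" -eq 0 ]; then
        [ $((mode & 037)) -eq 0 ]     # group write/exec or any other bit fails
    else
        return 1                      # neither the database user nor root
    fi
}

# pg_key_file_ok PATH [DB_UID]
# DB_UID defaults to the current user; run it as the user postgres runs as.
# stat -L follows symlinks, which matters for mounted secrets because the
# visible file names in a Kubernetes Secret volume are symlinks.
pg_key_file_ok() {
    path=$1
    db_uid=${2:-$(id -u)}
    info=$(stat -Lc '%u %a' "$path") || return 2
    pg_key_mode_ok "${info% *}" "${info#* }" "$db_uid"
}

# Usage: sh check-key.sh /etc/ssl/certs/tls.key
for f in "$@"; do
    if pg_key_file_ok "$f"; then
        echo "OK   $f"
    else
        echo "FAIL $f ($(stat -Lc 'uid=%u mode=%a' "$f" 2>/dev/null))"
    fi
done
```

Running it inside the keeper container as the database user shows the owner and mode that Postgres sees, so a change to the secret mount can be verified before the next reload.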