We are migrating form a Zalando based Kubernetes Postgres to a Helm based TimescaleDb deployment in our clusters.
We use Teleport to manage all of our cluster and database access. Teleport requires that we use a custom, teleport generated ssl tls cert, which we have done, but we are getting ssl connection failures as clients cannot verify the cert, meaning we need to add the root ca to postgreSQL.
Zalando had a neat way to do this in the CRDs, one simply added ca.crt as an additional field on the cert secret, and it happened automatically.
Before I go down the rabbit hole of a custom volume mount and figuring out how to get postgreSQL to use it, has anyone done this before? am I missing something in the helm chart?
Many thanks in advance
Mark Cupitt
Head of Global Operations
Billrush NZ
I was able to figure out how to get the CA into Patroni, HOWEVER< it seems to have broken the cluster due to everything talking via SSL, lots of SSL related errors, so more investigation required
# Generate a Teleport Certificate taht it wil be happy with
tctl auth sign --format=db --host=timescaledb.eng.svc.cluster.local --out=server --ttl=1000000h
# Load the cert, with teh Ca into a Secret
kubectl create secret generic eng-db-teleport-tls --namespace eng --from-file=tls.crt=server.crt --from-
file=tls.key=server.key --from-file=ca.crt=server.cas
# The entire secret is already mounted, so its just a matter of telling Patroni where to find teh CA
# SO Add a Custom Env Var that points Patroni to teh rot CA filed in the secret
# Extra custom environment variables.
# These should be an EnvVar, as this allows you to inject secrets into the environment
# https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.16/#envvar-v1-core
env: - name: PATRONI_KUBERNETES_CACERT
value: "/etc/certificate/ca.crt"
As I Said above, Patroni sees this, but nothing SSL related works, so more effort is required
Finally tracked this down, issue is at
Github /timescale/timescaledb-docker-ha/issues/435