I have sucecssfully installed a crunchy data postgres cluster with tls certificates from cert-manager on kubernetes by following this tutorial. https://blog.crunchydata.com/blog/using-cert-manager-to-deploy-tls-for-postgres-on-kubernetes
kubectl -n postgres-operator get secrets
NAME TYPE DATA AGE
default-token-w7mnw kubernetes.io/service-account-token 3 45h
pgo-token-9t7dw kubernetes.io/service-account-token 3 45h
pgo-root-cacert Opaque 2 45h
hippo-repl-tls kubernetes.io/tls 3 45h
hippo-tls kubernetes.io/tls 3 45h
hippo-instance-token-mmxfj kubernetes.io/service-account-token 3 45h
hippo-00-5klh-certs Opaque 4 45h
hippo-00-rsvm-certs Opaque 4 45h
hippo-pguser-hippo Opaque 7 45h
hippo-ssh Opaque 3 45h
hippo-pgbackrest-token-hcp7m kubernetes.io/service-account-token 3 45h
Most of these secrets contain something to do with tls for example hippo-tls contains a "ca.crt", "tls.crt", "tls.key" and the pgo-root-cacert secret contains a "root.crt", "root.key". Im not sure which one to use for connecting my application to my database.
This is my deployment yaml for my application
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: admin-app
namespace: postgres-operator
spec:
replicas: 1
selector:
matchLabels:
app: admin-app
template:
metadata:
labels:
app: admin-app
spec:
containers:
- name: admin-app
image: localhost:32000/wtl-admin3.2:registry
env:
- name: CA_CERT
valueFrom: {secretKeyRef: {name: pgo-root-cacert, key: root.crt}}
- name: TLS_CERT
valueFrom: {secretKeyRef: {name: hippo-tls, key: tls.crt}}
- name: TLS_KEY
valueFrom: {secretKeyRef: {name: hippo-tls, key: tls.key}}
# imagePullPolicy: Never
ports:
- containerPort: 80
resources:
limits:
memory: "100Mi"
cpu: "100m"
This is my first time working with tls so im not really sure how to connect with it. This is my Golang postgres connection file.
package infastructure
import (
"context"
"crypto/tls"
"crypto/x509"
"fmt"
"log"
"os"
"github.com/go-pg/pg/v10"
"github.com/go-pg/pg/v10/orm"
)
func ConnectTls(ctx context.Context) *pg.DB {
cert, err := tls.X509KeyPair([]byte(os.Getenv("TLS_CERT")), []byte(os.Getenv("TLS_KEY")))
if err != nil {
log.Printf("failed to load client certificate: %v", err)
log.Println(err)
panic(err)
}
CACertPool := x509.NewCertPool()
CACertPool.AppendCertsFromPEM([]byte(os.Getenv("CA_CERT")))
tlsConfig := &tls.Config{
Certificates: []tls.Certificate{cert},
RootCAs: CACertPool,
InsecureSkipVerify: true,
// ServerName: "localhost",
}
opt := &pg.Options{
Addr: "hippo-primary.postgres-operator.svc:5432",
User: "hippo",
Password: "1XNrN1H-AF)=S(U_9*6(A0V7",
Database: "hippo",
TLSConfig: tlsConfig,
}
DB := pg.Connect(opt)
if err := DB.Ping(ctx); err != nil {
log.Print("failed to connect")
log.Print(err)
}
return DB
}
I've tried to connect using the different secrets in the postgres operator namespace but i usually get the same error about not using tls. I'm also not sure what the ServerName should be for the tls config.
kubectl -n postgres-operator logs admin-app-b7d97764d-lkrqn
2021/09/03 17:48:46 failed to connect
2021/09/03 17:48:46 pg: SASL: got "SCRAM-SHA-256-PLUS", wanted "SCRAM-SHA-256"
panic: pg: SASL: got "SCRAM-SHA-256-PLUS", wanted "SCRAM-SHA-256"
Upgrading to go-pg v10.10.5 solves this.