
Connection Pooler crashes when using custom TLS certificates #2201

@heilerich

Description


Since #2146 has been merged, connection pooler pods are going into a crash loop on start. We were really looking forward to this feature, but sadly it isn't working at all in our environments. Pinging the authors of that PR @jeremie-seguin @FxKu

I suspect that I might have missed something here, because it looks to me like the current solution should never have worked anywhere. Anyway, in our deployments we are encountering the following:

The custom TLS certificates are mounted as a secret with a default mode of 0640. This creates two problems:

(1) The secret mount in the container is a separate tmpfs filesystem. The entrypoint.sh of the default pooler image (at tag master-26) tries to hardlink the files in the secret mount to the container's root overlay filesystem which produces a Cross-device link error. At that point the container will crash.

(2) Even with a fix for the above problem the container will probably still not run, because it defaults to running as a non-root user. At the same time the operator does not set an fsGroup in the security context for the pods. This will cause the secret to be owned by root, and with the operator setting the defaultMode of the secret to 0640 the certificates will not be readable by the pgbouncer process.

Possible solutions:

(1) Update the entrypoint.sh for the default pooler container to use symlinks, which work across file system boundaries (i.e. replace ln with ln -s).

(2) (a) Set a more permissive default mode for the secret mount, (b) use an initContainer running with UID 0 to copy and chown the certificates into an emptyDir volume, (c) run pgbouncer as UID 0, or (d) set an fsGroup for the pod.

  • Which image of the operator are you using? registry.opensource.zalan.do/acid/postgres-operator:v1.9.0
  • Where do you run it - cloud or metal? Kubernetes or OpenShift? KKP, Bare Metal K8s
  • Are you running Postgres Operator in production? yes
  • Type of issue? Bug report
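The two failure modes from the report, as an added example that is not the pooler image's entrypoint.sh and not code from the operator project: a POSIX shell function that symlinks the mounted certificates into the container filesystem instead of hardlinking them (so the tmpfs secret mount and the overlay root being different devices no longer matters), then checks that the UID the process actually runs as can read each linked file, which is exactly what breaks when the secret is root-owned with defaultMode 0640 and no fsGroup is set. The function name, directory names and placeholder file contents are assumptions.

```shell
#!/bin/sh
# Added example, not the pooler image's entrypoint.sh. Replaces a hardlink step that
# fails with EXDEV ("Invalid cross-device link") when the source (a secret mount, which
# is its own tmpfs) and the destination (the container's overlay root) are on different
# filesystems. A symbolic link has no such restriction.
set -eu

# link_certs SRC_DIR DST_DIR
# Symlink every regular file in SRC_DIR into DST_DIR, then verify the current UID can
# read each one. A secret mounted with defaultMode 0640, owned by root, in a pod without
# fsGroup, is unreadable to a non-root pgbouncer; failing here with a clear message beats
# a crash loop with no explanation.
link_certs() {
    src=$1
    dst=$2
    mkdir -p "$dst"
    for f in "$src"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        # -s: symbolic link (works across filesystems); -f: replace a stale link left
        # behind by a previous container start instead of failing with EEXIST
        ln -sf "$f" "$dst/$name"
        if [ ! -r "$dst/$name" ]; then
            echo "error: $dst/$name is not readable by uid $(id -u);" \
                 "check the secret's defaultMode and the pod's fsGroup" >&2
            ls -ln "$f" >&2
            return 1
        fi
    done
}

# demo: build a constructed "secret" directory holding placeholder tls.crt/tls.key
# (not real key material), link it into a separate directory and list the result.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/secret"
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'placeholder' '-----END CERTIFICATE-----' \
        > "$tmp/secret/tls.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'placeholder' '-----END PRIVATE KEY-----' \
        > "$tmp/secret/tls.key"
    # same mode the operator applies to the secret volume, per the report
    chmod 0640 "$tmp/secret"/*
    link_certs "$tmp/secret" "$tmp/etc/pgbouncer/tls"
    ls -l "$tmp/etc/pgbouncer/tls"
    rm -rf "$tmp"
}

demo
```

The demo passes on a workstation because the files it creates are owned by the invoking user; inside a pod with a root-owned 0640 secret and a non-root UID, the same function stops at the readability check, which is the point at which either the secret's defaultMode or the pod's fsGroup has to be fixed.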
