
Postgresql Kubernetes deployment cannot read certificate files from Secrets

Reposted. Author: 行者123. Updated: 2023-12-04 22:38:40

I'm having some trouble with permissions and I'm really hoping someone can point out where I'm going wrong...
I have a Kube cluster set up and running (e.g. I'm running a mysql pod and connecting to it without any problems), and I've been trying to get a Postgresql pod running with TLS enabled. The services that will connect to this pod require TLS, so unfortunately not using TLS is not an option.
This is where things get a bit confusing: everything works, except for the fact that for some reason the Postgres init doesn't seem to be able to read the certificate files I've stored in a Kube secret. No matter what options I choose, the Postgres init returns the following:

$ kubectl logs data-server-97469df55-8wd6q
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgres ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... UTC
creating configuration files ... ok
running bootstrap script ... ok
sh: locale: not found
2021-09-11 20:03:54.323 UTC [32] WARNING: no usable system locales were found
performing post-bootstrap initialization ... ok
initdb: warning: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
syncing data to disk ... ok


Success. You can now start the database server using:

pg_ctl -D /var/lib/postgres -l logfile start

waiting for server to start....2021-09-11 20:04:01.882 GMT [37] FATAL: could not load server certificate file "/var/lib/postgres-secrets/server.crt": Permission denied
2021-09-11 20:04:01.882 GMT [37] LOG: database system is shut down
pg_ctl: could not start server
Examine the log output.
stopped waiting
I strongly suspect my problem is the first line, but I'm not sure how to solve this in Kubernetes. How do I tell Kubernetes that I need my secrets mounted so that the user 'postgres' can read them (being lazy and doing chmod 0777 doesn't work)?
These are my configs:
apiVersion: v1
kind: Service
metadata:
  name: data-server
  labels:
    app: data-server
spec:
  ports:
  - name: data-server
    targetPort: 5432
    protocol: TCP
    port: 5432
  selector:
    app: data-server
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: data-server
spec:
  selector:
    matchLabels:
      app: data-server
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app: data-server
    spec:
      serviceAccountName: default
      containers:
      - name: postgres
        image: postgres:alpine
        imagePullPolicy: IfNotPresent
        args:
        - -c
        - hba_file=/var/lib/postgres-config/pg_hba.conf
        - -c
        - config_file=/var/lib/postgres-config/postgresql.conf
        env:
        - name: PGDATA
          value: /var/lib/postgres
        - name: POSTGRES_PASSWORD_FILE
          value: /var/lib/postgres-secrets/postgres-pwd.txt
        ports:
        - name: data-server
          containerPort: 5432
          hostPort: 5432
          protocol: TCP
        volumeMounts:
        - name: postgres-config
          mountPath: /var/lib/postgres-config
        - name: postgres-storage
          mountPath: /var/lib/postgres-data
        - name: postgres-secrets
          mountPath: /var/lib/postgres-secrets
      volumes:
      - name: postgres-config
        configMap:
          name: data-server
      - name: postgres-storage
        persistentVolumeClaim:
          claimName: gluster-claim
      - name: postgres-secrets
        secret:
          secretName: data-server
          defaultMode: 0640
Secrets:
$ kubectl get secret
NAME TYPE DATA AGE
data-server Opaque 5 131m
default-token-nq7pv kubernetes.io/service-account-token 3 5d5h
PV/PVC:
$ kubectl describe pv,pvc
Name: gluster-pv
Labels: <none>
Annotations: pv.kubernetes.io/bound-by-controller: yes
Finalizers: [kubernetes.io/pv-protection]
StorageClass:
Status: Bound
Claim: default/gluster-claim
Reclaim Policy: Retain
Access Modes: RWX
VolumeMode: Filesystem
Capacity: 50Gi
Node Affinity: <none>
Message:
Source:
Type: Glusterfs (a Glusterfs mount on the host that shares a pod's lifetime)
EndpointsName: gluster-cluster
EndpointsNamespace: <unset>
Path: /gv0
ReadOnly: false
Events: <none>


Name: gluster-claim
Namespace: default
StorageClass:
Status: Bound
Volume: gluster-pv
Labels: <none>
Annotations: pv.kubernetes.io/bind-completed: yes
pv.kubernetes.io/bound-by-controller: yes
Finalizers: [kubernetes.io/pvc-protection]
Capacity: 50Gi
Access Modes: RWX
VolumeMode: Filesystem
Used By: data-server-97469df55-8wd6q
dnsutils
mysql-6f47967858-xngbr

Best answer

Figured it out.. it turned out to be just a required block in the template/spec:

securityContext:
  runAsUser: 70
  fsGroup: 70

Took far too long to find a reference to this using Google. It seems a bit odd too... what happens if I want to switch off alpine to something else? The UID/GID won't be the same. I'd have to find those and change them here as well. Using IDs rather than names seems silly.
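The pod template spec with the answer's securityContext block in place, as an added example (not the asker's or answerer's own manifest). It assumes the question's object names (secret data-server, mount path /var/lib/postgres-secrets) and adds runAsGroup and a read-only secret mount, which the answer did not mention; the uid/gid values for the Debian-based images are stated in the comments from the official image Dockerfiles, not from this page.

```yaml
# Deployment .spec.template.spec for the postgres container. Only the parts
# that affect reading the secret files are shown; the other fields from the
# question (args, env, config and storage volumes, ports) are unchanged.
spec:
  securityContext:
    # uid/gid of the "postgres" user in the postgres:alpine image. The
    # Debian-based postgres images create postgres as uid/gid 999 instead,
    # so both values must be changed together with the base image.
    runAsUser: 70
    runAsGroup: 70
    # Files projected from a secret volume are owned by root; fsGroup makes
    # them group-owned by gid 70, so a group-readable defaultMode is enough
    # for the server process, which runs as uid 70 / gid 70.
    fsGroup: 70
  containers:
  - name: postgres
    image: postgres:alpine
    env:
    - name: POSTGRES_PASSWORD_FILE
      value: /var/lib/postgres-secrets/postgres-pwd.txt
    volumeMounts:
    - name: postgres-secrets
      mountPath: /var/lib/postgres-secrets
      readOnly: true   # the server only reads its key, certificate and password
  volumes:
  - name: postgres-secrets
    secret:
      secretName: data-server
      # owner (root) rw, group (fsGroup 70) r, others none: the server can
      # read server.crt, server.key and postgres-pwd.txt, processes outside
      # gid 70 cannot. Keep this at 0640 or tighter; 0777 does not help.
      defaultMode: 0640
```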

Regarding "Postgresql Kubernetes deployment cannot read certificate files from Secrets", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/69146525/
