使用tls将应用程序连接到postgresql集群

Question

通过遵循本教程，我已经成功地在kubernetes上使用cert-manager提供的tls证书安装了一个易碎的data postgres集群。https://blog.crunchydata.com/blog/using-cert-manager-to-deploy-tls-for-postgres-on-kubernetes

kubectl -n postgres-operator get secrets

NAME                           TYPE                                  DATA   AGE
default-token-w7mnw            kubernetes.io/service-account-token   3      45h
pgo-token-9t7dw                kubernetes.io/service-account-token   3      45h
pgo-root-cacert                Opaque                                2      45h
hippo-repl-tls                 kubernetes.io/tls                     3      45h
hippo-tls                      kubernetes.io/tls                     3      45h
hippo-instance-token-mmxfj     kubernetes.io/service-account-token   3      45h
hippo-00-5klh-certs            Opaque                                4      45h
hippo-00-rsvm-certs            Opaque                                4      45h
hippo-pguser-hippo             Opaque                                7      45h
hippo-ssh                      Opaque                                3      45h
hippo-pgbackrest-token-hcp7m   kubernetes.io/service-account-token   3      45h

这些秘密中的大多数都包含与tls有关的内容，例如河马包含"ca.crt“、"tls.crt”、"tls.key“，pgo-root-cacert秘密包含"root.crt”、"root.key“。我不确定使用哪一个来连接我的应用程序到我的数据库。

这是我的应用程序的部署yaml

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: admin-app
  namespace: postgres-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      app: admin-app
  template:
    metadata:
      labels:
        app: admin-app
    spec:
      containers:
        - name: admin-app
          image: localhost:32000/wtl-admin3.2:registry
          env:
          - name: CA_CERT
            valueFrom: {secretKeyRef: {name: pgo-root-cacert, key: root.crt}}
          - name: TLS_CERT
            valueFrom: {secretKeyRef: {name: hippo-tls, key: tls.crt}}
          - name: TLS_KEY
            valueFrom: {secretKeyRef: {name: hippo-tls, key: tls.key}}
#          imagePullPolicy: Never
          ports:
          - containerPort: 80
          resources:
            limits:
              memory: "100Mi"
              cpu: "100m"

这是我第一次使用tls，所以我不太确定如何连接它。这是我的Golang postgres连接文件。

package infastructure

import (
        "context"
        "crypto/tls"
        "crypto/x509"
        "fmt"
        "log"
        "os"

        "github.com/go-pg/pg/v10"
        "github.com/go-pg/pg/v10/orm"
)

func ConnectTls(ctx context.Context) *pg.DB {
        cert, err := tls.X509KeyPair([]byte(os.Getenv("TLS_CERT")), []byte(os.Getenv("TLS_KEY")))
        if err != nil {
                log.Printf("failed to load client certificate: %v", err)
                log.Println(err)
                panic(err)
        }

        CACertPool := x509.NewCertPool()
        CACertPool.AppendCertsFromPEM([]byte(os.Getenv("CA_CERT")))

        tlsConfig := &tls.Config{
                Certificates:       []tls.Certificate{cert},
                RootCAs:            CACertPool,
                InsecureSkipVerify: true,
                // ServerName:         "localhost",
        }

        opt := &pg.Options{

                Addr:      "hippo-primary.postgres-operator.svc:5432",
                User:      "hippo",
                Password:  "1XNrN1H-AF)=S(U_9*6(A0V7",
                Database:  "hippo",
                TLSConfig: tlsConfig,
        }
        DB := pg.Connect(opt)
        if err := DB.Ping(ctx); err != nil {
                log.Print("failed to connect")
                log.Print(err)
        }
        return DB
}

我尝试使用postgres运算符名称空间中的不同秘密进行连接，但我通常会得到不使用tls的相同错误。我也不确定tls配置的ServerName应该是什么。

kubectl -n postgres-operator logs admin-app-b7d97764d-lkrqn

2021/09/03 17:48:46 failed to connect
2021/09/03 17:48:46 pg: SASL: got "SCRAM-SHA-256-PLUS", wanted "SCRAM-SHA-256"
panic: pg: SASL: got "SCRAM-SHA-256-PLUS", wanted "SCRAM-SHA-256"

Answer 1

升级到go-pg v10.10.5可以解决这个问题。