TLS - add OpenShift compatibility (zalando#885)

ReSearchITEng · FxKu · web-flow · commit 6ed10308380c · 2020-04-01T09:39:54.000+02:00
* solves zalando#798 (comment) Co-authored-by: Felix Kunde <felix-kunde@gmx.de>
diff --git a/docs/user.md b/docs/user.md
@@ -572,10 +572,15 @@ However, this certificate cannot be verified and thus doesn't protect from
 active MITM attacks. In this section we show how to specify a custom TLS
 certificate which is mounted in the database pods via a K8s Secret.
 
-Before applying these changes, the operator must also be configured with the
-`spilo_fsgroup` set to the GID matching the postgres user group. If the value
-is not provided, the cluster will default to `103` which is the GID from the
-default spilo image.
+Before applying these changes, in k8s the operator must also be configured with
+the `spilo_fsgroup` set to the GID matching the postgres user group. If you
+don't know the value, use `103` which is the GID from the default spilo image
+(`spilo_fsgroup=103` in the cluster request spec).
+
+OpenShift allocates the users and groups dynamically (based on scc), and their
+range is different in every namespace. Due to this dynamic behaviour, it's not
+trivial to know at deploy time the uid/gid of the user in the cluster.
+This way, in OpenShift, you may want to skip the spilo_fsgroup setting.
 
 Upload the cert as a kubernetes secret:
 ```sh
diff --git a/manifests/complete-postgres-manifest.yaml b/manifests/complete-postgres-manifest.yaml
@@ -109,3 +109,5 @@ spec:
     certificateFile: "tls.crt"
     privateKeyFile: "tls.key"
     caFile: ""  # optionally configure Postgres with a CA certificate
+# When TLS is enabled, also set spiloFSGroup parameter above to the relevant value.
+# if unknown, set it to 103 which is the usual value in the default spilo images.
diff --git a/pkg/cluster/k8sres.go b/pkg/cluster/k8sres.go
@@ -37,9 +37,6 @@ const (
 	localHost                        = "127.0.0.1/32"
 	connectionPoolContainer          = "connection-pool"
 	pgPort                           = 5432
-
-	// the gid of the postgres user in the default spilo image
-	spiloPostgresGID = 103
 )
 
 type pgUser struct {
@@ -990,13 +987,8 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef
 
 	// configure TLS with a custom secret volume
 	if spec.TLS != nil && spec.TLS.SecretName != "" {
-		if effectiveFSGroup == nil {
-			c.logger.Warnf("Setting the default FSGroup to satisfy the TLS configuration")
-			fsGroup := int64(spiloPostgresGID)
-			effectiveFSGroup = &fsGroup
-		}
-		// this is combined with the FSGroup above to give read access to the
-		// postgres user
+		// this is combined with the FSGroup in the section above
+		// to give read access to the postgres user
 		defaultMode := int32(0640)
 		volumes = append(volumes, v1.Volume{
 			Name: "tls-secret",
