Connecting to a PostgreSQL cluster using TLS

Following this tutorial, I have successfully installed a Crunchy Data Postgres cluster on Kubernetes with cert-manager TLS certificates: https://blog.crunchydata.com/blog/using-cert-manager-to-deploy-tls-for-postgres-on-kubernetes

kubectl -n postgres-operator get secrets

NAME                           TYPE                                  DATA   AGE
default-token-w7mnw            kubernetes.io/service-account-token   3      45h
pgo-token-9t7dw                kubernetes.io/service-account-token   3      45h
pgo-root-cacert                Opaque                                2      45h
hippo-repl-tls                 kubernetes.io/tls                     3      45h
hippo-tls                      kubernetes.io/tls                     3      45h
hippo-instance-token-mmxfj     kubernetes.io/service-account-token   3      45h
hippo-00-5klh-certs            Opaque                                4      45h
hippo-00-rsvm-certs            Opaque                                4      45h
hippo-pguser-hippo             Opaque                                7      45h
hippo-ssh                      Opaque                                3      45h
hippo-pgbackrest-token-hcp7m   kubernetes.io/service-account-token   3      45h

Most of these secrets contain TLS-related material; for example, hippo-tls contains "ca.crt", "tls.crt" and "tls.key", and the pgo-root-cacert secret contains "root.crt" and "root.key". I don't know which one to use to connect my application to my database.

Here is my application's deployment file:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: admin-app
  namespace: postgres-operator
spec:
  replicas: 1
  selector:
    matchLabels:
      app: admin-app
  template:
    metadata:
      labels:
        app: admin-app
    spec:
      containers:
        - name: admin-app
          image: localhost:32000/wtl-admin3.2:registry
          env:
            - name: CA_CERT
              valueFrom: {secretKeyRef: {name: pgo-root-cacert, key: root.crt}}
            - name: TLS_CERT
              valueFrom: {secretKeyRef: {name: hippo-tls, key: tls.crt}}
            - name: TLS_KEY
              valueFrom: {secretKeyRef: {name: hippo-tls, key: tls.key}}
#          imagePullPolicy: Never
          ports:
            - containerPort: 80
          resources:
            limits:
              memory: "100Mi"
              cpu: "100m"

This is my first time using TLS, so I really don't know how to connect with it. Here is my Golang Postgres connection file:

package infastructure

import (
	"context"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"log"
	"os"

	"github.com/go-pg/pg/v10"
	"github.com/go-pg/pg/v10/orm"
)

// ConnectTls opens a go-pg connection to the hippo cluster using the PEM
// material injected through the CA_CERT, TLS_CERT and TLS_KEY env vars.
func ConnectTls(ctx context.Context) *pg.DB {
	// Client certificate and key taken from the hippo-tls secret.
	cert, err := tls.X509KeyPair([]byte(os.Getenv("TLS_CERT")), []byte(os.Getenv("TLS_KEY")))
	if err != nil {
		log.Printf("failed to load client certificate: %v", err)
		log.Println(err)
		panic(err)
	}
	// CA certificate taken from the pgo-root-cacert secret.
	CACertPool := x509.NewCertPool()
	CACertPool.AppendCertsFromPEM([]byte(os.Getenv("CA_CERT")))
	tlsConfig := &tls.Config{
		Certificates: []tls.Certificate{cert},
		RootCAs:      CACertPool,
		// Disables verification of the server certificate, so RootCAs is
		// never consulted while this is set.
		InsecureSkipVerify: true,
		// ServerName:         "localhost",
	}
	opt := &pg.Options{
		Addr:      "hippo-primary.postgres-operator.svc:5432",
		User:      "hippo",
		Password:  "1XNrN1H-AF)=S(U_9*6(A0V7",
		Database:  "hippo",
		TLSConfig: tlsConfig,
	}
	DB := pg.Connect(opt)
	if err := DB.Ping(ctx); err != nil {
		log.Print("failed to connect")
		log.Print(err)
	}
	return DB
}

I have tried connecting with the different secrets in the postgres-operator namespace, but I usually get the same error about TLS not being used. I'm also not sure what ServerName should be in the TLS config.

kubectl -n postgres-operator logs admin-app-b7d97764d-lkrqn

2021/09/03 17:48:46 failed to connect
2021/09/03 17:48:46 pg: SASL: got "SCRAM-SHA-256-PLUS", wanted "SCRAM-SHA-256"
panic: pg: SASL: got "SCRAM-SHA-256-PLUS", wanted "SCRAM-SHA-256"

Upgrading to go-pg v10.10.5 fixed the problem.
