Avoid mounting dbadmin password if not needed #396
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Currently, the dbadmin password is mounted in the container at
/etc/podinfo/superuser-passwd. This is needed so that readiness/startup probes
can log into vertica and run the 'select 1' canary query. This change is to
satisfy a request to avoid mounting the password if the probes are change to
not refer to the password.
There are two ways you can change the probes:
1. Check if the client port is open.
Instead of checking the canary query. Just check if the client port is opened.
Include overrides for the readiness and startup probes in the vdb like this:
```
apiVersion: vertica.com/v1beta1
kind: VerticaDB
metadata:
name: v
spec:
...
readinessProbeOverride:
tcpSocket:
port: 5433
startupProbeOverride:
tcpSocket:
port: 5433
```
2. Setup local trust for the dbadmin
Keep using the canary query but setup local trust for dbadmin so a password
isn't needed. After the database is up, setup a local trust using SQL like the
following:
```
CREATE AUTHENTICATION v_dbadmin_trust METHOD 'trust' LOCAL;
GRANT AUTHENTICATION v_dbadmin_trust TO dbadmin;
ALTER AUTHENTICATION v_dbadmin_trust PRIORITY 10000;
SELECT sync_catalog();
```
This can be included in an EventTrigger so that it's done automatically after a
DB was created. Then create the vdb with an override for the command.
```
apiVersion: vertica.com/v1beta1
kind: VerticaDB
metadata:
name: v
spec:
readinessProbeOverride:
exec:
command: ["vsql", "-c", "select 1"]
startupProbeOverride:
exec:
command: ["vsql", "-c", "select 1"]
```
In both cases, the operator was changed to not include the mount if we no
longer reference dbadmin password in any of the probes.
roypaulin
reviewed
May 12, 2023
roypaulin
approved these changes
May 12, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently, the dbadmin password is mounted in the container at /etc/podinfo/superuser-passwd. This is needed so that readiness/startup probes can log into vertica and run the 'select 1' canary query. This change is to satisfy a request to avoid mounting the password if the probes are change to not refer to the password.
There are two ways you can change the probes:
Instead of checking the canary query. Just check if the client port is opened. Include overrides for the readiness and startup probes in the vdb like this:
Keep using the canary query but setup local trust for dbadmin so a password isn't needed. After the database is up, setup a local trust using SQL like the following:
This can be included in an EventTrigger so that it's done automatically after a DB was created. Then create the vdb with an override for the command.
In both cases, the operator was changed to not include the mount if we no longer reference dbadmin password in any of the probes.