This topic describes how to configure LDAP authentication with Postgres for Kubernetes.
The VMware Postgres Operator lets you configure LDAP authentication for Postgres instances with Transport Layer Security (TLS) either enabled or disabled.
Before creating a VMware Postgres Operator LDAP configuration you need the following:

- The kubectl command line tool installed on your local client, with access permissions to the Kubernetes cluster.
- A pg_hba custom configuration that enables LDAP authentication for Postgres users. In that pg_hba configuration set ldaptls=0 when TLS is disabled, or ldaptls=1 when TLS is enabled.
Create a ConfigMap that holds the pg_hba custom configuration. Each host line maps one Postgres role to an LDAP simple bind: Postgres builds the bind DN as ldapprefix + role name + ldapsuffix, so the role name must equal the user's cn in LDAP. The address 0.0.0.0/0 accepts login attempts from any IPv4 client; narrow it to the address range of your clients where you can. With ldaptls=0 the user's password is sent to the LDAP server in cleartext; with ldaptls=1 Postgres upgrades the LDAP connection with StartTLS and needs the CA certificate of the LDAP server, which the later steps provide.

```shell
kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: <configmap-name>
  namespace: <namespace>
data:
  pg_hba.custom.conf: |
    host "<database-name>" "<user>" 0.0.0.0/0 ldap ldapserver=<fully-qualified-domain-name> ldaptls=<0/1> ldapprefix="cn=" ldapsuffix=", ou=<value>, dc=<value>, dc=<value>"
    host "<database-name>" "<another-user>" 0.0.0.0/0 ldap ldapserver=<fully-qualified-domain-name> ldaptls=<0/1> ldapprefix="cn=" ldapsuffix=", ou=<value>, dc=<value>, dc=<value>"
EOF
```
If TLS is enabled, retrieve the CA certificate from the LDAP server's TLS secret. The value printed is the base64-encoded ca.crt:

```shell
kubectl get secret <ldap-server-tls-secret-name> -n <namespace> -o jsonpath="{.data.ca\.crt}"
```

Create a Secret that carries this CA certificate for the Postgres instance. Because the certificate goes under data rather than stringData, paste the base64 value exactly as printed by the previous command; do not encode it a second time:

```shell
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: <secret-name>
  namespace: <namespace>
data:
  ca.crt: <value>
EOF
```
Create or update the Postgres instance, referencing the ConfigMap through spec.customConfig.pghba and, when TLS is enabled, the CA Secret through spec.trustedCaCertificates.ldap:

```shell
kubectl apply -f - <<EOF
apiVersion: sql.tanzu.vmware.com/v1
kind: Postgres
metadata:
  name: <postgres-instance-name>
  namespace: <namespace>
spec:
  customConfig:
    pghba:
      name: <configmap-name>
  trustedCaCertificates:
    ldap:
      name: <secret-name>
EOF
```
To verify the TLS setup, read the LDAPTLS_CACERT environment variable in the instance pod; it stores the path of the ca.crt file inside the instance:

```shell
kubectl exec -t pod/<postgres-instance-name>-0 -n <namespace> -- bash -c 'echo $LDAPTLS_CACERT'
```

When TLS was enabled successfully, the ca.crt from the provided secret is stored in the instance and the command prints the path at which it is available:

```
/etc/ldap_tls/ca.crt
```
Finally, create a Postgres role for each LDAP user and grant it access to the database. The role name must match the cn of the LDAP user, because pg_hba derives the bind DN from it, and the role gets no password because the LDAP server authenticates the user. Note that GRANT CONNECT only has an effect if CONNECT has been revoked from PUBLIC on that database; by default every role may connect.

```shell
kubectl exec -t <postgres-instance-name>-0 -n <namespace> -- psql -c "CREATE ROLE <user> login"
kubectl exec -t <postgres-instance-name>-0 -n <namespace> -- psql -c "GRANT CONNECT ON DATABASE <database-name> TO <user>"
```
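The script below is an added example and not part of the VMware documentation or the operator itself. It renders the pg_hba ConfigMap and the CA Secret from the steps above as manifests, rejects an invalid ldaptls value, and checks that a ca.crt value decodes to a PEM certificate (the usual mistake being to base64-encode the value copied from the LDAP server's secret a second time). The host name ldap.example.internal, the DN components, the database appdb, the roles alice and bob, and the object names pg-hba-ldap and ldap-ca are all hypothetical placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the VMware Postgres Operator documentation.
# Renders the pg_hba ConfigMap and the LDAP CA Secret used in the steps
# above and checks their values before anything is passed to kubectl.
# All names here (ldap.example.internal, appdb, alice, bob, the DN
# components, pg-hba-ldap, ldap-ca) are placeholders.
set -euo pipefail

# One "host ... ldap" pg_hba line in the form the page uses (simple-bind
# mode: the bind DN is ldapprefix + <role name> + ldapsuffix). ldaptls must
# be 0 or 1. The client CIDR defaults to 0.0.0.0/0 as on the page; pass the
# address range of your clients instead to narrow who may attempt a login.
render_hba_line() {
  local db=$1 user=$2 server=$3 tls=$4 suffix=$5 cidr=${6:-0.0.0.0/0}
  case "$tls" in
    0|1) ;;
    *) echo "ldaptls must be 0 or 1, got '$tls'" >&2; return 1 ;;
  esac
  printf 'host "%s" "%s" %s ldap ldapserver=%s ldaptls=%s ldapprefix="cn=" ldapsuffix=", %s"\n' \
    "$db" "$user" "$cidr" "$server" "$tls" "$suffix"
}

# ConfigMap manifest with one pg_hba line per role.
# render_hba_configmap <name> <namespace> <db> <server> <tls> <suffix> <cidr> <role>...
render_hba_configmap() {
  local name=$1 ns=$2 db=$3 server=$4 tls=$5 suffix=$6 cidr=$7 role
  shift 7
  printf 'apiVersion: v1\nkind: ConfigMap\nmetadata:\n  name: %s\n  namespace: %s\n' "$name" "$ns"
  printf 'data:\n  pg_hba.custom.conf: |\n'
  for role in "$@"; do
    printf '    '
    render_hba_line "$db" "$role" "$server" "$tls" "$suffix" "$cidr"
  done
}

# The page copies .data.ca\.crt out of the LDAP server's TLS Secret. That
# value is already base64, and a Secret's data: field expects base64, so it
# must be pasted unchanged. This check decodes the value and looks for the
# PEM header, which catches a double-encoded value or a non-certificate.
check_ca_b64() {
  local pem
  pem=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  case "$pem" in
    "-----BEGIN CERTIFICATE-----"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Secret manifest from a PEM file, for when the CA exists as a file rather
# than as a Secret. `base64 | tr -d '\n'` works with both GNU and BSD base64.
render_ca_secret() {
  local name=$1 ns=$2 pem_file=$3 b64
  b64=$(base64 < "$pem_file" | tr -d '\n')
  check_ca_b64 "$b64" || { echo "$pem_file is not a PEM certificate" >&2; return 1; }
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: %s\n  namespace: %s\n' "$name" "$ns"
  printf 'data:\n  ca.crt: %s\n' "$b64"
}

# Post-apply check from the page: LDAPTLS_CACERT in the instance pod must
# point at the mounted CA. Needs cluster access, so it is not run here.
verify_ldap_ca_mounted() {
  local instance=$1 ns=$2 path
  path=$(kubectl exec "pod/${instance}-0" -n "$ns" -- bash -c 'echo $LDAPTLS_CACERT')
  [ "$path" = "/etc/ldap_tls/ca.crt" ]
}

# Demo on placeholder values; pipe the output into `kubectl apply -f -`.
if [ "${1:-}" = "demo" ]; then
  render_hba_configmap pg-hba-ldap default appdb ldap.example.internal 1 \
    "ou=people, dc=example, dc=internal" 10.0.0.0/8 alice bob
fi
```

Run it as `bash render-ldap.sh demo | kubectl apply -f -` to apply the ConfigMap, or source it and call render_ca_secret with your CA file. The check_ca_b64 function is the part worth keeping around: a Secret whose ca.crt decodes to base64 text instead of a PEM block applies without error, and the failure only shows up later as an LDAP TLS handshake error in the Postgres log.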