This topic describes how to configure LDAP authentication with Postgres for Kubernetes.

Overview

The VMware Postgres Operator allows you to configure LDAP authentication for instances with TLS (Transport Layer Security) either enabled or disabled.

Prerequisites

Before creating a VMware Postgres Operator LDAP configuration you need the following:

  • The kubectl command line tool installed on your local client, with access permissions to the Kubernetes cluster.
  • Access to a preconfigured LDAP server.

Steps to Configure LDAP

  1. Apply the pg_hba custom configuration to enable LDAP authentication for Postgres users.
  • Enter the address of the target LDAP server as the ldapserver value.
  • Enter ldaptls as 0 when TLS is disabled or 1 when TLS is enabled.
  • You can provide multiple entries at once to configure several users in pg_hba.
kubectl apply -f - <<EOF
apiVersion: v1
kind: ConfigMap
metadata:
  name: <configmap-name>
  namespace: <namespace>
data:
  pg_hba.custom.conf: |
    host "<database-name>" "<user>" 0.0.0.0/0   ldap ldapserver=<fully-qualified-domain-name> ldaptls=<0/1> ldapprefix="cn=" ldapsuffix=", ou=<value>, dc=<value>, dc=<value>"
    host "<database-name>" "<another-user>" 0.0.0.0/0   ldap ldapserver=<fully-qualified-domain-name> ldaptls=<0/1> ldapprefix="cn=" ldapsuffix=", ou=<value>, dc=<value>, dc=<value>"
EOF
  2. [Only required if TLS is enabled] Create or copy the secret using the ca.crt file from the LDAP server.
  • If the CA certificate already exists as a secret in the Kubernetes cluster, retrieve its ca.crt value as follows:
kubectl get secret <ldap-server-tls-secret-name> -n <namespace> -o jsonpath="{.data.ca\.crt}"
kubectl apply -f - <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: <secret-name>
  namespace: <namespace>
data:
  ca.crt: <value>
EOF
  3. Configure the Postgres instance with the following:
  • customConfig.pghba.name: the ConfigMap configured in step 1.
  • [Only required if TLS is enabled] spec.trustedCaCertificates.ldap.name: the secret configured in step 2.
kubectl apply -f - <<EOF
apiVersion: sql.tanzu.vmware.com/v1
kind: Postgres
metadata:
  name: <postgres-instance-name>
  namespace: <namespace>
spec:
  customConfig:
    pghba:
      name: <configmap-name>
  trustedCaCertificates:
    ldap:
      name: <secret-name>
EOF
  4. [Only required if TLS is enabled] Ensure that TLS is configured. LDAPTLS_CACERT stores the path to the ca.crt file in the instance.
kubectl exec -t pod/<postgres-instance-name>-0 -n <namespace> -- bash -c 'echo $LDAPTLS_CACERT'

When TLS is enabled successfully, the ca.crt from the provided secret is stored in the instance and is available at the following path:

/etc/ldap_tls/ca.crt
  5. Create a Postgres role for the LDAP user with the LOGIN privilege.
kubectl exec -t <postgres-instance-name>-0 -n <namespace> -- psql -c "CREATE ROLE <user> login"
  6. Grant the CONNECT ON DATABASE privilege to the Postgres user.
kubectl exec -t <postgres-instance-name>-0 -n <namespace> -- psql -c "GRANT CONNECT ON DATABASE <database-name> TO <user>"
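As an added check that is not part of the VMware documentation, the script below parses pg_hba.custom.conf entries in the format used in step 1 and flags LDAP records whose ldaptls is not 1 (the bind password then crosses the network unencrypted; PostgreSQL defaults ldaptls to 0 when it is omitted) or whose address column accepts connections from any source. The sample entries are constructed; the hostnames and DNs in them are placeholders.

```python
import shlex

# Constructed sample in the pg_hba.custom.conf format from step 1 (not from a real cluster).
SAMPLE_PG_HBA = """
# TLS to the LDAP server and a restricted source network
host "appdb" "alice" 10.0.0.0/8 ldap ldapserver=ldap.example.internal ldaptls=1 ldapprefix="cn=" ldapsuffix=", ou=people, dc=example, dc=internal"
# TLS disabled and open to any source address
host "appdb" "bob" 0.0.0.0/0 ldap ldapserver=ldap.example.internal ldaptls=0 ldapprefix="cn=" ldapsuffix=", ou=people, dc=example, dc=internal"
# ldaptls omitted: PostgreSQL treats this as 0
host "appdb" "carol" 0.0.0.0/0 ldap ldapserver=ldap.example.internal ldapprefix="cn=" ldapsuffix=", ou=people, dc=example, dc=internal"
"""

def parse_hba_line(line):
    """Split one host-type pg_hba record into its fields; shlex keeps quoted values whole."""
    fields = shlex.split(line, comments=True)
    if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
        return None
    conn_type, database, user, address, method = fields[:5]
    options = {}
    for opt in fields[5:]:                 # e.g. ldapsuffix=, ou=people, dc=example, dc=internal
        key, _, value = opt.partition("=")
        options[key] = value
    return {"type": conn_type, "database": database, "user": user,
            "address": address, "method": method, "options": options}

def audit_pg_hba(text):
    """Return (user, finding) pairs for LDAP records that weaken transport or source restrictions."""
    findings = []
    for line in text.splitlines():
        rec = parse_hba_line(line)
        if rec is None or rec["method"] != "ldap":
            continue
        opts = rec["options"]
        if "ldapserver" not in opts:
            findings.append((rec["user"], "ldapserver is missing"))
        # ldaptls=1 (STARTTLS) or ldapscheme=ldaps are the two ways to encrypt the LDAP bind
        if opts.get("ldaptls", "0") != "1" and opts.get("ldapscheme") != "ldaps":
            findings.append((rec["user"], "LDAP bind is not encrypted (ldaptls is not 1)"))
        if rec["address"] in ("0.0.0.0/0", "::/0"):
            findings.append((rec["user"], "address column allows connections from any source"))
    return findings

if __name__ == "__main__":
    for user, finding in audit_pg_hba(SAMPLE_PG_HBA):
        print(f"{user}: {finding}")
```

Feed it the output of kubectl get configmap <configmap-name> -n <namespace> -o jsonpath="{.data.pg_hba\.custom\.conf}" to audit a live ConfigMap.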