Open
Description
Report
LDAPS authentication is not working in version 2.6.0 because PostgreSQL cannot connect to the LDAP server.
More about the problem
When a user wants to sign in to the database, PostgreSQL cannot connect to the LDAP server because the TLS negotiation fails, even though the LDAP certificate is trusted by openssl s_client in the container. In the new version the LDAPTLS_CACERT environment variable points to the /etc/postgres/ldap/ca.crt file in the StatefulSet. This file doesn't exist and you can't create it with an initContainer, Secret or ConfigMap, cannot mount a PVC, etc.
Steps to reproduce
- Install the postgresql-operator in a namespace
- Apply PerconaPGCluster kubernetes object:
apiVersion: pgv2.percona.com/v2
kind: PerconaPGCluster
metadata:
  name: percona-nke-psql-17
spec:
  crVersion: 2.6.0
  ...
  instances:
    - name: instance1
      replicas: 1
  ...
  patroni:
    syncPeriodSeconds: 10 # default: 10
    leaderLeaseDurationSeconds: 30 # default: 30
    port: 8008
    dynamicConfiguration:
      postgresql:
        pg_hba:
          - host all postgres 10.0.0.0/8 md5
          - host all all 172.16.0.0/12 ldap ldapurl="ldaps://ldap.example.com:636/DC=intra,DC=example,DC=com?sAMAccountName?sub" ldapbinddn="CN=ldap_percona_svc,OU=LDAP_users,DC=intra,DC=example,DC=com" ldapbindpasswd="sompassword"
  ...
- Try to log in with an LDAP user
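The mismatch described above ("trusted by openssl s_client, but the TLS negotiation fails") comes from the two checks using different trust stores: a plain s_client uses the system store, while PostgreSQL's ldap auth goes through libldap, which honours LDAPTLS_CACERT. The following diagnostic is an added example, not part of the report or the operator; it assumes openssl is available in the container and that the CA path and host are passed in (or taken from LDAPTLS_CACERT), and it verifies the handshake against exactly the file libldap would use.

```shell
#!/bin/sh
# Check LDAPS trust the way libldap (and therefore pg_hba's ldap method) sees it.
# Exit codes: 0 handshake verified against the CA file, 1 handshake or chain
# verification failed, 2 CA file unset/missing/unreadable, 3 openssl not found.
ldaps_trust_check() {
    host=$1
    port=${2:-636}
    # Third argument wins; otherwise use the same variable libldap reads.
    cafile=${3:-${LDAPTLS_CACERT:-}}

    if [ -z "$cafile" ]; then
        echo "LDAPTLS_CACERT is unset; libldap would fall back to TLS_CACERT from ldap.conf" >&2
        return 2
    fi
    if [ ! -r "$cafile" ]; then
        # This is the failure mode from the report: the variable is set, but the
        # file it names was never mounted into the container.
        echo "CA file '$cafile' does not exist or is unreadable in this container" >&2
        return 2
    fi
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 3; }

    # -CAfile restricts verification to that file (not the system store);
    # -verify_return_error turns a chain-verification failure into a failed
    # handshake instead of a warning, mirroring libldap's strict behaviour.
    if openssl s_client -connect "$host:$port" -servername "$host" \
            -CAfile "$cafile" -verify_return_error </dev/null >/dev/null 2>&1; then
        echo "TLS handshake to $host:$port verified against $cafile"
        return 0
    fi
    echo "TLS handshake to $host:$port failed when verifying against $cafile" >&2
    return 1
}

# Usage inside the database pod, with the path the operator sets (hypothetical invocation):
# ldaps_trust_check ldap.example.com 636 /etc/postgres/ldap/ca.crt
```

An exit code of 2 with the operator's default path confirms the missing-file condition from the report rather than a certificate problem on the LDAP server side.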
Versions
- Kubernetes: rke2 (rancher managed cluster), 1.31.7
- Operator: 2.6.0
- Database: 17.4
Anything else?
No response