Pooler don't works with custom clientCASecret

[xabufr]

Hello!

When I create a Cluster using a certificates.clientCASecret generated using cert-manager (like in the doc), the controller fails if the Cluster has an attached Pooler.

Logs

{
  "level": "error",
  "ts": "2023-09-21T14:03:45Z",
  "msg": "Reconciler error",
  "controller": "cluster",
  "controllerGroup": "postgresql.cnpg.io",
  "controllerKind": "Cluster",
  "Cluster": {
    "name": "barcnpg-tloubiou-test",
    "namespace": "barcnpg-tloubiou-test"
  },
  "namespace": "barcnpg-tloubiou-test",
  "name": "barcnpg-tloubiou-test",
  "reconcileID": "8f4e007b-5505-47c6-a73c-c1095994f489",
  "error": "cannot create Cluster auxiliary objects: missing ca.key secret data",
  "stacktrace": "sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tpkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:324\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tpkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:265\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tpkg/mod/sigs.k8s.io/controller-runtime@v0.15.0/pkg/internal/controller/controller.go:226"
}

After looking the source code, I've found the error is raised by the ensureLeafCertificate function which call generateCertificateFromCA which calls certs.ParseCASecret using the clientCASecret generated by cert-manager.

This certificate only contains ca.crt, tls.crt and tls.key.

I think I can use the Pooler.spec.pgbouncer.authQuerySecret field as a workaround, but it would be nice to at least document this behavior.

Removing the pooler fixes the problem.

[gbartolini]

Up for a PR? :)

[phisco]

I could reproduce the issue.

cert-manager-cluster-certificates.yaml

---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: v1
kind: Secret
metadata:
  name: my-postgres-server-cert
  labels:
    cnpg.io/reload: ""
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-postgres-server-cert
spec:
  secretName: my-postgres-server-cert
  usages:
    - server auth
  dnsNames:
    - cluster-example-lb.internal.mydomain.net
    - cluster-example-rw
    - cluster-example-rw.default
    - cluster-example-rw.default.svc
    - cluster-example-r
    - cluster-example-r.default
    - cluster-example-r.default.svc
    - cluster-example-ro
    - cluster-example-ro.default
    - cluster-example-ro.default.svc
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
---
apiVersion: v1
kind: Secret
metadata:
  name: my-postgres-client-cert
  labels:
    cnpg.io/reload: ""
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-postgres-client-cert
spec:
  secretName: my-postgres-client-cert
  usages:
    - client auth
  commonName: streaming_replica
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io

Then a Cluster using both the secrets above.

cluster-example-using-certs.yaml

apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: cluster-example
spec:
  instances: 3
  certificates:
    serverTLSSecret: my-postgres-server-cert
    serverCASecret: my-postgres-server-cert
    clientCASecret: my-postgres-client-cert
    replicationTLSSecret: my-postgres-client-cert
  storage:
    size: 1Gi

Everything works fine as expected.

Then deploying a Pooler:

pooler.yaml

apiVersion: postgresql.cnpg.io/v1
kind: Pooler
metadata:
  name: pooler-example-rw
spec:
  cluster:
    name: cluster-example

  instances: 3
  type: rw
  pgbouncer:
    poolMode: session
    parameters:
      max_client_conn: "1000"
      default_pool_size: "10"

Results in the same error as in the description.

error.json

{
  "level": "error",
  "ts": "2023-12-11T13:47:46Z",
  "msg": "Reconciler error",
  "controller": "cluster",
  "controllerGroup": "postgresql.cnpg.io",
  "controllerKind": "Cluster",
  "Cluster": {
    "name": "cluster-example",
    "namespace": "default"
  },
  "namespace": "default",
  "name": "cluster-example",
  "reconcileID": "b9357cf3-9dc0-4ab0-ac3b-2b46d4efea98",
  "error": "cannot create Cluster auxiliary objects: missing ca.key secret data",
  "stacktrace": "sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\tpkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:329\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\tpkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\tpkg/mod/sigs.k8s.io/controller-runtime@v0.16.3/pkg/internal/controller/controller.go:227"
}

This error comes from the Cluster reconciler trying to generate a Client certificate cluster-example-pooler for the Pooler, as specified at status.poolerIntegrations.secrets.

kubect get cluster cluster-example -o yaml

apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: cluster-example
  namespace: default
spec:
  # ... omitted for brevity ...
status:
  certificates:
    clientCASecret: my-postgres-client-cert
    expirations:
      my-postgres-client-cert: 2024-03-10 13:30:55 +0000 UTC
      my-postgres-server-cert: 2024-03-10 13:25:46 +0000 UTC
    replicationTLSSecret: my-postgres-client-cert
    serverAltDNSNames:
    - cluster-example-rw
    - cluster-example-rw.default
    - cluster-example-rw.default.svc
    - cluster-example-r
    - cluster-example-r.default
    - cluster-example-r.default.svc
    - cluster-example-ro
    - cluster-example-ro.default
    - cluster-example-ro.default.svc
    serverCASecret: my-postgres-server-cert
    serverTLSSecret: my-postgres-server-cert
  phase: Cluster in healthy state
  poolerIntegrations:
    pgBouncerIntegration:
      secrets:
      - cluster-example-pooler                           # <= the operator tries to create this secret
  secretsResourceVersion:
    applicationSecretVersion: "4335"
    clientCaSecretVersion: "2187"
    replicationSecretVersion: "2187"
    serverCaSecretVersion: "1568"
    serverSecretVersion: "1568"
  # ... omitted for brevity ...

Not really a bug

The operator can not indeed properly generate the required client certificate, as it doesn't have access to the CA private key.
The fix would be to manually create a client certificate for the Pooler and set it as spec.pgbouncer.authQuerySecret, however that will mean the Pooler is in manual certificates mode as specified in the docs.

Possible Improvements

There is nothing the operator could do in this case, so this is not a bug, however we could improve its behaviour:

• the error message could be more explicit, e.g. mention why we are trying to read the client ca.key
• the operator could avoid trying to setup automatic pooler integration if we know we are not handling the CA
• if possible, the pooler should be rejected if the target cluster has certificates not handled by the operator itself
• we could relax the condition on the pooler, and still automatically configure or try configuring everything if authQuerySecret is provided without authQuery which would be equivalent to creating a secret with the same name expected by the operator cluster-example-pooler without actually configuring it as authQuerySecret, see manifest below.

---
apiVersion: v1
kind: Secret
metadata:
  name: cluster-example-pooler
  labels:
    cnpg.io/reload: ""
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cluster-example-pooler
spec:
  secretName: cluster-example-pooler
  usages:
    - client auth
  commonName: cnpg_pooler_pgbouncer
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io

[phisco]

This indeed would allow to configure assuming that a secret with the Client CA is available, e.g.:

---
apiVersion: v1
kind: Namespace
metadata:
  name: sandbox
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-selfsigned-ca
  namespace: sandbox
spec:
  isCA: true
  commonName: my-selfsigned-ca
  secretName: root-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: my-ca-issuer
  namespace: sandbox
spec:
  ca:
    secretName: root-secret
---
apiVersion: v1
kind: Secret
metadata:
  name: my-postgres-server-cert
  labels:
    cnpg.io/reload: ""
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-postgres-server-cert
spec:
  secretName: my-postgres-server-cert
  usages:
    - server auth
  dnsNames:
    - cluster-example-lb.internal.mydomain.net
    - cluster-example-rw
    - cluster-example-rw.default
    - cluster-example-rw.default.svc
    - cluster-example-r
    - cluster-example-r.default
    - cluster-example-r.default.svc
    - cluster-example-ro
    - cluster-example-ro.default
    - cluster-example-ro.default.svc
  issuerRef:
    name: my-ca-issuer
    kind: Issuer
    group: cert-manager.io
---
apiVersion: v1
kind: Secret
metadata:
  name: my-postgres-client-cert
  labels:
    cnpg.io/reload: ""
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: my-postgres-client-cert
spec:
  secretName: my-postgres-client-cert
  usages:
    - client auth
  commonName: streaming_replica
  issuerRef:
    name: my-ca-issuer
    kind: Issuer
    group: cert-manager.io

and then:

apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: cluster-example
spec:
  instances: 3
  certificates:
    serverTLSSecret: my-postgres-server-cert
    serverCASecret: my-postgres-server-cert
    clientCASecret: root-secret                             # <= the secret containing the ca.key
    replicationTLSSecret: my-postgres-client-cert
  storage:
    size: 1Gi

Note that, this is an additional use-case w.r.t. the ones explained in the docs, as what we would like here is for the operator to be able to adopt a CA provided by cert-manager and therefore work in a hybrid mode, while what we support atm is client and/or server certificates fully handled either by cert-manager or cnpg.

[Otterpohl]

Is there any sort of workaround/alternative for this in the meantime?

[github-actions]

This issue is stale because it has been open for 60 days with no activity.