Kubernetes postgres - 用户的密码认证失败

Question

我正在努力实现的目标

我正在建立一个由 postgres 数据库和与数据库通信的 elixir 应用程序组成的 microk8s 集群。

我遇到的问题

尝试连接时，我总是从数据库 pod 中收到错误消息：

2022-01-05 18:54:05.179 UTC [216] DETAIL:  Password does not match for user "phoenix_db_username
        ".
        Connection matched pg_hba.conf line 99: "host all all all md5"

由于数据库记录了错误，数据库和应用程序之间的连接显然工作正常。

我尝试过的

其他有问题的人建议删除 PV 和 PVC。请参阅此 github 问题： https://github.com/helm/charts/issues/16251#issuecomment-577560984

• 我已经尝试删除 pvc 和 pv，我可以确认 pv 已被删除，因为我在删除前后检查了/var/snap/microk8s/common/default-storage。
• 我尝试通过运行microk8s.disable storage 永久删除存储，然后再次使用microk8s.enable storage 启用存储。

microk8s.disable storage 的输出：

Disabling default storage
[...]
Storage removed
Remove PVC storage at /var/snap/microk8s/common/default-storage ? (Y/N): y
Storage space reclaimed

• 我使用 printenv 检查了数据库 pod 的环境，发现 POSTGRES_USER 和 POSTGRES_PASSWORD 的值正确（phoenix_db_username、phoenix_db_password）
• 我使用 printenv 检查了应用程序 pod 的环境，我看到 DB_USERNAME 和 DB_PASSWORD 的正确值（phoenix_db_username、phoenix_db_password）
• 我检查了 pq_hba.conf 文件，它不包含任何用户

根据 postgres docker 文档，这应该创建一个用户，但我不认为它正在创建一个。 https://hub.docker.com/_/postgres

Elixir 应用 yml 资源

elixir 应用的 configMap

apiVersion: v1
kind: ConfigMap
metadata:
  name: phoenix-app-config
  labels:
    app: phoenix-app
data:
  APP_NAME: "phoenix-app"
  APP_HOST: "0.0.0.0"
  APP_PORT: "4000"
  DB_NAME: "prod_db"
  DB_HOSTNAME: "phoenix-app-database"
  NAMESPACE: "production"

灵药应用的秘密

apiVersion: v1
kind: Secret
metadata:
  name: phoenix-app-secrets
  labels:
    app: phoenix-app
data:
  SECRET_KEY_BASE: KtpxCV3OY8KnRiC5yVo7Be+GRVeND+NxAsyk+FASDFasdfadffhNS804MLk
  DB_PASSWORD: cGhvZW5peC1kYi1wYXNzd29yZAo= # phoenix_db_username
  DB_USERNAME: cGhvZW5peC1kYi11c2VybmFtZQo= # phoenix_db_password

elixir 应用的部署

apiVersion: apps/v1
kind: Deployment
metadata:
  name: phoenix-app
  labels:
    app: phoenix-app
spec:
  replicas: 2
  selector:
    matchLabels:
      app: phoenix-app
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        app: phoenix-app
    spec:
      containers:
      - name: phoenix-app
        image: REDACTED
        imagePullPolicy: Always
        command: ["./bin/hello", "start"]
        lifecycle:
          preStop:
            exec:
              command: ["./bin/hello", "stop"]
        ports:
        - containerPort: 4000
        env:
        - name: POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        envFrom:
        - configMapRef:
            name: phoenix-app-config
        - secretRef:
            name: phoenix-app-secrets
      imagePullSecrets:
      - name: gitlab-pull-secret

数据库 yml 资源

apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: phoenix-app-database
  labels:
    app: phoenix-app-database
spec:
  serviceName: phoenix-app-database
  replicas: 1
  selector:
    matchLabels:
      app: phoenix-app-database
  template:
    metadata:
      labels:
        app: phoenix-app-database
    spec:
      containers:
      - name: phoenix-app-database
        image: postgres:12-alpine
        envFrom:
        - configMapRef:
            name: phoenix-app-database-config
        - secretRef:
            name: phoenix-app-database-secrets
        ports:
        - containerPort: 5432
          name: postgresdb
        volumeMounts:
        - name: phoenix-app-database
          mountPath: /var/lib/postgresql/data
      volumes:
      - name: phoenix-app-database
        persistentVolumeClaim:
          claimName: phoenix-app-db-pvc
---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: phoenix-app-db-pvc
spec:
  storageClassName: microk8s-hostpath
  capacity:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 250Mi
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: phoenix-app-database-config
  labels:
    app: phoenix-app-database
data:
  POSTGRES_DB: "prod_db"
---
apiVersion: v1
kind: Secret
metadata:
  name: phoenix-app-database-secrets
  labels:
    app: phoenix-app-database
data:
  POSTGRES_USER: cGhvZW5peF9kYl91c2VybmFtZQo= # phoenix_db_username
  POSTGRES_PASSWORD: cGhvZW5peF9kYl9wYXNzd29yZAo= # phoenix_db_password
---
apiVersion: v1
kind: Service
metadata:
  name: phoenix-app-database
  labels:
    app: phoenix-app-database
spec:
  ports:
  - port: 5432
    name: phoenix-app-database
  type: NodePort 
  selector:
    app: phoenix-app-database
---

来自数据库 pod 创建的日志

me@me:~/Documents/kubernetes-test$ kubectl logs phoenix-app-database-0 -n production
The files belonging to this database system will be owned by user "postgres".
This user must also own the server process.

The database cluster will be initialized with locale "en_US.utf8".
The default database encoding has accordingly been set to "UTF8".
The default text search configuration will be set to "english".

Data page checksums are disabled.

fixing permissions on existing directory /var/lib/postgresql/data ... ok
creating subdirectories ... ok
selecting dynamic shared memory implementation ... posix
selecting default max_connections ... 100
selecting default shared_buffers ... 128MB
selecting default time zone ... UTC
creating configuration files ... ok
running bootstrap script ... ok
sh: locale: not found
2022-01-05 20:47:02.013 UTC [30] WARNING:  no usable system locales were found
performing post-bootstrap initialization ... ok
syncing data to disk ... ok


Success. You can now start the database server using:

    pg_ctl -D /var/lib/postgresql/data -l logfile start

initdb: warning: enabling "trust" authentication for local connections
You can change this by editing pg_hba.conf or using the option -A, or
--auth-local and --auth-host, the next time you run initdb.
waiting for server to start....2022-01-05 20:47:02.621 UTC [36] LOG:  starting PostgreSQL 12.9 on x86_64-pc-linux-musl, compiled by gcc (Alpine 10.3.1_git20211027) 10.3.1 20211027, 64-bit
2022-01-05 20:47:02.623 UTC [36] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2022-01-05 20:47:02.641 UTC [37] LOG:  database system was shut down at 2022-01-05 20:47:02 UTC
2022-01-05 20:47:02.645 UTC [36] LOG:  database system is ready to accept connections
 done
server started
CREATE DATABASE


/usr/local/bin/docker-entrypoint.sh: ignoring /docker-entrypoint-initdb.d/*

waiting for server to shut down....2022-01-05 20:47:02.794 UTC [36] LOG:  received fast shutdown request
2022-01-05 20:47:02.795 UTC [36] LOG:  aborting any active transactions
2022-01-05 20:47:02.797 UTC [36] LOG:  background worker "logical replication launcher" (PID 43) exited with exit code 1
2022-01-05 20:47:02.797 UTC [38] LOG:  shutting down
2022-01-05 20:47:02.808 UTC [36] LOG:  database system is shut down
 done
server stopped

PostgreSQL init process complete; ready for start up.

2022-01-05 20:47:02.904 UTC [1] LOG:  starting PostgreSQL 12.9 on x86_64-pc-linux-musl, compiled by gcc (Alpine 10.3.1_git20211027) 10.3.1 20211027, 64-bit
2022-01-05 20:47:02.904 UTC [1] LOG:  listening on IPv4 address "0.0.0.0", port 5432
2022-01-05 20:47:02.905 UTC [1] LOG:  listening on IPv6 address "::", port 5432
2022-01-05 20:47:02.909 UTC [1] LOG:  listening on Unix socket "/var/run/postgresql/.s.PGSQL.5432"
2022-01-05 20:47:02.925 UTC [50] LOG:  database system was shut down at 2022-01-05 20:47:02 UTC
2022-01-05 20:47:02.929 UTC [1] LOG:  database system is ready to accept connections

Answer 1

好的，我已经解决了这个问题，而且解决起来相当简单，但很难注意到。

我正在通过模板创建 yml 文件，例如：

apiVersion: v1
kind: Secret
metadata:
  name: {{APP_NAME}}-database-secrets
  labels:
    app: {{APP_NAME}}-database
data:
  POSTGRES_USER: {{DB_USERNAME_B64}}
  POSTGRES_PASSWORD: {{DB_PASSWORD_B64}}

然后我将这些模板合并在一起，并将所有 {{ }} 封闭声明替换为来自特定环境的值。以_B64结尾的我在插入之前编码成base64格式。

我是这样做的，似乎工作正常：

if [[ "${variable_key}" == *_B64 ]]; then
    variable_value="$(echo "${variable_value}" | base64)"
fi

但是，这是不行的，因为当我在这里echo 变量时，我将换行符 添加到变量，这使得数据库名称和用户名对于 postgres 来说是非法的。我在检查 base64decode.org 上的解码值时意识到了这一点，发现有两行。

我通过将 bash 脚本更改为不打印换行符 (-n) 来修复它：

if [[ "${variable_key}" == *_B64 ]]; then
    variable_value="$(echo -n "${variable_value}" | base64 -w 0 )"
fi

我希望这可以帮助将来有人调试这个问题！