This section describes how to enable scram-sha-256 authentication on a newly built FEPpgpool2 container.
Create the resources required to enable scram-sha-256 authentication.
Create secret for encryption key
Create an encryption key secret (pgpoolkeySecret) containing the password to use for scram-sha-256 authentication.
The key is pgpoolkey and the value is the base64-encoded form of the password to be used for encryption. Note that base64 is an encoding, not encryption: anyone who can read the secret can recover the password, so restrict access to the secret accordingly.
apiVersion: v1
kind: Secret
metadata:
  name: scrampgpoolkey-secret
type: Opaque
data:
  pgpoolkey: cGdwb29sa2V5cGFzc3dvcmQ=
After creating the secret, write the name of the secret you created in the FEPPgpool2 custom resource. This mounts the created secret in the FEPpgpool2 container as a file in the volume and passes the password used for encryption to the FEPpgpool2 container.
If you use scram-sha-256 authentication and do not create a secret, the operator automatically creates the following secret based on the information in the FEPPgpool2 custom resource.
apiVersion: v1
kind: Secret
metadata:
  name: "{{spec.name}}-feppgpool2-pgpoolkey"
type: Opaque
data:
  pgpoolkey: K1kxOVZxKzRrdWluT3A2UHNQMzcwcUJuOUZ2UUoxUklNMms2cktIY1NkekFOemZBYkhjZDFadG5VR3ZtTVR6Uw==
The value is the base64-encoded form of a password randomly generated by the operator. The secret name is "{{spec.name}}-feppgpool2-pgpoolkey".
Information
scram-sha-256 authentication uses an encryption key. The FEPpgpool2 container uses this key to decrypt the AES-encrypted passwords stored in the pool_passwd file, so the key used for encryption and the key used for decryption must be the same.
Create a secret for database user information
The user/password used for client authentication in the FEPpgpool2 container must be the same as the database user used in the database in the FEP server container.
Create a database user information secret (userinfoSecret) in the FEPpgpool2 container to inform the database user username and password information in the FEP server container.
Describe the user names and passwords in the secret in the following format (the key is the database user name, the value is the base64-encoded password).
apiVersion: v1
kind: Secret
metadata:
  name: scramuserinfo-secret   # Specify any name
type: Opaque
data:
  user1: dXNlcjFwYXNzd2Q=
  user2: dXNlcjJwYXNzd2Q=
For database users that Operator creates automatically, you do not need to create a secret because Operator retrieves the database username and password information from the FEPCluster custom resource and the FEP server container.
If you use scram-sha-256 authentication and do not create a secret, the operator automatically creates the following secret:
apiVersion: v1
kind: Secret
metadata:
  name: "{{spec.name}}-feppgpool2-userinfo"
type: Opaque
data:
The secret name is "{{spec.name}}-feppgpool2-userinfo".
To enable scram-sha-256 authentication, edit and deploy a FEPPgpool2 custom resource with the following settings:
Set secret information
Specify scram for spec.clientAuthMethod in the FEPPgpool2 custom resource.
In addition, in the secret for the encryption key (spec.scram.pgpoolkeySecret), specify the name of the secret that you created in step 1 of "4.15.2.1 Creating the Resources Required to Enable scram-sha-256 Authentication". Similarly, in the database user information secret (spec.scram.userinfoSecret), specify the name of the secret that you created in step 2 of "4.15.2.1 Creating the Resources Required to Enable scram-sha-256 Authentication".
spec:
  clientAuthMethod: scram
  scram:
    pgpoolkeySecret: scrampgpoolkey-secret
    userinfoSecret: scramuserinfo-secret
This mounts the created secrets in the FEPpgpool2 container as files in the volume and notifies the FEPpgpool2 container of the username and password information.
Edit spec.customhba
Edit the spec.customhba field in the FEPPgpool2 custom resource to add an entry for scram-sha-256 authentication.
Edit pgpool.conf
You must edit the spec.customparams field in the FEPPgpool2 custom resource to set the parameters related to the authentication settings, for example:
enable_pool_hba=true
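As an added example (not part of this manual or of the operator's own code), the following Python builds the two secrets from plaintext values and checks that a FEPPgpool2 spec references them consistently before you deploy it. It assumes the spec is modelled as a plain dict and spec.customparams as a text string; the sample values are the ones shown in the manifests above.

```python
import base64

def b64(s: str) -> str:
    # Secret data values are base64-encoded, not encrypted: anyone who can read the Secret can decode them
    return base64.b64encode(s.encode()).decode()

def make_pgpoolkey_secret(name: str, key: str) -> dict:
    # Secret referenced by spec.scram.pgpoolkeySecret; its single key must be "pgpoolkey"
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": {"pgpoolkey": b64(key)}}

def make_userinfo_secret(name: str, users: dict) -> dict:
    # Secret referenced by spec.scram.userinfoSecret; one key per database user
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": name}, "data": {u: b64(p) for u, p in users.items()}}

def check_scram_config(spec: dict, secrets: dict) -> list:
    """Return the problems found; an empty list means the CR and its Secrets are consistent."""
    problems = []
    if spec.get("clientAuthMethod") != "scram":
        problems.append("spec.clientAuthMethod must be 'scram'")
    if "enable_pool_hba=true" not in spec.get("customparams", ""):  # customparams modelled as text (assumption)
        problems.append("spec.customparams must set enable_pool_hba=true")
    for field, required_key in (("pgpoolkeySecret", "pgpoolkey"), ("userinfoSecret", None)):
        ref = spec.get("scram", {}).get(field)
        if not ref:
            problems.append(f"spec.scram.{field} is not set")
            continue
        data = secrets.get(ref, {}).get("data")
        if data is None:
            problems.append(f"Secret '{ref}' referenced by spec.scram.{field} does not exist")
            continue
        if required_key and required_key not in data:
            problems.append(f"Secret '{ref}' must contain the key '{required_key}'")
        if not data:
            problems.append(f"Secret '{ref}' contains no users")
        for k, v in data.items():
            try:
                if not base64.b64decode(v, validate=True):
                    problems.append(f"Secret '{ref}' key '{k}' is empty")
            except ValueError:  # binascii.Error is a ValueError
                problems.append(f"Secret '{ref}' key '{k}' is not valid base64")
    return problems

# Constructed sample mirroring the manifests above (the base64 values are the ones shown on this page)
SAMPLE_SECRETS = {s["metadata"]["name"]: s for s in (
    make_pgpoolkey_secret("scrampgpoolkey-secret", "pgpoolkeypassword"),
    make_userinfo_secret("scramuserinfo-secret", {"user1": "user1passwd", "user2": "user2passwd"}))}
SAMPLE_SPEC = {"clientAuthMethod": "scram", "customparams": "enable_pool_hba=true",
               "scram": {"pgpoolkeySecret": "scrampgpoolkey-secret", "userinfoSecret": "scramuserinfo-secret"}}
```

Run check_scram_config against the real spec and secrets before applying the custom resource; a non-empty list tells you which reference or key would leave the FEPpgpool2 container unable to authenticate clients.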