Merge branch 'release/v14.15-2'

alexander-dammeier · cesmarvin · commit 778768b745c9 · 2025-02-21T08:45:21.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [v14.15-2] - 2025-02-21
+### Changed
+- [#47] Do not restrict access via `pg_hba.conf` in multinode anymore because network policies do that.
+
 ## [v14.15-1] - 2025-01-23
 ### Changed 
 - [#42] Update Makefiles to 9.5.0
diff --git a/Dockerfile b/Dockerfile
@@ -18,7 +18,7 @@ RUN set -x -o errexit \
 FROM registry.cloudogu.com/official/base:3.21.0-1
 
 LABEL NAME="official/postgresql" \
-        VERSION="14.15-1" \
+        VERSION="14.15-2" \
         maintainer="hello@cloudogu.com"
 
 ENV LANG=en_US.utf8 \
diff --git a/batsTests/startup.bats b/batsTests/startup.bats
@@ -13,30 +13,29 @@ setup() {
   export STARTUP_DIR=/workspace/resources
   export WORKDIR=/workspace
   netstat="$(mock_create)"
+  doguctl="$(mock_create)"
   export netstat
+  export doguctl
   export PATH="${BATS_TMPDIR}:${PATH}"
   ln -s "${netstat}" "${BATS_TMPDIR}/netstat"
+  ln -s "${doguctl}" "${BATS_TMPDIR}/doguctl"
 }
 
 teardown() {
   unset STARTUP_DIR
   unset WORKDIR
   rm "${BATS_TMPDIR}/netstat"
+  rm "${BATS_TMPDIR}/doguctl"
 }
 
-@test "create_hba() should use cidr 16 if the dogu is running in a k8s cluster" {
-  mock_set_output "${netstat}" "Kernel-IP-Routentabelle
-Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
-192.168.179.0   0.0.0.0         255.255.255.0   U         0 0          0 wlp0s20f3"
-
+@test "create_hba() should accept all if the dogu is running in a k8s cluster" {
   source /workspace/resources/startup.sh
-  local POD_NAMESPACE
-  export POD_NAMESPACE="ecosystem"
+  mock_set_output "${doguctl}" "true"
 
   run create_hba
 
   assert_success
-  assert_equal "$(mock_get_call_num "${netstat}")" "1"
+  assert_equal "$(mock_get_call_num "${doguctl}")" "1"
   assert_line '# generated, do not override'
   assert_line '# "local" is for Unix domain socket connections only'
   assert_line 'local   all             all                                     trust'
@@ -45,10 +44,11 @@ Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
   assert_line '# IPv6 local connections:'
   assert_line 'host    all             all             ::1/128                 trust'
   assert_line '# container networks'
-  assert_line "host    all             all             192.168.179.0/16          password"
+  assert_line "host    all             all             all          password"
 }
 
 @test "create_hba() should use regular cidr if the dogu is not running in a k8s cluster" {
+  mock_set_output "${doguctl}" "false"
   mock_set_output "${netstat}" "Kernel-IP-Routentabelle
 Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
 192.168.179.0   0.0.0.0         255.255.255.0   U         0 0          0 wlp0s20f3"
@@ -59,6 +59,7 @@ Ziel            Router          Genmask         Flags   MSS Fenster irtt Iface
 
   assert_success
   assert_equal "$(mock_get_call_num "${netstat}")" "1"
+  assert_equal "$(mock_get_call_num "${doguctl}")" "1"
   assert_line '# generated, do not override'
   assert_line '# "local" is for Unix domain socket connections only'
   assert_line 'local   all             all                                     trust'
diff --git a/dogu.json b/dogu.json
@@ -1,6 +1,6 @@
 {
   "Name": "official/postgresql",
-  "Version": "14.15-1",
+  "Version": "14.15-2",
   "DisplayName": "PostgreSQL",
   "Description": "PostgreSQL Database.",
   "Url": "https://www.postgresql.org/",
diff --git a/resources/startup.sh b/resources/startup.sh
@@ -58,25 +58,19 @@ function create_hba() {
   echo '# IPv6 local connections:'
   echo 'host    all             all             ::1/128                 trust'
   echo '# container networks'
-  for NETWITHMASK in $(netstat -nr | tail -n +3 | grep -v '^0' | awk '{print $1"/"$3}'); do
-    local NET
-    NET=$(echo "${NETWITHMASK}" | awk -F'/' '{print $1}')
-    local MASK
-    MASK=$(echo "${NETWITHMASK}" | awk -F'/' '{print $2}')
-    local CIDR
-    CIDR=$(mask2cidr "$MASK")
-    local isNotRunningUnderK8s="${POD_NAMESPACE:-"not running k8s"}"
-    local netmaskCidrValue
-    if [ "${isNotRunningUnderK8s}" == "not running k8s" ]; then
-      netmaskCidrValue="${NET}/${CIDR}"
-    else
-      # Hyper-scalers default to a CIDR of /32 which blocks any network traffic from others pods esp. from other nodes.
-      # /16 allows traffic from a sufficiently large network range from the kubernetes cluster, independently how the
-      # cluster is configured.
-      netmaskCidrValue="${NET}/16"
-    fi
-    echo "host    all             all             ${netmaskCidrValue}          password"
-  done
+  if [[ "$(doguctl multinode)" = "false" ]]; then
+    for NETWITHMASK in $(netstat -nr | tail -n +3 | grep -v '^0' | awk '{print $1"/"$3}'); do
+      local NET
+      NET=$(echo "${NETWITHMASK}" | awk -F'/' '{print $1}')
+      local MASK
+      MASK=$(echo "${NETWITHMASK}" | awk -F'/' '{print $2}')
+      local CIDR
+      CIDR=$(mask2cidr "$MASK")
+      echo "host    all             all             ${NET}/${CIDR}          password"
+    done
+  else
+    echo "host    all             all             all          password"
+  fi
 }
 
 function write_pg_hba_conf() {

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"Name": "official/postgresql",`
`3`		`- "Version": "14.15-1",`
	`3`	`+ "Version": "14.15-2",`
`4`	`4`	`"DisplayName": "PostgreSQL",`
`5`	`5`	`"Description": "PostgreSQL Database.",`
`6`	`6`	`"Url": "https://www.postgresql.org/",`