I am running the “official” Postgres container on Nomad (using the Docker driver) and provisioning a PKI keypair from Vault via a template stanza. The issue I have is that the Postgres container runs as a specified user with uid 999/gid 999 and it isn’t in the root group. Postgres requires file mode `0600` or `0640` for its SSL key. I’d like to have it in `NOMAD_SECRETS_DIR` and somehow change the ownership.

Here’s a representative example of the template for generating the key:
```hcl
template {
  destination = local.postgres_key_path
  perms       = "0600" # -rw------- 1 root root
  data        = <<EOF
{{- with secret "pki/issue/postgres" "common_name=postgres.service.consul" "format=pem" -}}
{{ .Data.private_key }}
{{- end -}}
EOF
}
```
I’d prefer not to run Postgres as root or run a privileged container. Is it possible to change the ownership of a secret to make Postgres happy? Or is there some other solution I’m missing?
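The following is an added example, not code from the post above or from Nomad or PostgreSQL. It reproduces the permission rule PostgreSQL applies to `ssl_key_file` (owned by the database user with no group/other bits, or owned by root with no group-write and no other bits, i.e. `0600` or `0640`) and then separately checks whether a process running as the container's uid/gid could actually read the file. The uid/gid values 999 are taken from the post; the function names and the constructed temporary file are assumptions for illustration. It shows why the rendered file above (`0600`, owned by `root:root`) passes PostgreSQL's mode check yet still cannot be opened by uid 999, which is the situation the post describes.

```python
"""Check a PostgreSQL SSL key file against the server's permission rule
and against the uid/gid that will try to read it. Added example code."""
import os
import stat
import tempfile
from typing import Iterable, Tuple


def key_mode_ok(owner_uid: int, mode: int, db_uid: int) -> bool:
    """Mirror PostgreSQL's ssl_key_file check: owned by the database user
    with mode <= 0600, or owned by root with mode <= 0640."""
    perm = stat.S_IMODE(mode)
    if owner_uid == db_uid:
        return (perm & (stat.S_IRWXG | stat.S_IRWXO)) == 0
    if owner_uid == 0:
        return (perm & (stat.S_IWGRP | stat.S_IRWXO)) == 0
    return False


def key_readable_by(owner_uid: int, owner_gid: int, mode: int,
                    db_uid: int, db_gids: Iterable[int]) -> bool:
    """Plain Unix read check for a process with the given uid and groups:
    owner bits if it owns the file, else group bits if a group matches,
    else the 'other' bits."""
    perm = stat.S_IMODE(mode)
    if owner_uid == db_uid:
        return bool(perm & stat.S_IRUSR)
    if owner_gid in set(db_gids):
        return bool(perm & stat.S_IRGRP)
    return bool(perm & stat.S_IROTH)


def check_key_file(path: str, db_uid: int = 999,
                   db_gids: Iterable[int] = (999,)) -> Tuple[bool, str]:
    """Return (ok, explanation) for the key file at `path` as seen by the
    database process. Defaults are the uid/gid from the post."""
    st = os.stat(path)
    perm = stat.S_IMODE(st.st_mode)
    desc = f"{path}: mode {perm:04o} uid {st.st_uid} gid {st.st_gid}"
    if not stat.S_ISREG(st.st_mode):
        return False, desc + ": not a regular file"
    if not key_mode_ok(st.st_uid, st.st_mode, db_uid):
        return False, desc + (": postgres would reject it (needs 0600 owned by "
                              "the db user, or 0640 owned by root)")
    if not key_readable_by(st.st_uid, st.st_gid, st.st_mode, db_uid, db_gids):
        return False, desc + ": mode is acceptable but the db user cannot read it"
    return True, desc + ": ok"


if __name__ == "__main__":
    # Constructed sample: a throwaway file rendered as the template would
    # render it (mode 0600) but owned by whoever runs this script.
    with tempfile.TemporaryDirectory() as tmp:
        key = os.path.join(tmp, "postgres.key")
        with open(key, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\n(placeholder)\n-----END PRIVATE KEY-----\n")
        os.chmod(key, 0o600)
        # As the owning user: accepted and readable.
        print(check_key_file(key, os.getuid(), (os.getgid(),)))
        # As uid 999 / gid 999 from the post: the mode check only passes if
        # the file is root-owned, and even then uid 999 cannot read it.
        print(check_key_file(key, 999, (999,)))
    # The post's exact case, evaluated on the pure functions:
    print("root:root 0600 passes mode check:", key_mode_ok(0, 0o600, 999))
    print("root:root 0600 readable by 999:", key_readable_by(0, 0, 0o600, 999, (999,)))
```

The two checks are deliberately separate: PostgreSQL's own test is about who may *write* or *see* the key, while the second one is the ordinary read access the server needs at startup. A root-owned `0640` file is only useful if the database user is in the owning group, which is exactly what the container in the post lacks.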