Pull request overview
Adds end-user documentation for Transparent Data Encryption (TDE) / data-at-rest encryption support and exposes it in the MkDocs navigation and Operator configuration reference.
Changes:
- Adds a new “Data-at-rest encryption” documentation section (overview + Vault setup guide).
- Updates `docs/operator.md` to document new `extensions.*` options (including `extensions.pg_tde.*`) and mark older `extensions.builtin.*` entries as deprecated.
- Wires the new docs into the site navigation via `mkdocs-base.yml`.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 16 comments.
| File | Description |
|---|---|
| mkdocs-base.yml | Adds nav entries for the new data-at-rest encryption docs. |
| docs/operator.md | Adds/updates extension option documentation, deprecation notes, and new pg_tde/Vault settings. |
| docs/encryption.md | New overview page for data-at-rest encryption (TDE) and how it works. |
| docs/encryption-setup.md | New step-by-step Vault setup and CR configuration guide for pg_tde. |
| docs/encryption-disable.md | New guide describing how to disable encryption safely. |
| docs/assets/fragments/vault-install-tls.txt | New Vault-on-Kubernetes (Helm + TLS) procedure fragment used by the setup guide. |
| docs/assets/fragments/vault-generate-tls-certs.txt | New TLS certificate generation procedure fragment used by the setup guide. |
| docs/assets/fragments/vault-enable-kv.txt | New fragment describing how to enable Vault KV v2 at a mount path. |
| ??? example "Expected output" | ||
|
|
||
| ```{.text .no-value} | ||
| Key Value | ||
| --- ----- | ||
| Seal Type shamir | ||
| Initialized true | ||
| Sealed true | ||
| Total Shares 1 | ||
| Threshold 1 | ||
| Unseal Progress 0/1 | ||
| Unseal Nonce n/a | ||
| Version 1.19.0 | ||
| Build Date 2025-03-04T12:36:40Z | ||
| Storage Type raft | ||
| Removed From Cluster false | ||
| HA Enabled true | ||
| ``` |
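Review bot: the `Version 1.19.0` and `Build Date 2025-03-04T12:36:40Z` lines in this expected-output block are tied to one specific Vault build, so readers on any other release will see a mismatch on those two lines even when the unseal worked; either state in the admonition that these two values vary by release, or drop them from the sample, so a difference there is not mistaken for a failed unseal.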
The "Expected output" for unsealing the remaining pods shows Sealed true and Unseal Progress 0/1, which indicates the pod is still sealed. After a successful unseal (threshold=1), the output should show Sealed false. Also, the code fence uses .no-value, which doesn’t appear elsewhere in the docs (likely meant .no-copy).
|
|
||
| ```bash | ||
| openssl req -new -key $WORKDIR/vault.key \ | ||
| -subj "/CN=system:node:${SERVICE}.${NAMESPACE}.svc;/O=system:nodes" \ |
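Review bot: in the `-subj` argument on the second line of this hunk, OpenSSL splits DN components on `/` only, so the `;` in `...svc;/O=system:nodes` is not treated as a separator but becomes the final character of the CN value, giving `CN=system:node:<service>.<namespace>.svc;` rather than the intended node name. Drop the semicolon: `-subj "/CN=system:node:${SERVICE}.${NAMESPACE}.svc/O=system:nodes" \`.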
The OpenSSL -subj value uses ; between DN components (...svc;/O=...). OpenSSL expects DN components separated by / (e.g. /CN=.../O=...); with the current command the CSR subject may be malformed and the procedure may fail.
| -subj "/CN=system:node:${SERVICE}.${NAMESPACE}.svc;/O=system:nodes" \ | |
| -subj "/CN=system:node:${SERVICE}.${NAMESPACE}.svc/O=system:nodes" \ |
docs/encryption-disable.md
| 3. Apply the changes: | ||
|
|
||
| ```bash | ||
| kubectl apply -f deploy/cr.yaml -n $NAMESPACE | ||
| ``` |
This guide uses $NAMESPACE in the kubectl apply commands, but the variable is never defined here (and the setup guide uses $CLUSTER_NAMESPACE for the database/CR namespace). Use the correct namespace variable consistently so the commands are runnable as-is.
egegunes
left a comment
LGTM. Please just check Copilot comments.
@janwieremjewicz if you have some time, please take a look at this pg_tde documentation for the operator
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Split text into sections for scannability
77e5302 to 34675a0