Project Quay / PROJQUAY-1964

Validation fails on Quay startup when Azure PostgreSQL db is used with SSL



    Description

      We have a client who is using the operator to install Quay 3.5.1 on an OpenShift cluster deployed on Azure and backed with Azure PostgreSQL RDS. The RDS is enforcing SSL on all connections. The client has set the database component to be unmanaged:

      apiVersion: quay.redhat.com/v1
      kind: QuayRegistry
      metadata: 
        name: lht-quay-registry
        namespace: lht-quay-registry
      spec: 
        configBundleSecret: lht-quay-registry-config-bundle
        components: 
          - managed: false
            kind: clair
          - managed: false
            kind: postgres
          - managed: true
            kind: objectstorage
          - managed: true
            kind: redis
          - managed: true
            kind: horizontalpodautoscaler
          - managed: true
            kind: route
          - managed: false
            kind: mirror
          - managed: false
            kind: monitoring
      

      and has added the following config bundle to the operator:

      -> lht-quay-registry-config-bundle secret
      config.yaml: |
        ALLOW_PULLS_WITHOUT_STRICT_LOGGING: false
        AUTHENTICATION_TYPE: Database
        DEFAULT_TAG_EXPIRATION: 8w
        ENTERPRISE_LOGO_URL: /static/img/RH_Logo_Quay_Black_UX-horizontal.svg
        FEATURE_BUILD_SUPPORT: false
        FEATURE_DIRECT_LOGIN: true
        FEATURE_ANONYMOUS_ACCESS: false
        FEATURE_MAILING: false
        REGISTRY_TITLE: LHT
        REGISTRY_TITLE_SHORT: LHT
        TAG_EXPIRATION_OPTIONS: 
        - 2w
        - 4w
        - 8w
        - 16w
        TEAM_RESYNC_STALE_TIME: 60m
        TESTING: false
        DB_URI: "postgresql://<user>@<server>:<pw>@<server>.postgres.database.azure.com:5432/quay?sslmode=require"
      

      The deployment went through fine and the bundle was correctly interpreted by the operator, but the init pod keeps crashing:

      -> oc get pods
      NAME                                                    READY   STATUS             RESTARTS   AGE
      lht-quay-registry-quay-app-upgrade-f68666497-hpgkt      0/1     CrashLoopBackOff   4          2m32s
      lht-quay-registry-quay-config-editor-85654dc7d6-t6tp7   1/1     Running            0          2m41s
      lht-quay-registry-quay-redis-64d7976bd4-xhnv4           1/1     Running            0          2m46s
      quay-operator.v3.5.1-6d86c485c-tp6hz                    1/1     Running            0          19m
      
      
      -> oc logs lht-quay-registry-quay-app-upgrade-f68666497-hpgkt
      [...]
      | Database               | Could not connect to database. Error: FATAL #28000 SSL connection is required. Please specify SSL options and retry. |     |
      [...]
      

      The client also created a small Python script to actually check the connectivity with the database:

      -> Created a script and filled in my DB connection data [2]
      import psycopg2
      
      # Update connection string information
      host = "<server-name>"
      dbname = "<database-name>"
      user = "<admin-username>"
      password = "<admin-password>"
      sslmode = "require"
      
      # Construct connection string
      conn_string = "host={0} user={1} dbname={2} password={3} sslmode={4}".format(host, user, dbname, password, sslmode)
      conn = psycopg2.connect(conn_string)
      print("Connection established")
      
      -> Execute the script inside the pod with "python db.py"
      Connection established
      

      The deployment also works if SSL is deliberately turned off, but not if SSL is enforced on the database. Please check, thanks!
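As an added example, not from this issue or from the Quay project: a small pre-flight check of the DB_URI shape used in the config bundle above, flagging sslmode values that do not guarantee or verify TLS and a raw '@' left inside the username (Azure usernames take the form user@server, and RFC 3986 requires that character to be percent-encoded in URI userinfo). The URIs it checks are constructed placeholders with no real credentials, and the username check is a general URI point, not a cause established by this issue.

```python
from urllib.parse import urlsplit, parse_qs

# libpq sslmode values that force an encrypted connection, weakest to strongest.
# "disable" is rejected outright by a server enforcing SSL; "allow" and "prefer"
# (the libpq default when sslmode is absent) may still end up in plaintext.
ENCRYPTING_SSLMODES = ("require", "verify-ca", "verify-full")

# Constructed sample URIs in the shape used in the config bundle above (not real credentials).
RAW_URI = "postgresql://quayadmin@myserver:s3cret@myserver.postgres.database.azure.com:5432/quay?sslmode=require"
FIXED_URI = "postgresql://quayadmin%40myserver:s3cret@myserver.postgres.database.azure.com:5432/quay?sslmode=verify-full"


def check_db_uri(uri):
    """Lint a Quay DB_URI meant for a TLS-enforcing PostgreSQL server.

    Returns a list of (code, message) findings; an empty list means nothing was flagged.
    """
    findings = []
    parts = urlsplit(uri)
    if parts.scheme not in ("postgresql", "postgres"):
        findings.append(("bad-scheme", "scheme %r is not postgresql" % parts.scheme))

    # libpq reads sslmode from the query string; when absent it behaves as "prefer".
    mode = parse_qs(parts.query).get("sslmode", ["prefer"])[0]
    if mode not in ENCRYPTING_SSLMODES:
        findings.append(("no-tls", "sslmode=%s does not guarantee an encrypted connection" % mode))
    elif mode == "require":
        findings.append(("no-cert-verify", "sslmode=require encrypts but does not verify the server identity; verify-full does"))

    # urlsplit splits userinfo from host at the LAST '@' and does not percent-decode,
    # so an unencoded '@' inside an Azure-style user@server name still shows up here,
    # while a properly encoded %40 passes.
    username = parts.username or ""
    if "@" in username:
        findings.append(("unencoded-at", "username %r contains a raw '@'; encode it as %%40" % username))

    if not parts.hostname:
        findings.append(("no-host", "URI has no host component"))
    return findings


if __name__ == "__main__":
    for uri in (RAW_URI, FIXED_URI):
        print(uri)
        for code, msg in check_db_uri(uri) or [("ok", "no findings")]:
            print("  [%s] %s" % (code, msg))
```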

            People

              jonathankingfc Jonathan King
              rhn-support-ibazulic Ivan Bazulic
              Dongbo Yan Dongbo Yan