Bug
Resolution: Done
Critical
Quay Enterprise
We have a client who is using the operator to install Quay 3.5.1 on an OpenShift cluster deployed on Azure and backed with Azure PostgreSQL RDS. The RDS is enforcing SSL on all connections. The client has set the database component to be unmanaged:
apiVersion: quay.redhat.com/v1
kind: QuayRegistry
metadata:
  name: lht-quay-registry
  namespace: lht-quay-registry
spec:
  configBundleSecret: lht-quay-registry-config-bundle
  components:
    - managed: false
      kind: clair
    - managed: false
      kind: postgres
    - managed: true
      kind: objectstorage
    - managed: true
      kind: redis
    - managed: true
      kind: horizontalpodautoscaler
    - managed: true
      kind: route
    - managed: false
      kind: mirror
    - managed: false
      kind: monitoring
and has added the following config bundle to the operator:
-> lht-quay-registry-config-bundle secret
config.yaml: |
  ALLOW_PULLS_WITHOUT_STRICT_LOGGING: false
  AUTHENTICATION_TYPE: Database
  DEFAULT_TAG_EXPIRATION: 8w
  ENTERPRISE_LOGO_URL: /static/img/RH_Logo_Quay_Black_UX-horizontal.svg
  FEATURE_BUILD_SUPPORT: false
  FEATURE_DIRECT_LOGIN: true
  FEATURE_ANONYMOUS_ACCESS: false
  FEATURE_MAILING: false
  REGISTRY_TITLE: LHT
  REGISTRY_TITLE_SHORT: LHT
  TAG_EXPIRATION_OPTIONS:
    - 2w
    - 4w
    - 8w
    - 16w
  TEAM_RESYNC_STALE_TIME: 60m
  TESTING: false
  DB_URI: "postgresql://<user>@<server>:<pw>@<server>.postgres.database.azure.com:5432/quay?sslmode=require"
The deployment went through fine and the bundle was correctly interpreted by the operator, but the init pod keeps crashing:
-> oc get pods
NAME READY STATUS RESTARTS AGE
lht-quay-registry-quay-app-upgrade-f68666497-hpgkt 0/1 CrashLoopBackOff 4 2m32s
lht-quay-registry-quay-config-editor-85654dc7d6-t6tp7 1/1 Running 0 2m41s
lht-quay-registry-quay-redis-64d7976bd4-xhnv4 1/1 Running 0 2m46s
quay-operator.v3.5.1-6d86c485c-tp6hz 1/1 Running 0 19m
-> oc logs lht-quay-registry-quay-app-upgrade-f68666497-hpgkt
[...]
| Database | Could not connect to database. Error: FATAL #28000 SSL connection is required. Please specify SSL options and retry. | |
[...]
The client also created a small Python script to actually check the connectivity with the database:
-> Created a script and filled in my DB connection data [2]
import psycopg2

# Update connection string information
host = "<server-name>"
dbname = "<database-name>"
user = "<admin-username>"
password = "<admin-password>"
sslmode = "require"

# Construct connection string
conn_string = "host={0} user={1} dbname={2} password={3} sslmode={4}".format(host, user, dbname, password, sslmode)
conn = psycopg2.connect(conn_string)
print("Connection established")
-> Execute the script inside the pod with "python db.py"
Connection established
The deployment also works if SSL is deliberately turned off, but not if SSL is enforced on the database. Please check, thanks!
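An added example, not part of the original report and not Quay's own code: it splits a DB_URI of the shape shown in the config bundle into the keyword/value parameters the psycopg2 test script uses, so the connectivity test can run with exactly the settings from config.yaml, and it classifies what the chosen sslmode asks of TLS on the client side. The sample URI, its credentials and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote

# libpq sslmode values, weakest to strongest.
SSLMODES = ["disable", "allow", "prefer", "require", "verify-ca", "verify-full"]


def params_from_db_uri(db_uri):
    """Split a DB_URI as used in Quay's config.yaml into libpq parameters."""
    parts = urlsplit(db_uri)
    if parts.scheme not in ("postgresql", "postgres"):
        raise ValueError("not a PostgreSQL URI")
    # urlsplit cuts the host at the LAST '@', so an Azure login of the form
    # user@server stays intact as the user name.
    params = {
        "host": parts.hostname or "",
        "port": str(parts.port or 5432),
        "user": unquote(parts.username or ""),
        "dbname": unquote(parts.path.lstrip("/")),
        "password": unquote(parts.password or ""),
    }
    params.update(parse_qsl(parts.query))  # sslmode, sslrootcert, ...
    return params


def keyword_dsn(params):
    """Render the parameters as a libpq keyword/value connection string."""
    def quote(value):
        return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    return " ".join("%s=%s" % (k, quote(v)) for k, v in params.items())


def audit_sslmode(params):
    """Classify what the client side asks of TLS."""
    mode = params.get("sslmode", "prefer")  # libpq default when unset
    if mode not in SSLMODES:
        return "invalid sslmode"
    if SSLMODES.index(mode) < SSLMODES.index("require"):
        return "plaintext possible"
    if mode == "verify-full":
        return "encrypted, host name verified"
    return "encrypted, host name not verified"


# Constructed sample value, shaped like the DB_URI in the report.
SAMPLE_DB_URI = ("postgresql://quayadmin@example-pg:p%40ss%3Aword@"
                 "example-pg.postgres.database.azure.com:5432/quay?sslmode=require")
if __name__ == "__main__":
    sample = params_from_db_uri(SAMPLE_DB_URI)
    print(keyword_dsn({**sample, "password": "***"}), "|", audit_sslmode(sample))
```

The string returned by `keyword_dsn` can be passed to `psycopg2.connect` in place of the hand-built `conn_string` in the test script.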
- is cloned by: PROJQUAY-2140 Validation fails on Quay startup when Azure PostgreSQL db is used with SSL (Closed)
- is related to: PROJQUAY-1270 Quay config editor validate mysql db with only support SSL was failed (Closed)
- relates to: PROJQUAY-2119 Quay config validation fails on PostgreSQL 11 backed by SSL (Closed)