  1. Project Quay
  2. PROJQUAY-2239

VERIFY: Quay doesn't support Crunchy Postgresql 13 with sslmode=verify-ca



    Description

      Description:

      As discussed on the last program call, we'd like QE to verify whether Quay can connect successfully to Postgresql 13 with sslmode=verify-ca when the config bundle is manually updated (and certificates are manually placed in the correct location). This will ensure that the issue is UX-related in the config tool; otherwise we'll assume a blocker for 3.6.0.

      Acceptance Criteria:

      • Manually configured Quay 3.6.0 is able to successfully connect to and use Postgres 13 with SSL enabled.

      --------------- Original description ---------------------

       

      This issue was found when using Crunchy Postgresql 13 with sslmode=verify-ca to deploy Quay. When customers want to use Crunchy Postgresql 13 as the Quay database, they need to upload sslcert, sslkey, and rootcert, but Quay 3.5.3 doesn't support this.

      Quay 3.5.3:

      oc get pod quayv353mysql-quay-config-editor-7789bb946c-66pmh -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/quay-rhel8@sha256:6bc0876415eee1daa28f04a325c3d31441b52b5b4b1a2c0aff2025627e34a551"
      
      oc get pod quay-operator.v3.5.3-6fb97d65b-k968b -o json | jq '.spec.containers[0].image'
      "registry.redhat.io/quay/quay-operator-rhel8@sha256:11a121eaa03a9a8c7a01c128e8fe91d684d5ec8ce6a0b14da1db9fc934e320a0"
      
      Quay 3.5.3 validate Crunchy Postgresql 13 with sslmode=verify-ca

       

       

      How to deploy Crunchy Postgresql 13:

      https://access.crunchydata.com/downloads/rpm-centos/postgresql13/ 

      How to connect to Crunchy Postgresql 13 with sslmode=verify-ca:

      ##clientcert=verify-ca
      
      [root@ip-10-0-1-103 data]# cat /var/lib/pgsql/13/data/pg_hba.conf | grep -i verify
      hostssl    all             all             0.0.0.0/0            scram-sha-256  clientcert=verify-ca
      
      [root@ip-10-0-1-103 data]# psql -h quayldap352.qe.devcluster.openshift.com -p 5432 "dbname=postgres user=postgres sslrootcert=./root.crt sslcert=./server.crt sslmode=verify-ca"
      psql: error: certificate present, but not private key file "/root/.postgresql/postgresql.key"
      
      [root@ip-10-0-1-103 data]# psql -h quayldap352.qe.devcluster.openshift.com -p 5432 "dbname=postgres user=postgres sslrootcert=./root.crt sslcert=./server.crt sslkey=./server.key sslmode=verify-ca"
      Password for user postgres: 
      psql (13.3)
      SSL connection (protocol: TLSv1.2, cipher: ECDHE-RSA-AES256-GCM-SHA384, bits: 256, compression: off)
      Type "help" for help
      postgres=# 
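
      A pre-flight check for the client-side files that the two psql attempts above depend on, as an added example that is not part of the original ticket or of Quay's code. The function names `parse_conninfo` and `preflight` are hypothetical, and the parser assumes a simple connection string with no quoted values.

```python
import stat
from pathlib import Path

def parse_conninfo(conninfo):
    """Parse a simple libpq keyword=value string (assumes no quoted values)."""
    return dict(item.split("=", 1) for item in conninfo.split())

def preflight(conninfo, home=None):
    """Return the problems that would stop a verify-ca login with a client cert."""
    params = parse_conninfo(conninfo)
    # libpq falls back to files under ~/.postgresql when a parameter is omitted.
    defaults = Path(home or Path.home()) / ".postgresql"
    problems = []

    mode = params.get("sslmode", "prefer")
    if mode not in ("verify-ca", "verify-full"):
        problems.append(f"sslmode={mode} does not verify the server certificate")

    root = Path(params.get("sslrootcert", defaults / "root.crt"))
    if not root.is_file():
        problems.append(f"root CA file not found: {root}")

    cert = Path(params.get("sslcert", defaults / "postgresql.crt"))
    key = Path(params.get("sslkey", defaults / "postgresql.key"))
    if not cert.is_file():
        problems.append(f"client certificate not found: {cert}")
    elif not key.is_file():
        # Same condition as the first psql attempt in the ticket.
        problems.append(f"certificate present, but private key not found: {key}")
    elif stat.S_IMODE(key.stat().st_mode) & 0o077:
        problems.append(f"private key {key} is group/world accessible; use 0600")
    return problems

if __name__ == "__main__":
    # Constructed sample: same parameters as the failing command, sslkey omitted.
    sample = ("dbname=postgres user=postgres sslrootcert=./root.crt "
              "sslcert=./server.crt sslmode=verify-ca")
    for problem in preflight(sample) or ["no problems found"]:
        print(problem)
```

      The check only confirms that the files exist and that the key is not group or world accessible; it does not validate the certificate chain or that the key matches the certificate.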
      

            People

              lzha1981 luffy zhang