Support for Postgres client-side certs via the Operator
Details
- Type: Epic
- Priority: Critical
- Resolution: Unresolved
- Status: To Do
Description
The Operator does not support deploying Quay with Postgres client-side certs. We need to adjust it so users can provide their own certs.
Attempts were made to validate this behavior both through the UI and through a custom config bundle. For extra details please see the history on https://issues.redhat.com/browse/PROJQUAY-2239
Generally this can be achieved with a database connection string like this (the query parameters follow a `?` after the database name):
DB_URI: postgresql://<username>@<hostname>:5432/<database>?sslcert=/conf/stack/database.crt&sslkey=/conf/stack/database.key
Acceptance criteria
- Quay can pick user-provided certificate files for authentication against Postgres databases
- Quay deploys fine with GCP CloudSQL (using client side certs)
- Users can deploy using client side certs through a custom config bundle
- Feature is documented
Engineering hints:
- providing custom private keys is possible via the Operator-managed config bundle, but the key files are injected into the Quay pod using projected volumes with a file permission mode of 0644
- the Quay Postgres connector library refuses to read private key files with mode 0644; it can only read them with mode 0600 if they are owned by the same user as Quay, or 0640 if they are owned by root
- because of OpenShift's randomized container UID in Quay pods, the projected files are always owned by root, but their group is set to Quay's group id, so files readable by Quay need to be at least 0640
- the config editor does not accept private key files when uploading into "extra CA certs", so manipulating the config bundle is currently the only way to get those files into the pod
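As an added example (not code from the issue or from the Quay project), the following Python snippet reproduces the private-key permission rule the engineering hints describe, so the 0644 projected-volume case can be checked directly inside a pod, and builds the DB_URI from the description with the `?` separator in place. The sample paths, the `sslmode=verify-full` setting and the optional `sslrootcert` parameter are assumptions, not values taken from the issue.

```python
import os
import stat
import tempfile
from typing import Optional
from urllib.parse import quote, urlencode

# Constructed sample paths (assumed, not taken from the issue).
SAMPLE_CERT = "/conf/stack/database.crt"
SAMPLE_KEY = "/conf/stack/database.key"


def key_mode_acceptable(mode: int, owner_uid: int, current_uid: int) -> bool:
    """Reproduce the private-key permission rule the Postgres client library applies.

    Owned by the running user: no group or other bits at all (0600 or less).
    Owned by root (while we are not root): group may read, nothing for others
    (0640 or less).  Owned by anyone else: rejected outright.
    """
    perm = stat.S_IMODE(mode)
    if owner_uid == current_uid:
        return perm & (stat.S_IRWXG | stat.S_IRWXO) == 0
    if owner_uid == 0:
        return perm & (stat.S_IWGRP | stat.S_IRWXO) == 0
    return False


def explain_key_file(path: str, current_uid: Optional[int] = None) -> str:
    """Stat a real key file and report whether the client library would accept it.

    The projected-volume case from the issue (root-owned, mode 0644) is
    REJECTED because the world-readable bit is set.
    """
    st = os.stat(path)
    uid = os.geteuid() if current_uid is None else current_uid
    perm = stat.S_IMODE(st.st_mode)
    verdict = "ok" if key_mode_acceptable(st.st_mode, st.st_uid, uid) else "REJECTED"
    return f"{path}: mode {perm:04o}, owner uid {st.st_uid}: {verdict}"


def build_db_uri(user: str, host: str, database: str, sslcert: str, sslkey: str,
                 port: int = 5432, sslmode: str = "verify-full",
                 sslrootcert: Optional[str] = None) -> str:
    """Build a libpq-style URI; cert and key parameters sit after the '?' separator.

    sslmode=verify-full and sslrootcert are assumptions added here so the server
    certificate is also validated, not only the client one.
    """
    params = {"sslmode": sslmode, "sslcert": sslcert, "sslkey": sslkey}
    if sslrootcert:
        params["sslrootcert"] = sslrootcert
    return (f"postgresql://{quote(user, safe='')}@{host}:{port}/"
            f"{quote(database, safe='')}?{urlencode(params, safe='/')}")


def demo() -> list:
    """Show a constructed key file at 0644, 0640 and 0600, owned by the current user."""
    results = []
    with tempfile.TemporaryDirectory() as d:
        key = os.path.join(d, "database.key")
        with open(key, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\n(constructed placeholder)\n"
                     "-----END PRIVATE KEY-----\n")
        for mode in (0o644, 0o640, 0o600):
            os.chmod(key, mode)
            results.append(explain_key_file(key))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
    print(build_db_uri("quay", "db.example.internal", "quay", SAMPLE_CERT, SAMPLE_KEY))
```

Run it inside the Quay pod against the projected key path to see the same verdict the connector library reaches; a file that shows REJECTED has to be re-created with a stricter mode (for example by copying it to a writable location with 0600) before the connection string above can work.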
Issue Links
- is depended on by: PROJQUAY-5016 PostgreSQL SSL validation fails on config tool (To Do)
- is duplicated by: PROJQUAY-4440 ssl certificate based authentication to postgres database instead of username/password in Quay (Closed)