Uploaded image for project: 'Project Quay'
  1. Project Quay
  2. PROJQUAY-5016

PostgreSQL SSL validation fails on config tool

    XMLWordPrintable

Details

    • False
    • None
    • False
    • Quay Enterprise
    • 0

    Description

      Client is using SSL verification on a PostgreSQL database. Config validation fails on Quay startup but Quay is working properly with IGNORE_VALIDATION set to true. This is what we see in the logs:

      time="2023-01-17T17:51:44Z" level=debug msg="Validating Database"
time="2023-01-17T17:51:44Z" level=debug msg="Scheme: postgresql"
time="2023-01-17T17:51:44Z" level=debug msg="Host: pgsql.xyz.com:5432"
time="2023-01-17T17:51:44Z" level=debug msg="Db: quay"
time="2023-01-17T17:51:44Z" level=debug msg="Params: "
time="2023-01-17T17:51:44Z" level=debug msg="Including params sslmode=verify-full&sslrootcert=%2Ftmp%2Fdatabase.2781592809.pem"
time="2023-01-17T17:51:44Z" level=debug msg="Pinging database at postgresql://quay:strongpw@pgsql.xyz.com:5432/quay?sslmode=verify-full&sslrootcert=%2Ftmp%2Fdatabase.2781592809.pem" nosecret
time="2023-01-17T17:51:44Z" level=debug msg="Database%!(EXTRA string=Could not connect to database. Error: cannot parse `postgresql://quay:xxxxx@pgsql.xyz.com:5432/quay?sslmode=verify-full&sslrootcert=%2Ftmp%2Fdatabase.2781592809.pem`: failed to configure TLS (unable to add CA to cert pool), []string=[DB_URI])"
time="2023-01-17T17:51:44Z" level=debug msg="Validating DistributedStorage"

      Instance health is okay:

      Startup timestamp: 
Tue Jan 17 17:51:43 UTC 2023
...
gunicorn-web stdout | 2023-01-17 17:52:41,494 [173] [DEBUG] [app] Starting request: urn:request:62c3adba-597b-4da9-9b79-757890123aa6 (/health/instance) {'X-Forwarded-For': '192.168.6.1'}
...
gunicorn-web stdout | 2023-01-17 17:52:41,670 [173] [DEBUG] [app] Ending request: urn:request:62c3adba-597b-4da9-9b79-757890123aa6 (/health/instance) {'endpoint': 'web.instance_health', 'request_id': 'urn:request:62c3adba-597b-4da9-9b79-757890123aa6', 'remote_addr': '192.168.6.1', 'http_method': 'GET', 'original_url': 'https://192.168.7.77/health/instance', 'path': '/health/instance', 'parameters': {}, 'json_body': None, 'confsha': '09613875', 'user-agent': 'kube-probe/1.23'}
gunicorn-web stdout | 2023-01-17 17:52:41,670 [173] [DEBUG] [data.database] Disconnecting from database.
nginx stdout | 192.168.6.1 (-) - - [17/Jan/2023:17:52:41 +0000] "GET /health/instance HTTP/2.0" 200 152 "-" "kube-probe/1.23" (0.178 48 0.178)

      Config parameters:

      DB_CONNECTION_ARGS: 
  autorollback: true
  sslmode: verify-full
  sslrootcert: /quay-registry/conf/stack/extra_ca_certs/ca-bundle.crt
  threadlocals: true
DB_URI: postgresql://quay:strongpw@pgsql.xyz.com:5432/quay  nosecret

      I cannot reproduce the issue on my own setup. Can you please check?

      Attachments

        Issue Links

          depends on

          Epic - Created by Jira Software - do not edit or delete. Issue type for a big user story that needs to be broken down. PROJQUAY-2417 Support for Postgres client-side certs via the Operator

          • Critical - To be worked on immediately following BLOCKER issues.
          • In Progress

          Activity

            People

              bcaton@redhat.com Brandon Caton
              rhn-support-ibazulic Ivan Bazulic
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated: