- Bug
- Resolution: Obsolete
- Critical
- None
- quay-v3.8.0
Client is using SSL verification on a PostgreSQL database. Config validation fails on Quay startup but Quay is working properly with IGNORE_VALIDATION set to true. This is what we see in the logs:
time="2023-01-17T17:51:44Z" level=debug msg="Validating Database"
time="2023-01-17T17:51:44Z" level=debug msg="Scheme: postgresql"
time="2023-01-17T17:51:44Z" level=debug msg="Host: pgsql.xyz.com:5432"
time="2023-01-17T17:51:44Z" level=debug msg="Db: quay"
time="2023-01-17T17:51:44Z" level=debug msg="Params: "
time="2023-01-17T17:51:44Z" level=debug msg="Including params sslmode=verify-full&sslrootcert=%2Ftmp%2Fdatabase.2781592809.pem"
time="2023-01-17T17:51:44Z" level=debug msg="Pinging database at postgresql://quay:strongpw@pgsql.xyz.com:5432/quay?sslmode=verify-full&sslrootcert=%2Ftmp%2Fdatabase.2781592809.pem" nosecret
time="2023-01-17T17:51:44Z" level=debug msg="Database%!(EXTRA string=Could not connect to database. Error: cannot parse `postgresql://quay:xxxxx@pgsql.xyz.com:5432/quay?sslmode=verify-full&sslrootcert=%2Ftmp%2Fdatabase.2781592809.pem`: failed to configure TLS (unable to add CA to cert pool), []string=[DB_URI])"
time="2023-01-17T17:51:44Z" level=debug msg="Validating DistributedStorage"
Instance health is okay:
Startup timestamp: Tue Jan 17 17:51:43 UTC 2023
...
gunicorn-web stdout | 2023-01-17 17:52:41,494 [173] [DEBUG] [app] Starting request: urn:request:62c3adba-597b-4da9-9b79-757890123aa6 (/health/instance) {'X-Forwarded-For': '192.168.6.1'}
...
gunicorn-web stdout | 2023-01-17 17:52:41,670 [173] [DEBUG] [app] Ending request: urn:request:62c3adba-597b-4da9-9b79-757890123aa6 (/health/instance) {'endpoint': 'web.instance_health', 'request_id': 'urn:request:62c3adba-597b-4da9-9b79-757890123aa6', 'remote_addr': '192.168.6.1', 'http_method': 'GET', 'original_url': 'https://192.168.7.77/health/instance', 'path': '/health/instance', 'parameters': {}, 'json_body': None, 'confsha': '09613875', 'user-agent': 'kube-probe/1.23'}
gunicorn-web stdout | 2023-01-17 17:52:41,670 [173] [DEBUG] [data.database] Disconnecting from database.
nginx stdout | 192.168.6.1 (-) - - [17/Jan/2023:17:52:41 +0000] "GET /health/instance HTTP/2.0" 200 152 "-" "kube-probe/1.23" (0.178 48 0.178)
Config parameters:
DB_CONNECTION_ARGS:
  autorollback: true
  sslmode: verify-full
  sslrootcert: /quay-registry/conf/stack/extra_ca_certs/ca-bundle.crt
  threadlocals: true
DB_URI: postgresql://quay:strongpw@pgsql.xyz.com:5432/quay nosecret
I cannot reproduce the issue on my own setup. Can you please check?
- depends on: PROJQUAY-2417 Support for Postgres client-side certs via the Operator (Closed)
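A way to test a CA bundle for the condition named in the log ("unable to add CA to cert pool"), as an added example that is not Quay's or the config validator's own code. It assumes the validator's TLS setup relies on Go's standard `x509.CertPool.AppendCertsFromPEM`, which returns false when the file holds no parsable PEM `CERTIFICATE` block. `CheckBundle` and `ConstructedCA` are hypothetical names, and the CA is a constructed throwaway.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckBundle walks every PEM block in data, counts parsable certificates,
// lists what was skipped, and reports whether a Go cert pool accepts the bundle.
func CheckBundle(data []byte) (certs int, skipped []string, poolOK bool) {
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			skipped = append(skipped, block.Type)
		} else if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			skipped = append(skipped, "unparsable CERTIFICATE")
		} else {
			certs++
		}
	}
	return certs, skipped, x509.NewCertPool().AppendCertsFromPEM(data)
}

// ConstructedCA builds a throwaway self-signed CA (sample input, not from the page).
func ConstructedCA() (der, pemBytes []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	der, good := ConstructedCA()
	inputs := map[string][]byte{"pem": good, "der": der, "empty": nil}
	for _, name := range []string{"pem", "der", "empty"} {
		n, skipped, ok := CheckBundle(inputs[name])
		fmt.Printf("%-5s certs=%d skipped=%v poolOK=%v\n", name, n, skipped, ok)
	}
}
```

To check a real bundle, pass the bytes of the file named in `sslrootcert` to `CheckBundle`; a DER-encoded, empty, or key-only file yields `poolOK=false`.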