Hi, I use an external postgres instance with SSL mode 'verify-ca'.
I mount the ssl cert like this:
```yaml
extraVolumes:
  - name: pmgmt-postgres-cluster-tls-cert-external
    secret:
      secretName: pmgmt-postgres-cluster-tls-cert-external
extraVolumeMounts:
  - name: pmgmt-postgres-cluster-tls-cert-external
    mountPath: /db-ssl
    readOnly: true
```
Now, this volume gets mounted by the seeder, as well as the main containers of both openproject-web and -worker. Though, the init-containers of both do not mount it, thus their attempts to fetch the ssl cert from /db-ssl/ca.crt fail. The logs:
```
/app/vendor/bundle/ruby/3.4.0/gems/pg-1.5.9/lib/pg/connection.rb:709:in 'PG::Connection#async_connect_or_reset': connection to server at "10.x.x.x", port 5432 failed: root certificate file "/db-ssl/ca.crt" does not exist (PG::ConnectionBad)
Either provide the file, use the system's trusted roots with sslrootcert=system, or change sslmode to disable server certificate verification.
```
This behaviour can be seen in the helm chart here. To fix it, one just needs to add the line `{{- include "openproject.extraVolumeMounts" . | indent 12 }}` to both init-containers in web and worker.
This issue might be relevant for #105
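A check for the gap reported above, as an added example that is not part of the original issue or the chart: it walks a Deployment in the JSON shape returned by `kubectl get deploy -o json` and lists every container or init container that does not mount the CA volume at `/db-ssl`. The sample manifest is constructed, and the container names `wait-for-db` and `openproject` are hypothetical.

```python
import json

# Constructed sample: a trimmed Deployment as `kubectl get deploy -o json` would
# return it. Container names are hypothetical, not taken from the chart.
SAMPLE = json.loads("""
{
  "kind": "Deployment",
  "metadata": {"name": "openproject-web"},
  "spec": {"template": {"spec": {
    "volumes": [{"name": "pmgmt-postgres-cluster-tls-cert-external",
                 "secret": {"secretName": "pmgmt-postgres-cluster-tls-cert-external"}}],
    "initContainers": [{"name": "wait-for-db", "volumeMounts": []}],
    "containers": [{"name": "openproject", "volumeMounts": [
        {"name": "pmgmt-postgres-cluster-tls-cert-external",
         "mountPath": "/db-ssl", "readOnly": true}]}]
  }}}
}
""")


def containers_missing_mount(workload, volume, mount_path):
    """Return (kind, name) for each container that lacks `volume` at `mount_path`."""
    pod = workload["spec"]["template"]["spec"]
    if volume not in {v["name"] for v in pod.get("volumes") or []}:
        raise ValueError(f"volume {volume!r} is not declared in the pod spec")
    wanted = mount_path.rstrip("/")
    missing = []
    # Init containers run before the main containers and have their own
    # volumeMounts list, so both lists must be checked separately.
    for kind in ("initContainers", "containers"):
        for container in pod.get(kind) or []:
            mounts = container.get("volumeMounts") or []
            mounted = any(
                m.get("name") == volume
                and m.get("mountPath", "").rstrip("/") == wanted
                for m in mounts
            )
            if not mounted:
                missing.append((kind, container["name"]))
    return missing


if __name__ == "__main__":
    for kind, name in containers_missing_mount(
            SAMPLE, "pmgmt-postgres-cluster-tls-cert-external", "/db-ssl"):
        print(f"{kind}/{name}: /db-ssl is not mounted, /db-ssl/ca.crt will be missing")
```

Run against the rendered web and worker Deployments, an empty result means every container that opens a `verify-ca` connection can read the root certificate.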