Kubernetes API with intermediate CA not supported

Description:

We are using multiple Kubernetes clusters signed by our own CA. Each cluster has an ICA (intermediate CA) certificate.
Since the root CA cert is not trusted in the postgres pod, it fails to start.
There is no option in the CRD to add the CA bundle as a volume, or to configure Patroni via env to use it.

Steps to Reproduce:

Default install in a Kubernetes cluster that has an ICA.

Version:

2.2.0

Logs:

2023-07-13 11:45:03,521 WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=0, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),)': /api/v1/namespaces/admin/pods?labelSelector=postgres-operator.crunchydata.com%2Fcluster%3Dawx%2Cpostgres-operator.crunchydata.com%2Fpatroni%3Dawx-ha

2023-07-13 11:45:03,522 WARNING: Retrying (Retry(total=0, connect=None, read=None, redirect=0, status=None)) after connection broken by 'SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),)': /api/v1/namespaces/admin/endpoints?labelSelector=postgres-operator.crunchydata.com%2Fcluster%3Dawx%2Cpostgres-operator.crunchydata.com%2Fpatroni%3Dawx-ha

2023-07-13 11:45:03,528 ERROR: Request to server https://172.23.8.1:443 failed: MaxRetryError("HTTPSConnectionPool(host='172.23.8.1', port=443): Max retries exceeded with url: /api/v1/namespaces/admin/pods?labelSelector=postgres-operator.crunchydata.com%2Fcluster%3Dawx%2Cpostgres-operator.crunchydata.com%2Fpatroni%3Dawx-ha (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))",)

2023-07-13 11:45:03,529 ERROR: Request to server https://172.23.8.1:443 failed: MaxRetryError("HTTPSConnectionPool(host='172.23.8.1', port=443): Max retries exceeded with url: /api/v1/namespaces/admin/endpoints?labelSelector=postgres-operator.crunchydata.com%2Fcluster%3Dawx%2Cpostgres-operator.crunchydata.com%2Fpatroni%3Dawx-ha (Caused by SSLError(SSLError(1, '[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:897)'),))",)

2023-07-13 11:45:04,529 ERROR: ObjectCache.run K8sConnectionFailed('No more API server nodes in the cluster',)

Expected Result:

Postgres cluster starts normally.

Actual Result:

Pods in crashloop.

Additional Information:

For a quick fix the postgres image can be modified, but I can't find the Dockerfile for it. Can somebody tell me where I can find it?

Finally, I created a new image using the base image, because in the CRD the image can be changed.
My Dockerfile looks like this:

```dockerfile
FROM percona/percona-postgresql-operator:2.2.0-ppg15-postgres
# Point Patroni's Kubernetes client at the CA bundle it should verify the API server with
ENV PATRONI_KUBERNETES_CACERT=/ca.crt
# Switch to root only for the steps that write to the system trust store
USER 0
COPY ca.crt /ca.crt
# Register the CA in the system trust store as well, for other TLS clients in the image
RUN trust anchor --store /ca.crt && update-ca-trust
# Drop back to the unprivileged user the base image runs as
USER 1001
```

But... it would be great if we didn't need to recreate the image. If we could add volumes/volumeMounts and env variables to the CRD, this problem could be solved easily while we retain the original image for easier upgrades in the future.
Can somebody on the Percona staff help with this?