The following procedure demonstrates how to connect {productname} with an SQL database using secure client-side certificates. This method ensures both connectivity and authentication through Certificate Trust Verification, as it verifies the SQL server’s certificate against a trusted Certificate Authority (CA). This enhances the security of the connection between {productname} and your SQL server while simplifying automation for your deployment. Although the example uses Google Cloud Platform’s CloudSQL, the procedure also applies to PostgreSQL and other supported databases.
-
You have generated custom Certificate Authorities (CAs) and your SSL/TLS certificates and keys are available in
PEMformat that will be used to generate an SSL connection with your CloudSQL database. For more information, see SSL and TLS for {productname}. -
You have
base64 decodedthe original config bundle into aconfig.yamlfile. For more information, see Downloading the existing configuration. -
You are using an externally managed PostgreSQL or CloudSQL database. For more information, see Using and existing PostgreSQL database with the
DB_URIvariable set. -
Your externally managed PostgreSQL or CloudSQL database is configured for SSL/TLS.
-
The
postgrescomponent of yourQuayRegistryCRD is set tomanaged: false, and your CloudSQL database is set with theDB_URIconfiguration variable. The following procedure usespostgresql://<cloudsql_username>:<dbpassword>@<database_host>:<port>/<database_name>.
-
After you have generated the CAs and SSL/TLS certificates and keys for your CloudSQL database and ensured that they are in
.pemformat, test the SSL connection to your CloudSQL server:-
Initiate a connection to your CloudSQL server by entering the following command:
$ psql "sslmode=verify-ca sslrootcert=<ssl_server_certificate_authority>.pem sslcert=<ssl_client_certificate>.pem sslkey=<ssl_client_key>.pem hostaddr=<database_host> port=<5432> user=<cloudsql_username> dbname=<cloudsql_database_name>"
-
-
In your {productname} directory, create a new YAML file, for example,
quay-config-bundle.yaml, by running the following command:$ touch quay-config-bundle.yaml -
Create a
postgresql-client-certsresource by entering the following command:$ oc -n <quay_namespace> create secret generic postgresql-client-certs \ --from-file config.yaml=<path/to/config.yaml> (1) --from-file=tls.crt=<path/to/ssl_client_certificate.pem> (2) --from-file=tls.key=<path/to/ssl_client_key.pem> (3) --from-file=ca.crt=<path/to/ssl_server_certificate.pem> (4)-
Where` <config.yaml>` is your
base64 decodedconfig.yamlfile. -
Where
ssl_client_certificate.pemis your SSL certificate in.pemformat. -
Where
ssl_client_key.pemis your SSL key in.pemformat. -
Where
ssl_server_certificate.pemis your SSL root CA in.pemformat.
-
-
Edit your
`quay-config-bundle.yamlfile to include the following database connection settings:Important-
The information included in the
DB_CONNECTION_ARGSvariable, for example,sslmode,sslrootcert,sslcert, andsslkeymust match the information appended to theDB_URIvariable. Failure to match might result in a failed connection. -
You cannot specify custom filenames or paths. Certificate file paths for
sslrootcert,sslcert, andsslkeyare hardcoded defaults and mounted into theQuaypod from the Kubernetes secret. You must adhere to the following naming conventions or it will result in a failed connection.
DB_CONNECTION_ARGS: autorollback: true sslmode: verify-ca (1) sslrootcert: /.postgresql/root.crt (2) sslcert: /.postgresql/postgresql.crt (3) sslkey: /.postgresql/postgresql.key (4) threadlocals: true (5) DB_URI: postgresql://<dbusername>:<dbpassword>@<database_host>:<port>/<database_name>?sslmode=verify-full&sslrootcert=/.postgresql/root.crt&sslcert=/.postgresql/postgresql.crt&sslkey=/.postgresql/postgresql.key (6)
-
Using
verify-caensures that the database connection uses SSL/TLS and verifies the server certificate against a trusted CA. This can work with both trusted CA and self-signed CA certificates. However, this mode does not verify the hostname of the server. For full hostname and certificate verification, useverify-full. For more information about the configuration options available, see PostgreSQL SSL/TLS connection arguments. -
The
root.crtfile contains the root certificate used to verify the SSL/TLS connection with your CloudSQL database. This file is mounted in theQuaypod from the Kubernetes secret. -
The
postgresql.crtfile contains the client certificate used to authenticate the connection to your CloudSQL database. This file is mounted in theQuaypod from the Kubernetes secret. -
The
postgresql.keyfile contains the private key associated with the client certificate. This file is mounted in theQuaypod from the Kubernetes secret. -
Enables auto-rollback for connections.
-
The URI that accesses your CloudSQL database. Must be appended with the
sslmodetype, yourroot.crt,postgresql.crt, andpostgresql.keyfiles. The SSL/TLS information included inDB_URImust match the information provided inDB_CONNECTION_ARGS. If you are using CloudSQL, you must include your database username and password in this variable.
-
-
Create the
configBundleSecretresource by entering the following command:$ oc create -n <namespace> -f quay-config-bundle.yamlExample outputsecret/quay-config-bundle created -
Update the
QuayRegistryYAML file to reference thequay-config-bundleobject by entering the following command:$ oc patch quayregistry <registry_name> -n <namespace> --type=merge -p '{"spec":{"configBundleSecret":"quay-config-bundle"}}'Example outputquayregistry.quay.redhat.com/example-registry patched -
Ensure that your
QuayRegistryYAML file has been updated to use the extra CA certificateconfigBundleSecretresource by entering the following command:$ oc get quayregistry <registry_name> -n <namespace> -o yamlExample output# ... configBundleSecret: quay-config-bundle # ...