Connect to Azure Database for PostgreSQL flexible servers with require_secure_transport ON
The question partly relates to https://github.com/zitadel/zitadel/issues/6106
The official Azure docs for connecting via SSL are here: https://learn.microsoft.com/en-us/azure/postgresql/flexible-server/how-to-connect-tls-ssl#applications-that-require-certificate-verification-for-tlsssl-connectivity
We deploy (or want to ๐คฃ ) Zitadel using the official helm chart https://github.com/zitadel/zitadel-charts/tree/main via helmfile
The source error that deviates from https://zitadel.com/docs/self-hosting/manage/database and zitadel#6106 is:
host=[REDACTED].postgres.database.azure.com user=[REDACTED] database=postgres: server error (FATAL: no pg_hba.conf entry for host \"[REDACTED]\", user \"[REDACTED]\", database \"postgres\", no encryption (SQLSTATE 28000)))
Obviously due to the fact that I try to connect with SSL disable. Now, I can not really stitch 1+1 together how I would configure that with the values possible: https://github.com/zitadel/zitadel-charts/blob/main/charts/zitadel/values.yaml.
Disabling SSL is not an option atm, see: https://github.com/zitadel/zitadel/issues/3598#issuecomment-1610968551
Does anyone have a working example of using SSL? What mode would I pick? https://www.postgresql.org/docs/current/libpq-ssl.html (I believe verify-full is wrong as the cert seems to be somewhat generic...)
This is my current config fully rendered into the ConfigMap (thread).
I see the values dbSslRootCrt, dbSslRootCrtSecret (secret of the first one) and dbSslClientCrtSecret, but I can not stitch these two together. Any pointer helps โค๏ธ
Its to note that we don't need TLS, our Gateways do that for us.
PS: Yes I will (try to) move it into the secretConfig once it works.7 Replies
It is strange that you have cockroach and postgres in you config, that should not happen ๐
Can you share your values file?
@Elio what is you take on this?
The SSL settings I think should be mode: verify-full and you need to pass along the RootCert you want to use to make the verification. Like in the M$ example you provided.
Yeah I found it fishy but I thought thats how it should be. The docs say
postgres wins so I thought, alright fine.
The top two nulls I tried to at least make the init-container work but then hit the blocks with the SSL ๐คค
That is my full values of the chart.
The SSL settings I think should be mode: verify-full and you need to pass along the RootCert you want to use to make the verification. Like in the M$ example you provided.Do I pass the cert from Microsoft also to the top-level db* params somewhere?
Alright, made it work ๐
You guys help me out even though PSQL is an enterprise feature. So, I'd like to pay back something and improve your docs. I think I also found one or two bugs (depends if you sum them up).
Here is a redacted version that works with SSL against Azure Flexible Postgres.
Some points:
1. You need to trick the chart into not rendering the CRDB secrets by nulling values.
2. How to use
RootCert is very foggy, one has to drill down deep holes to fill the correct "thing" to put there ๐
3. The CRDB configMap always renders but I somehow feel that is also an issue in zitadel-charts not zitadel itself.
Let me know if you'd like to pick up something into your backlogs yourself or else I try to at least extend the docs a bit ๐ I see the challenge that the docs must basically merge zitadel and zitadel-charts ๐Oh wow thanks for sharing ๐คฉ
@Elio do you have an idea whats wrong with our helm-chart?
I think we should discuss config variants in this issue https://github.com/zitadel/zitadel-charts/issues/91 and give it a high priority
GitHub
Add and test examples for common values ยท Issue #91 ยท zitadel/zitad...
As a user, I want to have an example for my use case, so that I can create a fast proof of concept. Acceptance Criteria An example for ZITADEL with an insecure Cockroach DB is available and automat...
My pleasure, please let me know where I can contribute docs from our experience. I would write the section about Azure Flex PSQL if there is one ๐