Leon (Synth)•2w ago

Using CloudNativePG/ssl database for the convex backend

After a lot of banging my head, and some unexplainable errors, I've got it to work 🥳
Leon (Synth)OP•2w ago
I'll put details here. Now, what I am going to show is Pulumi config, but it is pretty much 1-1 with normal Kubernetes YAML.
Leon (Synth)OP•2w ago
So, I've got just your standard CloudNativePG cluster, no special certificates or anything; we can just use the CA secret that the cnpg operator creates:
Leon (Synth)OP•2w ago
This of course can be any database with SSL, as long as you can extract or have control over the ca.crt file.
Leon (Synth)OP•2w ago
I then use the clustersecret (https://clustersecret.com/) operator to copy the generated CA secret into other namespaces on the cluster.
Leon (Synth)OP•2w ago
Then on the Convex deployment, I define a new volume that is populated from that public secret:
volumes: [
  {
    name: "postgres-ca",
    secret: {
      secretName: "postgres-cluster-public-ca"
    }
  }
]
and then mount the volume to the backend container and set the PG_CA_FILE to point at the ca.crt in the volume:
env: {
  ...
  DO_NOT_REQUIRE_SSL: "",
  PG_CA_FILE: "/var/postgres-cluster/ca.crt"
  ...
},
volumeMounts: [
  {
    name: "postgres-ca",
    mountPath: "/var/postgres-cluster",
    readOnly: true
  }
]
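The same three pieces (the Secret-backed volume, the read-only mount, and the PG_CA_FILE / DO_NOT_REQUIRE_SSL environment variables) as one complete Kubernetes Deployment manifest. This is an added example, not Leon's Pulumi config and not anything shipped by Convex or CloudNativePG; the namespace, image, labels and the secret key name are assumptions (CloudNativePG stores its generated CA in a `<cluster>-ca` Secret under the key `ca.crt`, alongside the private key `ca.key`). The `items` filter is the one thing worth adding over the fragments above: if the ClusterSecret copy carries the whole source Secret, a `secret` volume without `items` would also project `ca.key` into the backend container, and the CA private key is exactly what should never leave the database namespace.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: convex-backend
  namespace: convex                 # assumed: whatever namespace the backend runs in
spec:
  replicas: 1
  selector:
    matchLabels:
      app: convex-backend
  template:
    metadata:
      labels:
        app: convex-backend
    spec:
      containers:
        - name: backend
          image: CONVEX_BACKEND_IMAGE:TAG   # placeholder: the self-hosted Convex backend image
          env:
            # Database URL and the other backend settings are omitted here;
            # only the TLS-related variables from the thread are shown.
            - name: DO_NOT_REQUIRE_SSL
              value: ""                   # empty string = keep TLS required (the default)
            - name: PG_CA_FILE
              value: /var/postgres-cluster/ca.crt   # must match the mountPath + items.path below
          volumeMounts:
            - name: postgres-ca
              mountPath: /var/postgres-cluster
              readOnly: true
      volumes:
        - name: postgres-ca
          secret:
            # Name of the Secret that the clustersecret operator copies into this namespace
            secretName: postgres-cluster-public-ca
            # Project only the public certificate. Without this list every key in the
            # Secret (including ca.key, if it was copied along) becomes a file in the pod.
            items:
              - key: ca.crt
                path: ca.crt
            defaultMode: 0444
```

A quick way to confirm the mount is what the backend expects, once the pod is running, is `kubectl exec` into it and list `/var/postgres-cluster`: it should contain `ca.crt` and nothing else. If `ca.key` shows up there, the copied Secret carries the private key and the `items` filter (or, better, a ClusterSecret that only copies `ca.crt`) is doing real work.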
Marc•2w ago
And then it just works? Seems I misconfigured the PG_CA_FILE variable or didn't pass the correct CA cert. Thanks a lot for the info.
Leon (Synth)OP•2w ago
It just works, np. Hope you get it working on your end!
Marc•2w ago
And for the DO_NOT_REQUIRE_SSL variable, do you leave it empty (or false) as in the code block, or do you set it to true?
Leon (Synth)OP•2w ago
I just leave it as an empty string, i.e. "use SSL".
Marc•2w ago
Alright, thank you so much! I'll report back when I decide to tackle the issue again.