gitlab-geo-logcursor pod won't start due to missing CA certificate when tracking database configured to use SSL
Summary
A Premium customer (ZD internal link) is trying to configure Geo via the Helm chart and has run into a problem with the gitlab-geo-logcursor pod not starting and reporting the following error in the pod log:
Error checking geo: connection to server at "1.2.3.4", port 5432 failed: root certificate file "/etc/gitlab/postgres/ssl/geo-server-ca.pem" does not exist
This appears to be due to the geo-logcursor deployment.yaml file only including the gitlab.psql.ssl.volumeMount volumeMount and not gitlab.geo.psql.ssl.volumeMount. The other deployments include both, e.g.:
geo-logcursor/templates/deployment.yaml:
    volumeMounts:
      {{- include "gitlab.extraVolumeMounts" . | nindent 10 }}
      {{- include "gitlab.psql.ssl.volumeMount" . | nindent 10 }}
webservice/templates/deployment.yaml:
    volumeMounts:
      {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }}
      {{- include "gitlab.psql.ssl.volumeMount" $ | nindent 10 }}
      {{- include "gitlab.geo.psql.ssl.volumeMount" $ | nindent 10 }}
Steps to reproduce
Configure Geo as per the documentation, also enabling SSL for the tracking database.
Configuration used
They have configured the Geo tracking database to use SSL as follows, with required secrets created:
geo:
  enabled: true
  nodeName: <NODE>
  psql:
    database: gitlabhq_geo_tracking
    host: 1.2.3.4
    password:
      key: password
      secret: <SECRET>
    port: <PORT>
    ssl:
      clientCertificate: <CERT>
      clientKey: <KEY>
      secret: <SECRET>
      serverCA: <CA>
    username: gitlab
  role: secondary
Current behavior
gitlab-geo-logcursor pod fails to start, goes into Init:CrashLoopBackOff state
Expected behavior
gitlab-geo-logcursor pod starts up with SSL connections to the tracking database.
Versions
- Chart:
- Platform:
  - Cloud: (GKE | AKS | EKS | ?)
  - Self-hosted: (OpenShift | Minikube | Rancher RKE | ?)
- Kubernetes: (kubectl version)
  - Client:
  - Server:
- Helm: (helm version)
  - Client:
  - Server:
Relevant logs
See above.
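
A check for the gap described in this issue, as an added example (not part of the original report and not the chart's own code): it flags deployment templates that include gitlab.psql.ssl.volumeMount without gitlab.geo.psql.ssl.volumeMount. The function names and the sample dictionary are assumptions made for illustration; a flagged template only needs the Geo mount if that component connects to the tracking database.

```python
import re
from pathlib import Path

# Helper names exactly as they appear in the issue's template excerpts.
MAIN_MOUNT = "gitlab.psql.ssl.volumeMount"
GEO_MOUNT = "gitlab.geo.psql.ssl.volumeMount"

COMMENT = re.compile(r"\{\{-?\s*/\*.*?\*/\s*-?\}\}", re.S)  # {{/* ... */}}
INCLUDE = re.compile(r'\binclude\s+"([^"]+)"')

def included_helpers(template_text):
    """Return the helper names a template includes, ignoring template comments."""
    return set(INCLUDE.findall(COMMENT.sub("", template_text)))

def missing_geo_mount(templates):
    """Given {path: text}, list templates that mount the main database's SSL
    files but not the Geo tracking database's."""
    flagged = []
    for path, text in sorted(templates.items()):
        helpers = included_helpers(text)
        if MAIN_MOUNT in helpers and GEO_MOUNT not in helpers:
            flagged.append(path)
    return flagged

def load_deployments(chart_root):
    """Read every deployment.yaml under a chart checkout (hypothetical path)."""
    root = Path(chart_root)
    return {str(p.relative_to(root)): p.read_text()
            for p in root.rglob("deployment.yaml")}

# Constructed sample input: the two excerpts quoted in the issue.
SAMPLE = {
    "geo-logcursor/templates/deployment.yaml": """
          volumeMounts:
            {{- include "gitlab.extraVolumeMounts" . | nindent 10 }}
            {{- include "gitlab.psql.ssl.volumeMount" . | nindent 10 }}
""",
    "webservice/templates/deployment.yaml": """
          volumeMounts:
            {{- include "gitlab.extraVolumeMounts" $ | nindent 10 }}
            {{- include "gitlab.psql.ssl.volumeMount" $ | nindent 10 }}
            {{- include "gitlab.geo.psql.ssl.volumeMount" $ | nindent 10 }}
""",
}

if __name__ == "__main__":
    for path in missing_geo_mount(SAMPLE):
        print(f"{path}: includes {MAIN_MOUNT} but not {GEO_MOUNT}")
```

To scan a real checkout, pass the result of load_deployments() for the chart directory to missing_geo_mount().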