external postgresql database.yml and root ca bundle

When running GitLab via the Omnibus package, I have an external RDS database configured with the following steps.

  1. Downloaded the CA bundle (curl -O https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem) and placed it in /etc/rds/global-bundle.pem
  2. Configured gitlab.rb as follows:
gitlab_rails['db_adapter'] = "postgresql"
gitlab_rails['db_encoding'] = "unicode"
gitlab_rails['db_database'] = "gitlabhq_production"
gitlab_rails['db_username'] = "gitlab"
gitlab_rails['db_password'] = "REDACTED"
gitlab_rails['db_host'] = "gitlab-REDACTED.us-east-1.rds.amazonaws.com"
gitlab_rails['db_sslmode'] = "verify-full"
gitlab_rails['db_sslrootcert'] = '/etc/rds/global-bundle.pem'
  3. This results in database.yml being configured as follows:
production:
  main:
    adapter: postgresql
    encoding: unicode
    collation:
    database: gitlabhq_production
    username: "gitlab"
    password: "REDACTED"
    host: "gitlab-REDACTED.us-east-1.rds.amazonaws.com"
    port: 5432
    socket:
    sslmode: "verify-full"
    sslcompression: 0
    sslrootcert: "/etc/rds/global-bundle.pem"
    sslca: "/etc/rds/global-bundle.pem"
    load_balancing: {"hosts":[]}
    prepared_statements: false
    database_tasks: true
    statement_limit: 1000
    connect_timeout:
    keepalives:
    keepalives_idle:
    keepalives_interval:
    keepalives_count:
    tcp_user_timeout:
    application_name:
    variables:
      statement_timeout:

For the Helm chart migration I've tried the following:

global:
  psql:
    host: gitlab-REDACTED.us-east-1.rds.amazonaws.com
    ssl:
      secret: import-gitlab-postgres-secret
      serverCA: ca # <-- This is the key where the global-bundle BASE64 resides
      clientCertificate: cert # <-- I don't need this but chart requires it
      clientKey: key # <-- I don't need this but chart requires it
    port: 5432
    database: gitlabhq_production
    username: gitlab
    password:
      secret: import-gitlab-postgres-secret
      key: password
gitlab:
  psql:
    ssl:
      config: |
        sslmode: verify-full
        sslrootcert: '/etc/gitlab/postgres/ssl/server-ca.pem'

This config doesn't override the rendered config, and we still get the following:

production:
  main:
    adapter: postgresql
    encoding: unicode
    database: gitlabhq_production
    username: gitlab
    password: "REDACTED"
    host: "gitlab-REDACTED.us-east-1.rds.amazonaws.com"
    port: 5432
    connect_timeout:
    keepalives:
    keepalives_idle:
    keepalives_interval:
    keepalives_count:
    tcp_user_timeout:
    application_name:
    prepared_statements: false
    database_tasks: true
    sslmode: verify-ca # <-- wrong, should be verify-full
    sslrootcert: '/etc/gitlab/postgres/ssl/server-ca.pem'
    sslcert: '/etc/gitlab/postgres/ssl/client-certificate.pem' # <-- should be removed
    sslkey: '/etc/gitlab/postgres/ssl/client-key.pem' # <-- should be removed

It should also create the following to mimic the Omnibus installer:

    sslca: '/etc/gitlab/postgres/ssl/server-ca.pem'

Testing the connection shows:

/srv/gitlab/bin/rails dbconsole -p
/srv/gitlab/vendor/bundle/ruby/3.1.0/gems/activerecord-7.0.8/lib/active_record/connection_adapters/postgresql_adapter.rb:87:in `rescue in new_client': connection to server at "REDACTED", port 5432 failed: SSL error: tlsv1 alert unknown ca (ActiveRecord::ConnectionNotEstablished)
...
/srv/gitlab/vendor/bundle/ruby/3.1.0/gems/pg-1.5.4/lib/pg/connection.rb:696:in `async_connect_or_reset': connection to server at "REDACTED", port 5432 failed: SSL error: tlsv1 alert unknown ca (PG::ConnectionBad)
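The difference between the two rendered files above is a TLS posture difference, not just a cosmetic one: with sslmode verify-ca libpq validates the server's chain against sslrootcert but does not check that the hostname matches the certificate, and since the RDS global bundle issues certificates for every RDS instance, only verify-full ties the connection to the intended host. The following is an added example (not GitLab's or the chart's own code) that parses the flat key/value layout of a rendered database.yml main block and reports the three problems called out above: sslmode other than verify-full, an unreadable or non-PEM sslrootcert, and sslcert/sslkey present when no client certificate authentication is intended. The two database.yml snippets and the PEM placeholder it reads are constructed inline; the file paths are assumptions.

```python
"""Lint the TLS settings of a rendered GitLab database.yml `main:` block.

Added example, not GitLab's own code. The rendered file is flat enough
that a line-by-line `key: value` scan is sufficient; no YAML library is
used so the script runs anywhere Python does.
"""
import os
import re
import tempfile

# `key: value   # optional trailing comment`; the lazy group keeps the value
# free of the comment and of trailing whitespace.
LINE_RE = re.compile(r"^\s*([A-Za-z_]+):\s*(.*?)\s*(?:#.*)?$")


def parse_main_block(text):
    """Return the non-empty `key: value` pairs of a rendered database.yml."""
    params = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("'\"")
        if value:  # skip `production:` / `main:` and unset keys like `socket:`
            params[key] = value
    return params


def check_tls_posture(params, expect_client_cert=False):
    """Return a list of findings; an empty list means the posture matches intent."""
    findings = []
    mode = params.get("sslmode", "prefer")  # libpq's default when unset
    if mode != "verify-full":
        findings.append(f"sslmode is {mode!r}; verify-full is required for hostname verification")
    root = params.get("sslrootcert")
    if not root:
        findings.append("sslrootcert is not set; the server chain cannot be validated")
    elif not os.path.isfile(root):
        findings.append(f"sslrootcert {root!r} does not exist or is not a file")
    else:
        with open(root, encoding="utf-8") as fh:
            if "-----BEGIN CERTIFICATE-----" not in fh.read():
                findings.append(f"sslrootcert {root!r} contains no PEM certificate")
    if not expect_client_cert:
        for key in ("sslcert", "sslkey"):
            if key in params:
                findings.append(f"{key} is set but no client certificate auth is intended")
    if "sslca" in params and params["sslca"] != root:
        findings.append("sslca and sslrootcert point at different files")
    return findings


# Constructed snippets mirroring the two rendered files in the issue; {CA}
# is replaced with a temporary bundle path at run time.
CHART_RENDERED = """production:
  main:
    adapter: postgresql
    host: "gitlab-REDACTED.us-east-1.rds.amazonaws.com"
    port: 5432
    sslmode: verify-ca # <-- chart default
    sslrootcert: '{CA}'
    sslcert: '/etc/gitlab/postgres/ssl/client-certificate.pem'
    sslkey: '/etc/gitlab/postgres/ssl/client-key.pem'
"""

OMNIBUS_RENDERED = """production:
  main:
    adapter: postgresql
    host: "gitlab-REDACTED.us-east-1.rds.amazonaws.com"
    port: 5432
    socket:
    sslmode: "verify-full"
    sslcompression: 0
    sslrootcert: "{CA}"
    sslca: "{CA}"
"""


def run_demo():
    """Lint both snippets against a constructed placeholder CA bundle."""
    ca_path = os.path.join(tempfile.mkdtemp(), "rds-bundle.pem")
    with open(ca_path, "w", encoding="utf-8") as fh:
        # Placeholder PEM body, constructed for the example; not a real CA.
        fh.write("-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n")
    chart = check_tls_posture(parse_main_block(CHART_RENDERED.replace("{CA}", ca_path)))
    omnibus = check_tls_posture(parse_main_block(OMNIBUS_RENDERED.replace("{CA}", ca_path)))
    return chart, omnibus


if __name__ == "__main__":
    chart_findings, omnibus_findings = run_demo()
    print("chart-rendered:", chart_findings or "OK")
    print("omnibus-rendered:", omnibus_findings or "OK")
```

Run it against a real rendered file by passing the file's contents to parse_main_block and then to check_tls_posture; set expect_client_cert=True only when the database is actually configured for client certificate authentication.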