
I am stuck trying to connect to a Google-managed Postgres instance from my Kubernetes pod.

My pod and secret YAML look like this:

apiVersion: v1
kind: Secret
metadata:
  # Secret names must be valid DNS subdomain names: lowercase letters, digits, '-' and '.'
  name: db-secret
stringData:
  CLIENT_KEY: -----BEGIN RSA PRIVATE KEY-----3eFQ==-----END RSA PRIVATE KEY-----
  CLIENT_CERT: -----BEGIN CERTIFICATE-----iiEooYXOze-----END CERTIFICATE-----
  SERVER_CA: -----BEGIN CERTIFICATE-----M9+99XZx4=-----END CERTIFICATE-----

# Relevant parts of the pod spec: the mount inside the container ...
volumeMounts:
  - mountPath: /certs
    name: db-ssl-certs
    readOnly: true
# ... and the volume (under spec.volumes) that projects the secret keys as files
volumes:
  - name: db-ssl-certs
    secret:
      secretName: db-secret
      items:
        - key: CLIENT_KEY
          path: client-key.key
        - key: CLIENT_CERT
          path: client-cert.crt
        - key: SERVER_CA
          path: server-ca.crt

import psycopg2

# The certificate paths are relative, so they resolve against the working directory of the
# process; the files themselves are mounted under /certs.
conn = psycopg2.connect(dbname='postgres', user='postgres', host='X.X.X.X', port='5432',
                        sslmode='verify-ca', sslrootcert='server-ca.crt',
                        sslcert='client-cert.crt', sslkey='client-key.key')

When I try to connect with the instance like above, I get an error

Traceback (most recent call last):
  File "<console>", line 1, in <module>
  File "/usr/local/lib/python3.9/site-packages/psycopg2/__init__.py", line 122, in connect
    conn = _connect(dsn, connection_factory=connection_factory, **kwasync)
psycopg2.OperationalError: could not read root certificate file "server-ca.crt": no certificate or crl found

Any help will be appreciated.

Sam
  • The internal newlines in the encoded string are not optional to PostgreSQL. I'm not familiar with this "secrets" infrastructure; when you cat the resulting file, is it all on one line? – jjanes Mar 27 '22 at 20:07
  • @jjanes Yes. The output is a single line. – Sam Mar 27 '22 at 21:32
  • @jjanes Adding the newlines fixed it. You can make your comment an answer and let me accept it. Thanks – Sam Mar 27 '22 at 22:22
  • @Sam Is your issue resolved? If yes, can you post the procedure you've followed as a solution. – Ramesh kollisetty Mar 28 '22 at 07:18
  • @Rameshkollisetty What I did was to make sure I copied the certificate files as-is to the secret file with the newlines kept. I used the |- literal style to ensure the newlines are kept consistent. – Sam Mar 28 '22 at 08:36
  • @Sam please post your solution as an answer and accept it so that it would be helpful for other community members for reference. – Ramesh kollisetty Apr 04 '22 at 10:56
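
As an added example (not code from the question, nor from the psycopg2 or Cloud SQL projects), the following Python checks PEM text the way libpq's OpenSSL reader will see it, flags a PEM that has been flattened onto one line like the values in the question's stringData, re-wraps it onto proper lines, and renders a Secret whose values are YAML literal blocks (`|`) so the newlines survive. The certificate body is constructed placeholder base64, not a real certificate, and the secret name db-secret and the function names are this example's own choices.

```python
"""Check and repair PEM material before it goes into a Kubernetes Secret.

Added example, not code from the original question. OpenSSL's PEM reader (which
libpq uses for sslrootcert/sslcert/sslkey) works line by line: the BEGIN line,
the base64 body and the END line must each sit on their own line. A PEM that
has been flattened onto one line, as in the question's stringData, yields
"no certificate or crl found" even though the bytes are all there.
"""
import base64
import binascii
import re

# One PEM block. The lazy body stops at the first END line carrying the same
# label, so a bundle with several certificates yields several matches.
PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)


def check_pem(text: str) -> list:
    """Return the problems found in PEM text; an empty list means OpenSSL can read it."""
    problems = []
    blocks = list(PEM_RE.finditer(text))
    if not blocks:
        return ["no -----BEGIN ...-----/-----END ...----- block found"]
    for m in blocks:
        label, body = m.group("label"), m.group("body")
        # Header and footer must be whole lines, so the body has to start and
        # end with a line break (LF or CRLF). A flattened PEM fails exactly here.
        if not (body.startswith(("\n", "\r\n")) and body.endswith("\n")):
            problems.append(f"{label}: header and footer are not on their own lines (flattened PEM)")
        try:
            base64.b64decode("".join(body.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{label}: body is not valid base64")
    return problems


def repair_pem(text: str, width: int = 64) -> str:
    """Re-wrap each PEM block: header line, 64-column base64 lines, footer line.

    Only the whitespace layout changes; the decoded bytes are untouched. A body
    that is not base64 raises, because no amount of reformatting fixes that.
    """
    def _rewrap(m):
        label = m.group("label")
        compact = "".join(m.group("body").split())
        base64.b64decode(compact, validate=True)  # fail loudly on a garbled body
        lines = [compact[i:i + width] for i in range(0, len(compact), width)]
        return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"])

    return PEM_RE.sub(_rewrap, text).strip() + "\n"


def secret_manifest(name: str, pems: dict) -> str:
    """Render a Secret whose stringData values are YAML literal blocks (`|`).

    The literal block keeps every newline of the repaired PEM, which is what the
    single-line values in the question lost.
    """
    lines = ["apiVersion: v1", "kind: Secret", "metadata:", f"  name: {name}",
             "type: Opaque", "stringData:"]
    for key, pem in pems.items():
        lines.append(f"  {key}: |")
        lines.extend("    " + line for line in repair_pem(pem).splitlines())
    return "\n".join(lines) + "\n"


# Constructed sample: base64 of placeholder bytes, not a real certificate, laid
# out the way the question's stringData has it (everything on one line).
FAKE_DER = b"constructed sample, not a real certificate" * 4
FLATTENED_CA = (
    "-----BEGIN CERTIFICATE-----"
    + base64.b64encode(FAKE_DER).decode("ascii")
    + "-----END CERTIFICATE-----"
)

if __name__ == "__main__":
    print("before:", check_pem(FLATTENED_CA))
    fixed = repair_pem(FLATTENED_CA)
    print("after: ", check_pem(fixed))
    print(secret_manifest("db-secret", {"SERVER_CA": FLATTENED_CA}))
```

Running the script prints the problem list before and after the repair, followed by a manifest you can apply. The same result is reached without editing YAML at all with `kubectl create secret generic db-secret --from-file=SERVER_CA=server-ca.crt --from-file=CLIENT_CERT=client-cert.crt --from-file=CLIENT_KEY=client-key.key`, which reads the files byte for byte. Two caveats worth keeping in mind: `sslmode=verify-ca` as used in the question checks the chain but not the server's name, and `verify-full` only works when the name in the server certificate matches what you pass as host, which an IP address usually does not; and a private key in a Secret is only base64-encoded, so who can read it is governed by RBAC on the Secret (and etcd encryption at rest, if enabled), not by the encoding.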
