AWX PostgreSQL setup via TLS certs

Hi,

Please provide the exact syntax for creating a PostgreSQL secret for the Postgres DB with tls.crt, tls.key and ca.crt along with the DB details.

I am trying to deploy the AWX application with an SSL-enabled external database.

Regards,
Vijender

Hello @Vijender7 welcome to the Community!

Can you provide us with more data? What are you exactly trying to achieve? Do you want to automate the self-signed certificate creation, or are you trying to use ansible to configure these certificates on a postgresql db server? What did you try so far? Any errors we could analyze? What ansible-core & related galaxy collections version have you installed?

Maybe you could start by checking out Ansible's documentation for PostgreSQL; there is a community collection here:

https://docs.ansible.com/ansible/latest/collections/community/postgresql/postgresql_set_module.html#parameter-ssl_cert

On the other hand, if what you need is help on how to create the self-signed certificate stuff, you may check this link:

If you tell us a bit more I’m sure we’ll be able to help you further :slight_smile:

Cheers!


Hi,
I have an external PostgreSQL database with third-party CA-signed certs (ca.crt, tls.key, tls.crt files) plus the database hostname, password, port and user name.
I created a secret.yaml file with the ca.crt, tls.key and tls.crt files added in base64 format along with all the DB connection details, then created a PostgreSQL secret and added this secret to the AWX deployment file. After deploying AWX, when we try to connect to the DB we get the error below.

Secret.yaml file syntax is below:

cat db_secret.yaml
apiVersion: v1
data:
  ca.crt: base64format-key
  tls.crt: base64format-key
  tls.key: base64format-key
kind: Secret
metadata:
  creationTimestamp: null
  name: awx-postgres-configuration
  namespace: awx
stringData:
  host: db-hostname
  port: "5432"
  database: awx
  username: awx
  password: VVBiUHFxbUZEMlJx
  type: unmanaged
  sslmode: require
type: kubernetes.io/tls


Below are the errors:

$ kubectl exec -ti deploy/awx-web -c awx-web -- /bin/bash -c "awx-manage check_db"
Traceback (most recent call last):
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/backends/base/base.py", line 289, in ensure_connection
    self.connect()
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/backends/base/base.py", line 270, in connect
    self.connection = self.get_new_connection(conn_params)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/backends/postgresql/base.py", line 275, in get_new_connection
    connection = self.Database.connect(**conn_params)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/psycopg/connection.py", line 728, in connect
    raise ex.with_traceback(None)
psycopg.OperationalError: connection failed: connection requires a valid client certificate
FATAL: no pg_hba.conf entry for host "172.16.53.54", user "awx", database "awx", no encryption

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/usr/bin/awx-manage", line 8, in <module>
    sys.exit(manage())
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/awx/__init__.py", line 184, in manage
    if (connection.pg_version // 10000) < 12:
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/utils/connection.py", line 15, in __getattr__
    return getattr(self._connections[self._alias], item)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/utils/functional.py", line 57, in __get__
    res = instance.__dict__[self.name] = self.func(instance)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/backends/postgresql/base.py", line 436, in pg_version
    with self.temporary_connection():
  File "/usr/lib64/python3.9/contextlib.py", line 119, in __enter__
    return next(self.gen)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/backends/base/base.py", line 705, in temporary_connection
    with self.cursor() as cursor:
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/backends/base/base.py", line 330, in cursor
    return self._cursor()
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/backends/base/base.py", line 306, in _cursor
    self.ensure_connection()
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/backends/base/base.py", line 289, in ensure_connection
    self.connect()
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/utils.py", line 91, in __exit__
    raise dj_exc_value.with_traceback(traceback) from exc_value
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/backends/base/base.py", line 289, in ensure_connection
    self.connect()
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/backends/base/base.py", line 270, in connect
    self.connection = self.get_new_connection(conn_params)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/django/db/backends/postgresql/base.py", line 275, in get_new_connection
    connection = self.Database.connect(**conn_params)
  File "/var/lib/awx/venv/awx/lib64/python3.9/site-packages/psycopg/connection.py", line 728, in connect
    raise ex.with_traceback(None)
django.db.utils.OperationalError: connection failed: connection requires a valid client certificate
FATAL: no pg_hba.conf entry for host "172.16.53.54", user "awx", database "awx", no encryption
command terminated with exit code 1

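As an added example (not from either post or from the AWX project), a small Python script that assembles the Secret the first post asks for using the connection keys the AWX operator documents, checks that each file is the PEM type its key implies and that sslmode cannot fall back to plaintext (with sslmode=prefer libpq retries without SSL after a TLS failure, which is what the second "no encryption" line in the traceback shows), and emits a psql conninfo for testing the client certificate against the server without AWX in the loop. The hostname, password and PEM blobs are constructed placeholders, and the block does not assume that AWX itself consumes the ca.crt/tls.crt/tls.key keys; it only keeps them in the Secret as the post does.

```python
import base64
import json

# Constructed placeholder PEM material (not real keys): replace with the real files.
CA_PEM = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQtY2E=\n-----END CERTIFICATE-----\n"
CRT_PEM = "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQtY2xpZW50\n-----END CERTIFICATE-----\n"
KEY_PEM = "-----BEGIN PRIVATE KEY-----\nY29uc3RydWN0ZWQta2V5\n-----END PRIVATE KEY-----\n"

# Expected PEM label per key; catches a swapped cert/key before it is base64-wrapped.
EXPECTED = {"ca.crt": {"CERTIFICATE"}, "tls.crt": {"CERTIFICATE"},
            "tls.key": {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}}
# libpq modes that never fall back to plaintext; 'prefer' and 'allow' do.
STRICT_SSLMODES = {"require", "verify-ca", "verify-full"}


def pem_label(pem: str) -> str:
    """Return the label of the first PEM block ('CERTIFICATE', 'PRIVATE KEY', ...)."""
    first = pem.strip().splitlines()[0] if pem.strip() else ""
    if not (first.startswith("-----BEGIN ") and first.endswith("-----")):
        raise ValueError("not PEM: %r" % first[:40])
    return first[len("-----BEGIN "):-len("-----")]


def b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


def build_secret(host, port, database, username, password, ca_pem, crt_pem, key_pem,
                 sslmode="verify-full", name="awx-postgres-configuration", namespace="awx"):
    """Assemble the AWX external-DB Secret as a dict (kubectl apply -f accepts JSON)."""
    if sslmode not in STRICT_SSLMODES:
        raise ValueError(f"sslmode={sslmode!r} allows an unencrypted fallback")
    files = {"ca.crt": ca_pem, "tls.crt": crt_pem, "tls.key": key_pem}
    for key, pem in files.items():
        label = pem_label(pem)
        if label not in EXPECTED[key]:
            raise ValueError(f"{key}: unexpected PEM block {label!r}")
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": name, "namespace": namespace},
        "data": {k: b64(v) for k, v in files.items()},  # PEM files, base64-encoded
        "stringData": {  # stringData is plain text: do not pre-encode the password
            "host": host, "port": str(port), "database": database,
            "username": username, "password": password,
            "sslmode": sslmode, "type": "unmanaged",
        },
    }


def psql_conninfo(secret: dict, certdir: str) -> str:
    """libpq conninfo to test the same credentials and client cert outside AWX."""
    s = secret["stringData"]
    return (f"host={s['host']} port={s['port']} dbname={s['database']} user={s['username']} "
            f"sslmode={s['sslmode']} sslrootcert={certdir}/ca.crt "
            f"sslcert={certdir}/tls.crt sslkey={certdir}/tls.key")


if __name__ == "__main__":
    secret = build_secret("db.example.internal", 5432, "awx", "awx", "CHANGE-ME",
                          CA_PEM, CRT_PEM, KEY_PEM)
    print(json.dumps(secret, indent=2))
    print("psql '%s' -c 'select 1'" % psql_conninfo(secret, "/tmp/pgcerts"))
```

If `psql` with that conninfo succeeds but AWX still fails with the same two lines, the certificate is fine and the remaining question is how the running AWX pods receive sslmode and the client certificate.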

Ok, now I understand what you want to achieve. I haven't done such a deployment of AWX before, since I only use it in lab environments. To my mind it looks like you should be customizing the spec section of the awx-operator YAML config with your TLS settings before deploying (see awx-demo.yml in the docs example below):

Now, to know exactly what you should add to the spec section, you might find some clues in this document for a Helm install (I couldn't find anything intended for minikube, but you didn't say whether that's your case anyway):

See if that helps you figure out the solution yourself. If not, I could find a time slot and try to replicate a similar scenario, do my own trials, and so on. Or if anyone else here has tried such an AWX deployment before and wants to add his insight... that's what forums are made for :wink:

Cheers
