fix: override PGSSLROOTCERT in psql container#219
Merged
Conversation
The latest alpine/psql image sets PGSSLROOTCERT=system at the container level (upstream commit alpine-docker/multi-arch-docker-images@27830b4), which makes libpq read the OS trust store and implicitly upgrades sslmode to verify-full. Since CNPG serves TLS with a self-signed CA that is not present in the Alpine trust store, the connection fails with "SSL error: certificate verify failed" before authentication is attempted. Override PGSSLROOTCERT with an empty value in the "extension-installed" Jobs (both the generic and PostGIS variants) so libpq falls back to the default sslmode and the extension presence check can complete. See cloudnative-pg#218.

Signed-off-by: Gabriele Fedi <gabriele.fedi@enterprisedb.com>

Pin the alpine/psql image used by the "extension-installed" Jobs (both the generic and PostGIS variants) to a specific tag and digest instead of :latest, so test runs are reproducible and a new upstream release cannot silently break CI (see cloudnative-pg#218 for the SSL verification regression that motivated this). Add a Renovate custom manager covering test/*.yaml and **/test/*.yaml so the pinned tag is tracked automatically. Because config:recommended pulls in :ignoreModulesAndTests, which excludes **/test/** from scanning, override ignorePaths to an empty array so the new manager can actually see those files.

Signed-off-by: Gabriele Fedi <gabriele.fedi@enterprisedb.com>
mnencia
approved these changes
May 26, 2026
Contributor
Ran the Chainsaw tests locally per this PR which passes ... approving
hh24k
approved these changes
May 26, 2026
gbartolini
approved these changes
May 27, 2026
Contributor
Author
I suggest removing that env var from the Clusters config accordingly as part of #221.
Summary
Fix the broken Chainsaw `extension-installed` checks after `alpine/psql:latest` started enforcing TLS certificate verification against the system trust store, and prevent the same class of regression in the future. Closes #218.
What changed
- Override `PGSSLROOTCERT` in the `extension-installed` Job (generic and PostGIS variants). The upstream image now sets `PGSSLROOTCERT=system` at the container level, which makes libpq implicitly use `sslmode=verify-full` against the OS trust store, and CNPG's self-signed CA isn't in it, so connections fail with `SSL error: certificate verify failed`. Overriding the env var to empty restores the default sslmode for the connectivity probe.
- Pin `alpine/psql` to `18.4` by tag + digest in both check-extension Jobs, so a new upstream release can't silently break CI again.
- Add a Renovate custom manager covering `**/test/*.yaml`, so the pinned image is tracked automatically.
- Override `ignorePaths` to an empty array, since `config:recommended` pulls in `:ignoreModulesAndTests`, which excludes `**/test/**` and would otherwise hide these files from Renovate.
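A minimal check-extension Job showing the two fixes side by side (the empty `PGSSLROOTCERT` override and the tag-plus-digest image pin), written as an added illustration and not taken from the PR's diff. The image digest is a placeholder because the page does not show it, and the Job name, CNPG service name, app Secret name, database and extension name are assumptions.

```yaml
apiVersion: batch/v1
kind: Job
metadata:
  name: check-extension-installed   # assumed name, not the PR's
spec:
  backoffLimit: 0
  template:
    spec:
      restartPolicy: Never
      containers:
        - name: psql
          # Pinned by tag AND digest: a new upstream :latest cannot change
          # libpq defaults underneath CI. The digest is a placeholder; take
          # the real one from the registry for the 18.4 tag.
          image: alpine/psql:18.4@sha256:<digest-from-registry>
          env:
            # The upstream image ships PGSSLROOTCERT=system, which makes libpq
            # validate the server cert against the OS trust store and bump the
            # default sslmode to verify-full. CNPG's self-signed CA is not in
            # that store, so set it to empty and libpq reverts to its default
            # sslmode for this probe.
            - name: PGSSLROOTCERT
              value: ""
            - name: PGHOST
              value: cluster-example-rw      # assumed CNPG read-write Service
            - name: PGDATABASE
              value: app                     # assumed database name
            - name: PGUSER
              valueFrom:
                secretKeyRef:
                  name: cluster-example-app  # assumed CNPG app Secret
                  key: username
            - name: PGPASSWORD
              valueFrom:
                secretKeyRef:
                  name: cluster-example-app
                  key: password
          command: ["sh", "-c"]
          # Exit non-zero unless the extension row exists, so Chainsaw can
          # assert on the Job's completion status. 'vector' is an assumed name.
          args:
            - psql -tAc "SELECT 1 FROM pg_extension WHERE extname = 'vector'" | grep -qx 1
```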