fix(mastodon): broken streaming postgres certificate
This patch fixes the mastodon-streaming Pod, which refused to talk to the postgresql cluster, due to the use of TLS with a self-signed certificate. Since the pg library in NodeJS does not accept any self-signed certificate without explicitly disabling certificate checking in the source code, this patch fixes the whole problem by bootstrapping a namespace CA, creating a certificate for the postgresql cluster, adjusting the required permissions for that, deploying the CA certificate to the mastodon-streaming Pod and configuring the streaming Pod to consider this namespace CA an additional CA certificate for its existence.

Let me put it this way: It's not a nice, but a functional and actually sustainable solution to the problem. All this is stitched together as postRenderers since the upstream helm chart is a bit limited in that perspective. Hopefully I can submit all these adjustments upstream in the long term. It works for now.

References:
https://github.com/mastodon/mastodon/blob/3114c826a7a6b2b10bff722c59cca57abe7f819f/streaming/index.js#L143-L146
https://www.postgresql.org/docs/10/libpq-ssl.html
https://node-postgres.com/features/ssl
Showing
- apps/base/mastodon/ca.yaml: 26 additions, 0 deletions
- apps/base/mastodon/database.yaml: 22 additions, 0 deletions
- apps/base/mastodon/kustomization.yaml: 1 addition, 0 deletions
- apps/base/mastodon/release.yaml: 31 additions, 0 deletions