IM pods cannot be deployed when foundational services is configured with external EDB PostgreSQL

From foundational services version 4.6.10, the IM operator requires TLS certificate verification for connections to an external EDB PostgreSQL server. If the existing server certificate does not contain a Subject Alternative Name (SAN) extension, replace the server certificate on the external EDB PostgreSQL server with a new certificate that contains SANs. The SAN values must be the DNS names that the certificate is valid for, or the IP address of the server where the certificate is used. This requirement follows modern security best practices and the guidelines in RFC 9525.

Symptoms

The following error message is displayed in the Identity Management (IM) operator log:

{"level":"info","ts":"2025-02-26T20:21:21Z","logger":"controller_authentication","msg":"Perform any pending migrations","Request.Namespace":"production","Request.Name":"example-authentication","subreconciler":"handleMigrations"}
{"level":"info","ts":"2025-02-26T20:21:21Z","logger":"controller_authentication","msg":"Retrieving change logs","Request.Namespace":"production","Request.Name":"example-authentication"}
{"level":"info","ts":"2025-02-26T20:21:21Z","logger":"controller_authentication","msg":"Connecting to PostgresDB","Request.Namespace":"production","Request.Name":"example-authentication","PostgresDB.Host":"postgres-client-auth1.fyre.ibm.com","PostgresDB.Port":"5432"}
{"level":"error","ts":"2025-02-26T20:21:21Z","logger":"controller_authentication","msg":"Failed to connect to PostgresDB","Request.Namespace":"production","Request.Name":"example-authentication","error":"failed to connect to `host=postgres-client-auth1.fyre.ibm.com user=postgres database=imcnpdb`: failed to write startup message (write failed: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead)","stacktrace":"github.com/IBM/ibm-iam-operator/database/schema/v1.GetChangelogs\n\t/home/prow/go/src/github.com/IBM/ibm-iam-operator/database/schema/v1/tables.go:1523\ngithub.com/IBM/ibm-iam-operator/database.PlanMigrations\n\t/home/prow/go/src/github.com/IBM/ibm-iam-operator/database/migrate.go:61\ngithub.com/IBM/ibm-iam-operator/controllers/operator.(*AuthenticationReconciler).handleMigrations\n\t/home/prow/go/src/github.com/IBM/ibm-iam-operator/controllers/operator/migration.go:378\ngithub.com/IBM/ibm-iam-operator/controllers/operator.(*AuthenticationReconciler).Reconcile\n\t/home/prow/go/src/github.com/IBM/ibm-iam-operator/controllers/operator/authentication_controller.go:369\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/prow/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.1/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/prow/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.1/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/prow/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.1/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/prow/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.1/pkg/internal/controller/controller.go:227"}
{"level":"error","ts":"2025-02-26T20:21:21Z","logger":"controller_authentication","msg":"Failed to handle migrations","Request.Namespace":"production","Request.Name":"example-authentication","subreconciler":"handleMigrations","error":"failed to form a migration plan: failed to retrieve changelogs: failed to connect to `host=postgres-client-auth1.fyre.ibm.com user=postgres database=imcnpdb`: failed to write startup message (write failed: tls: failed to verify certificate: x509: certificate relies on legacy Common Name field, use SANs instead)","stacktrace":"github.com/IBM/ibm-iam-operator/controllers/operator.(*AuthenticationReconciler).handleMigrations\n\t/home/prow/go/src/github.com/IBM/ibm-iam-operator/controllers/operator/migration.go:381\ngithub.com/IBM/ibm-iam-operator/controllers/operator.(*AuthenticationReconciler).Reconcile\n\t/home/prow/go/src/github.com/IBM/ibm-iam-operator/controllers/operator/authentication_controller.go:369\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Reconcile\n\t/home/prow/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.1/pkg/internal/controller/controller.go:119\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/prow/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.1/pkg/internal/controller/controller.go:316\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/prow/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.1/pkg/internal/controller/controller.go:266\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/prow/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.16.1/pkg/internal/controller/controller.go:227"}
{"level":"info","ts":"2025-02-26T20:21:21Z","logger":"controller_authentication","msg":"Update status before finishing loop.","Request.Namespace":"production","Request.Name":"example-authentication"}

Resolving the problem

To resolve the issue, complete the following workaround:

  1. Set up the database server certificate.

    1. Generate the database server CSR.

      openssl req -new -nodes -text \
          -out server.csr \
          -keyout server.key \
          -subj "/CN=*.fyre.ibm.com"
       
      chmod og-rwx server.key
       
    2. Sign a database server certificate with the internal intermediate CA. The SANs are supplied through the -extfile option; the <(...) process substitution that is used here requires bash or a similar shell.

      openssl x509 -req \
          -in server.csr -text -days 730 \
          -CA root.crt -CAkey root.key -CAcreateserial \
          -out server.crt \
          -extfile <(printf "subjectAltName=DNS:*.fyre.ibm.com,DNS:edbcluster1.fyre.ibm.com")
       
  2. Restart the EDB PostgreSQL database.

    sudo systemctl restart postgresql-16