[Artifactory-HA] Metadata service does not respect customVolumeMounts for DB CAs

[Atchuu]

Is this a request for help?: No

---

Is this a BUG REPORT or FEATURE REQUEST? (choose one): Bug

Version of Helm and Kubernetes:

Helm 3.11.0 / Kubernetes 1.24.9

Which chart:

Artifactory-HA 107.63.14

Which product license (Enterprise/Pro/oss):

Enterprise

JFrog support reference (if already raised with support team):

What happened:

It appears the metadata container within the primary statefulset makes a connection to the database but does not support customVolumeMounts for when a Database's CA is needed, nor does there appear to be any other way to get the Database's CA into that container.

What you expected to happen:

The metadata container should respect the customVolumeMounts variable so that a trusted database Certificate Authorities (CA) can be set when making it's database connection

How to reproduce it (as minimally and precisely as possible):

• Create an external PostgreSQL database with SSL enabled utilizing an default untrusted certificate.

• Add the CA to artifactory.configMaps

  # Add any list of configmaps to Artifactory
  configMaps: |
  mydbca.crt: |
    -----BEGIN CERTIFICATE-----
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    -----END CERTIFICATE-----

• Add that configmap name to artifactory.customVolumeMounts

  ## Add custom volumesMounts
  customVolumeMounts: |
  - name: artifactory-configmaps
    mountPath: "/tmp/mydbca.crt"
    subPath: mydbca.crt

• Set your external database URL to include the CA file

  ## If NOT using the PostgreSQL in this chart (postgresql.enabled=false),
  ## you MUST specify custom database details here or Artifactory will NOT start
  database:
  ...snip...
  ## If you set the url, leave host and port empty
  url: jdbc:postgresql://mydb.fqdn:5432/artifactory?ssl=true&sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory&sslmode=verify&sslrootcert=/tmp/mydbca.crt

• Deploy the artifactory-ha chart and retrieve the logs for the metadata container.

• Observe crashing due to lack of the /tmp/mydbca.crt file

Could not initialize database (db config: ...snip... : Failed to configure TLS (unable to read CA file: open /tmp/mydbca.crt: no such file or directory)

Anything else we need to know:

Opinion: There should be little to no harm in adding customVolumeMounts support to every container within the various pods specs, whether they utilize this mount point or not

[Logeshwarsn]

@Atchuu Thanks for reporting this issue. Currently we are working on this issue , and will update you soon.

[Logeshwarsn]

@Atchuu We have released a new version of artifactory chart. Could you please test it and send us feedback ?