Gitlab on Azure using postgres flexible server

We are having difficulty using azure flexible server PostgreSQL v 14.4 with cloud native gitlab. The challenge we have is that the helm chart for gitlab requires a client key and certificate as part of the configuration for the serverCA field in the helm chart:

  • global.psql.ssl.secret: A secret that contains the client certificate, key, and certificate authority.
  • global.psql.ssl.serverCA: In the secret, the key that refers to the certificate authority (CA).
  • global.psql.ssl.clientCertificate: In the secret, the key that refers to the client certificate.
  • global.psql.ssl.clientKey: In the secret, the client.

However, we have not been able to connect to the azure server instance when using a client key and certificate we generate and self-sign because of an unknown-CA error. We see the same error when using PSQL on the command line.

We noticed that openssl or psql can connect successfully if we either omit client cert/key, or point to the non-existing file. The server does not try to validate the client cert if none is submitted, thus accepting the connection. However, we cannot figure out how to implement the same behavior with the “dependencies” container in the webservice chart: how can we only provide a valid CA, but skip providing client cert/key?

Has anyone successfully used azure flexible server for Postgres with Gitlab with SSL enabled? What configuration did you use?