Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

keeper: don't disable ssl for replication #501

Merged
merged 1 commit into from
Jun 5, 2018
Merged

keeper: don't disable ssl for replication #501

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
18 changes: 10 additions & 8 deletions cmd/keeper/cmd/keeper.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -220,7 +220,8 @@ func (p *PostgresKeeper) getSUConnParams(db, followedDB *cluster.DB) pg.ConnPara
"port": followedDB.Status.Port,
"application_name": common.StolonName(db.UID),
"dbname": "postgres",
"sslmode": "disable",
// prefer ssl if available (already the default for postgres libpq but not for golang lib pq)
"sslmode": "prefer",
}
if p.pgSUAuthMethod != "trust" {
cp.Set("password", p.pgSUPassword)
Expand All @@ -234,7 +235,8 @@ func (p *PostgresKeeper) getReplConnParams(db, followedDB *cluster.DB) pg.ConnPa
"host": followedDB.Status.ListenAddress,
"port": followedDB.Status.Port,
"application_name": common.StolonName(db.UID),
"sslmode": "disable",
// prefer ssl if available (already the default for postgres libpq but not for golang lib pq)
"sslmode": "prefer",
}
if p.pgReplAuthMethod != "trust" {
cp.Set("password", p.pgReplPassword)
Expand All @@ -244,11 +246,11 @@ func (p *PostgresKeeper) getReplConnParams(db, followedDB *cluster.DB) pg.ConnPa

func (p *PostgresKeeper) getLocalConnParams() pg.ConnParams {
cp := pg.ConnParams{
"user": p.pgSUUsername,
"host": common.PgUnixSocketDirectories,
"port": p.pgPort,
"dbname": "postgres",
"sslmode": "disable",
"user": p.pgSUUsername,
"host": common.PgUnixSocketDirectories,
"port": p.pgPort,
"dbname": "postgres",
// no sslmode defined since it's not needed and supported over unix sockets
}
if p.pgSUAuthMethod != "trust" {
cp.Set("password", p.pgSUPassword)
Expand All @@ -262,7 +264,7 @@ func (p *PostgresKeeper) getLocalReplConnParams() pg.ConnParams {
"password": p.pgReplPassword,
"host": common.PgUnixSocketDirectories,
"port": p.pgPort,
"sslmode": "disable",
// no sslmode defined since it's not needed and supported over unix sockets
}
if p.pgReplAuthMethod != "trust" {
cp.Set("password", p.pgReplPassword)
Expand Down
2 changes: 1 addition & 1 deletion doc/ssl.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
## PostgreSQL SSL/TLS setup

SSL/TLS access to an HA postgres managed by stolon can be configured as usual (see the [official postgres doc](https://www.postgresql.org/docs/current/static/ssl-tcp.html)). The setup is done [defining the required pgParameters inside the cluster spec](postgres_parameters.md).
SSL/TLS access to an HA postgres managed by stolon can be configured as usual (see the [official postgres doc](https://www.postgresql.org/docs/current/static/ssl-tcp.html)). The setup is done [defining the required pgParameters inside the cluster spec](postgres_parameters.md). If this is enabled also replication between instances will use tls (currently it'll use the default replication mode of "prefer").

If you want to enable client side full verification (`sslmode=verify-full` in the client connection string) you should configure the certificate CN to contain the FQDN or IP address that your client will use to connect to the stolon proxies. Depending on your architecture you'll have more than one stolon proxies behind a load balancer, a keepealived ip, a k8s service etc... So the certificate CN should be set to the hostname or ip that your client will connect to.

Expand Down