It is now possible to specify a CRL for use by the

replication user by mounting a replicator.crl file. If this file is detected, it will be configured along with various other certificates for use by the replication user when communicating with the database using SSL/TLS. Additionally, the SSL root certificate for the replication user can now be provided independently of various other certificates (e.g. client certificates).
CrunchyData · Dec 30, 2019 · 30f75d8 · 30f75d8
1 parent 128011f
commit 30f75d8
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 4 deletions.
diff --git a/bin/postgres-ha/bootstrap-postgres-ha.sh b/bin/postgres-ha/bootstrap-postgres-ha.sh
@@ -246,7 +246,8 @@ remove_patroni_pause_key
  # Ensure any existing SSL certificates in PGDATA have the proper permissions
 chmod -f 0600 "${PATRONI_POSTGRESQL_DATA_DIR}/server.key" "${PATRONI_POSTGRESQL_DATA_DIR}/server.crt" \
     "${PATRONI_POSTGRESQL_DATA_DIR}/ca.crt" "${PATRONI_POSTGRESQL_DATA_DIR}/ca.crl" \
-    "${PATRONI_POSTGRESQL_DATA_DIR}/replicator.crt" "${PATRONI_POSTGRESQL_DATA_DIR}/replicator.key"
+    "${PATRONI_POSTGRESQL_DATA_DIR}/replicator.crt" "${PATRONI_POSTGRESQL_DATA_DIR}/replicator.key" \
+    "${PATRONI_POSTGRESQL_DATA_DIR}/replicator.crl"
 
 # Bootstrap the cluster
 bootstrap_cmd="$@ /tmp/postgres-ha-bootstrap.yaml"

diff --git a/bin/postgres-ha/pre-bootstrap.sh b/bin/postgres-ha/pre-bootstrap.sh
@@ -226,16 +226,26 @@ set_pg_user_credentials() {
 
         # Configure certificate-based authentication for replication if proper certs are available.
         # Otherwise use a password
-        if [[ -f "/pgconf/replicator.key" ]] && [[ -f "/pgconf/replicator.crt" ]] && [[ -f "/pgconf/ca.crt" ]]
+        if [[ -f "/pgconf/replicator.key" ]] && [[ -f "/pgconf/replicator.crt" ]]
         then
             export PATRONI_REPLICATION_SSLKEY="${PATRONI_POSTGRESQL_DATA_DIR}/replicator.key"
-            export PATRONI_REPLICATION_SSLCERT="${PATRONI_POSTGRESQL_DATA_DIR}/replicator.crt"
-            export PATRONI_REPLICATION_SSLROOTCERT="${PATRONI_POSTGRESQL_DATA_DIR}/ca.crt"
+            export PATRONI_REPLICATION_SSLCERT="${PATRONI_POSTGRESQL_DATA_DIR}/replicator.crt"            
         else
             PATRONI_REPLICATION_PASSWORD=$(cat /pgconf/pgreplicator/password)
             err_check "$?" "Set replication user password" "Unable to set PATRONI_REPLICATION_PASSWORD using secret"
             export PATRONI_REPLICATION_PASSWORD
         fi
+
+        # set the server CA for the replication user if present
+        if [[ -f "${PATRONI_POSTGRESQL_DATA_DIR}/ca.crt" ]]
+        then
+            export PATRONI_REPLICATION_SSLROOTCERT="${PATRONI_POSTGRESQL_DATA_DIR}/ca.crt"
+        fi
+        # set the CRL for the replication user if present
+        if [[ -f "${PATRONI_POSTGRESQL_DATA_DIR}/replicator.crl" ]]
+        then
+            export PATRONI_REPLICATION_SSLCRL="${PATRONI_POSTGRESQL_DATA_DIR}/replicator.crl"
+        fi
 
         PATRONI_REPLICATION_USERNAME=$(cat /pgconf/pgreplicator/username)
         err_check "$?" "Set replication user" "Unable to set PATRONI_REPLICATION_USERNAME using secret"

diff --git a/bin/postgres-ha/ssl-config.sh b/bin/postgres-ha/ssl-config.sh
@@ -44,5 +44,6 @@ custom_config "/pgconf/ca.crt" "${PATRONI_POSTGRESQL_DATA_DIR}/ca.crt" 600
 custom_config "/pgconf/ca.crl" "${PATRONI_POSTGRESQL_DATA_DIR}/ca.crl" 600
 custom_config "/pgconf/replicator.crt" "${PATRONI_POSTGRESQL_DATA_DIR}/replicator.crt" 600
 custom_config "/pgconf/replicator.key" "${PATRONI_POSTGRESQL_DATA_DIR}/replicator.key" 600
+custom_config "/pgconf/replicator.crl" "${PATRONI_POSTGRESQL_DATA_DIR}/replicator.crl" 600
 
 export PGHA_SSL_CONFIG