Tell postgres client to use OS cert bundle for ssl root keys #341
Conversation
Whether a company wants to connect to the database using ssl for self-signed certs or for a company CA, we want to have the library just use the standard operating system mechanism (OS cert bundle). If this were not set, then we would need to install the database certificate and put it into ~/.postgres/root.crt for root and manageiq (and any other users that come down the line).
Checked commit kbrock@59c68f2 with ruby 2.6.3, rubocop 1.13.0, haml-lint 0.35.0, and yamllint
WIP: need to walk through this with someone to understand my rationale behind a few decisions. This is working for me on a single appliance.
UNWIP: this will not affect pods. It does affect existing appliance installations that have the ssl database set up. I think all appliance upgrades (not rpm upgrades) will need to set up the database again anyway. But I put that assumption in ink so others can point to my errors now and in the future.
LGTM, @bdunne can you review/merge? It makes sense to me to not store the keys in the
Sorry all. Thank you for merging @bdunne, but it looks like this is only good after someone configures the appliance to use certificates.
Goal
Part of larger PR ManageIQ/manageiq#20394
Enables: transitioning from root to other users means we don't store key configuration files in /root.
Luckily, the operating system has a mechanism for storing ca certs in a centralized location.
This PR is focused on connecting to the database and encrypting traffic using ssl.
Before
/root/.postgres/root.crt
~/.postgres/root
so the CA cert will register.
After
/etc/pki/tls/certs/ca-bundle.crt
libpq will pick it up from /etc.
Appliance Reproduction steps
Bibliography
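An added example (not the PR's or ManageIQ's code) of what the sslrootcert choice decides: with Ruby's OpenSSL bindings it issues a constructed company CA and a database server cert, then checks that server cert against a bundle that does and does not contain the CA, which is the trust decision libpq makes for whatever path sslrootcert names (the OS bundle at /etc/pki/tls/certs/ca-bundle.crt or a per-user ~/.postgres/root.crt). Every certificate, name and file path in it is constructed test data.

```ruby
require "openssl"
require "tempfile"

# Issue an X.509 cert (self-signed CA when no issuer is given). Constructed test data only.
def issue_cert(subject, ca:, issuer: nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1..2**31)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer ? issuer[:cert].subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer ? issuer[:cert] : cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer ? issuer[:key] : key, OpenSSL::Digest.new("SHA256"))
  { cert: cert, key: key }
end

# libpq parameters for a verified TLS connection; sslrootcert is the only trust input.
def pg_ssl_params(sslrootcert)
  { sslmode: "verify-full", sslrootcert: sslrootcert }
end

# The trust decision libpq derives from sslrootcert: does the server cert chain to a CA in that file?
def server_cert_trusted?(server_pem, sslrootcert)
  store = OpenSSL::X509::Store.new
  store.add_file(sslrootcert)
  store.verify(OpenSSL::X509::Certificate.new(server_pem))
end

# Temp file standing in for /etc/pki/tls/certs/ca-bundle.crt (or ~/.postgres/root.crt); returns its path.
def write_bundle(*pems)
  f = Tempfile.create(["ca-bundle", ".crt"])
  f.write(pems.join)
  f.close
  f.path
end

# Scenario: trust succeeds only when the company CA is present in the configured bundle.
def demo
  company_ca = issue_cert("/CN=Company Root CA", ca: true)
  other_ca   = issue_cert("/CN=Unrelated CA", ca: true)
  db_server  = issue_cert("/CN=db.example.internal", ca: false, issuer: company_ca)
  with_ca    = write_bundle(other_ca[:cert].to_pem, company_ca[:cert].to_pem)
  without_ca = write_bundle(other_ca[:cert].to_pem)
  [server_cert_trusted?(db_server[:cert].to_pem, with_ca),
   server_cert_trusted?(db_server[:cert].to_pem, without_ca)]
end
```

Hostname matching, which verify-full also enforces, is left out; the point shown is that appending the company CA to the one bundle libpq is pointed at is what makes the chain verify for every OS user.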