Certificate-based Authentication
hxtk opened this issue
I'm attempting to set up kubegres with certificate-based authentication, replacing password-based authentication entirely using the cert auth method [1] [2]. That is, I want my pg_hba.conf to look something like this:
hostssl all all all cert clientcert=1
Many of the issues that must be overcome to accomplish this are similar to the issues described in #81. However, using the cert auth method for the replication role is forbidden in practice because the spec requires that we have the POSTGRES_PASSWORD and POSTGRES_REPLICATION_PASSWORD environment variables set [3], and the replication role is created with a password in the non-overridable primary_create_replication_role.sh script [4].
The POSTGRES_PASSWORD variable is understandable, as it is required by the base image to be non-empty, so I understand you have a requirement for that; an acceptable tradeoff for me is to modify that account after initialization. The replication user, on the other hand, poses a concern for me that I'm not sure how best to overcome.
1: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
2: https://www.postgresql.org/docs/current/auth-cert.html
3: kubegres/controllers/spec/checker/SpecChecker.go, lines 140 to 148 in 5c49a73
4: kubegres/controllers/spec/template/yaml/BaseConfigMapTemplate.yaml, lines 172 to 185 in 7d751fe
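The post above wants every connection path authenticated with client certificates rather than passwords, including the replication role. A practitioner applying that policy needs a way to confirm the rendered pg_hba.conf actually matches it. The following is an added example, not code from the kubegres project or from hxtk: it parses pg_hba.conf rules in the format documented at the auth-pg-hba-conf page cited in [1] and reports every rule whose method is not `cert`, grouping findings as password-based (`password`, `md5`, `scram-sha-256`), unauthenticated (`trust`), or other non-certificate methods such as `peer`. The sample configuration at the bottom is constructed for the demonstration; the `hostssl ... cert clientcert=1` line is the shape the issue asks for, and the `scram-sha-256` replication rule stands in for the password-based replication role the issue describes.

```python
"""Audit a pg_hba.conf for anything weaker than certificate authentication.

Added example, not code from the kubegres project. The sample
configuration below is constructed for the demonstration.
"""
import shlex
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Authentication methods PostgreSQL accepts in the METHOD column.
METHODS = {
    "trust", "reject", "scram-sha-256", "md5", "password", "gss", "sspi",
    "ident", "peer", "ldap", "radius", "cert", "pam", "bsd",
}
PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}


@dataclass
class HbaRule:
    line_no: int
    conn_type: str            # local, host, hostssl, hostnossl, ...
    database: str
    user: str
    address: Optional[str]    # None for local (Unix-socket) rules
    method: str
    options: Dict[str, str] = field(default_factory=dict)


def parse_pg_hba(text: str) -> List[HbaRule]:
    """Parse pg_hba.conf text into rules, skipping blank and comment lines."""
    rules: List[HbaRule] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = shlex.split(body)
        conn_type = fields[0]
        if conn_type == "local":
            # local rules have no ADDRESS column.
            database, user, address = fields[1], fields[2], None
            rest = fields[3:]
        else:
            database, user, address = fields[1], fields[2], fields[3]
            rest = fields[4:]
            # An address may be followed by a separate netmask column
            # ("10.0.0.0 255.0.0.0"); whatever precedes the method is address.
            if rest and rest[0] not in METHODS and "=" not in rest[0]:
                address = f"{address} {rest[0]}"
                rest = rest[1:]
        if not rest:
            raise ValueError(f"line {line_no}: missing auth method")
        method, opts = rest[0], rest[1:]
        # Trailing NAME=VALUE pairs are method options (e.g. clientcert=1).
        options = dict(opt.split("=", 1) for opt in opts if "=" in opt)
        rules.append(HbaRule(line_no, conn_type, database, user,
                             address, method, options))
    return rules


def audit(rules: List[HbaRule]) -> List[dict]:
    """Return one finding per rule weaker than `cert`.

    `reject` rules deny access outright and are not reported.
    """
    findings = []
    for r in rules:
        if r.method in ("cert", "reject"):
            continue
        if r.method in PASSWORD_METHODS:
            issue = "password"
        elif r.method == "trust":
            issue = "trust"
        else:
            issue = "non-cert"
        findings.append({"line": r.line_no, "type": r.conn_type,
                         "user": r.user, "method": r.method, "issue": issue})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per issue category."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return counts


# Constructed sample, not a real deployment's pg_hba.conf.
SAMPLE_PG_HBA = """\
# constructed sample for the audit demonstration
local     all          all                              peer
hostssl   all          all          all                 cert clientcert=1
host      all          all          10.0.0.0 255.0.0.0  md5
hostssl   replication  replication  0.0.0.0/0           scram-sha-256
hostnossl all          all          all                 trust
"""

if __name__ == "__main__":
    for f in audit(parse_pg_hba(SAMPLE_PG_HBA)):
        print(f"line {f['line']}: {f['type']} {f['user']} "
              f"uses {f['method']} ({f['issue']})")
```

Run it against the pg_hba.conf rendered into the pod (or the ConfigMap template in [4]) after initialization; a result with any `password` finding on the replication role shows that the password created by primary_create_replication_role.sh is still an accepted login path, which is exactly the gap the issue is about.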
I've worked through this problem and gotten a working solution. It's not "clean" and requires manual changes, but I can now identify two distinct subtasks that will allow this to be completed with the standard tooling, so I am closing this ticket to create two precisely targeted tickets for those specific changes.