From 1ea78ffd43cde2076a90dd0d37da2c90359b2cd4 Mon Sep 17 00:00:00 2001 From: Simone Gotti Date: Mon, 4 Jun 2018 11:48:49 +0200 Subject: [PATCH] keeper: don't disable ssl for replication Set sslmode to `prefer` so, if the user has enabled ssl/tls, it'll also be used for replication (and pg_rewind). Now it's not possible to force other options like verify-ca or verify-full since they requires more effort on the user side and need to be carefully tested. --- cmd/keeper/cmd/keeper.go | 18 ++++++++++-------- doc/ssl.md | 2 +- 2 files changed, 11 insertions(+), 9 deletions(-) diff --git a/cmd/keeper/cmd/keeper.go b/cmd/keeper/cmd/keeper.go index 787048257..69e661b79 100644 --- a/cmd/keeper/cmd/keeper.go +++ b/cmd/keeper/cmd/keeper.go @@ -220,7 +220,8 @@ func (p *PostgresKeeper) getSUConnParams(db, followedDB *cluster.DB) pg.ConnPara "port": followedDB.Status.Port, "application_name": common.StolonName(db.UID), "dbname": "postgres", - "sslmode": "disable", + // prefer ssl if available (already the default for postgres libpq but not for golang lib pq) + "sslmode": "prefer", } if p.pgSUAuthMethod != "trust" { cp.Set("password", p.pgSUPassword) @@ -234,7 +235,8 @@ func (p *PostgresKeeper) getReplConnParams(db, followedDB *cluster.DB) pg.ConnPa "host": followedDB.Status.ListenAddress, "port": followedDB.Status.Port, "application_name": common.StolonName(db.UID), - "sslmode": "disable", + // prefer ssl if available (already the default for postgres libpq but not for golang lib pq) + "sslmode": "prefer", } if p.pgReplAuthMethod != "trust" { cp.Set("password", p.pgReplPassword) @@ -244,11 +246,11 @@ func (p *PostgresKeeper) getReplConnParams(db, followedDB *cluster.DB) pg.ConnPa func (p *PostgresKeeper) getLocalConnParams() pg.ConnParams { cp := pg.ConnParams{ - "user": p.pgSUUsername, - "host": common.PgUnixSocketDirectories, - "port": p.pgPort, - "dbname": "postgres", - "sslmode": "disable", + "user": p.pgSUUsername, + "host": common.PgUnixSocketDirectories, + "port": p.pgPort, + "dbname": "postgres", + // no sslmode defined since it's not needed and supported over unix sockets } if p.pgSUAuthMethod != "trust" { cp.Set("password", p.pgSUPassword) @@ -262,7 +264,7 @@ func (p *PostgresKeeper) getLocalReplConnParams() pg.ConnParams { "password": p.pgReplPassword, "host": common.PgUnixSocketDirectories, "port": p.pgPort, - "sslmode": "disable", + // no sslmode defined since it's not needed and supported over unix sockets } if p.pgReplAuthMethod != "trust" { cp.Set("password", p.pgReplPassword) diff --git a/doc/ssl.md b/doc/ssl.md index 758426ff9..1bf4541d3 100644 --- a/doc/ssl.md +++ b/doc/ssl.md @@ -1,6 +1,6 @@ ## PostgreSQL SSL/TLS setup -SSL/TLS access to an HA postgres managed by stolon can be configured as usual (see the [official postgres doc](https://www.postgresql.org/docs/current/static/ssl-tcp.html)). The setup is done [defining the required pgParameters inside the cluster spec](postgres_parameters.md). +SSL/TLS access to an HA postgres managed by stolon can be configured as usual (see the [official postgres doc](https://www.postgresql.org/docs/current/static/ssl-tcp.html)). The setup is done [defining the required pgParameters inside the cluster spec](postgres_parameters.md). If this is enabled also replication between instances will use tls (currently it'll use the default replication mode of "prefer"). If you want to enable client side full verification (`sslmode=verify-full` in the client connection string) you should configure the certificate CN to contain the FQDN or IP address that your client will use to connect to the stolon proxies. Depending on your architecture you'll have more than one stolon proxies behind a load balancer, a keepealived ip, a k8s service etc... So the certificate CN should be set to the hostname or ip that your client will connect to.