database/postgres: add inline certificate authentication fields #28024
Conversation
github-actions
bot
added
the
hashicorp-contributed-pr
fairclothjm
force-pushed
the
postgres-ssl-plugin-fields
branch
from
da01aee to
83748a8
Compare
|
CI Results: |
| @@ -62,15 +58,3 @@ func GetCloudSQLAuthOptions(credentials string, usePrivateIP bool) ([]cloudsqlco | |||
|
|
|||
| return opts, nil | |||
| } | |||
|
|
|||
| func ValidateAuthType(authType string) bool { | |||
|
Build Results: |
fairclothjm
force-pushed
the
postgres-ssl-plugin-fields
branch
from
83748a8 to
889ed2f
Compare
| // Deprecated: OpenPostgres will be removed in a future version of the Vault SDK. | ||
| func OpenPostgres(driverName, connString string) (*sql.DB, error) { | ||
| // Deprecated: openPostgres will be removed in a future version of the Vault SDK. | ||
| func openPostgres(driverName, connString string) (*sql.DB, error) { |
There was a problem hiding this comment.
This was only exported for tests but I decided we should not export this so the test usage was removed. This code path is tested however because it is called indirectly by our tests.
| } | ||
| tlsConfig.Certificates = []tls.Certificate{cert} | ||
| p.TLSConfig = tlsConfig | ||
| } else { |
There was a problem hiding this comment.
Are sslcert and sslkey always required to have a TLS config? Should it be possible for the user to only set the sslrootcert? If not, wondering if it is worth returning an error to the user saying that the TLS Cert and Private Key need to be added
This is for the case if the user sets the sslrootcert but does not set either the sslcert or sslkey, then p.TLSConfig will be nil, and we would not use any info decoded in L112-L119. Since it would be under the hood I was wondering if it would be worth surfacing that we will ignore the root cert because of missing info in the config
There was a problem hiding this comment.
Great question! I considered this briefly as I was writing this code but never came back to it.
Setting only sslrootcert is a legit use case. This is useful when you want the client to verify the server certificate. See https://www.postgresql.org/docs/16/libpq-ssl.html#LIBQ-SSL-CERTIFICATES
I will update this flow to allow for this use case. 👍
This PR adds support for inline TLS configuration.
We add new fields to the plugin's config endpoint:
tls_certificate,tls_private_keyandtls_ca. These fields will take certificate data as a string. This allows Vault Operators and/or development teams to configure TLS when they do not have access to the Vault Server.Here is an example of configuring TLS inline via the new fields on the plugin’s config endpoint:
The
@in the CLI argument indicates a path to a file on disk to be read.