Replies: 1 comment

#894 to track
What is the problem you are trying to solve with this feature?
Support for client certificate authentication would allow homebox to connect to a PostgreSQL database with client certificates instead of (or in supplementation to) username/password. This would be especially useful in Kubernetes environments, where features like cert-manager can provision short-lived certificates that can be trusted by a database server, removing the need to manage secret database credentials.

More info:
- https://www.postgresql.org/docs/current/auth-cert.html
- https://goteleport.com/learn/postgresql-ssl-authentication-guide/
What is the solution you are proposing?
Add support for configuring client certificates/key (and optionally CA) as environment variables which configure the corresponding options in the PostgreSQL connection string:
- HBOX_DATABASE_SSL_CERT -> sslcert
- HBOX_DATABASE_SSL_KEY -> sslkey

Optionally, for client verification of the host certificate:
- HBOX_DATABASE_SSL_ROOT_CERT -> sslrootcert

libpq SSL connection string parameters are documented here: https://www.postgresql.org/docs/current/libpq-ssl.html

What alternatives have you considered?
An alternative to using client certificate authentication is to run homebox with HBOX_DATABASE_SSL_MODE=disable to disable SSL usage and negotiation, and run stunnel as a sidecar with protocol = postgresql, with the appropriate client cert settings. This effectively hands off SSL to stunnel as a sidecar, but at the cost of complexity and possibly performance.

Additional context
No response
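As an added illustration of the mapping proposed above (example code written for this page, not homebox's own implementation, and not a commitment to these variable names), the following Go snippet reads the suggested HBOX_DATABASE_SSL_* variables and assembles a libpq key/value connection string. It also shows the two consistency checks a practitioner would want: the cert and key must be supplied together, and a client certificate is refused when sslmode=disable, since libpq would never send it. libpq itself upgrades sslmode=require to verify-ca behaviour when sslrootcert is present; this example is stricter and insists on an explicit verify-ca or verify-full, which is a policy choice of the example, not a libpq requirement. Host, port, user and database values are constructed placeholders.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// SSLConfig holds the TLS-related settings read from the environment.
// The HBOX_DATABASE_SSL_* names follow the discussion's proposal; they are
// an assumption of this example, not names homebox has adopted.
type SSLConfig struct {
	Mode     string // sslmode
	Cert     string // sslcert
	Key      string // sslkey
	RootCert string // sslrootcert
}

// quoteLibpq quotes a value for a libpq "key=value" connection string.
// libpq accepts single-quoted values; a single quote or backslash inside
// the value is escaped with a backslash. Empty values must be written as ''.
func quoteLibpq(v string) string {
	if v != "" && !strings.ContainsAny(v, " '\\") {
		return v
	}
	r := strings.NewReplacer(`\`, `\\`, `'`, `\'`)
	return "'" + r.Replace(v) + "'"
}

// BuildDSN assembles a libpq connection string from the base parameters and
// the SSL settings. It rejects combinations that would silently weaken the
// connection instead of letting libpq ignore them at runtime.
func BuildDSN(host string, port int, user, dbname string, ssl SSLConfig) (string, error) {
	params := map[string]string{
		"host":   host,
		"port":   fmt.Sprint(port),
		"user":   user,
		"dbname": dbname,
	}
	if ssl.Mode != "" {
		params["sslmode"] = ssl.Mode
	}
	// A certificate without its private key (or vice versa) is a misconfiguration.
	if (ssl.Cert == "") != (ssl.Key == "") {
		return "", fmt.Errorf("HBOX_DATABASE_SSL_CERT and HBOX_DATABASE_SSL_KEY must be set together")
	}
	if ssl.Cert != "" {
		// With sslmode=disable libpq never starts TLS, so the client
		// certificate would never be presented and auth would fall back
		// to whatever password method the server allows.
		if ssl.Mode == "disable" {
			return "", fmt.Errorf("client certificate configured but sslmode=disable")
		}
		params["sslcert"] = ssl.Cert
		params["sslkey"] = ssl.Key
	}
	if ssl.RootCert != "" {
		// Stricter than libpq (which also honours sslrootcert under
		// sslmode=require): require the verifying modes explicitly.
		switch ssl.Mode {
		case "verify-ca", "verify-full":
		default:
			return "", fmt.Errorf("sslrootcert requires sslmode=verify-ca or verify-full, got %q", ssl.Mode)
		}
		params["sslrootcert"] = ssl.RootCert
	}
	// Emit keys in sorted order so the result is deterministic.
	keys := make([]string, 0, len(params))
	for k := range params {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	parts := make([]string, 0, len(keys))
	for _, k := range keys {
		parts = append(parts, k+"="+quoteLibpq(params[k]))
	}
	return strings.Join(parts, " "), nil
}

// SSLFromEnv reads the proposed variables via the supplied lookup function
// (os.Getenv in practice; a map lookup in tests).
func SSLFromEnv(getenv func(string) string) SSLConfig {
	return SSLConfig{
		Mode:     getenv("HBOX_DATABASE_SSL_MODE"),
		Cert:     getenv("HBOX_DATABASE_SSL_CERT"),
		Key:      getenv("HBOX_DATABASE_SSL_KEY"),
		RootCert: getenv("HBOX_DATABASE_SSL_ROOT_CERT"),
	}
}

func main() {
	// Constructed placeholder connection details; only the SSL part comes from the environment.
	ssl := SSLFromEnv(os.Getenv)
	dsn, err := BuildDSN("db.example.internal", 5432, "homebox", "homebox", ssl)
	if err != nil {
		fmt.Println("config error:", err)
		os.Exit(1)
	}
	fmt.Println(dsn)
}
```

In a Kubernetes deployment the cert, key and CA paths would point at the files a cert-manager Certificate is mounted to; with sslmode=verify-full the client also checks that the server certificate's name matches the configured host, which is the mode worth defaulting to once a root CA is supplied.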