PostgreSQL

The PostgreSQL service connector processes connection requests to a PostgreSQL database.

To secure connections, we support all of the PostgreSQL SSL options that you are familiar with. For details, see sslmode.

Unlike other clients, the default sslmode for Secretless is require, since most use cases require TLS. If your environment does not use TLS, turn it off only if you can do so safely.

Configure the service connector

In the credentials section of the Secretless Broker configuration YAML file, specify where to find your database connection details. This includes where to find your database's host, port, username, and password, as well as the sslmode details, such as the location of any relevant certificates and revocation lists, if applicable.

The options are as follows:

| Parameter | Description | Required |
|---|---|---|
| host | Host name of the PostgreSQL server. | Required |
| port | Port of the PostgreSQL server. | Optional (default: 5432) |
| username | Username of the PostgreSQL account. | Required |
| password | Password of the PostgreSQL account. | Required |
| sslmode | Determines whether the connection between the Secretless Broker and your database is protected by SSL. Defaults to require. For the supported values of this parameter, see SSL Modes. | Optional |
| sslcert | The content of this parameter specifies the client SSL certificate, replacing the default ~/.postgresql/postgresql.crt. This parameter is ignored if an SSL connection is not made. | Optional |
| sslrootcert | The content of this parameter specifies the SSL certificate authority (CA) certificate(s), replacing the default ~/.postgresql/root.crt. If present, the server's certificate is verified to be signed by one of these authorities. | Optional |
| sslkey | The content of this parameter specifies the secret key used for the client certificate, replacing the default ~/.postgresql/postgresql.key. This parameter is ignored if an SSL connection is not made. | Optional |

The PostgreSQL documentation website provides detail on the levels of protection provided by different values for the sslmode parameter.

Secretless supports the following SSL modes:

| sslmode value | Description |
|---|---|
| disable | Try only a non-SSL connection. |
| require (default) | Try only an SSL connection. If a root CA file is present, verify the certificate in the same way as if verify-ca were specified. |
| verify-ca | Try only an SSL connection, and verify that the server certificate is issued by a trusted certificate authority (CA). |
| verify-full | Try only an SSL connection, and verify the server certificate against the configured CA certificates (provided in the Secretless configuration via sslrootcert). In addition, verify-full helps prevent man-in-the-middle attacks by performing host name identity verification: Secretless checks the host name the client uses for connecting to the server against the identity in the certificate the server sends. The connection fails if the host name does not match the certificate Common Name. |

Secretless uses the value of the host parameter in the Secretless configuration to perform the host name identity verification. If desired, you can override this value for the purpose of the certificate check by providing a value for the sslhost configuration parameter.

Secretless does not currently support the allow, prefer, or verify-full SSL modes, and does not yet support providing an SSL certificate revocation list (e.g. ssl-crl). See GitHub Issues for information on future support for these modes.

When sslmode is set to require or verify-ca, the optional SSL configuration parameters sslcert, sslkey, and sslrootcert may be necessary. The particular values needed depend on your use case; more information on these parameters can be found in the PostgreSQL documentation.

Examples
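The following configuration is an added example, not taken from the Secretless Broker project's own documentation. It shows the credentials section described under "Configure the service connector" together with the SSL mode choices described above: one service that uses the default require mode without a root CA (TLS encrypts the connection, but the server's identity is not verified), and one that uses verify-ca with sslrootcert so that Secretless rejects a server whose certificate does not chain to your CA. The parameter names host, port, username, password, sslmode, sslrootcert, sslcert, sslkey, and sslhost are the ones on this page; the surrounding service keys (version, services, connector, listenOn, credentials, from, get) follow the Secretless v2 configuration format as I understand it and should be checked against the Secretless configuration reference. Host names, environment variable names, Conjur variable ids, and file paths are placeholders.

```yaml
# Added example (not the project's own configuration). Service keys are
# assumed to follow the Secretless v2 format; all names and paths are placeholders.
version: "2"
services:

  # Default setting: sslmode require. TLS is negotiated, but with no
  # sslrootcert the server certificate is not verified, so any server that
  # presents a certificate is accepted. Use only where the network path
  # itself is trusted.
  pg-dev:
    connector: pg
    listenOn: tcp://127.0.0.1:5432
    credentials:
      host: dev-db.internal.example        # placeholder host name
      port: 5432
      username:
        from: env
        get: PG_DEV_USERNAME               # placeholder environment variable
      password:
        from: env
        get: PG_DEV_PASSWORD               # placeholder environment variable
      sslmode: require

  # Hardened setting: verify-ca. Secretless checks that the server certificate
  # is issued by one of the CAs in sslrootcert. The file provider supplies the
  # certificate content, which is what the sslrootcert parameter expects.
  pg-prod:
    connector: pg
    listenOn: tcp://127.0.0.1:5433
    credentials:
      host: prod-db.internal.example       # placeholder host name
      port: 5432
      username:
        from: conjur
        get: prod/pg/username              # placeholder Conjur variable id
      password:
        from: conjur
        get: prod/pg/password              # placeholder Conjur variable id
      sslmode: verify-ca
      sslrootcert:
        from: file
        get: /etc/secretless/pg-root.crt   # placeholder path to the CA bundle

      # If the server requires client certificate authentication, supply the
      # client certificate and key the same way (content, not a path):
      # sslcert:
      #   from: file
      #   get: /etc/secretless/pg-client.crt
      # sslkey:
      #   from: file
      #   get: /etc/secretless/pg-client.key

      # To also bind the certificate to a host name, switch to verify-full.
      # sslhost overrides the name used for that check when it differs from
      # host (see the note above on verify-full support in your version).
      # sslmode: verify-full
      # sslhost: prod-db.internal.example
```

Applications connect to 127.0.0.1:5432 or 127.0.0.1:5433 without holding a database password; Secretless fetches the credentials from the configured provider and opens the TLS connection to the real server. The practical difference between the two services is what happens if a client is pointed at the wrong server: pg-dev still completes the handshake, while pg-prod fails because the presented certificate does not chain to the CA in pg-root.crt.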

See also

Troubleshoot Secretless Service Connectors