PostgreSQL

The PostgreSQL service authenticator processes connection requests to a PostgreSQL database.

To secure connections, we support all the PostgreSQL SSL options you're familiar with. See the sslmode option below for details.

 

Unlike most clients, the default sslmode for Secretless is require, since nearly all use cases require TLS. If you do need to turn it off, however, and know you can do so safely, you can.

Configure the service authenticator

Configure the Secretless Broker to specify where to find your database connection details in the yaml file's credentials section. This includes where to find your database's address, username, and password, as well as the sslmode details, such as the location of any relevant certificates and revocation lists, if applicable.

The options are as follows:

| Parameter | Description | Required |
|---|---|---|
| address | Connection string of the form host:port[/dbname] | Required |
| username | Username of the PostgreSQL account to connect as | Required |
| password | Password of the PostgreSQL account to connect with | Required |
| sslmode | Determines if the connection between Secretless Broker and your database will be protected by SSL. Defaults to require. For details on the supported values of this parameter, see supported SSL modes. | Optional |
| sslcert | The content of this parameter specifies the client SSL certificate, replacing the default ~/.postgresql/postgresql.crt. This parameter is ignored if an SSL connection is not made. | Optional |
| sslrootcert | The content of this parameter specifies the SSL certificate authority (CA) certificate(s), replacing the default ~/.postgresql/root.crt. If present, the server's certificate will be verified to be signed by one of these authorities. | Optional |
| sslkey | The content of this parameter specifies the secret key used for the client certificate, replacing the default ~/.postgresql/postgresql.key. This parameter is ignored if an SSL connection is not made. | Optional |

 

Secretless expects the address in the PostgreSQL service authenticator configuration to include the port (that is, the required format is host:port). A missing or invalid port will cause the Secretless Broker to error; see the troubleshooting section for more information.

The PostgreSQL documentation website provides detail on the levels of protection provided by different values for the sslmode parameter.

There are six modes:

| sslmode value | Description |
|---|---|
| disable | Only try a non-SSL connection |
| require (default) | Only try an SSL connection. If a root CA file is present, verify the certificate in the same way as if verify-ca was specified |
| verify-ca | Only try an SSL connection, and verify that the server certificate is issued by a trusted certificate authority (CA). |

 

 

The optional SSL configuration parameters sslcert, sslkey, sslrootcert, and sslcrl may be necessary if sslmode is set to require, verify-ca, or verify-full. The particular values needed depend on your use case; more information on these parameters can be found in the PostgreSQL documentation.
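The rules above (port required in address, sslmode defaulting to require, server verification depending on sslrootcert) can be checked before a configuration is deployed. The following is an added example, not code from Secretless Broker: CheckPGCredentials is a hypothetical helper, and it assumes the credentials section has already been flattened into a map of parameter names to values.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// CheckPGCredentials (hypothetical helper) lints the documented parameters and returns findings.
func CheckPGCredentials(c map[string]string) []string {
	var out []string
	for _, k := range []string{"address", "username", "password"} {
		if c[k] == "" {
			out = append(out, "missing required parameter: "+k)
		}
	}
	if addr := c["address"]; addr != "" {
		hostport := strings.SplitN(addr, "/", 2)[0] // drop the optional /dbname
		_, port, err := net.SplitHostPort(hostport)
		if n, convErr := strconv.Atoi(port); err != nil || convErr != nil || n < 1 || n > 65535 {
			out = append(out, "address must be host:port[/dbname] with a valid port")
		}
	}
	mode := c["sslmode"]
	if mode == "" {
		mode = "require" // documented default
	}
	switch {
	case mode == "disable":
		out = append(out, "sslmode=disable: traffic to the database is not encrypted")
	case c["sslrootcert"] == "" && mode == "require":
		out = append(out, "sslmode=require without sslrootcert: no CA given, server certificate may go unverified")
	case c["sslrootcert"] == "" && (mode == "verify-ca" || mode == "verify-full"):
		out = append(out, "sslmode="+mode+" without sslrootcert: no CA to verify against")
	}
	if (c["sslcert"] == "") != (c["sslkey"] == "") {
		out = append(out, "sslcert and sslkey must be set together")
	}
	return out
}

func main() {
	// Constructed sample: port missing from address, TLS turned off.
	bad := map[string]string{"address": "db.internal/app", "username": "svc", "password": "x", "sslmode": "disable"}
	for _, f := range CheckPGCredentials(bad) {
		fmt.Println("finding:", f)
	}
}
```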

Examples

See also

Troubleshoot Service Authenticators
