PostgreSQL

The PostgreSQL handler authenticates and brokers connections to a PostgreSQL database.

To secure connections, we support all the PostgreSQL SSL options you're familiar with. See the sslmode option below for details.

Unlike most clients, the default sslmode for Secretless is require, since nearly all use cases require TLS. If you do need to turn it off, however, and know you can do so safely, you can.

Configure the handler

Configure the Secretless Broker to specify where to find your database connection details in the yaml file's credentials section. This includes where to find your database's address, username, and password, as well as the sslmode details, such as the location of any relevant certificates and revocation lists, if applicable.

The options are as follows:

| Parameter | Description | Required |
|---|---|---|
| address | Connection string of the form host[:port][/dbname] | Required |
| username | Username of the PostgreSQL account to connect as | Required |
| password | Password of the PostgreSQL account to connect with | Required |
| sslmode | Determines if the connection between Secretless Broker and your database will be protected by SSL. Defaults to require. For details on the supported values of this parameter, see supported SSL modes. | Optional |
| sslcert | The content of this parameter specifies the client SSL certificate, replacing the default ~/.postgresql/postgresql.crt. This parameter is ignored if an SSL connection is not made. | Optional |
| sslrootcert | The content of this parameter specifies the SSL certificate authority (CA) certificate(s), replacing the default ~/.postgresql/root.crt. If present, the server's certificate will be verified to be signed by one of these authorities. | Optional |
| sslkey | The content of this parameter specifies the secret key used for the client certificate, replacing the default ~/.postgresql/postgresql.key. This parameter is ignored if an SSL connection is not made. | Optional |
| sslcrl (not yet supported) | The content of this parameter specifies the SSL certificate revocation list (CRL), replacing the default ~/.postgresql/root.crl. Certificates listed, if present, will be rejected while attempting to authenticate the server's certificate. | Optional |

The PostgreSQL documentation website provides details on the levels of protection provided by the different values of the sslmode parameter.

There are six modes:

| Parameter | Description |
|---|---|
| disable | Only try a non-SSL connection |
| allow (not yet supported) | First try a non-SSL connection; if that fails, try an SSL connection |
| prefer (not yet supported) | First try an SSL connection; if that fails, try a non-SSL connection |
| require (default) | Only try an SSL connection. If a root CA file is present, verify the certificate in the same way as if verify-ca was specified |
| verify-ca | Only try an SSL connection, and verify that the server certificate is issued by a trusted certificate authority (CA) |
| verify-full (not yet supported) | Only try an SSL connection, verify that the server certificate is issued by a trusted CA, and verify that the server host name matches that in the certificate |

The optional SSL configuration parameters sslcert, sslkey, sslrootcert, and sslcrl may be necessary if sslmode is set to require, verify-ca, or verify-full. The particular values needed depend on your use case; more information on these parameters can be found in the PostgreSQL documentation.

Examples
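The following is an added example, not taken from the Secretless documentation, showing a handler whose credentials section uses the parameters described above with sslmode set to verify-ca so that the server's certificate is checked against a trusted CA rather than only encrypted. The listeners/handlers layout and the `env`, `file` and `literal` provider names are assumed from the Secretless v1 configuration format; the host, path and environment variable names are placeholders.

```yaml
# Added example (not from the Secretless documentation). Assumed: the
# listeners/handlers layout and the env, file and literal providers of the
# Secretless v1 configuration format. Host, path and variable names are
# placeholders.
listeners:
  - name: pg_listener
    protocol: pg
    address: 127.0.0.1:5432      # local port that applications connect to

handlers:
  - name: pg_handler
    listener: pg_listener
    credentials:
      # Target database, in the host[:port][/dbname] form the address
      # parameter expects.
      - name: address
        provider: literal
        id: db.example.internal:5432/appdb
      # Account details are pulled from the environment, never from the
      # application's own configuration.
      - name: username
        provider: env
        id: PG_USERNAME
      - name: password
        provider: env
        id: PG_PASSWORD
      # verify-ca: TLS is mandatory AND the server certificate must be
      # issued by a CA in sslrootcert. With the default (require) and no
      # sslrootcert, the connection is encrypted but the server is not
      # authenticated. verify-full is listed as not yet supported on this
      # page, so verify-ca is the strongest mode available here.
      - name: sslmode
        provider: literal
        id: verify-ca
      # sslrootcert takes the PEM content, not a path; the file provider
      # reads the file and supplies its contents.
      - name: sslrootcert
        provider: file
        id: /etc/secretless/pg-root-ca.crt
```

If the server presents a certificate not issued by a CA in the supplied sslrootcert, the handler refuses the connection rather than falling back to an unverified one, which is the behaviour verify-ca is meant to guarantee.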
