feat(tls): present client certificate to upstream servers for mTLS#1173
Open
andy-paine wants to merge 1 commit into
Open
feat(tls): present client certificate to upstream servers for mTLS#1173andy-paine wants to merge 1 commit into
andy-paine wants to merge 1 commit into
Conversation
PgDog could validate an upstream Postgres server's certificate (`tls_verify` + `tls_server_ca_certificate`) but had no way to present its own client certificate on that connection, so it could not satisfy servers that require mutual TLS (e.g. Cloud SQL with "require trusted client certificate", or any Postgres using `clientcert=verify-full`). Add two settings, mirroring the existing `tls_server_ca_certificate` naming for the upstream leg: - tls_server_certificate: client cert PgDog presents to the server - tls_server_private_key: its private key The certificate is loaded as a full chain (leaf + intermediates) and attached to the client config across every `tls_verify` mode. Setting only one of the two is rejected at load time so misconfigurations surface on reload rather than at connection time. Closes pgdogdev#890 Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
PgDog can validate an upstream Postgres server's certificate (
tls_verify+tls_server_ca_certificate) but has no way to present its own client certificate on that connection. This means it can't connect to servers that require mutual TLS — e.g. Cloud SQL with "require trusted client certificate", or any Postgres configured withclientcert=verify-full.This adds the missing upstream leg. Two new settings, named to mirror the existing
tls_server_ca_certificate:tls_server_certificate— the client certificate PgDog presents to the servertls_server_private_key— its private key(also available as
PGDOG_TLS_SERVER_CERTIFICATE/PGDOG_TLS_SERVER_PRIVATE_KEY.)Closes #890
Implementation
build_acceptorloads PgDog's own server certificate (CertificateDer::from_pem_file/PrivateKeyDer::from_pem_file), then attached via rustlswith_client_auth_certacross everytls_verifymode (disabled/prefer/verify_ca/verify_full).Tests
connector_requires_both_client_cert_and_key— both-or-neither validation.client_cert_is_part_of_connector_cache_key— adding a client cert rebuilds the connector; identical inputs reuse the cache.test_upstream_client_cert_config_parses(pgdog-config) — the new keys parse and are optional.Note on the schema diff
Regenerating
.schema/pgdog.schema.jsonviapgdog-jsonschema(required by thejsonschemaCI check) also corrected a small pre-existing drift onmain: the top-level array key wasquery_parserin the committed schema but the source field isquery_parsers. That correction is unrelated to this change but is needed for the schema check to pass.