add support for ssl_ca_cert
pgpool.docker/entrypoint.sh
| echo -e "\n" >> ${PGPOOL_INSTALL_DIR}/etc/pgpool.conf | ||
| echo "ssl_key = '${PGPOOL_INSTALL_DIR}/tls/tls.key'" >> ${PGPOOL_INSTALL_DIR}/etc/pgpool.conf | ||
| echo "ssl_cert = '${PGPOOL_INSTALL_DIR}/tls/tls.crt'" >> ${PGPOOL_INSTALL_DIR}/etc/pgpool.conf | ||
| echo "ssl_ca_cert = '${PGPOOL_INSTALL_DIR}/tls/root.crt'" >> ${PGPOOL_INSTALL_DIR}/etc/pgpool.conf |
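Review bot: the ssl_ca_cert line is appended unconditionally, so when tls/root.crt is not present pgpool.conf ends up naming a CA file that does not exist. Wrap that echo in a file test such as [[ -f "${PGPOOL_INSTALL_DIR}/tls/root.crt" ]] so the parameter is written only when a CA certificate is actually supplied. The redirect target ${PGPOOL_INSTALL_DIR}/etc/pgpool.conf is also unquoted on all four lines; quoting it avoids word splitting if the install path ever contains whitespace.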
@MatteoGioioso Sorry for the late response.
If root.crt doesn't exist, you should skip this step.
```
if [[ -f "${PGPOOL_INSTALL_DIR}/tls/root.crt" ]]; then
    echo "ssl_ca_cert = '${PGPOOL_INSTALL_DIR}/tls/root.crt'" >> ${PGPOOL_INSTALL_DIR}/etc/pgpool.conf
fi
```
If the user doesn't provide their own certs, this Docker image will generate a self-signed certificate.
Could you add the commands to generate the root CA in pgpool2_on_k8s/pgpool.docker/entrypoint.sh (line 153 in 125d4c6)?
@pengbo0328 hey, so sorry for the long wait.
> If root.crt doesn't exist, you should skip this step.

Yes, I will do

> Could you add the commands to generate the root CA in

Correct me if I am wrong, but the CA is needed only in case PostgreSQL has certificates as well and we want to verify-ca or verify-full from pgpool. If the user does not provide its own certs then we should just generate the self-signed pairs without the CA;
@MatteoGioioso Sorry for the late response.
> Correct me if I am wrong, but the CA is needed only in case PostgreSQL has certificates as well and we want to verify-ca or verify-full from pgpool. If the user does not provide its own certs then we should just generate the self-signed pairs without the CA;

Yes. You are correct.
Let's generate the self-signed pairs without the CA if users don't provide their own certs.
if user does not provide root.crt we will not write the parameter in pgpool.conf
add support for ssl_ca_cert
#17