Understanding database connection behaviour to external database

[ggeldenhuis]

I want to configure TLS for our postgres database that k3s connects to. Postgres supports reloading config which would load the new certificates and the assumption is that postgres would then serve the new certificate on every new connection after the reload but won't be touching existing connections.

So the question is how does k3s connect to postgres, does it open up a connection and reuse it, does it open up a new connection for every database write/read or something in between. I am trying to understand the possible failure modes during a certificate renewal, which would be every 3 months.

[brandond]

how does k3s connect to postgres, does it open up a connection and reuse it, does it open up a new connection for every database write/read or something in between

We use the default golang sql client libraries, which use a small connection pool by default. If additional connections are necessary to accommodate client requests, new connections will be opened. I'm not sure what certificate rotation would have to do with existing connections though; certificate validation only occurs at the start of the TLS connection, the certificate is not renegotiated after the connection is up.

[ggeldenhuis]

Well, my thinking were:

1. Client(k3s) establishes connection and negotiates TLS
2. Certficate gets renewed and Postgres reloaded
3. Client connection is still active but in the mean time the certificate has expired.

Perhaps I am overthinking it... since you would typically renew the certificate a week or so before it expires and I suspect it would be unlikely that the connection from k3s to postgres would be that long living.

[brandond]

Like I said, certificates are only checked when the TLS connection is being established. If you have an existing connection over a secure channel, there is nothing that goes back and periodically checks to see if the certificate that was presented by the server minutes/hour/days ago when the connection was initiated, is still valid. You only need to worry about new connections.

[ggeldenhuis]

Ok, thanks for clearing that up. That makes the whole certificate renewal process a non-issue then.