Support inline SSL certificates #818
accrue := func(k, v string) { | ||
if v != "" { | ||
kvs = append(kvs, k+"="+escaper.Replace(v)) | ||
kvs = append(kvs, k+"='"+escaper.Replace(v)+"'") |
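Review bot: the single-quoted form on the last line only round-trips if `escaper` rewrites both backslash and single quote (`\` to `\\`, `'` to `\'`), since those are the two characters that must be escaped inside a quoted libpq conninfo value; the hunk does not show escaper's definition, so please confirm it covers both. A test that pushes a PEM-shaped value (newlines, `=` padding and a stray `'`) through `accrue` would pin down the case the author's comment below cites as the motivation for the change.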
This change was made because PEM certificates include newlines, equal signs and various stuff that is tricky to escape - but by adding single quotes, we can work around the problem.
I'm not sure why the Travis build fails... looks like a flaky test, maybe? Could somebody please trigger a new build?
I have the exact same use case, which is what led me to this PR and the PR you submitted to Vault: hashicorp/vault#5963. I really hope this gets reviewed at some point.
@mjibson could you please look at this PR? Would be nice to have the possibility to use inline certificates. Hope for your help, thanks!
Can you or someone rebase this on master so the tests re-run? Open a new PR and mention me if needed.
Presently, pq only supports SSL connections by loading PEM certificates from files on disk. There are some situations (for example integration with HashiCorp Vault) where it's not so feasible to load certificates from a file system, but better to store them in-memory. This patch lets you set ?sslinline=true in the connection string, which changes the behavior of the parameters sslrootcert, sslcert and sslkey, so they contain the contents of the certificates directly, instead of file names pointing to the certificates on disk.
2 years already... time flies! I rebased it on top of master now. 🤞
What do you think about a change like this?
My specific use case is adding SSL support to Vault's integration with PostgreSQL - today it can only communicate over a plaintext socket. However, Vault doesn't store secrets/certificates directly on disk, but rather on an encrypted, distributed, pluggable backend system, which is the reason for this feature request: Vault can read the certificates from wherever they are stored, and pass them into pq via the connection string.
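An added example, not code from the PR or from lib/pq, of the quoting the description depends on: PEM contents go into sslrootcert/sslcert/sslkey as single-quoted values with only backslash and quote escaped, and a minimal parser (an assumption standing in for lib/pq's real conninfo parser) checks that the material survives the round trip; the PEM block is constructed, not a real certificate.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample PEM (not a real certificate): newlines and '=' padding included.
const sampleRootCert = "-----BEGIN CERTIFICATE-----\nMIIB/zCCAaag==\n-----END CERTIFICATE-----\n"

// quoteValue single-quotes a value; inside quotes libpq's conninfo grammar needs
// only backslash and single quote escaped, so newlines and '=' pass through.
func quoteValue(v string) string {
	return "'" + strings.NewReplacer(`\`, `\\`, `'`, `\'`).Replace(v) + "'"
}

// BuildInlineDSN carries PEM contents directly in sslrootcert/sslcert/sslkey,
// with sslinline=true as the PR description proposes.
func BuildInlineDSN(rootCert, cert, key string) string {
	return "sslmode=" + quoteValue("verify-full") + " sslinline=" + quoteValue("true") +
		" sslrootcert=" + quoteValue(rootCert) + " sslcert=" + quoteValue(cert) + " sslkey=" + quoteValue(key)
}

// ParseDSN is a minimal reader of the quoted form used to check the round trip; not lib/pq's parser.
func ParseDSN(dsn string) (map[string]string, error) {
	out := map[string]string{}
	for i := 0; i < len(dsn); i++ {
		if dsn[i] == ' ' {
			continue
		}
		eq := strings.IndexByte(dsn[i:], '=')
		if eq < 0 || i+eq+1 >= len(dsn) || dsn[i+eq+1] != '\'' {
			return nil, fmt.Errorf("expected key='value' at offset %d", i)
		}
		key, val := dsn[i:i+eq], &strings.Builder{}
		for i += eq + 2; i < len(dsn) && dsn[i] != '\''; i++ {
			if dsn[i] == '\\' && i+1 < len(dsn) {
				i++ // drop the escaping backslash before \\ or \'
			}
			val.WriteByte(dsn[i])
		}
		if i >= len(dsn) {
			return nil, fmt.Errorf("%s: unterminated quoted value", key)
		}
		out[key] = val.String()
	}
	return out, nil
}
```

Because the private key never touches disk, the DSN itself now carries the secret; treat it as one (keep it out of logs and error messages) the same way Vault treats the stored certificate.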