TLS
TLS Configuration
Should you desire to alter the default TLS settings for the Postgres Operator, you can set the following variables as described below.
Server Settings
To disable TLS and make an unsecured connection on port 8080 instead of connecting securely over the default port, 8443, set:
Bash environment variables
DISABLE_TLS=true
PGO_APISERVER_PORT=8080
Or inventory variables if using Ansible
pgo_disable_tls='true'
pgo_apiserver_port=8080
To disable TLS verification, set the following as a Bash environment variable
export TLS_NO_VERIFY=false
Or the following in the inventory file if using Ansible
pgo_tls_no_verify='false'
Connection Settings
If TLS authentication has been disabled, or if the Operator’s apiserver port is changed, be sure to update the PGO_APISERVER_URL accordingly.
For example with an Ansible installation,
export PGO_APISERVER_URL='https://<apiserver IP>:8443'
would become
export PGO_APISERVER_URL='http://<apiserver IP>:8080'
With a Bash installation,
setip()
{
export PGO_APISERVER_URL=https://`$PGO_CMD -n "$PGO_OPERATOR_NAMESPACE" get service postgres-operator -o=jsonpath="{.spec.clusterIP}"`:8443
}
would become
setip()
{
export PGO_APISERVER_URL=http://`$PGO_CMD -n "$PGO_OPERATOR_NAMESPACE" get service postgres-operator -o=jsonpath="{.spec.clusterIP}"`:8080
}
Client Settings
Finally, if TLS has been disabled for the Operator’s apiserver, the PGO client connection must be set to match the given settings.
Two options are available, either the Bash environment variable
DISABLE_TLS=true
must be configured, or the --disable-tls flag must be included when using the client, i.e.
pgo version --disable-tls
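The server, connection and client settings above have to agree with each other. The following is an added example, not part of the Operator's documentation or code: two shell functions with hypothetical names (pgo_expected_url, pgo_check_url) that derive the URL implied by DISABLE_TLS and PGO_APISERVER_PORT and report a PGO_APISERVER_URL whose scheme or port no longer matches. It assumes the URL has no trailing path, as in the examples above.

```shell
# Added example (not Operator code). Source this file, then call the functions.
# Function names are hypothetical; variable names and defaults come from the page.

# Print the apiserver URL implied by DISABLE_TLS and PGO_APISERVER_PORT.
# $1 = apiserver IP or host name.
pgo_expected_url() {
    local host="$1"
    local scheme="https"
    local port="${PGO_APISERVER_PORT:-8443}"   # 8443 is the default TLS port
    if [ "${DISABLE_TLS:-false}" = "true" ]; then
        scheme="http"
    fi
    printf '%s://%s:%s\n' "$scheme" "$host" "$port"
}

# Return 0 when PGO_APISERVER_URL agrees with DISABLE_TLS and
# PGO_APISERVER_PORT; otherwise explain each mismatch on stderr and return 1.
pgo_check_url() {
    local url="${PGO_APISERVER_URL:-}"
    local port="${PGO_APISERVER_PORT:-8443}"
    local want="https"
    local rc=0
    if [ "${DISABLE_TLS:-false}" = "true" ]; then
        want="http"
    fi
    # Scheme check: catches a client still using https:// after TLS was
    # disabled, and a plaintext http:// URL while TLS is still expected.
    case "$url" in
        "$want"://*) ;;
        *) echo "scheme mismatch: expected $want:// but PGO_APISERVER_URL is '$url'" >&2
           rc=1 ;;
    esac
    # Port check: the URL must end in the configured apiserver port.
    case "$url" in
        *:"$port") ;;
        *) echo "port mismatch: expected :$port but PGO_APISERVER_URL is '$url'" >&2
           rc=1 ;;
    esac
    return "$rc"
}
```

Running pgo_check_url before the first pgo command surfaces an unintended plaintext http:// URL, or a stale https:// one, as an explicit message rather than a connection error.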