TLS

TLS Configuration

Should you desire to alter the default TLS settings for the Postgres Operator, you can set the following variables as described below.

Server Settings

To disable TLS and make an unsecured connection on port 8080 instead of connecting securely over the default port, 8443, set:

Bash environment variables

export DISABLE_TLS=true
export PGO_APISERVER_PORT=8080

Or inventory variables if using Ansible

pgo_disable_tls='true'
pgo_apiserver_port=8080

To disable TLS verification, set the following as a Bash environment variable

export TLS_NO_VERIFY=false

Or the following in the inventory file if using Ansible

pgo_tls_no_verify='false'

TLS Trust

Custom Trust Additions

To configure the server to allow connections from any client presenting a certificate issued by CAs within a custom, PEM-encoded certificate list, set the following as a Bash environment variable

export TLS_CA_TRUST="/path/to/trust/file"

Or the following in the inventory file if using Ansible

pgo_tls_ca_store='/path/to/trust/file'
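Before pointing TLS_CA_TRUST or pgo_tls_ca_store at a file, it is worth confirming that the file really is a PEM certificate list and nothing else. The following shell function is an added example, not code from the Postgres Operator project: it counts the CERTIFICATE blocks, checks that every BEGIN marker has a matching END marker, and refuses a file that also carries private key material, which has no place in a trust store. The function name and the sample file it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the Postgres Operator docs or code.
# count_trust_certs FILE
#   Prints the number of certificate blocks in FILE and returns 0 when the
#   file looks like a valid PEM trust list; returns 1 (with a message on
#   stderr) when it is unreadable, malformed, or contains a private key.
count_trust_certs() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }

    # A trust list must never carry key material; refuse the whole file.
    if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$file"; then
        echo "private key material found in $file; refusing" >&2
        return 1
    fi

    # grep -c exits 1 when the count is 0, so guard it for set -e callers.
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----$' "$file" || true)

    if [ "$begins" -eq 0 ] || [ "$begins" -ne "$ends" ]; then
        echo "malformed certificate list in $file (begin=$begins end=$ends)" >&2
        return 1
    fi
    echo "$begins"
}

# Stand-alone demo with a constructed file (placeholder body, not a real cert).
demo=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB...constructed...' '-----END CERTIFICATE-----' > "$demo"
echo "certificates in trust list: $(count_trust_certs "$demo")"
rm -f "$demo"
```

Run it against the file you intend to use, and only set TLS_CA_TRUST once it reports a non-zero count and exits 0.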

System Default Trust

To configure the server to allow connections from any client presenting a certificate issued by CAs within the operating system’s default trust store, set the following as a Bash environment variable

export ADD_OS_TRUSTSTORE=true

Or the following in the inventory file if using Ansible

pgo_add_os_ca_store='true'

Connection Settings

If TLS authentication has been disabled, or if the Operator’s apiserver port is changed, be sure to update the PGO_APISERVER_URL accordingly.

For example with an Ansible installation,

export PGO_APISERVER_URL='https://<apiserver IP>:8443'

would become

export PGO_APISERVER_URL='http://<apiserver IP>:8080'

With a Bash installation,

setip()
{
    export PGO_APISERVER_URL=https://$($PGO_CMD -n "$PGO_OPERATOR_NAMESPACE" get service postgres-operator -o=jsonpath="{.spec.clusterIP}"):8443
}

would become

setip()
{
    export PGO_APISERVER_URL=http://$($PGO_CMD -n "$PGO_OPERATOR_NAMESPACE" get service postgres-operator -o=jsonpath="{.spec.clusterIP}"):8080
}

Client Settings

By default, the pgo client will trust certificates issued by one of the Certificate Authorities listed in the operating system’s default CA trust store, if any. To exclude them, either use the environment variable

EXCLUDE_OS_TRUST=true

or use the --exclude-os-trust flag

pgo version --exclude-os-trust

Finally, if TLS has been disabled for the Operator’s apiserver, the PGO client connection must be set to match the given settings.

Two options are available, either the Bash environment variable

DISABLE_TLS=true

must be configured, or the --disable-tls flag must be included when using the client, i.e.

pgo version --disable-tls
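The Connection Settings and Client Settings sections above both depend on one thing: the scheme and port in PGO_APISERVER_URL and the flags passed to pgo must agree with the DISABLE_TLS and PGO_APISERVER_PORT values the server was started with. A stale https:// URL after disabling TLS fails loudly; the reverse mistake, an http:// URL or --disable-tls while the server still expects TLS, is the one to watch for. The shell functions below are an added example, not code from the Postgres Operator project: they derive the URL and the client flags from the documented variables and check an existing URL against the TLS setting. The function names and the sample host are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the Postgres Operator docs or code.

# pgo_apiserver_url HOST [DISABLE_TLS] [PORT]
#   Prints the PGO_APISERVER_URL the client should use. The scheme follows
#   DISABLE_TLS; when no port is given, it defaults to 8443 for TLS and
#   8080 for plaintext, matching the defaults in the documentation.
pgo_apiserver_url() {
    host=$1
    disable_tls=${2:-${DISABLE_TLS:-false}}
    port=${3:-${PGO_APISERVER_PORT:-}}
    if [ "$disable_tls" = "true" ]; then
        scheme=http
        port=${port:-8080}
    else
        scheme=https
        port=${port:-8443}
    fi
    printf '%s://%s:%s\n' "$scheme" "$host" "$port"
}

# pgo_client_flags [DISABLE_TLS] [EXCLUDE_OS_TRUST]
#   Prints the pgo flags equivalent to the two environment variables, so a
#   caller can use either form consistently.
pgo_client_flags() {
    disable_tls=${1:-${DISABLE_TLS:-false}}
    exclude_os=${2:-${EXCLUDE_OS_TRUST:-false}}
    flags=""
    [ "$disable_tls" = "true" ] && flags="$flags --disable-tls"
    [ "$exclude_os" = "true" ] && flags="$flags --exclude-os-trust"
    printf '%s\n' "${flags# }"
}

# check_url_matches_tls URL DISABLE_TLS
#   Returns 0 when the URL scheme agrees with the TLS setting, 1 otherwise.
check_url_matches_tls() {
    url=$1
    disable_tls=$2
    case "$url" in
        https://*) [ "$disable_tls" != "true" ] ;;
        http://*)  [ "$disable_tls" = "true" ] ;;
        *)         return 1 ;;
    esac
}

# Stand-alone demo with a constructed host: server started with
# DISABLE_TLS=true and PGO_APISERVER_PORT=8080.
url=$(pgo_apiserver_url 10.0.0.5 true 8080)
if check_url_matches_tls "$url" true; then
    echo "export PGO_APISERVER_URL=$url"
    echo "pgo $(pgo_client_flags true false) version"
fi
```

Source the file and call check_url_matches_tls "$PGO_APISERVER_URL" "$DISABLE_TLS" before running the client; a non-zero exit means the URL and the server's TLS setting have drifted apart.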