Add support for client certificate access
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
PostgreSQL Charm |
New
|
Undecided
|
Unassigned |
Bug Description
PostgreSQL supports client certificates as an access control method, available in pg_auth as a `clientcert=1` option. This will refuse connections that do not present a client certificate signed by a recognised CA, which is configured via a CA cert file pointed to in the `ssl_ca_file` option.
There are three use cases:
1. The user has an existing CA which they use to sign client certs, and need to upload the cert file to a location that will be automatically configured in postgres.conf.
2. The user wants the charm to generate its own CA internally, and sign/revoke client certs via juju actions.
3. The user wants the charm to generate its own CA internally, and generate signed client carts retrievable with their keys via juju actions, as well as revoking said certs via a juju action.
For most installations, it will make sense for there to be a CA specific to the postgres application. Since postgres trusts any cert signed by that CA, it is likely to be common for this set of certs to be contained by the administrators of the model. That said, there are still use cases where an external group is in charge of access control to the service, and will need to be able to provide a specific CA cert to authenticate against.