Support inline SSL certificates #818
Conversation
| accrue := func(k, v string) { | ||
| if v != "" { | ||
| kvs = append(kvs, k+"="+escaper.Replace(v)) | ||
| kvs = append(kvs, k+"='"+escaper.Replace(v)+"'") |
There was a problem hiding this comment.
This change was made because PEM certificates include newlines, equal signs and various stuff that is tricky to escape - but by adding single quotes, we can work around the problem.
|
I'm not sure why the Travis build fails... looks like a flaky test, maybe? Could somebody please trigger a new build? |
|
I have the exact same use case, which is what led me to this PR and the PR you submitted to Vault: hashicorp/vault#5963. I really hope this gets reviewed at some point. |
|
@mjibson could you please look at this PR? Would be nice to have the possibility to use inline certificates. Hope for your help, thanks! |
|
Can you or someone rebase this on master so the tests re-run? Open a new PR and mention me if needed. |
Presently, pq only supports SSL connections by loading PEM certificates from files on disk. There are some situations (for example integration with HashiCorp Vault) where it's not so feasible to load certificates from a file system, but better to store them in-memory. This patch lets you set ?sslinline=true in the connection string, which changes the behavior of the paramters sslrootcert, sslcert and sslkey, so they contain the contents of the certificates directly, instead of file names pointing to the certificates on disk.
eirslett
force-pushed
the
feature/ssl-inline
branch
from
aeef29c
to
b7c85ee
Compare
|
2 years already... time flies! I rebased it on top of master now. 🤞 |
What do you think about a change like this?
My specific use case is adding SSL support to Vault's integration with PostgreSQL - today it can only communicate over a plaintext socket. However, Vault doesn't store secrets/certificates directly on disk, but rather on an encrypted, distributed, pluggable backend system, which is the reason for this feature request: Vault can read the certificates from wherever they are stored, and pass them into pq via the connection string.