Configure Patroni REST APIs for SSL encryption
# Transcript: hardening the Patroni REST API (restapi:) and patronictl (ctl:) with
# TLS, client-certificate verification and a source-network allowlist, then
# exercising the API with curl. Hostnames, paths and the port are site-specific.
#-- Some security related parameters -- set on all postgresql servers | |
[postgres@posvt01 ~]$ vi /etc/patroni.yml | |
... | |
restapi: | |
# The API binds to and advertises a non-default port (3308); connect_address is
# what the other cluster members use to reach this node.
listen: posvt01.localdomain:3308 | |
connect_address: posvt01.localdomain:3308 | |
# Server certificate/key for HTTPS; cafile is the CA that client certificates
# are checked against. keyfile should be readable only by the account that
# runs Patroni (here: postgres).
certfile: /etc/ssl/postgres/server.crt | |
keyfile: /etc/ssl/postgres/server.key | |
cafile: /etc/ssl/postgres/root.crt | |
# Basic-auth credentials for the state-changing calls (see the POST example below).
# NOTE(review): the password is stored in clear text in this file and is reused
# verbatim in the curl example at the end -- keep /etc/patroni.yml mode 0600 and
# use a strong, unique value rather than the placeholder shown here.
authentication: | |
username: patroni_admin | |
password: patroni | |
# Patroni applies the allowlist to the unsafe (state-changing) endpoints: only
# this network, plus the cluster members themselves (allowlist_include_members),
# may call them; read-only GETs are not affected by it.
allowlist: ['192.168.60.0/24'] | |
allowlist_include_members: true | |
# 'required' = mutual TLS: every request must present a certificate signed by cafile.
verify_client: required | |
... | |
ctl: | |
# insecure: false makes patronictl verify the server certificate against cacert.
insecure: false | |
# patronictl reuses the server's own certificate/key as its client certificate;
# this satisfies verify_client only because cacert is the same CA (root.crt).
# A dedicated client certificate would keep the server key out of the ctl path
# -- TODO confirm against the deployment's PKI.
certfile: /etc/ssl/postgres/server.crt | |
cacert: /etc/ssl/postgres/root.crt | |
keyfile: /etc/ssl/postgres/server.key | |
... | |
# -- Example of GET rest api call | |
# Read-only endpoint: the client certificate alone is enough (no password).
# curl checks the URL hostname against the server certificate, so the name in
# the URL must match what server.crt was issued for.
[postgres@posvt01 pgdata]$ curl -sv https://posvt01.localdomain:3308/master --cacert /etc/ssl/postgres/root.crt --cert /etc/ssl/postgres/server.crt --key /etc/ssl/postgres/server.key | |
# -- Add the root certificate to the trusted authorities | |
# Trusts the private CA system-wide (so --cacert can be dropped). From here on,
# anything root.crt's key signs is trusted by every TLS client on this host, so
# the CA private key needs the same protection as the server keys.
[root@posvt01 anchors]# cp /etc/ssl/postgres/root.crt /etc/pki/ca-trust/source/anchors/ | |
[root@posvt01 anchors]# update-ca-trust | |
# -- Example of POST rest api call -- requires password authentication also, otherwise HTTP/1.0 401 Unauthorized | |
# NOTE(review): putting user:password in the URL leaves the secret in shell
# history and in `ps` output for the lifetime of the request. Prefer
# `-u patroni_admin` (curl prompts for the password) or `--netrc-file <path>`
# (path is a placeholder) so the password never appears on the command line.
[root@posvt02 ~]# curl -sv https://patroni_admin:patroni@posvt02.localdomain:3308/reload -XPOST --cacert /etc/ssl/postgres/root.crt --cert /etc/ssl/postgres/server.crt --key /etc/ssl/postgres/server.key |