Closed jananivMS closed 4 years ago
Based on the investigation, it looks like:
(1) AzurePublicCloud instances of "Azure Database for PostgreSQL" trust the same root certificate here - https://www.digicert.com/CACerts/BaltimoreCyberTrustRoot.crt.pem
(2) AzureChinaCloud instances of "Azure Database for PostgreSQL" trust this root certificate here - https://dl.cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem (This is not documented anywhere and is mentioned in some other context as the root cert someone found to work for Hyperscale PSQL.)
Since this is just a root certificate, we could add the certificate to Key Vault as a secret from postgres provisioning, but:
(i) There isn't a reliable way to get this from the SDK, so we run a risk of this getting outdated if Azure changes this underneath.
(ii) Also, I'm not sure what the certs would be for the other two clouds, which we will need to find out.
A better way would be to point to these Azure links and the cert links in the documentation.
Opened documentation issue - https://github.com/MicrosoftDocs/azure-docs/issues/51930
Based on the discussion with the team, we will now document this in our documentation. Once we have confirmation from the product team on definitive guidance on the certs to use in each cloud, we can revisit whether we want to store this information as a secret.
The customer's ask is if we can provide the SSL certificate information from the postgresqlserver deployment for use with the databases.
Here is a link on how they do it today. We need to investigate if we can provide this info post-provisioning through the operator for them to consume: https://docs.microsoft.com/en-us/azure/postgresql/concepts-ssl-connection-security
Done criteria
This is the "done" criteria for this task:
If the investigation shows this is possible, please open a new task for the implementation
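The thread's point is that the root CA is only useful if the client actually pins it and checks the server name (libpq's sslmode=verify-full); sslmode=require alone encrypts but trusts any certificate. The following is an added illustration, not code from this issue or from the operator: it performs PostgreSQL's SSLRequest start-up exchange by hand and then completes the TLS handshake trusting only the supplied root CA file (for example the Baltimore root linked above, downloaded separately). The host, port and PEM path are assumed inputs.

```python
import socket
import ssl
import struct

# PostgreSQL SSLRequest message: int32 length (8) followed by the magic code
# 80877103 = (1234 << 16) | 5679. The server answers a single byte: 'S' or 'N'.
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Return the 8-byte SSLRequest packet that asks the server to switch to TLS."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def server_accepts_tls(reply: bytes) -> bool:
    """Interpret the server's one-byte reply: b'S' = proceed with TLS, b'N' = refused."""
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def make_verify_full_context(root_ca_pem_path: str) -> ssl.SSLContext:
    """Mirror libpq sslmode=verify-full: trust only this root CA and check the hostname.
    create_default_context with cafile set loads ONLY that file, not the system store."""
    ctx = ssl.create_default_context(cafile=root_ca_pem_path)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def open_verified_tls(host: str, port: int, root_ca_pem_path: str, timeout: float = 10.0):
    """Connect, negotiate TLS via SSLRequest, and verify chain + hostname against the pinned root."""
    ctx = make_verify_full_context(root_ca_pem_path)
    raw = socket.create_connection((host, port), timeout=timeout)
    raw.sendall(build_ssl_request())
    if not server_accepts_tls(raw.recv(1)):
        raw.close()  # refuse to fall back to plaintext rather than silently downgrading
        raise RuntimeError("server refused TLS; not continuing in cleartext")
    # Raises ssl.SSLCertVerificationError if the chain does not end at the pinned
    # root or the certificate's name does not match `host`.
    return ctx.wrap_socket(raw, server_hostname=host)


if __name__ == "__main__":
    import sys
    # Example: python pg_tls_check.py myserver.postgres.database.azure.com BaltimoreCyberTrustRoot.crt.pem
    server, ca_file = sys.argv[1], sys.argv[2]
    with open_verified_tls(server, 5432, ca_file) as tls:
        print("verified against pinned root; server subject:", tls.getpeercert().get("subject"))
```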