Kong / kong

🦍 The Cloud-Native API Gateway and AI Gateway.
https://konghq.com/install/#kong-community
Apache License 2.0

Kong not able to connect to Postgres using mTLS #11768

Closed bpariente closed 1 year ago

bpariente commented 1 year ago

Kong version ($ kong version)

3.4.1

Current Behavior

I am trying to connect to PostgreSQL with mTLS as the documentation says, by setting these properties:

```
lua_ssl_trusted_certificate = /usr/local/kong/ssl/ca-bundle.pem
lua_ssl_verify_depth = 1

database = postgres

pg_host = int-poolpostgreskong.int.marathon.mesos
pg_port = 5432
pg_user = int-kong-new_int
pg_database = int-kong-new_int_kong
pg_ssl = on
pg_ssl_verify = on
pg_ssl_required = on
pg_ssl_cert = /usr/local/kong/ssl/int-kong-new_int.pem
pg_ssl_cert_key = /usr/local/kong/ssl/int-kong-new_int.key
```

But it doesn't send the certificate in the connection to Postgres, as the error shows:

```
Error: /usr/local/share/lua/5.1/kong/cmd/migrations.lua:101: [PostgreSQL error] failed to retrieve PostgreSQL server_version_num: receive_message: failed to get type: tlsv13 alert certificate required
stack traceback:
  [C]: in function 'assert'
  /usr/local/share/lua/5.1/kong/cmd/migrations.lua:101: in function 'cmd_exec'
  /usr/local/share/lua/5.1/kong/cmd/init.lua:31: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:31>
  [C]: in function 'xpcall'
  /usr/local/share/lua/5.1/kong/cmd/init.lua:31: in function </usr/local/share/lua/5.1/kong/cmd/init.lua:15>
  (command line -e):7: in function 'inline_gen'
  init_worker_by_lua:44: in function
  [C]: in function 'xpcall'
  init_worker_by_lua:52: in function
```

If I run the migrations with -vv, the output doesn't show the SSL config set to connect to Postgres:

```
2023-10-16T12:43:41.333+00:00 INFO - 0 /data/docker-entrypoint.sh main:266 {"@message": "Launching kong new migrations"}
2023/10/16 12:43:41 [verbose] Kong: 3.4.1
2023/10/16 12:43:41 [debug] ngx_lua: 10021
2023/10/16 12:43:41 [debug] nginx: 1021004
2023/10/16 12:43:41 [debug] Lua: LuaJIT 2.1.0-20220411
2023/10/16 12:43:41 [verbose] reading config file at /etc/kong/kong.conf
2023/10/16 12:43:41 [debug] reading environment variables
2023/10/16 12:43:41 [debug] KONG_PLUGINS ENV found with "stratio-cas-introspect,stratio-acl-authorization,bundled"
2023/10/16 12:43:41 [verbose] prefix in use: /usr/local/kong
2023/10/16 12:43:41 [debug] _debug_pg_ttl_cleanup_interval = 300
2023/10/16 12:43:41 [debug] admin_acc_logs = "/usr/local/kong/logs/admin_access.log"
2023/10/16 12:43:41 [debug] admin_access_log = "/dev/stdout"
2023/10/16 12:43:41 [debug] admin_error_log = "/dev/stderr"
2023/10/16 12:43:41 [debug] admin_gui_access_log = "logs/admin_gui_access.log"
2023/10/16 12:43:41 [debug] admin_gui_error_log = "logs/admin_gui_error.log"
2023/10/16 12:43:41 [debug] admin_gui_listen = {"0.0.0.0:8002","0.0.0.0:8445 ssl"}
2023/10/16 12:43:41 [debug] admin_gui_path = "/"
2023/10/16 12:43:41 [debug] admin_gui_ssl_cert = {}
2023/10/16 12:43:41 [debug] admin_gui_ssl_cert_default = "/usr/local/kong/ssl/admin-gui-kong-default.crt"
2023/10/16 12:43:41 [debug] admin_gui_ssl_cert_default_ecdsa = "/usr/local/kong/ssl/admin-gui-kong-default-ecdsa.crt"
2023/10/16 12:43:41 [debug] admin_gui_ssl_cert_key = "**"
2023/10/16 12:43:41 [debug] admin_gui_ssl_cert_key_default = "/usr/local/kong/ssl/admin-gui-kong-default.key"
2023/10/16 12:43:41 [debug] admin_gui_ssl_cert_key_default_ecdsa = "/usr/local/kong/ssl/admin-gui-kong-default-ecdsa.key"
2023/10/16 12:43:41 [debug] admin_listen = {"0.0.0.0:8444 http2 ssl reuseport backlog=16384"}
2023/10/16 12:43:41 [debug] admin_ssl_cert = {"/usr/local/kong/ssl/int-kong-new_int.pem"}
2023/10/16 12:43:41 [debug] admin_ssl_cert_default = "/usr/local/kong/ssl/admin-kong-default.crt"
2023/10/16 12:43:41 [debug] admin_ssl_cert_default_ecdsa = "/usr/local/kong/ssl/admin-kong-default-ecdsa.crt"
2023/10/16 12:43:41 [debug] admin_ssl_cert_key = "**"
2023/10/16 12:43:41 [debug] admin_ssl_cert_key_default = "/usr/local/kong/ssl/admin-kong-default.key"
2023/10/16 12:43:41 [debug] admin_ssl_cert_key_default_ecdsa = "/usr/local/kong/ssl/admin-kong-default-ecdsa.key"
2023/10/16 12:43:41 [debug] allow_debug_header = false
2023/10/16 12:43:41 [debug] anonymous_reports = false
2023/10/16 12:43:41 [debug] client_body_buffer_size = "8k"
2023/10/16 12:43:41 [debug] client_ssl = false
2023/10/16 12:43:41 [debug] client_ssl_cert_default = "/usr/local/kong/ssl/kong-default.crt"
2023/10/16 12:43:41 [debug] client_ssl_cert_key_default = "/usr/local/kong/ssl/kong-default.key"
2023/10/16 12:43:41 [debug] cluster_control_plane = "127.0.0.1:8005"
2023/10/16 12:43:41 [debug] cluster_data_plane_purge_delay = 1209600
2023/10/16 12:43:41 [debug] cluster_dp_labels = {}
2023/10/16 12:43:41 [debug] cluster_listen = {"0.0.0.0:8005"}
2023/10/16 12:43:41 [debug] cluster_max_payload = 16777216
2023/10/16 12:43:41 [debug] cluster_mtls = "shared"
2023/10/16 12:43:41 [debug] cluster_ocsp = "off"
2023/10/16 12:43:41 [debug] cluster_use_proxy = false
2023/10/16 12:43:41 [debug] database = "postgres"
2023/10/16 12:43:41 [debug] db_cache_ttl = 0
2023/10/16 12:43:41 [debug] db_cache_warmup_entities = {"services"}
2023/10/16 12:43:41 [debug] db_resurrect_ttl = 30
2023/10/16 12:43:41 [debug] db_update_frequency = 5
2023/10/16 12:43:41 [debug] db_update_propagation = 0
2023/10/16 12:43:41 [debug] dns_cache_size = 10000
2023/10/16 12:43:41 [debug] dns_error_ttl = 1
2023/10/16 12:43:41 [debug] dns_hostsfile = "/etc/hosts"
2023/10/16 12:43:41 [debug] dns_no_sync = false
2023/10/16 12:43:41 [debug] dns_not_found_ttl = 30
2023/10/16 12:43:41 [debug] dns_order = {"LAST","SRV","A","CNAME"}
2023/10/16 12:43:41 [debug] dns_resolver = {}
2023/10/16 12:43:41 [debug] dns_stale_ttl = 4
2023/10/16 12:43:41 [debug] error_default_type = "text/plain"
2023/10/16 12:43:41 [debug] headers = {"server_tokens","latency_tokens"}
2023/10/16 12:43:41 [debug] host_ports = {}
2023/10/16 12:43:41 [debug] kic = false
2023/10/16 12:43:41 [debug] kong_env = "/usr/local/kong/.kong_env"
2023/10/16 12:43:41 [debug] kong_process_secrets = "/usr/local/kong/.kong_process_secrets"
2023/10/16 12:43:41 [debug] lmdb_environment_path = "dbless.lmdb"
2023/10/16 12:43:41 [debug] lmdb_map_size = "2048m"
2023/10/16 12:43:41 [debug] loaded_vaults = {env=true}
2023/10/16 12:43:41 [debug] log_level = "debug"
2023/10/16 12:43:41 [debug] lua_max_post_args = 100
2023/10/16 12:43:41 [debug] lua_max_req_headers = 100
2023/10/16 12:43:41 [debug] lua_max_resp_headers = 100
2023/10/16 12:43:41 [debug] lua_max_uri_args = 100
2023/10/16 12:43:41 [debug] lua_package_cpath = ""
2023/10/16 12:43:41 [debug] lua_package_path = "/usr/local/?.lua;;"
2023/10/16 12:43:41 [debug] lua_socket_pool_size = 30
2023/10/16 12:43:41 [debug] lua_ssl_protocols = "TLSv1.1 TLSv1.2 TLSv1.3"
2023/10/16 12:43:41 [debug] lua_ssl_trusted_certificate = {"/usr/local/kong/ssl/ca-bundle.pem"}
2023/10/16 12:43:41 [debug] lua_ssl_trusted_certificate_combined = "/usr/local/kong/.ca_combined"
2023/10/16 12:43:41 [debug] lua_ssl_verify_depth = 1
2023/10/16 12:43:41 [debug] mem_cache_size = "128m"
2023/10/16 12:43:41 [debug] nginx_acc_logs = "/usr/local/kong/logs/access.log"
2023/10/16 12:43:41 [debug] nginx_admin_client_body_buffer_size = "10m"
2023/10/16 12:43:41 [debug] nginx_admin_client_max_body_size = "10m"
2023/10/16 12:43:41 [debug] nginx_admin_directives = {{name="client_max_body_size",value="10m"},{name="client_body_buffer_size",value="10m"}}
2023/10/16 12:43:41 [debug] nginx_conf = "/usr/local/kong/nginx.conf"
2023/10/16 12:43:41 [debug] nginx_daemon = "off"
2023/10/16 12:43:41 [debug] nginx_err_logs = "/usr/local/kong/logs/error.log"
2023/10/16 12:43:41 [debug] nginx_events_directives = {{name="worker_connections",value="auto"},{name="multi_accept",value="on"}}
2023/10/16 12:43:41 [debug] nginx_events_multi_accept = "on"
2023/10/16 12:43:41 [debug] nginx_events_worker_connections = "auto"
2023/10/16 12:43:41 [debug] nginx_http_charset = "UTF-8"
2023/10/16 12:43:41 [debug] nginx_http_client_body_buffer_size = "8k"
2023/10/16 12:43:41 [debug] nginx_http_client_max_body_size = "0"
2023/10/16 12:43:41 [debug] nginx_http_directives = {{name="charset",value="UTF-8"},{name="client_max_body_size",value="0"},{name="client_body_buffer_size",value="8k"},{name="lua_regex_match_limit",value="100000"},{name="lua_regex_cache_max_entries",value="8192"},{name="keepalive_requests",value="1000"},{name="ssl_protocols",value="TLSv1.2 TLSv1.3"},{name="ssl_prefer_server_ciphers",value="off"},{name="ssl_dhparam",value="ffdhe2048"},{name="ssl_session_tickets",value="on"},{name="ssl_session_timeout",value="1d"}}
2023/10/16 12:43:41 [debug] nginx_http_keepalive_requests = "1000"
2023/10/16 12:43:41 [debug] nginx_http_lua_regex_cache_max_entries = "8192"
2023/10/16 12:43:41 [debug] nginx_http_lua_regex_match_limit = "100000"
2023/10/16 12:43:41 [debug] nginx_http_lua_ssl_protocols = "TLSv1.1 TLSv1.2 TLSv1.3"
2023/10/16 12:43:41 [debug] nginx_http_ssl_dhparam = "ffdhe2048"
2023/10/16 12:43:41 [debug] nginx_http_ssl_prefer_server_ciphers = "off"
2023/10/16 12:43:41 [debug] nginx_http_ssl_protocols = "TLSv1.2 TLSv1.3"
2023/10/16 12:43:41 [debug] nginx_http_ssl_session_tickets = "on"
2023/10/16 12:43:41 [debug] nginx_http_ssl_session_timeout = "1d"
2023/10/16 12:43:41 [debug] nginx_inject_conf = "/usr/local/kong/nginx-inject.conf"
2023/10/16 12:43:41 [debug] nginx_kong_conf = "/usr/local/kong/nginx-kong.conf"
2023/10/16 12:43:41 [debug] nginx_kong_gui_include_conf = "/usr/local/kong/nginx-kong-gui-include.conf"
2023/10/16 12:43:41 [debug] nginx_kong_inject_conf = "/usr/local/kong/nginx-kong-inject.conf"
2023/10/16 12:43:41 [debug] nginx_kong_stream_conf = "/usr/local/kong/nginx-kong-stream.conf"
2023/10/16 12:43:41 [debug] nginx_kong_stream_inject_conf = "/usr/local/kong/nginx-kong-stream-inject.conf"
2023/10/16 12:43:41 [debug] nginx_main_daemon = "off"
2023/10/16 12:43:41 [debug] nginx_main_directives = {{name="worker_processes",value="auto"},{name="worker_rlimit_nofile",value="auto"},{name="user",value="kong kong"},{name="daemon",value="off"}}
2023/10/16 12:43:41 [debug] nginx_main_user = "kong kong"
2023/10/16 12:43:41 [debug] nginx_main_worker_processes = "auto"
2023/10/16 12:43:41 [debug] nginx_main_worker_rlimit_nofile = "auto"
2023/10/16 12:43:41 [debug] nginx_pid = "/usr/local/kong/pids/nginx.pid"
2023/10/16 12:43:41 [debug] nginx_proxy_directives = {{name="real_ip_header",value="X-Real-IP"},{name="real_ip_recursive",value="off"}}
2023/10/16 12:43:41 [debug] nginx_proxy_real_ip_header = "X-Real-IP"
2023/10/16 12:43:41 [debug] nginx_proxy_real_ip_recursive = "off"
2023/10/16 12:43:41 [debug] nginx_sproxy_directives = {}
2023/10/16 12:43:41 [debug] nginx_status_directives = {}
2023/10/16 12:43:41 [debug] nginx_stream_directives = {{name="ssl_protocols",value="TLSv1.2 TLSv1.3"},{name="ssl_prefer_server_ciphers",value="off"},{name="ssl_dhparam",value="ffdhe2048"},{name="ssl_session_tickets",value="on"},{name="ssl_session_timeout",value="1d"}}
2023/10/16 12:43:41 [debug] nginx_stream_lua_ssl_protocols = "TLSv1.1 TLSv1.2 TLSv1.3"
2023/10/16 12:43:41 [debug] nginx_stream_ssl_dhparam = "ffdhe2048"
2023/10/16 12:43:41 [debug] nginx_stream_ssl_prefer_server_ciphers = "off"
2023/10/16 12:43:41 [debug] nginx_stream_ssl_protocols = "TLSv1.2 TLSv1.3"
2023/10/16 12:43:41 [debug] nginx_stream_ssl_session_tickets = "on"
2023/10/16 12:43:41 [debug] nginx_stream_ssl_session_timeout = "1d"
2023/10/16 12:43:41 [debug] nginx_supstream_directives = {}
2023/10/16 12:43:41 [debug] nginx_upstream_directives = {}
2023/10/16 12:43:41 [debug] nginx_user = "kong kong"
2023/10/16 12:43:41 [debug] nginx_wasm_main_directives = {}
2023/10/16 12:43:41 [debug] nginx_wasm_main_shm_directives = {}
2023/10/16 12:43:41 [debug] nginx_wasm_v8_directives = {}
2023/10/16 12:43:41 [debug] nginx_wasm_wasmer_directives = {}
2023/10/16 12:43:41 [debug] nginx_wasm_wasmtime_directives = {}
2023/10/16 12:43:41 [debug] nginx_worker_processes = "auto"
2023/10/16 12:43:41 [debug] opentelemetry_tracing = {"off"}
2023/10/16 12:43:41 [debug] opentelemetry_tracing_sampling_rate = 0.01
2023/10/16 12:43:41 [debug] pg_database = "int-kong-new_int_kong"
2023/10/16 12:43:41 [debug] pg_host = "int-poolpostgreskong.int.marathon.mesos"
2023/10/16 12:43:41 [debug] pg_max_concurrent_queries = 0
2023/10/16 12:43:41 [debug] pg_port = 5432
2023/10/16 12:43:41 [debug] pg_ro_ssl = false
2023/10/16 12:43:41 [debug] pg_ro_ssl_verify = false
2023/10/16 12:43:41 [debug] pg_semaphore_timeout = 60000
2023/10/16 12:43:41 [debug] pg_ssl = true
2023/10/16 12:43:41 [debug] pg_ssl_verify = true
2023/10/16 12:43:41 [debug] pg_timeout = 5000
2023/10/16 12:43:41 [debug] pg_user = "int-kong-new_int"
2023/10/16 12:43:41 [debug] plugins = {"my-plugin","bundled"}
2023/10/16 12:43:41 [debug] pluginserver_names = {}
2023/10/16 12:43:41 [debug] port_maps = {}
2023/10/16 12:43:41 [debug] prefix = "/usr/local/kong"
2023/10/16 12:43:41 [debug] privileged_agent = false
2023/10/16 12:43:41 [debug] proxy_access_log = "/dev/stdout"
2023/10/16 12:43:41 [debug] proxy_error_log = "/dev/stderr"
2023/10/16 12:43:41 [debug] proxy_listen = {"0.0.0.0:8443 http2 ssl reuseport backlog=16384"}
2023/10/16 12:43:41 [debug] proxy_server_ssl_verify = true
2023/10/16 12:43:41 [debug] proxy_stream_access_log = "logs/access.log basic"
2023/10/16 12:43:41 [debug] proxy_stream_error_log = "logs/error.log"
2023/10/16 12:43:41 [debug] real_ip_header = "X-Real-IP"
2023/10/16 12:43:41 [debug] real_ip_recursive = "off"
2023/10/16 12:43:41 [debug] role = "traditional"
2023/10/16 12:43:41 [debug] router_flavor = "traditional_compatible"
2023/10/16 12:43:41 [debug] ssl_cert = {"/usr/local/kong/ssl/int-kong-new_int.pem"}
2023/10/16 12:43:41 [debug] ssl_cert_csr_default = "/usr/local/kong/ssl/kong-default.csr"
2023/10/16 12:43:41 [debug] ssl_cert_default = "/usr/local/kong/ssl/kong-default.crt"
2023/10/16 12:43:41 [debug] ssl_cert_default_ecdsa = "/usr/local/kong/ssl/kong-default-ecdsa.crt"
2023/10/16 12:43:41 [debug] ssl_cert_key = "**"
2023/10/16 12:43:41 [debug] ssl_cert_key_default = "/usr/local/kong/ssl/kong-default.key"
2023/10/16 12:43:41 [debug] ssl_cert_key_default_ecdsa = "/usr/local/kong/ssl/kong-default-ecdsa.key"
2023/10/16 12:43:41 [debug] ssl_cipher_suite = "intermediate"
2023/10/16 12:43:41 [debug] ssl_ciphers = "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
2023/10/16 12:43:41 [debug] ssl_dhparam = "ffdhe2048"
2023/10/16 12:43:41 [debug] ssl_prefer_server_ciphers = "on"
2023/10/16 12:43:41 [debug] ssl_protocols = "TLSv1.1 TLSv1.2 TLSv1.3"
2023/10/16 12:43:41 [debug] ssl_session_cache_size = "10m"
2023/10/16 12:43:41 [debug] ssl_session_tickets = "on"
2023/10/16 12:43:41 [debug] ssl_session_timeout = "1d"
2023/10/16 12:43:41 [debug] status_access_log = "off"
2023/10/16 12:43:41 [debug] status_error_log = "logs/status_error.log"
2023/10/16 12:43:41 [debug] status_listen = {"off"}
2023/10/16 12:43:41 [debug] status_ssl_cert = {}
2023/10/16 12:43:41 [debug] status_ssl_cert_default = "/usr/local/kong/ssl/status-kong-default.crt"
2023/10/16 12:43:41 [debug] status_ssl_cert_default_ecdsa = "/usr/local/kong/ssl/status-kong-default-ecdsa.crt"
2023/10/16 12:43:41 [debug] status_ssl_cert_key = "**"
2023/10/16 12:43:41 [debug] status_ssl_cert_key_default = "/usr/local/kong/ssl/status-kong-default.key"
2023/10/16 12:43:41 [debug] status_ssl_cert_key_default_ecdsa = "/usr/local/kong/ssl/status-kong-default-ecdsa.key"
2023/10/16 12:43:41 [debug] stream_listen = {"off"}
2023/10/16 12:43:41 [debug] tracing_instrumentations = {"off"}
2023/10/16 12:43:41 [debug] tracing_sampling_rate = 0.01
2023/10/16 12:43:41 [debug] trusted_ips = {}
2023/10/16 12:43:41 [debug] untrusted_lua = "sandbox"
2023/10/16 12:43:41 [debug] untrusted_lua_sandbox_environment = {}
2023/10/16 12:43:41 [debug] untrusted_lua_sandbox_requires = {}
2023/10/16 12:43:41 [debug] upstream_keepalive_idle_timeout = 60
2023/10/16 12:43:41 [debug] upstream_keepalive_max_requests = 1000
2023/10/16 12:43:41 [debug] upstream_keepalive_pool_size = 512
2023/10/16 12:43:41 [debug] vaults = {"bundled"}
2023/10/16 12:43:41 [debug] wasm = false
2023/10/16 12:43:41 [debug] worker_consistency = "eventual"
2023/10/16 12:43:41 [debug] worker_events_max_payload = 65535
2023/10/16 12:43:41 [debug] worker_state_update_frequency = 5
2023/10/16 12:43:41 [verbose] preparing nginx prefix directory at /usr/local/kong
2023/10/16 12:43:41 [verbose] SSL enabled on admin_gui, no custom certificate set: using default certificates
2023/10/16 12:43:41 [verbose] admin_gui SSL certificate found at /usr/local/kong/ssl/admin-gui-kong-default.crt
2023/10/16 12:43:41 [verbose] admin_gui SSL certificate found at /usr/local/kong/ssl/admin-gui-kong-default-ecdsa.crt
2023/10/16 12:43:41 [verbose] generating trusted certs combined file in /usr/local/kong/.ca_combined
```

I checked the code in the repo but I couldn't find anything related to the pg_ssl_cert and pg_ssl_cert_key properties.

Expected Behavior

Successful connection to PostgreSQL using mTLS

Steps To Reproduce

I built the Kong deb package inside Docker using Ubuntu 20.04 as the base and installed it afterwards.

Kong version 3.4.1, OpenResty version 1.21.4.1, LuaRocks version 3.9.2.

And I execute:

```
kong prepare -p "${KONG_PREFIX}" "$@"
kong migrations bootstrap --vv   # ---------- This command is the first one that fails
kong migrations up --vv
kong migrations finish --vv
```

Anything else?

No response

robincher commented 1 year ago

Hi,

Could it be related to your pg_ssl_version setting, with the upstream PSQL expecting only TLS v1.3?

https://docs.konghq.com/gateway/3.4.x/reference/configuration/#postgres-settings

There is a guide on troubleshooting here: https://docs.konghq.com/gateway/latest/production/networking/troubleshoot-postgres-tls/#troubleshooting-tls-on-kong-gateway

bpariente commented 1 year ago

No, I checked with all allowed versions of TLS. The error is that Kong is not sending the certificate to Postgres, and because of that Postgres is complaining and it is not working.

I have checked the code in the repo where the Postgres config is sent to pgmoon to make the connection, but I didn't see that the cert and the key are sent to pgmoon:

https://github.com/Kong/kong/blob/3.4.1/kong/db/strategies/postgres/connector.lua#L957

```lua
local config = {
  application_name = "kong",
  host = kong_config.pg_host,
  port = kong_config.pg_port,
  timeout = kong_config.pg_timeout,
  user = kong_config.pg_user,
  password = kong_config.pg_password,
  database = kong_config.pg_database,
  schema = kong_config.pg_schema or "",
  ssl = kong_config.pg_ssl,
  ssl_verify = kong_config.pg_ssl_verify,
  cafile = kong_config.lua_ssl_trusted_certificate_combined,
  sem_max = kong_config.pg_max_concurrent_queries or 0,
  sem_timeout = (kong_config.pg_semaphore_timeout or 60000) / 1000,
  pool_size = kong_config.pg_pool_size,
  backlog = kong_config.pg_backlog,

  --- not used directly by pgmoon, but used internally in connector to set the keepalive timeout
  keepalive_timeout = kong_config.pg_keepalive_timeout,
  --- non user-faced parameters
  ttl_cleanup_interval = kong_config._debug_pg_ttl_cleanup_interval or 300,
}
```

So I wonder, is it really working with those properties?

I also couldn't find where the cert and the key, set in the variables pg_ssl_cert and pg_ssl_cert_key, are loaded in conf_loader/init.lua.

Which value should I pass to those settings: the absolute path, or the string with the cert and key?

Thanks in advance
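The symptom reported in the first post (settings written to kong.conf that never show up in the `--vv` output) and the connector table quoted in the comment above (which passes `ssl`, `ssl_verify` and `cafile` to pgmoon but nothing for a client certificate) are two views of the same gap. The following is an added diagnostic, not code from the Kong project or from anyone in this thread: it parses the `[debug] key = value` lines Kong prints at startup, compares them with the keys an operator set in kong.conf, and reports the settings that were dropped before the TLS alert from Postgres is ever reached. The kong.conf and log excerpts are constructed from the values quoted in this issue, and the function names are mine.

```python
"""Report kong.conf settings that never reach Kong's effective configuration.

Added example for this issue thread (not Kong's own code). Kong echoes its
loaded configuration as `[debug] key = value` lines when run with --vv; a
key that was set in kong.conf but is missing from that echo was not loaded,
which is how pg_ssl_cert / pg_ssl_cert_key surface as ignored here.
"""
import re
from typing import Dict, List

# One echoed setting, e.g. "2023/10/16 12:43:41 [debug] pg_ssl = true".
_DEBUG_ENTRY = re.compile(
    r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[debug\] (\w+) = (.*)$", re.DOTALL
)
# Start of any log entry; used to re-split lines that were glued together
# (the log pasted in this issue has many entries per line).
_ENTRY_START = re.compile(r"(?=\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2} \[)")
# One "key = value" line of kong.conf.
_CONF_ENTRY = re.compile(r"^\s*(\w+)\s*=\s*(.*?)\s*$")


def parse_kong_debug_log(text: str) -> Dict[str, str]:
    """Map every setting echoed at [debug] level to its printed value.

    Values are kept as printed (true, "/path", {"a","b"}). Key material such
    as ssl_cert_key is echoed as "**", which still counts as present.
    """
    effective: Dict[str, str] = {}
    for entry in _ENTRY_START.split(text):
        m = _DEBUG_ENTRY.match(entry.strip())
        if m:
            effective[m.group(1)] = m.group(2).strip()
    return effective


def parse_kong_conf(text: str) -> Dict[str, str]:
    """Return the settings explicitly set in a kong.conf text (comments ignored)."""
    configured: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]
        m = _CONF_ENTRY.match(line)
        if m and m.group(2):
            configured[m.group(1)] = m.group(2)
    return configured


def ignored_settings(configured: Dict[str, str], effective: Dict[str, str]) -> List[str]:
    """Settings present in kong.conf but absent from the echoed configuration."""
    return sorted(k for k in configured if k not in effective)


def check_kong_conf_against_log(conf_text: str, log_text: str) -> List[str]:
    """Convenience wrapper: parse both texts and return the ignored settings."""
    return ignored_settings(parse_kong_conf(conf_text), parse_kong_debug_log(log_text))


# Constructed excerpt of the kong.conf settings quoted in this issue.
SAMPLE_CONF = """\
# constructed excerpt; values as quoted in the issue
lua_ssl_trusted_certificate = /usr/local/kong/ssl/ca-bundle.pem
lua_ssl_verify_depth = 1
database = postgres
pg_host = int-poolpostgreskong.int.marathon.mesos
pg_port = 5432
pg_ssl = on
pg_ssl_verify = on
pg_ssl_required = on
pg_ssl_cert = /usr/local/kong/ssl/int-kong-new_int.pem
pg_ssl_cert_key = /usr/local/kong/ssl/int-kong-new_int.key
"""

# Constructed excerpt of the --vv output quoted in this issue; the third line
# deliberately carries two entries, as the pasted log does.
SAMPLE_LOG = """\
2023/10/16 12:43:41 [debug] database = "postgres"
2023/10/16 12:43:41 [debug] lua_ssl_trusted_certificate = {"/usr/local/kong/ssl/ca-bundle.pem"}
2023/10/16 12:43:41 [debug] lua_ssl_verify_depth = 1 2023/10/16 12:43:41 [debug] pg_host = "int-poolpostgreskong.int.marathon.mesos"
2023/10/16 12:43:41 [debug] pg_port = 5432
2023/10/16 12:43:41 [debug] pg_ssl = true
2023/10/16 12:43:41 [debug] pg_ssl_verify = true
2023/10/16 12:43:41 [debug] ssl_cert_key = "**"
2023/10/16 12:43:41 [verbose] generating trusted certs combined file in /usr/local/kong/.ca_combined
"""

if __name__ == "__main__":
    for key in check_kong_conf_against_log(SAMPLE_CONF, SAMPLE_LOG):
        print(f"configured in kong.conf but absent from effective config: {key}")
```

On these excerpts the checker lists pg_ssl_cert, pg_ssl_cert_key and pg_ssl_required, the three settings from the quoted kong.conf that the quoted log never echoes. Run against a real `kong migrations bootstrap --vv` capture it gives the same answer in seconds, which is a cheaper first step than reading the TLS alert out of the pgmoon stack trace.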

bungle commented 1 year ago

@bpariente, for me it looks like you need to use Kong Gateway (for Enterprise) to be able to do mTLS with Postgres: https://docs.konghq.com/gateway/latest/install/

It looks like we have not enabled this feature on Kong Gateway Open Source.

bpariente commented 1 year ago

But in the documentation it doesn't say that it is for the enterprise version :(

That's ok, I added it myself and I got it working. Thank you for the help anyway.

zd9KgA commented 7 months ago

Hi @bungle:

I had the same issue with version 3.6.1. The documentation explicitly suggests that this capability is available in the OSS version. Can either the documentation be updated to avoid this confusion or the feature be made available in the OSS version as well?

Cheers!