Postgres mTLS: Permissions of client key file
Summary
Hello everyone,
I would like to set up an mTLS connection to an external Postgres instance. However, I'm running into a file permissions issue: an error is thrown about overly broad file permissions on the client key file.
This might just be a documentation issue, because there is currently no documentation about how to do this correctly. Or it could be that specifying correct permissions and file ownership is currently impossible, because multiple processes running with different user IDs need to access the client key file, but only one user can be the owner.
Related:
- PR that implemented this feature: !3529 (merged)
- Issue that the above PR addresses: #4296 (closed)
- Documentation page: https://docs.gitlab.com/omnibus/settings/database.html#require-ssl-and-verify-server-certificate-against-ca-bundle (shows only how to configure normal TLS)
Steps to reproduce
What is the current bug behavior?
When I start the container, GitLab throws an error during initialization under `Recipe: gitlab::database_migrations`:

```
PG::ConnectionBad: private key file "/secrets/postgres_client_key" has group or world access; permissions should be u=rw (0600) or less
```
What is the expected correct behavior?
Establish an mTLS connection to the external Postgres instance, and clear instructions on how to configure mTLS for an external Postgres instance.
Details of package version
GitLab Omnibus container image gitlab/gitlab-ee:13.0.5-ee.0
Configuration details
```ruby
gitlab_rails['db_database'] = "gitlab"
gitlab_rails['db_username'] = "admin"
gitlab_rails['db_password'] = File.read('/secrets/postgres_password')
gitlab_rails['db_host'] = "10.1.0.27"
gitlab_rails['db_port'] = 5432
gitlab_rails['db_sslmode'] = 'verify-full'
gitlab_rails['db_sslrootcert'] = '/secrets/postgres_server_ca_certificate'
gitlab_rails['db_sslcert'] = '/secrets/postgres_client_certificate'
gitlab_rails['db_sslkey'] = '/secrets/postgres_client_key'
```
cc @balasankarc (author of the PR that implemented support for mTLS) @twk3 (who confirmed the ability to connect to Google CloudSQL via mTLS, which is what I would like to achieve)
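A preflight check for the failure described in this issue, added here as an example (not code from the issue, from GitLab, or from libpq): it applies the rule the quoted error states, that the client key file must carry no group or world permission bits, so a mounted `/secrets/postgres_client_key` can be validated before the container is started. File names and contents in `demo()` are constructed placeholders.

```python
import os
import stat
import tempfile

# Permission bits libpq rejects on a client key file, per the error quoted in the issue.
GROUP_OR_WORLD = stat.S_IRWXG | stat.S_IRWXO


def check_client_key(path):
    """Return (ok, message) for a db_sslkey file: it must exist, be a regular
    file, and have no group or world bits (u=rw, 0600, or less)."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, f'private key file "{path}" does not exist'
    if not stat.S_ISREG(st.st_mode):
        return False, f'private key file "{path}" is not a regular file'
    mode = stat.S_IMODE(st.st_mode)
    if mode & GROUP_OR_WORLD:
        return False, (f'private key file "{path}" has group or world access '
                       f'(mode {mode:04o}); permissions should be u=rw (0600) or less')
    return True, f'private key file "{path}" mode {mode:04o} is acceptable'


def demo():
    """Constructed sample: one key left at 0644 (rejected, as in the issue)
    and one tightened to 0600 (accepted). Returns {name: (ok, message)}."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("postgres_client_key_bad", 0o644),
                           ("postgres_client_key_ok", 0o600)):
            path = os.path.join(tmp, name)
            with open(path, "w") as f:
                # Placeholder body; a real key is never embedded here.
                f.write("-----BEGIN PRIVATE KEY-----\nplaceholder\n-----END PRIVATE KEY-----\n")
            os.chmod(path, mode)  # explicit chmod so the umask does not matter
            results[name] = check_client_key(path)
    return results


if __name__ == "__main__":
    for name, (ok, message) in demo().items():
        print("OK  " if ok else "FAIL", message)
```

Run it against the real mounted path (for example `check_client_key("/secrets/postgres_client_key")`) from the host before `docker run`; a FAIL result is exactly what will surface later as the `PG::ConnectionBad` error during `gitlab::database_migrations`.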