Handle SSL for Geo postgresql replication by default
Currently, users have to take additional actions while configuring Geo to benefit from TLS protection of the postgres replication traffic from passive and active attackers. We have all the data we need to automatically protect this data path in the common case, so we should.
Some discussion about what this needs is in https://gitlab.com/gitlab-org/gitlab-ee/issues/1745
Things we need to do:
- On primary, set postgresql['ssl'] = 'on' in /etc/gitlab/gitlab.rb
- Document how to copy/set SSL keys/bundle. We may need some documentation and tools to help admins do this, especially if they need self-signed certificates.
- On secondary, set sslmode=verify-ca in recovery.conf
Edited by Nick Thomas
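A check for the secondary-side setting listed above, as an added example that is not part of the original issue or GitLab's own code: it reads the primary_conninfo line from a recovery.conf and reports whether the sslmode in effect authenticates the primary. The function names, result labels and sample files are assumptions made for illustration.

```python
import re

# What each libpq sslmode gives the replication link (per the PostgreSQL docs).
# Only the verify-* modes authenticate the primary, which is what defeats an
# active (man-in-the-middle) attacker; "require" only stops passive sniffing.
PROTECTION = {
    "disable": "not-enforced", "allow": "not-enforced", "prefer": "not-enforced",
    "require": "passive-only",
    "verify-ca": "authenticated", "verify-full": "authenticated",
}

def primary_conninfo(recovery_conf):
    """Return the last active primary_conninfo value, or None if absent."""
    value = None
    for line in recovery_conf.splitlines():
        # Values are single-quoted; an embedded quote is written as ''.
        m = re.match(r"\s*primary_conninfo\s*=\s*'((?:[^']|'')*)'", line)
        if m:
            value = m.group(1).replace("''", "'")
    return value

def parse_conninfo(conninfo):
    """Parse a libpq keyword=value string, honouring 'quoted values'."""
    pairs = re.findall(r"(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|(\S*))", conninfo)
    return {k: (re.sub(r"\\(.)", r"\1", q) if q else bare) for k, q, bare in pairs}

def audit(recovery_conf):
    """Classify the secondary's replication link by its sslmode."""
    conninfo = primary_conninfo(recovery_conf)
    if conninfo is None:
        return "missing"
    # libpq falls back to sslmode=prefer when the keyword is not given.
    mode = parse_conninfo(conninfo).get("sslmode", "prefer")
    return PROTECTION.get(mode, "invalid")

# Constructed sample files; host and user names are placeholders.
GOOD = ("standby_mode = 'on'\n"
        "primary_conninfo = 'host=primary.example.com user=replicator sslmode=verify-ca'\n")
WEAK = "primary_conninfo = 'host=primary.example.com password=''p w'' sslmode=require'\n"
DEFAULT = ("# primary_conninfo = 'sslmode=verify-ca'\n"
           "primary_conninfo = 'host=primary.example.com'\n")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("WEAK", WEAK), ("DEFAULT", DEFAULT)):
        print(name, audit(text))
```

The DEFAULT sample shows why the setting has to be explicit: with no sslmode keyword the connection uses prefer, which neither enforces encryption nor verifies the primary's certificate.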