Update recommended PG HA configuration to use ssl certificates instead of passwords
Update omnibus-gitlab and the database HA documentation with the steps necessary to configure and maintain a setup using certificate authentication.
Things to consider
- repmgr client will need to be able to use the certificate
- if sidekiq and rails clients cannot use certificate, pgbouncer will need to support md5 user auth, while using certificate auth to connect to the database
- a secure method to distribute the certificates
- Certificate lifetime will be a factor
- How long should they be valid for
- Can/should we auto-renew or alert admin of their expiration?
- Can we easily revoke certificates