Update recommended PG cluster configuration to use SSL certificates instead of passwords
Summary
A pain point in maintaining db clusters is handling user passwords, and the appropriate settings in pg_hba.conf. If we add the ability to use client certificates, this should be somewhat alleviated. It would also remove the need to store a plaintext password in gitlab.rb for gitlab_rails['db_password'].
Proposal
Update gitlab-org/omnibus-gitlab and gitlab-org/gitlab to handle certificate-based authentication rather than password-based for their database connection.
References
https://info.crunchydata.com/blog/ssl-certificate-authentication-postgresql-docker-containers - Quick intro on how to quickly set up certificate authentication on PostgreSQL for testing.
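
An added example, not part of the original issue or of GitLab's code: a small Python audit that parses pg_hba.conf records and reports the network entries still using password or trust authentication, which are the ones a move to client certificates would replace. The sample file contents (database name, users, addresses, map name) are constructed for illustration.

```python
import shlex

PASSWORD_METHODS = {"password", "md5", "scram-sha-256"}
METHODS = PASSWORD_METHODS | {"trust", "reject", "gss", "sspi", "ident", "peer",
                              "ldap", "radius", "cert", "pam", "bsd"}
NETWORK_TYPES = {"host", "hostssl", "hostnossl", "hostgssenc", "hostnogssenc"}

def parse_hba(text):
    """Yield (lineno, type, user, method, options) for each pg_hba.conf record."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw, comments=True)  # drops '#' comments, honours quotes
        if not fields:
            continue
        rtype = fields[0]
        if rtype == "local":
            idx = 3  # local records have no address field
        elif rtype in NETWORK_TYPES:
            # Address is one field (CIDR/hostname) or two (IP + netmask).
            idx = 4 if len(fields) > 4 and fields[4] in METHODS else 5
        else:
            continue  # include directives and unknown types are out of scope here
        if len(fields) > idx:
            yield lineno, rtype, fields[2], fields[idx], fields[idx + 1:]

def audit(text):
    """Return [(lineno, user, finding)] for network records that are not cert-over-TLS."""
    findings = []
    for lineno, rtype, user, method, _opts in parse_hba(text):
        if rtype == "local":
            continue  # Unix-socket access is not what the certificate change targets
        if method in PASSWORD_METHODS:
            findings.append((lineno, user, "password-auth"))
        elif method == "trust":
            findings.append((lineno, user, "no-auth"))
        elif method == "cert" and rtype != "hostssl":
            # cert is only usable over TLS; declare it on a hostssl record
            findings.append((lineno, user, "cert-needs-hostssl"))
    return findings

# Constructed sample, not taken from any real deployment.
SAMPLE = """\
# TYPE  DATABASE  USER  ADDRESS  METHOD
local   all       all            peer
host    gitlabhq_production  gitlab  10.0.0.0/24  md5
host    gitlabhq_production  gitlab  10.0.1.5 255.255.255.255  scram-sha-256
host    all  gitlab_replicator  10.0.0.0/24  cert
hostssl gitlabhq_production  gitlab  10.0.2.0/24  cert map=gitlab
"""

if __name__ == "__main__":
    for lineno, user, finding in audit(SAMPLE):
        print(f"line {lineno}: user {user}: {finding}")
```
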