mirror of
https://github.com/neondatabase/neon.git
synced 2026-01-13 16:32:56 +00:00
Closes: https://github.com/neondatabase/cloud/issues/22998

If control-plane reports that TLS should be used, load the certificates (and watch for updates), make sure postgres uses them, and detects updates.

Procedure:
1. Load certificates
2. Reconfigure postgres/pgbouncer
3. Loop on a timer until certificates have loaded
4. Go to 1

Notes:
1. We only run this procedure if requested on startup by control plane.
2. We needed to compile pgbouncer with openssl enabled
3. Postgres doesn't allow tls keys to be globally accessible - must be read only to the postgres user. I couldn't convince the autoscaling team to let me put this logic into the VM settings, so instead compute_ctl will copy the keys to be read-only by postgres.
4. To mitigate a race condition, we also verify that the key matches the cert.
30 lines
585 B
Rust
//! Various tools and helpers to handle cluster / compute node (Postgres)
//! configuration.
#![deny(unsafe_code)]
#![deny(clippy::undocumented_unsafe_blocks)]

pub mod checker;
pub mod config;
pub mod configurator;
pub mod http;
#[macro_use]
pub mod logger;
pub mod catalog;
pub mod compute;
pub mod disk_quota;
pub mod extension_server;
pub mod installed_extensions;
pub mod local_proxy;
pub mod lsn_lease;
pub mod metrics;
mod migration;
pub mod monitor;
pub mod params;
pub mod pg_helpers;
pub mod rsyslog;
pub mod spec;
mod spec_apply;
pub mod swap;
pub mod sync_sk;
pub mod tls;
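Note 3 of the commit message above describes copying the TLS key so that only the postgres user can read it. The following is an added example, not code from the neon repository: `install_private_key` and `key_mode_ok` are hypothetical names, the key bytes are constructed, and it assumes the process already runs as the user that owns the destination (no chown step).

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Hypothetical helper: copy a private key to `dst` readable by the owner only.
pub fn install_private_key(src: &Path, dst: &Path) -> io::Result<()> {
    let key = fs::read(src)?;
    // Create the temporary file with mode 0600 from the start, so the key
    // never exists on disk with wider permissions (no copy-then-chmod window).
    let tmp = dst.with_extension("tmp");
    let _ = fs::remove_file(&tmp); // clear a leftover from an earlier failed run
    let mut f = OpenOptions::new()
        .write(true)
        .create_new(true) // fail instead of following a pre-planted file
        .mode(0o600)
        .open(&tmp)?;
    // The umask can only clear bits, but set the mode explicitly anyway.
    f.set_permissions(fs::Permissions::from_mode(0o600))?;
    f.write_all(&key)?;
    f.sync_all()?;
    drop(f);
    // Atomic rename: a reader sees the old key or the new one, never a partial file.
    fs::rename(&tmp, dst)
}

/// True when the file grants no access to group or others.
pub fn key_mode_ok(path: &Path) -> io::Result<bool> {
    let mode = fs::metadata(path)?.permissions().mode();
    Ok(mode & 0o077 == 0)
}

fn main() -> io::Result<()> {
    // Constructed sample input: a stand-in "key" delivered world-readable.
    let dir = std::env::temp_dir().join(format!("tls-key-demo-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let (src, dst) = (dir.join("delivered.key"), dir.join("server.key"));
    fs::write(&src, b"constructed key bytes, not a real key")?;
    fs::set_permissions(&src, fs::Permissions::from_mode(0o644))?;

    println!("delivered key owner-only: {}", key_mode_ok(&src)?);
    install_private_key(&src, &dst)?;
    println!("installed key owner-only: {}", key_mode_ok(&dst)?);
    fs::remove_dir_all(&dir)
}
```
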