I was able to successfully connect my Kong deployment (GCP GKE) to a Postgres database (GCP Cloud SQL) using the following, basic configuration:
    database: "postgres"
    pg_host: "my-database-host"
    pg_port: "my-database-port"
    pg_database: "my-database"
    pg_user: "my-database-user"
    pg_password: "my-database-password"
I then enabled SSL in the database, created a client certificate for my Kong user and added SSL-related properties to Kong config, ending up with the following:
    database: "postgres"
    pg_host: "my-database-host"
    pg_port: "my-database-port"
    pg_database: "my-database"
    pg_user: "my-database-user"
    # pg_password: "This is commented out"
    pg_ssl: "on"
    pg_ssl_required: "on"
    pg_ssl_verify: "on"
    pg_ssl_version: "tlsv1_2"
    pg_ssl_cert: "/etc/secrets/db-cert-secret/tls.crt"
    pg_ssl_cert_key: "/etc/secrets/db-cert-secret/tls.key"
    lua_ssl_trusted_certificate: "/etc/secrets/db-cert-secret/ca.pem"
Please note that the postgres password property is commented out - it would seem logical to me I can now omit the password since the authentication should now happen with the client certificate.
However, the connectivity now fails with the init migrations job throwing an error:
    Error: missing password, required for connect
    Run with --v (verbose) or --vv (debug) for more details
Is there anything I’m doing wrong? Is certificate-based authentication supported by Kong?