I was able to successfully connect my Kong deployment (GCP GKE) to a Postgres database (GCP Cloud SQL) using the following, basic configuration:
database: "postgres"
pg_host: "my-database-host"
pg_port: "my-database-port"
pg_database: "my-database"
pg_user: "my-database-user"
pg_password: "my-database-password"
I then enabled SSL in the database, created a client certificate for my Kong user and added SSL-related properties to Kong config, ending up with the following:
database: "postgres"
pg_host: "my-database-host"
pg_port: "my-database-port"
pg_database: "my-database"
pg_user: "my-database-user"
# pg_password: "This is commented out"
pg_ssl: "on"
pg_ssl_required: "on"
pg_ssl_verify: "on"
pg_ssl_version: "tlsv1_2"
pg_ssl_cert: "/etc/secrets/db-cert-secret/tls.crt"
pg_ssl_cert_key: "/etc/secrets/db-cert-secret/tls.key"
lua_ssl_trusted_certificate: "/etc/secrets/db-cert-secret/ca.pem"
Please note that the postgres password property is commented out - it would seem logical to me I can now omit the password since the authentication should now happen with the client certificate.
However, the connectivity now fails with the init migrations job throwing an error:
Error: missing password, required for connect
Run with --v (verbose) or --vv (debug) for more details
Is there anything I’m doing wrong? Is certificate-based authentication supported by Kong?