75f3dd141c
CodeQL / Analyze (go) (push) Has been cancelled
CodeQL / Analyze (actions) (push) Has been cancelled
CodeQL / Analyze (javascript-typescript) (push) Has been cancelled
CI and Release / lint-frontend (push) Has been cancelled
CI and Release / dockerfile-scan (push) Has been cancelled
CI and Release / test-frontend (push) Has been cancelled
CI and Release / lint-verification-agent (push) Has been cancelled
CI and Release / test-verification-agent (push) Has been cancelled
CI and Release / e2e-verification-agent (push) Has been cancelled
CI and Release / test-backend (push) Has been cancelled
CI and Release / build-dev-image (push) Has been cancelled
CI and Release / push-dev-image (push) Has been cancelled
CI and Release / build-image (push) Has been cancelled
CI and Release / build-verification-image (push) Has been cancelled
CI and Release / determine-version (push) Has been cancelled
CI and Release / push-image (push) Has been cancelled
CI and Release / push-verification-image (12) (push) Has been cancelled
CI and Release / lint-backend (push) Has been cancelled
CI and Release / push-verification-image (17) (push) Has been cancelled
CI and Release / push-verification-image (18) (push) Has been cancelled
CI and Release / release (push) Has been cancelled
CI and Release / publish-helm-chart (push) Has been cancelled
CI and Release / push-verification-image (13) (push) Has been cancelled
CI and Release / push-verification-image (14) (push) Has been cancelled
CI and Release / push-verification-image (15) (push) Has been cancelled
CI and Release / push-verification-image (16) (push) Has been cancelled
mTLS test certificates
Certificate chain for the test-logical-postgres-mtls container, which enforces mutual TLS -
it rejects any TCP client that does not present a client certificate signed by
ca.crt. This reproduces a Cloud SQL instance with "Require trusted client
certificates" enabled. Not used in production.
ca.crt/ca.key- test certificate authority that signs the server and client certsserver.crt/server.key- server cert, CA-signed,CN=localhost, SANlocalhost,127.0.0.1client.crt/client.key- client cert, CA-signed,CN=testuserpg_hba.conf- requiresclientcert=verify-caon every TLS connection
The container mounts ca.crt as ssl_ca_file; the backup/restore tests pass
client.crt, client.key, and ca.crt through the database API.
To regenerate (run from this directory, requires Bash for the SAN process substitution):
openssl req -x509 -newkey rsa:2048 -keyout ca.key -out ca.crt -days 3650 -nodes \
-subj "/CN=Databasus Test CA"
openssl req -newkey rsa:2048 -keyout server.key -out server.csr -nodes \
-subj "/CN=localhost"
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-out server.crt -days 3650 \
-extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1")
openssl req -newkey rsa:2048 -keyout client.key -out client.csr -nodes \
-subj "/CN=testuser"
openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-out client.crt -days 3650
rm server.csr client.csr ca.srl