Docs around SSL support for RDS#635
Conversation
HarshCasper
requested review from
bentsku,
cloutierMat,
nik-localstack,
quetzalliwrites and
steffyP
as code owners
Deploying localstack-docs with
|
| Latest commit: |
ac86302
|
| Status: | ✅ Deploy successful! |
| Preview URL: | https://adbebf5c.localstack-docs.pages.dev |
| Branch Preview URL: | https://doc-206-doc-rds-add-ssl-supp.localstack-docs.pages.dev |
cloutierMat
left a comment
cloutierMat
left a comment
There was a problem hiding this comment.
Thanks for adding this to the documentation. I think we should probably be more forward about what we do not support, since this seems to indicate we have mostly full parity with aws, but only sslmode=require is supported and we do not enforce ssl as is suggested by force_ssl
| ### Force SSL connections | ||
|
|
||
| To require every client to connect over SSL, set the `rds.force_ssl` parameter on a DB parameter group and associate it with your instance: | ||
|
|
||
| ```bash | ||
| awslocal rds create-db-parameter-group \ | ||
| --db-parameter-group-name force-ssl \ | ||
| --db-parameter-group-family postgres17 \ | ||
| --description "Force SSL connections" | ||
|
|
||
| awslocal rds modify-db-parameter-group \ | ||
| --db-parameter-group-name force-ssl \ | ||
| --parameters "ParameterName=rds.force_ssl,ParameterValue=1,ApplyMethod=pending-reboot" | ||
| ``` | ||
|
|
||
| Pass `--db-parameter-group-name force-ssl` when creating the DB instance, or attach the parameter group to an existing instance and reboot it. | ||
| Setting `rds.force_ssl=0` disables the SSL requirement, allowing clients to connect with `sslmode=disable`. |
There was a problem hiding this comment.
We do not support this. Currently SSL is always enabled (like in AWS), but never enforced (force-ssl=1 is ignored)
|
|
||
| ## SSL/TLS Support | ||
|
|
||
| LocalStack's RDS PostgreSQL emulation supports SSL/TLS-encrypted client connections, so you can test applications that require `sslmode=require` (or stricter modes) the same way they would connect to AWS RDS. |
There was a problem hiding this comment.
We do not currently support stricter mode
| PGPASSWORD=$MASTER_PW psql "host=$HOST port=$PORT dbname=$DB_NAME user=$MASTER_USER sslmode=require" | ||
| ``` | ||
|
|
||
| The DB instance uses a self-signed certificate, so clients that pin certificate authorities (`sslmode=verify-ca` or `sslmode=verify-full`) will need to disable certificate verification or supply their own trust anchors. |
There was a problem hiding this comment.
sslmode=verify-ca or sslmode=verify-full currently not supported
|
tyvm for the solid review @cloutierMat ! :) i'll let harsh address your feedback |
|
ping @HarshCasper this still has feedback waiting for you :) |
Co-authored-by: Mathieu Cloutier <79954947+cloutierMat@users.noreply.github.com>
cloutierMat
left a comment
cloutierMat
left a comment
There was a problem hiding this comment.
Thanks Harsh for adding this documentation and addressing the comments.
3 participants
Fixes DOC-206