
Add RDS CA to Docker image

Open petteja opened this issue 3 years ago • 4 comments

What problem are you facing?

One popular use case is to use provider-sql with Amazon RDS. The latest version introduced verify-full as the default sslMode, which requires that provider-sql trusts the RDS CA to be able to connect. Without that trust, it returns x509: certificate signed by unknown authority when trying to connect.

How could Crossplane help solve your problem?

I think that the RDS CA should be added to the Docker image, so that it works out of the box for RDS.

petteja avatar May 24 '22 08:05 petteja
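As an added example (not code from the issue or from the provider-sql project), this Go program reproduces the trust decision behind the error above. It builds a CA and a server certificate in memory, so no real RDS certificate is involved, and the host name db.example.invalid is a constructed value. Verifying the server certificate the way sslmode=verify-full does fails with the x509 unknown-authority error while the trust store is empty, and succeeds once the CA is in the pool.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on a setup error; this demo has no way to recover from one.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with signer on behalf of parent and parses the result.
// Every certificate here is constructed in memory; none is the real RDS root.
func issue(tmpl, parent *x509.Certificate, pub, signer any) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// verifyFull does what sslmode=verify-full demands of a client: the server
// certificate must chain to a root in pool and carry the host name dialled.
func verifyFull(server *x509.Certificate, pool *x509.CertPool, host string) error {
	_, err := server.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err
}

// demo verifies a constructed server certificate twice: against an empty trust
// store (the CA absent from the image) and against one that holds its CA.
func demo() (withoutCA, withCA error) {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed-root-ca"},
		NotBefore: nb, NotAfter: na, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey) // self-signed root
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "db.example.invalid"},
		DNSNames: []string{"db.example.invalid"}, NotBefore: nb, NotAfter: na,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	srv := issue(srvTmpl, ca, &srvKey.PublicKey, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca) // the effect of shipping or mounting the CA into the image
	return verifyFull(srv, x509.NewCertPool(), "db.example.invalid"), verifyFull(srv, trusted, "db.example.invalid")
}
```

Mounting a CA bundle and pointing the client at it (as the ProviderConfig suggestion below would do) is equivalent to the second, populated pool; the first, empty pool is what the error in this issue looks like from the client's side.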

Perhaps we can pass along the root certs to the ProviderConfig as a Secret/ConfigMap reference? This way we can make the feature available to anyone using different root certs.

WDYT?

Duologic avatar May 24 '22 09:05 Duologic

Yes, that is also an option. More config for users, but as you say that makes it easy to support other CAs. Or is this something that would fit better for ControllerConfig?

petteja avatar May 24 '22 09:05 petteja

I think that RDS should work out of the box without additional config, as it is a fairly common use case. Support for custom CAs through config could be implemented later if anyone requests it?

petteja avatar Jun 04 '22 19:06 petteja

I'd rather not see arbitrary certificates (common or not) embedded in the provider; it puts a maintenance burden on the provider, as we'd have to follow up with any changes on that end upstream.

Duologic avatar Jun 10 '22 12:06 Duologic