kviklet icon indicating copy to clipboard operation
kviklet copied to clipboard
verified publisher icon kviklet

Feature Request: Support for Postgres database certificate authentication

Open cristian-bratu-l2 opened this issue 1 year ago • 4 comments

Hi Jascha & team,

We’ve exchanged emails previously, but I thought it would be helpful to formally submit an issue as well.

Problem

In our organization, we require certificate-based authentication wherever possible. This approach enhances our security posture by enabling automatic certificate rotation without human intervention. It also reduces the window of opportunity for an attacker to gain write access to our database using credentials exfiltrated from our applications or engineers (as we generate certificates on the fly).

Currently, Kviklet only supports authentication via username and password for its internal database as well as connected databases.

Feature Request

We propose adding support for certificate-based authentication for both Kviklet’s internal Postgres database and external connected databases. This enhancement would bolster the application's security, by limiting the validity of DB credentials to the lifespan of a certificate, minimizing the risk window for potential abuse.

Thank you for considering this request!

cristian-bratu-l2 avatar Dec 12 '24 17:12 cristian-bratu-l2

Hey Chris, thanks for posting it here as well and not just via email. As promised, I'll look into this in the next few days 🤞

Askir avatar Dec 19 '24 23:12 Askir

Hey, I just merged #268 which should allow you to at least use certificate auth for hosting Kviklet (check the example here if that fullfils your needs). I'll look into the managed dbs as well.

A Question for that: Would it be okay to upload the necessary certificate files via the UI (e.g. instead of setting a password) or do you need another way to do so?

Askir avatar Dec 24 '24 15:12 Askir

Hey, I just merged #268 which should allow you to at least use certificate auth for hosting Kviklet (check the example here if that fullfils your needs). I'll look into the managed dbs as well.

A Question for that: Would it be okay to upload the necessary certificate files via the UI (e.g. instead of setting a password) or do you need another way to do so?

Hey Askir,

Thank you for adding the functionality. I haven't had a chance to take a look at it yet. With respect to the certificate upload, we would be mounting the certificates on the pod. If I'm understanding the solution correctly we'd be using the URI to direct Kviklet to the correct path. We would be rotating the certificates automatically, and restarting kviklet, in the process. Does this answer your question?

cristian-bratu-l2 avatar Jan 23 '25 14:01 cristian-bratu-l2

Okay yeh that makes a lot more sense. I was wondering, how you aim to rotate these automatically if I allow a file upload. Perfect, I think this is also something I should allow for password auth actually (providing those via env variables instead of storing it in the database).

I'm going to finish IAM Auth first and then hopefully continue with this soon. Sorry for the delay

Askir avatar Jan 27 '25 00:01 Askir