Postgres database engine lacks secure connection attributes #13934
Description
Describe the bug
There is currently no documentation on how to configure a Postgres DB backend to use TLS and specifically also client certificates. Presumably we would specify the file locations in the DSN, but there is no guidance on this nor specific parameters for accepting CA, cert, or key values when configuring a remote Vault server.
Is it not mentioned in the existing documentation, so I assume secure connections are not supported or require pre-staging the client certificates on the Vault server in a place where the pq library may access them. This makes it impossible to dynamically configure a secure Postgres DB connection.
Current documentation: https://www.vaultproject.io/api/secret/databases/postgresql
To Reproduce
Steps to reproduce the behavior:
- Configure Vault to use a TLS PG server in
verify-fullmode
Expected behavior
Documentation and engine should provide a way to store the client cert and key assigned to Vault.
Environment:
- Vault Server Version (retrieve with
vault status): - Vault CLI Version (retrieve with
vault version): 1.9.3 - Server Operating System/Architecture: 1.9.3 / linux
Additional context
pq docs: https://pkg.go.dev/github.com/lib/pq