mTLS support for postgresql datasources

[ZwS]

Hello, I'm looking if it possible to use quarkus with mTLS database connections. My use case is following: postgresql with mTLS auth enabled, certificates provided in PEM format and rotated automatically.
For the JDBC datasource I can see it is supported to set sslmode, but no way to provide client and server certificates/keys. Are there any plans to extend support for these options?
For reactive datasource it seems that mTLS support is present, but it's unclear, what will happen if certificates will be rotated. Will datasource reload them, or it only read them once, and certificate rotation should be handled manually?

[cescoffier]

About the reactive datasource because it's based on TCP, mTLS will work. Your question about certificate rotation is interesting. Once the connection is established, it will continue to work until the connection is closed. When a new connection will be established, the rotated certificates should be used. If you see something different, it's most probably a bug. Note that you either need coordinating the certificate upgrades or use a common parent trusted certificate.

I honestly have no idea about JDBC. Maybe @yrodiere knows.

[yrodiere]

I honestly have no idea about JDBC. Maybe @yrodiere knows.

Absolutely no idea.

@ZwS if you are talking about a feature of the PostgreSQL JDBC driver, maybe provide pointers to relevant documentation?

If you're running your app in JVM mode, it's likely that whatever the PostgreSQL JDBC driver recommends can be done as you would in any other framework. In native mode, it's probably more complicated.

[ZwS]

Hi @cescoffier, thank you for confirmation of the reactive datasource behavior.
Hi @yrodiere, it seems that I got confused since I looked at it late night. Since the documentation only describes certifiates configuration for the reactive datasource I've started to question if regular datasource requires any additional configurations as well. I've somehow ended up on the PostgreSQLServiceBindingConverter and assumed that only sslmode and sslrootcert supported, with no way provide client certificate/key.
But this is not relevant to the regular datasource setup via quarkus.datasource.jdbc.url, right? quarkus will take the whole jdbc url as is with all mtls related properties such as sslkey and sslcert.

[yrodiere]

I've somehow ended up on the PostgreSQLServiceBindingConverter and assumed that only sslmode and sslrootcert supported, with no way provide client certificate/key.

I confirm this is most likely completely irrelevant to you. It's about (semi-)automatic configuration in Kubernetes.

quarkus will take the whole jdbc url as is with all mtls related properties such as sslkey and sslcert.

Yes, anything you pass to the JDBC URL will be forwarded to the JDBC driver.

You can also add properties even if they are not in the URL, using quarkus.datasource.jdbc.additional-jdbc-properties."property-key".