From f1b6a51bbd3751da176dd10a9845d00ed2c050f0 Mon Sep 17 00:00:00 2001
From: Michael Barroco
Date: Tue, 21 Oct 2025 11:03:29 +0200
Subject: [PATCH] [security] Require client certificate to connect to yugabyte sql interface
---
 deploy/services/helm-charts/dss/values.yaml | 3 ++-
 deploy/services/tanka/yugabyte-auxiliary.libsonnet | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/deploy/services/helm-charts/dss/values.yaml b/deploy/services/helm-charts/dss/values.yaml
index 40897d127..aba6a1ab6 100644
--- a/deploy/services/helm-charts/dss/values.yaml
+++ b/deploy/services/helm-charts/dss/values.yaml
@@ -64,6 +64,8 @@ yugabyte:
 placement_cloud: "cloud-1"
 placement_region: "uss-1"
 placement_zone: "zone-1"
+ use_client_to_server_encryption: true
+ ysql_hba_conf_csv: 'hostssl all all 0.0.0.0/0 cert'
 monitoring:
 enabled: false
@@ -269,4 +271,3 @@ grafana:
 persistence:
 type: pvc
 enabled: true
->>>>>>> f3220540 ([helm] Add support for monitoring stack)
diff --git a/deploy/services/tanka/yugabyte-auxiliary.libsonnet b/deploy/services/tanka/yugabyte-auxiliary.libsonnet
index 8f3274f47..53c1e0d55 100644
--- a/deploy/services/tanka/yugabyte-auxiliary.libsonnet
+++ b/deploy/services/tanka/yugabyte-auxiliary.libsonnet
@@ -100,6 +100,7 @@ local yugabyteLB(metadata, name, ip) =
 --placement_zone=%s
 --use_private_ip=zone
 --node_to_node_encryption_use_client_certificates=true
+ --ysql_hba_conf_csv='hostssl all all 0.0.0.0/0 cert'
 ||| % [
 std.join(",", metadata.yugabyte.masterAddresses),
 metadata.yugabyte.tserver.rpc_bind_addresses,
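Review bot: The new `ysql_hba_conf_csv` rule in values.yaml matches only IPv4 TLS connections (`hostssl all all 0.0.0.0/0 cert`), so the effective policy depends on what else YugabyteDB writes into the generated ysql_hba.conf; if its default `host all all ::0/0 trust` / IPv4 `trust` entries are still appended when this flag is set (the hunk cannot show this), unauthenticated access remains possible, so the rendered file should be checked on a running tserver and, where IPv6 is reachable, `hostssl all all ::0/0 cert` added. The `cert` method authenticates by matching the certificate CN to the database role unless a `map=` option is given, which means every client connecting over TCP, including in-cluster tooling, needs a certificate whose CN equals its role; a comment above the key such as `# Client-cert auth for every YSQL role over TLS; cert CN must equal the DB role name. Keep in sync with deploy/services/tanka/yugabyte-auxiliary.libsonnet.` would spare the next operator a lockout. The identical rule string is added to yugabyte-auxiliary.libsonnet in this commit and the same IPv6/default-rule point applies there.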
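Review bot: `--ysql_hba_conf_csv='hostssl all all 0.0.0.0/0 cert'` carries a value with spaces inside the `|||` text block, and whether the single quotes are honoured depends on how that block is consumed, which is outside the hunk: if the rendered text is handed to a shell the quotes are stripped and the flag arrives intact, but if it is split on whitespace into argv the quotes become literal and the rule is broken into several bogus flags, so the mechanism should be confirmed before relying on this for authentication. The visible flags include `--node_to_node_encryption_use_client_certificates=true` but not `--use_client_to_server_encryption=true`; since a `hostssl` rule admits only TLS connections, if that flag is not set elsewhere in the block every YSQL connection would be rejected outright rather than certificate-authenticated, which is the opposite of the values.yaml side that sets `use_client_to_server_encryption: true` explicitly. A short comment on the new line, e.g. `# all YSQL roles over TLS only, authenticated by client cert CN = role name`, would document the intent next to the rule. The yugabyteLB text block starts and ends outside the hunk.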