Management Plane
Tetrate Service Express (TSE) utilizes many of the same components as the Tetrate Service Bridge(TSB) product but has the several distinctions. Go to Comparing TSE and TSB for more details.
ManagementPlane resource exposes a set of configurations necessary to automatically install the Service Express management plane on a cluster. The installation API is an override API so any unset fields that are not required will use sensible defaults.
Prior to creating the ManagementPlane resource, verify that the following secrets exist in the namespace the management plane will be installed into:
- tsb-certs
- ldap-credentials
- custom-host-ca (if you are using TLS connection and need a custom CA to connect to LDAP host)
- postgres-credentials (non-demo deployments)
- admin-credentials
- es-certs (if your Elasticsearch is using a self-signed certificate)
- elastic-credentials (if your Elasticsearch backend requires authentication)
A resource containing only the container registry hub will install a demo of Service Express , create a default
Organization and install local instances of external dependencies, such as Postgres, Elasticsearch, and LDAP server.
Please note that these local instances are for demonstrative purposes only and should not be used in production.
Production setups should point to a user managed Postgres and Elasticsearch as well as the enterprise LDAP server.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
hub: docker.io/tetrate
organization: tse
To move from the demo installation to production readiness, configure the top level settings that enable TSE to connect to external dependencies. When one of these settings stanzas are added the operator will delete the relevant demo component and configure the management plane to talk to the dependencies described.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
hub: docker.io/tetrate
imagePullSecrets:
- name: my-registry-creds
organization: tse
dataStore:
postgres:
address: postgres:1234
telemetryStore:
elastic:
host: elastic
port: 5678
identityProvider:
ldap:
host: ldap
port: 389
search:
baseDN: dc=tetrate,dc=io
iam:
matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
matchFilter: "(&(objectClass=person)(uid=%s))"
sync:
usersFilter: "(objectClass=person)"
groupsFilter: "(objectClass=groupOfUniqueNames)"
membershipAttribute: uniqueMember
tokenIssuer:
jwt:
expiration: 1h
issuers:
- name: https://jwt.tetrate.io
algorithm: RS256
signingKey: tls.key
Top level settings deal with higher level concepts like persistence, but some configuration can also be overridden per component. For example, to configure the team synchronization schedule in the API server, set the schedule field in the apiServer component
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
hub: docker.io/tetrate
organization: tse
components:
apiServer:
teamSyncSchedule: 17 * * * *
dataStore:
postgres:
address: postgres:1234
telemetryStore:
elastic:
host: elastic
port: 5678
identityProvider:
ldap:
host: ldap
port: 389
search:
baseDN: dc=tetrate,dc=io
iam:
matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
matchFilter: "(&(objectClass=person)(uid=%s))"
sync:
usersFilter: "(objectClass=person)"
groupsFilter: "(objectClass=groupOfUniqueNames)"
membershipAttribute: uniqueMember
tokenIssuer:
jwt:
expiration: 1h
issuers:
- name: https://jwt.tetrate.io
algorithm: RS256
signingKey: tls.key
To configure infrastructure specific settings such as resource limits on the deployment in Kubernetes, set the relevant field in a component. Remember that the installation API is an override API so if these fields are unset the operator will use sensible defaults. Only a subset of Kubernetes configuration is available and only for individual components.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
hub: docker.io/tetrate
organization: tse
components:
collector:
kubeSpec:
deployment:
resources:
limits:
memory: 750Mi
requests:
memory: 500Mi
dataStore:
postgres:
address: postgres:1234
telemetryStore:
elastic:
host: elastic
port: 5678
identityProvider:
ldap:
host: ldap
port: 389
search:
baseDN: dc=tetrate,dc=io
iam:
matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
matchFilter: "(&(objectClass=person)(uid=%s))"
sync:
usersFilter: "(objectClass=person)"
groupsFilter: "(objectClass=groupOfUniqueNames)"
membershipAttribute: uniqueMember
tokenIssuer:
jwt:
expiration: 1h
issuers:
- name: https://jwt.tetrate.io
algorithm: RS256
signingKey: tls.key
ManagementPlaneComponentSet
The set of components that make up the management plane. Use this to override application settings or Kubernetes settings for each individual component.
Field | Description | Validation Rule |
---|---|---|
apiServer | – | |
iamServer | – | |
webUI | – | |
frontEnvoy | – | |
oap | – | |
collector | tetrateio.api.install.managementplane.v1alpha1.OpenTelemetryCollector | – |
xcp | – | |
mpc | – | |
defaultLogLevel | string | – |
ngac | – | |
internalCertProvider | tetrateio.api.install.common.InternalCertProvider | – |
defaultKubeSpec | tetrateio.api.install.kubernetes.KubernetesSpec | – |
gitops | tetrateio.api.install.common.GitOps | – |
n2ac | tetrateio.api.install.managementplane.v1alpha1.N2AC | – |
ManagementPlaneSpec
ManagementPlaneSpec defines the desired installed state of TSE management plane components. Specifying a minimal ManagementPlaneSpec with hub set results in a demo installation.
Field | Description | Validation Rule |
---|---|---|
hub | string | string = { |
imagePullSecrets | List of tetrateio.api.install.kubernetes.LocalObjectReference List of references to secrets in the same namespace to use for pulling any images in pods that reference this ServiceAccount. ImagePullSecrets are distinct from Secrets because Secrets can be mounted in the pod, but ImagePullSecrets are only accessed by the kubelet. More info: https://kubernetes.io/docs/concepts/containers/images/#specifying-imagepullsecrets-on-a-pod https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.18/#service_account-v1-core | – |
organization | string | string = { |
components | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneComponentSet | – |
dataStore | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.DataStore | – |
telemetryStore | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TelemetryStore | – |
identityProvider | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.IdentityProvider | – |
tokenIssuer | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.TokenIssuer | – |
meshObservability | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.MeshObservability | – |
certIssuer | tetrateio.api.install.managementplane.v1alpha1.CertIssuer | – |
enableWasmDownloadProxy | bool | – |
providerSettings | tetrateio.api.install.managementplane.v1alpha1.ProviderSettings | – |
DataStore
Configure the data store for TSE to persist its data to.
This is a mandatory setting for production. If omitted, the operator will assume
a demo installation and for your convenience install a demo grade data store.
Select one of the DataStore
settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
postgres | tetrateio.api.install.managementplane.v1alpha1.PostgresSettings oneof _data_store | – |
IdentityProvider
Configure the Identity Provider TSE will use as the source of users.
This identity provider is used for user authentication and to periodically synchronize the
information of existing users and groups into the platform.
This is a mandatory setting for production. If omitted, the operator will assume
a demo installation and for your convenience install a demo identity provider.
Select one of the IdentityProvider
settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
oidc | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings oneof _identity_provider | – |
ldap | tetrateio.api.install.managementplane.v1alpha1.LDAPSettings oneof _identity_provider | – |
sync | tetrateio.api.install.managementplane.v1alpha1.ManagementPlaneSpec.IdentityProvider.OrgSyncSettings | – |
OrgSyncSettings
Field | Description | Validation Rule |
---|---|---|
azure | tetrateio.api.install.managementplane.v1alpha1.AzureSyncSettings oneof _provider | – |
ignoreOrphanUsers | bool | – |
MeshObservability
Configure how the mesh should be observed, which observability functionalities should be
enabled to observe your registered services in the mesh, and the store properties
that TSE will use to persist application observability data like metrics, traces,
logs.
If omitted, the operator will assume
a demo installation and for your convenience install a demo grade mesh observability
setting.
Check MeshObservabilitySettings
to see complete examples.
Field | Description | Validation Rule |
---|---|---|
settings | tetrateio.api.install.common.MeshObservabilitySettings oneof _mesh_observability | – |
TelemetryStore
Configure the store that TSE will use to persist application telemetry data
This is a mandatory setting for production. If omitted, the operator will assume
a demo installation and for your convenience install a demo grade telemetry store.
Select one of the TelemetryStore
settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
elastic | tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings oneof _telemetry_store | – |
TokenIssuer
Configure the Token Issuer TSE will use to mint tokens upon initial authentication with the
identity provider. This token is used to authenticate any subsequent internal requests in TSE .
This is a mandatory setting for production. If omitted, the operator will use an insecure default.
Select one of the TokenIssuer
settings to see complete examples.
Field | Description | Validation Rule |
---|---|---|
jwt | tetrateio.api.install.managementplane.v1alpha1.JWTSettings oneof _token_issuer | – |
AWSController
Kubernetes settings for the AWS Integration Controller component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
ApiServer
Application and Kubernetes settings for the API server component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesJobComponentSpec | – |
teamSyncSchedule | string | – |
logLevels | map<string, string> | – |
FrontEnvoy
Application and Kubernetes settings for the FrontEnvoy component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
authenticationTimeout | google.protobuf.Duration | – |
port | int32 | – |
TLSMinimumProtocolVersion | tetrateio.api.install.managementplane.v1alpha1.TLSProtocol | – |
cipherSuites | List of string | – |
ecdhCurves | List of string | – |
logLevels | map<string, string> | – |
IamServer
Kubernetes settings for the IAM server component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevels | map<string, string> | – |
MPC
Kubernetes settings for the MPC component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevels | map<string, string> | – |
N2AC
Kubernetes settings for the N2AC component.
Field | Description | Validation Rule |
---|---|---|
controller | tetrateio.api.install.managementplane.v1alpha1.N2AC.Component | – |
server | tetrateio.api.install.managementplane.v1alpha1.N2AC.Component | – |
enabled | bool | – |
Component
Common kubernetes settings for the different NGAC components.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevels | map<string, string> | – |
NGAC
Kubernetes settings for the NGAC component.
Field | Description | Validation Rule |
---|---|---|
enabled | bool | – |
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevels | map<string, string> | – |
Oap
Kubernetes settings for the OAP (SkyWalking) component.
Field | Description | Validation Rule |
---|---|---|
retentionPeriodDays | int32 | – |
streamingLogEnabled | bool | – |
onDemandEnvoyMetricsEnabled | bool | – |
storageIndexMergingEnabled | bool | – |
storageSpecificIndexSettings | List of tetrateio.api.install.managementplane.v1alpha1.Oap.StorageIndexSetting | – |
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevel | string | – |
StorageIndexSetting
Configure the number of shards and replicas a concrete index template should have.
Field | Description | Validation Rule |
---|---|---|
indexName | string | string = { |
numberOfShards | int32 | int32 = { |
numberOfReplicas | int32 | int32 = { |
OpenTelemetryCollector
Kubernetes settings for the OpenTelemetry Collector component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevel | string | – |
WebUI
Kubernetes settings for the WebUI component.
Field | Description | Validation Rule |
---|---|---|
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
XCP
Application and Kubernetes settings for the XCP component.
Field | Description | Validation Rule |
---|---|---|
centralAuthModes | tetrateio.api.install.managementplane.v1alpha1.XCP.CentralAuthModes | – |
configProtection | tetrateio.api.install.common.ConfigProtection | – |
kubeSpec | tetrateio.api.install.kubernetes.KubernetesComponentSpec | – |
logLevels | map<string, string> | – |
CentralAuthModes
Authentication modes for connections to XCP Central (from XCP Edges or MPC). At least one mode must be enabled. Multiple modes can be enabled to facilitate migration from one mode to another.
Field | Description | Validation Rule |
---|---|---|
mutualTls | bool | – |
jwt | bool | – |
AWSSettings
Global settings to AWS.
Field | Description | Validation Rule |
---|---|---|
serviceAccountName | string | string = { |
LatticeSettings
Settings specific to Lattice. These settings enable the AWS Lattice Discovery Service integration feature. It takes care of discovering AWS Lattice services with tag "Tetrate:ExposeToMesh" set to "true", registering them into TSE and creating the TSE configs to make them accessible from the mesh.
Field | Description | Validation Rule |
---|---|---|
enabled | bool oneof __enabled | – |
regions | List of string | – |
tenant | string | – |
ProviderSettings
Configure Kubernetes provider specific settings.
Field | Description | Validation Rule |
---|---|---|
aws | tetrateio.api.install.managementplane.v1alpha1.AWSSettings | – |
lattice | tetrateio.api.install.managementplane.v1alpha1.LatticeSettings | – |
AzureSyncSettings
Azure configures how users and groups are synchronized from Azure Active Directory.
Field | Description | Validation Rule |
---|---|---|
clientId | string | string = { |
tenantId | string | string = { |
environment | string
| – |
usersFilter | string | – |
groupsFilter | string | – |
baseGroupName | string | – |
CertIssuer
Configures a built in issuer for TSE TLS certificates.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
certIssuer:
selfSigned: \{\}
tsbCerts: \{\}
clusterIntermediateCAs: \{\}
Field | Description | Validation Rule |
---|---|---|
selfSigned | tetrateio.api.install.managementplane.v1alpha1.CertIssuer.SelfSignedCertIssuer oneof _issuer | – |
tsbCerts | tetrateio.api.install.managementplane.v1alpha1.CertIssuer.TsbCertsSettings | – |
clusterIntermediateCAs | tetrateio.api.install.managementplane.v1alpha1.CertIssuer.ClusterIntermediateCASettings | – |
ClusterIntermediateCASettings
Options for configuring the issued intermediate CAs that Istio in the control plane will use for assigning TLS certificates to each workload
Options such as the expiration and renewal period can be added here in the future if needed.
SelfSignedCertIssuer
Options such as the expiration and renewal period of the self signed root CA can be added here in the future if needed.
TsbCertsSettings
Options for configuring the issued TSE TLS certs.
Options such as the expiration and renewal period can be added here in the future if needed.
ElasticSearchSettings
Configure an Elasticsearch connection.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
telemetryStore:
elastic:
host: elastic
port: 5678
protocol: https
selfSigned: true
version: 7
Field | Description | Validation Rule |
---|---|---|
host | string | string = { |
port | int32 | int32 = { |
protocol | tetrateio.api.install.managementplane.v1alpha1.ElasticSearchSettings.Protocol | – |
selfSigned | bool | – |
version | int32 | int32 = { |
JWTSettings
Configure JWT based token issuance
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
tokenIssuer:
jwt:
expiration: 1h
refreshExpiration: 720h
tokenPruneInterval: 1h
issuers:
- name: https://jwt.tetrate.io
algorithm: RS256
signingKey: tls.key
audiences:
- tetrate
Field | Description | Validation Rule |
---|---|---|
issuers | List of tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer | – |
expiration | google.protobuf.Duration | – |
refreshExpiration | google.protobuf.Duration | – |
tokenPruneInterval | google.protobuf.Duration | – |
signingKeysSecret | string If unset will default to the "iam-signing-key" secret generated by the operator. | – |
Issuer
Field | Description | Validation Rule |
---|---|---|
name | string | – |
algorithm | tetrateio.api.install.managementplane.v1alpha1.JWTSettings.Issuer.Algorithm | – |
signingKey | string | – |
audiences | List of string | – |
LDAPSettings
Detail connection and query mappings for LDAP
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
identityProvider:
ldap:
host: ldap
port: 389
search:
baseDN: dc=tetrate,dc=io
timeout: 20s
recursive: true
iam:
matchDN: "cn=%s,ou=People,dc=tetrate,dc=io"
matchFilter: "(&(objectClass=person)(uid=%s))"
sync:
usersFilter: "(objectClass=person)"
groupsFilter: "(objectClass=groupOfUniqueNames)"
membershipAttribute: uniqueMember
Field | Description | Validation Rule |
---|---|---|
host | string | string = { |
port | int32 | int32 = { |
disableTLS | bool | – |
debug | bool | – |
search | tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Search | – |
iam | tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.IAM | – |
sync | tetrateio.api.install.managementplane.v1alpha1.LDAPSettings.Sync | – |
IAM
Field | Description | Validation Rule |
---|---|---|
matchDN | string | string = { |
matchFilter | string Here are some example search patterns for common LDAP implementations:
| string = { |
Search
Field | Description | Validation Rule |
---|---|---|
baseDN | string | string = { |
recursive | bool | – |
timeout | google.protobuf.Duration | – |
pagesize | int32 | – |
Sync
Field | Description | Validation Rule |
---|---|---|
usersFilter | string | string = { |
groupsFilter | string | string = { |
membershipAttribute | string | string = { |
OIDCSettings
Identity provider configuration for OIDC
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
identityProvider:
oidc:
clientId: 50076fd0b8f911eb85290242ac130003
scopes: ['email', 'profile']
redirectUri: https://example.com/iam/v2/oidc/callback
providerConfig:
dynamic:
configurationUri: https://accounts.google.com/.well-known/openid-configuration
offlineAccessConfig:
deviceCodeAuth:
clientId: 981174759bab4dc49d0072294900eade
Field | Description | Validation Rule |
---|---|---|
clientId | string | string = { |
scopes | List of string | – |
redirectUri | string | string = { |
authorizationParams | map<string, string> | – |
maxExpirationSeconds | int32 | – |
providerConfig | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.ProviderSettings | message = { |
offlineAccessConfig | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.OfflineAccessSettings | – |
DynamicSettings
Dynamically configures OIDC client settings using values from the OIDC provider's well-known OIDC configuration endpoint.
Field | Description | Validation Rule |
---|---|---|
configurationUri | string | string = { |
OfflineAccessOverrides
OIDC settings that can be used to override top-level settings for offline access.
Field | Description | Validation Rule |
---|---|---|
clientId | string | – |
scopes | List of string | – |
skipClientIdCheck | bool | – |
providerConfig | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.ProviderSettings | – |
OfflineAccessSettings
Optional OIDC settings specific to offline access. When specified these settings take precedence over top-level OIDC settings.
Field | Description | Validation Rule |
---|---|---|
deviceCodeAuth | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.OfflineAccessOverrides | – |
tokenExchange | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.OfflineAccessOverrides | – |
ProviderSettings
OIDC provider's configuration. Either dynamic or static configuration can be used. When dynamic configuration is set the TSE operator will configure OIDC settings discovered through the provider's configuration endpoint. If the provider doesn't have a configuration endpoint you can set the required OIDC settings using static values.
Field | Description | Validation Rule |
---|---|---|
dynamic | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.DynamicSettings oneof _provider_settings | – |
static | tetrateio.api.install.managementplane.v1alpha1.OIDCSettings.StaticSettings oneof _provider_settings | – |
StaticSettings
Allows to statically configure OIDC client settings if the OIDC provider doesn't have a configuration endpoint.
Field | Description | Validation Rule |
---|---|---|
authorizationEndpoint | string | string = { |
tokenEndpoint | string | string = { |
jwksUri | string oneof _jwks_setting | string = { |
jwks | string oneof _jwks_setting | string = { |
deviceCodeEndpoint | string | – |
introspectionEndpoint | string | – |
PostgresSettings
Detail connection details for Postgres
NOTE: TSE does not make any specific schema selection. It defaults to
the search_path
set by the user/role specified in the connection settings.
By default this will result in using the public
schema. If you need to use a different
schema, update the search_path
of the Postgres user accordingly.
apiVersion: install.tetrate.io/v1alpha1
kind: ManagementPlane
metadata:
name: managementplane
spec:
dataStore:
postgres:
address: "postgres:5432"
sslMode: verify_full
connectionLifetime: "8500s"
name: tsb
Field | Description | Validation Rule |
---|---|---|
host | string | – |
port | int32 | – |
sslMode | tetrateio.api.install.managementplane.v1alpha1.PostgresSettings.SSLMode | – |
connectionLifetime | string | – |
name | string | – |
address | string | string = { |
connectionIdleLifetime | string | – |
connectionMaxOpen | int32 | – |
connectionIdleMaxOpen | int32 | – |
azureIdentity | tetrateio.api.install.managementplane.v1alpha1.PostgresSettings.AzureManagedIdentity oneof _managed_identity | – |
AzureManagedIdentity
AzureManagedIdentity holds the static data needed to authenticate a PostgreSQL hosted at Azure from an Azure workload via Azure Active Directory. Ref: https://learn.microsoft.com/en-us/azure/postgresql/single-server/concepts-azure-ad-authentication
Field | Description | Validation Rule |
---|---|---|
clientId | string | string = { |
userName | string | string = { |
tokenTtl | google.protobuf.Duration | duration = { |
TLSProtocol
Field | Number | Description |
---|---|---|
TLS_AUTO | 0 | Envoy will choose the optimal TLS version. |
TLSv1_0 | 1 | |
TLSv1_1 | 2 | |
TLSv1_2 | 3 | |
TLSv1_3 | 4 |
Protocol
The list of supported protocols to communicate with Elasticsearch.
Field | Number | Description |
---|---|---|
https | 0 | |
http | 1 |
Algorithm
Field | Number | Description |
---|---|---|
RS256 | 0 | RSA / SHA-256 |
RS384 | 1 | RSA / SHA-384 |
RS512 | 2 | RSA / SHA-512 |
PS256 | 3 | RSA-PSS / SHA-256 |
PS384 | 4 | RSA-PSS / SHA-384 |
PS512 | 5 | RSA-PSS / SHA-512 |
ES256 | 6 | ECDSA / SHA-256 |
ES384 | 7 | ECDSA / SHA-384 |
ES512 | 8 | ECDSA / SHA-512 |
HS256 | 9 | HMAC / SHA-256 |
HS384 | 10 | HMAC / SHA-384 |
HS512 | 11 | HMAC / SHA-512 |
SSLMode
For more details about each of these options please refer to https://www.postgresql.org/docs/current/libpq-ssl.html
Field | Number | Description |
---|---|---|
require | 0 | |
allow | 1 | |
prefer | 2 | |
disable | 3 | |
verify_ca | 4 | |
verify_full | 5 |