The normal mode of certificate-based authentication requires the certificate Common Name to match the PostgreSQL username in order to authenticate.
This does not work for standard SPIFFE X.509 SVIDs (such as those issued by cert-manager-csi-driver-spiffe), where the CN is a SPIFFE ID:
```
$ openssl x509 -text -noout -in /var/run/secrets/spiffe.io/tls.crt
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            f1:2f:73:cf:65:05:0e:51:c9:47:64:84:ee:95:e5:30
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: CN=home.arpa PKCS #11 Intermediate
        ...
        Subject: CN=spiffe://home.arpa/ns/workload1/sa/workload1
        ...
```
pg_ident.conf can be used to map this to a username:
```
# MAPNAME SYSTEM-USERNAME PG-USERNAME
spiffe /^spiffe:\/\/home\.arpa\/ns\/workload1\/sa\/workload1$/ workload1
```
pg_hba.conf:

```
...
hostssl all all 0.0.0.0/0 cert clientcert=1 map=spiffe
...
```
I propose a `postgresql_ident_entries` variable similar to `postgresql_hba_entries`:

```yaml
postgresql_ident_entries:
  - {mapname: spiffe, system_username: "/^spiffe:\/\/home\.arpa\/ns\/workload1\/sa\/workload1$/", pg_username: "workload1"}
```
Full docs here: https://www.postgresql.org/docs/current/auth-username-maps.html
I'd contribute a PR, but I'm restricted by my work in what open-source code I can contribute (apologies for that).
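Added example (not code from the issue author or from the role): a small Python script that renders `pg_ident.conf` lines from a list in the shape proposed for `postgresql_ident_entries`, parses them back, and evaluates a certificate CN against a map using the username-map rules from the linked PostgreSQL docs (a SYSTEM-USERNAME starting with `/` is a regular expression, and a single capture may be referenced as `\1` in PG-USERNAME). The variable name `postgresql_ident_entries` is the issue's proposal, not an existing role option; the `spiffe-sa` entry and all CNs other than the issue's own are constructed for the example. Because the docs state that everything after the leading slash is the pattern, the example writes no closing `/` after `$`.

```python
import re

# Constructed sample in the shape the issue proposes for postgresql_ident_entries.
# The first entry reproduces the issue's mapping; the second is a hypothetical
# entry that captures the service-account name and maps it via \1.
# PostgreSQL treats everything after the leading "/" as the pattern, so a
# closing "/" after "$" would become part of the regex and never match.
POSTGRESQL_IDENT_ENTRIES = [
    {"mapname": "spiffe",
     "system_username": r"/^spiffe:\/\/home\.arpa\/ns\/workload1\/sa\/workload1$",
     "pg_username": "workload1"},
    {"mapname": "spiffe-sa",
     "system_username": r"/^spiffe:\/\/home\.arpa\/ns\/[^/]+\/sa\/([^/]+)$",
     "pg_username": r"\1"},
]

# Constructed CNs: the one from the issue's certificate, a second workload in
# the same trust domain, and an identity from another trust domain that must
# not be mapped to any role.
CN_WORKLOAD1 = "spiffe://home.arpa/ns/workload1/sa/workload1"
CN_OTHER_SA = "spiffe://home.arpa/ns/payments/sa/billing"
CN_FOREIGN = "spiffe://other.example/ns/workload1/sa/workload1"


def render_pg_ident(entries):
    """Render pg_ident.conf lines (MAPNAME  SYSTEM-USERNAME  PG-USERNAME).

    Fields are whitespace-separated; a pattern containing whitespace or "#"
    would need double quoting, which this simple renderer does not support."""
    lines = ["# MAPNAME  SYSTEM-USERNAME  PG-USERNAME"]
    for e in entries:
        for key in ("mapname", "system_username", "pg_username"):
            if not e.get(key) or re.search(r"[\s#]", e[key]):
                raise ValueError(f"invalid or missing {key}: {e!r}")
        lines.append(f"{e['mapname']}  {e['system_username']}  {e['pg_username']}")
    return "\n".join(lines) + "\n"


def parse_pg_ident(text):
    """Parse rendered pg_ident.conf text into (mapname, system, pg) tuples,
    skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"malformed pg_ident.conf line: {raw!r}")
        entries.append(tuple(parts))
    return entries


def ident_map_roles(entries, mapname, system_identity):
    """Return the set of PostgreSQL role names that `system_identity` (here the
    certificate CN) may log in as through map `mapname`.

    A SYSTEM-USERNAME starting with "/" is a regular expression matched
    against the identity with search semantics (hence the ^ and $ anchors in
    the sample patterns); "\\1" in PG-USERNAME is replaced by the first
    capture. Any other SYSTEM-USERNAME must equal the identity exactly."""
    roles = set()
    for name, system_user, pg_user in entries:
        if name != mapname:
            continue
        if system_user.startswith("/"):
            m = re.search(system_user[1:], system_identity)
            if m is None:
                continue
            if r"\1" in pg_user:
                if m.re.groups < 1:
                    raise ValueError(f"PG-USERNAME {pg_user!r} uses \\1 but "
                                     f"{system_user!r} has no capture group")
                roles.add(pg_user.replace(r"\1", m.group(1)))
            else:
                roles.add(pg_user)
        elif system_user == system_identity:
            roles.add(pg_user)
    return roles


def cert_cn_authenticates_as(entries, mapname, cn, requested_role):
    """The check that `cert ... map=<mapname>` in pg_hba.conf amounts to: the
    client's CN, passed through the map, must yield the role it asked for."""
    return requested_role in ident_map_roles(entries, mapname, cn)


if __name__ == "__main__":
    conf = render_pg_ident(POSTGRESQL_IDENT_ENTRIES)
    print(conf)
    parsed = parse_pg_ident(conf)
    for cn in (CN_WORKLOAD1, CN_OTHER_SA, CN_FOREIGN):
        print(cn, "->", ident_map_roles(parsed, "spiffe", cn),
              ident_map_roles(parsed, "spiffe-sa", cn))
```

Running the script prints the rendered `pg_ident.conf` and, for each constructed CN, the roles each map yields; the foreign trust domain maps to nothing under both maps, which is the property to check before rolling a regex-based map out, since an under-anchored pattern would silently widen which identities can log in as a role.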