[security] Require client certificate to connect to yugabyte sql interface (#1290)

barroco · web-flow · commit 92be735b9c64 · 2026-01-02T15:35:55.000+01:00
diff --git a/deploy/services/helm-charts/dss/values.yaml b/deploy/services/helm-charts/dss/values.yaml
@@ -64,6 +64,8 @@ yugabyte:
       placement_cloud: "cloud-1"
       placement_region: "uss-1"
       placement_zone: "zone-1"
+      use_client_to_server_encryption: true
+      ysql_hba_conf_csv: 'hostssl all all 0.0.0.0/0 cert'
 
 monitoring:
   enabled: false
@@ -269,4 +271,3 @@ grafana:
   persistence:
     type: pvc
     enabled: true
->>>>>>> f3220540 ([helm] Add support for monitoring stack)
diff --git a/deploy/services/tanka/yugabyte-auxiliary.libsonnet b/deploy/services/tanka/yugabyte-auxiliary.libsonnet
@@ -100,6 +100,7 @@ local yugabyteLB(metadata, name, ip) =
             --placement_zone=%s
             --use_private_ip=zone
             --node_to_node_encryption_use_client_certificates=true
+            --ysql_hba_conf_csv='hostssl all all 0.0.0.0/0 cert'
           ||| % [
             std.join(",", metadata.yugabyte.masterAddresses),
             metadata.yugabyte.tserver.rpc_bind_addresses,
