shankar0123
d809874fa1
Per operator decision the framework-mapping docs are gone. They
were aspirational (no audit, no certification, no validated
mapping); keeping them around was misleading.
Files deleted (1,883 lines):
- docs/compliance/index.md
- docs/compliance/soc2.md
- docs/compliance/pci-dss.md
- docs/compliance/nist-sp-800-57.md
Hyperlinks removed:
- README.md: 'Auditor / compliance' row in the doc table; the
'(compliance mapping included)' parenthetical in the
positioning paragraph
- docs/README.md: the '## Compliance' section table; the
'Auditor / compliance team' reading-order-by-role row
Prose name-drops swept across 24 files:
- README.md: 'FedRAMP boundary CAs / financial-services policy
CAs' → '4-level boundary CAs / 3-level policy CAs';
'Compliance-grade for PCI-DSS Level 1, FedRAMP Moderate / High,
SOC 2 Type II, HIPAA' → cut entirely
- getting-started/{quickstart,concepts,examples,why-certctl,
advanced-demo}.md: 'compliance' → 'audit' / 'policy';
'PCI-DSS / SOC 2 / NIST SP 800-57' framework lists cut;
''pci': 'true'' tag example → ''environment': 'production''
- migration/cert-manager-coexistence.md: 'compliance rules' →
'policy rules'
- operator/approval-workflow.md: 'Compliance customers (PCI-DSS
Level 1, FedRAMP Moderate / High, SOC 2 Type II, HIPAA)' →
'Operators'; entire 'Compliance control mapping' table
(PCI-DSS §6.4.5 / NIST SP 800-53 SA-15 / SOC 2 Type II CC6.1
/ HIPAA §164.308(a)(4)) deleted; 'compliance contract' →
'two-person-integrity contract'; 'compliance auditors' →
'reviewers'
- operator/legacy-clients-tls-1.2.md: 'PCI-DSS v4.0 Req 4 §2.2.5'
audit-reference → CWE-326 (kept); 'PCI-DSS Req 4 §2.2.5
attestation' section retitled to 'TLS posture summary' and
rewritten without framework framing; 'PCI-DSS, NIST, and
major browsers will eventually deprecate TLS 1.2' →
'Major browsers and OS vendors will eventually deprecate
TLS 1.2'
- operator/database-tls.md: PCI-DSS Req 4 §2.2.5 audit-ref →
CWE-319 only; 'PCI-DSS scope' → 'sensitive data'; PCI-DSS
Req 4 v4.0 prose footing → cut
- operator/runbooks/disaster-recovery.md: 'SOC 2 / PCI
procurement-team deliverable' → 'on-call deliverable';
'compliance auditors' → 'reviewers'
- reference/connectors/{acme,aws-acm,azure-kv,globalsign,
local-ca,openssl,ssh,index}.md: 'compliance reporting
(PCI-DSS §3.6, HIPAA §164.312)' → 'audit reporting';
'Compliance environments (PCI-DSS Level 1, FedRAMP High,
HIPAA)' → 'Regulated environments'; 'compliance audits' →
'audit'; 'FedRAMP boundary CA' pattern names →
'4-level boundary CA' (technically descriptive)
- reference/protocols/est.md: 'compliance-hook seam' →
'device-state hook seam'; 'compliance gating' → 'device-state
gating'; 'est_compliance_failed' → 'est_device_state_failed'
- reference/protocols/scep-intune.md: 'Optional compliance
check' → 'Optional device-state check'; failure-counter
'compliance_failed' → 'device_state_failed'; 'Conditional
Access compliance gating' → 'Conditional Access
device-state gating'
- reference/intermediate-ca-hierarchy.md: 'FedRAMP boundary-CA
deployments where the regulator requires...' →
'Boundary-CA deployments where you want separation of policy
and issuing authorities'; pattern A retitled '4-level FedRAMP
boundary CA' → '4-level boundary CA'
- reference/architecture.md: broken Related-docs link to
compliance.md removed; the rest of that block had stale
pre-Phase-2 paths (quickstart.md, demo-advanced.md,
connectors.md, openapi.md, testing-guide.md, test-env.md) —
retargeted to current locations
- reference/deployment-model.md: 'SOC 2 evidence-report
generator' → 'Audit-evidence report generator'
- reference/vendor-matrix.md: 'SOC 2 / PCI auditors paste this
into evidence packs' → 'reviewers paste this into
vendor-evaluation packs'
- contributor/qa-test-suite.md: 'compliance exist' coverage
description cut; 'Compliance (PCI / SOC2 / HIPAA-relevant)'
risk-class label → 'Audit-relevant'
What was kept:
- CWE references (legitimate technical pointers)
- Microsoft API/feature names that happen to use 'compliance'
literally ('Microsoft Graph compliance API',
'device-compliance validators' — these are MS product names,
not framework name-drops)
- 'NIST PQC' on the landing page (Post-Quantum Cryptography is
the actual NIST standard family, not a compliance framework)
Verified: zero hyperlinks into docs/compliance/ remain. All 24
ci-guards/*.sh pass locally. qa-doc-seed-count.sh clean.
Net diff: 26 files / -1,883 deletions in compliance/ + -32 net
across the prose sweep.
Companion edits in cowork/ (CLAUDE.md doc-tree summary +
WORKSPACE-CHANGELOG.md retirement note) land separately.
5.2 KiB
Database TLS — Postgres Transport Encryption
Last reviewed: 2026-05-05
Audit reference: Bundle B / M-018. CWE-319 (Cleartext transmission of sensitive information).
certctl talks to Postgres over a single connection-string URL controlled by the
CERTCTL_DATABASE_URL env var. The sslmode query parameter on that URL
selects the transport-encryption posture. Pre-Bundle-B all the bundled
deployment artifacts (Helm chart, docker-compose) hard-coded sslmode=disable.
Bundle B exposes that as an operator-facing knob with a documented default and
explicit opt-in / opt-out paths for the four real-world deployment shapes.
Quick reference
| Deployment shape | Default sslmode |
When to change |
|---|---|---|
| Helm chart, bundled Postgres, in-cluster | disable |
When the cluster does not provide pod-network encryption (CNI without WireGuard / IPSec) and the workload handles sensitive data. |
| Helm chart, external Postgres (RDS / Cloud SQL / Azure DB) | not auto-set | Always set to verify-full and provide the cloud provider's server CA bundle. |
| docker-compose, bundled Postgres on docker bridge | disable |
Demo/dev only; not a deployment shape we expect operators to harden. |
| docker-compose / k8s with external Postgres | not auto-set | Always set CERTCTL_DATABASE_URL to a connection string with sslmode=verify-full. |
sslmode values come from lib/pq (the underlying driver). The full set is:
disable, allow, prefer, require, verify-ca, verify-full.
verify-ca is the floor for sensitive-data transport; verify-full
is the floor for systems exposed to spoofing risk (it adds hostname
validation against the server cert's CN/SAN).
Helm chart (Bundle B)
Bundle B adds two values under postgresql.tls:
postgresql:
tls:
mode: disable # disable | require | verify-ca | verify-full
caSecretRef: "" # Secret with ca.crt key (required for verify-ca / verify-full)
The chart pipes postgresql.tls.mode into the ?sslmode= parameter of the
generated CERTCTL_DATABASE_URL (see templates/_helpers.tpl::certctl.databaseURL).
For external Postgres, set postgresql.enabled: false and override
server.env.CERTCTL_DATABASE_URL directly with the full connection string —
the operator authoring an external-DB values file owns the entire URL.
Example: external RDS with verify-full
postgresql:
enabled: false # Disable bundled Postgres
server:
env:
CERTCTL_DATABASE_URL: |
postgres://certctl:STRONGPW@my-db.cabc12345.us-east-1.rds.amazonaws.com:5432/certctl?sslmode=verify-full
# Provide the AWS RDS root CA bundle as a secret + mount.
# AWS publishes per-region root certs at https://truststore.pki.rds.amazonaws.com/
extraVolumes:
- name: rds-ca
secret:
secretName: rds-ca-bundle # kubectl create secret generic rds-ca-bundle --from-file=ca.crt=...
extraVolumeMounts:
- name: rds-ca
mountPath: /etc/postgresql-ca
readOnly: true
# lib/pq honors PGSSLROOTCERT for the verify-{ca,full} CA bundle path.
server:
env:
PGSSLROOTCERT: /etc/postgresql-ca/ca.crt
docker-compose (development / demo)
The bundled deploy/docker-compose.yml keeps sslmode=disable as the default
because the Postgres container shares the docker bridge network with the certctl
server and the compose file is not a production deployment artifact. To opt in:
export CERTCTL_DATABASE_URL='postgres://certctl:certctl@postgres:5432/certctl?sslmode=verify-full'
docker compose up
Verification
For any non-disable mode, confirm the connection actually negotiated TLS:
# From inside the certctl-server container or any host with psql + the same URL:
psql "$CERTCTL_DATABASE_URL" -c "SELECT ssl, version, cipher FROM pg_stat_ssl WHERE pid = pg_backend_pid();"
# Expected output for verify-full: ssl=t, version=TLSv1.3 (or TLSv1.2), cipher=...
If ssl=f appears, the connection silently fell back to plaintext — investigate
the cert chain or sslmode value before treating the deployment as PCI-compliant.
What this does NOT cover
- Postgres-to-Postgres replication — if you run a replica, replica-primary
TLS is configured via the Postgres server itself (
pg_hba.conf+ssl=on); it is independent of certctl'sCERTCTL_DATABASE_URL. - Backup transport —
pg_dump/pg_basebackuphonor the samesslmodeparameter when invoked with the URL form, but the bundled chart's backup story (if any) is operator-owned. - Encryption at rest —
sslmodeis a transport concern only. Disk encryption is the cloud provider's storage layer (RDS, EBS, etc.) or the operator's Postgres TDE / disk LUKS / etc.
Reverting
If sslmode=verify-full causes connection failures (most common: missing CA
bundle, wrong hostname), drop temporarily to sslmode=require to confirm TLS
is at least negotiated, then add the CA bundle and ratchet back up. Never
revert to sslmode=disable on a system carrying real cert metadata —
audit_events alone contains enough operator/issuer/target identity to justify
TLS in any scoped environment.