feat(db): allow passing an encoded ca certificate through envornment variables

c44ac0bc · Yannis Barlas · 45f189cd · c44ac0bc · c44ac0bc
Commit c44ac0bc authored 3 months ago by Yannis Barlas
--- a/dev/config/custom-environment-variables.js
+++ b/dev/config/custom-environment-variables.js
@@ -14,12 +14,7 @@ module.exports = {
      __name: 'POSTGRES_ALLOW_SELF_SIGNED_CERTIFICATES',
      __format: 'json',
    },
-    // ssl: {
-    //   rejectUnauthorized: {
-    //     __name: 'POSTGRES_ALLOW_SELF_SIGNED_CERTIFICATES',
-    //     __format: 'json',
-    //   },
-    // },
+    caCert: 'POSTGRES_CA_CERT',
  },
  serverUrl: 'SERVER_URL',
  fileStorage: {

--- a/src/db/connectionConfig.js
+++ b/src/db/connectionConfig.js
 const config = require('config')

 const getDbConnectionConfig = () => {
-  const { allowSelfSignedCertificates, ...connectionConfig } = config.get('db')
+  const { allowSelfSignedCertificates, caCert, ...connectionConfig } =
+    config.get('db')

  // clone to get around an issue of knex deleting password from the original object
  const connection = { ...connectionConfig }
@@ -11,6 +12,20 @@ const getDbConnectionConfig = () => {
    connection.ssl.rejectUnauthorized = false
  }

+  if (caCert) {
+    if (!connection.ssl) connection.ssl = {}
+    connection.ssl.rejectUnauthorized = true
+
+    /**
+     * The value of the env variable should be the base64 encoded crt file.
+     * eg. the result of `base64 -w0 ca-certificate.crt`
+     * It gets decoded here. This is to prevent issues with newlines when trying
+     * to pass the contents of a cert file as an environment variable in some
+     * deployment environments.
+     */
+    connection.ssl.ca = Buffer.from(caCert, 'base64').toString('utf-8')
+  }
+
  return connection
 }