Db tls (#102)

* go mod tidy * complete example config * add tls support for db connection * add certpool to tlsConfig * add some lil docker scripts
2025-12-10 08:48:08 -06:00 · 2021-07-19 18:03:07 +02:00 · 2021-07-19 18:03:07 +02:00 · 677490bc4e
commit 677490bc4e
parent bbc2494c58
10 changed files with 302 additions and 45 deletions
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -165,6 +165,14 @@ func (c *Config) ParseCLIFlags(f KeyedFlags, version string) error {
 		c.DBConfig.Database = f.String(fn.DbDatabase)
 	}

+	if c.DBConfig.TLSMode == DBTLSModeUnset || f.IsSet(fn.DbTLSMode) {
+		c.DBConfig.TLSMode = DBTLSMode(f.String(fn.DbTLSMode))
+	}
+
+	if c.DBConfig.TLSCACert == "" || f.IsSet(fn.DbTLSCACert) {
+		c.DBConfig.TLSCACert = f.String(fn.DbTLSCACert)
+	}
+
 	// template flags
 	if c.TemplateConfig.BaseDir == "" || f.IsSet(fn.TemplateBaseDir) {
 		c.TemplateConfig.BaseDir = f.String(fn.TemplateBaseDir)
@ -284,12 +292,14 @@ type Flags struct {
 	Host            string
 	Protocol        string

-	DbType     string
-	DbAddress  string
-	DbPort     string
-	DbUser     string
-	DbPassword string
-	DbDatabase string
+	DbType      string
+	DbAddress   string
+	DbPort      string
+	DbUser      string
+	DbPassword  string
+	DbDatabase  string
+	DbTLSMode   string
+	DbTLSCACert string

 	TemplateBaseDir string
 	AssetBaseDir    string
@ -329,12 +339,14 @@ type Defaults struct {
 	Protocol        string
 	SoftwareVersion string

-	DbType     string
-	DbAddress  string
-	DbPort     int
-	DbUser     string
-	DbPassword string
-	DbDatabase string
+	DbType      string
+	DbAddress   string
+	DbPort      int
+	DbUser      string
+	DbPassword  string
+	DbDatabase  string
+	DBTlsMode   string
+	DBTlsCACert string

 	TemplateBaseDir string
 	AssetBaseDir    string
@ -375,12 +387,14 @@ func GetFlagNames() Flags {
 		Host:            "host",
 		Protocol:        "protocol",

-		DbType:     "db-type",
-		DbAddress:  "db-address",
-		DbPort:     "db-port",
-		DbUser:     "db-user",
-		DbPassword: "db-password",
-		DbDatabase: "db-database",
+		DbType:      "db-type",
+		DbAddress:   "db-address",
+		DbPort:      "db-port",
+		DbUser:      "db-user",
+		DbPassword:  "db-password",
+		DbDatabase:  "db-database",
+		DbTLSMode:   "db-tls-mode",
+		DbTLSCACert: "db-tls-ca-cert",

 		TemplateBaseDir: "template-basedir",
 		AssetBaseDir:    "asset-basedir",
@ -422,12 +436,14 @@ func GetEnvNames() Flags {
 		Host:            "GTS_HOST",
 		Protocol:        "GTS_PROTOCOL",

-		DbType:     "GTS_DB_TYPE",
-		DbAddress:  "GTS_DB_ADDRESS",
-		DbPort:     "GTS_DB_PORT",
-		DbUser:     "GTS_DB_USER",
-		DbPassword: "GTS_DB_PASSWORD",
-		DbDatabase: "GTS_DB_DATABASE",
+		DbType:      "GTS_DB_TYPE",
+		DbAddress:   "GTS_DB_ADDRESS",
+		DbPort:      "GTS_DB_PORT",
+		DbUser:      "GTS_DB_USER",
+		DbPassword:  "GTS_DB_PASSWORD",
+		DbDatabase:  "GTS_DB_DATABASE",
+		DbTLSMode:   "GTS_DB_TLS_MODE",
+		DbTLSCACert: "GTS_DB_CA_CERT",

 		TemplateBaseDir: "GTS_TEMPLATE_BASEDIR",
 		AssetBaseDir:    "GTS_ASSET_BASEDIR",
--- a/internal/config/db.go
+++ b/internal/config/db.go
@ -20,11 +20,30 @@ package config

 // DBConfig provides configuration options for the database connection
 type DBConfig struct {
-	Type            string `yaml:"type"`
-	Address         string `yaml:"address"`
-	Port            int    `yaml:"port"`
-	User            string `yaml:"user"`
-	Password        string `yaml:"password"`
-	Database        string `yaml:"database"`
-	ApplicationName string `yaml:"applicationName"`
+	Type            string    `yaml:"type"`
+	Address         string    `yaml:"address"`
+	Port            int       `yaml:"port"`
+	User            string    `yaml:"user"`
+	Password        string    `yaml:"password"`
+	Database        string    `yaml:"database"`
+	ApplicationName string    `yaml:"applicationName"`
+	TLSMode         DBTLSMode `yaml:"tlsMode"`
+	TLSCACert       string    `yaml:"tlsCACert"`
 }
+
+// DBTLSMode describes a mode of connecting to a database with or without TLS.
+type DBTLSMode string
+
+// DBTLSModeDisable does not attempt to make a TLS connection to the database.
+var DBTLSModeDisable DBTLSMode = "disable"
+
+// DBTLSModeEnable attempts to make a TLS connection to the database, but doesn't fail if
+// the certificate passed by the database isn't verified.
+var DBTLSModeEnable DBTLSMode = "enable"
+
+// DBTLSModeRequire attempts to make a TLS connection to the database, and requires
+// that the certificate presented by the database is valid.
+var DBTLSModeRequire DBTLSMode = "require"
+
+// DBTLSModeUnset means that the TLS mode has not been set.
+var DBTLSModeUnset DBTLSMode = ""
--- a/internal/config/default.go
+++ b/internal/config/default.go
@ -120,12 +120,14 @@ func GetDefaults() Defaults {
 		Host:            "",
 		Protocol:        "https",

-		DbType:     "postgres",
-		DbAddress:  "localhost",
-		DbPort:     5432,
-		DbUser:     "postgres",
-		DbPassword: "postgres",
-		DbDatabase: "postgres",
+		DbType:      "postgres",
+		DbAddress:   "localhost",
+		DbPort:      5432,
+		DbUser:      "postgres",
+		DbPassword:  "postgres",
+		DbDatabase:  "postgres",
+		DBTlsMode:   "disable",
+		DBTlsCACert: "",

 		TemplateBaseDir: "./web/template/",
 		AssetBaseDir:    "./web/assets/",