feat: Make Database SSL Configurable through files #6892
❌ Code Health Quality Gates: FAILED
- Declining Code Health: 1 findings(s) 🚩
- Improving Code Health: 1 findings(s) ✅
This makes it configurable either through a single JSON file with all three certificates as separate keys or via separate files per ca/cert/key key. fixes #6718
src/lib/create-config.ts
Outdated
return JSON.parse(process.env.DATABASE_SSL); | ||
} else if ( | ||
process.env.DATABASE_SSL_CA_CONFIG != null && | ||
filesExists(process.env.DATABASE_SSL_CA_CONFIG) |
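Review bot: `JSON.parse(process.env.DATABASE_SSL)` on the first line is unguarded, so a malformed value surfaces as a bare SyntaxError that does not say which setting is at fault; wrap it and rethrow with a message naming DATABASE_SSL. The `filesExists(...)` guard on the `else if` only says whether the path exists, not whether it is readable, so the read that follows still has to report its own failure rather than being skipped.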
Not convinced about the file existence checks here. Is there a place where we want the file check to return true but return an empty object if it's unreadable or contains broken JSON?
Maybe it's the Python dev in me but I'd lean on just reading the thing and trapping the exception case
I think that's a fair point. I think failing on non-existing files if you use the env vars is fair enough.
src/lib/create-config.ts
Outdated
try { | ||
return readFileSync(caFilePath).toJSON(); | ||
} catch (e) { | ||
return {}; |
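Review bot: `readFileSync(caFilePath).toJSON()` does not return the file's contents; it returns the Buffer's `{ type: 'Buffer', data: [...] }` serialisation, so the CA would never be a PEM string. Read with `readFileSync(caFilePath, 'utf8')` (and `JSON.parse` only if the file is JSON), and drop the `return {}` in the catch so a missing or unreadable file fails hard instead of silently producing an empty SSL config.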
I'd be tempted to just bubble here. If you asked for this to happen and it didn't, I'd be rather surprised to find a quiet fail without a log
Agreed. Let's fail hard, we do in other paths for config.
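The resolution agreed above, as an added example (not the project's own create-config.ts): read `DATABASE_SSL` as JSON or one PEM file per field, and fail hard with a message naming the variable. `DATABASE_SSL` and `DATABASE_SSL_CA_CONFIG` come from this PR; the `_CERT_CONFIG`/`_KEY_CONFIG` names, the helper names and the sample PEM text are assumptions. Each file is optional, so a CA-only setup also works.

```typescript
// Added example, not Unleash's create-config.ts. DATABASE_SSL and
// DATABASE_SSL_CA_CONFIG are the names used in this PR; the CERT/KEY
// variants, the helper names and the sample PEM text are assumptions.
import { readFileSync, writeFileSync, mkdtempSync } from 'fs';
import { tmpdir } from 'os';
import { join } from 'path';

interface DatabaseSsl { ca?: string; cert?: string; key?: string; rejectUnauthorized?: boolean }
type PemField = 'ca' | 'cert' | 'key';

// Read one PEM file as text. readFileSync(path).toJSON() would yield the
// Buffer's {type, data} form, not the certificate, so request utf8.
// Any failure is rethrown with the variable name: no silent empty object.
function readPem(envName: string, path: string): string {
  try {
    return readFileSync(path, 'utf8');
  } catch (e) {
    throw new Error(`${envName}="${path}" could not be read: ${(e as Error).message}`);
  }
}

function resolveDatabaseSsl(env: Record<string, string | undefined>): DatabaseSsl | undefined {
  // Option 1: one JSON document with ca/cert/key as separate keys.
  if (env.DATABASE_SSL != null) {
    try {
      return JSON.parse(env.DATABASE_SSL) as DatabaseSsl;
    } catch (e) {
      throw new Error(`DATABASE_SSL is not valid JSON: ${(e as Error).message}`);
    }
  }
  // Option 2: one file per field. Each is optional, so CA-only works.
  const sources: Array<[PemField, string]> = [
    ['ca', 'DATABASE_SSL_CA_CONFIG'],
    ['cert', 'DATABASE_SSL_CERT_CONFIG'],
    ['key', 'DATABASE_SSL_KEY_CONFIG'],
  ];
  const ssl: DatabaseSsl = {};
  for (const [field, envName] of sources) {
    const path = env[envName];
    if (path) ssl[field] = readPem(envName, path); // missing file throws
  }
  return Object.keys(ssl).length > 0 ? ssl : undefined;
}

// Demo: write a constructed (not real) CA file to a temp dir and resolve it.
function demoCaOnly(): DatabaseSsl | undefined {
  const caPath = join(mkdtempSync(join(tmpdir(), 'dbssl-')), 'ca.pem');
  writeFileSync(caPath, '-----BEGIN CERTIFICATE-----\nMIIBconstructed\n-----END CERTIFICATE-----\n');
  return resolveDatabaseSsl({ DATABASE_SSL_CA_CONFIG: caPath });
}
```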
@@ -1,25 +1,26 @@ | |||
import { parse } from 'pg-connection-string'; | |||
import merge from 'deepmerge'; | |||
import * as fs from 'fs'; | |||
import { readFileSync } from 'fs'; |
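Review bot: the hunk shows both `import * as fs from 'fs';` and `import { readFileSync } from 'fs';`; with the +/- markers lost in extraction it is not clear which one survives, but only one import of 'fs' should remain after this change. If `readFileSync` is the only function used, keep the named import and drop the namespace one.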
ℹ Getting worse: Overall Code Complexity
The mean cyclomatic complexity increases from 5.24 to 5.28, threshold = 4
✅ Code Health Quality Gates: OK
Just to confirm, this doesn't change the default username and passwords that are set up when self-hosting, right? It just lets you configure it.
It doesn't touch anything for default username and password, it's concerned with configuring a secure connection to the database.
Perfect, thanks
Ye! Code looks good, so I'm gonna tack on an approve. I'll put comments on the docs if I spot anything
Wow, IntelliJ got a little intense with the whitespace here but the docs look good at a glance
Can I set only the CA file path without
Regarding ticket #6892: I would like to enable the use of a CA certificate without requiring other certificates. This would be useful for AWS Helm, as AWS only provides a single PEM file for DB connections.