Postgres Secure Connection Support (#1117)

* init

* rename POSTGRES_SECURE to POSTGRES_SSL

* fix

* fix

* tweaks

---------

Co-authored-by: Deepak Prabhakara <[email protected]>

.env

@@ -1,4 +1,5 @@
 POSTGRES_HOST=127.0.0.1
+POSTGRES_SSL=
 HMAC_SECRET_ADMIN=xxxxxxx
 NSQD_HTTP_PORT=4151
 SHLVL=1

src/_db/commands/up/pg.ts

@@ -37,7 +37,9 @@ export const handler = async (argv) => {
   try {
     const postgrator = (await import("postgrator")).default;
     logger.child({ up: "pg", schemaPath: argv.schemaPath }).info("beginning handler");
-    const cs = `tcp://${argv.postgresUser}:${argv.postgresPassword}@${argv.postgresHost}:${argv.postgresPort}/${argv.postgresDatabase}`;
+    const cs = `tcp://${argv.postgresUser}:${argv.postgresPassword}@${argv.postgresHost}:${
+      argv.postgresPort
+    }/${argv.postgresDatabase}${argv.postgresSsl ? "?sslmode=require" : ""}`;
     const client = new pg.Client(cs);
     // Establish a database connection
     await client.connect();

src/config.ts

@@ -10,6 +10,7 @@ export default {
   EXPORT_PAGE_SIZE_INTERNAL: process.env.EXPORT_PAGE_SIZE_INTERNAL || env.EXPORT_PAGE_SIZE_INTERNAL || 10000,
   POSTGRES_PASSWORD: process.env.POSTGRES_PASSWORD || env.POSTGRES_PASSWORD,
   POSTGRES_POOL_SIZE: process.env.POSTGRES_POOL_SIZE || env.POSTGRES_POOL_SIZE || 20,
+  POSTGRES_SSL: process.env.POSTGRES_SSL || env.POSTGRES_SSL,
   HMAC_SECRET_VIEWER: process.env.HMAC_SECRET_VIEWER || env.HMAC_SECRET_VIEWER,
   POSTGRES_PORT: process.env.POSTGRES_PORT || env.POSTGRES_PORT,
   API_BASE_URL_PATH: process.env.API_BASE_URL_PATH || env.API_BASE_URL_PATH,

src/persistence/pg.ts

@@ -15,6 +15,7 @@ export default function getPgPool(): pg.Pool {
       host: config.POSTGRES_HOST,
       port: Number(config.POSTGRES_PORT),
       max: Number(config.POSTGRES_POOL_SIZE) || 20,
+      ssl: config.POSTGRES_SSL || false,
       idleTimeoutMillis: Number(config.PUBLISHER_CREATE_EVENT_TIMEOUT) || 2000, // how long a client is allowed to remain idle before being closed
     });