diggerhq / digger

Digger is an open source IaC orchestration tool. Digger allows you to run IaC in your existing CI pipeline ⚡️
https://digger.dev
Apache License 2.0

backend seems to require SSL for Postgres #1407

Open dannysauer opened 4 months ago

dannysauer commented 4 months ago

No documentation I've seen so far says SSL is required for communication with Postgres, but I'm getting this output in a helm install using DB Operator (https://github.com/db-operator/db-operator) to provision a Postgres DB:

Error: postgres: scanning system variables: pq: SSL is not enabled on the server

I don't particularly need SSL between the digger container and the auth gateway container (https://github.com/db-operator/db-auth-gateway) running in the same namespace on k8s, and it's not clear if that's even possible. I like the auth gateway because 1) it's how all the other databases work here and 2) it secures the connection over the wire using the Google APIs and transient certs which rotate roughly hourly.

I'm having a hard time finding documentation on where this SSL requirement is configured, though. The error message itself is coming from the Go library - https://github.com/lib/pq/blob/3d613208bca2e74f2a20e04126ed30bcb5c4cc27/conn.go#L1129 - but I'm not sure exactly where in the path between "run digger" and "enforce PSQL connection using ssl" this is happening, or how to disable it. Suggestions? :)

dannysauer commented 3 months ago

Turns out that making this work was as simple as adding the sslmode parameter to the connection string. In my case, I used this file applied in the appropriate namespace to create the DB and populate a secret with the connection string:

---
apiVersion: kinda.rocks/v1beta1
kind: Database
metadata:
  name: "digger-db"
spec:
  secretName: digger-db-credentials
  instance: gsql           # This has to match DbInstance name
  deletionProtected: false # delete DB when resource is deleted
  cleanup: true            # remove configmap/secret on deletion
  backup:
    enable: false
    cron: "0 0 * * *"
  secretsTemplates:
    DATABASE_URL: "postgres://{{ .UserName }}:{{ .Password }}@{{ .DatabaseHost }}:{{ .DatabasePort }}/{{ .DatabaseName }}?sslmode=disable"

The important part is the ?sslmode=disable added to the end of the URL.

This might be something to stick into the documentation somewhere, but I'm not sure where. So even though my issue is resolved, I'm leaving the issue open in case someone more familiar with the docs has an opinion on that. :)
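An added pre-deploy check, not code from digger or lib/pq, that classifies what lib/pq will do with a DATABASE_URL like the one rendered from the secret template above (the sample URL and the digger-db host name are constructed). It reproduces lib/pq's own default of sslmode=require, which is why an unmodified URL fails with "SSL is not enabled on the server", and flags that sslmode=disable means plaintext on the wire, which is only acceptable when a local encrypting hop such as the auth gateway sits in front of the database.

```go
package main

import (
	"fmt"
	"net/url"
)

// TLSPosture is what lib/pq will actually do on the wire for a connection URL.
type TLSPosture struct {
	Mode      string // sslmode as lib/pq applies it
	Defaulted bool   // sslmode was absent, so lib/pq's own default applied
	Encrypted bool   // false only for "disable"
	Verified  bool   // server certificate checked (verify-ca / verify-full)
}

// Inspect classifies a postgres:// URL such as the DATABASE_URL secret above, so a
// pre-deploy check can flag plaintext or unverified database links before the chart is applied.
func Inspect(conn string) (TLSPosture, error) {
	u, err := url.Parse(conn)
	if err != nil {
		return TLSPosture{}, err
	}
	if u.Scheme != "postgres" && u.Scheme != "postgresql" {
		return TLSPosture{}, fmt.Errorf("not a postgres URL: scheme %q", u.Scheme)
	}
	p := TLSPosture{Mode: u.Query().Get("sslmode")}
	if p.Mode == "" {
		// lib/pq defaults to "require" (libpq itself defaults to "prefer"), which is why an
		// unmodified URL fails with "SSL is not enabled on the server" against a plaintext listener.
		p.Mode, p.Defaulted = "require", true
	}
	switch p.Mode {
	case "disable": // plaintext on the wire; only sane behind a local encrypting proxy such as the auth gateway
	case "require": // encrypted, but the server certificate is not verified unless sslrootcert is also set
		p.Encrypted = true
	case "verify-ca", "verify-full": // verify-full additionally checks the hostname
		p.Encrypted, p.Verified = true, true
	default: // lib/pq rejects libpq's "allow" and "prefer"
		return p, fmt.Errorf("lib/pq does not support sslmode %q", p.Mode)
	}
	return p, nil
}

func main() {
	// Constructed sample: the rendered form of the DATABASE_URL template from the issue.
	p, err := Inspect("postgres://digger:pw@digger-db:5432/digger?sslmode=disable")
	fmt.Printf("%+v %v\n", p, err)
}
```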