Restore concatenated CA string logic for db connnections, make rejectUnauthorized configurable through environment variable

3 years ago · ee72ad07da
3 changed files with 24 additions and 5 deletions
--- a/dev/helm/templates/deployment.yaml
+++ b/dev/helm/templates/deployment.yaml
@ -53,6 +53,8 @@ spec:
              value: "{{ default "false" .Values.postgresql.ssl }}"
            - name: DB_SSL_CA
              value: "{{ default "" .Values.postgresql.ca }}"
+            - name: DB_SSL_REJECTUNAUTHORIZED
+              value: "{{ default "true" .Values.postgresql.rejectUnauthorized }}"
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
--- a/dev/helm/values.yaml
+++ b/dev/helm/values.yaml
@ -115,9 +115,15 @@ postgresql:
  ##
  # ssl: false
  ## ca Certificate of Authority
-  ## Default to empty, point to location of CA
+  ## this can either be a single line string (without spaces or new lines)
+  ## without the prefix and suffix lines, or a path to a certificate file.
+  ## Default to empty
  ##
-  # ca: "path to ca"
+  # ca: "single line or path to ca"
+  ## rejectUnauthorized reject self-signed certificates
+  ## Default to true
+  ##
+  # rejectUnauthorized: true
  ## postgresqlHost override postgres database host
  ## Default to postgres
  ##
--- a/server/core/db.js
+++ b/server/core/db.js
@ -60,13 +60,24 @@ module.exports = {
      sslOptions = true
    }

-    // Handle self-signed CA file
+    // Handle self-signed CA file or concatenated string
    // https://node-postgres.com/features/ssl
    if (!_.isEmpty(process.env.DB_SSL_CA)) {
+      try {
+        ca = fs.readFileSync(process.env.DB_SSL_CA).toString()
+      } catch(_) {
+        const chunks = []
+        for (let i = 0, charsLength = process.env.DB_SSL_CA.length; i < charsLength; i += 64) {
+          chunks.push(process.env.DB_SSL_CA.substring(i, i + 64))
+        }
+
+        ca = '-----BEGIN CERTIFICATE-----\n' + chunks.join('\n') + '\n-----END CERTIFICATE-----\n'
+      }
+
      dbUseSSL = true
      sslOptions = {
-        rejectUnauthorized: false,
-        ca: fs.readFileSync(process.env.DB_SSL_CA).toString(),
+        rejectUnauthorized: [true, 'true', 1, '1'].includes(process.env.DB_SSL_REJECTUNAUTHORIZED),
+        ca,
      }
    }