Gnous/mattermost
Archived
2
0
Fork 0
Code Issues Pull Requests Projects Releases Activity

Enable easy configuration of encrypted PostgreSQL connections with new optional DB_SSLMODE (defaults to current value of "disable") following values allowed by PostgreSQL (#506)

Browse Source 
* change to support environment variable configuration of SSL mode for PostgreSQL connections
This commit is contained in:
Dave Thompson 2020-12-10 09:02:24 -05:00 committed by GitHub
parent 43501880ff
commit bb1e8066c4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 18 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
README.md
View File

@ -67,6 +67,13 @@ If your database use some custom host and port, it is also possible to configure
* `DB_HOST`: database host address * `DB_HOST`: database host address
* `DB_PORT_NUMBER`: database port * `DB_PORT_NUMBER`: database port
Use this optional variable if your PostgreSQL connection requires encryption (you may need a certificate authority file and/or a certificate revocation list - check the documentation for your database provider). See the [PostgreSQL notes on encrypted connections](https://www.postgresql.org/docs/current/libpq-ssl.html) for recommendations on what values to use when encryption is needed.
* `DB_SSLMODE`: defaults to `disable`, indicating no encryption
PostgreSQL allows two other variables `sslrootcert` and `sslcrl` for connection strings. However these are not broadly supported when the connection string is specified as a URI. If you need these parameters, use the PostgreSQL-specified environment variables
* `PGSSLROOTCERT` specifies the location of CA file
* `PGSSLCRL` specifies the location of a certificate revocation list file
If you use a Mattermost configuration file on a different location than the default one (`/mattermost/config/config.json`) : If you use a Mattermost configuration file on a different location than the default one (`/mattermost/config/config.json`) :
* `MM_CONFIG`: configuration file location inside the container. * `MM_CONFIG`: configuration file location inside the container.

12
app/entrypoint.sh
View File

@ -8,6 +8,16 @@ generate_salt() {
# Read environment variables or set default values # Read environment variables or set default values
DB_HOST=${DB_HOST:-db} DB_HOST=${DB_HOST:-db}
DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432} DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432}
# see https://www.postgresql.org/docs/current/libpq-ssl.html
# for usage when database connection requires encryption
# filenames should be escaped if they contain spaces
# i.e. $(printf %s ${MY_ENV_VAR:-''} | jq -s -R -r @uri)
# the location of the CA file can be set using environment var PGSSLROOTCERT
# the location of the CRL file can be set using PGSSLCRL
# The URL syntax for connection string does not support the parameters
# sslrootcert and sslcrl reliably, so use these PostgreSQL-specified variables
# to set names if using a location other than default
DB_USE_SSL=${DB_USE_SSL:-disable}
MM_DBNAME=${MM_DBNAME:-mattermost} MM_DBNAME=${MM_DBNAME:-mattermost}
MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json} MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json}
@ -56,7 +66,7 @@ if [ "$1" = 'mattermost' ]; then
echo "Configure database connection..." echo "Configure database connection..."
# URLEncode the password, allowing for special characters # URLEncode the password, allowing for special characters
ENCODED_PASSWORD=$(printf %s "$MM_PASSWORD" | jq -s -R -r @uri) ENCODED_PASSWORD=$(printf %s "$MM_PASSWORD" | jq -s -R -r @uri)
export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=disable&connect_timeout=10" export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=$DB_USE_SSL&connect_timeout=10"
echo "OK" echo "OK"
else else
echo "Using existing database connection" echo "Using existing database connection"