pkgsite/internal/config: parameterize Postgres sslmode

This CL adds a new GO_DISCOVERY_DATABASE_SSL environment variable
so that the sslmode used for Postgres database connections can be configured.
It defaults to "disable" to ensure backwards compatibility.

Fixes golang/go#49977

Change-Id: I399e32f1a7862c55c7923bc55f465e16b9a5659b
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/369314
Trust: Jamal Carvalho <jamal@golang.org>
Run-TryBot: Jamal Carvalho <jamal@golang.org>
TryBot-Result: kokoro <noreply+kokoro@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
diff --git a/devtools/migrate_db.sh b/devtools/migrate_db.sh
index e47b106..b4a6d26 100755
--- a/devtools/migrate_db.sh
+++ b/devtools/migrate_db.sh
@@ -28,6 +28,10 @@
 if [[ $GO_DISCOVERY_DATABASE_NAME != "" ]]; then
   database_name=$GO_DISCOVERY_DATABASE_NAME
 fi
+ssl_mode='disable'
+if [[ $GO_DISCOVERY_DATABASE_SSL != "" ]]; then
+  ssl_mode=$GO_DISCOVERY_DATABASE_SSL
+fi
 
 # Redirect stderr to stdout because migrate outputs to stderr, and we want
 # to be able to use ordinary output redirection.
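Review bot: `ssl_mode` is copied from GO_DISCOVERY_DATABASE_SSL without any check and is then interpolated into the `-database` URL in the next hunk, so a typo or a value containing `&` or `#` changes the connection parameters instead of failing early. Reject unknown values right after the assignment, e.g. `case "$ssl_mode" in disable|require|verify-ca|verify-full) ;; *) echo "invalid GO_DISCOVERY_DATABASE_SSL: $ssl_mode" >&2; exit 1 ;; esac` (adjust the list to the modes the migrate driver accepts). The same unvalidated value is read by the `GetEnv("GO_DISCOVERY_DATABASE_SSL", "disable")` line added in internal/config/config.go and deserves the same check there. A comment noting that the default leaves the connection unencrypted, and that `require` encrypts without verifying the server certificate, would help whoever sets this variable.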
@@ -35,7 +39,7 @@
   up|down|force|version)
     migrate \
       -source file:migrations \
-      -database "postgresql://$database_user:$database_password@$database_host:5432/$database_name?sslmode=disable" \
+      -database "postgresql://$database_user:$database_password@$database_host:5432/$database_name?sslmode=$ssl_mode" \
       "$@" 2>&1
     ;;
   *)
diff --git a/internal/config/config.go b/internal/config/config.go
index 739f5d9..8faa521 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -159,9 +159,9 @@
 	// AppEngine.
 	FallbackVersionLabel string
 
-	DBSecret, DBUser, DBHost, DBPort, DBName string
-	DBSecondaryHost                          string // DB host to use if first one is down
-	DBPassword                               string `json:"-"`
+	DBSecret, DBUser, DBHost, DBPort, DBName, DBSSL string
+	DBSecondaryHost                                 string // DB host to use if first one is down
+	DBPassword                                      string `json:"-"`
 
 	// Configuration for redis page cache.
 	RedisCacheHost, RedisBetaCacheHost, RedisCachePort string
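Review bot: `DBSSL` is added to the field list without a comment, and the name reads like a boolean although the value is passed as the Postgres `sslmode` string. Declaring it on its own line with a comment would make that clear, e.g. `// DBSSL is the Postgres sslmode (for example "disable", "require", "verify-full"); "disable" means the connection is not encrypted.` The struct definition starts and ends outside this hunk.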
@@ -267,8 +267,10 @@
 	// Set the statement_timeout config parameter for this session.
 	// See https://www.postgresql.org/docs/current/runtime-config-client.html.
 	timeoutOption := fmt.Sprintf("-c statement_timeout=%d", StatementTimeout/time.Millisecond)
-	return fmt.Sprintf("user='%s' password='%s' host='%s' port=%s dbname='%s' sslmode=disable options='%s'",
-		c.DBUser, c.DBPassword, host, c.DBPort, c.DBName, timeoutOption)
+	return fmt.Sprintf(
+		"user='%s' password='%s' host='%s' port=%s dbname='%s' sslmode='%s' options='%s'",
+		c.DBUser, c.DBPassword, host, c.DBPort, c.DBName, c.DBSSL, timeoutOption,
+	)
 }
 
 // HostAddr returns the network on which to serve the primary HTTP service.
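Review bot: `c.DBSSL` is placed inside single quotes in the format string without escaping `'` or `\`, so a value containing a quote ends the `sslmode` setting early and the remainder is parsed as further connection keywords; the neighbouring fields are formatted the same way. Since the set of valid modes is small, checking `c.DBSSL` against it before formatting is simpler than escaping. A Config that was not populated through the environment loader also yields `sslmode=''`, and how an empty mode is treated presumably depends on the driver, so falling back to a fixed mode when the field is empty would make that case explicit. The function begins outside this hunk, so I can't see whether it is able to return an error.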
@@ -385,6 +387,7 @@
 		DBPort:               GetEnv("GO_DISCOVERY_DATABASE_PORT", "5432"),
 		DBName:               GetEnv("GO_DISCOVERY_DATABASE_NAME", "discovery-db"),
 		DBSecret:             os.Getenv("GO_DISCOVERY_DATABASE_SECRET"),
+		DBSSL:                GetEnv("GO_DISCOVERY_DATABASE_SSL", "disable"),
 		RedisCacheHost:       os.Getenv("GO_DISCOVERY_REDIS_HOST"),
 		RedisBetaCacheHost:   os.Getenv("GO_DISCOVERY_REDIS_BETA_HOST"),
 		RedisCachePort:       GetEnv("GO_DISCOVERY_REDIS_PORT", "6379"),