pkgsite/internal/config: parameterize Postgres sslmode
This CL adds a new GO_DISCOVERY_DATABASE_SSL environment variable
so that the sslmode in a Postgres database can be configured.
It defaults to "disable" to ensure backwards compatibility.
Fixes golang/go#49977
Change-Id: I399e32f1a7862c55c7923bc55f465e16b9a5659b
Reviewed-on: https://go-review.googlesource.com/c/pkgsite/+/369314
Trust: Jamal Carvalho <jamal@golang.org>
Run-TryBot: Jamal Carvalho <jamal@golang.org>
TryBot-Result: kokoro <noreply+kokoro@google.com>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
diff --git a/devtools/migrate_db.sh b/devtools/migrate_db.sh
index e47b106..b4a6d26 100755
--- a/devtools/migrate_db.sh
+++ b/devtools/migrate_db.sh
@@ -28,6 +28,10 @@
if [[ $GO_DISCOVERY_DATABASE_NAME != "" ]]; then
database_name=$GO_DISCOVERY_DATABASE_NAME
fi
+ssl_mode='disable'
+if [[ $GO_DISCOVERY_DATABASE_SSL != "" ]]; then
+ ssl_mode=$GO_DISCOVERY_DATABASE_SSL
+fi
# Redirect stderr to stdout because migrate outputs to stderr, and we want
# to be able to use ordinary output redirection.
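Review bot: `ssl_mode` takes whatever `GO_DISCOVERY_DATABASE_SSL` holds, and the second hunk of this file splices it into the `-database` URL unchanged. A value containing `&` or `#` therefore changes the rest of the query string, and a misspelled mode is only noticed when migrate tries to connect. An allow-list check right after the new `fi` would reject unknown values before the URL is built. The list below is the set of modes libpq documents; narrow it if the driver behind migrate accepts fewer.

```shell
# … unchanged: ssl_mode default and override from GO_DISCOVERY_DATABASE_SSL …
fi
case "$ssl_mode" in
  disable|allow|prefer|require|verify-ca|verify-full) ;;
  *)
    echo "unsupported GO_DISCOVERY_DATABASE_SSL value: $ssl_mode" >&2
    exit 1
    ;;
esac
```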
@@ -35,7 +39,7 @@
up|down|force|version)
migrate \
-source file:migrations \
- -database "postgresql://$database_user:$database_password@$database_host:5432/$database_name?sslmode=disable" \
+ -database "postgresql://$database_user:$database_password@$database_host:5432/$database_name?sslmode=$ssl_mode" \
"$@" 2>&1
;;
*)
diff --git a/internal/config/config.go b/internal/config/config.go
index 739f5d9..8faa521 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -159,9 +159,9 @@
// AppEngine.
FallbackVersionLabel string
- DBSecret, DBUser, DBHost, DBPort, DBName string
- DBSecondaryHost string // DB host to use if first one is down
- DBPassword string `json:"-"`
+ DBSecret, DBUser, DBHost, DBPort, DBName, DBSSL string
+ DBSecondaryHost string // DB host to use if first one is down
+ DBPassword string `json:"-"`
// Configuration for redis page cache.
RedisCacheHost, RedisBetaCacheHost, RedisCachePort string
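Review bot: `DBSSL` is added to the shared field list with no comment, and the name reads like an on/off switch although it holds the Postgres `sslmode` string. Giving it its own line with a comment would make the accepted values and the insecure default visible where the config is read, for example `DBSSL string // Postgres sslmode ("disable", "require", "verify-ca", "verify-full"); defaults to "disable"`. The struct starts and ends outside this hunk, so the exact mode list should be checked against the driver in use.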
@@ -267,8 +267,10 @@
// Set the statement_timeout config parameter for this session.
// See https://www.postgresql.org/docs/current/runtime-config-client.html.
timeoutOption := fmt.Sprintf("-c statement_timeout=%d", StatementTimeout/time.Millisecond)
- return fmt.Sprintf("user='%s' password='%s' host='%s' port=%s dbname='%s' sslmode=disable options='%s'",
- c.DBUser, c.DBPassword, host, c.DBPort, c.DBName, timeoutOption)
+ return fmt.Sprintf(
+ "user='%s' password='%s' host='%s' port=%s dbname='%s' sslmode='%s' options='%s'",
+ c.DBUser, c.DBPassword, host, c.DBPort, c.DBName, c.DBSSL, timeoutOption,
+ )
}
// HostAddr returns the network on which to serve the primary HTTP service.
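Review bot: `c.DBSSL` is placed between single quotes in the connection string without escaping, on the `sslmode='%s'` line. In libpq keyword/value syntax a quote or backslash inside a quoted value must be backslash-escaped, so a value containing `'` ends the `sslmode` value early and the remainder is parsed as further keywords. The fields already interpolated here (`c.DBUser`, `c.DBPassword`, `host`, `c.DBName`) have the same exposure. Passing the value through a small escaper such as `strings.NewReplacer("\\", "\\\\", "'", "\\'").Replace(c.DBSSL)` would close it, assuming `strings` is imported in this file. The enclosing function begins outside the hunk.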
@@ -385,6 +387,7 @@
DBPort: GetEnv("GO_DISCOVERY_DATABASE_PORT", "5432"),
DBName: GetEnv("GO_DISCOVERY_DATABASE_NAME", "discovery-db"),
DBSecret: os.Getenv("GO_DISCOVERY_DATABASE_SECRET"),
+ DBSSL: GetEnv("GO_DISCOVERY_DATABASE_SSL", "disable"),
RedisCacheHost: os.Getenv("GO_DISCOVERY_REDIS_HOST"),
RedisBetaCacheHost: os.Getenv("GO_DISCOVERY_REDIS_BETA_HOST"),
RedisCachePort: GetEnv("GO_DISCOVERY_REDIS_PORT", "6379"),
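Review bot: The `DBSSL` value read from `GO_DISCOVERY_DATABASE_SSL` is stored without being checked against the known modes, so a misspelling is not reported at startup and only shows up when the first connection is attempted. It would also help to say next to this line that `"disable"` sends `DBPassword` and all queries unencrypted, and that in libpq semantics `"require"` encrypts without verifying the server certificate. A comment such as `// "disable" is kept for backwards compatibility; use verify-full when the database is reached over an untrusted network` would record that. The enclosing function starts and ends outside this hunk, so the validation belongs wherever that function can return an error.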