feat: Allow to use CA certificate file path for DB (#6985)

Regarding ticket #6892: I would like to enable the use of a CA certificate without requiring other certificates. This would be useful for AWS Helm, as AWS only provides a single PEM file for DB connections.
2025-10-27 11:02:16 +01:00 · 2024-05-07 15:43:19 +03:00 · 2024-05-07 15:43:19 +03:00 · 8ae8cbbdb4
commit 8ae8cbbdb4
parent 8ae78236d2
1 changed files with 49 additions and 43 deletions
--- a/src/lib/create-config.ts
+++ b/src/lib/create-config.ts
@ -1,7 +1,6 @@
 import { parse } from 'pg-connection-string';
 import merge from 'deepmerge';
-import * as fs from 'fs';
-import { readFileSync } from 'fs';
+import { readFileSync, existsSync } from 'fs';
 import {
    type IAuthOption,
    IAuthType,
@ -21,6 +20,7 @@ import {
    type IUnleashConfig,
    type IUnleashOptions,
    type IVersionOption,
+    type ISSLOption,
 } from './types/option';
 import { getDefaultLogProvider, LogLevel, validateLogProvider } from './logger';
 import { defaultCustomAuthDenyAll } from './default-custom-auth-deny-all';
@ -183,43 +183,51 @@ const dateHandlingCallback = (connection, callback) => {
    });
 };

-const databaseSsl = () => {
+const readAndAddOption = (
+    name: keyof ISSLOption,
+    value: string | undefined,
+    options: ISSLOption,
+): ISSLOption =>
+    value != null
+        ? { ...options, [name]: readFileSync(value).toString() }
+        : options;
+
+const databaseSSL = (): IDBOption['ssl'] => {
    if (process.env.DATABASE_SSL != null) {
        return JSON.parse(process.env.DATABASE_SSL);
-    } else if (process.env.DATABASE_SSL_CA_CONFIG != null) {
-        return readFileSync(process.env.DATABASE_SSL_CA_CONFIG).toJSON();
-    } else if (
-        process.env.DATABASE_SSL_KEY_FILE != null &&
-        process.env.DATABASE_SSL_CERT_FILE != null
-    ) {
-        const opts = {
+    }
+
+    if (process.env.DATABASE_SSL_CA_CONFIG != null) {
+        return readFileSync(
+            process.env.DATABASE_SSL_CA_CONFIG,
+        ).toString() as unknown as IDBOption['ssl'];
+    }
+
+    const rejectUnauthorizedDefault =
+        process.env.DATABASE_SSL_CA_FILE != null ||
+        process.env.DATABASE_SSL_CERT_FILE != null ||
+        process.env.DATABASE_SSL_KEY_FILE != null;
+
+    let options: ISSLOption = {
        rejectUnauthorized: parseEnvVarBoolean(
            process.env.DATABASE_SSL_REJECT_UNAUTHORIZED,
-                true,
+            rejectUnauthorizedDefault,
        ),
    };
-        const key = readFileSync(process.env.DATABASE_SSL_KEY_FILE).toString();
-        const cert = readFileSync(
+
+    options = readAndAddOption(
+        'key',
+        process.env.DATABASE_SSL_KEY_FILE,
+        options,
+    );
+    options = readAndAddOption(
+        'cert',
        process.env.DATABASE_SSL_CERT_FILE,
-        ).toString();
-        if (process.env.DATABASE_SSL_CA_FILE != null) {
-            return {
-                ...opts,
-                ca: readFileSync(process.env.DATABASE_SSL_CA_FILE).toString(),
-                key,
-                cert,
-            };
-        } else {
-            return { ...opts, key, cert };
-        }
-    } else {
-        return {
-            rejectUnauthorized: parseEnvVarBoolean(
-                process.env.DATABASE_SSL_REJECT_UNAUTHORIZED,
-                false,
-            ),
-        };
-    }
+        options,
+    );
+    options = readAndAddOption('ca', process.env.DATABASE_SSL_CA_FILE, options);
+
+    return options;
 };

 const defaultDbOptions: WithOptional<IDBOption, 'user' | 'password' | 'host'> =
@ -229,7 +237,7 @@ const defaultDbOptions: WithOptional<IDBOption, 'user' | 'password' | 'host'> =
        host: process.env.DATABASE_HOST,
        port: parseEnvVarNumber(process.env.DATABASE_PORT, 5432),
        database: process.env.DATABASE_NAME || 'unleash',
-        ssl: databaseSsl(),
+        ssl: databaseSSL(),
        driver: 'postgres',
        version: process.env.DATABASE_VERSION,
        acquireConnectionTimeout: secondsToMilliseconds(30),
@ -491,16 +499,14 @@ export function createConfig(options: IUnleashOptions): IUnleashConfig {
        extraDbOptions = parse(process.env.DATABASE_URL);
    }
    let fileDbOptions = {};
-    if (options.databaseUrlFile && fs.existsSync(options.databaseUrlFile)) {
-        fileDbOptions = parse(
-            fs.readFileSync(options.databaseUrlFile, 'utf-8'),
-        );
+    if (options.databaseUrlFile && existsSync(options.databaseUrlFile)) {
+        fileDbOptions = parse(readFileSync(options.databaseUrlFile, 'utf-8'));
    } else if (
        process.env.DATABASE_URL_FILE &&
-        fs.existsSync(process.env.DATABASE_URL_FILE)
+        existsSync(process.env.DATABASE_URL_FILE)
    ) {
        fileDbOptions = parse(
-            fs.readFileSync(process.env.DATABASE_URL_FILE, 'utf-8'),
+            readFileSync(process.env.DATABASE_URL_FILE, 'utf-8'),
        );
    }
    const db: IDBOption = mergeAll<IDBOption>([