make rejectUnauthorized on postgres db connection configurable through environment variable

2025-02-25 18:55:30 -06:00 · 2022-06-13 09:57:14 +02:00 · 2022-06-13 09:57:14 +02:00 · c79112f5cd
commit c79112f5cd
parent ee72ad07da
3 changed files with 10 additions and 7 deletions
--- a/dev/helm/README.md
+++ b/dev/helm/README.md
@ -125,6 +125,7 @@ The following table lists the configurable parameters of the Wiki.js chart and t
 | `postgresql.postgresqlPort`            | External postgres port                      | `5432`                                                     |
 | `postgresql.ssl`                       | Enable external postgres SSL connection     | `false`                                                   |
 | `postgresql.ca`                        | Certificate of Authority content for postgres  | `nil`                                                     |
+| `postgresql.rejectUnauthorized`                 | Reject self-signed CA certificate     | `true`                                                   |
 | `postgresql.persistence.enabled`                | Enable postgres persistence using PVC                | `true`                                                     |
 | `postgresql.persistence.existingClaim`          | Provide an existing `PersistentVolumeClaim` for postgres | `nil`                                                      |
 | `postgresql.persistence.storageClass`           | Postgres PVC Storage Class (example: `nfs`)                           | `nil`                 |
--- a/dev/helm/templates/deployment.yaml
+++ b/dev/helm/templates/deployment.yaml
@ -54,7 +54,7 @@ spec:
            - name: DB_SSL_CA
              value: "{{ default "" .Values.postgresql.ca }}"
            - name: DB_SSL_REJECTUNAUTHORIZED
-              value: "{{ default "true" .Values.postgresql.rejectUnauthorized }}"
+              value: "{{ hasKey .Values.postgresql "rejectUnauthorized" | ternary .Values.postgresql.rejectUnauthorized true }}"
            - name: DB_PASS
              valueFrom:
                secretKeyRef:
--- a/server/core/db.js
+++ b/server/core/db.js
@ -39,7 +39,12 @@ module.exports = {

    // Handle SSL Options

-    let dbUseSSL = (WIKI.config.db.ssl === true || WIKI.config.db.ssl === 'true' || WIKI.config.db.ssl === 1 || WIKI.config.db.ssl === '1')
+    let isTruthy = function(value) {
+      return (value === true || value === 'true' || value === 1 || value === '1')
+    }
+
+    let dbUseSSL = isTruthy(WIKI.config.db.ssl)
+    let rejectUnauthorized = !_.isEmpty(process.env.DB_SSL_REJECTUNAUTHORIZED) ? isTruthy(process.env.DB_SSL_REJECTUNAUTHORIZED) : true;
    let sslOptions = null
    if (dbUseSSL && _.isPlainObject(dbConfig) && _.get(WIKI.config.db, 'sslOptions.auto', null) === false) {
      sslOptions = WIKI.config.db.sslOptions
@ -75,10 +80,7 @@ module.exports = {
      }

      dbUseSSL = true
-      sslOptions = {
-        rejectUnauthorized: [true, 'true', 1, '1'].includes(process.env.DB_SSL_REJECTUNAUTHORIZED),
-        ca,
-      }
+      sslOptions = { rejectUnauthorized, ca }
    }

    // Engine-specific config
@ -87,7 +89,7 @@ module.exports = {
        dbClient = 'pg'

        if (dbUseSSL && _.isPlainObject(dbConfig)) {
-          dbConfig.ssl = (sslOptions === true) ? { rejectUnauthorized: true } : sslOptions
+          dbConfig.ssl = (sslOptions === true) ? { rejectUnauthorized } : sslOptions
        }
        break
      case 'mariadb':