diff --git a/db_store/src/iam_auth_pool.rs b/db_store/src/iam_auth_pool.rs
index a21c801f7..28427d5b4 100644
--- a/db_store/src/iam_auth_pool.rs
+++ b/db_store/src/iam_auth_pool.rs
@@ -1,6 +1,6 @@
 use crate::{error::invalid_configuration, Error, Result, Settings};
 use sqlx::{
-    postgres::{PgConnectOptions, Postgres},
+    postgres::{PgConnectOptions, PgSslMode, Postgres},
     Pool,
 };
 
@@ -18,6 +18,13 @@ pub async fn connect(settings: &Settings) -> Result> {
     let client = aws_sdk_sts::Client::new(&aws_config);
     let connect_parameters = ConnectParameters::try_from(settings)?;
     let connect_options = connect_parameters.connect_options(&client).await?;
+    let connect_options = if let Some(ref ca_path) = settings.ca_path {
+        connect_options
+            .ssl_mode(PgSslMode::VerifyCa)
+            .ssl_root_cert(ca_path)
+    } else {
+        connect_options
+    };
 
     let pool = settings
         .pool_options()
diff --git a/db_store/src/settings.rs b/db_store/src/settings.rs
index 9a46b7b74..b788b9d5f 100644
--- a/db_store/src/settings.rs
+++ b/db_store/src/settings.rs
@@ -1,6 +1,11 @@
+use std::path::PathBuf;
+
 use crate::{iam_auth_pool, metric_tracker, Error, Result};
 use serde::Deserialize;
-use sqlx::{postgres::PgPoolOptions, Pool, Postgres};
+use sqlx::{
+    postgres::{PgConnectOptions, PgPoolOptions, PgSslMode},
+    Pool, Postgres,
+};
 
 #[derive(Deserialize, Debug, Clone)]
 #[serde(rename_all = "lowercase")]
@@ -17,6 +22,9 @@ pub struct Settings {
     /// the auth_type is Postgres
     pub url: Option,
 
+    /// Optionally provided certificate authority
+    pub ca_path: Option,
+
     #[serde(default = "default_auth_type")]
     auth_type: AuthType,
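Review bot: The new block in `connect` pins the mode to `PgSslMode::VerifyCa`, which only checks that the server certificate chains to the file at `ca_path`; it does not check that the certificate's name matches the host being connected to, so any certificate issued by that CA is accepted for any host. Unless there is a known reason the server certificates cannot carry a matching name, `.ssl_mode(PgSslMode::VerifyFull)` is the mode that adds hostname verification and should be the default here, with a comment recording the choice either way, e.g. `// verify-full: chain to ca_path AND match the server name; verify-ca alone accepts any cert from this CA`. The identical `if let Some(ref ca_path)` block is added to `simple_connect` in settings.rs, so whichever mode is chosen must be applied there as well. The remainder of `connect` lies outside the hunk.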
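Review bot: The doc comment on the new `ca_path` field, `/// Optionally provided certificate authority`, tells an operator neither what the value is nor what setting it changes, and this is a security-relevant knob. Suggest `/// Path to a file holding the CA certificate(s) used to verify the database server's TLS certificate. When set, connections are forced to ssl_mode=verify-ca with this file as the root certificate; when unset, the connect options are left unchanged.` The rest of `Settings` lies outside the hunk.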
@@ -55,12 +63,20 @@ impl Settings {
     }
 
     async fn simple_connect(&self) -> Result> {
-        let connect_options = self
+        let connect_options: PgConnectOptions = self
             .url
             .as_ref()
             .ok_or_else(|| Error::InvalidConfiguration("url is required".to_string()))?
             .parse()?;
+        let connect_options = if let Some(ref ca_path) = self.ca_path {
+            connect_options
+                .ssl_mode(PgSslMode::VerifyCa)
+                .ssl_root_cert(ca_path)
+        } else {
+            connect_options
+        };
+
         let pool = self.pool_options().connect_with(connect_options).await?;
         Ok(pool)
     }
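Review bot: In `simple_connect` the `else` branch keeps whatever `sslmode` the parsed `url` carried, but the `if` branch unconditionally replaces it with `PgSslMode::VerifyCa`, so a URL that already asks for `sslmode=verify-full` is silently downgraded as soon as `ca_path` is configured. Either keep an explicitly stronger mode from the URL (only apply `VerifyCa` when the parsed mode is weaker) or document next to the assignment that `ca_path` overrides the URL's `sslmode`. Separately, this block is a line-for-line copy of the one added to `connect` in iam_auth_pool.rs; a small helper on `Settings` such as `fn with_tls(&self, opts: PgConnectOptions) -> PgConnectOptions` called from both sites would keep the two paths from drifting, and `if let Some(ca_path) = &self.ca_path` is the usual form in place of the `ref` pattern.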