supabase/postgres-meta

Error: [500] self signed certificate

pieveee opened this issue · 2 comments

Bug report

I am trying to run Supabase on a Kubernetes cluster (with the supabase-community/supabase-kubernetes project). However, when connecting to the database I get the following error:

Error: [500] self signed certificate


As I use zalando/postgres-operator to run the cluster, the TLS certificates get generated automatically. However, I am going to alter this behaviour and create custom certificates with cert-manager (server.crt and ca.crt).

Where do I have to place them inside the postgres-meta container to make use of these files? What is the default path?

According to the package.json dependencies postgres-meta uses pg, but I don't see a default path for certificates in the documentation.

Dived a bit deeper into this topic and found a little dirty hack. The Postgres URL is currently more or less hard-coded and there is no ability to set additional URL parameters as expected according to the jdbc documentation.

In constants.ts the PG_CONNECTION constant gets expanded like this:

export const PG_CONNECTION = `postgres://${PG_META_DB_USER}:${PG_META_DB_PASSWORD}@${PG_META_DB_HOST}:${PG_META_DB_PORT}/${PG_META_DB_NAME}?sslmode=${PG_META_DB_SSL_MODE}`

So my temporary "hack" is to append &sslrootcert=XXX to the PG_META_DB_SSL_MODE variable, as it is the last variable expansion in this constant:

verify-full&sslrootcert=/etc/ssl/certs/ca.crt

Hence the URL completes to the following:

postgres://postgres:my-password@db-host:5432/postgres?sslmode=verify-full&sslrootcert=/etc/ssl/certs/ca.crt

But this is not clean and should not be used. I suggest changing the behaviour of constants.ts and aligning it with the jdbc documentation. Or even better: make full use of env variables. However, I am not sure if the last option will work in this kind of environment. Any ideas?

How about adding a new optional env var PG_META_DB_SSL_ROOT_CERT? Similar to PG_META_DB_SSL_MODE, if specified we can append that to the connection string. Happy to accept a PR for it.
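One way the proposed env var could be wired in, as an added example that is not postgres-meta's own code: a hypothetical `buildPgConnection` helper that accepts only a real libpq `sslmode` value (so the `&sslrootcert=` smuggling trick above is rejected), appends `sslrootcert` only when `PG_META_DB_SSL_ROOT_CERT` is set, and lets the WHATWG URL class percent-encode the credentials.

```typescript
// Added example, not postgres-meta's own code. Hypothetical helper that
// builds the connection URL from the env vars named in the issue plus the
// proposed optional PG_META_DB_SSL_ROOT_CERT, instead of smuggling
// "&sslrootcert=..." into PG_META_DB_SSL_MODE.

export type PgMetaEnv = {
  PG_META_DB_USER: string;
  PG_META_DB_PASSWORD: string;
  PG_META_DB_HOST: string;
  PG_META_DB_PORT: string;
  PG_META_DB_NAME: string;
  PG_META_DB_SSL_MODE: string;
  PG_META_DB_SSL_ROOT_CERT?: string; // proposed, optional
};

// The libpq sslmode vocabulary. Only verify-ca / verify-full check the
// server chain; "require" still accepts a self-signed certificate.
const SSL_MODES = new Set([
  "disable", "allow", "prefer", "require", "verify-ca", "verify-full",
]);

export function buildPgConnection(env: PgMetaEnv): string {
  const mode = env.PG_META_DB_SSL_MODE;
  // An exact-match check rejects "verify-full&sslrootcert=..." style hacks
  // and any other parameter smuggled through the mode variable.
  if (!SSL_MODES.has(mode)) {
    throw new Error(`invalid PG_META_DB_SSL_MODE: ${JSON.stringify(mode)}`);
  }
  const query = [`sslmode=${mode}`];
  const ca = env.PG_META_DB_SSL_ROOT_CERT;
  if (ca !== undefined && ca !== "") {
    // Expect an absolute path inside the container (e.g. a mounted Secret)
    // with no characters that would start another URL component.
    if (!/^\/[^\s&#?]+$/.test(ca)) {
      throw new Error(`PG_META_DB_SSL_ROOT_CERT must be an absolute path: ${ca}`);
    }
    query.push(`sslrootcert=${ca}`);
  }
  // The URL class percent-encodes the credentials, so a password containing
  // "@", ":" or "/" no longer breaks the hand-built template string.
  const url = new URL(
    `postgres://${env.PG_META_DB_HOST}:${env.PG_META_DB_PORT}/${env.PG_META_DB_NAME}`,
  );
  url.username = env.PG_META_DB_USER;
  url.password = env.PG_META_DB_PASSWORD;
  url.search = query.join("&");
  return url.toString();
}
```

With the values from the issue this yields exactly the `verify-full&sslrootcert=/etc/ssl/certs/ca.crt` URL shown above, but through a dedicated variable rather than a modified `sslmode`.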