Postgres (CockroachDB) with full certificate verification (#7076)

* Postgres (CockroachDB) with full certificate verification * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * Apply suggestion from @Copilot Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com> * remove duplicated comments --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-10-08 02:54:25 +08:00 · 2025-08-03 09:43:33 -07:00
parent 8c23952326
commit d49b44f2a4
3 changed files with 46 additions and 2 deletions
--- a/weed/command/scaffold/filer.toml
+++ b/weed/command/scaffold/filer.toml
@@ -111,6 +111,12 @@ password = ""
 database = "postgres"          # create or use an existing database
 schema = ""
 sslmode = "disable"
+# SSL certificate options for secure connections
+# For sslmode=verify-full, uncomment and configure the following:
+# sslcert = "/path/to/client.crt"     # client certificate file
+# sslkey = "/path/to/client.key"      # client private key file
+# sslrootcert = "/path/to/ca.crt"     # CA certificate file
+# sslcrl = "/path/to/client.crl"      # Certificate Revocation List (CRL) (optional)
 connection_max_idle = 100
 connection_max_open = 100
 connection_max_lifetime_seconds = 0
@@ -142,6 +148,12 @@ password = ""
 database = "postgres"          # create or use an existing database
 schema = ""
 sslmode = "disable"
+# SSL certificate options for secure connections
+# For sslmode=verify-full, uncomment and configure the following:
+# sslcert = "/path/to/client.crt"     # client certificate file
+# sslkey = "/path/to/client.key"      # client private key file
+# sslrootcert = "/path/to/ca.crt"     # CA certificate file
+# sslcrl = "/path/to/client.crl"      # Certificate Revocation List (CRL) (optional)
 connection_max_idle = 100
 connection_max_open = 100
 connection_max_lifetime_seconds = 0
--- a/weed/filer/postgres/postgres_store.go
+++ b/weed/filer/postgres/postgres_store.go
@@ -35,13 +35,17 @@ func (store *PostgresStore) Initialize(configuration util.Configuration, prefix
 		configuration.GetString(prefix+"database"),
 		configuration.GetString(prefix+"schema"),
 		configuration.GetString(prefix+"sslmode"),
+		configuration.GetString(prefix+"sslcert"),
+		configuration.GetString(prefix+"sslkey"),
+		configuration.GetString(prefix+"sslrootcert"),
+		configuration.GetString(prefix+"sslcrl"),
 		configuration.GetInt(prefix+"connection_max_idle"),
 		configuration.GetInt(prefix+"connection_max_open"),
 		configuration.GetInt(prefix+"connection_max_lifetime_seconds"),
 	)
 }

-func (store *PostgresStore) initialize(upsertQuery string, enableUpsert bool, user, password, hostname string, port int, database, schema, sslmode string, maxIdle, maxOpen, maxLifetimeSeconds int) (err error) {
+func (store *PostgresStore) initialize(upsertQuery string, enableUpsert bool, user, password, hostname string, port int, database, schema, sslmode, sslcert, sslkey, sslrootcert, sslcrl string, maxIdle, maxOpen, maxLifetimeSeconds int) (err error) {

 	store.SupportBucketTable = false
 	if !enableUpsert {
@@ -63,6 +67,18 @@ func (store *PostgresStore) initialize(upsertQuery string, enableUpsert bool, us
 	if sslmode != "" {
 		sqlUrl += " sslmode=" + sslmode
 	}
+	if sslcert != "" {
+		sqlUrl += " sslcert=" + sslcert
+	}
+	if sslkey != "" {
+		sqlUrl += " sslkey=" + sslkey
+	}
+	if sslrootcert != "" {
+		sqlUrl += " sslrootcert=" + sslrootcert
+	}
+	if sslcrl != "" {
+		sqlUrl += " sslcrl=" + sslcrl
+	}
 	if user != "" {
 		sqlUrl += " user=" + user
 	}
--- a/weed/filer/postgres2/postgres2_store.go
+++ b/weed/filer/postgres2/postgres2_store.go
@@ -40,13 +40,17 @@ func (store *PostgresStore2) Initialize(configuration util.Configuration, prefix
 		configuration.GetString(prefix+"database"),
 		configuration.GetString(prefix+"schema"),
 		configuration.GetString(prefix+"sslmode"),
+		configuration.GetString(prefix+"sslcert"),
+		configuration.GetString(prefix+"sslkey"),
+		configuration.GetString(prefix+"sslrootcert"),
+		configuration.GetString(prefix+"sslcrl"),
 		configuration.GetInt(prefix+"connection_max_idle"),
 		configuration.GetInt(prefix+"connection_max_open"),
 		configuration.GetInt(prefix+"connection_max_lifetime_seconds"),
 	)
 }

-func (store *PostgresStore2) initialize(createTable, upsertQuery string, enableUpsert bool, user, password, hostname string, port int, database, schema, sslmode string, maxIdle, maxOpen, maxLifetimeSeconds int) (err error) {
+func (store *PostgresStore2) initialize(createTable, upsertQuery string, enableUpsert bool, user, password, hostname string, port int, database, schema, sslmode, sslcert, sslkey, sslrootcert, sslcrl string, maxIdle, maxOpen, maxLifetimeSeconds int) (err error) {

 	store.SupportBucketTable = true
 	if !enableUpsert {
@@ -68,6 +72,18 @@ func (store *PostgresStore2) initialize(createTable, upsertQuery string, enableU
 	if sslmode != "" {
 		sqlUrl += " sslmode=" + sslmode
 	}
+	if sslcert != "" {
+		sqlUrl += " sslcert=" + sslcert
+	}
+	if sslkey != "" {
+		sqlUrl += " sslkey=" + sslkey
+	}
+	if sslrootcert != "" {
+		sqlUrl += " sslrootcert=" + sslrootcert
+	}
+	if sslcrl != "" {
+		sqlUrl += " sslcrl=" + sslcrl
+	}
 	if user != "" {
 		sqlUrl += " user=" + user
 	}