fix: set default SSL to use rejectUnauthorized to enforce signed tls …

…certs
klarna-incubator · Nov 18, 2024 · 7d37bfc · 7d37bfc
1 parent 5126e4e
commit 7d37bfc
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 9 deletions.
diff --git a/config/default.ts b/config/default.ts
@@ -46,7 +46,12 @@ export const defaultConfig: GramConfiguration = {
     password: new EnvSecret("POSTGRES_PASSWORD"),
     database: new EnvSecret("POSTGRES_DATABASE"),
     port: new EnvSecret("POSTGRES_PORT"),
-    ssl: process.env.POSTGRES_DISABLE_SSL === undefined ? true : false,
+    ssl:
+      process.env.POSTGRES_DISABLE_SSL === undefined
+        ? {
+            rejectUnauthorized: true, //ca: fs.readFileSync("/opt/rds-ca-2019-root.pem", "ascii")
+          }
+        : false,
   },
 
   notifications: {

diff --git a/core/src/data/postgres.ts b/core/src/data/postgres.ts
@@ -116,14 +116,6 @@ export async function createPostgresPool(passedOpts?: pg.PoolConfig) {
   );
   defaultOpts.ssl = config.postgres.ssl;
 
-  //TODO: should be configuration...
-  // if (defaultOpts.ssl) {
-  // Load AWS RDS CA to verify connection
-  // defaultOpts.ssl = {
-  //   ca: fs.readFileSync("/opt/rds-ca-2019-root.pem", "ascii"),
-  // };
-  // }
-
   let opts = defaultOpts;
   if (passedOpts) {
     opts = { ...defaultOpts, ...passedOpts };