[SSL config] Postgres SSL handling

Expected Behavior

In order to have a stateless Backstage implementation, a Postgres DB is used as a persistence layer for the backend. The backend should be able to connect to Postgres. (The Backstage code is created using npx @backstage/create-app.)

database:
   client: pg
   connection:
     host:  
       $env: POSTGRES_HOST
     port:  
       $env: POSTGRES_PORT
     user:  
       $env: POSTGRES_USER
     password:  
       $env: POSTGRES_PASSWORD
     # https://node-postgres.com/features/ssl
     ssl: require # see https://www.postgresql.org/docs/current/libpq-ssl.html Table 33.1. SSL Mode Descriptions (e.g. require)
     ca: # if you have a CA file and want to verify it you can uncomment this section
         $file: /etc/ssl/certs/rds-combined-ca-bundle.pem

Backend connected to the Postgres DB using SSL.

Current Behavior

Backend Docker is failing.

 2020-12-15T16:12:51.349+11:00 [APP/PROC/WEB/0] [ERR] /usr/src/app/node_modules/pg/lib/connection.js:86
2020-12-15T16:12:51.349+11:00 [APP/PROC/WEB/0] [ERR] if ('key' in self.ssl) {
2020-12-15T16:12:51.349+11:00 [APP/PROC/WEB/0] [ERR] ^
2020-12-15T16:12:51.349+11:00 [APP/PROC/WEB/0] [ERR] TypeError: Cannot use 'in' operator to search for 'key' in verify-ca
2020-12-15T16:12:51.349+11:00 [APP/PROC/WEB/0] [ERR] at Socket.<anonymous> (/usr/src/app/node_modules/pg/lib/connection.js:86:19)
2020-12-15T16:12:51.349+11:00 [APP/PROC/WEB/0] [ERR] at Object.onceWrapper (events.js:421:26)
2020-12-15T16:12:51.349+11:00 [APP/PROC/WEB/0] [ERR] at Socket.emit (events.js:314:20)
2020-12-15T16:12:51.349+11:00 [APP/PROC/WEB/0] [ERR] at addChunk (_stream_readable.js:297:12)
2020-12-15T16:12:51.349+11:00 [APP/PROC/WEB/0] [ERR] at readableAddChunk (_stream_readable.js:272:9)
2020-12-15T16:12:51.349+11:00 [APP/PROC/WEB/0] [ERR] at Socket.Readable.push (_stream_readable.js:213:10)
2020-12-15T16:12:51.349+11:00 [APP/PROC/WEB/0] [ERR] at TCP.onStreamRead (internal/stream_base_commons.js:188:23)
2020-12-15T16:12:51.402+11:00 [APP/PROC/WEB/0] [OUT] Exit status 

Possible Solution

Fix the app-config.yaml reader to allow ‘ca’ to be a child of ‘ssl’, thereby allowing it to be an object and not a string. In that case the error Cannot use 'in' operator to search for 'key' wouldn’t occur, as ‘in’ will find ssl as a JSON object. Currently it is a string.

So the ssl YAML key needs to be an object here, but it is a string. The app config YAML file is driving it. Ideally ‘ca’ should be a child of ‘ssl’, and that would frame ‘ssl’ as a JSON object. But in this case it is getting framed as a string (as a result of no nesting under ssl), and in a string we can't use ‘in’, which is obvious. [If we try to give ca as a child of ssl in the YAML config, it throws: Error: Failed to read static configuration file: All collection items must start at the same column]

Steps to Reproduce

  1. Step 1: add the pgdb app config as below
database:
    client: pg
    connection:
      host:  
        $env: POSTGRES_HOST
      port:  
        $env: POSTGRES_PORT
      user:  
        $env: POSTGRES_USER
      password:  
        $env: POSTGRES_PASSWORD
      # https://node-postgres.com/features/ssl
      ssl: require # see https://www.postgresql.org/docs/current/libpq-ssl.html Table 33.1. SSL Mode Descriptions (e.g. require)
      ca: # if you have a CA file and want to verify it you can uncomment this section
          $file: /etc/ssl/certs/rds-combined-ca-bundle.pem
  2. Step 2: build the backend Docker image

  3. … deploy / run it

Context

Your Environment

Bamboo for building and deploying the dockerised Backstage backend and frontend

  • NodeJS Version (v12): v12.20.0
  • Operating System and Version (e.g. Ubuntu 14.04): [ FROM node:12-buster - backend image ]
  • Browser Information: Chrome

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 24 (19 by maintainers)
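
The failure in the stack trace and the object form the issue asks for, as an added example (not code from Backstage, pg or the issue thread). `pgKeyCheck` reduces the `'key' in self.ssl` test quoted in the trace to a function; `normalizeSsl` is a hypothetical helper and `SAMPLE_CA` is a constructed placeholder.

```javascript
// Constructed placeholder standing in for the PEM text that `$file` would load.
const SAMPLE_CA =
  '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n';

// The check from the trace (pg/lib/connection.js:86), reduced to a function.
// `in` needs an object on its right-hand side, so a YAML scalar such as
// `ssl: verify-ca` (a string) raises a TypeError instead of returning false.
function pgKeyCheck(ssl) {
  try {
    return { ok: true, hasKey: 'key' in ssl };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Hypothetical helper: map a libpq-style mode string plus an optional CA
// bundle to the object form that node-postgres passes to Node's TLS layer.
function normalizeSsl(ssl, caPem) {
  if (ssl === undefined || ssl === null || ssl === false || ssl === 'disable') {
    return false; // plain TCP, no TLS
  }
  if (typeof ssl === 'object') return ssl; // already in object form
  if (ssl === true) return { rejectUnauthorized: true };
  switch (ssl) {
    case 'require':
      // libpq "require" encrypts without verifying the server certificate,
      // unless a root CA is supplied, in which case it verifies against it.
      return caPem
        ? { rejectUnauthorized: true, ca: caPem }
        : { rejectUnauthorized: false }; // encrypted but unauthenticated
    case 'verify-ca':
    case 'verify-full':
      // Node's TLS client also checks the host name by default, so both
      // modes end up as strict as verify-full here.
      if (!caPem) throw new Error(`ssl mode "${ssl}" needs a CA bundle`);
      return { rejectUnauthorized: true, ca: caPem };
    default:
      throw new Error(`unsupported ssl mode: ${ssl}`);
  }
}

console.log(pgKeyCheck('verify-ca'));                          // string form fails
console.log(pgKeyCheck(normalizeSsl('verify-ca', SAMPLE_CA))); // object form passes
```

With `ssl: require` and no CA, the resulting `rejectUnauthorized: false` gives an encrypted channel whose server identity is never checked, so a deployment that supplies a CA bundle should confirm the object it ends up with has `rejectUnauthorized: true`.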

Top GitHub Comments

1 reaction
kaparwan commented, Apr 6, 2021

Hi, thank you. Yes, I was able to.

Regards, Manoj Kaparwan

On Wed, Apr 7, 2021 at 5:33 AM regicsolutions @.***> wrote:

@kaparwan https://github.com/kaparwan were you ever able to enable ssl using Postgres?


1 reaction
andrewthauer commented, Dec 18, 2020

@kaparwan - The Backstage backend example app by default uses the SingleConnectionDatabaseManager, which will attempt to create a database for each plugin that requires a database. These by default are named with the convention backstage_plugin_${pluginName}. There are 2 main ways to configure the database in the app-config.yaml, as you’ve discovered. The default way is breaking out each setting like knex and pg want them. Alternatively you can supply a connection string, which will be parsed by pg-connection-string. However, when doing this it will parse the connection string down to its constituent config and attempt to modify the database name for each plugin. Using this method is not as flexible, as it doesn’t support the full range of settings. To better understand what is possible I suggest having a look at:

If you want full flexibility then the expanded non connection string is the way to go (if possible).
