PostgreSQL client: support $PGSSLROOTCERT env var

derhuerst · derhuerst · commit ea7f7e3f9bba · 2024-07-12T12:36:58.000+02:00
This is a shim for brianc/node-postgres#2723.
diff --git a/lib/db.js b/lib/db.js
@@ -1,12 +1,26 @@
+import {ok} from 'node:assert'
+import {readFileSync} from 'node:fs'
 import _pg from 'pg'
 const {Pool} = _pg
 
+const ssl = {}
+// pg doesn't support $PGSSLROOTCERT yet, so we pass it in ourselves
+// see https://github.com/brianc/node-postgres/issues/2723
+if ('PGSSLROOTCERT' in process.env) {
+	ok(process.env.PGSSLROOTCERT, '$PGSSLROOTCERT must not be empty')
+	ssl.ca = readFileSync(process.env.PGSSLROOTCERT, {encoding: 'utf8'})
+}
+
 const connectToPostgres = (opt = {}) => {
 	// todo?
 	// > Do not use pool.query if you need transactional integrity: the pool will dispatch every query passed to pool.query on the first available idle client. Transactions within PostgreSQL are scoped to a single client and so dispatching individual queries within a single transaction across multiple, random clients will cause big problems in your app and not work. For more info please read transactions.
 	// https://node-postgres.com/api/pool
 	const db = new Pool({
 		...opt,
+		ssl: {
+			...ssl,
+			...(opt.ssl || {}),
+		},
 		// todo: let this depend on the configured matching parallelism
 		max: parseInt(process.env.PG_POOL_SIZE || '30'),
 	})
