From adcd11b1f8e708f660007c7df4c63f06e0110974 Mon Sep 17 00:00:00 2001
From: Ongy
Date: Sun, 2 Apr 2023 17:39:36 +0200
Subject: [PATCH] core: extend postgres configuration (#5138)

Add postgres configuration options to control TLS verification and client certificates.
---
 authentik/root/settings.py | 4 ++++
 lifecycle/migrate.py | 4 ++++
 lifecycle/wait_for_db.py | 4 ++++
 website/docs/installation/configuration.md | 4 ++++
 4 files changed, 16 insertions(+)
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index eeb6688b8..61362bfab 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -276,6 +276,10 @@ DATABASES = {
 "USER": CONFIG.y("postgresql.user"),
 "PASSWORD": CONFIG.y("postgresql.password"),
 "PORT": int(CONFIG.y("postgresql.port")),
+ "SSLMODE": CONFIG.y("postgresql.sslmode"),
+ "SSLROOTCERT": CONFIG.y("postgresql.sslrootcert"),
+ "SSLCERT": CONFIG.y("postgresql.sslcert"),
+ "SSLKEY": CONFIG.y("postgresql.sslkey"),
 }
 }
diff --git a/lifecycle/migrate.py b/lifecycle/migrate.py
index bd6975201..507d1cac1 100755
--- a/lifecycle/migrate.py
+++ b/lifecycle/migrate.py
@@ -57,6 +57,10 @@ if __name__ == "__main__":
 password=CONFIG.y("postgresql.password"),
 host=CONFIG.y("postgresql.host"),
 port=int(CONFIG.y("postgresql.port")),
+ sslmode=CONFIG.y("postgresql.sslmode"),
+ sslrootcert=CONFIG.y("postgresql.sslrootcert"),
+ sslcert=CONFIG.y("postgresql.sslcert"),
+ sslkey=CONFIG.y("postgresql.sslkey"),
 )
 curr = conn.cursor()
 try:
diff --git a/lifecycle/wait_for_db.py b/lifecycle/wait_for_db.py
index 7aade6a2a..f8d7deb36 100755
--- a/lifecycle/wait_for_db.py
+++ b/lifecycle/wait_for_db.py
@@ -29,6 +29,10 @@ while True:
 password=CONFIG.y("postgresql.password"),
 host=CONFIG.y("postgresql.host"),
 port=int(CONFIG.y("postgresql.port")),
+ sslmode=CONFIG.y("postgresql.sslmode"),
+ sslrootcert=CONFIG.y("postgresql.sslrootcert"),
+ sslcert=CONFIG.y("postgresql.sslcert"),
+ sslkey=CONFIG.y("postgresql.sslkey"),
 )
 conn.cursor()
 break
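Review bot: The four new `SSLMODE`/`SSLROOTCERT`/`SSLCERT`/`SSLKEY` keys sit at the top level of the database dict, where, to my knowledge, Django's PostgreSQL backend never reads them; it forwards only `NAME`/`USER`/`PASSWORD`/`HOST`/`PORT` plus the contents of `OPTIONS` to the driver, so the application's own connections would silently keep whatever TLS behaviour they had before while only the two lifecycle scripts honour the new settings. The values belong in an `OPTIONS` mapping under the lower-case libpq parameter names, merged into an existing `OPTIONS` entry if the dict already has one outside this hunk (I cannot see that from here). The enclosing `DATABASES = {` literal starts before the hunk.
```python
        "PORT": int(CONFIG.y("postgresql.port")),
        "OPTIONS": {
            "sslmode": CONFIG.y("postgresql.sslmode"),
            "sslrootcert": CONFIG.y("postgresql.sslrootcert"),
            "sslcert": CONFIG.y("postgresql.sslcert"),
            "sslkey": CONFIG.y("postgresql.sslkey"),
        },
        # … unchanged: closing braces of the database entry …
```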
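Review bot: Nothing in this patch establishes the `verify-ca` default that the documentation hunk advertises — the diffstat lists no change to a default configuration file — so when `postgresql.sslmode` is unset, `CONFIG.y(...)` presumably yields `None`, the driver (apparently psycopg2, given `connect(...)`/`cursor()`) drops `None` keyword arguments from the DSN, and the connection falls back to libpq's own default, which does not verify the server certificate at all. Please confirm the default configuration actually sets `postgresql.sslmode`, and consider `verify-full` rather than `verify-ca`, since only the former also checks the server hostname against the certificate. The same four keyword arguments are repeated verbatim in the `lifecycle/wait_for_db.py` hunk; a small shared helper returning the connection parameters would keep the call sites from drifting, as the `authentik/root/settings.py` hunk already has. The `connect(` call these arguments belong to starts before the hunk.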
diff --git a/website/docs/installation/configuration.md b/website/docs/installation/configuration.md
index 97577e910..53410b19e 100644
--- a/website/docs/installation/configuration.md
+++ b/website/docs/installation/configuration.md
@@ -33,6 +33,10 @@ kubectl exec -it deployment/authentik-worker -c authentik -- ak dump_config
 - `AUTHENTIK_POSTGRESQL__PORT`: Database port, defaults to 5432
 - `AUTHENTIK_POSTGRESQL__PASSWORD`: Database password, defaults to the environment variable `POSTGRES_PASSWORD`
 - `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjust configuration to support connection to PgBouncer
+- `AUTHENTIK_POSTGRESQL__SSLMODE`: Strictness of ssl verification. Defaults to `verify-ca`
+- `AUTHENTIK_POSTGRESQL__SSLROOTCERT`: CA root for server ssl verification
+- `AUTHENTIK_POSTGRESQL__SSLCERT`: Path to x509 client certificate to authenticate to server
+- `AUTHENTIK_POSTGRESQL__SSLKEY`: Path to private key of `SSLCERT` certificate
 ## Redis Settings