From adcd11b1f8e708f660007c7df4c63f06e0110974 Mon Sep 17 00:00:00 2001
From: Ongy <github@ongy.net>
Date: Sun, 2 Apr 2023 17:39:36 +0200
Subject: [PATCH] core: extend postgres configuration (#5138)

Add postgres configuration options to control
TLS verification and client certificates.
---
 authentik/root/settings.py                 | 4 ++++
 lifecycle/migrate.py                       | 4 ++++
 lifecycle/wait_for_db.py                   | 4 ++++
 website/docs/installation/configuration.md | 4 ++++
 4 files changed, 16 insertions(+)

diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index eeb6688b8..61362bfab 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -276,6 +276,10 @@ DATABASES = {
         "USER": CONFIG.y("postgresql.user"),
         "PASSWORD": CONFIG.y("postgresql.password"),
         "PORT": int(CONFIG.y("postgresql.port")),
+        "SSLMODE": CONFIG.y("postgresql.sslmode"),
+        "SSLROOTCERT": CONFIG.y("postgresql.sslrootcert"),
+        "SSLCERT": CONFIG.y("postgresql.sslcert"),
+        "SSLKEY": CONFIG.y("postgresql.sslkey"),
     }
 }
 
diff --git a/lifecycle/migrate.py b/lifecycle/migrate.py
index bd6975201..507d1cac1 100755
--- a/lifecycle/migrate.py
+++ b/lifecycle/migrate.py
@@ -57,6 +57,10 @@ if __name__ == "__main__":
         password=CONFIG.y("postgresql.password"),
         host=CONFIG.y("postgresql.host"),
         port=int(CONFIG.y("postgresql.port")),
+        sslmode=CONFIG.y("postgresql.sslmode"),
+        sslrootcert=CONFIG.y("postgresql.sslrootcert"),
+        sslcert=CONFIG.y("postgresql.sslcert"),
+        sslkey=CONFIG.y("postgresql.sslkey"),
     )
     curr = conn.cursor()
     try:
diff --git a/lifecycle/wait_for_db.py b/lifecycle/wait_for_db.py
index 7aade6a2a..f8d7deb36 100755
--- a/lifecycle/wait_for_db.py
+++ b/lifecycle/wait_for_db.py
@@ -29,6 +29,10 @@ while True:
             password=CONFIG.y("postgresql.password"),
             host=CONFIG.y("postgresql.host"),
             port=int(CONFIG.y("postgresql.port")),
+            sslmode=CONFIG.y("postgresql.sslmode"),
+            sslrootcert=CONFIG.y("postgresql.sslrootcert"),
+            sslcert=CONFIG.y("postgresql.sslcert"),
+            sslkey=CONFIG.y("postgresql.sslkey"),
         )
         conn.cursor()
         break
diff --git a/website/docs/installation/configuration.md b/website/docs/installation/configuration.md
index 97577e910..53410b19e 100644
--- a/website/docs/installation/configuration.md
+++ b/website/docs/installation/configuration.md
@@ -33,6 +33,10 @@ kubectl exec -it deployment/authentik-worker -c authentik -- ak dump_config
 -   `AUTHENTIK_POSTGRESQL__PORT`: Database port, defaults to 5432
 -   `AUTHENTIK_POSTGRESQL__PASSWORD`: Database password, defaults to the environment variable `POSTGRES_PASSWORD`
 -   `AUTHENTIK_POSTGRESQL__USE_PGBOUNCER`: Adjust configuration to support connection to PgBouncer
+-   `AUTHENTIK_POSTGRESQL__SSLMODE`: Strictness of ssl verification. Defaults to `verify-ca`
+-   `AUTHENTIK_POSTGRESQL__SSLROOTCERT`: CA root for server ssl verification
+-   `AUTHENTIK_POSTGRESQL__SSLCERT`: Path to x509 client certificate to authenticate to server
+-   `AUTHENTIK_POSTGRESQL__SSLKEY`: Path to private key of `SSLCERT` certificate
 
 ## Redis Settings