feat: add support for keymanager service to create TLS connection using sslmode=verify-full #36
Conversation
…fy-full for postgres
…ce into encrypt_database_connection_url
src/storage.rs
Outdated
|
|
||
| let mut roots = rustls::RootCertStore::empty(); | ||
|
|
||
| match env::var(DB_ROOT_CA_PATH) { |
There was a problem hiding this comment.
Instead of env better take it from the config
There was a problem hiding this comment.
We can't read this from config as this method is being called from establish_connection method.
We are not calling establish_connection in our code directly instead, we are passing the method to custom_setup param of ManagerConfig. establish_connection method only accept &str parameter where we can't pass our Config
There was a problem hiding this comment.
So, instead of passing this function for custom_setup you can pass a closure, and you can move the CA environment value in the closure from from_config's context.
src/storage.rs
Outdated
|
|
||
| let mut roots = rustls::RootCertStore::empty(); | ||
|
|
||
| match env::var(DB_ROOT_CA_PATH) { |
There was a problem hiding this comment.
So, instead of passing this function for custom_setup you can pass a closure, and you can move the CA environment value in the closure from from_config's context.
…ce into encrypt_database_connection_url
| keyspace = "encryption_db" | ||
| timeout = 60 | ||
| cache_size = 120 | ||
| enable_ssl = false |
There was a problem hiding this comment.
why are you removing cassandra? is this intended?
PR Description:
Steps to enable TLS:
"database.enable_ssl" in the env should be true and "database.root_ca" should be provided for enabling "verify-full" ssl mode.
Steps to disable TLS
"database.enable_ssl" is an optional field, So setting it as false or not at all having this config in the env will prevent the application to establish connection with DB using TLS.