feat: add tls

2026-03-05 21:11:09 +01:00
parent 4977cb0485
commit 126776f389
3 changed files with 366 additions and 9 deletions
--- a/crates/nocontrol/Cargo.toml
+++ b/crates/nocontrol/Cargo.toml
@@ -30,6 +30,9 @@ tokio-postgres = { version = "0.7", optional = true, features = [
  "with-chrono-0_4",
 ] }
 chrono = { version = "0.4", optional = true }
+tokio-postgres-rustls = { version = "0.13", optional = true }
+rustls = { version = "0.23", optional = true }
+rustls-native-certs = { version = "0.8", optional = true }


 [dev-dependencies]
@@ -39,3 +42,4 @@ tracing-test = { version = "0.2.5", features = ["no-env-filter"] }
 [features]
 default = []
 postgres = ["dep:tokio-postgres", "dep:chrono"]
+postgres-tls = ["postgres", "dep:tokio-postgres-rustls", "dep:rustls", "dep:rustls-native-certs"]
--- a/crates/nocontrol/src/control_plane/backing_store/postgres.rs
+++ b/crates/nocontrol/src/control_plane/backing_store/postgres.rs
@@ -53,15 +53,7 @@ impl<T: Specification> BackingStorePostgres<T> {
    pub(crate) async fn new(database_url: &str) -> anyhow::Result<Self> {
        tracing::debug!("connecting to postgres database");

-        let (client, connection) = tokio_postgres::connect(database_url, tokio_postgres::NoTls)
-            .await
-            .context("failed to connect to database")?;
-
-        tokio::spawn(async move {
-            if let Err(e) = connection.await {
-                tracing::error!("postgres connection error: {e}");
-            }
-        });
+        let client = Self::connect(database_url).await?;

        tracing::debug!("migrating database");
        client
@@ -91,6 +83,55 @@ impl<T: Specification> BackingStorePostgres<T> {
            client: Arc::new(client),
        })
    }
+
+    #[cfg(not(feature = "postgres-tls"))]
+    async fn connect(database_url: &str) -> anyhow::Result<Client> {
+        let (client, connection) = tokio_postgres::connect(database_url, tokio_postgres::NoTls)
+            .await
+            .context("failed to connect to database")?;
+
+        tokio::spawn(async move {
+            if let Err(e) = connection.await {
+                tracing::error!("postgres connection error: {e}");
+            }
+        });
+
+        Ok(client)
+    }
+
+    #[cfg(feature = "postgres-tls")]
+    async fn connect(database_url: &str) -> anyhow::Result<Client> {
+        let native_certs = rustls_native_certs::load_native_certs();
+        if !native_certs.errors.is_empty() {
+            tracing::warn!("errors loading some native certs: {:?}", native_certs.errors);
+        }
+        anyhow::ensure!(!native_certs.certs.is_empty(), "no native TLS certificates found");
+
+        let mut root_store = rustls::RootCertStore::empty();
+        for cert in native_certs.certs {
+            root_store
+                .add(cert)
+                .context("failed to add root certificate")?;
+        }
+
+        let tls_config = rustls::ClientConfig::builder()
+            .with_root_certificates(root_store)
+            .with_no_client_auth();
+
+        let tls = tokio_postgres_rustls::MakeRustlsConnect::new(tls_config);
+
+        let (client, connection) = tokio_postgres::connect(database_url, tls)
+            .await
+            .context("failed to connect to database")?;
+
+        tokio::spawn(async move {
+            if let Err(e) = connection.await {
+                tracing::error!("postgres connection error: {e}");
+            }
+        });
+
+        Ok(client)
+    }
 }

 impl<T: Specification> BackingStoreEdge<T> for BackingStorePostgres<T> {