From 2deb900e4a6f81fe25b48868e68aa9c4adbecbf9 Mon Sep 17 00:00:00 2001
From: Johan Schuijt
Date: Wed, 25 May 2022 10:13:27 +0200
Subject: [PATCH 1/3] Load self-signed CA from file as described in the helm chart

---
 server/core/db.js | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/server/core/db.js b/server/core/db.js
index 2d614c55..2f42aefb 100644
--- a/server/core/db.js
+++ b/server/core/db.js
@@ -60,17 +60,13 @@ module.exports = {
 sslOptions = true
 }
 
- // Handle inline SSL CA Certificate mode
+ // Handle self-signed CA file
+ // https://node-postgres.com/features/ssl
 if (!_.isEmpty(process.env.DB_SSL_CA)) {
- const chunks = []
- for (let i = 0, charsLength = process.env.DB_SSL_CA.length; i < charsLength; i += 64) {
- chunks.push(process.env.DB_SSL_CA.substring(i, i + 64))
- }
-
 dbUseSSL = true
 sslOptions = {
- rejectUnauthorized: true,
- ca: '-----BEGIN CERTIFICATE-----\n' + chunks.join('\n') + '\n-----END CERTIFICATE-----\n'
+ rejectUnauthorized: false,
+ ca: fs.readFileSync(process.env.DB_SSL_CA).toString(),
 }
 }
 
From ee72ad07da0ddb3eafbba271fd3e33e16c309e98 Mon Sep 17 00:00:00 2001
From: Johan Schuijt
Date: Wed, 8 Jun 2022 12:09:27 +0200
Subject: [PATCH 2/3] Restore concatenated CA string logic for db connnections, make rejectUnauthorized configurable through environment variable

---
 dev/helm/templates/deployment.yaml | 2 ++
 dev/helm/values.yaml | 10 ++++++++--
 server/core/db.js | 17 ++++++++++++++---
 3 files changed, 24 insertions(+), 5 deletions(-)

diff --git a/dev/helm/templates/deployment.yaml b/dev/helm/templates/deployment.yaml
index 24910f2b..cd637feb 100644
--- a/dev/helm/templates/deployment.yaml
+++ b/dev/helm/templates/deployment.yaml
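Review bot: `rejectUnauthorized: false` in the new `sslOptions` object turns off verification of the postgres server certificate altogether, so the CA read on the next line is never enforced and the connection accepts any certificate presented to it, including one from an interposed host. Supplying a private CA is exactly the case where `rejectUnauthorized: true` (the value the removed inline-CA mode used) is correct; the later patches in this series make the flag configurable, but this commit on its own silently removes the check. `fs.readFileSync` also throws synchronously when `DB_SSL_CA` is not a readable path, so the previous inline-string configuration now crashes at startup instead of connecting; whether `fs` is already required at the top of the file is not visible here. The enclosing function continues outside the hunk.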
@@ -53,6 +53,8 @@ spec:
 value: "{{ default "false" .Values.postgresql.ssl }}"
 - name: DB_SSL_CA
 value: "{{ default "" .Values.postgresql.ca }}"
+ - name: DB_SSL_REJECTUNAUTHORIZED
+ value: "{{ default "true" .Values.postgresql.rejectUnauthorized }}"
 - name: DB_PASS
 valueFrom:
 secretKeyRef:
diff --git a/dev/helm/values.yaml b/dev/helm/values.yaml
index 6b7296a7..ce5c9ba4 100644
--- a/dev/helm/values.yaml
+++ b/dev/helm/values.yaml
@@ -115,9 +115,15 @@ postgresql:
 ##
 # ssl: false
 ## ca Certificate of Authority
- ## Default to empty, point to location of CA
+ ## this can either be a single line string (without spaces or new lines)
+ ## without the prefix and suffix lines, or a path to a certificate file.
+ ## Default to empty
 ##
- # ca: "path to ca"
+ # ca: "single line or path to ca"
+ ## rejectUnauthorized reject self-signed certificates
+ ## Default to true
+ ##
+ # rejectUnauthorized: true
 ## postgresqlHost override postgres database host
 ## Default to postgres
 ##
diff --git a/server/core/db.js b/server/core/db.js
index 2f42aefb..6e900c9d 100644
--- a/server/core/db.js
+++ b/server/core/db.js
@@ -60,13 +60,24 @@ module.exports = {
 sslOptions = true
 }
 
- // Handle self-signed CA file
+ // Handle self-signed CA file or concatenated string
 // https://node-postgres.com/features/ssl
 if (!_.isEmpty(process.env.DB_SSL_CA)) {
+ try {
+ ca = fs.readFileSync(process.env.DB_SSL_CA).toString()
+ } catch(_) {
+ const chunks = []
+ for (let i = 0, charsLength = process.env.DB_SSL_CA.length; i < charsLength; i += 64) {
+ chunks.push(process.env.DB_SSL_CA.substring(i, i + 64))
+ }
+
+ ca = '-----BEGIN CERTIFICATE-----\n' + chunks.join('\n') + '\n-----END CERTIFICATE-----\n'
+ }
+
 dbUseSSL = true
 sslOptions = {
- rejectUnauthorized: false,
- ca: fs.readFileSync(process.env.DB_SSL_CA).toString(),
+ rejectUnauthorized: [true, 'true', 1, '1'].includes(process.env.DB_SSL_REJECTUNAUTHORIZED),
+ ca,
 }
 }
 
From c79112f5cdd216088638587b184923517fc8f09c Mon Sep 17 00:00:00 2001
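Review bot: `{{ default "true" .Values.postgresql.rejectUnauthorized }}` cannot pass `false` through: Helm's `default` treats a boolean `false` as an empty value and substitutes `"true"`, so the only value this env var can ever take from the chart is `true`, and the new `values.yaml` comment promising the option is configurable is not honoured (the next patch in the series switches to `hasKey`/`ternary` for this reason). Because this variable disables server-certificate verification when false, the template line deserves a comment stating the consequence, e.g. `# false turns off verification of the postgres server certificate`.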
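Review bot: `catch(_)` around `fs.readFileSync` swallows every error, so a CA path with a permission problem or a typo is silently reinterpreted as a base64 certificate body and the failure most likely surfaces later in the TLS handshake with an unrelated message; catching only the not-found case, `} catch (err) { if (err.code !== 'ENOENT') throw err`, keeps the fallback while making misconfiguration visible. `ca` is assigned without `let`/`const` in this hunk and no declaration is visible anywhere in the series, so unless it is declared earlier in the function it becomes an implicit global (or a ReferenceError under strict mode). `[true, 'true', 1, '1'].includes(process.env.DB_SSL_REJECTUNAUTHORIZED)` is `false` when the variable is unset, so any deployment that does not set it loses certificate verification by default; the last patch of the series changes that default to `true`. The enclosing function continues outside the hunk.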
From: Johan Schuijt
Date: Mon, 13 Jun 2022 09:57:14 +0200
Subject: [PATCH 3/3] make rejectUnauthorized on postgres db connection configurable through environment variable

---
 dev/helm/README.md | 1 +
 dev/helm/templates/deployment.yaml | 2 +-
 server/core/db.js | 14 ++++++++------
 3 files changed, 10 insertions(+), 7 deletions(-)

diff --git a/dev/helm/README.md b/dev/helm/README.md
index ae95ab45..72a7a3d9 100644
--- a/dev/helm/README.md
+++ b/dev/helm/README.md
@@ -125,6 +125,7 @@ The following table lists the configurable parameters of the Wiki.js chart and t
 | `postgresql.postgresqlPort` | External postgres port | `5432` |
 | `postgresql.ssl` | Enable external postgres SSL connection | `false` |
 | `postgresql.ca` | Certificate of Authority content for postgres | `nil` |
+| `postgresql.rejectUnauthorized` | Reject self-signed CA certificate | `true` |
 | `postgresql.persistence.enabled` | Enable postgres persistence using PVC | `true` |
 | `postgresql.persistence.existingClaim` | Provide an existing `PersistentVolumeClaim` for postgres | `nil` |
 | `postgresql.persistence.storageClass` | Postgres PVC Storage Class (example: `nfs`) | `nil` |
diff --git a/dev/helm/templates/deployment.yaml b/dev/helm/templates/deployment.yaml
index cd637feb..87f59e8d 100644
--- a/dev/helm/templates/deployment.yaml
+++ b/dev/helm/templates/deployment.yaml
@@ -54,7 +54,7 @@ spec:
 - name: DB_SSL_CA
 value: "{{ default "" .Values.postgresql.ca }}"
 - name: DB_SSL_REJECTUNAUTHORIZED
- value: "{{ default "true" .Values.postgresql.rejectUnauthorized }}"
+ value: "{{ hasKey .Values.postgresql "rejectUnauthorized" | ternary .Values.postgresql.rejectUnauthorized true }}"
 - name: DB_PASS
 valueFrom:
 secretKeyRef:
diff --git a/server/core/db.js b/server/core/db.js
index 6e900c9d..49f6cdac 100644
--- a/server/core/db.js
+++ b/server/core/db.js
@@ -39,7 +39,12 @@ module.exports = {
 
 // Handle SSL Options
 
- let dbUseSSL = (WIKI.config.db.ssl === true || WIKI.config.db.ssl === 'true' || WIKI.config.db.ssl === 1 || WIKI.config.db.ssl === '1')
+ let isTruthy = function(value) {
+ return (value === true || value === 'true' || value === 1 || value === '1')
+ }
+
+ let dbUseSSL = isTruthy(WIKI.config.db.ssl)
+ let rejectUnauthorized = !_.isEmpty(process.env.DB_SSL_REJECTUNAUTHORIZED) ? isTruthy(process.env.DB_SSL_REJECTUNAUTHORIZED) : true;
 let sslOptions = null
 if (dbUseSSL && _.isPlainObject(dbConfig) && _.get(WIKI.config.db, 'sslOptions.auto', null) === false) {
 sslOptions = WIKI.config.db.sslOptions
@@ -75,10 +80,7 @@ module.exports = {
 }
 
 dbUseSSL = true
- sslOptions = {
- rejectUnauthorized: [true, 'true', 1, '1'].includes(process.env.DB_SSL_REJECTUNAUTHORIZED),
- ca,
- }
+ sslOptions = { rejectUnauthorized, ca }
 }
 
 // Engine-specific config
@@ -87,7 +89,7 @@ module.exports = {
 dbClient = 'pg'
 
 if (dbUseSSL && _.isPlainObject(dbConfig)) {
- dbConfig.ssl = (sslOptions === true) ? { rejectUnauthorized: true } : sslOptions
+ dbConfig.ssl = (sslOptions === true) ? { rejectUnauthorized } : sslOptions
 }
 break
 case 'mariadb':
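Review bot: The new `rejectUnauthorized` line fails open: any non-empty `DB_SSL_REJECTUNAUTHORIZED` that is not exactly `true`/`'true'`/`1`/`'1'` (for example `TRUE`, `yes`, or a value with a stray space) makes `isTruthy` return `false` and silently disables server-certificate verification. Since an environment variable is always a string, a fail-closed form such as `let rejectUnauthorized = !['false', '0'].includes((process.env.DB_SSL_REJECTUNAUTHORIZED || '').trim().toLowerCase())` only turns verification off on an explicit opt-out. On style, `isTruthy` is never reassigned and the trailing `;` on the `rejectUnauthorized` line breaks the file's no-semicolon convention seen on the surrounding lines; `const isTruthy = (value) => ...` would match the rest of the code. The enclosing function starts and ends outside the hunk.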
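Review bot: With the rewritten `dbConfig.ssl` line in the last hunk, the `sslOptions === true` branch (SSL enabled with no custom CA) now also honours `DB_SSL_REJECTUNAUTHORIZED`, so one environment variable can downgrade a verified TLS connection to an unverified one without any trace in the logs. Emitting a warning when verification is off makes that downgrade auditable, e.g. `if (!rejectUnauthorized) { WIKI.logger.warn('DB_SSL_REJECTUNAUTHORIZED is false: the postgres server certificate will not be verified') }` placed before the assignment, assuming the file's usual logger. The README row added in this series describes the flag as `Reject self-signed CA certificate`; noting that `false` disables all server-certificate validation, not only for self-signed CAs, would keep operators from under-estimating it. The `switch` this hunk belongs to starts and ends outside the hunk.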