Wikijs | Postgresql | Transport Encryption

Posted on by

Today I am on a quest to have all my applications running in Kubernetes containers connected to PostgreSQL to only use encrypted database connections. Earlier I did Sonarqube and posted about it. Now let’s talk about Wikijs, which I am using for my wiki.
Needless to say that the Postgresql database server is already set for encryption and pg_hba.conf has proper entries.
Wikijs is based on node.js and that has its own rules about using SSL for the database encryption. Like with my Sonar setup, I don’t want to run full chain verification, only the traffic encryption does suffice for me. However Node.js is a bit fuzzy about it and simply enabling SSL like SSL:true will not work because it throws a tantrum about a self-signed certificate. What we need to do is tell it two more things:

sslOptions: auto: false # rejectUnauthorized: false

This is documented here. How do we do it in a Kubernetes raw manifest: Using a config map and reference it in the deployment:

apiVersion: v1
kind: ConfigMap
metadata:
     name: wikijs-config
     namespace: wikijs
labels:
     app: wikijs
data:
      DB_HOST: "<db_host>
     DB_PORT: "5432"
     DB_NAME: "<db_name>"
     DB_USER: "<db_user"
     DB_SSL: '{"auto":false,"rejectUnauthorized":false}'

and the reference:

 containers:
        - name: wikijs
          image: requarks/wiki:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 3000
          env:
            - name: DB_TYPE
              value: "postgres"
            - name: DB_HOST
              valueFrom:
                configMapKeyRef:
                  name: wikijs-config
                  key: DB_HOST
            - name: DB_PORT
              valueFrom:
                configMapKeyRef:
                  name: wikijs-config
                  key: DB_PORT
            - name: DB_NAME
              valueFrom:
                configMapKeyRef:
                  name: wikijs-config
                  key: DB_NAME
            - name: DB_USER
              valueFrom:
                configMapKeyRef:
                  name: wikijs-config
                  key: DB_USER
            - name: DB_SSL
              valueFrom:
                configMapKeyRef:
                  name: wikijs-config
                  key: DB_SSL

Replace the values in <> with your real values.
Anything else goes as usual. This way, our traffic is encrypted and we are all good to go.

Happy coding!

Update

Turned out at the end this was not sufficient. The real solution is described in this blog post and is indeed fully tested. Another technical description can be found in my wiki.

About The Author

sunrider

See author's posts

Related Posts

1 thought on “Wikijs | Postgresql | Transport Encryption

  1. sunrider Post authorReply

    Turns out there is more to the thing. The DB_SSL probably needs more settings. Running it like above does not throw an error, but when I remove the pg_hba entry for ‘host’ and only leave ‘hostssl’, the connection fails. Coming back to that again.

Leave a Reply

Your email address will not be published. Required fields are marked *

four × five =