Support SSL/TLS options for PostgreSQL connections (make sslmode configurable) #194

@rojo1997

Summary

Currently, Crossview always connects to PostgreSQL using sslmode=disable, making it impossible to enforce secure database connections for environments that require SSL/TLS, such as managed databases on cloud providers.

Problem

In the backend code (crossview-go-server/lib/db.go), the DSN string is hard-coded with sslmode=disable. There is no way to choose require, verify-ca, or other SSL modes, or to provide root certificates for database verification.

Proposal

  • Allow configuring the sslmode parameter for the PostgreSQL DSN via an environment variable, e.g., DB_SSLMODE (default: disable for backward compatibility).
  • (Optional for full secure support) Allow specifying the path to a root certificate (DB_SSLROOTCERT), and additional client certificate/key options if needed.
  • Update documentation and deployment templates (Helm chart, manifests) to expose the new environment variables.

Suggested Code Change

Modify the code section in crossview-go-server/lib/db.go as follows:

// Default to "disable" for backward compatibility; DB_SSLMODE overrides it.
defaultSSLMode := "disable"
if v := os.Getenv("DB_SSLMODE"); v != "" {
    defaultSSLMode = v
}
dsn := fmt.Sprintf(
    "host=%s user=%s password=%s dbname=%s port=%s sslmode=%s TimeZone=UTC",
    host, username, password, dbname, port, defaultSSLMode,
)
// Optionally: add sslrootcert, sslcert, sslkey if those envs are set

Update the Env struct and config propagation to allow passing through these new env vars.

Acceptance Criteria

  • User can set DB_SSLMODE in the environment or Helm values, and the backend connects to PostgreSQL with that mode.
  • Optional: User can mount DB_SSLROOTCERT, DB_SSLCERT, and DB_SSLKEY and pass them in the DSN if needed.
  • Documentation updated to reflect secure database options.

Use Cases

  • Deploy Crossview with RDS/Aurora/GCP SQL instance that requires or enforces SSL/TLS.
  • Satisfy security policy/industry compliance.

Feel free to reach out if you need an example PR or further clarifications!
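
An added example, not part of the original issue and not Crossview's code: one way to build the DSN from the proposed DB_SSLMODE, DB_SSLROOTCERT, DB_SSLCERT and DB_SSLKEY variables while rejecting unknown modes and quoting values so an environment value cannot smuggle extra parameters into the string. `BuildDSN` and `quote` are hypothetical names; the `sslrootcert`, `sslcert` and `sslkey` keywords are the standard libpq ones, and the sample host and credentials are constructed.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// Valid libpq sslmode values; only verify-ca and verify-full authenticate the server.
var sslModes = map[string]bool{
	"disable": true, "allow": true, "prefer": true,
	"require": true, "verify-ca": true, "verify-full": true,
}

// quote escapes a keyword/value DSN value so spaces or quotes cannot add parameters.
func quote(v string) string {
	return "'" + strings.NewReplacer(`\`, `\\`, `'`, `\'`).Replace(v) + "'"
}

// BuildDSN is a hypothetical helper. getenv is injected so it can be tested
// without touching the process environment.
func BuildDSN(host, user, password, dbname, port string, getenv func(string) string) (string, error) {
	mode := getenv("DB_SSLMODE")
	if mode == "" {
		mode = "disable" // backward-compatible default proposed in the issue
	}
	if !sslModes[mode] {
		return "", fmt.Errorf("invalid DB_SSLMODE %q", mode)
	}
	dsn := fmt.Sprintf("host=%s user=%s password=%s dbname=%s port=%s sslmode=%s TimeZone=UTC",
		quote(host), quote(user), quote(password), quote(dbname), quote(port), mode)
	// Certificate paths are appended only when the corresponding variable is set.
	for _, kv := range [][2]string{
		{"DB_SSLROOTCERT", "sslrootcert"}, {"DB_SSLCERT", "sslcert"}, {"DB_SSLKEY", "sslkey"},
	} {
		if v := getenv(kv[0]); v != "" {
			dsn += " " + kv[1] + "=" + quote(v)
		}
	}
	return dsn, nil
}

func main() {
	// Constructed sample values; the DSN itself is not printed because it holds the password.
	dsn, err := BuildDSN("db.example.internal", "crossview", "s3cret pw", "crossview", "5432", os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println("DSN built, length", len(dsn))
}
```

In libpq semantics, `require` encrypts the connection but does not validate the server certificate; `verify-ca` checks the chain and `verify-full` additionally checks the hostname.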
