fix: do not force sslmode at infrastructure level

[ships]

Issue(s) Resolved

Errors like SELF_SIGNED_CERT_IN_CHAIN when connecting with Pg module in Node.js to RDS instances; this was coming up when clicking Create Pub. I am not quite clear why some DB actions were working (such as referring users to the correct integration URLs).

You can now see this working in https://blake.duqduq.org/ "create pub" button.

This change includes:

• include RDS CA certs in all docker images by default, so TLS "just works" to RDS DNS names.
• do not set sslmode at the DATABASE_URL layer, as this stomps any configuration we set on Next.js.

With this config, TLS is "preferred" by the database and so should be used by default, but we can enforce it if we want by setting things in the creation of the pg.Pool.

[kalilsn]

I'm still seeing the self-signed cert error, and I agree that it doesn't really make sense that some connections to the db would be working.

I also don't follow this exactly, would you mind elaborating?

However, that still requires this change because ?sslmode=require overrides that block of config regardless.

are you saying we'd still need to use http even if we trusted the CA?

[ships]

@kalilsn updated comment now that i have included the CAs in hte docker image and HTTP is not required in any setting. To answer the rest of your question, there is a config block when you create a pg Pool where you can specify sslmode, but also Client cert and CA if you are using custom values or mutual TLS. This whole block is ignored if you specify sslmode in the URL, so it is preferable not to do that so those more specific fields are available (though we don't immediately foresee using them).

[kalilsn]

Thanks for the explanation! And this looks good to me, assuming pg and prisma both use the system store (not the one bundled with nodejs)?