SLO

The Grey Matter Service Level Objective (SLO) service is compatible with Postgres versions 10.x and 11.x only.

SSL Configuration

The server certificate must have a CN that matches the hostname of the Postgres server. See Postgres Secure TCP/IP Connections with SSL for details.

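To ensure that clients connect via SSL, a pg_hba.conf file must be configured accordingly. hostssl records match only connections made over SSL, whereas host records match both SSL and non-SSL connections.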

Example

# TYPE   DATABASE  USER      ADDRESS        METHOD
# "local" is for Unix domain socket connections only
local    all       all                      trust
# IPv4 local connections:
host     all       all       127.0.0.1/32   trust
# IPv4 remote connections for authenticated users
hostssl  all       www-data  0.0.0.0/0      cert clientcert=1
hostssl  all       postgres  0.0.0.0/0      cert clientcert=1
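
A check for the requirement above, as an added example that is not part of the Grey Matter documentation: it parses pg_hba.conf text and reports every rule through which a non-loopback client could connect without SSL or without authentication. The function names and the sample text are constructed for illustration, and quoted fields containing spaces or # are assumed not to occur.

```python
import ipaddress

# Constructed sample: the example rules from this page plus one weak rule (last line).
SAMPLE = """\
# TYPE   DATABASE  USER      ADDRESS        METHOD
local    all       all                      trust
host     all       all       127.0.0.1/32   trust
hostssl  all       www-data  0.0.0.0/0      cert clientcert=1
hostssl  all       postgres  0.0.0.0/0      cert clientcert=1
host     all       all       10.0.0.0/8     md5
"""

def _network(fields):
    """Parse the ADDRESS column. Returns (network or None, index of METHOD)."""
    addr = fields[3]
    try:
        if "/" not in addr and len(fields) > 5:
            # "IP-address IP-mask" form occupies two columns
            return ipaddress.ip_network(f"{addr}/{fields[4]}", strict=False), 5
        return ipaddress.ip_network(addr, strict=False), 4
    except ValueError:
        return None, 4  # host name or keyword (all, samehost, samenet)

def audit_pg_hba(text):
    """Return [(line_no, message)] for rules that let network clients skip SSL or auth."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if not fields or fields[0] == "local":
            continue  # blank line, comment, or Unix-socket rule
        if len(fields) < 5:
            findings.append((no, "cannot parse rule"))
            continue
        net, method_idx = _network(fields)
        if net is not None and net.is_loopback:
            continue  # reachable only from the database host itself
        if fields[0] != "hostssl":
            findings.append((no, f"'{fields[0]}' rule accepts connections without SSL"))
        if fields[method_idx] == "trust":
            findings.append((no, "network rule uses trust (no authentication)"))
    return findings

if __name__ == "__main__":
    for no, msg in audit_pg_hba(SAMPLE):
        print(f"line {no}: {msg}")
```

Rules whose address is a host name or keyword are treated as remote, so they are checked rather than skipped.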

Certificates and the pg_hba.conf file must be volume mounted into the container and referenced via a Postgres startup command. The same configuration should be followed for production deployments.

environment:
  DATABASE_URI: postgres://postgres:mysecretpassword@postgres:5432/slo-db
  SSL_ENABLED: "true"
  SSL_SERVER_CA: /etc/gm-slo/certs/postgres/ca.crt
  SSL_SERVER_CERT: /etc/gm-slo/certs/postgres/server.crt
  SSL_SERVER_KEY: /etc/gm-slo/certs/postgres/server.key
  # Uncomment the env vars below to serve over TLS
  # SERVICE_SSL_ENABLED: "true"
  # SERVICE_SSL_CA: /etc/gm-slo/certs/server/ca.crt
  # SERVICE_SSL_CERT: /etc/gm-slo/certs/server/server.crt
  # SERVICE_SSL_KEY: /etc/gm-slo/certs/server/server.key
volumes:
  - ./docker/postgres/certs/:/etc/gm-slo/certs/postgres/
  - ./docker/server/certs/:/etc/gm-slo/certs/server/

Configuration Variables

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| GITHUB_ACCESS_KEY | String | "" | OAuth token used to interact with GitHub via automated scripts |
| LOG_LEVEL | String | debug (dev), error (prod) | Level of messages to log, e.g. debug (see Winston Logger for more) |
| DROP_SCHEMA | Boolean | false | Controls whether or not the schema is dropped when DB connection is established. Use with extreme caution in production. |
| DATABASE_URI | String | none | Database connection URL. In production, replace the password string with a secret. |
| SSL_ENABLED | Boolean | false | Informs service to connect to Postgres via SSL |
| SSL_SERVER_CA | String | none | Path to CA or intermediate certificate (SSL_ENABLED=true is required) |
| SSL_SERVER_CERT | String | none | Path to server certificate (SSL_ENABLED=true is required) |
| SSL_SERVER_KEY | String | none | Path to server certificate private key (SSL_ENABLED=true is required) |
| SERVICE_PORT | Number | 1337 | Port where gm-slo will listen (overridden to use 443 if SERVER_SSL_ENABLED=true) |
| SERVICE_SSL_ENABLED | Boolean | false | Informs service to receive client connections over SSL only |
| SERVICE_SSL_CA | String | none | Path to client trust file (SERVICE_SSL_ENABLED=true is required) |
| SERVICE_SSL_CERT | String | none | Path to client certificate (SERVICE_SSL_ENABLED=true is required) |
| SERVICE_SSL_KEY | String | none | Path to client private key (SERVICE_SSL_ENABLED=true is required) |

Questions

Need help configuring SLOs? Contact us at Decipher Support.