SLO

The Grey Matter Service Level Objective (SLO) service is compatible with Postgres versions 10.x and 11.x only. For more information on the SLO service and using its API, see the usage docs.

SSL Configuration

The server certificate must have a CN that matches the hostname of the Postgres server. See Postgres Secure TCP/IP Connections with SSL for details.

To ensure that clients connect via SSL, the pg_hba.conf file must be configured accordingly.

Example

# TYPE   DATABASE  USER      ADDRESS        METHOD
# "local" is for Unix domain socket connections only
local    all       all                      trust
# IPv4 local connections:
host     all       all       127.0.0.1/32   trust
# IPv4 remote connections for authenticated users
hostssl  all       www-data  0.0.0.0/0      cert clientcert=1
hostssl  all       postgres  0.0.0.0/0      cert clientcert=1
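
A check for the requirement above, as an added example rather than Grey Matter's own tooling: it parses a pg_hba.conf and reports remote rules that still admit non-SSL connections or use the trust method. The sample input is constructed from the example above plus two weak lines for contrast, and the function names are assumptions.

```python
import ipaddress
import shlex

# audit_pg_hba and is_loopback are illustrative names (assumptions), not Grey Matter code.
# Constructed sample: the page's example plus two weak lines added for contrast.
SAMPLE_HBA = """\
# TYPE   DATABASE  USER      ADDRESS        METHOD
local    all       all                      trust
host     all       all       127.0.0.1/32   trust
hostssl  all       www-data  0.0.0.0/0      cert clientcert=1
hostssl  all       postgres  0.0.0.0/0      cert clientcert=1
host     all       reporting 10.0.0.0/8     md5
hostssl  all       batch     0.0.0.0/0      trust
"""

def is_loopback(address, mask=None):
    """True only for literal loopback networks; hostnames and keywords count as remote."""
    try:
        net = ipaddress.ip_network(f"{address}/{mask}" if mask else address, strict=False)
    except ValueError:
        return False
    return net.is_loopback

def audit_pg_hba(text):
    """Return (line_number, message) for each remote rule that weakens TLS enforcement."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        fields = shlex.split(line, comments=True)  # handles quoting and '#' comments
        if not fields or fields[0] == "local" or len(fields) < 5:
            continue  # Unix-socket rules never traverse the network
        conn_type, address, rest = fields[0], fields[3], fields[4:]
        mask = None
        try:  # old-style "ADDRESS MASK METHOD" form
            ipaddress.ip_address(rest[0])
            mask, rest = rest[0], rest[1:]
        except ValueError:
            pass
        if is_loopback(address, mask) or not rest:
            continue
        method = rest[0]
        if conn_type != "hostssl":
            findings.append((lineno, f"{conn_type} rule for {address} accepts non-SSL connections"))
        if method == "trust":
            findings.append((lineno, f"trust method for {address} does not authenticate the user"))
    return findings

if __name__ == "__main__":
    for lineno, message in audit_pg_hba(SAMPLE_HBA):
        print(f"line {lineno}: {message}")
```

Run against the unmodified example above, the check reports nothing: the only `host` and `trust` rules there are limited to the Unix socket and loopback.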

Certificates and the pg_hba.conf file must be volume mounted into the container and referenced via a Postgres startup command. The same configuration should be followed for production deployments.

environment:
  DATABASE_URI: postgres://postgres:mysecretpassword@postgres:5432/slo-db
  SSL_ENABLED: "true"
  SSL_SERVER_CA: /etc/gm-slo/certs/postgres/ca.crt
  SSL_SERVER_CERT: /etc/gm-slo/certs/postgres/server.crt
  SSL_SERVER_KEY: /etc/gm-slo/certs/postgres/server.key
  # Uncomment the env vars below to serve over TLS
  # SERVICE_SSL_ENABLED: "true"
  # SERVICE_SSL_CA: /etc/gm-slo/certs/server/ca.crt
  # SERVICE_SSL_CERT: /etc/gm-slo/certs/server/server.crt
  # SERVICE_SSL_KEY: /etc/gm-slo/certs/server/server.key
volumes:
  - ./docker/postgres/certs/:/etc/gm-slo/certs/postgres/
  - ./docker/server/certs/:/etc/gm-slo/certs/server/

Configuration Variables

| Name | Type | Default | Description |
| --- | --- | --- | --- |
| GITHUB_ACCESS_KEY | String | "" | OAuth token used to interact with GitHub via automated scripts |
| LOG_LEVEL | String | debug (dev), error (prod) | Level of messages to log, e.g. debug (see Winston Logger for more) |
| DROP_SCHEMA | Boolean | false | Controls whether or not the schema is dropped when the DB connection is established. Use with extreme caution in production. |
| DATABASE_URI | String | none | Database connection URL. In production, replace the password string with a secret. |
| SSL_ENABLED | Boolean | false | Informs service to connect to Postgres via SSL |
| SSL_SERVER_CA | String | none | Path to CA or intermediate certificate (SSL_ENABLED=true is required) |
| SSL_SERVER_CERT | String | none | Path to server certificate (SSL_ENABLED=true is required) |
| SSL_SERVER_KEY | String | none | Path to server certificate private key (SSL_ENABLED=true is required) |
| SERVICE_PORT | Number | 1337 | Port where gm-slo will listen (overridden to use 443 if SERVICE_SSL_ENABLED=true) |
| SERVICE_SSL_ENABLED | Boolean | false | Informs service to receive client connections over SSL only |
| SERVICE_SSL_CA | String | none | Path to client trust file (SERVICE_SSL_ENABLED=true is required) |
| SERVICE_SSL_CERT | String | none | Path to client certificate (SERVICE_SSL_ENABLED=true is required) |
| SERVICE_SSL_KEY | String | none | Path to client private key (SERVICE_SSL_ENABLED=true is required) |

Questions

Need help configuring SLOs? Contact us at Decipher Support.