SLO
The Grey Matter Service Level Objective (SLO) service is compatible with Postgres versions 10.x and 11.x only. For more information on the SLO service and using its API, see the usage docs.
SSL Configuration
The server certificate must have a CN that matches the hostname of the Postgres server. See Postgres Secure TCP/IP Connections with SSL for details.
To ensure that clients connect via SSL, a pg_hba.conf file must be configured accordingly.
Example
# TYPE    DATABASE  USER      ADDRESS        METHOD
# "local" is for Unix domain socket connections only
local     all       all                      trust
# IPv4 local connections:
host      all       all       127.0.0.1/32   trust
# IPv4 remote connections for authenticated users
hostssl   all       www-data  0.0.0.0/0      cert clientcert=1
hostssl   all       postgres  0.0.0.0/0      cert clientcert=1
Certificates and the pg_hba.conf file must be volume mounted into the container and referenced via a Postgres startup command. The same configuration should be followed for production deployments.
environment:
  DATABASE_URI: postgres://postgres:mysecretpassword@postgres:5432/slo-db
  SSL_ENABLED: "true"
  SSL_SERVER_CA: /etc/gm-slo/certs/postgres/ca.crt
  SSL_SERVER_CERT: /etc/gm-slo/certs/postgres/server.crt
  SSL_SERVER_KEY: /etc/gm-slo/certs/postgres/server.key
  # Uncomment the env vars below to serve over TLS
  # SERVICE_SSL_ENABLED: "true"
  # SERVICE_SSL_CA: /etc/gm-slo/certs/server/ca.crt
  # SERVICE_SSL_CERT: /etc/gm-slo/certs/server/server.crt
  # SERVICE_SSL_KEY: /etc/gm-slo/certs/server/server.key
volumes:
  - ./docker/postgres/certs/:/etc/gm-slo/certs/postgres/
  - ./docker/server/certs/:/etc/gm-slo/certs/server/
Configuration Variables
| Name | Type | Default | Description |
| --- | --- | --- | --- |
| GITHUB_ACCESS_KEY | String | "" | OAuth token used to interact with GitHub via automated scripts |
| LOG_LEVEL | String | debug (dev), error (prod) | Level of messages to log. debug (see Winston Logger for more) |
| DROP_SCHEMA | Boolean | false | Controls whether or not the schema is dropped when DB connection is established. Use with extreme caution in production. |
| DATABASE_URI | String | none | Database connection URL. In production, replace the password string with a secret. |
| SSL_ENABLED | Boolean | false | Informs service to connect to Postgres via SSL |
| SSL_SERVER_CA | String | none | Path to CA or intermediate certificate (SSL_ENABLED=true is required) |
| SSL_SERVER_CERT | String | none | Path to server certificate (SSL_ENABLED=true is required) |
| SSL_SERVER_KEY | String | none | Path to server certificate private key (SSL_ENABLED=true is required) |
| SERVICE_PORT | Number | 1337 | Port where gm-slo will listen (overridden to use 443 if SERVER_SSL_ENABLED=true) |
| SERVICE_SSL_ENABLED | Boolean | false | Informs service to receive client connections over SSL only |
| SERVICE_SSL_CA | String | none | Path to client trust file (SERVICE_SSL_ENABLED=true is required) |
| SERVICE_SSL_CERT | String | none | Path to client certificate (SERVICE_SSL_ENABLED=true is required) |
| SERVICE_SSL_KEY | String | none | Path to client private key (SERVICE_SSL_ENABLED=true is required) |
Questions
Need help configuring SLOs? Contact us at Grey Matter Support.