| author | Chris Lu <chrislusf@users.noreply.github.com> | 2025-08-03 09:43:33 -0700 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-08-03 09:43:33 -0700 |
| commit | d49b44f2a4a67e7a630f2d9248a2ce1819d10fc0 (patch) | |
| tree | 5692217002ba6f416614b96ab30daa698c6460e4 | |
| parent | 8c239523260e6d87c1e27a82850f532b95cb8637 (diff) | |
Postgres (CockroachDB) with full certificate verification (#7076)
* Postgres (CockroachDB) with full certificate verification
* Apply suggestion from @Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* Apply suggestion from @Copilot
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* remove duplicated comments
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
| -rw-r--r-- | weed/command/scaffold/filer.toml | 12 | ||||
| -rw-r--r-- | weed/filer/postgres/postgres_store.go | 18 | ||||
| -rw-r--r-- | weed/filer/postgres2/postgres2_store.go | 18 |
3 files changed, 46 insertions, 2 deletions
diff --git a/weed/command/scaffold/filer.toml b/weed/command/scaffold/filer.toml
index 24aeacef3..e828f65d7 100644
--- a/weed/command/scaffold/filer.toml
+++ b/weed/command/scaffold/filer.toml
@@ -111,6 +111,12 @@ password = ""
 database = "postgres" # create or use an existing database
 schema = ""
 sslmode = "disable"
+# SSL certificate options for secure connections
+# For sslmode=verify-full, uncomment and configure the following:
+# sslcert = "/path/to/client.crt" # client certificate file
+# sslkey = "/path/to/client.key" # client private key file
+# sslrootcert = "/path/to/ca.crt" # CA certificate file
+# sslcrl = "/path/to/client.crl" # Certificate Revocation List (CRL) (optional)
 connection_max_idle = 100
 connection_max_open = 100
 connection_max_lifetime_seconds = 0
@@ -142,6 +148,12 @@ password = ""
 database = "postgres" # create or use an existing database
 schema = ""
 sslmode = "disable"
+# SSL certificate options for secure connections
+# For sslmode=verify-full, uncomment and configure the following:
+# sslcert = "/path/to/client.crt" # client certificate file
+# sslkey = "/path/to/client.key" # client private key file
+# sslrootcert = "/path/to/ca.crt" # CA certificate file
+# sslcrl = "/path/to/client.crl" # Certificate Revocation List (CRL) (optional)
 connection_max_idle = 100
 connection_max_open = 100
 connection_max_lifetime_seconds = 0
diff --git a/weed/filer/postgres/postgres_store.go b/weed/filer/postgres/postgres_store.go
index 0c02f0726..568096b0b 100644
--- a/weed/filer/postgres/postgres_store.go
+++ b/weed/filer/postgres/postgres_store.go
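Review bot: In weed/command/scaffold/filer.toml the added comment ties all four options to `sslmode=verify-full`, but the context line directly above still reads `sslmode = "disable"`, so an operator who only uncomments the paths keeps an unencrypted, unverified connection; the comment should say that `sslmode` has to be changed as well. It would also help to separate the roles: `sslrootcert` is what server verification relies on, while `sslcert`/`sslkey` are for client-certificate authentication, and the sample name `client.crl` reads like a client-side file although a CRL is published by the CA. Suggested wording for the second comment line: `# Set sslmode = "verify-full" above and configure sslrootcert (CA that signed the server certificate); sslcert/sslkey are only needed for client-certificate authentication.` The same text is repeated in the second hunk at -142,6.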
@@ -35,13 +35,17 @@ func (store *PostgresStore) Initialize(configuration util.Configuration, prefix
 configuration.GetString(prefix+"database"),
 configuration.GetString(prefix+"schema"),
 configuration.GetString(prefix+"sslmode"),
+ configuration.GetString(prefix+"sslcert"),
+ configuration.GetString(prefix+"sslkey"),
+ configuration.GetString(prefix+"sslrootcert"),
+ configuration.GetString(prefix+"sslcrl"),
 configuration.GetInt(prefix+"connection_max_idle"),
 configuration.GetInt(prefix+"connection_max_open"),
 configuration.GetInt(prefix+"connection_max_lifetime_seconds"),
 )
 }
-func (store *PostgresStore) initialize(upsertQuery string, enableUpsert bool, user, password, hostname string, port int, database, schema, sslmode string, maxIdle, maxOpen, maxLifetimeSeconds int) (err error) {
+func (store *PostgresStore) initialize(upsertQuery string, enableUpsert bool, user, password, hostname string, port int, database, schema, sslmode, sslcert, sslkey, sslrootcert, sslcrl string, maxIdle, maxOpen, maxLifetimeSeconds int) (err error) {
 store.SupportBucketTable = false
 if !enableUpsert {
@@ -63,6 +67,18 @@ func (store *PostgresStore) initialize(upsertQuery string, enableUpsert bool, us
 if sslmode != "" {
 sqlUrl += " sslmode=" + sslmode
 }
+ if sslcert != "" {
+ sqlUrl += " sslcert=" + sslcert
+ }
+ if sslkey != "" {
+ sqlUrl += " sslkey=" + sslkey
+ }
+ if sslrootcert != "" {
+ sqlUrl += " sslrootcert=" + sslrootcert
+ }
+ if sslcrl != "" {
+ sqlUrl += " sslcrl=" + sslcrl
+ }
 if user != "" {
 sqlUrl += " user=" + user
 }
diff --git a/weed/filer/postgres2/postgres2_store.go b/weed/filer/postgres2/postgres2_store.go
index 4f063ad19..135bd54c4 100644
--- a/weed/filer/postgres2/postgres2_store.go
+++ b/weed/filer/postgres2/postgres2_store.go
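Review bot: In weed/filer/postgres/postgres_store.go, `initialize` now takes five consecutive positional strings (`sslmode, sslcert, sslkey, sslrootcert, sslcrl`), and the call in `Initialize` has to list them in exactly that order; transposing `sslcert` and `sslkey` would still compile and only fail at connect time. Grouping the TLS settings in a small struct passed as one argument would make the call site self-describing, and the same applies to the matching signature change in weed/filer/postgres2/postgres2_store.go. A doc comment on `initialize` would also help, for example `// sslcert, sslkey, sslrootcert and sslcrl are file paths appended to the connection string; empty values are omitted.` Both function bodies extend beyond this hunk.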
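Review bot: In the second hunk of weed/filer/postgres/postgres_store.go the four new path options are appended to `sqlUrl` unquoted, so a path containing a space is cut at the space and the remainder is parsed as separate connection parameters, which can silently change the TLS settings the operator intended. Single-quoting and escaping each value, as the keyword/value connection-string format expects, avoids this; the identical hunk in weed/filer/postgres2/postgres2_store.go needs the same change. Separately, nothing visible here shows that the driver actually enforces `sslcrl`, so it is worth confirming that revocation checking takes effect rather than the key being ignored or rejected. The enclosing `initialize` starts and ends outside the hunk, and the file's imports are not shown.

```go
// quoteConnValue single-quotes v for a keyword/value connection string,
// escaping backslashes and single quotes inside it.
func quoteConnValue(v string) string {
	return "'" + strings.NewReplacer(`\`, `\\`, `'`, `\'`).Replace(v) + "'"
}

	// … unchanged: sslmode handling …
	if sslcert != "" {
		sqlUrl += " sslcert=" + quoteConnValue(sslcert)
	}
	if sslkey != "" {
		sqlUrl += " sslkey=" + quoteConnValue(sslkey)
	}
	if sslrootcert != "" {
		sqlUrl += " sslrootcert=" + quoteConnValue(sslrootcert)
	}
	if sslcrl != "" {
		sqlUrl += " sslcrl=" + quoteConnValue(sslcrl)
	}
	// … unchanged: user handling …
```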
@@ -40,13 +40,17 @@ func (store *PostgresStore2) Initialize(configuration util.Configuration, prefix
 configuration.GetString(prefix+"database"),
 configuration.GetString(prefix+"schema"),
 configuration.GetString(prefix+"sslmode"),
+ configuration.GetString(prefix+"sslcert"),
+ configuration.GetString(prefix+"sslkey"),
+ configuration.GetString(prefix+"sslrootcert"),
+ configuration.GetString(prefix+"sslcrl"),
 configuration.GetInt(prefix+"connection_max_idle"),
 configuration.GetInt(prefix+"connection_max_open"),
 configuration.GetInt(prefix+"connection_max_lifetime_seconds"),
 )
 }
-func (store *PostgresStore2) initialize(createTable, upsertQuery string, enableUpsert bool, user, password, hostname string, port int, database, schema, sslmode string, maxIdle, maxOpen, maxLifetimeSeconds int) (err error) {
+func (store *PostgresStore2) initialize(createTable, upsertQuery string, enableUpsert bool, user, password, hostname string, port int, database, schema, sslmode, sslcert, sslkey, sslrootcert, sslcrl string, maxIdle, maxOpen, maxLifetimeSeconds int) (err error) {
 store.SupportBucketTable = true
 if !enableUpsert {
@@ -68,6 +72,18 @@ func (store *PostgresStore2) initialize(createTable, upsertQuery string, enableU
 if sslmode != "" {
 sqlUrl += " sslmode=" + sslmode
 }
+ if sslcert != "" {
+ sqlUrl += " sslcert=" + sslcert
+ }
+ if sslkey != "" {
+ sqlUrl += " sslkey=" + sslkey
+ }
+ if sslrootcert != "" {
+ sqlUrl += " sslrootcert=" + sslrootcert
+ }
+ if sslcrl != "" {
+ sqlUrl += " sslcrl=" + sslcrl
+ }
 if user != "" {
 sqlUrl += " user=" + user
 }
|
