Fix Vert.x PG PEM trust option configuration #1910
graemerocher wants to merge 3 commits into 7.0.x from
Allow configuring PEM trust certificate paths for the Vert.x PostgreSQL client so VERIFY_CA/VERIFY_FULL style SSL setups, including CockroachDB, can start correctly. Also document the new configuration path and add focused regression coverage. Co-Authored-By: Codex with GPT-5 <[email protected]>
@copilot review
…Javadoc, fix copyright year Agent-Logs-Url: https://github.com/micronaut-projects/micronaut-sql/sessions/9179a9f4-8c85-495b-9f1b-e891d947a7eb Co-authored-by: graemerocher <[email protected]>
Reviewed (2d89d9b). Changes made as a result:
Everything else looks good: Checkstyle, Spotless, and all 3 tests pass.
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
This PR fixes Vert.x PostgreSQL SSL “verify-ca” behavior by ensuring PEM trust options are bound and preserved when building the effective PgConnectOptions (including URI-based configuration), and adds documentation plus regression tests.
Changes:
- Add pem-trust-options configuration binding and apply it when resolving effective PgConnectOptions.
- Centralize connect options resolution for both URI and property configuration paths before pool creation.
- Add regression tests for “verify-ca” with PEM trust and document the configuration.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| vertx-pg-client/src/test/groovy/io/micronaut/configuration/vertx/pg/client/PgClientConfigurationSpec.groovy | Adds regression tests to ensure verify-ca + PEM trust options don’t get lost (direct options + URI modes). |
| vertx-pg-client/src/main/java/io/micronaut/configuration/vertx/pg/client/PgPemTrustOptionsConfiguration.java | Introduces configuration properties binding for PEM trust cert paths. |
| vertx-pg-client/src/main/java/io/micronaut/configuration/vertx/pg/client/PgDriverFactory.java | Uses a resolver to compute effective PgConnectOptions and apply PEM trust consistently. |
| vertx-pg-client/src/main/java/io/micronaut/configuration/vertx/pg/client/PgConnectOptionsResolver.java | New helper to resolve connect options from URI/properties and apply PEM trust options. |
| vertx-pg-client/src/main/java/io/micronaut/configuration/vertx/pg/client/PgClientFactory.java | Aligns pool creation with the resolver so URI mode also preserves PEM trust. |
| vertx-pg-client/src/main/java/io/micronaut/configuration/vertx/pg/client/PgClientConfiguration.java | Exposes getNetClientOptions() (public accessor). |
| src/main/docs/guide/vertxpgclient.adoc | Documents configuring PEM trust options for verify-ca SSL. |
@copilot apply changes based on the comments in this thread
…g, Javadoc cleanup Agent-Logs-Url: https://github.com/micronaut-projects/micronaut-sql/sessions/3de97ad3-e2b4-462f-8309-1f694e35f9d2 Co-authored-by: graemerocher <[email protected]>
Done in 3b520bd. Applied all four review comments:
| applicationContext?.stop() | ||
| } | ||
|
|
||
| void "test vertx-pg-client connects with direct options when verify-ca trust options are configured"() { |
Would it make more sense to do actual verification for pem trust options, something like
```groovy
void "test vertx-pg-client connects with direct options when verify-ca trust options are configured"() {
    given:
    int port = findFreePort()

    when:
    ApplicationContext applicationContext = ApplicationContext.run(
        'vertx.pg.client.host': 'localhost',
        'vertx.pg.client.port': port,
        'vertx.pg.client.ssl': true,
        'vertx.pg.client.ssl-mode': 'VERIFY_CA',
        'vertx.pg.client.pem-trust-options.cert-paths[0]': 'certs/ca.crt'
    )
    PgConnectOptions options = PgConnectOptionsResolver.resolve(
        applicationContext.getBean(PgClientConfiguration),
        applicationContext.getBean(PgPemTrustOptionsConfiguration)
    )
    PemTrustOptions trustOptions = (PemTrustOptions) options.sslOptions.trustOptions

    then:
    options.host == 'localhost'
    options.port == port
    options.sslMode == SslMode.VERIFY_CA
    options.sslOptions != null
    trustOptions.certPaths == ['certs/ca.crt']

    cleanup:
    applicationContext?.stop()
}
```
And the other test as well
```groovy
void "test vertx-pg-client uri mode keeps verify-ca trust options during connect"() {
    given:
    int port = findFreePort()

    when:
    ApplicationContext applicationContext = ApplicationContext.run(
        'vertx.pg.client.uri': "postgresql://user:secret@localhost:${port}/the-db",
        'vertx.pg.client.ssl': true,
        'vertx.pg.client.ssl-mode': 'VERIFY_CA',
        'vertx.pg.client.pem-trust-options.cert-paths[0]': 'certs/ca.crt'
    )
    PgConnectOptions options = PgConnectOptionsResolver.resolve(
        applicationContext.getBean(PgClientConfiguration),
        applicationContext.getBean(PgPemTrustOptionsConfiguration)
    )
    PemTrustOptions trustOptions = (PemTrustOptions) options.sslOptions.trustOptions

    then:
    options.host == 'localhost'
    options.port == port
    options.database == 'the-db'
    options.user == 'user'
    options.password == 'secret'
    options.sslMode == SslMode.VERIFY_CA
    options.sslOptions != null
    trustOptions.certPaths == ['certs/ca.crt']

    cleanup:
    applicationContext?.stop()
}
```
which seems to fail as SSL options are not being set properly (which is an issue that probably existed before this PR)
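An added example, not code from this PR or from the review comment above: one way to attach PEM trust material after URI parsing and to fail fast when a certificate-verifying mode has none. It assumes the Vert.x API shape used in the reviewer's snippet (`getSslOptions()` returning `ClientSSLOptions`); the class and method names are hypothetical and the URI and path are constructed sample values.

```java
import io.vertx.core.net.ClientSSLOptions;
import io.vertx.core.net.PemTrustOptions;
import io.vertx.core.net.TrustOptions;
import io.vertx.pgclient.PgConnectOptions;
import io.vertx.pgclient.SslMode;
import java.util.List;

// Added illustration; class and method names are hypothetical, not the PR's resolver.
public final class VerifyCaTrustExample {

    // Build options from a URI first, then attach the PEM CA paths to that same instance.
    static PgConnectOptions fromUriWithTrust(String uri, SslMode mode, List<String> caPaths) {
        PgConnectOptions options = PgConnectOptions.fromUri(uri).setSslMode(mode);
        if (!caPaths.isEmpty()) {
            PemTrustOptions trust = new PemTrustOptions();
            caPaths.forEach(trust::addCertPath);
            ClientSSLOptions ssl = options.getSslOptions() != null ? options.getSslOptions() : new ClientSSLOptions();
            ssl.setTrustOptions(trust);
            options.setSslOptions(ssl);
        }
        return requireTrust(options);
    }

    // Assumed policy: refuse a certificate-verifying mode that has nothing to verify against.
    static PgConnectOptions requireTrust(PgConnectOptions options) {
        SslMode mode = options.getSslMode();
        boolean verifies = mode == SslMode.VERIFY_CA || mode == SslMode.VERIFY_FULL;
        ClientSSLOptions ssl = options.getSslOptions();
        TrustOptions trust = ssl == null ? null : ssl.getTrustOptions();
        if (verifies && trust == null) {
            throw new IllegalStateException("ssl-mode " + mode + " configured without trust options");
        }
        return options;
    }

    public static void main(String[] args) {
        // Constructed sample values, mirroring the ones in the review comment.
        String uri = "postgresql://user:secret@localhost:5432/the-db";
        PgConnectOptions ok = fromUriWithTrust(uri, SslMode.VERIFY_CA, List.of("certs/ca.crt"));
        PemTrustOptions trust = (PemTrustOptions) ok.getSslOptions().getTrustOptions();
        System.out.println(ok.getSslMode() + " trusts " + trust.getCertPaths());
        try {
            fromUriWithTrust(uri, SslMode.VERIFY_CA, List.of());
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```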
| * This configuration maps the {@code vertx.pg.client.pem-trust-options} namespace and allows | ||
| * specifying certificate files that should be trusted for SSL connections. | ||
| * | ||
| * @since 6.7.0 |
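Review bot: The class Javadoc above the @since tag says only that the certificate files "should be trusted for SSL connections" and does not tie them to the ssl-mode setting. Consider stating that these are PEM-encoded CA certificates used to verify the server certificate when ssl-mode is VERIFY_CA or VERIFY_FULL, and what happens when cert-paths is empty in those modes.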
| * @since 6.7.0 | |
| * @since 7.0.0 |
Resolves #985