Description of Changes
application-prod.yml file. Previously this would have been added by Kustomize via Kubernetes, but since we're migrating away from Kubernetes, it's easier to just keep it with the application. Can be toggled by setting the SPRING_PROFILES_ACTIVE environment variable to prod.
build.gradle's bootBuildImage task to bind a volume to the packaged container. This volume is the root certificate authority needed to verify the postgres server's certificate when connecting to the AWS RDS Postgres instance with SSL.
Additional Info / Concerns
Types of SSL Modes supported by Postgres
Difference between verify-ca and verify-full:
Why prefer is the default, but not recommended for secure deployments:
Finally, picking verify-full gives us more confidence that we're speaking to the server we're intending to on an encrypted connection, helping to prevent man-in-the-middle attacks (an attacker would not only need to intercept application traffic on our AWS private VPC, but also intercept the certificate download from the GitHub Action initiating the download).
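An added example, not part of this pull request or the project's code: a small check that a datasource URL actually asks for verify-full, listing which guarantee each weaker sslmode gives up. The function name, sample URLs, host and certificate path are constructed placeholders, and requiring an explicit sslmode and sslrootcert is an assumed policy.

```python
from urllib.parse import urlsplit, parse_qs

# What each PostgreSQL sslmode guarantees:
# (traffic always encrypted, CA chain verified, host name matched to certificate)
GUARANTEES = {
    "disable":     (False, False, False),
    "allow":       (False, False, False),
    "prefer":      (False, False, False),  # falls back to plaintext if TLS fails
    "require":     (True,  False, False),
    "verify-ca":   (True,  True,  False),
    "verify-full": (True,  True,  True),
}


def audit_jdbc_url(url):
    """Return findings for a jdbc:postgresql:// URL; an empty list means it passes."""
    if not url.startswith("jdbc:postgresql://"):
        return ["not a jdbc:postgresql:// URL"]
    query = urlsplit(url[len("jdbc:"):]).query
    params = {k: v[-1] for k, v in parse_qs(query).items()}

    mode = params.get("sslmode")
    if mode is None:
        # Assumed policy: never rely on the driver default (prefer, per the PR).
        return ["sslmode not set explicitly"]
    if mode not in GUARANTEES:
        return [f"unknown sslmode {mode!r}"]

    encrypted, chain, host = GUARANTEES[mode]
    findings = []
    if not encrypted:
        findings.append("traffic is not guaranteed to be encrypted")
    if not chain:
        findings.append("server certificate chain is not verified")
    if not host:
        findings.append("host name is not matched against the certificate")
    if chain and "sslrootcert" not in params:
        # Assumed policy: point at the mounted CA file, not the driver default path.
        findings.append("sslrootcert not set")
    return findings


# Constructed sample URLs (host and certificate path are placeholders).
SAMPLES = [
    "jdbc:postgresql://db.example.internal:5432/app",
    "jdbc:postgresql://db.example.internal:5432/app?sslmode=require",
    "jdbc:postgresql://db.example.internal:5432/app?sslmode=verify-ca&sslrootcert=/certs/ca.pem",
    "jdbc:postgresql://db.example.internal:5432/app?sslmode=verify-full&sslrootcert=/certs/ca.pem",
]
```

Only the last sample returns an empty list; verify-ca still reports that the host name is not matched against the certificate.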