feat(postgres): add ssl support and connection retry logic

Add SSL configuration options for PostgreSQL connections with different modes (disable/require/verify-full).
Implement connection retry logic with exponential backoff for database initialization.
Add new configuration parameters for connection retries and SSL settings.

app/core/config.py

@@ -27,6 +27,13 @@ class Settings(BaseSettings):
     POSTGRES_PASSWORD: str = os.getenv("POSTGRES_PASSWORD", "")
     POSTGRES_MIN_POOL_SIZE: int = int(os.getenv("POSTGRES_MIN_POOL_SIZE", "5"))
     POSTGRES_MAX_POOL_SIZE: int = int(os.getenv("POSTGRES_MAX_POOL_SIZE", "20"))
+    POSTGRES_CONNECT_MAX_RETRIES: int = int(os.getenv("POSTGRES_CONNECT_MAX_RETRIES", "20"))
+    POSTGRES_CONNECT_INITIAL_DELAY_MS: int = int(os.getenv("POSTGRES_CONNECT_INITIAL_DELAY_MS", "500"))
+    POSTGRES_CONNECT_BACKOFF_MULTIPLIER: float = float(os.getenv("POSTGRES_CONNECT_BACKOFF_MULTIPLIER", "1.5"))
+    POSTGRES_SSL_MODE: str = os.getenv("POSTGRES_SSL_MODE", "disable")  # disable | require | verify-full
+    POSTGRES_SSL_ROOT_CERT: Optional[str] = os.getenv("POSTGRES_SSL_ROOT_CERT")
+    POSTGRES_SSL_CERT: Optional[str] = os.getenv("POSTGRES_SSL_CERT")
+    POSTGRES_SSL_KEY: Optional[str] = os.getenv("POSTGRES_SSL_KEY")
     
     @property
     def POSTGRES_URI(self) -> str:

app/postgres.py

@@ -3,6 +3,7 @@ PostgreSQL connection pool management.
 Provides async connection pool for PostgreSQL operations.
 """
 import asyncpg
+import ssl
 from typing import Optional, Dict, Any
 from insightfy_utils.logging import get_logger
 from app.core.config import settings
@@ -51,6 +52,25 @@ class PostgreSQLConnectionPool:
                 "max_pool_size": settings.POSTGRES_MAX_POOL_SIZE
             })
 
+            # Optional SSL context
+            ssl_context = None
+            mode = (settings.POSTGRES_SSL_MODE or "disable").lower()
+            if mode != "disable":
+                if mode == "verify-full":
+                    ssl_context = ssl.create_default_context(cafile=settings.POSTGRES_SSL_ROOT_CERT) if settings.POSTGRES_SSL_ROOT_CERT else ssl.create_default_context()
+                    if settings.POSTGRES_SSL_CERT and settings.POSTGRES_SSL_KEY:
+                        try:
+                            ssl_context.load_cert_chain(certfile=settings.POSTGRES_SSL_CERT, keyfile=settings.POSTGRES_SSL_KEY)
+                        except Exception as e:
+                            logger.warning("Failed to load client SSL cert/key for PostgreSQL pool", exc_info=e)
+                    ssl_context.check_hostname = True
+                    ssl_context.verify_mode = ssl.CERT_REQUIRED
+                else:
+                    ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+                    ssl_context.check_hostname = False
+                    ssl_context.verify_mode = ssl.CERT_NONE
+                logger.info("PostgreSQL pool SSL enabled", extra={"ssl_mode": settings.POSTGRES_SSL_MODE})
+
             # Create connection pool
             cls._pool = await asyncpg.create_pool(
                 host=settings.POSTGRES_HOST,
@@ -62,6 +82,7 @@ class PostgreSQLConnectionPool:
                 max_size=settings.POSTGRES_MAX_POOL_SIZE,
                 command_timeout=30.0,
                 timeout=30.0,
+                ssl=ssl_context,
             )
 
             # Test connection by acquiring and releasing

app/sql.py

@@ -3,6 +3,7 @@ PostgreSQL database connection and session management for SCM microservice.
 Following TMS pattern with SQLAlchemy async engine.
 """
 import logging
+import ssl
 from sqlalchemy.ext.asyncio import create_async_engine, AsyncSession
 from sqlalchemy.orm import sessionmaker
 from sqlalchemy import MetaData, text
@@ -19,6 +20,36 @@ if not DATABASE_URI:
 
 logger.info("Using PostgreSQL DATABASE_URL", extra={"url": DATABASE_URI.split('@')[0] + '@***'})
 
+# Build connect args including optional SSL
+CONNECT_ARGS = {
+    "server_settings": {
+        "application_name": "cuatrolabs-scm-ms",
+        "jit": "off"
+    },
+    "command_timeout": 60,
+    "statement_cache_size": 0
+}
+
+mode = (settings.POSTGRES_SSL_MODE or "disable").lower()
+if mode != "disable":
+    ssl_context: ssl.SSLContext
+    if mode == "verify-full":
+        ssl_context = ssl.create_default_context(cafile=settings.POSTGRES_SSL_ROOT_CERT) if settings.POSTGRES_SSL_ROOT_CERT else ssl.create_default_context()
+        if settings.POSTGRES_SSL_CERT and settings.POSTGRES_SSL_KEY:
+            try:
+                ssl_context.load_cert_chain(certfile=settings.POSTGRES_SSL_CERT, keyfile=settings.POSTGRES_SSL_KEY)
+            except Exception as e:
+                logger.warning("Failed to load client SSL cert/key for PostgreSQL", exc_info=e)
+        ssl_context.check_hostname = True
+        ssl_context.verify_mode = ssl.CERT_REQUIRED
+    else:
+        # sslmode=require: encrypt but don't verify server cert
+        ssl_context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
+        ssl_context.check_hostname = False
+        ssl_context.verify_mode = ssl.CERT_NONE
+    CONNECT_ARGS["ssl"] = ssl_context
+    logger.info("PostgreSQL SSL enabled", extra={"ssl_mode": settings.POSTGRES_SSL_MODE})
+
 # Create async engine with connection pool settings
 async_engine = create_async_engine(
     DATABASE_URI,
@@ -29,14 +60,7 @@ async_engine = create_async_engine(
     pool_timeout=30,
     pool_recycle=3600,
     pool_pre_ping=True,
-    connect_args={
-        "server_settings": {
-            "application_name": "cuatrolabs-scm-ms",
-            "jit": "off"
-        },
-        "command_timeout": 60,
-        "statement_cache_size": 0
-    }
+    connect_args=CONNECT_ARGS
 )
 
 # Create async session factory
@@ -57,14 +81,47 @@ logger.info("PostgreSQL configuration loaded successfully")
 
 async def connect_to_database() -> None:
     """Initialize database connection when the application starts."""
-    try:
-        # Test the connection
-        async with async_engine.begin() as conn:
-            await conn.execute(text("SELECT 1"))
-        logger.info("Successfully connected to PostgreSQL database")
-    except Exception as e:
-        logger.exception("Error connecting to PostgreSQL database")
-        raise
+    import asyncio
+    attempts = 0
+    max_attempts = settings.POSTGRES_CONNECT_MAX_RETRIES
+    delay = settings.POSTGRES_CONNECT_INITIAL_DELAY_MS / 1000.0
+    last_error = None
+    while attempts < max_attempts:
+        try:
+            async with async_engine.begin() as conn:
+                await conn.execute(text("SELECT 1"))
+            logger.info("Successfully connected to PostgreSQL database", extra={
+                "host": settings.POSTGRES_HOST,
+                "port": settings.POSTGRES_PORT,
+                "database": settings.POSTGRES_DB
+            })
+            return
+        except Exception as e:
+            last_error = e
+            attempts += 1
+            logger.warning(
+                "PostgreSQL connection attempt failed",
+                extra={
+                    "attempt": attempts,
+                    "max_attempts": max_attempts,
+                    "retry_delay_ms": int(delay * 1000),
+                    "host": settings.POSTGRES_HOST,
+                    "port": settings.POSTGRES_PORT,
+                    "database": settings.POSTGRES_DB
+                }
+            )
+            await asyncio.sleep(delay)
+            delay = min(delay * settings.POSTGRES_CONNECT_BACKOFF_MULTIPLIER, 30.0)
+    logger.error(
+        "Failed to connect to PostgreSQL after retries",
+        exc_info=last_error,
+        extra={
+            "host": settings.POSTGRES_HOST,
+            "port": settings.POSTGRES_PORT,
+            "database": settings.POSTGRES_DB
+        }
+    )
+    raise last_error
 
 async def disconnect_from_database() -> None:
     """Close database connection when the application shuts down."""
@@ -84,4 +141,4 @@ async def create_tables() -> None:
         logger.info("Database tables created successfully")
     except Exception as e:
         logger.exception("Error creating database tables")
-        raise
+        raise