Allow passing ssl_cert_data, ssl_key_dadta and ssl_root_cert_data

.gitignore

@@ -5,3 +5,4 @@
 /postgresqlAWSExporter
 /postgresql_*.ptar
 *.local.json
+/vendor

README.md

@@ -95,8 +95,11 @@ restored roles will have no password set.
 | `pg_bin_dir` | — | Directory containing the PostgreSQL client binaries (`pg_dump`, `pg_dumpall`, `psql`). When omitted, binaries are resolved via `$PATH`. Useful when multiple PostgreSQL versions are installed. |
 | `ssl_mode` | `prefer` | SSL mode: `disable`, `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`. Passed via `PGSSLMODE`. |
 | `ssl_cert` | — | Path to the client SSL certificate file (PEM). Passed via `PGSSLCERT`. |
+| `ssl_cert_data` | — | Inline PEM content of the client SSL certificate. Alternative to `ssl_cert`. |
 | `ssl_key` | — | Path to the client SSL private key file (PEM). Passed via `PGSSLKEY`. |
+| `ssl_key_data` | — | Inline PEM content of the client SSL private key. Alternative to `ssl_key`. |
 | `ssl_root_cert` | — | Path to the root CA certificate used to verify the server (PEM). Passed via `PGSSLROOTCERT`. |
+| `ssl_root_cert_data` | — | Inline PEM content of the root CA certificate. Alternative to `ssl_root_cert`. |
 
 ### Exporter options (`postgres://`)
 
@@ -119,8 +122,11 @@ restored roles will have no password set.
 | `pg_bin_dir` | — | Directory containing the PostgreSQL client binaries (`pg_restore`, `psql`). When omitted, binaries are resolved via `$PATH`. Useful when multiple PostgreSQL versions are installed. |
 | `ssl_mode` | `prefer` | SSL mode: `disable`, `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`. Passed via `PGSSLMODE`. |
 | `ssl_cert` | — | Path to the client SSL certificate file (PEM). Passed via `PGSSLCERT`. |
+| `ssl_cert_data` | — | Inline PEM content of the client SSL certificate. Alternative to `ssl_cert`. |
 | `ssl_key` | — | Path to the client SSL private key file (PEM). Passed via `PGSSLKEY`. |
+| `ssl_key_data` | — | Inline PEM content of the client SSL private key. Alternative to `ssl_key`. |
 | `ssl_root_cert` | — | Path to the root CA certificate used to verify the server (PEM). Passed via `PGSSLROOTCERT`. |
+| `ssl_root_cert_data` | — | Inline PEM content of the root CA certificate. Alternative to `ssl_root_cert`. |
 
 ### Examples
 
@@ -301,8 +307,11 @@ functions (execution role).
 | `pg_bin_dir` | — | Directory containing the PostgreSQL client binaries. When omitted, binaries are resolved via `$PATH`. |
 | `ssl_mode` | `prefer` | SSL mode. IAM authentication requires an encrypted connection — use `require` or higher. |
 | `ssl_cert` | — | Path to the client SSL certificate file (PEM). Passed via `PGSSLCERT`. |
+| `ssl_cert_data` | — | Inline PEM content of the client SSL certificate. Alternative to `ssl_cert`. |
 | `ssl_key` | — | Path to the client SSL private key file (PEM). Passed via `PGSSLKEY`. |
+| `ssl_key_data` | — | Inline PEM content of the client SSL private key. Alternative to `ssl_key`. |
 | `ssl_root_cert` | — | Path to the root CA certificate used to verify the server (PEM). Passed via `PGSSLROOTCERT`. |
+| `ssl_root_cert_data` | — | Inline PEM content of the root CA certificate. Alternative to `ssl_root_cert`. |
 
 ### Importer examples
 
@@ -343,8 +352,11 @@ the password for the restore connection.
 | `pg_bin_dir` | — | Directory containing the PostgreSQL client binaries. When omitted, binaries are resolved via `$PATH`. |
 | `ssl_mode` | `prefer` | SSL mode. IAM authentication requires an encrypted connection — use `require` or higher. |
 | `ssl_cert` | — | Path to the client SSL certificate file (PEM). Passed via `PGSSLCERT`. |
+| `ssl_cert_data` | — | Inline PEM content of the client SSL certificate. Alternative to `ssl_cert`. |
 | `ssl_key` | — | Path to the client SSL private key file (PEM). Passed via `PGSSLKEY`. |
+| `ssl_key_data` | — | Inline PEM content of the client SSL private key. Alternative to `ssl_key`. |
 | `ssl_root_cert` | — | Path to the root CA certificate used to verify the server (PEM). Passed via `PGSSLROOTCERT`. |
+| `ssl_root_cert_data` | — | Inline PEM content of the root CA certificate. Alternative to `ssl_root_cert`. |
 
 ### Exporter examples
 
@@ -430,8 +442,11 @@ The PostgreSQL server must have:
 | `pg_bin_dir` | — | Directory containing the PostgreSQL client binaries (`pg_basebackup`, `psql`). When omitted, binaries are resolved via `$PATH`. Useful when multiple PostgreSQL versions are installed. |
 | `ssl_mode` | `prefer` | SSL mode: `disable`, `allow`, `prefer`, `require`, `verify-ca`, or `verify-full`. Passed via `PGSSLMODE`. |
 | `ssl_cert` | — | Path to the client SSL certificate file (PEM). Passed via `PGSSLCERT`. |
+| `ssl_cert_data` | — | Inline PEM content of the client SSL certificate. Alternative to `ssl_cert`. |
 | `ssl_key` | — | Path to the client SSL private key file (PEM). Passed via `PGSSLKEY`. |
+| `ssl_key_data` | — | Inline PEM content of the client SSL private key. Alternative to `ssl_key`. |
 | `ssl_root_cert` | — | Path to the root CA certificate used to verify the server (PEM). Passed via `PGSSLROOTCERT`. |
+| `ssl_root_cert_data` | — | Inline PEM content of the root CA certificate. Alternative to `ssl_root_cert`. |
 
 ### Restoring a physical backup
 

awsexporter/schema.json

@@ -90,15 +90,30 @@
       "minLength": 1,
       "description": "Path to the client SSL certificate file (PEM format), passed via PGSSLCERT."
     },
+    "ssl_cert_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the client SSL certificate. Alternative to ssl_cert."
+    },
     "ssl_key": {
       "type": "string",
       "minLength": 1,
       "description": "Path to the client SSL private key file (PEM format), passed via PGSSLKEY."
     },
+    "ssl_key_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the client SSL private key. Alternative to ssl_key."
+    },
     "ssl_root_cert": {
       "type": "string",
       "minLength": 1,
       "description": "Path to the root CA certificate used to verify the server (PEM format), passed via PGSSLROOTCERT."
+    },
+    "ssl_root_cert_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the root CA certificate. Alternative to ssl_root_cert."
     }
   }
 }

awsimporter/schema.json

@@ -71,15 +71,30 @@
       "minLength": 1,
       "description": "Path to the client SSL certificate file (PEM format), passed via PGSSLCERT."
     },
+    "ssl_cert_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the client SSL certificate. Alternative to ssl_cert."
+    },
     "ssl_key": {
       "type": "string",
       "minLength": 1,
       "description": "Path to the client SSL private key file (PEM format), passed via PGSSLKEY."
     },
+    "ssl_key_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the client SSL private key. Alternative to ssl_key."
+    },
     "ssl_root_cert": {
       "type": "string",
       "minLength": 1,
       "description": "Path to the root CA certificate used to verify the server (PEM format), passed via PGSSLROOTCERT."
+    },
+    "ssl_root_cert_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the root CA certificate. Alternative to ssl_root_cert."
     }
   }
 }

binimporter/importer.go

@@ -171,7 +171,10 @@ func (p *BinImporter) Ping(ctx context.Context) error {
 	return p.conn.Ping(ctx, "")
 }
 
-func (p *BinImporter) Close(ctx context.Context) error { return nil }
+func (p *BinImporter) Close(ctx context.Context) error {
+	p.conn.Cleanup()
+	return nil
+}
 func (p *BinImporter) Root() string                    { return "/" }
 func (p *BinImporter) Origin() string                  { return p.conn.Host }
 func (p *BinImporter) Type() string                    { return "postgres+bin" }

binimporter/schema.json

@@ -45,15 +45,30 @@
       "minLength": 1,
       "description": "Path to the client SSL certificate file (PEM format), passed via PGSSLCERT."
     },
+    "ssl_cert_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the client SSL certificate. Alternative to ssl_cert."
+    },
     "ssl_key": {
       "type": "string",
       "minLength": 1,
       "description": "Path to the client SSL private key file (PEM format), passed via PGSSLKEY."
     },
+    "ssl_key_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the client SSL private key. Alternative to ssl_key."
+    },
     "ssl_root_cert": {
       "type": "string",
       "minLength": 1,
       "description": "Path to the root CA certificate used to verify the server (PEM format), passed via PGSSLROOTCERT."
+    },
+    "ssl_root_cert_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the root CA certificate. Alternative to ssl_root_cert."
     }
   }
 }

exporter/exporter.go

@@ -142,6 +142,7 @@ func (p *Exporter) Ping(ctx context.Context) error {
 }
 
 func (p *Exporter) Close(ctx context.Context) error {
+	p.conn.Cleanup()
 	return nil
 }
 

exporter/schema.json

@@ -90,15 +90,30 @@
       "minLength": 1,
       "description": "Path to the client SSL certificate file (PEM format), passed via PGSSLCERT."
     },
+    "ssl_cert_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the client SSL certificate. Alternative to ssl_cert."
+    },
     "ssl_key": {
       "type": "string",
       "minLength": 1,
       "description": "Path to the client SSL private key file (PEM format), passed via PGSSLKEY."
     },
+    "ssl_key_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the client SSL private key. Alternative to ssl_key."
+    },
     "ssl_root_cert": {
       "type": "string",
       "minLength": 1,
       "description": "Path to the root CA certificate used to verify the server (PEM format), passed via PGSSLROOTCERT."
+    },
+    "ssl_root_cert_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the root CA certificate. Alternative to ssl_root_cert."
     }
   }
 }

importer/importer.go

@@ -349,7 +349,10 @@ func (p *Importer) Ping(ctx context.Context) error {
 	return p.conn.Ping(ctx, p.database)
 }
 
-func (p *Importer) Close(ctx context.Context) error { return nil }
+func (p *Importer) Close(ctx context.Context) error {
+	p.conn.Cleanup()
+	return nil
+}
 func (p *Importer) Root() string                    { return "/" }
 func (p *Importer) Origin() string                  { return p.conn.Host }
 func (p *Importer) Type() string                    { return p.connType }

importer/schema.json

@@ -70,15 +70,30 @@
       "minLength": 1,
       "description": "Path to the client SSL certificate file (PEM format), passed via PGSSLCERT."
     },
+    "ssl_cert_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the client SSL certificate. Alternative to ssl_cert."
+    },
     "ssl_key": {
       "type": "string",
       "minLength": 1,
       "description": "Path to the client SSL private key file (PEM format), passed via PGSSLKEY."
     },
+    "ssl_key_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the client SSL private key. Alternative to ssl_key."
+    },
     "ssl_root_cert": {
       "type": "string",
       "minLength": 1,
       "description": "Path to the root CA certificate used to verify the server (PEM format), passed via PGSSLROOTCERT."
+    },
+    "ssl_root_cert_data": {
+      "type": "string",
+      "minLength": 1,
+      "description": "Inline PEM content of the root CA certificate. Alternative to ssl_root_cert."
     }
   }
 }

pgconn/conn.go

@@ -10,6 +10,28 @@ import (
 	_ "github.com/jackc/pgx/v5/stdlib"
 )
 
+// sslFileParam describes one SSL file parameter and its inline-content variant.
+type sslFileParam struct {
+	pathKey string  // config key for the file path, e.g. "ssl_cert"
+	dataKey string  // config key for inline content, e.g. "ssl_cert_data"
+	field   *string // pointer to the ConnConfig field to set
+}
+
+// writeTempFile writes content to a temporary PEM file and returns its path.
+func writeTempFile(label, content string) (string, error) {
+	f, err := os.CreateTemp("", "plakar-pg-"+label+"-*")
+	if err != nil {
+		return "", fmt.Errorf("%s_data: create temp file: %w", label, err)
+	}
+	defer f.Close()
+	if _, err := f.WriteString(content); err != nil {
+		_ = os.Remove(f.Name())
+		return "", fmt.Errorf("%s_data: write temp file: %w", label, err)
+	}
+	return f.Name(), nil
+}
+
+
 // ConnConfig holds the connection parameters shared by all PostgreSQL connectors.
 type ConnConfig struct {
 	Host     string
@@ -21,6 +43,17 @@ type ConnConfig struct {
 	SSLCert     string // path to client certificate file (PEM)
 	SSLKey      string // path to client private key file (PEM)
 	SSLRootCert string // path to root CA certificate file (PEM)
+
+	tmpFiles []string // temp files written for inline SSL content; removed by Cleanup
+}
+
+// Cleanup removes any temporary files that were created for inline SSL content.
+// It should be called when the connector is closed.
+func (c *ConnConfig) Cleanup() {
+	for _, f := range c.tmpFiles {
+		_ = os.Remove(f)
+	}
+	c.tmpFiles = nil
 }
 
 // ParseConnConfig parses host, port, username, and password from the "location"
@@ -79,14 +112,28 @@ func ParseConnConfig(config map[string]string) (ConnConfig, string, error) {
 			return ConnConfig{}, "", fmt.Errorf("ssl_mode: invalid value %q (accepted: disable, allow, prefer, require, verify-ca, verify-full)", v)
 		}
 	}
-	if v, ok := config["ssl_cert"]; ok && v != "" {
-		c.SSLCert = v
-	}
-	if v, ok := config["ssl_key"]; ok && v != "" {
-		c.SSLKey = v
-	}
-	if v, ok := config["ssl_root_cert"]; ok && v != "" {
-		c.SSLRootCert = v
+	for _, p := range []sslFileParam{
+		{"ssl_cert", "ssl_cert_data", &c.SSLCert},
+		{"ssl_key", "ssl_key_data", &c.SSLKey},
+		{"ssl_root_cert", "ssl_root_cert_data", &c.SSLRootCert},
+	} {
+		path, hasPath := config[p.pathKey]
+		data, hasData := config[p.dataKey]
+		if hasPath && path != "" && hasData && data != "" {
+			c.Cleanup()
+			return ConnConfig{}, "", fmt.Errorf("%s and %s are mutually exclusive", p.pathKey, p.dataKey)
+		}
+		if hasPath && path != "" {
+			*p.field = path
+		} else if hasData && data != "" {
+			tmp, err := writeTempFile(p.pathKey, data)
+			if err != nil {
+				c.Cleanup()
+				return ConnConfig{}, "", err
+			}
+			*p.field = tmp
+			c.tmpFiles = append(c.tmpFiles, tmp)
+		}
 	}
 
 	return c, dbPath, nil