Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.codezero.io/llms.txt

Use this file to discover all available pages before exploring further.

Cordon can inject credentials into database connections, not just HTTP APIs. For PostgreSQL, cordon intercepts the wire protocol handshake and injects the password before the connection reaches the upstream database. Your application connects to a local port with no password and cordon handles authentication transparently.

How it works

  1. Cordon listens on a local port (e.g., 15432)
  2. Your app connects to localhost:15432 with no password
  3. Cordon intercepts the PostgreSQL authentication handshake
  4. The real password, resolved when Cordon starts, is injected into the authentication handshake
  5. The authenticated connection is forwarded to the upstream database
Your application never sees or handles database credentials.
PostgreSQL listeners currently resolve credentials at startup, not per connection. If you rotate the underlying secret, restart Cordon to pick up the new value.

Configuration

Database connections are configured as [[listeners]] entries in cordon.toml, alongside HTTP routes: 
listen = 6790

[tls]
enabled = true
# Substitute paths from your real `cordon.toml` (typically under ~/.config/cordon/projects/<namespace>/certs/).
ca_cert_path = "/path/to/ca-cert.pem"
ca_key_path = "/path/to/ca-key.pem"

# ... your HTTP routes ...

[[listeners]]
name = "prod-db"
port = 15432
upstream = "db.prod.example.com:5432"

[listeners.auth]
type = "password"
username = "app_user"

[listeners.auth.secret]
source = "1password"
vault = "Engineering"
item = "Postgres Prod"
field = "password"
FieldTypeRequiredDescription
namestringYesIdentifier for the listener (used in logs)
portintegerYesLocal port to listen on
upstreamstringYesUpstream database host and port
auth.typestringYesAuth type. Currently password.
auth.usernamestringYesUsername to authenticate as
auth.secretobjectYesSecret source reference. See Secret Sources.

Connecting your application

Point your application at the local port instead of the upstream database: 
postgresql://app_user@localhost:15432/mydb
No password in the connection string. Cordon injects it.

Multiple databases

Configure multiple PostgreSQL listeners for different databases, each on its own local port: 
[[listeners]]
name = "prod-db"
port = 15432
upstream = "db.prod.example.com:5432"

[listeners.auth]
type = "password"
username = "app_user"

[listeners.auth.secret]
source = "1password"
vault = "Engineering"
item = "Postgres Prod"
field = "password"

[[listeners]]
name = "staging-db"
port = 15433
upstream = "db.staging.example.com:5432"

[listeners.auth]
type = "password"
username = "staging_user"

[listeners.auth.secret]
source = "keyring"
account = "staging-pg-pass"