Cordon can inject credentials into database connections, not just HTTP APIs. For PostgreSQL, cordon intercepts the wire protocol handshake and injects the password before the connection reaches the upstream database. Your application connects to a local port with no password and cordon handles authentication transparently.
How it works
- Cordon listens on a local port (e.g., 15432)
- Your app connects to localhost:15432 with no password
- Cordon intercepts the PostgreSQL authentication handshake
- The real password, resolved when Cordon starts, is injected into the authentication handshake
- The authenticated connection is forwarded to the upstream database
Your application never sees or handles database credentials.
PostgreSQL services currently resolve credentials at startup, not per connection. If you rotate the underlying secret, restart Cordon to pick up the new value.
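The handshake interception described above, as an added example that is not Cordon's own code: minimal Python helpers for the PostgreSQL v3 wire protocol that parse the server's Authentication request and build the PasswordMessage a local proxy would send upstream on the application's behalf. The message layout follows the documented PostgreSQL protocol; the username, password and salt values are constructed, and only the cleartext and MD5 methods are covered (SCRAM-SHA-256 needs a multi-step exchange that this example does not implement).

```python
"""Added example (not Cordon's code): how a local proxy can answer the
PostgreSQL server's authentication request so the app never holds the
password. The app's StartupMessage carries only the username; the proxy
supplies the password it resolved at startup."""
import hashlib
import struct


def parse_auth_request(msg: bytes):
    """Parse a backend 'R' (Authentication) message: 'R' + int32 length +
    int32 code [+ 4-byte salt for MD5]. Returns (code, salt)."""
    if msg[0:1] != b"R":
        raise ValueError("not an Authentication message")
    (length,) = struct.unpack("!I", msg[1:5])   # length counts itself
    body = msg[5:1 + length]
    (code,) = struct.unpack("!I", body[:4])
    return code, (body[4:8] if code == 5 else b"")


def password_message(username: str, password: str, code: int, salt: bytes = b"") -> bytes:
    """Build the frontend 'p' PasswordMessage the proxy injects.
    code 3 = cleartext; code 5 = MD5, i.e. "md5" + md5(md5(password+user)+salt)."""
    if code == 3:
        secret = password
    elif code == 5:
        inner = hashlib.md5((password + username).encode()).hexdigest()
        secret = "md5" + hashlib.md5(inner.encode() + salt).hexdigest()
    else:
        raise NotImplementedError(f"auth code {code} not handled in this example")
    payload = secret.encode() + b"\x00"           # NUL-terminated string
    return b"p" + struct.pack("!I", 4 + len(payload)) + payload


def proxy_auth_reply(username: str, password: str, server_msg: bytes):
    """Return the message the proxy sends upstream in response to the
    server's auth request, or None when it is AuthenticationOk (code 0)."""
    code, salt = parse_auth_request(server_msg)
    if code == 0:
        return None
    return password_message(username, password, code, salt)


# Constructed sample: the server asks for MD5 auth with salt 0x01020304.
SAMPLE_MD5_REQUEST = b"R" + struct.pack("!I", 12) + struct.pack("!I", 5) + b"\x01\x02\x03\x04"
# Constructed sample: the server reports AuthenticationOk.
SAMPLE_AUTH_OK = b"R" + struct.pack("!I", 8) + struct.pack("!I", 0)
```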
Configuration
Database connections are configured as services in cordon.toml, separate from HTTP routes:
```toml
listen = 6790

[tls]
enabled = true
# Substitute paths from your real `cordon.toml` (typically under ~/.config/cordon/projects/<namespace>/certs/).
ca_cert_path = "/path/to/ca-cert.pem"
ca_key_path = "/path/to/ca-key.pem"

# ... your HTTP routes ...

[[services]]
name = "prod-db"
listen = 15432
upstream = "db.prod.example.com:5432"
protocol = "postgres"

[services.auth]
type = "password"
username = "app_user"

[services.auth.secret]
source = "1password"
vault = "Engineering"
item = "Postgres Prod"
field = "password"
```
| Field | Type | Required | Description |
|---|---|---|---|
| name | string | Yes | Identifier for the service (used in logs) |
| listen | integer | Yes | Local port to listen on |
| upstream | string | Yes | Upstream database host and port |
| protocol | string | Yes | Wire protocol. Currently `postgres`. |
| auth.type | string | Yes | Auth type. Currently `password`. |
| auth.username | string | Yes | Username to authenticate as |
| auth.secret | object | Yes | Secret source reference. See Secret Sources. |
Connecting your application
Point your application at the local port instead of the upstream database:
Connection string:

```
postgresql://app_user@localhost:15432/mydb
```

Environment variable:

```
DATABASE_URL=postgresql://app_user@localhost:15432/mydb
```

No password in the connection string. Cordon injects it.
Multiple databases
Configure multiple services for different databases, each on its own local port:
```toml
[[services]]
name = "prod-db"
listen = 15432
upstream = "db.prod.example.com:5432"
protocol = "postgres"

[services.auth]
type = "password"
username = "app_user"

[services.auth.secret]
source = "1password"
vault = "Engineering"
item = "Postgres Prod"
field = "password"

[[services]]
name = "staging-db"
listen = 15433
upstream = "db.staging.example.com:5432"
protocol = "postgres"

[services.auth]
type = "password"
username = "staging_user"

[services.auth.secret]
source = "keyring"
account = "staging-pg-pass"
```