From 9fe7069146d5f0a60ab4f5f46a211d1725cc25cf Mon Sep 17 00:00:00 2001
From: Weny Xu <wenymedia@gmail.com>
Date: Thu, 11 Sep 2025 20:18:13 +0800
Subject: [PATCH] feat: add postgres tls support for CLI (#6941)

* feat: add postgres tls support for cli

Signed-off-by: WenyXu <wenymedia@gmail.com>

* chore: apply suggestions

Signed-off-by: WenyXu <wenymedia@gmail.com>

---------

Signed-off-by: WenyXu <wenymedia@gmail.com>
---
 src/cli/src/metadata/common.rs | 29 +++++++++++++++++------------
 src/meta-srv/src/bootstrap.rs  |  1 +
 2 files changed, 18 insertions(+), 12 deletions(-)

diff --git a/src/cli/src/metadata/common.rs b/src/cli/src/metadata/common.rs
index 4019ed3ef8..3fe0cbca58 100644
--- a/src/cli/src/metadata/common.rs
+++ b/src/cli/src/metadata/common.rs
@@ -83,6 +83,20 @@ pub(crate) struct StoreConfig {
 }
 
 impl StoreConfig {
+    pub fn tls_config(&self) -> Option<TlsOption> {
+        if self.backend_tls_mode != TlsMode::Disable {
+            Some(TlsOption {
+                mode: self.backend_tls_mode.clone(),
+                cert_path: self.backend_tls_cert_path.clone(),
+                key_path: self.backend_tls_key_path.clone(),
+                ca_cert_path: self.backend_tls_ca_cert_path.clone(),
+                watch: self.backend_tls_watch,
+            })
+        } else {
+            None
+        }
+    }
+
     /// Builds a [`KvBackendRef`] from the store configuration.
     pub async fn build(&self) -> Result<KvBackendRef, BoxedError> {
         let max_txn_ops = self.max_txn_ops;
@@ -92,17 +106,7 @@ impl StoreConfig {
         } else {
             let kvbackend = match self.backend {
                 BackendImpl::EtcdStore => {
-                    let tls_config = if self.backend_tls_mode != TlsMode::Disable {
-                        Some(TlsOption {
-                            mode: self.backend_tls_mode.clone(),
-                            cert_path: self.backend_tls_cert_path.clone(),
-                            key_path: self.backend_tls_key_path.clone(),
-                            ca_cert_path: self.backend_tls_ca_cert_path.clone(),
-                            watch: self.backend_tls_watch,
-                        })
-                    } else {
-                        None
-                    };
+                    let tls_config = self.tls_config();
                     let etcd_client = create_etcd_client_with_tls(store_addrs, tls_config.as_ref())
                         .await
                         .map_err(BoxedError::new)?;
@@ -111,7 +115,8 @@ impl StoreConfig {
                 #[cfg(feature = "pg_kvbackend")]
                 BackendImpl::PostgresStore => {
                     let table_name = &self.meta_table_name;
-                    let pool = meta_srv::bootstrap::create_postgres_pool(store_addrs, None)
+                    let tls_config = self.tls_config();
+                    let pool = meta_srv::bootstrap::create_postgres_pool(store_addrs, tls_config)
                         .await
                         .map_err(BoxedError::new)?;
                     let schema_name = self.meta_schema_name.as_deref();
diff --git a/src/meta-srv/src/bootstrap.rs b/src/meta-srv/src/bootstrap.rs
index 3f10a0bcd4..e349a0f61d 100644
--- a/src/meta-srv/src/bootstrap.rs
+++ b/src/meta-srv/src/bootstrap.rs
@@ -472,6 +472,7 @@ fn build_connection_options(tls_config: Option<&TlsOption>) -> Result<Option<Con
     if matches!(tls_config.mode, TlsMode::Disable) {
         return Ok(None);
     }
+    info!("Creating etcd client with TLS mode: {:?}", tls_config.mode);
     let mut etcd_tls_opts = TlsOptions::new();
     // Set CA certificate if provided
     if !tls_config.ca_cert_path.is_empty() {