Tunneling from Heroku to Compose RethinkDB

When you are connecting a cloud application platform to a database platform, you need to take some extra precautions. Take connecting a Heroku based application to Compose's RethinkDB deployments. Currently we only support an SSH tunnel connection into RethinkDB deployments. This is because there's no strong authentication stage integrated into the server so it is easier and more secure to expose the RethinkDB ports over an SSH tunnel.

This means though that the Heroku end needs the private key of a public/private key pair – the public key being recorded with the Compose RethinkDB deployment's SSH gateway. Now, Heroku applications are pulled from GitHub and the last thing you want to do is leave your private key up on GitHub (or any other version control system in the cloud).

On a recent Hacker News thread about the arrival of RethinkDB 2.0, Compose customer and Fanout.io CEO Justin Karneges mentioned that he'd created a solution to this tricky conundrum. It comes in the form of a Python script – tunnel.py – which can configure an SSH tunnel for your Heroku app.

What's important though is that it gets all its configuration and key data from environment variables. SSH_TUNNEL_TARGET needs to be set to the host, user and port to tunnel to, SSH_TUNNEL_FORWARDS is set with a list of localaddress:localport:remoteaddress:remoteport mappings and finally, SSH_TUNNEL_KEY is set with the private key for the connection as a base 64 string. As the notes say "Yes, you're setting an entire giant ssh key as an environment variable, but it works. :)".

Environment variables are part of the Heroku side configuration for applications so they don't need to be written to GitHub, only set in the run-time environment for the application. The tunnel.py script is invoked in the Heroku Procfile, before any worker needs to use the RethinkDB database.

The tunnel.py script is generic enough that it should be ideal for setting SSH tunnels between Heroku and other Compose databases which support tunneling, such as Elasticsearch.