Put certificates in /etc/pki instead
The problem with /var/lib/pgsql/data/userdata is if this is a new install,
initializing the database will fail because the userdata directory is not
empty and it is expected to be empty.  Since the postgres configs are always
mounted on the pod we need the certs to be in a predictable location.
bdunne committed Sep 25, 2023
1 parent 2c5c31e commit 64196a0
Showing 3 changed files with 9 additions and 4 deletions.
1 change: 1 addition & 0 deletions Dockerfile
Expand Up @@ -74,6 +74,7 @@ RUN ARCH=$(uname -m) && \
yum -y reinstall tzdata && \
yum -y clean all --enablerepo='*' && \
localedef -f UTF-8 -i en_US en_US.UTF-8 && \
chmod -R g+w /etc/pki/tls && \
test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" && \
mkdir -p /var/lib/pgsql/data && \
/usr/libexec/fix-permissions /var/lib/pgsql /var/run/postgresql
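Review bot: `chmod -R g+w /etc/pki/tls` is broader than the change needs — the start scripts only create `server.crt` under `/etc/pki/tls/certs` and `server.key` under `/etc/pki/tls/private`, yet this makes every regular file under `/etc/pki/tls` (on a yum-based image that presumably includes `openssl.cnf`) writable by whatever GID the pod runs with, so any process in the container sharing that GID could alter the OpenSSL configuration used by every TLS client in the image, not just the postgres server material. Granting write on the two target directories alone is enough for the later copies: `chmod g+w /etc/pki/tls/certs /etc/pki/tls/private && \`. GNU chmod -R does not follow symlinks it meets while recursing, so the `ca-bundle.crt` links are left alone, but any real file in the tree is opened up. The enclosing RUN instruction begins above this hunk.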
6 changes: 5 additions & 1 deletion container-assets/on-start.sh
Expand Up @@ -2,6 +2,10 @@

psql --command "ALTER ROLE \"${POSTGRESQL_USER}\" SUPERUSER;"

if [ -f /opt/app-root/src/certificates/server.key ]; then
if [ -f /etc/pki/tls/private/server.key ]; then
sed -i 's/host\(\b.*\)/hostssl\1/g' /var/lib/pgsql/data/userdata/pg_hba.conf

sed -i 's/.*ssl = off.*/ssl = on/g' /var/lib/pgsql/data/userdata/postgresql.conf
sed -i 's/.*ssl_cert_file.*/ssl_cert_file = \/etc\/pki\/tls\/certs\/server.crt/g' /var/lib/pgsql/data/userdata/postgresql.conf
sed -i 's/.*ssl_key_file.*/ssl_key_file = \/etc\/pki\/tls\/private\/server.key/g' /var/lib/pgsql/data/userdata/postgresql.conf
fi
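Review bot: The two `ssl_cert_file`/`ssl_key_file` substitutions at the end of the hunk write unquoted absolute paths into postgresql.conf, and PostgreSQL's config lexer only accepts an unquoted string value that begins with a letter, so `ssl_cert_file = /etc/pki/tls/certs/server.crt` should be rejected as a syntax error the next time the file is read (on a reload the old non-TLS settings would be kept, on a restart the server would not come up) — worth confirming against the postgres version in the image. Quoting the value, and using `|` as the sed delimiter so the path needs no escaping, fixes it: `sed -i "s|.*ssl_cert_file.*|ssl_cert_file = '/etc/pki/tls/certs/server.crt'|" /var/lib/pgsql/data/userdata/postgresql.conf` and likewise `sed -i "s|.*ssl_key_file.*|ssl_key_file = '/etc/pki/tls/private/server.key'|" /var/lib/pgsql/data/userdata/postgresql.conf`. The `g` flag on these substitutions does nothing since `.*` already consumes the whole line.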
6 changes: 3 additions & 3 deletions container-assets/pre-start.sh
Expand Up @@ -3,9 +3,9 @@
if [ ! -f /opt/app-root/src/certificates/server.key ]; then
echo "Skipping SSL setup, key not found."
else
cp /opt/app-root/src/certificates/server.crt /var/lib/pgsql/data/userdata/server.crt
cp /opt/app-root/src/certificates/server.key /var/lib/pgsql/data/userdata/server.key
cp /opt/app-root/src/certificates/server.crt /etc/pki/tls/certs/server.crt
cp /opt/app-root/src/certificates/server.key /etc/pki/tls/private/server.key

# Postgresql server will reject key files with liberal permissions
chmod og-rwx /var/lib/pgsql/data/userdata/server.key
chmod og-rwx /etc/pki/tls/private/server.key
fi
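Review bot: `server.key` is copied with plain `cp` and only tightened with `chmod og-rwx` afterwards, so with a typical umask the private key briefly exists group- and world-readable in a directory the Dockerfile now makes group-writable; creating it with the final mode in one step removes that window and the separate chmod: `install -m 0600 -- /opt/app-root/src/certificates/server.key /etc/pki/tls/private/server.key` (and `install -m 0644 --` for the certificate). Neither copy is checked either: if one fails the script carries on, and on-start.sh then finds no key at `/etc/pki/tls/private/server.key` and silently leaves the server running without TLS, so append `|| exit 1` to each copy unless the script already runs under `set -e`, which is not visible here because the script header is above this hunk.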
