From 64196a0b0883f5dd52bdf80f4aa7db5e6a0d6f8e Mon Sep 17 00:00:00 2001
From: Brandon Dunne
Date: Thu, 8 Dec 2022 18:25:20 -0500
Subject: [PATCH] Put certificates in /etc/pki instead
The problem with /var/lib/pgsql/data/userdata is if this is a new install, initalizing the database will fail because the userdata directory is not empty and it is expected to be empty. Since the postgres configs are always mounted on the pod we need the certs to be in a predictable location.
---
 Dockerfile | 1 +
 container-assets/on-start.sh | 6 +++++-
 container-assets/pre-start.sh | 6 +++---
 3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d9c8572..eda5b95 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -74,6 +74,7 @@ RUN ARCH=$(uname -m) && \
 yum -y reinstall tzdata && \
 yum -y clean all --enablerepo='*' && \
 localedef -f UTF-8 -i en_US en_US.UTF-8 && \
+ chmod -R g+w /etc/pki/tls && \
 test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" && \
 mkdir -p /var/lib/pgsql/data && \
 /usr/libexec/fix-permissions /var/lib/pgsql /var/run/postgresql
diff --git a/container-assets/on-start.sh b/container-assets/on-start.sh
index 03df013..9a1a1c9 100755
--- a/container-assets/on-start.sh
+++ b/container-assets/on-start.sh
@@ -2,6 +2,10 @@
 psql --command "ALTER ROLE \"${POSTGRESQL_USER}\" SUPERUSER;"
-if [ -f /opt/app-root/src/certificates/server.key ]; then
+if [ -f /etc/pki/tls/private/server.key ]; then
 sed -i 's/host\(\b.*\)/hostssl\1/g' /var/lib/pgsql/data/userdata/pg_hba.conf
+
+ sed -i 's/.*ssl = off.*/ssl = on/g' /var/lib/pgsql/data/userdata/postgresql.conf
+ sed -i 's/.*ssl_cert_file.*/ssl_cert_file = \/etc\/pki\/tls\/certs\/server.crt/g' /var/lib/pgsql/data/userdata/postgresql.conf
+ sed -i 's/.*ssl_key_file.*/ssl_key_file = \/etc\/pki\/tls\/private\/server.key/g' /var/lib/pgsql/data/userdata/postgresql.conf
 fi
diff --git a/container-assets/pre-start.sh b/container-assets/pre-start.sh
index 4e79905..dd1b36f 100755
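Review bot: `chmod -R g+w /etc/pki/tls` makes the entire system TLS tree group-writable, not only the two directories pre-start.sh copies into; that covers /etc/pki/tls/openssl.cnf and the certs directory holding the CA-bundle link, so any process running with GID 0 in the container (presumably the arbitrary OpenShift UID this is meant to accommodate) could rewrite the OpenSSL defaults or swap the trust anchors used by every TLS client in the image. Limit it to the destinations that are actually written: `chmod g+w /etc/pki/tls/certs /etc/pki/tls/private && \`. If the base image ships /etc/pki/tls/private without group execute, the copy into it would still fail and `g+wx` would be needed on that directory — worth confirming against the image rather than widening everything. The RUN instruction this line belongs to begins outside the hunk.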
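Review bot: The two added `sed` lines for `ssl_cert_file` and `ssl_key_file` write unquoted values such as `ssl_cert_file = /etc/pki/tls/certs/server.crt` into postgresql.conf; as far as I recall, PostgreSQL's configuration grammar only accepts unquoted values that are identifiers or numbers, and a token beginning with `/` is reported as a syntax error, so the server would fail to start exactly when `ssl = on` has just been set. Quote the paths, and switching the sed delimiter to `|` avoids the escaped slashes: `sed -i "s|.*ssl_cert_file.*|ssl_cert_file = '/etc/pki/tls/certs/server.crt'|" /var/lib/pgsql/data/userdata/postgresql.conf` and `sed -i "s|.*ssl_key_file.*|ssl_key_file = '/etc/pki/tls/private/server.key'|" /var/lib/pgsql/data/userdata/postgresql.conf`. Note also that `.*ssl_cert_file.*` matches any line mentioning the name, including comments that merely describe the setting, so anchoring the pattern as `^#\?ssl_cert_file` would keep the edit to the directive itself. The script's shebang and any `set -e` are outside the hunk, so whether a failed `sed -i` aborts the start-up cannot be seen here.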
--- a/container-assets/pre-start.sh
+++ b/container-assets/pre-start.sh
@@ -3,9 +3,9 @@
 if [ ! -f /opt/app-root/src/certificates/server.key ]; then
 echo "Skipping SSL setup, key not found."
 else
- cp /opt/app-root/src/certificates/server.crt /var/lib/pgsql/data/userdata/server.crt
- cp /opt/app-root/src/certificates/server.key /var/lib/pgsql/data/userdata/server.key
+ cp /opt/app-root/src/certificates/server.crt /etc/pki/tls/certs/server.crt
+ cp /opt/app-root/src/certificates/server.key /etc/pki/tls/private/server.key
 # Postgresql server will reject key files with liberal permissions
- chmod og-rwx /etc/pki/tls/private/server.key
+ chmod og-rwx /etc/pki/tls/private/server.key
 fi
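Review bot: `cp ... /etc/pki/tls/private/server.key` creates the private key with a mode derived from the source file and the umask and only afterwards tightens it with `chmod og-rwx`, so the key briefly sits on the container filesystem with whatever wider mode the mounted secret had; replacing those two lines with `install -m 0600 /opt/app-root/src/certificates/server.key /etc/pki/tls/private/server.key` creates it with the final mode in one step and still satisfies the existing comment. The script preamble (shebang, any `set -e`) is outside the hunk; if the script does not stop on error, a copy that fails because /etc/pki/tls/private is not writable to the running UID is silently skipped, on-start.sh then finds no /etc/pki/tls/private/server.key and leaves SSL off, and the database runs in plaintext even though certificates were supplied. Appending `|| exit 1` to both copies (or the `install`) turns that silent downgrade into a visible start-up failure.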