Use /etc/pki for the server certificates

The problem with /var/lib/pgsql/data/userdata is if this is a new install, initalizing the database will fail because the userdata directory is not empty and it is expected to be empty. Since the postgres configs are always mounted on the pod we need the certs to be in a predictable location.
ManageIQ · Dec 12, 2022 · 8a4e3ec · 8a4e3ec
1 parent 7e12ad5
commit 8a4e3ec
Show file tree

Hide file tree

Showing 2 changed files with 4 additions and 3 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -82,6 +82,7 @@ RUN ARCH=$(uname -m) && \
     yum -y reinstall tzdata && \
     yum -y clean all --enablerepo='*' && \
     localedef -f UTF-8 -i en_US en_US.UTF-8 && \
+    chmod -R g+w /etc/pki/tls && \
     test "$(id postgres)" = "uid=26(postgres) gid=26(postgres) groups=26(postgres)" && \
     mkdir -p /var/lib/pgsql/data && \
     /usr/libexec/fix-permissions /var/lib/pgsql /var/run/postgresql

diff --git a/container-assets/pre-start.sh b/container-assets/pre-start.sh
@@ -3,9 +3,9 @@
 if [ ! -f /opt/app-root/src/certificates/server.key ]; then
   echo "Skipping SSL setup, key not found."
 else
-  cp /opt/app-root/src/certificates/server.crt /var/lib/pgsql/data/userdata/server.crt
-  cp /opt/app-root/src/certificates/server.key /var/lib/pgsql/data/userdata/server.key
+  cp /opt/app-root/src/certificates/server.crt /etc/pki/tls/certs/server.crt
+  cp /opt/app-root/src/certificates/server.key /etc/pki/tls/private/server.key
 
   # Postgresql server will reject key files with liberal permissions
-  chmod og-rwx /var/lib/pgsql/data/userdata/server.key
+  chmod og-rwx /etc/pki/tls/private/server.key
 fi