From c07305b85cf6cb852a33ed1707fcff733c5d21e5 Mon Sep 17 00:00:00 2001 From: admire Date: Mon, 17 May 2021 21:50:50 +0200 Subject: [PATCH] add ssl_dir env to allow dynamic setup of custom certificates --- README.md | 29 ++++++++--------------------- scripts/env-data.sh | 4 ++++ scripts/setup-ssl.sh | 8 +++++++- 3 files changed, 19 insertions(+), 22 deletions(-) diff --git a/README.md b/README.md index 6cb8f1f..22b8bcd 100644 --- a/README.md +++ b/README.md @@ -181,6 +181,7 @@ mounting an empty volume. Or use parameter `RECREATE_DATADIR` to forcefully delete the current cluster and create a new one. Make sure to remove parameter `RECREATE_DATADIR` after creating the cluster. +See [the postgres documentation about encoding](https://www.postgresql.org/docs/11/multibyte.html) for more information. #### Basic configuration @@ -342,7 +343,7 @@ When running scripts they will only be executed against the first database ie POSTGRES_DB=gis,data,sample The SQL script will be executed against the gis database. Additionally, a lock file is generated in `/docker-entrypoint-initdb.d`, which will prevent the scripts from getting executed after the first container startup. Provide `IGNORE_INIT_HOOK_LOCKFILE=true` to execute the scripts on _every_ container start. -Currently you can pass `.sql` , `.sql.gz` and `.sh` files as mounted volumes. +Currently, you can pass `.sql` , `.sql.gz` and `.sh` files as mounted volumes. ``` 
@@ -387,33 +388,19 @@ need to use the environment variable FORCE_SSL=TRUE ``` -The following is an example Dockerfile that sets up a container with custom ssl private key and certificate: +The following example sets up a container with custom ssl private key and certificate: + ``` -FROM kartoza/postgis:11.0-2.5 - -ADD ssl_cert.pem /etc/ssl/certs/ssl_cert.pem -ADD localhost_ssl_key.pem /etc/ssl/private/ssl_key.pem - -RUN chmod 400 /etc/ssl/private/ssl_key.pem +docker run -p 25432:5432 -e FORCE_SSL=TRUE -e SSL_DIR="/etc/ssl_certificates" -e SSL_CERT_FILE='/etc/ssl_certificates/fullchain.pem' -e SSL_KEY_FILE='/etc/ssl_certificates/privkey.pem' -e SSL_CA_FILE='/etc/ssl_certificates/root.crt' -v /tmp/postgres/letsencrypt:/etc/ssl_certificates --name ssl -d kartoza/postgis:13-3.1 ``` -The docker-compose.yml to initialize with this configuration: - -``` -services: - postgres: - build: - dockerfile: Dockerfile - context: ssl_secured_docker - environment: - - SSL_CERT_FILE=/etc/ssl/certs/ssl_cert.pem - - SSL_KEY_FILE=/etc/ssl/private/ssl_key.pem -``` +The environment variable `SSL_DIR` allows a user to specify the location +where custom SSL certificates will be located. The environment variable currently +defaults to `SSL_DIR=/ssl_certificates` See [the postgres documentation about SSL](https://www.postgresql.org/docs/11/libpq-ssl.html#LIBQ-SSL-CERTIFICATES) for more information. -See [the postgres documentation about encoding](https://www.postgresql.org/docs/11/multibyte.html) for more information. ### Forced SSL: forced using the shipped snakeoil certificates diff --git a/scripts/env-data.sh b/scripts/env-data.sh index 176dbec..438d72f 100644 --- a/scripts/env-data.sh +++ b/scripts/env-data.sh @@ -89,6 +89,10 @@ if [ -z "${RECREATE_DATADIR}" ]; then else RECREATE_DATADIR=$(boolean ${RECREATE_DATADIR}) fi +if [ -z "${SSL_DIR}" ]; then + SSL_DIR="/ssl_certificates" +fi + # SSL mode if [ -z "${PGSSLMODE}" ]; then PGSSLMODE=require 
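Review bot: `SSL_DIR` is taken verbatim here, whereas the neighbouring `RECREATE_DATADIR` default in this hunk is normalised through `boolean`; since setup-ssl.sh in the same patch goes on to run `chmod -R 0700` and `chown -R postgres` on whatever this variable holds, a relative path or a bare `/` would be acted on recursively before anything notices. Rejecting values that are not an absolute path below the root is cheap and fails early with a readable message: `case "${SSL_DIR}" in /?*) ;; *) echo "SSL_DIR must be an absolute path, got '${SSL_DIR}'" >&2; exit 1;; esac`. The enclosing script continues outside the hunk, so an existing validation helper may already be available for this.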
diff --git a/scripts/setup-ssl.sh b/scripts/setup-ssl.sh index bedf906..82774d3 100644 --- a/scripts/setup-ssl.sh +++ b/scripts/setup-ssl.sh @@ -17,7 +17,13 @@ chown -R postgres /tmp/ssl-copy rm -r /etc/ssl mv /tmp/ssl-copy /etc/ssl -# Needed under debian, wasnt needed under ubuntu +# Setup Permission for SSL Directory +create_dir ${SSL_DIR} +chmod -R 0700 ${SSL_DIR} +chown -R postgres ${SSL_DIR} + + +# Needed under debian, wasn't needed under ubuntu mkdir -p ${PGSTAT_TMP} chmod 0777 ${PGSTAT_TMP}
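Review bot: `chmod -R 0700 ${SSL_DIR}` and `chown -R postgres ${SSL_DIR}` recursively rewrite the mode and owner of an operator-chosen directory, and the README hunk in this same patch documents that directory as a host bind mount (`-v /tmp/postgres/letsencrypt:/etc/ssl_certificates`), so every container start re-owns and locks down the host's certificate tree and the host-side owner loses read access to its own files. The context lines just above this hunk already show the safer pattern used for /etc/ssl (copy into a scratch directory, chown the copy, move it into place); applying the same idea to the custom certificates leaves the mount untouched from the container's side, at the cost of the consumers of `SSL_CERT_FILE`/`SSL_KEY_FILE`/`SSL_CA_FILE` (outside this hunk) having to reference the copies. The expansions should also be quoted, because an `SSL_DIR` containing a space would otherwise split into several chmod/chown targets. `create_dir` is defined outside this hunk, so how it behaves on an existing mount point cannot be confirmed here.
```shell
# … unchanged: /etc/ssl copy, chown, rm, mv …

# Copy the custom certificate files out of SSL_DIR (which may be a host bind
# mount) so that only a container-private copy is ever re-owned or re-moded.
SSL_COPY_DIR="/etc/ssl_custom"   # constructed path; choose one matching the image layout
create_dir "${SSL_COPY_DIR}"
for f in "${SSL_CERT_FILE}" "${SSL_KEY_FILE}" "${SSL_CA_FILE}"; do
  if [ -f "${f}" ]; then
    cp "${f}" "${SSL_COPY_DIR}/"
  fi
done
chmod 0700 "${SSL_COPY_DIR}"
chown -R postgres "${SSL_COPY_DIR}"
chmod 0600 "${SSL_COPY_DIR}"/*

# … unchanged: PGSTAT_TMP setup …
```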