From f3cd2e3246946eaa85ad4070e66157858ebf1f21 Mon Sep 17 00:00:00 2001
From: asonix
Date: Mon, 15 Jan 2024 18:15:36 -0500
Subject: [PATCH] Enable TLS with dev postgres container

---
 .gitignore | 1 +
 docker/object-storage/Dockerfile.postgres | 9 +++++++++
 docker/object-storage/docker-compose.yml | 4 +++-
 docker/object-storage/setup-tls.sh | 15 +++++++++++++++
 4 files changed, 28 insertions(+), 1 deletion(-)
 create mode 100644 docker/object-storage/Dockerfile.postgres
 create mode 100755 docker/object-storage/setup-tls.sh

diff --git a/.gitignore b/.gitignore
index 2973511..58e7c93 100644
--- a/.gitignore
+++ b/.gitignore
@@ -5,6 +5,7 @@
 /docker/object-storage/storage
 /docker/object-storage/pict-rs-garage.toml
 /docker/object-storage/*.log
+/docker/object-storage/out
 /result
 /.ash_history
 /.direnv
diff --git a/docker/object-storage/Dockerfile.postgres b/docker/object-storage/Dockerfile.postgres
new file mode 100644
index 0000000..e0ba2e8
--- /dev/null
+++ b/docker/object-storage/Dockerfile.postgres
@@ -0,0 +1,9 @@
+FROM postgres:15-alpine
+
+COPY --chown=0:70 --chmod=640 ./out/postgres.key ./etc/
+COPY --chown=0:70 --chmod=640 ./out/postgres.crt ./etc/
+
+COPY --chown=0:70 --chmod=640 ./out/pictrsCA.crt ./etc/
+COPY --chown=0:70 --chmod=640 ./out/pictrsCA.crl ./etc/
+
+CMD ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/postgres.crt", "-c", "ssl_key_file=/etc/postgres.key", "-c", "ssl_ca_file=/etc/pictrsCA.crt", "-c", "ssl_crl_file=/etc/pictrsCA.crl"]
diff --git a/docker/object-storage/docker-compose.yml b/docker/object-storage/docker-compose.yml
index 9dfa7c6..7c79728 100644
--- a/docker/object-storage/docker-compose.yml
+++ b/docker/object-storage/docker-compose.yml
@@ -53,7 +53,9 @@ services:
 - ./garage.toml:/etc/garage.toml postgres: - image: postgres:15-alpine + build: + context: . + dockerfile: ./Dockerfile.postgres ports: - "5432:5432" environment: 
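Review bot: The four COPY destinations `./etc/` are relative to the current WORKDIR, and they only resolve to `/etc/` because the postgres base image presumably sets no WORKDIR, while the CMD hard-codes `/etc/postgres.crt`; write the destination absolutely, `COPY --chown=0:70 --chmod=640 ./out/postgres.key /etc/`, on all four lines so the two stop depending on each other. The CMD also relies on the image's entrypoint script prepending the `postgres` binary when the first argument starts with `-`; `CMD ["postgres", "-c", "ssl=on", ...]` makes that explicit and keeps working if the entrypoint is overridden. `COPY --chmod` requires the BuildKit frontend, so a `# syntax=docker/dockerfile:1` directive at the top records that requirement. Baking `postgres.key` into an image layer means anyone who can pull or export the image holds the server key; acceptable for a dev-only container, but a bind mount from the compose file would keep it out of the image entirely.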
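Review bot: The build context `.` ships the whole docker/object-storage directory to the daemon, and that directory will contain `./out/pictrsCA.key` (the CA private key written by setup-tls.sh) and the `./storage` data directory; the Dockerfile copies only four files, but the context itself is unfiltered and the CA key travels with every build. A `.dockerignore` beside the compose file listing `storage` and `out/pictrsCA.key` keeps both out of the context while still allowing the server key and certificates to be copied. The surrounding `postgres:` service definition continues outside the hunk, so whether `./storage/postgres` is mounted as the data directory cannot be checked here.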
diff --git a/docker/object-storage/setup-tls.sh b/docker/object-storage/setup-tls.sh
new file mode 100755
index 0000000..3f46aae
--- /dev/null
+++ b/docker/object-storage/setup-tls.sh
@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -xe
+
+certstrap init --common-name pictrsCA
+certstrap request-cert --common-name postgres --domain localhost
+certstrap sign postgres --CA pictrsCA
+
+mkdir -p ./storage/
+sudo mkdir -p ./storage/postgres
+
+sudo tee ./storage/postgres/pg_hba.conf << EOF
+host all all all trust
+hostssl all all all cert clientcert=verify-full
+EOF
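Review bot: The `host all all all trust` line in the pg_hba.conf heredoc matches both plain and SSL TCP connections, and pg_hba.conf is evaluated first-match, so the `hostssl all all all cert clientcert=verify-full` line below it is never reached and every connection, TLS or not, is accepted with no authentication at all. If plain connections are meant to stay open for local development, swap the two lines and narrow the first to `hostnossl all all all trust`; if TLS is meant to be required, use `hostnossl all all all reject` instead so the client-certificate rule actually applies. The certstrap `init` and `request-cert` calls also prompt interactively for a key passphrase, and the server cannot load an encrypted `postgres.key` without an `ssl_passphrase_command`, so passing `--passphrase ""` to both makes the required empty passphrase explicit and lets the script run unattended. Whether the file written to ./storage/postgres is picked up depends on how that directory is mounted in the compose file, which is outside this hunk.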