Enable TLS with dev postgres container

.gitignore

@@ -5,6 +5,7 @@
 /docker/object-storage/storage
 /docker/object-storage/pict-rs-garage.toml
 /docker/object-storage/*.log
+/docker/object-storage/out
 /result
 /.ash_history
 /.direnv

docker/object-storage/Dockerfile.postgres

@@ -0,0 +1,9 @@
+FROM postgres:15-alpine
+
+COPY --chown=0:70 --chmod=640 ./out/postgres.key ./etc/
+COPY --chown=0:70 --chmod=640 ./out/postgres.crt ./etc/
+
+COPY --chown=0:70 --chmod=640 ./out/pictrsCA.crt ./etc/
+COPY --chown=0:70 --chmod=640 ./out/pictrsCA.crl ./etc/
+
+CMD ["-c", "ssl=on", "-c", "ssl_cert_file=/etc/postgres.crt", "-c", "ssl_key_file=/etc/postgres.key", "-c", "ssl_ca_file=/etc/pictrsCA.crt", "-c", "ssl_crl_file=/etc/pictrsCA.crl"]

docker/object-storage/docker-compose.yml

@@ -53,7 +53,9 @@ services:
       - ./garage.toml:/etc/garage.toml
 
   postgres:
-    image: postgres:15-alpine
+    build:
+      context: .
+      dockerfile: ./Dockerfile.postgres
     ports:
       - "5432:5432"
     environment:

docker/object-storage/setup-tls.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env bash
+
+set -xe
+
+certstrap init --common-name pictrsCA
+certstrap request-cert --common-name postgres --domain localhost
+certstrap sign postgres --CA pictrsCA
+
+mkdir -p ./storage/
+sudo mkdir -p ./storage/postgres
+
+sudo tee ./storage/postgres/pg_hba.conf << EOF
+host all all all trust
+hostssl all all all cert clientcert=verify-full
+EOF