Closed brody192 closed 4 months ago
@brody192 this looks 🔥
~~Just curious though, did you test to make sure the init-ssl script only runs when the conditions are met?~~
~~I had moved it out of the `docker-entrypoint-initdb.d/` dir because (I think) the postgres image will execute anything in that directory on startup.~~
Yep, additionally I have tested the added logic in `wrapper.sh` by both deploying the current postgres-ssl based template and a template that deploys from `postgres:16` and then replacing the source image with my image I built in my fork. In both tests the correct logic is triggered and either the invalid cert is regenerated or a cert is generated if one doesn't exist.
The logic for the expired certificate also works, as I tested that by deploying with `SSL_CERT_DAYS` set to 20; upon the next deploy it regenerated them, still with 20 days, but it was proof the logic worked.
Main change -
- `init-ssl.sh` now generates valid x509v3 certificates; previously it was generating v1 certificates and that was not compatible with rustls. Two community members have confirmed the changes made here worked, Alex and Milo.

Other changes -
- `wrapper.sh` with these changes -
- `postgres:latest` to this image.
- Moved the `init-ssl.sh` script back into the `docker-entrypoint-initdb.d` directory so that the database is first initialized and then the certificates are generated, otherwise there would be no `postgresql.conf` file to enable ssl on.
- Added the `-e` flag on the `wrapper.sh` and `init-ssl.sh` scripts so they exit if any command happens to fail, as I believe it would be better to fail than to risk starting the database without certificates.

Miscellaneous changes -
- `--chmod=755` when copying in scripts to set the execution permissions vs doing `chmod +x` as another RUN command.
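The three behaviours this PR describes (generate an X.509 v3 rather than v1 certificate, skip generation when a usable certificate already exists, and regenerate when it is invalid or about to expire) can be exercised end to end with plain `openssl`. The script below is an added example written for this thread; it is not the repository's `init-ssl.sh` or `wrapper.sh`. It reuses the `SSL_CERT_DAYS` variable named in the discussion; the `CERT_CN` variable, the function names and the 820-day default are assumptions made here. The `-addext` options are what force OpenSSL to emit a v3 certificate with an extension block, which is the difference rustls cares about; a bare v1 certificate has no extensions at all.

```shell
#!/bin/sh
# Added example for this PR thread, not the project's own init-ssl.sh.
# Generates an X.509 v3 self-signed server certificate and decides whether
# an existing one can be kept or must be (re)generated.
set -eu

SSL_CERT_DAYS="${SSL_CERT_DAYS:-820}"   # variable name taken from the discussion; default assumed
CERT_CN="${CERT_CN:-localhost}"          # hypothetical parameter for the subject / SAN

# Generate key + self-signed cert. Each -addext adds an extension, so the
# resulting certificate is v3 (extensions cannot exist in a v1 certificate).
generate_cert() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 \
    -keyout "$dir/server.key" -out "$dir/server.crt" \
    -days "$SSL_CERT_DAYS" -subj "/CN=$CERT_CN" \
    -addext "subjectAltName=DNS:$CERT_CN" \
    -addext "basicConstraints=critical,CA:FALSE" \
    -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
    -addext "extendedKeyUsage=serverAuth" 2>/dev/null
  # Postgres refuses a server key that is group/world readable.
  chmod 600 "$dir/server.key"
}

# Print the X.509 version number ("1" or "3") of a PEM certificate.
cert_version() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Version: \([0-9]\).*/\1/p' | head -n1
}

# Return 0 only when the certificate exists, parses, is v3 and will not
# expire within $2 seconds (default one day); otherwise return 1.
cert_is_usable() {
  crt="$1"; margin="${2:-86400}"
  [ -f "$crt" ] || return 1
  openssl x509 -in "$crt" -noout 2>/dev/null || return 1
  [ "$(cert_version "$crt")" = "3" ] || return 1
  openssl x509 -in "$crt" -noout -checkend "$margin" >/dev/null 2>&1
}

# The decision the PR describes: keep a valid cert, otherwise (re)generate.
# Prints "keep" or "generated" so the caller can log what happened.
ensure_cert() {
  dir="$1"
  mkdir -p "$dir"
  if cert_is_usable "$dir/server.crt"; then
    echo "keep"
  else
    generate_cert "$dir"
    echo "generated"
  fi
}
```

Run it as `ensure_cert /var/lib/postgresql/certs` (or any directory) from a script started with `set -e`, as the PR does: if `openssl` fails for any reason the script aborts instead of letting Postgres start without certificates. `openssl x509 -text` will show `Version: 3 (0x2)` for the generated file, and `-checkend` is what turns the expiry check into an exit status you can branch on.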