Merge pull request #260 from erickedji/master

josegonzalez · web-flow · commit ee2d2f10f74d · 2023-05-27T22:33:27.000-04:00
fix: create ssl certs outside container
diff --git a/functions b/functions
@@ -149,7 +149,9 @@ service_create_container() {
 
   dokku_log_verbose_quiet "Securing connection to database"
   service_pause "$SERVICE" >/dev/null
-  "$DOCKER_BIN" container run --rm -i -v "$SERVICE_HOST_ROOT/data:/var/lib/postgresql/data" "$PLUGIN_IMAGE:$PLUGIN_IMAGE_VERSION" bash -s <"$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/scripts/enable_ssl.sh" &>/dev/null
+  "$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/scripts/create_ssl_certs.sh" "$SERVICE_HOST_ROOT" &>/dev/null
+  "$DOCKER_BIN" container run --rm -i -v "$SERVICE_HOST_ROOT/data:/var/lib/postgresql/data" -v "$SERVICE_HOST_ROOT/certs:/var/lib/postgresql/certs" "$PLUGIN_IMAGE:$PLUGIN_IMAGE_VERSION" bash -s <"$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)/scripts/enable_ssl.sh" &>/dev/null
+  rm -rf "$SERVICE_HOST_ROOT/certs"
 
   suppress_output "$DOCKER_BIN" container start "$(cat "$SERVICE_ROOT/ID")"
   service_port_reconcile_status "$SERVICE"
diff --git a/scripts/create_ssl_certs.sh b/scripts/create_ssl_certs.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+postgres_service_dir="$1"
+
+cd "$postgres_service_dir"
+mkdir certs && cd certs
+openssl req -new -newkey rsa:4096 -x509 -days 365000 -nodes -out server.crt -keyout server.key -batch
diff --git a/scripts/enable_ssl.sh b/scripts/enable_ssl.sh
@@ -1,7 +1,10 @@
-#!/bin/bash
-pushd /var/lib/postgresql/data >/dev/null
-openssl req -new -newkey rsa:4096 -x509 -days 365000 -nodes -out server.crt -keyout server.key -batch
+#!/bin/sh
+
+cd /var/lib/postgresql/data
+
+cp ../certs/* .
+chown postgres:postgres server.key
 chmod 600 server.key
+
 sed -i "s/^#ssl = off/ssl = on/" postgresql.conf
 sed -i "s/^#ssl_ciphers =.*/ssl_ciphers = 'AES256+EECDH:AES256+EDH'/" postgresql.conf
-popd >/dev/null
