SSL certificates should not be created on the host

codeforall · codeforall · commit 0d83875f6942 · 2018-11-20T19:44:18.000+05:00
Moving the ssl certificate creation step to inside the container.
diff --git a/README.md b/README.md
@@ -41,7 +41,7 @@ hostssl   all         all                0.0.0.0/0  cert
 
 To run the exmaple do the following:
 ```
-./build_all.sh
+docker-compose build
 docker-compose up
 ```
 # Testing
diff --git a/build_all.sh b/build_all.sh
diff --git a/clientnode.Dockerfile b/clientnode.Dockerfile
@@ -2,10 +2,11 @@ FROM pgsql-pgpool:10
 MAINTAINER m.usama@gmail.com
 #copy the client certificates
 RUN mkdir /home/postgres/.postgresql 
+RUN cp ${CERTDIR}/postgresql.key /home/postgres/.postgresql/postgresql.key
+RUN cp ${CERTDIR}/postgresql.crt /home/postgres/.postgresql/postgresql.crt
+RUN cp ${CERTDIR}/root.crt /home/postgres/.postgresql/root.crt
+
 
-COPY certs/postgresql.key /home/postgres/.postgresql/postgresql.key
-COPY certs/postgresql.crt /home/postgres/.postgresql/postgresql.crt
-COPY certs/root.crt /home/postgres/.postgresql/root.crt
 RUN chmod 0600 /home/postgres/.postgresql/postgresql.key
 RUN chown postgres:postgres /home/postgres/.postgresql/postgresql.key
 
diff --git a/pg-pgpool.Dockerfile b/pg-pgpool.Dockerfile
@@ -30,13 +30,13 @@ RUN echo 'postgres   ALL=(ALL)   NOPASSWD: ALL' >> /etc/sudoers
 RUN echo 'postgres:postgres'|chpasswd
 
 #copy scripts for generating certificates
-#RUN mkdir ${CERTDIR}
-#COPY ./scripts/generate_client_ssl_crt.sh ${CERTDIR}/generate_client_ssl_crt.sh
-#COPY ./scripts/generate_server_ssl_crt.sh ${CERTDIR}/generate_server_ssl_crt.sh
+RUN mkdir ${CERTDIR}
+COPY ./scripts/generate_client_ssl_crt.sh ${CERTDIR}/generate_client_ssl_crt.sh
+COPY ./scripts/generate_server_ssl_crt.sh ${CERTDIR}/generate_server_ssl_crt.sh
 
 #create certificates
-#RUN if [ "x$CERTUSERNAME" = "x" ] ; then cd ${CERTDIR} && ./generate_server_ssl_crt.sh certuser; else cd ${CERTDIR} && ./generate_server_ssl_crt.sh ${CERTUSERNAME}; fi
-#RUN if [ "x$CERTUSERNAME" = "x" ] ; then cd ${CERTDIR} && ./generate_client_ssl_crt.sh certuser; else cd ${CERTDIR} && ./generate_client_ssl_crt.sh ${CERTUSERNAME}; fi
+RUN if [ "x$CERTUSERNAME" = "x" ] ; then cd ${CERTDIR} && ./generate_server_ssl_crt.sh certuser; else cd ${CERTDIR} && ./generate_server_ssl_crt.sh ${CERTUSERNAME}; fi
+RUN if [ "x$CERTUSERNAME" = "x" ] ; then cd ${CERTDIR} && ./generate_client_ssl_crt.sh certuser; else cd ${CERTDIR} && ./generate_client_ssl_crt.sh ${CERTUSERNAME}; fi
 
 #initialize database
 RUN service ${PGSERVICE_NAME} initdb
diff --git a/pgnode.Dockerfile b/pgnode.Dockerfile
@@ -9,19 +9,15 @@ ENV ROLE_=$ROLE
 ENV MASTER_IP_=$MASTER_IP
 
 
-#copy the client certificates
-#RUN mkdir ~/.postgresql
-
 COPY ./scripts/setup_pg_server.sh /tmp/setup_pg_server.sh
 RUN chmod u+x /tmp/setup_pg_server.sh
 RUN sed -i "s/^MASTER_IP=/MASTER_IP=$MASTER_IP/" /tmp/setup_pg_server.sh
 RUN sed -i "s/^ROLE=/ROLE=$ROLE/" /tmp/setup_pg_server.sh
 
-#copy the server certificates
-COPY certs/server.key ${PGDATA}/server.key
-COPY certs/server.crt ${PGDATA}/server.crt 
-COPY certs/root.crt ${PGDATA}/root.crt
-
+#copy the server certificates data directory
+RUN cp ${CERTDIR}/server.key ${PGDATA}/server.key
+RUN cp ${CERTDIR}/server.crt ${PGDATA}/server.crt
+RUN cp ${CERTDIR}/root.crt ${PGDATA}/root.crt
 
 RUN chmod 0600 ${PGDATA}/server.key && chown postgres:postgres ${PGDATA}/server.key
 RUN chmod 0600 ${PGDATA}/server.crt && chown postgres:postgres ${PGDATA}/server.crt
@@ -36,6 +32,7 @@ RUN echo "listen_addresses = '*'"    >> ${PGDATA}/postgresql.conf
 RUN echo "ssl = on" >> ${PGDATA}/postgresql.conf
 RUN echo "ssl_cert_file = 'server.crt'" >> ${PGDATA}/postgresql.conf
 RUN echo "ssl_key_file = 'server.key'" >> ${PGDATA}/postgresql.conf
+RUN echo "ssl_ca_file = 'root.crt'" >> ${PGDATA}/postgresql.conf
 
 RUN echo "local  all         all                 trust" >  ${PGDATA}/pg_hba.conf
 RUN echo "local  replication all                 trust" >> ${PGDATA}/pg_hba.conf
diff --git a/pgpoolnode.Dockerfile b/pgpoolnode.Dockerfile
@@ -8,18 +8,15 @@ ENV PGPORT=5432
 ENV PGPOOLPORT=9999
 ENV PCPPORT=9898
 
-#copy the server certificates
-#COPY server.key /server.key
-#COPY server.crt /server.crt
-#COPY root.crt /root.crt
 COPY scripts/wait_for_pg_server.sh /tmp/wait_for_pg_server.sh
 RUN sed -i "s/^IP=/IP=$SLAVE_IP/" /tmp/wait_for_pg_server.sh
 RUN sed -i "s/^PORT=/PORT=5432/" /tmp/wait_for_pg_server.sh
 
+#copy the server certificates to certs dir
 RUN mkdir /certs
-COPY certs/server.key /certs/server.key
-COPY certs/server.crt /certs/server.crt 
-COPY certs/root.crt /certs/root.crt
+RUN cp ${CERTDIR}/server.key /certs/server.key
+RUN cp ${CERTDIR}/server.crt /certs/server.crt
+RUN cp ${CERTDIR}/root.crt /certs/root.crt
 
 # Set up pgpool config files
 RUN sed -i "s/^backend_hostname0 = .*/backend_hostname0 = '${MASTER_IP}'/"         ${PGPOOLCONF}/pgpool.conf
