-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(db): inherit from scl image, enforce PG_ENCRYPT_KEY #129
feat(db): inherit from scl image, enforce PG_ENCRYPT_KEY #129
Conversation
58a761a
to
abefe89
Compare
Ah, hang on. Now I need to figure out how to get Quarkus to set an encryption key when it spins up the database container for tests. |
I think this is ready for review again. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I discovered that there's an upstream CentOS Stream image of the RHEL 8 Postgres image. What do you think of using that in order to minimize differences?
https://quay.io/repository/sclorg/postgresql-15-c8s
That container has an entrypoint $ cat /usr/bin/container-entrypoint
#!/bin/bash
exec "$@" The container is built with that as the default entrypoint and the default $ cat /usr/bin/run-postgresql
#!/bin/bash
export ENABLE_REPLICATION=${ENABLE_REPLICATION:-false}
set -eu
export_vars=$(cgroup-limits) ; export $export_vars
source "${CONTAINER_SCRIPTS_PATH}/common.sh"
set_pgdata
process_extending_files \
"${APP_DATA}/src/postgresql-pre-start" \
"${CONTAINER_SCRIPTS_PATH}/pre-start"
check_env_vars
generate_passwd_file
generate_postgresql_config
# Is this brand new data volume?
PG_INITIALIZED=false
if [ ! -f "$PGDATA/postgresql.conf" ]; then
initialize_database
PG_INITIALIZED=:
else
try_pgupgrade
fi
# Use insanely large timeout (24h) to ensure that the potential recovery has
# enough time here to happen (unless liveness probe kills us). Note that in
# case of server failure this command still exists immediately.
pg_ctl start -w --timeout 86400 -o "-h ''"
# This is just a pedantic safety measure (the timeout above is unlikely to
# happen), but `pt_ctl -w` is not reliable prior to PostgreSQL v10 where it
# returns exit_status=0 even if the server is still starting. For more info
# see the issue#297 and
# https://www.postgresql.org/message-id/CAB7nPqSJs85wK9aknm%3D_jmS6GnH3SQBhpzKcqs8Qo2LhEg2etw%40mail.gmail.com
pg_isready
if $PG_INITIALIZED ; then
process_extending_files \
"${APP_DATA}/src/postgresql-init" \
"${CONTAINER_SCRIPTS_PATH}/init"
migrate_db
create_users
fi
process_extending_files \
"${APP_DATA}/src/postgresql-start" \
"${CONTAINER_SCRIPTS_PATH}/start"
pg_ctl stop
unset_env_vars
echo "Starting server..."
exec postgres "$@" The |
## Extending Image
You can extend this image in Openshift using the `Source` build strategy or via the standalone [source-to-image](https://github.com/openshift/source-to-image) application (where available). For this example, assume that you are using the `` image, available via `postgresql:15` imagestream tag in Openshift.
To build a customized image `new-postgresql` with configuration from `https://github.com/sclorg/postgresql-container/tree/master/examples/extending-image`, run:
$ oc new-app postgresql:15~https://github.com/sclorg/postgresql-container.git \
--name new-postgresql \
--context-dir examples/extending-image/ \
-e POSTGRESQL_USER=user \
-e POSTGRESQL_DATABASE=db \
-e POSTGRESQL_PASSWORD=password
or via `s2i`:
$ s2i build --context-dir examples/extending-image/ https://github.com/sclorg/postgresql-container.git new-postgresql
The directory passed to Openshift should contain one or more of the following directories:
##### `postgresql-pre-start/`
This directory should contain `*.sh` files that will be sourced during the early start of the container. At this point, there is no PostgreSQL daemon running in the background.
##### `postgresql-cfg/`
Configuration files (`*.conf`) contained in this directory will be included at the end of the image's postgresql.conf file.
##### `postgresql-init/`
This directory should contain shell scripts (`*.sh`) that are sourced when the database is freshly initialized (after a successful initdb run, which makes the data directory non-empty). At the time of sourcing these scripts, the local PostgreSQL server is running. For re-deployment scenarios with a persistent data directory, the scripts are not sourced (no-op).
##### `postgresql-start/`
This directory has the same semantics as `postgresql-init/`, except that these scripts are always sourced (after `postgresql-init/` scripts, if they exist).
---
During the s2i build, all provided files are copied into the `/opt/app-root/src`
directory in the new image. Only one file with the same name can be used for customization, and user-provided files take precedence over default files in `/usr/share/container-scripts/`. This means that it is possible to overwrite the default files. So I guess I can create a shell script to drop into the |
I think it needs to be added to |
Nice, that looks easy enough. I think it's still going to have a customized entrypoint that enforces the encryption key being set first, then hook back in to the usual entrypoint. WDYT? |
I think so. |
|
Okay, I don't know if what I did there is best practice, but it seems reasonable. I got it from here: https://stackoverflow.com/questions/12986368/installing-postgresql-extension-to-all-schemas I added a super-basic test that makes sure that the credentials table can be queried, so that exercises the database connection and makes sure the pgcrypto stuff is actually available. |
Welcome to Cryostat3! 👋
Before contributing, make sure you have:
main
branch[chore, ci, docs, feat, fix, test]
To recreate commits with GPG signature
git fetch upstream && git rebase --force --gpg-sign upstream/main
Fixes: #128