Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable client and server cert auth in postgresql #1160

Merged
merged 9 commits into from
May 25, 2017
Merged

Enable client and server cert auth in postgresql #1160

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
d1ec184
Add certs and modify settings to require TLS
ashfall May 12, 2017
d13a1d5
Typo
ashfall May 12, 2017
586dba6
Use RSA, some config tweaks
ashfall May 12, 2017
b939a48
Tweak startup ssl params in postgresql.conf
ashfall May 13, 2017
5a8f5fe
Add a reference to an obscure setting.
ashfall May 13, 2017
06cc6ef
Update postgresql DBURL in testing script
ashfall May 15, 2017
deb6db3
Enable SSH on the test server for our CI
ashfall May 15, 2017
79e691a
Change permissions for mounted keys
ashfall May 15, 2017
fb1735b
Update permissions for server and signer.
ashfall May 16, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,6 @@ RUN useradd -ms /bin/bash notary \
ENV NOTARYDIR /go/src/github.com/docker/notary

COPY . ${NOTARYDIR}
RUN chmod -R a+rw /go
RUN chmod -R a+rw /go && chmod 0600 ${NOTARYDIR}/fixtures/database/*

WORKDIR ${NOTARYDIR}
4 changes: 2 additions & 2 deletions buildscripts/dbtests.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,8 +15,8 @@ case ${db} in
;;
postgresql*)
db="postgresql"
dbContainerOpts="--name postgresql_tests postgresql"
DBURL="postgres://server@postgresql_tests:5432/notaryserver?sslmode=disable"
dbContainerOpts="--name postgresql_tests postgresql -l"
DBURL="postgres://server@postgresql_tests:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem"
;;
*)
echo "Usage: $0 (mysql|rethink)"
Expand Down
5 changes: 3 additions & 2 deletions development.postgresql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ services:
command: -c "./migrations/migrate.sh && notary-server -config=fixtures/server-config.postgres.json"
environment:
MIGRATIONS_PATH: migrations/server/postgresql
DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=disable
DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem
depends_on:
- postgresql
- signer
Expand All @@ -31,7 +31,7 @@ services:
command: -c "./migrations/migrate.sh && notary-signer -config=fixtures/signer-config.postgres.json"
environment:
MIGRATIONS_PATH: migrations/signer/postgresql
DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=disable
DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-signer.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-signer-key.pem
depends_on:
- postgresql
postgresql:
Expand All @@ -40,6 +40,7 @@ services:
- mdb
volumes:
- ./notarysql/postgresql-initdb.d:/docker-entrypoint-initdb.d
command: -l
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for my own understanding: where does this come from? I didn't find this option on the official image description...tried searching around but couldn't find the flag elsewhere

Copy link
Contributor Author

@ashfall ashfall May 25, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per https://www.postgresql.org/docs/9.5/static/app-postgres.html, -l "Enables secure connections using SSL.".

FWIW, I think ssl=on is implicit after passing -l, but since I was editing the conf for ssl_ca_file path, I thought it would be clearer to set ssl=on explicitly, in case anything changes silently in the future versions. (e.g. Not sure what happens if we use -l and ssl=off -- which one takes a higher priority is never mentioned. :( In fact, the docs that mention ssl=on never refer to -l, and vice versa.)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

awesome that helps a lot, thank you @ashfall!

client:
build:
context: .
Expand Down
5 changes: 3 additions & 2 deletions docker-compose.postgresql.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,7 @@ services:
command: -c "./migrations/migrate.sh && notary-server -config=fixtures/server-config.postgres.json"
environment:
MIGRATIONS_PATH: migrations/server/postgresql
DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=disable
DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem
depends_on:
- postgresql
- signer
Expand All @@ -31,7 +31,7 @@ services:
command: -c "./migrations/migrate.sh && notary-signer -config=fixtures/signer-config.postgres.json"
environment:
MIGRATIONS_PATH: migrations/signer/postgresql
DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=disable
DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-signer.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-signer-key.pem
depends_on:
- postgresql
postgresql:
Expand All @@ -43,6 +43,7 @@ services:
- notary_data:/var/lib/postgresql
ports:
- 5432:5432
command: -l
volumes:
notary_data:
external: false
Expand Down
21 changes: 21 additions & 0 deletions fixtures/database/ca.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDajCCAlKgAwIBAgIUHN8eDMtoTOBXOd+RjnCxLYUs4kYwDQYJKoZIhvcNAQEL
BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh
bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyMzcw
MFoXDTIyMDUxMTIyMzcwMFowTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENB
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy9811sQcEoe2pH0+jUQP
8Jq7RkuUnFtbYpR7H6AyMXfyCsiz4ghpkENFScJlQhFE/Q5XXk0mTVEJD7UEwuQp
haqqSbDYMKVXHGY3CESyRF6z/k4jPTpxK0KxqsIXi8MZFvLOMUVGhXp+duFFX365
ZXi0GTIhkkbo6/tQLLAYAL5dfAOU7FTOthK6RkPBnPLdb5ZuKJfbSBkIBH+Rdrm5
atJYzL6rha3p2Hnm6FFF0eqdd+uqYpBuXcmQsftxPLBMvqbHXaPMov51+WvRXz0K
EeluT0Fue0LuYCRYFMlbmALFg85tFAHWXKer6M/ejK4MCWQnpPwalE9Oaetb1/q5
MwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
HQ4EFgQU30PAjq5cOwlLzi4fxSE3J/v9EPcwDQYJKoZIhvcNAQELBQADggEBAJhV
p1Va9r/NdCXaL5Ah+4i+l5m3hcKXT9h3811rmtLtKqcUwwnBbG+V3Ko+arbuCDYV
VajGLRnhTjy1thqYZr6KbeG6HZ6BN8Zxhcam86O7JXDBKoWJH4SIGysXO0jXg1n4
fM1teEhQ69OUCrCkFGBblL88uHbdgIQGTDkD9F4hFGia6NSII46MTIE6tH0UBrIy
L5ZNCgG5Mn5w4D2Su6X6vq5ovE/mXRJLYCQLkvKSi5BQDdM26SwmKFSNk2V+DUeu
te3qluUTIFLa+V+U0C6vJMaxgaTB5phzQ1R7HykqBnSrzcqyQKYKnR3aGzvHnb2m
VYGGXEToG4TacQ/psn8=
-----END CERTIFICATE-----
27 changes: 27 additions & 0 deletions fixtures/database/notary-server-key.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAznRYoWEqB8VQQ3VnFSv1b2PU1UwTdREfsFu/O/yxdBpCEbSY
s1Qc6ynHZuMOyscS46kiB3PSX1/CxMmPPSGcO1Z3VIbf8YUBtaMxTsO7nA5H22EO
/M8SI+psrDhv+OtmrjzDtWVC9KgDV/F5+/8vynyh4J7HMilUjzbMHXYCZvW7aG7z
rrItMNjhGmJeRXFlBIuSLxdbKGcuFv2xz3QPqF151mNcPaQosj1k7LtvB5Dkfhra
33nMEsBp8QZfAag6xfuhEREeV6qOlG2DQL8nKuti1hLYUDFy3G7k1iswG/HadUBo
MGrn+n8SywTmAW3HDvcfxOXzl5brmLURNUY+dQIDAQABAoIBAAu+cow7iriGcNpl
g0ehCIUdmK3JdhHit3rAvVAcP7vrAncfXtBUqJB3/+/KWr0ONfTdWiIyZHUobVvk
W1GO5+Q4NvGH+pUyi7ZZYiSo3bMy3MON8dxPqyh/3U6upy/xtBWVP0zCRdzE8eu+
wMGk8oMCM/MjFRG1aCn9Y/8JB3nzxl2d8QCxeLjbIHJ/NWj7gf0xGVmKK7YVXd7W
FHFFLTAxLRgfjZcxZB/u/L/T0pEwuyzbk2iGc9YkkgiBVUEqtIce6a7HHnKL7oBJ
9sWxqc10rs9EP/2W7qfNolNkFVNnfJmY4x8ZpfAjW7/Osin22qCp5+kWyT2I/Qg6
+TwNQgECgYEA5ie0FdwsJbh0qNuWpXyMYJ2m27ag1zhpnsGs8iT9yWorZwp8BNm0
1NchF/hE1Gkwvo+47U3ZvEmx7tLEA7Ekl7KZZro5+0jumSKd/vUrEpThqeJglz68
T6/xZBGPIa3KZdXszs1pGjBNVEs1WuXgMPiFSypFT3ODnXgbFovX/nkCgYEA5aNR
fCF2ACs3oeKHDwVCwMh3fbSmf4ZwpzdhARV5rSc8Je9K7oyoO5fgGWWXZqKLP138
1ARQGwGcwImzrYvY8g7AqXe/J+Mr9Jr6+vrLDPShmeqyTiBdOTwgg/5muDdv+GS3
zqzXtPI1Upuo8/1EwYUacYOk4EX7ga7iZMEoEN0CgYEAvkOgSloDXQOJ3XX6qb+2
xMBPil8FxCXsmsN9V4hhDTrpunseX1wic7mMsCYbsIVtOHvT4sly8Ibzw30Vcf/l
QkrxKc1V1XhLVukZOAYxn2DY1PpB44aHYlEO+yzQ6ISlR158L9H7yxyXMNIjv4s9
tP4eIy9EsRPLgEgkDJV67/ECgYAwHbxhKhGzj1qkzPZHq26FPnvrFwMcDWtlXjEx
LPLF2Ua9HBqzST2m3vfR2nuSwdQzftoPAqhWQEw7+55uarMWZQjxeWnQTcVUB3U3
SX1qRYfm3EpoHFfsOjEF9zRGvTb08QWihIzeGTIbEQqhtRvHAMC9sDvH0mIUljRR
sDdY8QKBgQDcT3yamYnGy6GzxWfpZYwoWqJFMtXjacD2rV32jwHifCa1RNu/Su6S
UJcN9v/1GYfvLWzjDMv6hKFt/Q1e3mACgohL9vfZtgiZx5SCVi0AXdOpXLBWlLvl
KM4XVhbuVTko/DsuGPVyXAHFHRFOjr+00Bw8y80DQIjNv4fgocr58Q==
-----END RSA PRIVATE KEY-----
22 changes: 22 additions & 0 deletions fixtures/database/notary-server.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDojCCAoqgAwIBAgIUXF5OjDTCDfBwQkJSdzPtt7HTljUwDQYJKoZIhvcNAQEL
BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh
bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyNDAw
MFoXDTE4MDUxMjIyNDAwMFowQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
FAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQDEwZzZXJ2ZXIwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOdFihYSoHxVBDdWcVK/VvY9TVTBN1ER+w
W787/LF0GkIRtJizVBzrKcdm4w7KxxLjqSIHc9JfX8LEyY89IZw7VndUht/xhQG1
ozFOw7ucDkfbYQ78zxIj6mysOG/462auPMO1ZUL0qANX8Xn7/y/KfKHgnscyKVSP
NswddgJm9btobvOusi0w2OEaYl5FcWUEi5IvF1soZy4W/bHPdA+oXXnWY1w9pCiy
PWTsu28HkOR+GtrfecwSwGnxBl8BqDrF+6ERER5Xqo6UbYNAvycq62LWEthQMXLc
buTWKzAb8dp1QGgwauf6fxLLBOYBbccO9x/E5fOXluuYtRE1Rj51AgMBAAGjgYMw
gYAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFAs/6pFKZmzdHb27KyFFd0G9G/39MB8GA1UdIwQYMBaA
FN9DwI6uXDsJS84uH8UhNyf7/RD3MAsGA1UdEQQEMAKCADANBgkqhkiG9w0BAQsF
AAOCAQEAhCYtK8m7gPrijUgmYFyUqwiYFSLIhTEE+9nGZ/3Q5IeLneTVcQMAogUY
cZCNPrj8QBQmEXupacHBH1UO58L0OsXf+jJ3Gx5W9YiNyEzhZxoi08u2y/JzQ+3K
OVfSYpsHPVH82f9pz9TVmBhcVBrxUY1cO4vTxBm5P9irVo1M8KHRB3qLjHSSr7mP
pvFRYTrnG8cEMRwJT+Akfc9jFDXzCxPptHGme5lZAXH0OcyAEaGLrBlmrZKOuGa8
ssJWcp5OoTdUiL0j6LfRZSghbVkNsSTXPVcBU38YsowpOm8AOpqu+mF0hl/cq8/h
vE8cxe19y4FmiPD5JaUtndkwXxM8bQ==
-----END CERTIFICATE-----
27 changes: 27 additions & 0 deletions fixtures/database/notary-signer-key.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEA0UiaAApHxQUjBAY+02+ioQKbPivrFmCrsNEC4VPHmAuHfgbh
IwSf+zZq4+xL2j7If354Mb7RpgUT+Y0jFfaIBBLWXVXG+/91EVTwFTj33iCmRyNB
AbD0BkiAYqV5PkqlUhkCIglLell/MiOM+8CEUARKA3L82bkILG86fdHhYK0cRzf1
CPQrgtWg1GtWZlDEilnG083a8PjUyc1ejuSjoa606nszS/UctKAkGkvhl+KQyEep
EFffm1Xmb66wv/S+p3Ba4YhU5xqT7b6TSTcIuXpzOOkkNwnyU79BIBaP1BSAE8Rx
EXBts9Lo6E8b9QhEJyzPxmQXM5qE1y2yYoOoLwIDAQABAoIBAHGEi+PRr7QyYRfh
u1o8h14GZ+aFM/LjZL134bQPGYhjWI8HdD7mV1CP59LRbSNoQqDFHLT+6ADBaGBI
KevT2Vs8TII78L7nhbxs8fzQ9cHKu+aCPNSKAxMVaG4Zi3Y6TwoE/p8vo30t5kxv
9BzqA9rTOMI+MOB3+PMBMhzlJvakc0fOy3w2ZTZoTWYe0Fnv8NcslKqYoTLBEkC1
drwBU9G4BlkeRg6E6zadJJCyy6r8PmUp0ipfC87nVZDPrHxQmjemMrBCVUDE5e+V
9R0CtxXGfOuyXUQUS3ZQMQerILfhx+O49VV/H08SctDpOPeKNFi8wK5uffutDykL
C0XyTyECgYEA09xVLRKRdyAC7s4KV4b4JTRBtrlI/5CxyrlfxlZZGUbAtf6prpOP
YPNCetHEOW9dF5kSLDVNujaOrdvu30f2BkQcf1f0MavLh9lU+zwrqnRhGn+IOOat
Jhf0zF8H7NccEI1w93XQG/M9+3Lczs60ioiyX+IL7EJRaGaDguUOAOsCgYEA/OLR
0cOAGvzWpKuUmS5yGIewGk6P8uLlnBkv7Lo607PTlIDMmTl8KTFyqrXajulK5o0W
JsgTlCr/0lfaOV9boW1+PkvA3NYCzoR/c+gdvvCSDbnfmgFkx8dUh05oXW2zGdgv
3PFK2IUzHgBvjR9kB7hWl5BaCYMFzLCKd7qLxM0CgYAxZGnbMzwEqMrmP9T7aPUL
P26emf3hzysUFzmz9Mea8/rTs0Z989r2gGAcYDE+Lq9mZAJvmhG/+x4yfFbpaU57
UX/PVIMS3Xl693kvhWystas50UfB9E2j1uv0hadEWTYqyb7vgmD9Uy09JR9De79t
mMb1Qa8D6sYt79BzQNGN9wKBgEzjUdQrUsnh0gkjOf0RCBO5Pavh8xZwMkuxxMZ/
IN+5Lz1Zo9t6hOupYynQPPFysRlEEFYeQwWrxThZCbqj6aI9PkMGmU8LqrLLykyd
aF3jmySdPQUAI3oyetrg1g6CChBzkKnmm1EVvqMCkugfgTRvsbRHaXi2446GprMc
ft6JAoGAYPumwvVhH2hQ+/CxvcESE1Udl9uavnwwtrw52wKBOTqwZYnVojEVn8e3
rQpiBHU89K2dsEmvomrU2HHnPBmXYV3frh7GD/VIP4NvFQmXNs+1LNPP+3A56PtT
/UqE7KPUPJ0WqkyJ/wC2r9QFylA4swxJEiZH0s8SvbY/Ce1IEDE=
-----END RSA PRIVATE KEY-----
22 changes: 22 additions & 0 deletions fixtures/database/notary-signer.pem
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDojCCAoqgAwIBAgIUeYAM7aBfKP6UBYbE83msSo04RsowDQYJKoZIhvcNAQEL
BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh
bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyNDAw
MFoXDTE4MDUxMjIyNDAwMFowQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
FAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQDEwZzaWduZXIwggEiMA0GCSqG
SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRSJoACkfFBSMEBj7Tb6KhAps+K+sWYKuw
0QLhU8eYC4d+BuEjBJ/7Nmrj7EvaPsh/fngxvtGmBRP5jSMV9ogEEtZdVcb7/3UR
VPAVOPfeIKZHI0EBsPQGSIBipXk+SqVSGQIiCUt6WX8yI4z7wIRQBEoDcvzZuQgs
bzp90eFgrRxHN/UI9CuC1aDUa1ZmUMSKWcbTzdrw+NTJzV6O5KOhrrTqezNL9Ry0
oCQaS+GX4pDIR6kQV9+bVeZvrrC/9L6ncFrhiFTnGpPtvpNJNwi5enM46SQ3CfJT
v0EgFo/UFIATxHERcG2z0ujoTxv1CEQnLM/GZBczmoTXLbJig6gvAgMBAAGjgYMw
gYAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB
/wQCMAAwHQYDVR0OBBYEFKKGeJZLHFg3QgqFOFE7UjmSYCjNMB8GA1UdIwQYMBaA
FN9DwI6uXDsJS84uH8UhNyf7/RD3MAsGA1UdEQQEMAKCADANBgkqhkiG9w0BAQsF
AAOCAQEAREI6iRUC0Pjn41QLI0Xtjv/2GeM1jKY0i6LcT+779QAU5iqPvmxhtO1N
BM5ycQwyLD3T55t50ANDDm91klFlXF8IgSvq3efCVSWPtEkVznfQVMOu4dwVblhT
GPg1BWbRsbjqdSVfU2cjoQNlflqRaw0XMJ738TrciaLxRHkvYsd0XCOjNTUfUuzi
G16zdjBYn43XXW+4FnB2FzqzoM+PicCfEl8Gvi20QlgqtM5kaflhik2gQy6zXc1i
hCiiRiE1Qv60VjsGvLFG+TN6HeWQlE260v5drzjmMen9i8hYc42glRDolUSg6hQs
DLjTitTiXond4yxJ80LQH6CTtPybvg==
-----END CERTIFICATE-----
2 changes: 1 addition & 1 deletion fixtures/server-config.postgres.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,6 @@
},
"storage": {
"backend": "postgres",
"db_url": "postgres://server@postgresql:5432/notaryserver?sslmode=disable"
"db_url": "postgres://server@postgresql:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem"
}
}
2 changes: 1 addition & 1 deletion fixtures/signer-config.postgres.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -10,6 +10,6 @@
},
"storage": {
"backend": "postgres",
"db_url": "postgres://signer@postgresql:5432/notarysigner?sslmode=disable"
"db_url": "postgres://signer@postgresql:5432/notarysigner?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-signer.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-signer-key.pem"
}
}
2 changes: 2 additions & 0 deletions notarysql/postgresql-initdb.d/pg_hba.conf
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# http://stackoverflow.com/q/18497299
hostssl all all 0.0.0.0/0 cert clientcert=1
21 changes: 21 additions & 0 deletions notarysql/postgresql-initdb.d/root.crt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDajCCAlKgAwIBAgIUHN8eDMtoTOBXOd+RjnCxLYUs4kYwDQYJKoZIhvcNAQEL
BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh
bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyMzcw
MFoXDTIyMDUxMTIyMzcwMFowTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENB
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy9811sQcEoe2pH0+jUQP
8Jq7RkuUnFtbYpR7H6AyMXfyCsiz4ghpkENFScJlQhFE/Q5XXk0mTVEJD7UEwuQp
haqqSbDYMKVXHGY3CESyRF6z/k4jPTpxK0KxqsIXi8MZFvLOMUVGhXp+duFFX365
ZXi0GTIhkkbo6/tQLLAYAL5dfAOU7FTOthK6RkPBnPLdb5ZuKJfbSBkIBH+Rdrm5
atJYzL6rha3p2Hnm6FFF0eqdd+uqYpBuXcmQsftxPLBMvqbHXaPMov51+WvRXz0K
EeluT0Fue0LuYCRYFMlbmALFg85tFAHWXKer6M/ejK4MCWQnpPwalE9Oaetb1/q5
MwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
HQ4EFgQU30PAjq5cOwlLzi4fxSE3J/v9EPcwDQYJKoZIhvcNAQELBQADggEBAJhV
p1Va9r/NdCXaL5Ah+4i+l5m3hcKXT9h3811rmtLtKqcUwwnBbG+V3Ko+arbuCDYV
VajGLRnhTjy1thqYZr6KbeG6HZ6BN8Zxhcam86O7JXDBKoWJH4SIGysXO0jXg1n4
fM1teEhQ69OUCrCkFGBblL88uHbdgIQGTDkD9F4hFGia6NSII46MTIE6tH0UBrIy
L5ZNCgG5Mn5w4D2Su6X6vq5ovE/mXRJLYCQLkvKSi5BQDdM26SwmKFSNk2V+DUeu
te3qluUTIFLa+V+U0C6vJMaxgaTB5phzQ1R7HykqBnSrzcqyQKYKnR3aGzvHnb2m
VYGGXEToG4TacQ/psn8=
-----END CERTIFICATE-----
22 changes: 22 additions & 0 deletions notarysql/postgresql-initdb.d/server.crt
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,22 @@
-----BEGIN CERTIFICATE-----
MIIDtTCCAp2gAwIBAgIUBFaJGFhoc5kBplg2RjIG0EJCNAUwDQYJKoZIhvcNAQEL
BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh
bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyMzkw
MFoXDTE4MDUxMjIyMzkwMFowRTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
FAYDVQQHEw1TYW4gRnJhbmNpc2NvMREwDwYDVQQDEwhkYXRhYmFzZTCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMoEIo/VnyDNDkwHPBB+Lvc0ibOvTQN8
HNpMhPDkAr10pI4dpgizGevvw3OP26h1aVdZA9mMQB9NfX207R8Vlvq4R8PeY59k
iWXb4rEN3WmyY6L042SiABgUB0sSP9OIS+pRXlUyT8dyv4GeWfV3onL5WFvf1AzX
3uWard9hLCNE0EzXVSyxxxtLNTJB8qXniKFWuFyHaFalaaesmhedbK3H5k+VU2Um
fygYUYoHABTEKe0miMsTgzXQSHheKzowyt7BiI2FpcmHUMg8C+CWIvzrbWWC+0rr
Pka7YBFCscJyfMyKN2YblFQhqIbyf6QenyFe3cuOP2OMdR4Ukw66KYsCAwEAAaOB
lDCBkTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0T
AQH/BAIwADAdBgNVHQ4EFgQU7bNuwTAm8Ez3cb8+fYQHymgV2t8wHwYDVR0jBBgw
FoAU30PAjq5cOwlLzi4fxSE3J/v9EPcwHAYDVR0RBBUwE4IKcG9zdGdyZXNxbIIF
bXlzcWwwDQYJKoZIhvcNAQELBQADggEBACSdcADswQRitOr+EUUTrb6xluXtMMjQ
h2ZDkZ8FXNMiem149o22FGtmKVKhaNnG0hgejHrzJKJp6TFS56HAz55PkO8NxP1C
opk2whrvq/5Nspz+91WLWqMel8CbaHxVlLjMZbgLCkEOiZJ27Va1AWVZd+cW4ACQ
vb7/clQumZQi49jSthJuzY//aFsuT0/CtkuGwXg38bqNI6hGvU9crDQermuGnd8t
uMabgyWfQeUohKn1HZ0mo+rnMR/Y8pJXZvcoLwyxfo9hRXk1PHMGdwAOI5VlxxOy
89sRyeXdFkzipGg1Ywd3TR528+q1lUYkYmRReEqKS/HquGHQtnvT1Nw=
-----END CERTIFICATE-----
27 changes: 27 additions & 0 deletions notarysql/postgresql-initdb.d/server.key
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAygQij9WfIM0OTAc8EH4u9zSJs69NA3wc2kyE8OQCvXSkjh2m
CLMZ6+/Dc4/bqHVpV1kD2YxAH019fbTtHxWW+rhHw95jn2SJZdvisQ3dabJjovTj
ZKIAGBQHSxI/04hL6lFeVTJPx3K/gZ5Z9XeicvlYW9/UDNfe5Zqt32EsI0TQTNdV
LLHHG0s1MkHypeeIoVa4XIdoVqVpp6yaF51srcfmT5VTZSZ/KBhRigcAFMQp7SaI
yxODNdBIeF4rOjDK3sGIjYWlyYdQyDwL4JYi/OttZYL7Sus+RrtgEUKxwnJ8zIo3
ZhuUVCGohvJ/pB6fIV7dy44/Y4x1HhSTDropiwIDAQABAoIBAQCXXKHIw3aHTRz5
OjJ26RSnhGXoi+BYTBYSOmMhWrXy3gKtuOk+e3NgpDT90Tvz7IURPVD1H3CsA5OT
LIy+TZ7iHFEpIOfj9aA9AZPItWrAVzjwUCxQqlEHuXn9dZ79D5JR7sWPcDL2bbOv
msYsdYbyPoFF1V88gEIyJsNAK762bPN7pIMasHdtQGninx7IXoI2pZKnarMfxADy
TS5z95qKmegFcOfPtjF+QbFLqScb8uuDWkHGhpNyWN9dhVtSkzPnuT/Y87x9SRNI
Si3dVG1rPJ2FN6mQGhqs6Wp5VjXyu43O0zk/Dt5NO4nEqIXnfjkZ0NhsKy51gUmy
4YnkU+CBAoGBANYBFd842c2NThlNATRSaoWEcf2p2QL2Ss1B2lgYwxw0jm5wZWJt
muH1RILY5erign2yEtPDOubBQS9OePvyJsaaPepRyyMAUdv9vvAqxW3ev3DLQhy0
8BQFsabGu/7WBQLIuiR0N682sANNJREGY5XZiWogaNCt7AEKkCygeVFHAoGBAPGo
zhAbcnKvUFHZXG4Kw8axlNpT75JISxeRilmt6KtiWHwhHzBxQgkyj3413wD7vADd
NIu8eqJUzBDJ8ZFAn3ZSdZCgDtCbTTn59wdRXzUT8WJGj7ProQVZH5+Vw0MEhtT3
YOxlNefN+1OlJTZ6V1o8BTyhXi66DJAqUHMUQqedAoGAPKUaGaP2tPVySGE2Eim4
3hVmaEgVo21ATWJ4Cbcas4eBRXK8iGQfHCFxRNNKdIG0EQLBqxkMPBBP9KP8TQmW
S3myShDbzBNvHzSNQ2obgMM65S/0kEYGMuZaLbTr2Y+049EWTvZQQWrx/j2CX4y7
898tvdFpYpmm47Smnr7rIkkCgYB1uRwZMKXCRLFGDjM+0DOrOZsf+L++bUVXh+jz
4wpzYwdkAOamvKXEwUKx4yBt5DQj357Xa8v6BIEctKPfdLG5/FWVTMOqz90BH0o9
4GAXBU4T5/fdWC4q4s3K+jQTE8NzP8eRoYRvFiMXDl5geZzQMmkCrkGpVa0FFff2
96m46QKBgGzCuE2ZSaCduQYKVL6KcvASqkJ72eodKSzvB1aY2MD6d+RCWPebLqR2
TuUpwx13/G6RUMO7i5cDeE9rMxinGPU7X0/h9m+Fr2+vO3a2FuBiL8ZZM5+CI2y2
0av1S7h0quIScNifN3QM8jawE1IWXd6AQPbFx7nCrtmEP+rVl5Z9
-----END RSA PRIVATE KEY-----
14 changes: 14 additions & 0 deletions notarysql/postgresql-initdb.d/tls-setup.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,14 @@
#!/bin/bash

# Setup the server so it knows where to find certs so that server can be
# started with TLS enabled.
set -e

sed -i "s/#ssl = off/ssl = on/" "$PGDATA"/postgresql.conf
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for my own understanding: where does $PGDATA come from?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is set in the Dockerfile for the image: https://github.com/docker-library/postgres/blob/master/9.5/Dockerfile#L60

sed -i "s/#ssl_ca_file = ''/ssl_ca_file = 'root.crt'/" "$PGDATA"/postgresql.conf
cp /docker-entrypoint-initdb.d/pg_hba.conf "$PGDATA"
cp /docker-entrypoint-initdb.d/server.{crt,key} "$PGDATA"
cp /docker-entrypoint-initdb.d/root.crt "$PGDATA"
chown postgres:postgres "$PGDATA"/server.{crt,key}
chown postgres:postgres "$PGDATA"/root.crt
chmod 0600 "$PGDATA"/server.key
2 changes: 2 additions & 0 deletions server.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ COPY . /go/src/${NOTARYPKG}

WORKDIR /go/src/${NOTARYPKG}

RUN chmod 0600 ./fixtures/database/*

ENV SERVICE_NAME=notary_server
EXPOSE 4443

Expand Down
2 changes: 2 additions & 0 deletions signer.Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ COPY . /go/src/${NOTARYPKG}

WORKDIR /go/src/${NOTARYPKG}

RUN chmod 0600 ./fixtures/database/*

ENV SERVICE_NAME=notary_signer
ENV NOTARY_SIGNER_DEFAULT_ALIAS="timestamp_1"
ENV NOTARY_SIGNER_TIMESTAMP_1="testpassword"
Expand Down