feat(postgres): ssl for postgres #2473
Conversation
✅ Deploy Preview for testcontainers-go ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
There was a problem hiding this comment.
We are in the right track with this one, although I left some comments that need to be addressed.
Besides that, we need to include the new option in the docs. Please check the docs/modules/postgres.md file for that. Remember adding this right after the option title:
- Not available until the next release of testcontainers-go <a href="https://github.com/testcontainers/testcontainers-go"><span class="tc-version">:material-tag: main</span></a>
Thanks!
|
@mdelapenya That makes a lot of sense. Much cleaner. Do you want me to wait until that's done then base this on top of that? |
|
@bearrito I went ahead and extracted the TLS cert generation to a separate go package, which makes more sense: https://github.com/mdelapenya/tlscert Please take a look and use it as you need here! |
|
@mdelapenya Updated to use your package. |
|
@mdelapenya Update so that the entrypoint is coupled with the ssl settings. What about doing something similar for the conf file? |
|
@mdelapenya added docs. |
|
@mdelapenya Anything else on this? I'm going on holiday and am closing out my open pr's |
| os.RemoveAll(tmpDir) | ||
| }) | ||
|
|
||
| caCert := tlscert.SelfSignedFromRequest(tlscert.Request{ |
There was a problem hiding this comment.
Have you considered using tlscert.SelfSignedCA here instead? See https://github.com/mdelapenya/tlscert/blob/a038576e80ef259d2a60317ab51e37cdda8da3c8/tlscert.go#L135
|
@stevenh with the latest merges, I think we can prioritise this one using the new approach for TLS, wdyt? |
I dropped off from this for a while. Two questions
|
modules/postgres/postgres.go
Outdated
| expectedFiles := []string{sslSettings.CACertFile, sslSettings.CertFile, sslSettings.KeyFile} | ||
| for _, expectedFile := range expectedFiles { | ||
| _, err := os.Stat(expectedFile) | ||
| if err != nil { | ||
| return err | ||
| } | ||
| } |
There was a problem hiding this comment.
suggestion: I don't believe this is needed as it would caught by the copy handler, see full suggestion below.
Co-authored-by: Steven Hartland <[email protected]>
Co-authored-by: Steven Hartland <[email protected]>
Co-authored-by: Steven Hartland <[email protected]>
Co-authored-by: Steven Hartland <[email protected]>
Co-authored-by: Steven Hartland <[email protected]>
bearrito
changed the title
bearrito
changed the title
|
Addressed latest. |
|
@mdelapenya Is this good to go from your end? |
What does this PR do?
Enables SSL for postgres
The main thing to recognize when reviewing this is that the secret material must be owned by the postgres user.
The docker file copy api doesn't allowfor setting a user when copying. The only way I could think was to take wrap the entrypoint script with one that does what we want.
Why is it important?
User ran into issue trying to use SSL. It's not obviously supported (able) due to file permissions.
Related issues
Link related issues below. Insert the issue link or reference after the word "Closes" if merging this should automatically close it.
How to test this PR
Unit tests will work when complete.