diff --git a/Changelog.md b/Changelog.md
index 79f7a18..b3b91a0 100644
--- a/Changelog.md
+++ b/Changelog.md
@@ -6,6 +6,7 @@
 - `PSQL_MODE` config parameter renamed to `REPLICATION_MODE`
 - `PSQL_SSLMODE` config parameter renamed to `REPLICATION_SSLMODE`
 - defined `/etc/postgresql/certs` as the mountpoint to install SSL key and certificate
+- added `PG_SSL` parameter to enable/disable SSL support
 
 **9.4-2**
 - added replication options
diff --git a/entrypoint.sh b/entrypoint.sh
index 2172a4e..0e3e7a2 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -1,6 +1,7 @@
 #!/bin/bash
 set -e
 
+PG_SSL=${PG_SSL:-}
 PG_TRUST_LOCALNET=${PG_TRUST_LOCALNET:-$PSQL_TRUST_LOCALNET} # backward compatibility
 PG_TRUST_LOCALNET=${PG_TRUST_LOCALNET:-false}
 
@@ -114,6 +115,25 @@ set_hba_param() {
   fi
 }
 
+configure_ssl() {
+  ## NOT SURE IF THIS IS A GOOD ALTERNATIVE TO ENABLE SSL SUPPORT BY DEFAULT ##
+  ## BECAUSE USERS WHO PULL A PREBUILT IMAGE WILL HAVE THE SAME CERTIFICATES ##
+  # if [[ ! -f ${PG_CERTDIR}/server.crt && ! -f ${PG_CERTDIR}/server.key ]]; then
+  # if [[ -f /etc/ssl/certs/ssl-cert-snakeoil.pem && -f /etc/ssl/private/ssl-cert-snakeoil.key ]]; then
+  # ln -sf /etc/ssl/certs/ssl-cert-snakeoil.pem ${PG_CERTDIR}/server.crt
+  # ln -sf /etc/ssl/private/ssl-cert-snakeoil.key ${PG_CERTDIR}/server.key
+  # fi
+  # fi
+
+  if [[ -f ${PG_CERTDIR}/server.crt && -f ${PG_CERTDIR}/server.key ]]; then
+    PG_SSL=${PG_SSL:-on}
+    set_postgresql_param "ssl_cert_file" "${PG_CERTDIR}/server.crt"
+    set_postgresql_param "ssl_key_file" "${PG_CERTDIR}/server.key"
+  fi
+  PG_SSL=${PG_SSL:-off}
+  set_postgresql_param "ssl" "${PG_SSL}"
+}
+
 configure_hot_standby() {
   case ${REPLICATION_MODE} in
     slave|snapshot) ;;
@@ -341,6 +361,7 @@ if [[ -z ${1} ]]; then
   create_rundir
   initialize_database
+  configure_ssl
   trust_localnet
   create_user
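Review bot: `configure_ssl` only tests that `server.crt` and `server.key` exist, but PostgreSQL refuses to start when the private key is group- or world-readable, so a key mounted under `${PG_CERTDIR}` with the wrong mode becomes an opaque startup failure instead of a clear message; likewise an explicit `PG_SSL=on` with no certificate pair writes `ssl = on` without `ssl_cert_file`/`ssl_key_file` and fails the same way. Both cases are cheap to fail fast on in the entrypoint, as in the rewrite below (the `find -perm /077` form assumes GNU find, which the Debian/Ubuntu `ssl-cert-snakeoil` paths in the commented block suggest the image has). `PG_SSL` is also handed to `set_postgresql_param` unvalidated, and anything other than a PostgreSQL boolean (`on`/`off`, `true`/`false`, `yes`/`no`, `1`/`0`) will likewise prevent the server from starting, so the rewrite treats any non-empty value other than `off` as a request for SSL. The commented-out snakeoil block is dead code and should be dropped rather than shipped — its reasoning (a prebuilt image would hand every user the same private key) is sound and worth keeping as a one-line comment such as `# no fallback to the packaged snakeoil pair: every pull of the image would share one private key`.
```shell
configure_ssl() {
  # no fallback to the packaged snakeoil pair: every pull of the image would share one private key
  if [[ -f ${PG_CERTDIR}/server.crt && -f ${PG_CERTDIR}/server.key ]]; then
    # postgres rejects a private key that is readable by group or others
    if [[ -n $(find "${PG_CERTDIR}/server.key" -perm /077) ]]; then
      echo "ERROR: ${PG_CERTDIR}/server.key must not be group- or world-readable" >&2
      exit 1
    fi
    PG_SSL=${PG_SSL:-on}
    # … unchanged: ssl_cert_file / ssl_key_file params …
  elif [[ -n ${PG_SSL} && ${PG_SSL} != off ]]; then
    echo "ERROR: PG_SSL=${PG_SSL} but ${PG_CERTDIR}/server.crt and server.key are missing" >&2
    exit 1
  fi
  # … unchanged: PG_SSL default and ssl param …
}
```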