Enable client and server cert auth in postgresql #1160
Conversation
(For both client and server) Status: Server cert validation is successful, client (notary signer and server) fails. Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
|
Some thoughts:
TODO:
|
|
Could we add generating the certs to |
|
Looks like tests are failing because we have one more place we specify the DB_URL for db-specific unit tests :| https://github.com/docker/notary/blob/master/buildscripts/dbtests.sh#L19 |
|
Ah, thanks! |
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
ashfall
force-pushed
the
postgresql-cert-auth
branch
from
eaf300e
to
deb6db3
Compare
There was a problem hiding this comment.
thanks for tackling this! Looks like the postgres tests on circle are running into a connection error:
time="2017-05-15T20:26:12Z" level=fatal msg="Unable to connect to postgres://server@postgresql_tests:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem after 60 seconds"
| # started with TLS enabled. | ||
| set -e | ||
|
|
||
| sed -i "s/#ssl = off/ssl = on/" "$PGDATA"/postgresql.conf |
There was a problem hiding this comment.
for my own understanding: where does $PGDATA come from?
There was a problem hiding this comment.
It is set in the Dockerfile for the image: https://github.com/docker-library/postgres/blob/master/9.5/Dockerfile#L60
|
@riyazdf Thanks for reviewing! It appears that the DBURL per #1160 (comment) doesn't lead to a successful connection, I am trying to figure out what might be different. (Since this script/setup is specifically for our CI, I'm unable to debug much locally. Any thoughts/insights?) |
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
ashfall
force-pushed
the
postgresql-cert-auth
branch
from
90d25ff
to
fb1735b
Compare
|
jenkins is back up now, I kicked off a new test run |
|
jenkins, test this please |
| @@ -40,6 +40,7 @@ services: | |||
| - mdb | |||
| volumes: | |||
| - ./notarysql/postgresql-initdb.d:/docker-entrypoint-initdb.d | |||
| command: -l | |||
There was a problem hiding this comment.
for my own understanding: where does this come from? I didn't find this option on the official image description...tried searching around but couldn't find the flag elsewhere
There was a problem hiding this comment.
Per https://www.postgresql.org/docs/9.5/static/app-postgres.html, -l "Enables secure connections using SSL.".
FWIW, I think ssl=on is implicit after passing -l, but since I was editing the conf for ssl_ca_file path, I thought it would be clearer to set ssl=on explicitly, in case anything changes silently in the future versions. (e.g. Not sure what happens if we use -l and ssl=off -- which one takes a higher priority is never mentioned. :( In fact, the docs that mention ssl=on never refer to -l, and vice versa.)
There was a problem hiding this comment.
awesome that helps a lot, thank you @ashfall!
./buildscripts/integrationtest.sh postgresqlshould run cleanly after this change.