Option for dev env to enable ssl for postgres (#15151)

PG_TLS=true make docker-compose This will add some extra startup commands for the postgres container to generate a key and cert to use for postgres connections. It will also mount in pgssl.conf which has ssl configuration. This can be useful for debugging issues that only surface when using ssl postgres connections.
2026-01-11 18:09:57 -03:30 · 2024-06-05 12:48:08 -04:00 · 2024-06-05 12:48:08 -04:00 · d43c91e1a5
commit d43c91e1a5
parent b470ca32af
5 changed files with 24 additions and 1 deletions
--- a/3
+++ b/3
@ -53,6 +53,8 @@ OTEL ?= false
 LOKI ?= false
 # If set to true docker-compose will install editable dependencies
 EDITABLE_DEPENDENCIES ?= false
+# If set to true, use tls for postgres connection
+PG_TLS ?= false

 VENV_BASE ?= /var/lib/awx/venv

@ -542,6 +544,7 @@ docker-compose-sources: .git/hooks/pre-commit
 	    -e enable_otel=$(OTEL) \
 	    -e enable_loki=$(LOKI) \
 	    -e install_editable_dependencies=$(EDITABLE_DEPENDENCIES) \
+	    -e pg_tls=$(PG_TLS) \
 	    $(EXTRA_SOURCES_ANSIBLE_OPTS)

 docker-compose: awx/projects docker-compose-sources
--- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml
@ -4,6 +4,7 @@ awx_image: 'ghcr.io/ansible/awx_devel'
 pg_port: 5432
 pg_username: 'awx'
 pg_database: 'awx'
+pg_tls: false
 control_plane_node_count: 1
 minikube_container_group: false
 receptor_socket_file: /var/run/awx-receptor/receptor.sock
--- a/tools/docker-compose/ansible/roles/sources/templates/database.py.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/database.py.j2
@ -5,6 +5,9 @@ DATABASES = {
        'NAME': "{{ pg_database }}",
        'USER': "{{ pg_username }}",
        'PASSWORD': "{{ pg_password }}",
+{% if pg_tls|bool %}
+        'OPTIONS': {'sslmode': 'require'},
+{% endif %}
 {% if enable_pgbouncer|bool %}
        'HOST': "pgbouncer",
        'PORT': "{{ pgbouncer_port }}",
--- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
@ -237,13 +237,24 @@ services:
    image: quay.io/sclorg/postgresql-15-c9s
    container_name: tools_postgres_1
    # additional logging settings for postgres can be found https://www.postgresql.org/docs/current/runtime-config-logging.html
-    command: run-postgresql -c log_destination=stderr -c log_min_messages=info -c log_min_duration_statement={{ pg_log_min_duration_statement|default(1000) }} -c max_connections={{ pg_max_connections|default(1024) }}
+    command: >
+        bash -c "
+{% if pg_tls|bool %}
+        mkdir -p /opt/app-root/src/certs
+        && openssl genrsa -out /opt/app-root/src/certs/tls.key 2048
+        && openssl req -new -x509 -key /opt/app-root/src/certs/tls.key -out /opt/app-root/src/certs/tls.crt -subj '/CN=postgres'
+        && chmod 600 /opt/app-root/src/certs/tls.crt /opt/app-root/src/certs/tls.key &&
+{% endif %}
+        run-postgresql -c log_destination=stderr -c log_min_messages=info -c log_min_duration_statement={{ pg_log_min_duration_statement|default(1000) }} -c max_connections={{ pg_max_connections|default(1024) }}"
    environment:
      POSTGRESQL_USER: {{ pg_username }}
      POSTGRESQL_DATABASE: {{ pg_database }}
      POSTGRESQL_PASSWORD: {{ pg_password }}
    volumes:
      - "awx_db_15:/var/lib/pgsql/data"
+{% if pg_tls|bool %}
+      - "../../docker-compose/pgssl.conf:/opt/app-root/src/postgresql-cfg/pgssl.conf"
+{% endif %}
    networks:
      - awx
    ports:
--- a/tools/docker-compose/pgssl.conf
+++ b/tools/docker-compose/pgssl.conf
@ -0,0 +1,5 @@
+ssl = on
+ssl_cert_file = '/opt/app-root/src/certs/tls.crt' # server certificate
+ssl_key_file =  '/opt/app-root/src/certs/tls.key' # server private key
+#ssl_ca_file                                   # trusted certificate authorities
+#ssl_crl_file                                  # certificates revoked by certificate authorities