diff --git a/Makefile b/Makefile
index 8a47658159..1b6ff5156d 100644
--- a/Makefile
+++ b/Makefile
@@ -53,6 +53,8 @@ OTEL ?= false
 LOKI ?= false
 # If set to true docker-compose will install editable dependencies
 EDITABLE_DEPENDENCIES ?= false
+# If set to true, use tls for postgres connection
+PG_TLS ?= false
 VENV_BASE ?= /var/lib/awx/venv
@@ -542,6 +544,7 @@ docker-compose-sources: .git/hooks/pre-commit
 -e enable_otel=$(OTEL) \
 -e enable_loki=$(LOKI) \
 -e install_editable_dependencies=$(EDITABLE_DEPENDENCIES) \
+ -e pg_tls=$(PG_TLS) \
 $(EXTRA_SOURCES_ANSIBLE_OPTS)
 docker-compose: awx/projects docker-compose-sources
diff --git a/tools/docker-compose/ansible/roles/sources/defaults/main.yml b/tools/docker-compose/ansible/roles/sources/defaults/main.yml
index d336f29fc4..669f2cfe20 100644
--- a/tools/docker-compose/ansible/roles/sources/defaults/main.yml
+++ b/tools/docker-compose/ansible/roles/sources/defaults/main.yml
@@ -4,6 +4,7 @@ awx_image: 'ghcr.io/ansible/awx_devel'
 pg_port: 5432
 pg_username: 'awx'
 pg_database: 'awx'
+pg_tls: false
 control_plane_node_count: 1
 minikube_container_group: false
 receptor_socket_file: /var/run/awx-receptor/receptor.sock
diff --git a/tools/docker-compose/ansible/roles/sources/templates/database.py.j2 b/tools/docker-compose/ansible/roles/sources/templates/database.py.j2
index 76bebff159..120a5c0d0a 100644
--- a/tools/docker-compose/ansible/roles/sources/templates/database.py.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/database.py.j2
@@ -5,6 +5,9 @@ DATABASES = {
 'NAME': "{{ pg_database }}",
 'USER': "{{ pg_username }}",
 'PASSWORD': "{{ pg_password }}",
+{% if pg_tls|bool %}
+ 'OPTIONS': {'sslmode': 'require'},
+{% endif %}
 {% if enable_pgbouncer|bool %}
 'HOST': "pgbouncer",
 'PORT': "{{ pgbouncer_port }}",
diff --git a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2 b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
index 86f84523a3..734b3ba47e 100644
--- a/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
+++ b/tools/docker-compose/ansible/roles/sources/templates/docker-compose.yml.j2
@@ -237,13 +237,24 @@ services:
 image: quay.io/sclorg/postgresql-15-c9s
 container_name: tools_postgres_1
 # additional logging settings for postgres can be found https://www.postgresql.org/docs/current/runtime-config-logging.html
- command: run-postgresql -c log_destination=stderr -c log_min_messages=info -c log_min_duration_statement={{ pg_log_min_duration_statement|default(1000) }} -c max_connections={{ pg_max_connections|default(1024) }}
+ command: >
+ bash -c "
+{% if pg_tls|bool %}
+ mkdir -p /opt/app-root/src/certs
+ && openssl genrsa -out /opt/app-root/src/certs/tls.key 2048
+ && openssl req -new -x509 -key /opt/app-root/src/certs/tls.key -out /opt/app-root/src/certs/tls.crt -subj '/CN=postgres'
+ && chmod 600 /opt/app-root/src/certs/tls.crt /opt/app-root/src/certs/tls.key &&
+{% endif %}
+ run-postgresql -c log_destination=stderr -c log_min_messages=info -c log_min_duration_statement={{ pg_log_min_duration_statement|default(1000) }} -c max_connections={{ pg_max_connections|default(1024) }}"
 environment:
 POSTGRESQL_USER: {{ pg_username }}
 POSTGRESQL_DATABASE: {{ pg_database }}
 POSTGRESQL_PASSWORD: {{ pg_password }}
 volumes:
 - "awx_db_15:/var/lib/pgsql/data"
+{% if pg_tls|bool %}
+ - "../../docker-compose/pgssl.conf:/opt/app-root/src/postgresql-cfg/pgssl.conf"
+{% endif %}
 networks:
 - awx
 ports:
diff --git a/tools/docker-compose/pgssl.conf b/tools/docker-compose/pgssl.conf
new file mode 100644
index 0000000000..d34917d1ff
--- /dev/null
+++ b/tools/docker-compose/pgssl.conf
@@ -0,0 +1,5 @@
+ssl = on
+ssl_cert_file = '/opt/app-root/src/certs/tls.crt' # server certificate
+ssl_key_file = '/opt/app-root/src/certs/tls.key' # server private key
+#ssl_ca_file # trusted certificate authorities
+#ssl_crl_file # certificates revoked by certificate authorities
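Review bot: The comment on the new `PG_TLS` knob says only "use tls for postgres connection", which leaves a developer guessing what enabling it actually configures. Judging by the rest of this commit it starts the dev postgres container with a self-signed certificate generated at container start and points AWX at it with `sslmode=require`, so the comment could spell that out: `# If set to true, start the dev postgres container with a self-signed TLS certificate and connect with sslmode=require (encrypted, server certificate not verified)`. The same wording would suit the new `pg_tls: false` default in roles/sources/defaults/main.yml, which currently has no comment at all.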
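Review bot: `'OPTIONS': {'sslmode': 'require'}` encrypts the connection but does not verify the server certificate, so with the self-signed certificate this commit generates the client accepts whatever certificate is presented on the postgres port; for a dev stack that is a reasonable trade-off, but the template should say so, e.g. `{# sslmode=require: TLS without server verification; the dev cert is self-signed and regenerated on each start, so verify-ca/verify-full cannot be used #}`. Note also that the new `OPTIONS` key is emitted before the `{% if enable_pgbouncer|bool %}` host selection, so when both `pg_tls` and `enable_pgbouncer` are true the `sslmode=require` applies to the pgbouncer connection, which this commit does not appear to configure for TLS; either widen the guard to `{% if pg_tls|bool and not enable_pgbouncer|bool %}` or document that the two flags are not meant to be combined. The `DATABASES` dict continues outside the hunk.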
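Review bot: The `openssl genrsa` and `openssl req` lines run unconditionally on every container start and `/opt/app-root/src/certs` is not on a volume (only `awx_db_15` and the `pgssl.conf` bind mount are), so the key and certificate are thrown away and regenerated each time the container is recreated; that is fine for a dev stack, but it means no client can pin the certificate and `sslmode=require` is the ceiling for the rest of this change. If that is intended, a Jinja comment next to the `{% if pg_tls|bool %}` block stating that the certificate is ephemeral and unverified would save the next reader from trying to raise the sslmode; if not, skip generation when the key already exists (`test -f /opt/app-root/src/certs/tls.key ||` in front of the openssl chain) and keep the directory on a named volume. Separately, the cert and key paths are repeated six times inside a folded scalar that mixes YAML folding, Jinja and a double-quoted bash string; a small shell script under tools/docker-compose/ mounted next to pgssl.conf would be easier to read and to test. The `postgres` service definition continues outside the hunk.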
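Review bot: `ssl = on` lets the server accept TLS but does not require it; plaintext connections on the same port are still accepted unless pg_hba.conf uses `hostssl` rather than `host` entries, and this commit does not touch pg_hba.conf (the image's default is not visible here). Since the only client this change configures asks for `sslmode=require`, that is acceptable for a dev setup, but the file should state it: `# ssl = on only enables TLS; non-TLS clients are still accepted unless pg_hba.conf uses hostssl`. The commented `#ssl_ca_file` / `#ssl_crl_file` lines are useful pointers, but a one-line note that client-certificate authentication is intentionally not configured would make that explicit rather than looking like an unfinished edit.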