Fix PostgreSQL 15 SSL authentication and test with SSL

NREL · Feb 3, 2025 · b7c593b · b7c593b
1 parent a666501
commit b7c593b
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 2 deletions.
diff --git a/Dockerfile-postgres b/Dockerfile-postgres
@@ -0,0 +1,6 @@
+FROM public.ecr.aws/docker/library/postgres:15.10-bookworm
+COPY ./test/config/ssl_test.crt /var/lib/postgresql/server.crt
+COPY ./test/config/ssl_test.key /var/lib/postgresql/server.key
+RUN chown postgres /var/lib/postgresql/server.key /var/lib/postgresql/server.key && chmod 600 /var/lib/postgresql/server.key
+
+CMD ["postgres", "-c", "ssl=on", "-c", "ssl_cert_file=/var/lib/postgresql/server.crt", "-c", "ssl_key_file=/var/lib/postgresql/server.key"]
diff --git a/build/patches/lua-resty-openssl.patch b/build/patches/lua-resty-openssl.patch
@@ -0,0 +1,34 @@
+diff --git a/lib/resty/openssl/auxiliary/nginx.lua b/lib/resty/openssl/auxiliary/nginx.lua
+index 5755d8a..540cbc1 100644
+--- a/lib/resty/openssl/auxiliary/nginx.lua
++++ b/lib/resty/openssl/auxiliary/nginx.lua
+@@ -44,8 +44,9 @@ else
+   local ngx_has_http_v3 = ngx_configure and ngx_configure:find("--with-http_v3_module", 1, true)
+   -- https://github.com/nginx/nginx/blob/master/src/core/ngx_connection.h
+   if ngx_version == 1017008 or ngx_version == 1019003 or ngx_version == 1019009 
+-    or ngx_version == 1021004 or (not ngx_has_http_v3 and ngx_version == 1025003) then
+-    -- 1.17.8, 1.19.3, 1.19.9, 1.21.4, 1.25.3
++    or ngx_version == 1021004
++    or (not ngx_has_http_v3 and (ngx_version == 1025003 or ngx_version == 1027001)) then
++    -- 1.17.8, 1.19.3, 1.19.9, 1.21.4, 1.25.3, 1.27.1
+     ffi.cdef [[
+     typedef struct ngx_proxy_protocol_s ngx_proxy_protocol_t;
+
+@@ -82,7 +83,7 @@ else
+       // trimmed
+     } ngx_connection_s;
+   ]]
+-  elseif ngx_has_http_v3 and ngx_version == 1025003 then
++  elseif ngx_has_http_v3 and (ngx_version == 1025003 or ngx_version == 1027001) then
+     -- 1.25.3
+     ffi.cdef [[
+     typedef struct ngx_proxy_protocol_s ngx_proxy_protocol_t;
+@@ -255,7 +256,7 @@ else
+         ngx.config.ngx_lua_version and
+         ngx.config.ngx_lua_version
+
+-  if ngx_lua_version >= 10019 and ngx_lua_version <= 10026 then
++  if ngx_lua_version >= 10019 and ngx_lua_version <= 10027 then
+     -- https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_socket_tcp.h
+     ffi.cdef[[
+       typedef struct {
diff --git a/config/test.yml b/config/test.yml
@@ -98,6 +98,8 @@ fluent_bit:
 geoip:
   db_update_frequency: false
 postgresql:
+  ssl: true
+  ssl_required: true
   database: api_umbrella_test
   password: dev_password
   migrations:

diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml
@@ -9,7 +9,9 @@ services:
       - postgres
       - opensearch
   postgres:
-    image: postgres:15.10-bookworm
+    build:
+      context: .
+      dockerfile: Dockerfile-postgres
     environment:
       POSTGRES_PASSWORD: dev_password
     healthcheck:

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -24,7 +24,9 @@ services:
       - postgres
       - opensearch
   postgres:
-    image: postgres:15.10-bookworm
+    build:
+      context: .
+      dockerfile: Dockerfile-postgres
     environment:
       POSTGRES_PASSWORD: dev_password
     volumes:

diff --git a/tasks/app-deps/luarocks b/tasks/app-deps/luarocks
@@ -17,6 +17,13 @@ extra_args=(
 
 luarocks_install "./api-umbrella-git-1.rockspec" "git-1" "${extra_args[@]}"
 
+# Temporary workaround for lua-resty-openssl and OpenResty 1.27:
+# https://github.com/fffonion/lua-resty-openssl/pull/200
+(
+  cd "${APP_VENDOR_LUA_SHARE_DIR}/resty/openssl"
+  patch -p4 < "$SOURCE_DIR/build/patches/lua-resty-openssl.patch"
+)
+
 # lrexlib-pcre2
 (
   lrexlib_pcre2_version="2.9.2-1"