Merge remote-tracking branch 'origin/db-ssl'

GUI · GUI · commit 2ae966b6d989 · 2025-02-03T18:13:15.000-07:00
diff --git a/Dockerfile-postgres b/Dockerfile-postgres
@@ -0,0 +1,6 @@
+FROM public.ecr.aws/docker/library/postgres:15.10-bookworm
+COPY ./test/config/ssl_test.crt /var/lib/postgresql/server.crt
+COPY ./test/config/ssl_test.key /var/lib/postgresql/server.key
+RUN chown postgres /var/lib/postgresql/server.key /var/lib/postgresql/server.key && chmod 600 /var/lib/postgresql/server.key
+
+CMD ["postgres", "-c", "ssl=on", "-c", "ssl_cert_file=/var/lib/postgresql/server.crt", "-c", "ssl_key_file=/var/lib/postgresql/server.key"]
diff --git a/config/test.yml b/config/test.yml
@@ -98,6 +98,8 @@ fluent_bit:
 geoip:
   db_update_frequency: false
 postgresql:
+  ssl: true
+  ssl_required: true
   database: api_umbrella_test
   password: dev_password
   migrations:
diff --git a/docker-compose.ci.yml b/docker-compose.ci.yml
@@ -9,7 +9,9 @@ services:
       - postgres
       - opensearch
   postgres:
-    image: postgres:15.10-bookworm
+    build:
+      context: .
+      dockerfile: Dockerfile-postgres
     environment:
       POSTGRES_PASSWORD: dev_password
     healthcheck:
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -24,7 +24,9 @@ services:
       - postgres
       - opensearch
   postgres:
-    image: postgres:15.10-bookworm
+    build:
+      context: .
+      dockerfile: Dockerfile-postgres
     environment:
       POSTGRES_PASSWORD: dev_password
     volumes:
diff --git a/src/api-umbrella/utils/pg_utils.lua b/src/api-umbrella/utils/pg_utils.lua
@@ -7,6 +7,9 @@ local xpcall_error_handler = require "api-umbrella.utils.xpcall_error_handler"
 -- Preload modules that pgmoon may require at query() time.
 require "pgmoon.arrays"
 require "pgmoon.json"
+require "resty.openssl"
+require "resty.openssl.auxiliary.nginx"
+require "resty.openssl.auxiliary.nginx_c"
 
 local _encode_bytea = pgmoon.Postgres.encode_bytea
 local _escape_identifier = pgmoon.Postgres.escape_identifier
diff --git a/tasks/deps/openresty b/tasks/deps/openresty
@@ -1,5 +1,7 @@
 #!/usr/bin/env bash
 
+lua_resty_openssl_aux_module_version="0.3.0"
+lua_resty_openssl_aux_module_hash="535cda86ca5f326479fb9870288ca8f6ecd94e579374e6686d8fe508872dd4ce"
 ngx_http_geoip2_module_version="3.4"
 ngx_http_geoip2_module_hash="82d4beef48c260c3568eb0ae56451c95"
 openresty_version="1.27.1.1"
@@ -16,6 +18,9 @@ extract_download "openresty-$openresty_version.tar.gz"
 download "https://github.com/leev/ngx_http_geoip2_module/archive/$ngx_http_geoip2_module_version.tar.gz" "md5" "$ngx_http_geoip2_module_hash"
 extract_download "$ngx_http_geoip2_module_version.tar.gz"
 
+download "https://github.com/fffonion/lua-resty-openssl-aux-module/archive/refs/tags/$lua_resty_openssl_aux_module_version.tar.gz" "sha256" "$lua_resty_openssl_aux_module_hash"
+extract_download "$lua_resty_openssl_aux_module_version.tar.gz"
+
 cd "openresty-$openresty_version"
 patch -p1 < "$SOURCE_DIR/build/patches/openresty-cli.patch"
 
@@ -51,6 +56,8 @@ patch -p1 < "$SOURCE_DIR/build/patches/openresty-cli.patch"
   --with-threads \
   --with-luajit-xcflags="-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT" \
   --add-module="../ngx_http_geoip2_module-$ngx_http_geoip2_module_version" \
+  --add-module="../lua-resty-openssl-aux-module-$lua_resty_openssl_aux_module_version" \
+  --add-module="../lua-resty-openssl-aux-module-$lua_resty_openssl_aux_module_version/stream" \
   -j"$NPROC"
 make -j"$NPROC"
 make install DESTDIR="$STAGE_DIR"
