@@ -30,6 +30,9 @@ WAN_DATABASES = json.loads(os.environ["WAN_DATABASES"])
3030WAN_HBA_TPL = os .environ ["WAN_HBA_TPL" ]
3131WAN_TLS = json .loads (os .environ ["WAN_TLS" ])
3232WAN_USERS = json .loads (os .environ ["WAN_USERS" ])
33+ PGSSLCERT = os .environ .get ("PGSSLCERT" )
34+ PGSSLKEY = os .environ .get ("PGSSLKEY" )
35+ PGSSLROOTCERT = os .environ .get ("PGSSLROOTCERT" )
3336
3437# Configuration file templates
3538CONF_FOLDER = "/etc/postgres"
@@ -56,23 +59,29 @@ hba_conf = []
5659ssl_conf = []
5760
5861
59- def permissions_fix (filename ):
62+ def permissions_fix (filename , client = False ):
6063 """Make :param:`filename` be owned by root user and postgres group."""
6164 shutil .chown (filename , "root" , "postgres" )
62- os .chmod (filename , stat .S_IRUSR | stat .S_IWUSR | stat .S_IRGRP )
65+ if client :
66+ os .chmod (filename , stat .S_IRUSR | stat .S_IWUSR )
67+ else :
68+ os .chmod (filename , stat .S_IRUSR | stat .S_IWUSR | stat .S_IRGRP )
6369
6470
6571# Configure TLS
66- for key , filename in SUPPORTED_CERTS .items ():
67- full_path = os .path .join (CONF_FOLDER , filename )
72+ for key , filen in SUPPORTED_CERTS .items ():
73+ full_path = os .path .join (CONF_FOLDER , filen )
6874 # Write PEM file if it came from env variable
69- if not os .path .exists (full_path ) and CERTS .get (filename ):
75+ if not os .path .exists (full_path ) and CERTS .get (filen ):
7076 with open (full_path , "w" ) as cert_file :
71- cert_file .write (CERTS [filename ])
77+ cert_file .write (CERTS [filen ])
7278 if os .path .exists (full_path ):
7379 # Enable file in postgres configuration
7480 ssl_conf .append ("{} = '{}'" .format (key , full_path ))
7581 permissions_fix (full_path )
82+ for filen in (PGSSLCERT , PGSSLKEY , PGSSLROOTCERT ):
83+ if filen and os .path .exists (filen ):
84+ permissions_fix (filen , client = True )
7685
7786if ssl_conf :
7887 ssl_conf .append ("ssl = on" )
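Review bot: The new `client=True` branch of `permissions_fix` chowns the file to root:postgres and then sets mode 0600, so the postgres group loses read access and only root can open the client key, certificate and root cert; unless the client tools run as root (not visible here, so unverified) the PGSSLKEY will be unreadable to the connecting user, and libpq's documented requirement for a root-owned key is 0640 with group read, which is exactly the mode the non-client branch already sets. Either keep the 0640 mode for the root-owned client files, or chown the key to the account that actually runs the client before applying 0600; as written the branch tightens beyond what either layout accepts. The docstring still says only "owned by root user and postgres group" and should mention the new parameter, e.g. `"""Make :param:`filename` be owned by root:postgres; with ``client`` the group read bit is dropped."""`, and `client` would read better as keyword-only: `def permissions_fix(filename, *, client=False):`. The `if ssl_conf:` block at the end of the hunk continues outside it.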