[KEYCLOAK-15633] Add "s2i" subdirectory to hold an example

on how to enable SSL/TLS for PostgreSQL 10 SQL database server
container image.

It will be later used in S2I (re)builds of the PostgreSQL 10
SQL database server container image in the available PostgreSQL
templates for Red Hat Single Sign-On 7.5 for OpenJDK / OpenJ9
on OpenShift container images

Signed-off-by: Jan Lieskovsky <[email protected]>

Author: Jan Lieskovsky

s2i/postgresql/README.md

@@ -0,0 +1,14 @@
+# SSL/TLS support for PostgreSQL SQL database server container image
+
+The [PostgreSQL 10 SQL database server](https://catalog.redhat.com/software/containers/rhscl/postgresql-10-rhel7/5aa63541ac3db95f196086f1)
+doesn't support SSL/TLS encryption by default. In order to enable the
+SSL/TLS encryption, the PostgreSQL server container image needs to be
+extended using the [source-to-image](https://github.com/openshift/source-to-image)
+method. Refer to [_*Extending image*_](https://catalog.redhat.com/software/containers/rhscl/postgresql-10-rhel7/5aa63541ac3db95f196086f1)
+and primarily to [the available example](https://github.com/sclorg/postgresql-container/tree/master/examples/enable-ssl)
+for additional details.
+
+This (sub)directory contains all the information needed to enable SSL/TLS
+support for the [PostgreSQL 10 SQL database server](https://catalog.redhat.com/software/containers/rhscl/postgresql-10-rhel7/5aa63541ac3db95f196086f1)
+used in the available PostgreSQL [templates](https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso75-dev/templates)
+for [Red Hat Single Sign-On 7.5 for OpenJDK / OpenJ9 on OpenShift container images](https://github.com/jboss-container-images/redhat-sso-7-openshift-image/tree/sso75-dev).

s2i/postgresql/enable-ssl/README.md

@@ -0,0 +1,10 @@
+# Example to enable SSL/TLS for the PostgreSQL SQL database server container image
+
+Inspired by the ["enable-ssl"](https://github.com/sclorg/postgresql-container/tree/master/examples/enable-ssl)
+example from the Red Hat Software Collections PostgreSQL container images repository.
+
+Compared to the original, this example does NOT store the TLS certificate & private
+key files directly in the repository. Instead of that, those files are generated
+on the fly by the PostgreSQL OpenShift service using the OpenShift's service serving
+certificate secrets mechanism based on the corresponding annotation applied to the
+definition of the PostgreSQL service.

s2i/postgresql/enable-ssl/postgresql-cfg/ssl.conf

@@ -0,0 +1,13 @@
+ssl = on
+# The TLS certificate & key are generated using the OpenShift's service serving
+# certificate secrets via corresponding annotation of the PostgreSQL service
+# and stored into a read-only persistent volume, corresponding to the OpenShift
+# secret.
+#
+# Later the 'postgresql-pre-start/enable_ssl.sh' script, present in this
+# repository, copies the generated TLS certificate & key to by current UID
+# writable "/var/run/postgresql/pki" directory, so it's possible to correct
+# the permissions of the TLS private key to mode required by PostgreSQL server
+ssl_cert_file = '/var/run/postgresql/pki/tls.crt'                   # PostgreSQL server certificate
+ssl_key_file  = '/var/run/postgresql/pki/tls.key'                   # PostgreSQL server private key
+ssl_ca_file   = '/run/secrets/kubernetes.io/serviceaccount/ca.crt'  # OpenShift CA

s2i/postgresql/enable-ssl/postgresql-pre-start/enable_ssl.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+
+set -eu
+
+# Copy the TLS certificate & key generated by the OpenShift's service serving
+# certificate secrets from "/etc/pki/postgresql" (which is mounted read-only,
+# since coming from secret) to "/var/run/postgresql/pki", so it's possible to
+# correct the permissions of the TLS private key as required below
+SOURCE_DIR="/etc/pki/postgresql"
+DESTINATION_DIR="/var/run/postgresql/pki"
+if [ ! -d "${DESTINATION_DIR}" ]; then
+  mkdir -p "${DESTINATION_DIR}"
+fi
+cp "${SOURCE_DIR}"/tls.{crt,key} "${DESTINATION_DIR}"
+
+# PostgreSQL will fail to start and throw an error like:
+#
+#   FATAL:  private key file "/path/to/key" has group or world access
+#   File must have permissions u=rw (0600) or less if owned by the database user, or permissions u=rw,g=r (0640) or less if owned by root.
+#
+# if the permissions of the TLS private key are incorrect.
+#
+# Thus correct the permissions so PostgreSQL server can start successfully
+chmod 0600 "${DESTINATION_DIR}/tls.key"