-
-
Save mrw34/c97bb03ea1054afb551886ffc8b63c3b to your computer and use it in GitHub Desktop.
#!/bin/bash | |
set -euo pipefail | |
openssl req -new -text -passout pass:abcd -subj /CN=localhost -out server.req -keyout privkey.pem | |
openssl rsa -in privkey.pem -passin pass:abcd -out server.key | |
openssl req -x509 -in server.req -text -key server.key -out server.crt | |
chmod 600 server.key | |
test $(uname -s) = Linux && chown 70 server.key | |
docker run -d --name postgres -e POSTGRES_HOST_AUTH_METHOD=trust -v "$(pwd)/server.crt:/var/lib/postgresql/server.crt:ro" -v "$(pwd)/server.key:/var/lib/postgresql/server.key:ro" postgres:12-alpine -c ssl=on -c ssl_cert_file=/var/lib/postgresql/server.crt -c ssl_key_file=/var/lib/postgresql/server.key | |
sleep 1 | |
docker run --rm -it --link postgres postgres:12-alpine psql -h postgres -U postgres |
I also have a bash script that is a wrapper around OpenSSL and makes it easy to generate self-signed certificates (and authorities). The directions here are great, but just thought it could be useful for some others.
look at https://github.com/cloudflare/cfssl ;-)
I. I've created a self-contained Docker image that does full certificate automation (including automated renewal) for PostgreSQL 14. S
That's looking very well. As I unterstand, this setup needs a external PKI server, right ?
@suikast42 Yes, that's true. The self-signed cert that you created in this script will expire after a month. The CA server can renew the certificate. For the CA, you can set up smallstep/certificates open source CA server, or sign up for a hosted CA (it's free for small homelabs).
@suikast42 Yes, that's true. The self-signed cert that you created in this script will expire after a month. The CA server can renew the certificate. For the CA, you can set up smallstep/certificates open source CA server, or sign up for a hosted CA (it's free for small homelabs).
Look like cert-manager outside of k8s. Looking good.
@Istellway you are a savior. Thank you!
Are the permissions different when using debian-based image?
Are the permissions different when using debian-based image?
you found solution?
Just wanted to share an alternative, in case you are wanting to run TLS on PostgreSQL in production with an internal PKI. I've created a self-contained Docker image that does full certificate automation (including automated renewal) for PostgreSQL 14. See smallstep/docker-tls.