From 1f72d9f78345731d36e06b1175c79e057313afd9 Mon Sep 17 00:00:00 2001
From: Garet Halliday <me@garet.holiday>
Date: Wed, 30 Aug 2023 19:38:23 -0500
Subject: [PATCH] fix ssl

---
 cgat.Dockerfile                   | 11 ++++++++---
 cgat.sh                           |  4 ++++
 lib/gat/acceptor.go               |  2 ++
 lib/gat/modes/pgbouncer/config.go | 18 ++++++++++++++++--
 lib/zap/conn.go                   |  8 ++++++++
 5 files changed, 38 insertions(+), 5 deletions(-)
 create mode 100644 cgat.sh

diff --git a/cgat.Dockerfile b/cgat.Dockerfile
index 9ee40dd3..4fd82fc2 100644
--- a/cgat.Dockerfile
+++ b/cgat.Dockerfile
@@ -5,10 +5,15 @@ WORKDIR /src
 
 COPY . .
 RUN go mod tidy
-RUN go build -o pggat ./cmd/cgat
+RUN go build -o cgat ./cmd/cgat
 
 FROM alpine:latest
 WORKDIR /bin
-COPY --from=GOBUILDER /src/pggat pggat
+RUN addgroup -S pgbouncer && adduser -S pgbouncer && mkdir -p /etc/pgbouncer /var/log/pgbouncer /var/run/pgbouncer
+COPY --from=GOBUILDER /src/cgat.sh run.sh
+COPY --from=GOBUILDER /src/cgat pggat
+RUN apk add openssl
+RUN chown -R pgbouncer:pgbouncer /var/log/pgbouncer /var/run/pgbouncer /etc/pgbouncer /etc/ssl/certs
+USER pgbouncer:pgbouncer
 
-ENTRYPOINT ["/bin/pggat"]
+ENTRYPOINT ["/bin/run.sh"]
diff --git a/cgat.sh b/cgat.sh
new file mode 100644
index 00000000..9e455f71
--- /dev/null
+++ b/cgat.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+
+openssl req -nodes -new -x509 -subj '/CN=spilo.dummy.org' -keyout /etc/ssl/certs/pgbouncer.key -out /etc/ssl/certs/pgbouncer.crt
+/bin/pggat
diff --git a/lib/gat/acceptor.go b/lib/gat/acceptor.go
index bccea393..803a3256 100644
--- a/lib/gat/acceptor.go
+++ b/lib/gat/acceptor.go
@@ -80,10 +80,12 @@ func Serve(acceptor Acceptor, pools Pools) error {
 	for {
 		conn, acceptParams, err := acceptor.Accept()
 		if err != nil {
+			// log.Println("error accepting", err)
 			continue
 		}
 		go func() {
 			_ = serve(conn, acceptParams, pools)
+			// log.Println("error serving", err)
 		}()
 	}
 }
diff --git a/lib/gat/modes/pgbouncer/config.go b/lib/gat/modes/pgbouncer/config.go
index 548d0115..94f201f1 100644
--- a/lib/gat/modes/pgbouncer/config.go
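Review bot: `/bin/run.sh` will most likely not be executable at run time: the script enters the repository with `create mode 100644 cgat.sh`, and both `COPY` steps preserve that mode, so the exec-form `ENTRYPOINT ["/bin/run.sh"]` fails with a permission error when the container starts. Add `RUN chmod 0755 /bin/run.sh` after the `COPY --from=GOBUILDER /src/cgat.sh run.sh` line (or commit the file with mode 100755). Separately, `RUN chown -R pgbouncer:pgbouncer ... /etc/ssl/certs` hands the service user ownership of the system CA directory only because the entrypoint writes its self-signed key pair there; writing the generated key and certificate under `/etc/pgbouncer` (already created and owned by the service user in this hunk) keeps the trust store read-only for the process. `RUN apk add openssl` should also be `RUN apk add --no-cache openssl` so the package index is not left in the image layer.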
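Review bot: The script has no error handling and does not `exec` the server: if the `openssl req` step fails, `/bin/pggat` still starts without the files, and because `sh` stays PID 1 and does not forward signals, `SIGTERM` from the container runtime never reaches `pggat`. Add `set -e` after the shebang and replace the last line with `exec /bin/pggat`. The key pair is also regenerated on every container start with a fixed `CN=spilo.dummy.org` and no `-days`, so clients cannot pin or verify it; that is acceptable for a dummy certificate, but a comment such as `# dev-only self-signed cert; mount a real key pair for production` above the `openssl` line would make the intent explicit.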
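Review bot: The two commented-out `log.Println` lines are dead code, and the second one is also wrong as written: inside the goroutine `err` is the variable from `acceptor.Accept()` captured by the closure, while the result of `serve` is discarded by `_ =` on the line above, so un-commenting it would log the accept error, not the serve error. Either drop both lines or make the goroutine body `if err := serve(conn, acceptParams, pools); err != nil { log.Println("error serving", err) }`, which needs `log` in the file's import block (not visible in this hunk). The enclosing `for` loop also retries a failing `Accept()` immediately with no backoff; that is pre-existing, but a persistent error (for example the process hitting its file-descriptor limit) spins this loop hot. `Serve` starts outside the hunk.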
+++ b/lib/gat/modes/pgbouncer/config.go
@@ -1,6 +1,7 @@
 package pgbouncer
 
 import (
+	"crypto/tls"
 	"net"
 	"strconv"
 	"strings"
@@ -260,9 +261,22 @@ func (T *Config) ListenAndServe() error {
 
 	allowedStartupParameters := append(trackedParameters, T.PgBouncer.IgnoreStartupParameters...)
 
+	var sslConfig *tls.Config
+	if T.PgBouncer.ClientTLSCertFile != "" && T.PgBouncer.ClientTLSKeyFile != "" {
+		certificate, err := tls.LoadX509KeyPair(T.PgBouncer.ClientTLSCertFile, T.PgBouncer.ClientTLSKeyFile)
+		if err != nil {
+			return err
+		}
+		sslConfig = &tls.Config{
+			Certificates: []tls.Certificate{
+				certificate,
+			},
+		}
+	}
+
 	acceptOptions := frontends.AcceptOptions{
-		SSLRequired: T.PgBouncer.ClientTLSSSLMode.IsRequired(),
-		// TODO(garet) SSL Certificates
+		SSLRequired:           T.PgBouncer.ClientTLSSSLMode.IsRequired(),
+		SSLConfig:             sslConfig,
 		AllowedStartupOptions: allowedStartupParameters,
 	}
 
diff --git a/lib/zap/conn.go b/lib/zap/conn.go
index 7354caa4..d12117c9 100644
--- a/lib/zap/conn.go
+++ b/lib/zap/conn.go
@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"encoding/binary"
 	"io"
+	"log"
 	"net"
 )
 
@@ -36,6 +37,9 @@ func WrapNetConn(conn net.Conn) Conn {
 }
 
 func (T *netConn) EnableSSLClient(config *tls.Config) error {
+	if err := T.flush(); err != nil {
+		return err
+	}
 	sslConn := tls.Client(T.conn, config)
 	T.conn = sslConn
 	T.w = sslConn
@@ -43,6 +47,10 @@ func (T *netConn) EnableSSLClient(config *tls.Config) error {
 }
 
 func (T *netConn) EnableSSLServer(config *tls.Config) error {
+	if err := T.flush(); err != nil {
+		return err
+	}
+	defer log.Println("done enabling ssl")
 	sslConn := tls.Server(T.conn, config)
 	T.conn = sslConn
 	T.w = sslConn
-- 
GitLab
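Review bot: When `ClientTLSSSLMode.IsRequired()` is true but one or both of `ClientTLSCertFile`/`ClientTLSKeyFile` is empty, `sslConfig` stays nil and `AcceptOptions` is built with `SSLRequired: true` and `SSLConfig: nil`, which presumably means every client is told to negotiate TLS that the server cannot complete; that misconfiguration is better rejected here. The `tls.Config` also sets only `Certificates`, so the minimum protocol version is whatever the toolchain's server default is; pinning `MinVersion: tls.VersionTLS12` makes the floor explicit. The bare `return err` from `tls.LoadX509KeyPair` loses which files were involved; wrapping it (`fmt.Errorf("loading client TLS key pair: %w", err)`) is worth the extra line. A sketch of the first two points follows (it needs `errors` in the import block if not already present; `ListenAndServe` starts outside the hunk):
```go
		sslConfig = &tls.Config{
			Certificates: []tls.Certificate{certificate},
			MinVersion:   tls.VersionTLS12,
		}
	}
	if sslConfig == nil && T.PgBouncer.ClientTLSSSLMode.IsRequired() {
		return errors.New("client TLS is required but ClientTLSCertFile and ClientTLSKeyFile are not both configured")
	}
	// … unchanged: acceptOptions construction …
```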
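Review bot: `tls.Client` only wraps the connection; the handshake runs lazily on the first read or write, so a bad certificate or a protocol mismatch is reported by whichever later I/O call happens to trigger it rather than by `EnableSSLClient`. Adding `if err := sslConn.Handshake(); err != nil { return err }` right after `sslConn := tls.Client(T.conn, config)` surfaces the failure here, and the same applies to `EnableSSLServer` in the next hunk. The new `T.flush()` guard is the right fix for bytes buffered on the writer, but if `T` also has a buffered reader, any bytes it has already read ahead of the switch would be lost once `T.conn` is replaced; the hunk does not show the reader, so this is worth confirming. Both functions continue outside the hunk.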
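Review bot: `defer log.Println("done enabling ssl")` is a debug trace that fires on every return from `EnableSSLServer`, including any error path after the `flush` check, so its message is misleading, and it is the only reason the `"log"` import is added in the first hunk of this file. Remove the line (and the import) before merging, or, if a trace is wanted, emit it only after the server-side handshake has succeeded so it reflects what it says.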