fix ssl

1f72d9f7 · Garet Halliday · 20ab5b9a · 1f72d9f7 · 1f72d9f7 · 1f72d9f7
Commit 1f72d9f7 authored 1 year ago by Garet Halliday
--- a/cgat.Dockerfile
+++ b/cgat.Dockerfile
@@ -5,10 +5,15 @@ WORKDIR /src
 COPY . .

 RUN go mod tidy
-RUN go build -o pggat ./cmd/cgat
+RUN go build -o cgat ./cmd/cgat

 FROM alpine:latest
 WORKDIR /bin
-COPY --from=GOBUILDER /src/pggat pggat
+RUN addgroup -S pgbouncer && adduser -S pgbouncer && mkdir -p /etc/pgbouncer /var/log/pgbouncer /var/run/pgbouncer
+COPY --from=GOBUILDER /src/cgat.sh run.sh
+COPY --from=GOBUILDER /src/cgat pggat
+RUN apk add openssl
+RUN chown -R pgbouncer:pgbouncer /var/log/pgbouncer /var/run/pgbouncer /etc/pgbouncer /etc/ssl/certs
+USER pgbouncer:pgbouncer

-ENTRYPOINT ["/bin/pggat"]
+ENTRYPOINT ["/bin/run.sh"]
--- a/cgat.sh
+++ b/cgat.sh
+#!/bin/sh
+
+openssl req -nodes -new -x509 -subj '/CN=spilo.dummy.org' -keyout /etc/ssl/certs/pgbouncer.key -out /etc/ssl/certs/pgbouncer.crt
+/bin/pggat
--- a/lib/gat/acceptor.go
+++ b/lib/gat/acceptor.go
@@ -80,10 +80,12 @@ func Serve(acceptor Acceptor, pools Pools) error {
 	for {
 		conn, acceptParams, err := acceptor.Accept()
 		if err != nil {
+			// log.Println("error accepting", err)
 			continue
 		}
 		go func() {
 			_ = serve(conn, acceptParams, pools)
+			// log.Println("error serving", err)
 		}()
 	}
 }

--- a/lib/gat/modes/pgbouncer/config.go
+++ b/lib/gat/modes/pgbouncer/config.go
 package pgbouncer

 import (
+	"crypto/tls"
 	"net"
 	"strconv"
 	"strings"
@@ -260,9 +261,22 @@ func (T *Config) ListenAndServe() error {

 	allowedStartupParameters := append(trackedParameters, T.PgBouncer.IgnoreStartupParameters...)

+	var sslConfig *tls.Config
+	if T.PgBouncer.ClientTLSCertFile != "" && T.PgBouncer.ClientTLSKeyFile != "" {
+		certificate, err := tls.LoadX509KeyPair(T.PgBouncer.ClientTLSCertFile, T.PgBouncer.ClientTLSKeyFile)
+		if err != nil {
+			return err
+		}
+		sslConfig = &tls.Config{
+			Certificates: []tls.Certificate{
+				certificate,
+			},
+		}
+	}
+
 	acceptOptions := frontends.AcceptOptions{
-		SSLRequired: T.PgBouncer.ClientTLSSSLMode.IsRequired(),
-		// TODO(garet) SSL Certificates
+		SSLRequired:           T.PgBouncer.ClientTLSSSLMode.IsRequired(),
+		SSLConfig:             sslConfig,
 		AllowedStartupOptions: allowedStartupParameters,
 	}


--- a/lib/zap/conn.go
+++ b/lib/zap/conn.go
@@ -4,6 +4,7 @@ import (
 	"crypto/tls"
 	"encoding/binary"
 	"io"
+	"log"
 	"net"
 )

@@ -36,6 +37,9 @@ func WrapNetConn(conn net.Conn) Conn {
 }

 func (T *netConn) EnableSSLClient(config *tls.Config) error {
+	if err := T.flush(); err != nil {
+		return err
+	}
 	sslConn := tls.Client(T.conn, config)
 	T.conn = sslConn
 	T.w = sslConn
@@ -43,6 +47,10 @@ func (T *netConn) EnableSSLClient(config *tls.Config) error {
 }

 func (T *netConn) EnableSSLServer(config *tls.Config) error {
+	if err := T.flush(); err != nil {
+		return err
+	}
+	defer log.Println("done enabling ssl")
 	sslConn := tls.Server(T.conn, config)
 	T.conn = sslConn
 	T.w = sslConn