|
48 | 48 | # Update CA Certs |
49 | 49 | RUN update-ca-certificates |
50 | 50 |
|
| 51 | +# Copy AWS RDS certificate bundle for psql SSL connections |
| 52 | +COPY global-bundle.pem /etc/ssl/certs/aws-global-bundle.pem |
| 53 | +RUN chmod 644 /etc/ssl/certs/aws-global-bundle.pem |
| 54 | + |
| 55 | +# Configure SSL for postgres user to use the AWS CA bundle |
| 56 | +# This creates the .postgresql directory for the postgres user and sets up SSL config |
| 57 | +RUN mkdir -p /var/lib/postgresql/.postgresql && \ |
| 58 | + ln -s /etc/ssl/certs/aws-global-bundle.pem /var/lib/postgresql/.postgresql/root.crt && \ |
| 59 | + chown -R postgres:postgres /var/lib/postgresql/.postgresql && \ |
| 60 | + chmod 700 /var/lib/postgresql/.postgresql && \ |
| 61 | + chmod 644 /var/lib/postgresql/.postgresql/root.crt |
| 62 | + |
| 63 | +# Also set up for root user |
| 64 | +RUN mkdir -p /root/.postgresql && \ |
| 65 | + ln -s /etc/ssl/certs/aws-global-bundle.pem /root/.postgresql/root.crt && \ |
| 66 | + chmod 700 /root/.postgresql && \ |
| 67 | + chmod 644 /root/.postgresql/root.crt |
| 68 | + |
| 69 | +# Set default PostgreSQL client SSL mode to require (not require client certs) |
| 70 | +ENV PGSSLMODE=require |
| 71 | +ENV PGSSLROOTCERT=/etc/ssl/certs/aws-global-bundle.pem |
| 72 | + |
51 | 73 | # Configure postgres. |
52 | 74 | RUN true \ |
53 | 75 | && echo "host all all 0.0.0.0/0 md5" >> /etc/postgresql/16/main/pg_hba.conf \ |
@@ -85,6 +107,7 @@ COPY conf.d/postgres-tuning.conf /etc/postgresql/16/main/conf.d/ |
85 | 107 | COPY config.sh /app/config.sh |
86 | 108 | COPY init.sh /app/init.sh |
87 | 109 | COPY start.sh /app/start.sh |
| 110 | +COPY server.py /app/server.py |
88 | 111 |
|
89 | 112 | # Collapse image to single layer. |
90 | 113 | FROM scratch |
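Review bot: `ENV PGSSLMODE=require` (new line 70) does not itself ask libpq to validate the server certificate. With a root CA file present, libpq checks the chain under `require` only as a backward-compatibility behaviour that the PostgreSQL documentation discourages relying on, and it never checks the host name. Since the bundle is already installed and `PGSSLROOTCERT` points at it, I would set `ENV PGSSLMODE=verify-full` and reword the comment to `# Verify the RDS server certificate and host name against the AWS CA bundle (no client certificate is used)`. These `ENV` lines sit in a stage that is followed by `FROM scratch` (new line 113), and the final stage is outside the visible section. Please confirm both variables are declared again there: `ENV` is image configuration and is not carried over when only the filesystem is copied from an earlier stage, which would leave clients on libpq's default `prefer` mode with no verification.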