[PP-1775] Ensure ssl connections to postgres work when ssl required (#…

…286) * [PP-1775] Ensure that application to talk to postgres when SSL is required. Additional updates: * upgrades image to python 3.12 * upgrades postgres to 16 (to match latest RDS deployment)
ThePalaceProject · Oct 24, 2024 · f5b625d · f5b625d
1 parent d0b857c
commit f5b625d
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -22,6 +22,11 @@ ENV UWSGI_MASTER=1 \
     UWSGI_POST_BUFFERING=1 \
     UWSGI_LOGFORMAT="[pid: %(pid)|app: -|req: -/-] %(addr) (%(user)) {%(vars) vars in %(pktsize) bytes} [%(ctime)] %(method) %(clean_uri) => generated %(rsize) bytes in %(msecs) msecs (%(proto) %(status)) %(headers) headers in %(hsize) bytes (%(switches) switches on core %(core))"
 
+# required for postgres ssl: the crt file doesn't exist
+# but the path must point to a visible directory otherwise we
+# get a permissions error
+ENV PGSSLCERT=/tmp/postgresql.crt
+
 ARG POETRY_VERSION=1.7.1
 ARG REPO=ThePalaceProject/virtual-library-card
 

diff --git a/README.md b/README.md
@@ -143,7 +143,7 @@ Eventually you will be able to pull the container from dockerhub.
 
 Either create a new database in the production PostgreSQL Database. Or use the docker PostgreSQL container for testing.
 
-    docker run -d --name pg --rm -e POSTGRES_USER=vlc -e POSTGRES_PASSWORD=test -e POSTGRES_DB=virtual_library_card postgres:12
+    docker run -d --name pg --rm -e POSTGRES_USER=vlc -e POSTGRES_PASSWORD=test -e POSTGRES_DB=virtual_library_card postgres:16
 
 ### 3. Create settings file
 

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,4 +1,3 @@
-version: "3.9"
 services:
   # example docker compose configuration for testing and development
 
@@ -23,11 +22,17 @@ services:
       SUPERUSER_PASSWORD: "test"
 
   pg:
-    image: "postgres:12"
+    image: "postgres:16"
     environment:
       POSTGRES_USER: vlc
       POSTGRES_PASSWORD: test
       POSTGRES_DB: virtual_library_card_dev
+      # AWS RDS requires SSL, so we enable SSL for the database with a self-signed snakeoil cert
+      # so that this database mimics the production databases as closely as we can.
+    command: >
+             -c ssl=on
+             -c ssl_cert_file=/etc/ssl/certs/ssl-cert-snakeoil.pem
+             -c ssl_key_file=/etc/ssl/private/ssl-cert-snakeoil.key
 
   minio:
     image: "bitnami/minio:2023.2.27"

diff --git a/tox.ini b/tox.ini
@@ -14,6 +14,7 @@ docker =
     docker: minio-vlc
 setenv =
     COVERAGE_FILE = .coverage.{envname}
+    VLC_DEV_DB_SSL_MODE = allow
 allowlist_externals =
     poetry
 
@@ -27,7 +28,7 @@ allowlist_externals =
     coverage
 
 [docker:db-vlc]
-image = postgres:12
+image = postgres:16
 environment =
     POSTGRES_USER=vlc
     POSTGRES_PASSWORD=test

diff --git a/virtual_library_card/settings/dev.py b/virtual_library_card/settings/dev.py
@@ -22,6 +22,7 @@
         "PASSWORD": "test",
         "HOST": os.environ.get("VLC_DEV_DB_HOST", "pg"),
         "PORT": os.environ.get("VLC_DEV_DB_PORT", "5432"),
+        "OPTIONS": {"sslmode": os.environ.get("VLC_DEV_DB_SSL_MODE", "require")},
     }
 }