Add ssl config and cert for testing purposes (#114)

* Add ssl config and cert for testing purposes * Use SSL container for tests just for smoke purposes * Use ssl container for circleci
singer-io · Dec 23, 2020 · b432f9b · b432f9b
1 parent 1b30ad5
commit b432f9b
Show file tree

Hide file tree

Showing 6 changed files with 120 additions and 4 deletions.
diff --git a/.circleci/Dockerfile b/.circleci/Dockerfile
@@ -13,4 +13,10 @@ RUN apt-get update && apt-get install -y postgresql-server-dev-9.6 gcc git make
 COPY postgresql.conf /usr/local/share/postgresql/postgresql.conf
 
 # Copy the script which will initialize the replication permissions
-COPY /docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
+COPY /docker-entrypoint-initdb.d /docker-entrypoint-initdb.d
+
+# Copy the self-signed cert for general SSL testing
+# Must be owned by postgres:postgres according to https://www.postgresql.org/docs/9.6/ssl-tcp.html
+# NOTE: ONLY TO BE USED FOR TESTING, this is a publicly published keypair
+COPY server.key server.crt /var/lib/postgresql/
+RUN chown postgres:postgres /var/lib/postgresql/server.*
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -6,7 +6,7 @@ jobs:
   build:
     docker:
       - image: 218546966473.dkr.ecr.us-east-1.amazonaws.com/circle-ci:tap-tester-v4
-      - image: singerio/postgres:9.6-wal2json-2.2
+      - image: singerio/postgres:9.6-wal2json-2.2-ssl
         environment:
           POSTGRES_USER: postgres
           POSTGRES_PASSWORD: password

diff --git a/.circleci/postgresql.conf b/.circleci/postgresql.conf
@@ -12,4 +12,9 @@ wal_level = logical             # minimal, archive, hot_standby, or logical (cha
 max_wal_senders = 5             # max number of walsender processes (change requires restart)
 #wal_keep_segments = 4          # in logfile segments, 16MB each; 0 disables
 #wal_sender_timeout = 60s       # in milliseconds; 0 disables
-max_replication_slots = 5       # max number of replication slots (change requires restart)
+max_replication_slots = 5       # max number of replication slots (change requires restart)
+
+# SSL
+ssl = on
+ssl_cert_file = '/var/lib/postgresql/server.crt'
+ssl_key_file = '/var/lib/postgresql/server.key'
diff --git a/.circleci/server.crt b/.circleci/server.crt
@@ -0,0 +1,77 @@
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number:
+            3a:7d:37:66:c9:08:92:63:75:dc:ea:bc:2e:73:3e:97:19:d8:da:95
+        Signature Algorithm: sha256WithRSAEncryption
+        Issuer: CN = localhost
+        Validity
+            Not Before: Dec 22 21:23:13 2020 GMT
+            Not After : Dec 20 21:23:13 2030 GMT
+        Subject: CN = localhost
+        Subject Public Key Info:
+            Public Key Algorithm: rsaEncryption
+                RSA Public-Key: (2048 bit)
+                Modulus:
+                    00:c1:66:eb:84:2b:b0:7d:99:b5:b0:16:7c:b7:ba:
+                    80:04:f8:fa:76:e8:f7:c2:3c:41:21:3a:1d:10:a4:
+                    0e:8a:3c:c4:2c:d3:a0:ef:e9:3c:7d:e1:37:29:34:
+                    87:92:9d:2c:69:dd:d1:80:dd:65:6e:3b:27:af:4a:
+                    ca:c6:87:2a:fa:0d:a7:5a:12:5c:e5:5e:40:77:f9:
+                    fa:63:fe:2d:3a:50:c8:86:e6:2a:b2:3b:fc:3e:2b:
+                    24:b3:e6:ae:61:5b:2c:2c:f4:f3:59:96:40:b8:9d:
+                    6e:f1:57:a9:7e:28:d3:2a:4b:71:db:16:88:29:6e:
+                    b7:8b:0e:6a:c2:55:5b:c4:4c:4d:ed:e4:4a:be:36:
+                    d9:8f:9a:cf:75:79:12:00:01:7f:d6:d3:63:20:e4:
+                    78:b9:6d:ef:ad:23:ec:ef:4d:20:70:6c:4d:bc:24:
+                    7c:59:c2:ab:cc:77:b4:99:49:ac:7b:74:78:97:84:
+                    df:b9:70:6f:e3:c9:71:62:54:ce:63:c3:62:cd:a8:
+                    3f:ae:99:e8:c8:76:b3:7a:88:66:2e:5e:c9:b6:9e:
+                    57:f8:e7:ea:7c:98:b1:03:6e:36:aa:89:66:8f:38:
+                    d5:09:e7:f7:b8:32:84:13:32:ae:79:ef:18:d5:e5:
+                    6a:cd:89:63:26:e0:c9:cf:ad:db:e5:7d:f1:61:af:
+                    81:a9
+                Exponent: 65537 (0x10001)
+        X509v3 extensions:
+            X509v3 Subject Key Identifier: 
+                09:9A:C9:F9:7C:C8:5D:EC:22:04:E1:B0:EB:84:05:30:AC:54:E2:79
+            X509v3 Authority Key Identifier: 
+                keyid:09:9A:C9:F9:7C:C8:5D:EC:22:04:E1:B0:EB:84:05:30:AC:54:E2:79
+
+            X509v3 Basic Constraints: critical
+                CA:TRUE
+    Signature Algorithm: sha256WithRSAEncryption
+         11:75:a1:9a:cc:48:86:3b:12:c6:c6:b5:fa:64:d3:d9:9f:d1:
+         3d:31:59:36:af:2c:42:4c:cb:4b:3e:d1:28:ee:9f:d8:f7:19:
+         90:ef:03:82:4c:8c:e6:d5:ef:44:2b:3f:1d:d7:dd:f8:1a:32:
+         71:c1:b5:09:15:54:0d:a5:f9:75:2b:53:77:9a:63:67:d8:a3:
+         52:c4:e2:5b:70:0f:e7:3d:73:b6:8a:b6:98:79:9f:42:ee:ee:
+         f7:21:5c:1a:17:ef:d7:22:60:73:97:0d:78:1b:ef:f2:9a:9b:
+         f4:17:3b:0b:2a:c2:9a:76:1c:fe:d5:ec:7f:9e:ef:f5:f5:50:
+         f1:c6:0a:f5:ca:97:19:d4:fe:1e:9a:6b:9e:c1:9c:aa:5b:77:
+         83:f3:d3:d6:de:1a:4d:f8:2b:df:4a:ba:49:26:b2:15:a5:5d:
+         e8:0a:7c:85:7e:41:4d:64:3d:a1:65:8f:41:fb:4d:df:7b:eb:
+         3d:16:f7:4a:05:b9:9b:81:6e:d4:e3:ca:be:95:08:6b:3c:2a:
+         c9:4d:8c:68:ce:37:5b:4f:ab:e0:81:7b:9c:51:95:48:f2:41:
+         4d:b0:97:14:72:c6:02:31:4b:ec:80:a3:9c:e0:09:98:9a:dc:
+         d4:b3:f6:c9:2a:04:5e:8c:ec:0e:c0:40:96:24:e4:70:15:4e:
+         c7:44:19:31
+-----BEGIN CERTIFICATE-----
+MIIDCTCCAfGgAwIBAgIUOn03ZskIkmN13Oq8LnM+lxnY2pUwDQYJKoZIhvcNAQEL
+BQAwFDESMBAGA1UEAwwJbG9jYWxob3N0MB4XDTIwMTIyMjIxMjMxM1oXDTMwMTIy
+MDIxMjMxM1owFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAwWbrhCuwfZm1sBZ8t7qABPj6duj3wjxBITodEKQOijzE
+LNOg7+k8feE3KTSHkp0sad3RgN1lbjsnr0rKxocq+g2nWhJc5V5Ad/n6Y/4tOlDI
+huYqsjv8Pisks+auYVssLPTzWZZAuJ1u8VepfijTKktx2xaIKW63iw5qwlVbxExN
+7eRKvjbZj5rPdXkSAAF/1tNjIOR4uW3vrSPs700gcGxNvCR8WcKrzHe0mUmse3R4
+l4TfuXBv48lxYlTOY8Nizag/rpnoyHazeohmLl7Jtp5X+OfqfJixA242qolmjzjV
+Cef3uDKEEzKuee8Y1eVqzYljJuDJz63b5X3xYa+BqQIDAQABo1MwUTAdBgNVHQ4E
+FgQUCZrJ+XzIXewiBOGw64QFMKxU4nkwHwYDVR0jBBgwFoAUCZrJ+XzIXewiBOGw
+64QFMKxU4nkwDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAEXWh
+msxIhjsSxsa1+mTT2Z/RPTFZNq8sQkzLSz7RKO6f2PcZkO8DgkyM5tXvRCs/Hdfd
++BoyccG1CRVUDaX5dStTd5pjZ9ijUsTiW3AP5z1ztoq2mHmfQu7u9yFcGhfv1yJg
+c5cNeBvv8pqb9Bc7CyrCmnYc/tXsf57v9fVQ8cYK9cqXGdT+HpprnsGcqlt3g/PT
+1t4aTfgr30q6SSayFaVd6Ap8hX5BTWQ9oWWPQftN33vrPRb3SgW5m4Fu1OPKvpUI
+azwqyU2MaM43W0+r4IF7nFGVSPJBTbCXFHLGAjFL7ICjnOAJmJrc1LP2ySoEXozs
+DsBAliTkcBVOx0QZMQ==
+-----END CERTIFICATE-----
diff --git a/.circleci/server.key b/.circleci/server.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDBZuuEK7B9mbWw
+Fny3uoAE+Pp26PfCPEEhOh0QpA6KPMQs06Dv6Tx94TcpNIeSnSxp3dGA3WVuOyev
+SsrGhyr6DadaElzlXkB3+fpj/i06UMiG5iqyO/w+KySz5q5hWyws9PNZlkC4nW7x
+V6l+KNMqS3HbFogpbreLDmrCVVvETE3t5Eq+NtmPms91eRIAAX/W02Mg5Hi5be+t
+I+zvTSBwbE28JHxZwqvMd7SZSax7dHiXhN+5cG/jyXFiVM5jw2LNqD+umejIdrN6
+iGYuXsm2nlf45+p8mLEDbjaqiWaPONUJ5/e4MoQTMq557xjV5WrNiWMm4MnPrdvl
+ffFhr4GpAgMBAAECggEABOJLekf8Kf/StcKrnZwpFXcQJCaX8yDAaE1mZIAwGc+V
+CKjDfKuAKpGgafr4nXw4nefLHZz5rcHyq5uQ6ViKfkwP+NdT3zr1F9KJPzMxAzL9
+DWMMmvmm0g8W2zAtISpDQFNjPdTsh3z6Sz/yeMwhIQVMt8Km55zzJ6DSk1vCeH+F
+gW555Hez0qL/GKLJX4pRU45getXnqt/oQOnMEpe2Ar21GJO8JYWNC954SWacE90S
+7p4Y/Y4BmlCvaF0Kr8qxs2jDQmWKHYMuuxnMsKzz4u3f6wdRCEPt++Z6jMnHmjA6
+Mp7i8Zm5cWKehbS4hLRa/uA1JbFZXdHwJsaHeJIv3QKBgQD1cmGUYxp/GXSFjH2A
+1c03FiTcifp0ui8AjFBNb5pB7aHcsLK2EZRsV8PpgvpzpaDd9iYSmxxA7Xq9gBaV
+daRikRVvf12FvLkiZmmpulG3DyzvpP+CEGur102+gNjQXyBrtpJ9hG8rC7PHTCoG
+ZIraVocQ6Ft/T8bRMEE59gctewKBgQDJt69dk6H0UYSIJkFT3CMikMamk3ObAGT3
+WquP+GJ+2NaIM/9aHnaNMkN4MnpN9B73VUME26k8D3nm6+smZNvK2uWeqU/MONye
+zTF8L7yNBsO47rWCAoiNyJgfzDXc4gHEnKP4CeU3cjebzEg1Vdb5xKDeF8XwcrUV
+bOUgvnc6KwKBgQC8UHfBi4/GuFcIJ9Qaxu7eNuUtN8erSzXIq97oqpmlv5aSZheX
+TUGdJnEvdciGditIYRSw7cTto8aqId4x6cKnxTy3APdWJoe8durWyBbt5nzJmMRY
+nBSgEV6arOysYm/TdI5MMxG/6wiR/kO4B+fowL58IGoi8ahO00EYIUU8hQKBgDac
+i1bLVGp/82Ck8sTQcZa3GYEZpI/PYIZzPsWAmrH65MIFSdnNK414kTmmeORH9mZB
+6B4VllDTY854CrbfUX4vG0GEVz1UG67GoOIdTm/j5/NWdT+Yjf3M1Bqvv9loOtBP
+FDlf/HWxb4q3mMkPz17ZtC/MweMiOxJs4++kgUT3AoGBAJDNpcpbaANd8WDGnb+o
+xHgl7lO8c897HEyF7Ea9aI4d+NK/NThOJPANHSBovH9AulFipVlTQs6FTMNxI19d
+lGiFNwUbuVNDQucnPu5Goc0VFjI9Rwn9GcwH2vsJ9emxKlsl9VDoTl5HVgItYZK5
+VcTFh/izUO6ONHyrlkC7+6Pe
+-----END PRIVATE KEY-----
diff --git a/bin/test-db b/bin/test-db
@@ -6,7 +6,7 @@ import subprocess
 import time
 from argparse import RawTextHelpFormatter
 
-full_image_name = "singerio/postgres:9.6-wal2json-2.2"
+full_image_name = "singerio/postgres:9.6-wal2json-2.2-ssl"
 
 def start_container(name):
     START_COMMAND = """