From ec36b68b5deecd8ab5b419313fdff476f18594eb Mon Sep 17 00:00:00 2001 From: Anju Pathak Date: Thu, 16 Oct 2025 04:55:47 +0000 Subject: [PATCH 1/6] feat: enable ssl postgres Signed-off-by: Anju Pathak --- .../django_postgres/settings.py | 28 ++++++++++++++++++- .../django_postgres/docker-compose.yml | 14 ++++++++++ .../django_postgres/sql/enable-ssl.sh | 15 ++++++++++ 3 files changed, 56 insertions(+), 1 deletion(-) create mode 100755 django-postgres/django_postgres/sql/enable-ssl.sh diff --git a/django-postgres/django_postgres/django_postgres/settings.py b/django-postgres/django_postgres/django_postgres/settings.py index 2791ed4..87fac32 100644 --- a/django-postgres/django_postgres/django_postgres/settings.py +++ b/django-postgres/django_postgres/django_postgres/settings.py @@ -11,6 +11,7 @@ """ from pathlib import Path +import os # Build paths inside the project like this: BASE_DIR / 'subdir'. BASE_DIR = Path(__file__).resolve().parent.parent @@ -27,6 +28,7 @@ ALLOWED_HOSTS = ["*"] +SSL_ENABLED = os.getenv('POSTGRES_SSL_ENABLED', 'false').lower() == 'true' # Application definition @@ -71,6 +73,30 @@ WSGI_APPLICATION = 'django_postgres.wsgi.application' +def _db_options_from_env(): + """ + Build psycopg2 OPTIONS dict, adding SSL keys only if requested. + """ + opts = {} + sslmode = os.getenv("DB_SSLMODE", "disable").strip() + if sslmode and sslmode.lower() != "disable": + # Common values: require | verify-ca | verify-full + opts["sslmode"] = sslmode + # Optional files if you want verification / mTLS + rootcert = os.getenv("DB_SSLROOTCERT", "").strip() + sslcert = os.getenv("DB_SSLCERT", "").strip() + sslkey = os.getenv("DB_SSLKEY", "").strip() + sslcrl = os.getenv("DB_SSLCRL", "").strip() + if rootcert: + opts["sslrootcert"] = rootcert + if sslcert: + opts["sslcert"] = sslcert + if sslkey: + opts["sslkey"] = sslkey + if sslcrl: + opts["sslcrl"] = sslcrl + return opts + # Database # https://docs.djangoproject.com/en/4.2/ref/settings/#databases 
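Review bot: In `_db_options_from_env`, the inline comment lists `require` next to `verify-ca` and `verify-full` as if they were interchangeable, but `require` only encrypts the session and does not authenticate the server, so it gives no protection against an on-path impersonator. I would reword it to `# require = encryption only; verify-ca / verify-full also authenticate the server and need DB_SSLROOTCERT`. `DB_SSLMODE=disable` (and the unset default) leaves `sslmode` out of OPTIONS rather than passing `disable`, so libpq's own default applies (as far as I know `prefer`, opportunistic TLS with plaintext fallback); the docstring should say so. The value is also forwarded unvalidated and in its original case, so `DB_SSLMODE=Require` passes the check but is probably not accepted by libpq; `opts["sslmode"] = sslmode.lower()` plus an allow-list check would fail fast.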
@@ -83,10 +109,10 @@ 'PASSWORD': 'postgres', 'HOST': '0.0.0.0', 'PORT': '5432', + 'OPTIONS': _db_options_from_env(), } } - # Password validation # https://docs.djangoproject.com/en/4.2/ref/settings/#auth-password-validators diff --git a/django-postgres/django_postgres/docker-compose.yml b/django-postgres/django_postgres/docker-compose.yml index e5a43b7..82dd56b 100644 --- a/django-postgres/django_postgres/docker-compose.yml +++ b/django-postgres/django_postgres/docker-compose.yml @@ -12,3 +12,17 @@ services: volumes: - ./sql/init.sql:/docker-entrypoint-initdb.d/init.sql + postgres_ssl: + image: postgres:latest + environment: + POSTGRES_DB: usersdb + POSTGRES_USER: postgres + POSTGRES_PASSWORD: postgres + ports: + - "5432:5432" + volumes: + - pgdata_ssl:/var/lib/postgresql/data + - ./sql/enable-ssl.sh:/docker-entrypoint-initdb.d/enable-ssl.sh:ro + +volumes: + pgdata_ssl: diff --git a/django-postgres/django_postgres/sql/enable-ssl.sh b/django-postgres/django_postgres/sql/enable-ssl.sh new file mode 100755 index 0000000..2af15e9 --- /dev/null +++ b/django-postgres/django_postgres/sql/enable-ssl.sh @@ -0,0 +1,15 @@ +#!/usr/bin/env bash +set -e + +# Generate a self-signed server cert the first time the cluster initializes +if [[ ! -f "$PGDATA/server.crt" ]]; then + openssl req -new -x509 -days 365 -nodes -text \ + -subj "/CN=postgres_ssl" \ + -keyout "$PGDATA/server.key" \ + -out "$PGDATA/server.crt" + chmod 600 "$PGDATA/server.key" "$PGDATA/server.crt" + chown postgres:postgres "$PGDATA/server.key" "$PGDATA/server.crt" + echo "ssl = on" >> "$PGDATA/postgresql.conf" + echo "ssl_cert_file = 'server.crt'" >> "$PGDATA/postgresql.conf" + echo "ssl_key_file = 'server.key'" >> "$PGDATA/postgresql.conf" +fi From 906b2a234fff49ab7761df151d00d93f730bcc4e Mon Sep 17 00:00:00 2001 From: Anju Pathak Date: Mon, 20 Oct 2025 12:21:53 +0000 Subject: [PATCH 2/6] fix: remove unused line 
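Review bot: The new `postgres_ssl` service publishes `"5432:5432"`, which binds the database on every host interface while the superuser password is the literal `postgres`; for a local sample, `- "127.0.0.1:5432:5432"` keeps it off the network. The first service's port mapping is outside this hunk, but patch 5 of this series shows it was also `"5432:5432"`, so the two services cannot be up at the same time. `image: postgres:latest` is unpinned, so the init script and the data path depend on whichever major version is current at pull time.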
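Review bot: `ssl = on` makes TLS available but does not require it: nothing in this script touches `pg_hba.conf`, so the server will presumably still accept plaintext connections through its `host` rules, and a client left at `DB_SSLMODE=disable` connects without any error. If the service is meant to exercise TLS, the script should also turn the remote rule into `hostssl` (for example `hostssl all all all scram-sha-256` in place of the matching `host` line — check what the image writes first). The certificate carries only `/CN=postgres_ssl`, is valid for 365 days and is generated once per data volume, so `verify-full` against `'HOST': '0.0.0.0'` from settings.py cannot match, and the persisted cert expires after a year with no regeneration path. `chmod 600` on `server.crt` is harmless but unnecessary; only `server.key` needs to be private.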
Signed-off-by: Anju Pathak --- django-postgres/django_postgres/django_postgres/settings.py | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/django-postgres/django_postgres/django_postgres/settings.py b/django-postgres/django_postgres/django_postgres/settings.py index 87fac32..5a63c71 100644 --- a/django-postgres/django_postgres/django_postgres/settings.py +++ b/django-postgres/django_postgres/django_postgres/settings.py @@ -28,8 +28,6 @@ ALLOWED_HOSTS = ["*"] -SSL_ENABLED = os.getenv('POSTGRES_SSL_ENABLED', 'false').lower() == 'true' - # Application definition INSTALLED_APPS = [ @@ -108,7 +106,7 @@ def _db_options_from_env(): 'USER': 'postgres', 'PASSWORD': 'postgres', 'HOST': '0.0.0.0', - 'PORT': '5432', + 'PORT': '6000', 'OPTIONS': _db_options_from_env(), } } From 9751053538d6554692a44d6d68cfa06d62a43682 Mon Sep 17 00:00:00 2001 From: Anju Pathak Date: Mon, 20 Oct 2025 12:22:52 +0000 Subject: [PATCH 3/6] debug: print the sslmode Signed-off-by: Anju Pathak --- django-postgres/django_postgres/django_postgres/settings.py | 1 + 1 file changed, 1 insertion(+) diff --git a/django-postgres/django_postgres/django_postgres/settings.py b/django-postgres/django_postgres/django_postgres/settings.py index 5a63c71..fca1756 100644 --- a/django-postgres/django_postgres/django_postgres/settings.py +++ b/django-postgres/django_postgres/django_postgres/settings.py @@ -77,6 +77,7 @@ def _db_options_from_env(): """ opts = {} sslmode = os.getenv("DB_SSLMODE", "disable").strip() + print("DB_SSLMODE is:", sslmode) if sslmode and sslmode.lower() != "disable": # Common values: require | verify-ca | verify-full opts["sslmode"] = sslmode From e46157017d393f6b6a80882f417626faa4bd58c7 Mon Sep 17 00:00:00 2001 From: Anju Pathak Date: Mon, 20 Oct 2025 13:17:59 +0000 Subject: [PATCH 4/6] fix: shift back to correct port Signed-off-by: Anju Pathak --- django-postgres/django_postgres/django_postgres/settings.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
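Review bot: The `'PORT': '6000'` change rides along in a commit titled "remove unused line", and at this point in the series docker-compose.yml still publishes 5432, so the app and the database disagree until patch 5. The same literal is flipped again in patches 4, 5 and 6; reading it from the environment, e.g. `'PORT': os.getenv('DB_PORT', '5432'),`, would end the churn and match how the TLS options are already configured. `os` stays imported after this commit because `_db_options_from_env` uses it. The DATABASES dict starts outside the hunk.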
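Review bot: The added `print("DB_SSLMODE is:", sslmode)` runs when settings are imported, so every management command and worker process writes it to stdout, and nothing later in the series removes it. If the value is worth recording, use the logging framework at debug level, `logging.getLogger(__name__).debug("DB_SSLMODE=%s", sslmode)` (needs `import logging`), or drop the line before merge. Keep the output to the mode only; the `DB_SSLKEY` path read a few lines below should not be echoed the same way. The function body continues outside the hunk.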
diff --git a/django-postgres/django_postgres/django_postgres/settings.py b/django-postgres/django_postgres/django_postgres/settings.py index fca1756..1e76767 100644 --- a/django-postgres/django_postgres/django_postgres/settings.py +++ b/django-postgres/django_postgres/django_postgres/settings.py @@ -107,7 +107,7 @@ def _db_options_from_env(): 'USER': 'postgres', 'PASSWORD': 'postgres', 'HOST': '0.0.0.0', - 'PORT': '6000', + 'PORT': '5432', 'OPTIONS': _db_options_from_env(), } } From e8de1aeadcd003c115c3c5b956bffc5a59d3e4d9 Mon Sep 17 00:00:00 2001 From: Anju Pathak Date: Mon, 20 Oct 2025 13:27:43 +0000 Subject: [PATCH 5/6] fix: use 6000 as port Signed-off-by: Anju Pathak --- django-postgres/django_postgres/django_postgres/settings.py | 2 +- django-postgres/django_postgres/docker-compose.yml | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/django-postgres/django_postgres/django_postgres/settings.py b/django-postgres/django_postgres/django_postgres/settings.py index 1e76767..fca1756 100644 --- a/django-postgres/django_postgres/django_postgres/settings.py +++ b/django-postgres/django_postgres/django_postgres/settings.py @@ -107,7 +107,7 @@ def _db_options_from_env(): 'USER': 'postgres', 'PASSWORD': 'postgres', 'HOST': '0.0.0.0', - 'PORT': '5432', + 'PORT': '6000', 'OPTIONS': _db_options_from_env(), } } diff --git a/django-postgres/django_postgres/docker-compose.yml b/django-postgres/django_postgres/docker-compose.yml index 82dd56b..bc290bc 100644 --- a/django-postgres/django_postgres/docker-compose.yml +++ b/django-postgres/django_postgres/docker-compose.yml @@ -8,7 +8,7 @@ services: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres ports: - - "5432:5432" # Map the PostgreSQL port to the host machine + - "6000:5432" # Map the PostgreSQL port to the host machine volumes: - ./sql/init.sql:/docker-entrypoint-initdb.d/init.sql 
@@ -19,7 +19,7 @@ services: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres ports: - - "5432:5432" + - "6000:5432" volumes: - pgdata_ssl:/var/lib/postgresql/data - ./sql/enable-ssl.sh:/docker-entrypoint-initdb.d/enable-ssl.sh:ro From bfecaac4c7a3ae043671b4e7f553af37ba74171b Mon Sep 17 00:00:00 2001 From: Anju Pathak Date: Mon, 20 Oct 2025 15:09:36 +0000 Subject: [PATCH 6/6] fix: update port in django postgres app Signed-off-by: Anju Pathak --- django-postgres/django_postgres/django_postgres/settings.py | 2 +- django-postgres/django_postgres/docker-compose.yml | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/django-postgres/django_postgres/django_postgres/settings.py b/django-postgres/django_postgres/django_postgres/settings.py index fca1756..1e76767 100644 --- a/django-postgres/django_postgres/django_postgres/settings.py +++ b/django-postgres/django_postgres/django_postgres/settings.py @@ -107,7 +107,7 @@ def _db_options_from_env(): 'USER': 'postgres', 'PASSWORD': 'postgres', 'HOST': '0.0.0.0', - 'PORT': '6000', + 'PORT': '5432', 'OPTIONS': _db_options_from_env(), } } diff --git a/django-postgres/django_postgres/docker-compose.yml b/django-postgres/django_postgres/docker-compose.yml index bc290bc..de47937 100644 --- a/django-postgres/django_postgres/docker-compose.yml +++ b/django-postgres/django_postgres/docker-compose.yml @@ -8,7 +8,7 @@ services: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres ports: - - "6000:5432" # Map the PostgreSQL port to the host machine + - "5432:5432" # Map the PostgreSQL port to the host machine volumes: - ./sql/init.sql:/docker-entrypoint-initdb.d/init.sql @@ -19,9 +19,9 @@ services: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres ports: - - "6000:5432" + - "5432:5432" volumes: - - pgdata_ssl:/var/lib/postgresql/data + - pgdata_ssl:/var/lib/postgresql - ./sql/enable-ssl.sh:/docker-entrypoint-initdb.d/enable-ssl.sh:ro volumes:
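Review bot: The volume target changes from `/var/lib/postgresql/data` to `/var/lib/postgresql` in a commit described only as a port update, and whether that is correct depends on the image's major version, which `image: postgres:latest` (from patch 1) leaves open. As far as I know, newer official images keep PGDATA in a versioned subdirectory under `/var/lib/postgresql`, while older ones use `/var/lib/postgresql/data`; on an older image this mount would presumably leave the cluster, and the `server.key` written by enable-ssl.sh, in an anonymous volume instead of `pgdata_ssl`. Pin the tag (`image: postgres:<major>`, placeholder) and add a comment such as `# PGDATA lives under /var/lib/postgresql/<major>/ on this image` next to the mount. Both services again publish host port 5432 after this patch, so only one can be up at a time.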