Postgres TLS Setup

TLS setup for Docker installations of Xray

Author: Patrick Russell
Article number: 000004737
Source type: Salesforce
First published: 2020-06-09T17:02:06Z
Last modified: 2021-04-27
Version: 6
To enable encryption in a Docker installation, your TLS certificates need to be loaded into both the Xray and PostgreSQL Docker containers. This is best accomplished by using the existing volume mounts, which keeps the containers disposable (nothing has to be baked into the images). Follow these steps:

1. Create your PostgreSQL TLS certificate files outside of the container:
openssl req -newkey rsa:2048 -nodes -keyout psql.key -x509 -days 365 -out psql.crt
Xray connects to the database by the hostname postgres (the host in the connection URL in step 5), so when prompted, be certain to use postgres as the Common Name (CN). The other prompts may be filled in with anything; those fields are only human-readable and are not used by Xray or PostgreSQL.

2. Add the certificates to PostgreSQL:

a. Head to the PostgreSQL volume folder (default: ~/.jfrog/xray/postgres) and create a folder called certs. Because the parent "postgres" directory is mounted into the container, any files or folders created here also appear inside the container (run from your home directory):
mkdir .jfrog/xray/postgres/certs
b. Copy the psql.key and psql.crt files created in step 1 into the "certs" folder.

c. Ensure the files are owned by the postgres user. If you're unsure of the PostgreSQL user's UID and GID, this can be done inside the container:
[Inside the Postgres container]
chown postgres:postgres /var/lib/postgresql/data/certs/*
chmod 600 /var/lib/postgresql/data/certs/*
d. Update the .jfrog/xray/postgres/postgresql.conf file. Refer to the Xray documentation for the syntax, and make sure the paths refer to the PostgreSQL data directory as seen inside the container (/var/lib/postgresql/data, the same path used by the chown in step 2c), not the host path:

ssl = on
ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL'
ssl_prefer_server_ciphers = on

# /var/lib/postgresql/data/certs is the path inside the PostgreSQL container
ssl_cert_file = '/var/lib/postgresql/data/certs/psql.crt'
ssl_key_file = '/var/lib/postgresql/data/certs/psql.key'
#ssl_ca_file = '/full/path/to/postgres/certificates/server_ca.crt'   # Not needed here, leave commented out

3. Restart the PostgreSQL container:
docker restart xray_postgres_1
4. Copy the same psql.crt and psql.key files into Xray's volume mount. There should already be an ssl folder in this location; create a subfolder in it for the PostgreSQL files:
mkdir .jfrog/xray/xray/ssl/postgres_tls/
5. Update the xray_config.yaml file in the volume with the SSL file paths. Note: the paths must be the ones inside the Xray container. This means the .jfrog/xray/xray/ssl/postgres_tls folder on the host is /var/opt/jfrog/xray/data/ssl/postgres_tls inside the container:
postgresqlUrl:        postgres://92a[...]w==@postgres:5432/xraydb?sslrootcert=/var/opt/jfrog/xray/data/ssl/postgres_tls/psql.crt&sslkey=/var/opt/jfrog/xray/data/ssl/postgres_tls/psql.key
6. Restart Xray.
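The two mistakes this procedure is most prone to are a mistyped Common Name at the openssl prompt and a key file that does not belong to the certificate sitting next to it (or is readable by other users, which PostgreSQL rejects). The following script is an added example and is not part of the JFrog article: it creates the step 1 certificate non-interactively with the CN given on the command line, and checks a certificate/key pair before it is copied into the postgres and xray volume mounts. It assumes the openssl command-line tool is installed on the host and that stat is either the GNU or the BSD variant; the file names psql.crt/psql.key and the CN postgres follow the article, everything else is illustrative.

```shell
#!/usr/bin/env sh
# Added example (not from the article): create and verify the PostgreSQL
# server certificate before copying it into the volume mounts.
# Assumes: openssl on the host, GNU or BSD stat.
set -eu

# make_pg_cert DIR CN [DAYS]
# Equivalent to the interactive "openssl req" in step 1, but the subject is
# given on the command line so the CN cannot be mistyped at the prompt.
make_pg_cert() {
    dir=$1; cn=$2; days=${3:-365}
    mkdir -p "$dir"
    openssl req -newkey rsa:2048 -nodes -x509 -days "$days" \
        -subj "/CN=$cn" \
        -keyout "$dir/psql.key" -out "$dir/psql.crt" 2>/dev/null
    # Same permissions the article applies in step 2c.
    chmod 600 "$dir/psql.key" "$dir/psql.crt"
}

# cert_cn FILE -> prints the certificate's Common Name
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# check_pg_cert DIR EXPECTED_CN -> 0 if the pair is usable, 1 otherwise
# Verifies: CN equals the hostname Xray dials ("postgres" in the compose
# setup), key and certificate belong together, the key is mode 600, and
# the certificate has not expired.
check_pg_cert() {
    dir=$1; want_cn=$2
    crt=$dir/psql.crt; key=$dir/psql.key
    [ -f "$crt" ] && [ -f "$key" ] || { echo "missing psql.crt/psql.key in $dir"; return 1; }

    got_cn=$(cert_cn "$crt")
    [ "$got_cn" = "$want_cn" ] || { echo "CN is '$got_cn', expected '$want_cn'"; return 1; }

    # Compare the public key embedded in the certificate with the one derived
    # from the private key; a mismatch means the wrong key was copied.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl md5)
    [ "$crt_pub" = "$key_pub" ] || { echo "psql.key does not match psql.crt"; return 1; }

    # PostgreSQL refuses to start with a server key readable by group/others.
    mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
    [ "$mode" = "600" ] || { echo "psql.key mode is $mode, expected 600"; return 1; }

    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null \
        || { echo "certificate has expired"; return 1; }
    echo "ok: $crt (CN=$got_cn)"
}

# Usage (run from your home directory, matching the article's relative paths):
#   make_pg_cert .jfrog/xray/postgres/certs postgres
#   check_pg_cert .jfrog/xray/postgres/certs postgres
#   cp .jfrog/xray/postgres/certs/psql.* .jfrog/xray/xray/ssl/postgres_tls/
```

Run check_pg_cert against both copies of the files (the postgres volume and the xray ssl folder) after the chown/chmod in step 2c and again after copying in step 4; it reports the first problem it finds and exits non-zero, so it can be dropped into a deployment script ahead of the container restarts.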