Merge pull request #1160 from ashfall/postgresql-cert-auth

Enable client and server cert auth in postgresql

Dockerfile

@@ -20,6 +20,6 @@ RUN useradd -ms /bin/bash notary \
 ENV NOTARYDIR /go/src/github.com/docker/notary
 
 COPY . ${NOTARYDIR}
-RUN chmod -R a+rw /go
+RUN chmod -R a+rw /go && chmod 0600 ${NOTARYDIR}/fixtures/database/*
 
 WORKDIR ${NOTARYDIR}

buildscripts/dbtests.sh

@@ -15,8 +15,8 @@ case ${db} in
     ;;
   postgresql*)
     db="postgresql"
-    dbContainerOpts="--name postgresql_tests postgresql"
-    DBURL="postgres://server@postgresql_tests:5432/notaryserver?sslmode=disable"
+    dbContainerOpts="--name postgresql_tests postgresql -l"
+    DBURL="postgres://server@postgresql_tests:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem"
     ;;
   *)
     echo "Usage: $0 (mysql|rethink)"

development.postgresql.yml

@@ -14,7 +14,7 @@ services:
     command: -c "./migrations/migrate.sh && notary-server -config=fixtures/server-config.postgres.json"
     environment:
       MIGRATIONS_PATH: migrations/server/postgresql
-      DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=disable
+      DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem
     depends_on:
       - postgresql
       - signer
@@ -31,7 +31,7 @@ services:
     command: -c "./migrations/migrate.sh && notary-signer -config=fixtures/signer-config.postgres.json"
     environment:
       MIGRATIONS_PATH: migrations/signer/postgresql
-      DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=disable
+      DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-signer.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-signer-key.pem
     depends_on:
       - postgresql
   postgresql:
@@ -40,6 +40,7 @@ services:
       - mdb 
     volumes:
       - ./notarysql/postgresql-initdb.d:/docker-entrypoint-initdb.d
+    command: -l
   client:
     build:
       context: .

docker-compose.postgresql.yml

@@ -14,7 +14,7 @@ services:
     command: -c "./migrations/migrate.sh && notary-server -config=fixtures/server-config.postgres.json"
     environment:
       MIGRATIONS_PATH: migrations/server/postgresql
-      DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=disable
+      DB_URL: postgres://server@postgresql:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem
     depends_on:
       - postgresql
       - signer
@@ -31,7 +31,7 @@ services:
     command: -c "./migrations/migrate.sh && notary-signer -config=fixtures/signer-config.postgres.json"
     environment:
       MIGRATIONS_PATH: migrations/signer/postgresql
-      DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=disable
+      DB_URL: postgres://signer@postgresql:5432/notarysigner?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-signer.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-signer-key.pem
     depends_on:
       - postgresql
   postgresql:
@@ -43,6 +43,7 @@ services:
       - notary_data:/var/lib/postgresql
     ports:
       - 5432:5432
+    command: -l
 volumes:
   notary_data:
     external: false

fixtures/database/ca.pem

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDajCCAlKgAwIBAgIUHN8eDMtoTOBXOd+RjnCxLYUs4kYwDQYJKoZIhvcNAQEL
+BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh
+bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyMzcw
+MFoXDTIyMDUxMTIyMzcwMFowTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
+FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy9811sQcEoe2pH0+jUQP
+8Jq7RkuUnFtbYpR7H6AyMXfyCsiz4ghpkENFScJlQhFE/Q5XXk0mTVEJD7UEwuQp
+haqqSbDYMKVXHGY3CESyRF6z/k4jPTpxK0KxqsIXi8MZFvLOMUVGhXp+duFFX365
+ZXi0GTIhkkbo6/tQLLAYAL5dfAOU7FTOthK6RkPBnPLdb5ZuKJfbSBkIBH+Rdrm5
+atJYzL6rha3p2Hnm6FFF0eqdd+uqYpBuXcmQsftxPLBMvqbHXaPMov51+WvRXz0K
+EeluT0Fue0LuYCRYFMlbmALFg85tFAHWXKer6M/ejK4MCWQnpPwalE9Oaetb1/q5
+MwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
+HQ4EFgQU30PAjq5cOwlLzi4fxSE3J/v9EPcwDQYJKoZIhvcNAQELBQADggEBAJhV
+p1Va9r/NdCXaL5Ah+4i+l5m3hcKXT9h3811rmtLtKqcUwwnBbG+V3Ko+arbuCDYV
+VajGLRnhTjy1thqYZr6KbeG6HZ6BN8Zxhcam86O7JXDBKoWJH4SIGysXO0jXg1n4
+fM1teEhQ69OUCrCkFGBblL88uHbdgIQGTDkD9F4hFGia6NSII46MTIE6tH0UBrIy
+L5ZNCgG5Mn5w4D2Su6X6vq5ovE/mXRJLYCQLkvKSi5BQDdM26SwmKFSNk2V+DUeu
+te3qluUTIFLa+V+U0C6vJMaxgaTB5phzQ1R7HykqBnSrzcqyQKYKnR3aGzvHnb2m
+VYGGXEToG4TacQ/psn8=
+-----END CERTIFICATE-----

fixtures/database/notary-server-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAznRYoWEqB8VQQ3VnFSv1b2PU1UwTdREfsFu/O/yxdBpCEbSY
+s1Qc6ynHZuMOyscS46kiB3PSX1/CxMmPPSGcO1Z3VIbf8YUBtaMxTsO7nA5H22EO
+/M8SI+psrDhv+OtmrjzDtWVC9KgDV/F5+/8vynyh4J7HMilUjzbMHXYCZvW7aG7z
+rrItMNjhGmJeRXFlBIuSLxdbKGcuFv2xz3QPqF151mNcPaQosj1k7LtvB5Dkfhra
+33nMEsBp8QZfAag6xfuhEREeV6qOlG2DQL8nKuti1hLYUDFy3G7k1iswG/HadUBo
+MGrn+n8SywTmAW3HDvcfxOXzl5brmLURNUY+dQIDAQABAoIBAAu+cow7iriGcNpl
+g0ehCIUdmK3JdhHit3rAvVAcP7vrAncfXtBUqJB3/+/KWr0ONfTdWiIyZHUobVvk
+W1GO5+Q4NvGH+pUyi7ZZYiSo3bMy3MON8dxPqyh/3U6upy/xtBWVP0zCRdzE8eu+
+wMGk8oMCM/MjFRG1aCn9Y/8JB3nzxl2d8QCxeLjbIHJ/NWj7gf0xGVmKK7YVXd7W
+FHFFLTAxLRgfjZcxZB/u/L/T0pEwuyzbk2iGc9YkkgiBVUEqtIce6a7HHnKL7oBJ
+9sWxqc10rs9EP/2W7qfNolNkFVNnfJmY4x8ZpfAjW7/Osin22qCp5+kWyT2I/Qg6
++TwNQgECgYEA5ie0FdwsJbh0qNuWpXyMYJ2m27ag1zhpnsGs8iT9yWorZwp8BNm0
+1NchF/hE1Gkwvo+47U3ZvEmx7tLEA7Ekl7KZZro5+0jumSKd/vUrEpThqeJglz68
+T6/xZBGPIa3KZdXszs1pGjBNVEs1WuXgMPiFSypFT3ODnXgbFovX/nkCgYEA5aNR
+fCF2ACs3oeKHDwVCwMh3fbSmf4ZwpzdhARV5rSc8Je9K7oyoO5fgGWWXZqKLP138
+1ARQGwGcwImzrYvY8g7AqXe/J+Mr9Jr6+vrLDPShmeqyTiBdOTwgg/5muDdv+GS3
+zqzXtPI1Upuo8/1EwYUacYOk4EX7ga7iZMEoEN0CgYEAvkOgSloDXQOJ3XX6qb+2
+xMBPil8FxCXsmsN9V4hhDTrpunseX1wic7mMsCYbsIVtOHvT4sly8Ibzw30Vcf/l
+QkrxKc1V1XhLVukZOAYxn2DY1PpB44aHYlEO+yzQ6ISlR158L9H7yxyXMNIjv4s9
+tP4eIy9EsRPLgEgkDJV67/ECgYAwHbxhKhGzj1qkzPZHq26FPnvrFwMcDWtlXjEx
+LPLF2Ua9HBqzST2m3vfR2nuSwdQzftoPAqhWQEw7+55uarMWZQjxeWnQTcVUB3U3
+SX1qRYfm3EpoHFfsOjEF9zRGvTb08QWihIzeGTIbEQqhtRvHAMC9sDvH0mIUljRR
+sDdY8QKBgQDcT3yamYnGy6GzxWfpZYwoWqJFMtXjacD2rV32jwHifCa1RNu/Su6S
+UJcN9v/1GYfvLWzjDMv6hKFt/Q1e3mACgohL9vfZtgiZx5SCVi0AXdOpXLBWlLvl
+KM4XVhbuVTko/DsuGPVyXAHFHRFOjr+00Bw8y80DQIjNv4fgocr58Q==
+-----END RSA PRIVATE KEY-----

fixtures/database/notary-server.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDojCCAoqgAwIBAgIUXF5OjDTCDfBwQkJSdzPtt7HTljUwDQYJKoZIhvcNAQEL
+BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh
+bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyNDAw
+MFoXDTE4MDUxMjIyNDAwMFowQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
+FAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQDEwZzZXJ2ZXIwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDOdFihYSoHxVBDdWcVK/VvY9TVTBN1ER+w
+W787/LF0GkIRtJizVBzrKcdm4w7KxxLjqSIHc9JfX8LEyY89IZw7VndUht/xhQG1
+ozFOw7ucDkfbYQ78zxIj6mysOG/462auPMO1ZUL0qANX8Xn7/y/KfKHgnscyKVSP
+NswddgJm9btobvOusi0w2OEaYl5FcWUEi5IvF1soZy4W/bHPdA+oXXnWY1w9pCiy
+PWTsu28HkOR+GtrfecwSwGnxBl8BqDrF+6ERER5Xqo6UbYNAvycq62LWEthQMXLc
+buTWKzAb8dp1QGgwauf6fxLLBOYBbccO9x/E5fOXluuYtRE1Rj51AgMBAAGjgYMw
+gYAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFAs/6pFKZmzdHb27KyFFd0G9G/39MB8GA1UdIwQYMBaA
+FN9DwI6uXDsJS84uH8UhNyf7/RD3MAsGA1UdEQQEMAKCADANBgkqhkiG9w0BAQsF
+AAOCAQEAhCYtK8m7gPrijUgmYFyUqwiYFSLIhTEE+9nGZ/3Q5IeLneTVcQMAogUY
+cZCNPrj8QBQmEXupacHBH1UO58L0OsXf+jJ3Gx5W9YiNyEzhZxoi08u2y/JzQ+3K
+OVfSYpsHPVH82f9pz9TVmBhcVBrxUY1cO4vTxBm5P9irVo1M8KHRB3qLjHSSr7mP
+pvFRYTrnG8cEMRwJT+Akfc9jFDXzCxPptHGme5lZAXH0OcyAEaGLrBlmrZKOuGa8
+ssJWcp5OoTdUiL0j6LfRZSghbVkNsSTXPVcBU38YsowpOm8AOpqu+mF0hl/cq8/h
+vE8cxe19y4FmiPD5JaUtndkwXxM8bQ==
+-----END CERTIFICATE-----

fixtures/database/notary-signer-key.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEogIBAAKCAQEA0UiaAApHxQUjBAY+02+ioQKbPivrFmCrsNEC4VPHmAuHfgbh
+IwSf+zZq4+xL2j7If354Mb7RpgUT+Y0jFfaIBBLWXVXG+/91EVTwFTj33iCmRyNB
+AbD0BkiAYqV5PkqlUhkCIglLell/MiOM+8CEUARKA3L82bkILG86fdHhYK0cRzf1
+CPQrgtWg1GtWZlDEilnG083a8PjUyc1ejuSjoa606nszS/UctKAkGkvhl+KQyEep
+EFffm1Xmb66wv/S+p3Ba4YhU5xqT7b6TSTcIuXpzOOkkNwnyU79BIBaP1BSAE8Rx
+EXBts9Lo6E8b9QhEJyzPxmQXM5qE1y2yYoOoLwIDAQABAoIBAHGEi+PRr7QyYRfh
+u1o8h14GZ+aFM/LjZL134bQPGYhjWI8HdD7mV1CP59LRbSNoQqDFHLT+6ADBaGBI
+KevT2Vs8TII78L7nhbxs8fzQ9cHKu+aCPNSKAxMVaG4Zi3Y6TwoE/p8vo30t5kxv
+9BzqA9rTOMI+MOB3+PMBMhzlJvakc0fOy3w2ZTZoTWYe0Fnv8NcslKqYoTLBEkC1
+drwBU9G4BlkeRg6E6zadJJCyy6r8PmUp0ipfC87nVZDPrHxQmjemMrBCVUDE5e+V
+9R0CtxXGfOuyXUQUS3ZQMQerILfhx+O49VV/H08SctDpOPeKNFi8wK5uffutDykL
+C0XyTyECgYEA09xVLRKRdyAC7s4KV4b4JTRBtrlI/5CxyrlfxlZZGUbAtf6prpOP
+YPNCetHEOW9dF5kSLDVNujaOrdvu30f2BkQcf1f0MavLh9lU+zwrqnRhGn+IOOat
+Jhf0zF8H7NccEI1w93XQG/M9+3Lczs60ioiyX+IL7EJRaGaDguUOAOsCgYEA/OLR
+0cOAGvzWpKuUmS5yGIewGk6P8uLlnBkv7Lo607PTlIDMmTl8KTFyqrXajulK5o0W
+JsgTlCr/0lfaOV9boW1+PkvA3NYCzoR/c+gdvvCSDbnfmgFkx8dUh05oXW2zGdgv
+3PFK2IUzHgBvjR9kB7hWl5BaCYMFzLCKd7qLxM0CgYAxZGnbMzwEqMrmP9T7aPUL
+P26emf3hzysUFzmz9Mea8/rTs0Z989r2gGAcYDE+Lq9mZAJvmhG/+x4yfFbpaU57
+UX/PVIMS3Xl693kvhWystas50UfB9E2j1uv0hadEWTYqyb7vgmD9Uy09JR9De79t
+mMb1Qa8D6sYt79BzQNGN9wKBgEzjUdQrUsnh0gkjOf0RCBO5Pavh8xZwMkuxxMZ/
+IN+5Lz1Zo9t6hOupYynQPPFysRlEEFYeQwWrxThZCbqj6aI9PkMGmU8LqrLLykyd
+aF3jmySdPQUAI3oyetrg1g6CChBzkKnmm1EVvqMCkugfgTRvsbRHaXi2446GprMc
+ft6JAoGAYPumwvVhH2hQ+/CxvcESE1Udl9uavnwwtrw52wKBOTqwZYnVojEVn8e3
+rQpiBHU89K2dsEmvomrU2HHnPBmXYV3frh7GD/VIP4NvFQmXNs+1LNPP+3A56PtT
+/UqE7KPUPJ0WqkyJ/wC2r9QFylA4swxJEiZH0s8SvbY/Ce1IEDE=
+-----END RSA PRIVATE KEY-----

fixtures/database/notary-signer.pem

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDojCCAoqgAwIBAgIUeYAM7aBfKP6UBYbE83msSo04RsowDQYJKoZIhvcNAQEL
+BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh
+bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyNDAw
+MFoXDTE4MDUxMjIyNDAwMFowQzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
+FAYDVQQHEw1TYW4gRnJhbmNpc2NvMQ8wDQYDVQQDEwZzaWduZXIwggEiMA0GCSqG
+SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDRSJoACkfFBSMEBj7Tb6KhAps+K+sWYKuw
+0QLhU8eYC4d+BuEjBJ/7Nmrj7EvaPsh/fngxvtGmBRP5jSMV9ogEEtZdVcb7/3UR
+VPAVOPfeIKZHI0EBsPQGSIBipXk+SqVSGQIiCUt6WX8yI4z7wIRQBEoDcvzZuQgs
+bzp90eFgrRxHN/UI9CuC1aDUa1ZmUMSKWcbTzdrw+NTJzV6O5KOhrrTqezNL9Ry0
+oCQaS+GX4pDIR6kQV9+bVeZvrrC/9L6ncFrhiFTnGpPtvpNJNwi5enM46SQ3CfJT
+v0EgFo/UFIATxHERcG2z0ujoTxv1CEQnLM/GZBczmoTXLbJig6gvAgMBAAGjgYMw
+gYAwDgYDVR0PAQH/BAQDAgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMCMAwGA1UdEwEB
+/wQCMAAwHQYDVR0OBBYEFKKGeJZLHFg3QgqFOFE7UjmSYCjNMB8GA1UdIwQYMBaA
+FN9DwI6uXDsJS84uH8UhNyf7/RD3MAsGA1UdEQQEMAKCADANBgkqhkiG9w0BAQsF
+AAOCAQEAREI6iRUC0Pjn41QLI0Xtjv/2GeM1jKY0i6LcT+779QAU5iqPvmxhtO1N
+BM5ycQwyLD3T55t50ANDDm91klFlXF8IgSvq3efCVSWPtEkVznfQVMOu4dwVblhT
+GPg1BWbRsbjqdSVfU2cjoQNlflqRaw0XMJ738TrciaLxRHkvYsd0XCOjNTUfUuzi
+G16zdjBYn43XXW+4FnB2FzqzoM+PicCfEl8Gvi20QlgqtM5kaflhik2gQy6zXc1i
+hCiiRiE1Qv60VjsGvLFG+TN6HeWQlE260v5drzjmMen9i8hYc42glRDolUSg6hQs
+DLjTitTiXond4yxJ80LQH6CTtPybvg==
+-----END CERTIFICATE-----

fixtures/server-config.postgres.json

@@ -18,6 +18,6 @@
 	},
 	"storage": {
 		"backend": "postgres",
-		"db_url": "postgres://server@postgresql:5432/notaryserver?sslmode=disable"
+		"db_url": "postgres://server@postgresql:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem"
 	}
 }

fixtures/signer-config.postgres.json

@@ -10,6 +10,6 @@
   },
   "storage": {
     "backend": "postgres",
-    "db_url": "postgres://signer@postgresql:5432/notarysigner?sslmode=disable"
+    "db_url": "postgres://signer@postgresql:5432/notarysigner?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-signer.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-signer-key.pem"
   }
 }

notarysql/postgresql-initdb.d/pg_hba.conf

@@ -0,0 +1,2 @@
+# http://stackoverflow.com/q/18497299
+hostssl  all  all  0.0.0.0/0  cert clientcert=1

notarysql/postgresql-initdb.d/root.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDajCCAlKgAwIBAgIUHN8eDMtoTOBXOd+RjnCxLYUs4kYwDQYJKoZIhvcNAQEL
+BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh
+bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyMzcw
+MFoXDTIyMDUxMTIyMzcwMFowTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
+FAYDVQQHEw1TYW4gRnJhbmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENB
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAy9811sQcEoe2pH0+jUQP
+8Jq7RkuUnFtbYpR7H6AyMXfyCsiz4ghpkENFScJlQhFE/Q5XXk0mTVEJD7UEwuQp
+haqqSbDYMKVXHGY3CESyRF6z/k4jPTpxK0KxqsIXi8MZFvLOMUVGhXp+duFFX365
+ZXi0GTIhkkbo6/tQLLAYAL5dfAOU7FTOthK6RkPBnPLdb5ZuKJfbSBkIBH+Rdrm5
+atJYzL6rha3p2Hnm6FFF0eqdd+uqYpBuXcmQsftxPLBMvqbHXaPMov51+WvRXz0K
+EeluT0Fue0LuYCRYFMlbmALFg85tFAHWXKer6M/ejK4MCWQnpPwalE9Oaetb1/q5
+MwIDAQABo0IwQDAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNV
+HQ4EFgQU30PAjq5cOwlLzi4fxSE3J/v9EPcwDQYJKoZIhvcNAQELBQADggEBAJhV
+p1Va9r/NdCXaL5Ah+4i+l5m3hcKXT9h3811rmtLtKqcUwwnBbG+V3Ko+arbuCDYV
+VajGLRnhTjy1thqYZr6KbeG6HZ6BN8Zxhcam86O7JXDBKoWJH4SIGysXO0jXg1n4
+fM1teEhQ69OUCrCkFGBblL88uHbdgIQGTDkD9F4hFGia6NSII46MTIE6tH0UBrIy
+L5ZNCgG5Mn5w4D2Su6X6vq5ovE/mXRJLYCQLkvKSi5BQDdM26SwmKFSNk2V+DUeu
+te3qluUTIFLa+V+U0C6vJMaxgaTB5phzQ1R7HykqBnSrzcqyQKYKnR3aGzvHnb2m
+VYGGXEToG4TacQ/psn8=
+-----END CERTIFICATE-----

notarysql/postgresql-initdb.d/server.crt

@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDtTCCAp2gAwIBAgIUBFaJGFhoc5kBplg2RjIG0EJCNAUwDQYJKoZIhvcNAQEL
+BQAwTTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1TYW4gRnJh
+bmNpc2NvMRkwFwYDVQQDExBub3RhcnkncyBUZXN0IENBMB4XDTE3MDUxMjIyMzkw
+MFoXDTE4MDUxMjIyMzkwMFowRTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYw
+FAYDVQQHEw1TYW4gRnJhbmNpc2NvMREwDwYDVQQDEwhkYXRhYmFzZTCCASIwDQYJ
+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAMoEIo/VnyDNDkwHPBB+Lvc0ibOvTQN8
+HNpMhPDkAr10pI4dpgizGevvw3OP26h1aVdZA9mMQB9NfX207R8Vlvq4R8PeY59k
+iWXb4rEN3WmyY6L042SiABgUB0sSP9OIS+pRXlUyT8dyv4GeWfV3onL5WFvf1AzX
+3uWard9hLCNE0EzXVSyxxxtLNTJB8qXniKFWuFyHaFalaaesmhedbK3H5k+VU2Um
+fygYUYoHABTEKe0miMsTgzXQSHheKzowyt7BiI2FpcmHUMg8C+CWIvzrbWWC+0rr
+Pka7YBFCscJyfMyKN2YblFQhqIbyf6QenyFe3cuOP2OMdR4Ukw66KYsCAwEAAaOB
+lDCBkTAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0T
+AQH/BAIwADAdBgNVHQ4EFgQU7bNuwTAm8Ez3cb8+fYQHymgV2t8wHwYDVR0jBBgw
+FoAU30PAjq5cOwlLzi4fxSE3J/v9EPcwHAYDVR0RBBUwE4IKcG9zdGdyZXNxbIIF
+bXlzcWwwDQYJKoZIhvcNAQELBQADggEBACSdcADswQRitOr+EUUTrb6xluXtMMjQ
+h2ZDkZ8FXNMiem149o22FGtmKVKhaNnG0hgejHrzJKJp6TFS56HAz55PkO8NxP1C
+opk2whrvq/5Nspz+91WLWqMel8CbaHxVlLjMZbgLCkEOiZJ27Va1AWVZd+cW4ACQ
+vb7/clQumZQi49jSthJuzY//aFsuT0/CtkuGwXg38bqNI6hGvU9crDQermuGnd8t
+uMabgyWfQeUohKn1HZ0mo+rnMR/Y8pJXZvcoLwyxfo9hRXk1PHMGdwAOI5VlxxOy
+89sRyeXdFkzipGg1Ywd3TR528+q1lUYkYmRReEqKS/HquGHQtnvT1Nw=
+-----END CERTIFICATE-----

notarysql/postgresql-initdb.d/server.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAygQij9WfIM0OTAc8EH4u9zSJs69NA3wc2kyE8OQCvXSkjh2m
+CLMZ6+/Dc4/bqHVpV1kD2YxAH019fbTtHxWW+rhHw95jn2SJZdvisQ3dabJjovTj
+ZKIAGBQHSxI/04hL6lFeVTJPx3K/gZ5Z9XeicvlYW9/UDNfe5Zqt32EsI0TQTNdV
+LLHHG0s1MkHypeeIoVa4XIdoVqVpp6yaF51srcfmT5VTZSZ/KBhRigcAFMQp7SaI
+yxODNdBIeF4rOjDK3sGIjYWlyYdQyDwL4JYi/OttZYL7Sus+RrtgEUKxwnJ8zIo3
+ZhuUVCGohvJ/pB6fIV7dy44/Y4x1HhSTDropiwIDAQABAoIBAQCXXKHIw3aHTRz5
+OjJ26RSnhGXoi+BYTBYSOmMhWrXy3gKtuOk+e3NgpDT90Tvz7IURPVD1H3CsA5OT
+LIy+TZ7iHFEpIOfj9aA9AZPItWrAVzjwUCxQqlEHuXn9dZ79D5JR7sWPcDL2bbOv
+msYsdYbyPoFF1V88gEIyJsNAK762bPN7pIMasHdtQGninx7IXoI2pZKnarMfxADy
+TS5z95qKmegFcOfPtjF+QbFLqScb8uuDWkHGhpNyWN9dhVtSkzPnuT/Y87x9SRNI
+Si3dVG1rPJ2FN6mQGhqs6Wp5VjXyu43O0zk/Dt5NO4nEqIXnfjkZ0NhsKy51gUmy
+4YnkU+CBAoGBANYBFd842c2NThlNATRSaoWEcf2p2QL2Ss1B2lgYwxw0jm5wZWJt
+muH1RILY5erign2yEtPDOubBQS9OePvyJsaaPepRyyMAUdv9vvAqxW3ev3DLQhy0
+8BQFsabGu/7WBQLIuiR0N682sANNJREGY5XZiWogaNCt7AEKkCygeVFHAoGBAPGo
+zhAbcnKvUFHZXG4Kw8axlNpT75JISxeRilmt6KtiWHwhHzBxQgkyj3413wD7vADd
+NIu8eqJUzBDJ8ZFAn3ZSdZCgDtCbTTn59wdRXzUT8WJGj7ProQVZH5+Vw0MEhtT3
+YOxlNefN+1OlJTZ6V1o8BTyhXi66DJAqUHMUQqedAoGAPKUaGaP2tPVySGE2Eim4
+3hVmaEgVo21ATWJ4Cbcas4eBRXK8iGQfHCFxRNNKdIG0EQLBqxkMPBBP9KP8TQmW
+S3myShDbzBNvHzSNQ2obgMM65S/0kEYGMuZaLbTr2Y+049EWTvZQQWrx/j2CX4y7
+898tvdFpYpmm47Smnr7rIkkCgYB1uRwZMKXCRLFGDjM+0DOrOZsf+L++bUVXh+jz
+4wpzYwdkAOamvKXEwUKx4yBt5DQj357Xa8v6BIEctKPfdLG5/FWVTMOqz90BH0o9
+4GAXBU4T5/fdWC4q4s3K+jQTE8NzP8eRoYRvFiMXDl5geZzQMmkCrkGpVa0FFff2
+96m46QKBgGzCuE2ZSaCduQYKVL6KcvASqkJ72eodKSzvB1aY2MD6d+RCWPebLqR2
+TuUpwx13/G6RUMO7i5cDeE9rMxinGPU7X0/h9m+Fr2+vO3a2FuBiL8ZZM5+CI2y2
+0av1S7h0quIScNifN3QM8jawE1IWXd6AQPbFx7nCrtmEP+rVl5Z9
+-----END RSA PRIVATE KEY-----

notarysql/postgresql-initdb.d/tls-setup.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+
+# Setup the server so it knows where to find certs so that server can be
+# started with TLS enabled.
+set -e
+
+sed -i "s/#ssl = off/ssl = on/" "$PGDATA"/postgresql.conf
+sed -i "s/#ssl_ca_file = ''/ssl_ca_file = 'root.crt'/" "$PGDATA"/postgresql.conf
+cp /docker-entrypoint-initdb.d/pg_hba.conf "$PGDATA"
+cp /docker-entrypoint-initdb.d/server.{crt,key} "$PGDATA"
+cp /docker-entrypoint-initdb.d/root.crt "$PGDATA"
+chown postgres:postgres "$PGDATA"/server.{crt,key}
+chown postgres:postgres "$PGDATA"/root.crt
+chmod 0600 "$PGDATA"/server.key

server.Dockerfile

@@ -13,6 +13,8 @@ COPY . /go/src/${NOTARYPKG}
 
 WORKDIR /go/src/${NOTARYPKG}
 
+RUN chmod 0600 ./fixtures/database/*
+
 ENV SERVICE_NAME=notary_server
 EXPOSE 4443
 

signer.Dockerfile

@@ -13,6 +13,8 @@ COPY . /go/src/${NOTARYPKG}
 
 WORKDIR /go/src/${NOTARYPKG}
 
+RUN chmod 0600 ./fixtures/database/*
+
 ENV SERVICE_NAME=notary_signer
 ENV NOTARY_SIGNER_DEFAULT_ALIAS="timestamp_1"
 ENV NOTARY_SIGNER_TIMESTAMP_1="testpassword"