fix(ssl): improve SSL cert file mounts

- If SSL is disabled, delete the SSL crt and file mounts in the DB
- If SSL is disabled, delete the SSL folder
- If SSL is enabled, make sure the file mounts are added inside the helper
- Remove the old file mounts first, so the SSL cert content is always up to date and no duplicate mounts are added
This commit is contained in:
peaklabs-dev
2025-02-04 16:34:24 +01:00
parent 6de76ca3f8
commit 3c62130e86
5 changed files with 71 additions and 28 deletions


@@ -36,12 +36,33 @@ class StartPostgresql
"echo 'Creating directories.'",
"mkdir -p $this->configuration_dir",
"mkdir -p $this->configuration_dir/docker-entrypoint-initdb.d/",
"mkdir -p $this->configuration_dir/ssl",
"echo 'Directories created successfully.'",
];
if ($this->database->enable_ssl) {
if (! $this->database->enable_ssl) {
$this->commands[] = "rm -rf $this->configuration_dir/ssl";
SslCertificate::where('resource_type', $this->database->getMorphClass())
->where('resource_id', $this->database->id)
->delete();
$this->database->fileStorages()
->where('resource_type', $this->database->getMorphClass())
->where('resource_id', $this->database->id)
->get()
->filter(function ($storage) {
return in_array($storage->mount_path, [
'/var/lib/postgresql/certs/server.crt',
'/var/lib/postgresql/certs/server.key',
]);
})
->each(function ($storage) {
$storage->delete();
});
} else {
$this->commands[] = "echo 'Setting up SSL for this database.'";
$this->commands[] = "rm -rf $this->configuration_dir/ssl";
$this->commands[] = "mkdir -p $this->configuration_dir/ssl";
$server = $this->database->destination->server;
$caCert = SslCertificate::where('server_id', $server->id)->firstOrFail();
@@ -57,8 +78,8 @@ class StartPostgresql
serverId: $server->id,
caCert: $caCert->ssl_certificate,
caKey: $caCert->ssl_private_key,
configurationDir: $this->configuration_dir,
);
$this->addSslFilesToFileStorage();
}
}
@@ -300,27 +321,4 @@ class StartPostgresql
$content_base64 = base64_encode($content);
$this->commands[] = "echo '{$content_base64}' | base64 -d | tee $config_file_path > /dev/null";
}
private function addSslFilesToFileStorage()
{
if (! $this->ssl_certificate) {
return;
}
$this->database->fileStorages()->create([
'fs_path' => $this->configuration_dir.'/ssl/server.crt',
'mount_path' => '/var/lib/postgresql/certs/server.crt',
'content' => $this->ssl_certificate->ssl_certificate,
'is_directory' => false,
'chmod' => '644',
]);
$this->database->fileStorages()->create([
'fs_path' => $this->configuration_dir.'/ssl/server.key',
'mount_path' => '/var/lib/postgresql/certs/server.key',
'content' => $this->ssl_certificate->ssl_private_key,
'is_directory' => false,
'chmod' => '600',
]);
}
}
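Review bot: The SSL-disabled branch deletes the `SslCertificate` row and the `server.crt`/`server.key` file-storage rows while the command list is still being assembled, so if anything between here and the actual execution of `rm -rf` aborts, the database records are already gone while the key material is still on the server; either defer the DB cleanup until the commands have run, or add a comment stating that the cleanup is deliberately eager. Independently, `mkdir -p $this->configuration_dir/ssl` on the base command list still runs ahead of both branches, so the disabled path creates the directory only to `rm -rf` it and the enabled path creates it twice — dropping that base line and keeping the `mkdir` inside the `else` branch makes the intent clearer. The mount-path list here duplicates the one in `SslHelper`; a shared constant such as `public const SSL_MOUNT_PATHS = ['/var/lib/postgresql/certs/server.crt', '/var/lib/postgresql/certs/server.key'];` used as `in_array($storage->mount_path, self::SSL_MOUNT_PATHS, true)` keeps the two lists from drifting and adds the strict comparison. The new `rm -rf` interpolates `$this->configuration_dir` unquoted like the existing `mkdir` lines; because this one is destructive it is worth wrapping the path in `escapeshellarg()` or asserting it is the expected per-database directory before it is appended. The first hunk's `if`/`else` continues past the hunk, and the removed `addSslFilesToFileStorage()` method is history, not re-reviewed here.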


@@ -23,7 +23,8 @@ class SslHelper
int $validityDays = 365,
?string $caCert = null,
?string $caKey = null,
bool $isCaCertificate = false
bool $isCaCertificate = false,
?string $configurationDir = null
): SslCertificate {
try {
@@ -101,17 +102,58 @@ class SslHelper
->where('server_id', $serverId)
->delete();
return SslCertificate::create([
$sslCertificate = SslCertificate::create([
'ssl_certificate' => $certificateStr,
'ssl_private_key' => $privateKeyStr,
'resource_type' => $resourceType,
'resource_id' => $resourceId,
'server_id' => $serverId,
'configuration_dir' => $configurationDir,
'valid_until' => CarbonImmutable::now()->addDays($validityDays),
'is_ca_certificate' => $isCaCertificate,
'common_name' => $commonName,
'subject_alternative_names' => $subjectAlternativeNames,
]);
if ($configurationDir && $resourceType && $resourceId) {
$model = app($resourceType)->find($resourceId);
$model->fileStorages()
->where('resource_type', $model->getMorphClass())
->where('resource_id', $model->id)
->get()
->filter(function ($storage) {
return in_array($storage->mount_path, [
'/var/lib/postgresql/certs/server.crt',
'/var/lib/postgresql/certs/server.key',
]);
})
->each(function ($storage) {
$storage->delete();
});
$model->fileStorages()->create([
'fs_path' => $configurationDir.'/ssl/server.crt',
'mount_path' => '/var/lib/postgresql/certs/server.crt',
'content' => $certificateStr,
'is_directory' => false,
'chmod' => '644',
'resource_type' => $resourceType,
'resource_id' => $resourceId,
]);
$model->fileStorages()->create([
'fs_path' => $configurationDir.'/ssl/server.key',
'mount_path' => '/var/lib/postgresql/certs/server.key',
'content' => $privateKeyStr,
'is_directory' => false,
'chmod' => '600',
'resource_type' => $resourceType,
'resource_id' => $resourceId,
]);
}
return $sslCertificate;
} catch (\Throwable $e) {
throw new \RuntimeException('SSL Certificate generation failed: '.$e->getMessage(), 0, $e);
}
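Review bot: `app($resourceType)->find($resourceId)` can return null, and the following `$model->fileStorages()` then fails with a call-on-null error that the `catch (\Throwable)` rewraps as "SSL Certificate generation failed" — after the `SslCertificate` row has already been created, so the caller sees a failure while a fresh certificate exists with no file mounts. Guard it before touching the relation: `$model = app($resourceType)->find($resourceId) ?? throw new \RuntimeException("Resource {$resourceType}#{$resourceId} not found for SSL file mounts");`. The hard-coded `/var/lib/postgresql/certs/...` mount paths tie this otherwise generic helper to Postgres; if any other database type reuses `generateSslCertificate` (not visible here) it would get the wrong mounts, so the paths belong with the caller, for example an optional `?array $mountPaths` parameter or a method on the resource model, rather than fixed inside the helper. The private key is now persisted a second time as `content` on the file-storage row; if `ssl_certificates.ssl_private_key` has any protection (an encrypted cast or similar, not visible here) the file-storage copy needs the same, and `in_array` should pass `true` for a strict comparison.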


@@ -144,6 +144,7 @@ class General extends Component
serverId: $existingCert->server_id,
caCert: $caCert->ssl_certificate,
caKey: $caCert->ssl_private_key,
configurationDir: $existingCert->configuration_dir,
);
$this->dispatch('success', 'SSL certificates have been regenerated. Please restart the database for changes to take effect.');
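Review bot: `$existingCert->configuration_dir` is null for any certificate row created before this column existed (the migration adds it nullable), and `generateSslCertificate` only rewrites the file mounts when `$configurationDir` is truthy, so regenerating such a certificate stores a new key pair in `ssl_certificates` while the mounted `server.crt`/`server.key` keep the previous content until the database is started again with SSL enabled, which appears to regenerate them. A fallback to the database's own configuration directory, `configurationDir: $existingCert->configuration_dir ?? $this->database->configuration_dir,` (property name to be confirmed against the model), keeps the mounts in step with the row. The success message could also state that the running container still serves the previous certificate until the restart. The enclosing method starts before this hunk.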


@@ -9,6 +9,7 @@ class SslCertificate extends Model
protected $fillable = [
'ssl_certificate',
'ssl_private_key',
'configuration_dir',
'resource_type',
'resource_id',
'server_id',


@@ -12,6 +12,7 @@ return new class extends Migration
$table->id();
$table->text('ssl_certificate');
$table->text('ssl_private_key');
$table->text('configuration_dir')->nullable();
$table->string('resource_type')->nullable();
$table->unsignedBigInteger('resource_id')->nullable();
$table->unsignedBigInteger('server_id');
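Review bot: The `configuration_dir` column is added by editing the existing create-table migration (the same `up()` body that declares `$table->id()`) rather than in a new migration, so any environment that has already run it will never receive the column, and the `SslCertificate::create([... 'configuration_dir' => ...])` call in `SslHelper` will then fail on an unknown column. If the `ssl_certificates` migration has shipped anywhere, add a separate migration, e.g. `Schema::table('ssl_certificates', fn (Blueprint $table) => $table->text('configuration_dir')->nullable());`, and leave the original untouched; if it has not shipped yet, a one-line note in the commit message saying so would save the next reviewer this check. The `up()` method begins and ends outside the hunk.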