build: capture certs on startup

database/testdata/gencerts.sh

@@ -1,11 +1,14 @@
 #!/bin/bash
+set -e
+
 # This script generates TLS certs for local development:
 # - Creates a self-signed root CA
 # - Generates server and client certs signed by the root CA
 # - Sets up certs for localhost use (e.g., local HTTPS and mTLS testing)
 # Note: These certs are for development/testing only, not for production use.
 mkdir -p testcerts
 cd testcerts
+
 echo "STARTING Generating test certificates"
 openssl genrsa -out root.key 2048
 openssl req -new -x509 -days 365 -key root.key -subj "/C=CN/ST=GD/L=SZ/O=Moov, Inc./CN=Moov Root CA" -out root.crt
@@ -14,10 +17,8 @@ openssl x509 -req -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1")
 openssl req -newkey rsa:2048 -nodes -keyout client.key -subj "/C=CN/ST=GD/L=SZ/O=Moov, Inc./CN=moov" -out client.csr
 openssl x509 -req -extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1") -days 365 -in client.csr -CA root.crt -CAkey root.key -CAcreateserial -out client.crt
 
-# On Github Actions chmod to match the uid/gid of our container
-if [[ "$GITHUB_ACTIONS" != "" ]];
-then
-    chown 999:999 *.crt *.key
-fi
+rm -f server.csr client.csr
+chmod 600 *.key
+chmod 644 *.crt
 
 echo "FINIHSED Generating test certificates"

database/testdata/owncerts.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -e
+
+chmod 600 /var/lib/postgresql/*.key
+chmod 644 /var/lib/postgresql/*.crt
+
+chown postgres:postgres /var/lib/postgresql/*.key
+chown postgres:postgres /var/lib/postgresql/*.crt
+
+ls -l /var/lib/postgresql/

docker-compose.yml

@@ -49,6 +49,7 @@ services:
       - ./testcerts/root.crt:/var/lib/postgresql/root.crt
       - ./testcerts/server.crt:/var/lib/postgresql/server.crt
       - ./testcerts/server.key:/var/lib/postgresql/server.key
+      - ./database/testdata/owncerts.sh:/docker-entrypoint-initdb.d/owncerts.sh
 
 networks:
   intranet: