fix: ensure PGSSL* environment variables are explicitly set by stripping inherited values

fix: use psycopg2.sql for safe database drop and create commands

fix: Also check POSTGRES_SSL is true before skipping default POSTGRES_PASSWORD

fix: update usage comment to reflect correct script path

fix: improve cleanup logic to conditionally remove certificate directory
This commit is contained in:
SergeantPanda 2026-03-31 09:44:55 -05:00
parent 763f42cfff
commit 6f8ca243af
5 changed files with 11 additions and 7 deletions

View file

@ -51,7 +51,9 @@ def _get_pg_env() -> dict:
"sslcert": "PGSSLCERT",
"sslkey": "PGSSLKEY",
}
# Always strip inherited PGSSL* vars first, then set only what is explicitly configured
for opt_key, env_key in _ssl_env_map.items():
env.pop(env_key, None)
value = options.get(opt_key)
if value:
env[env_key] = value

View file

@ -1,5 +1,6 @@
import sys
import psycopg2
from psycopg2 import sql
from django.core.management.base import BaseCommand
from django.conf import settings
from django.db import connection
@ -41,9 +42,9 @@ class Command(BaseCommand):
conn.autocommit = True
cur = conn.cursor()
self.stdout.write(f"Dropping database '{db_name}'...")
cur.execute(f"DROP DATABASE IF EXISTS {db_name};")
cur.execute(sql.SQL("DROP DATABASE IF EXISTS {}").format(sql.Identifier(db_name)))
self.stdout.write(f"Creating database '{db_name}'...")
cur.execute(f"CREATE DATABASE {db_name};")
cur.execute(sql.SQL("CREATE DATABASE {}").format(sql.Identifier(db_name)))
cur.close()
conn.close()
self.stdout.write(self.style.SUCCESS(f"Database '{db_name}' has been dropped and recreated."))

View file

@ -31,8 +31,9 @@ echo_with_timestamp() {
export POSTGRES_DB=${POSTGRES_DB:-dispatcharr}
export POSTGRES_USER=${POSTGRES_USER:-dispatch}
# AIO mode: default to 'secret' for internal DB.
# Modular mode: no default — cert-only auth (mTLS) uses no password.
if [[ "${DISPATCHARR_ENV:-}" == "modular" ]]; then
# Modular mode + TLS: no default — cert-only auth (mTLS) uses no password.
# Modular mode + no TLS: preserve 'secret' default for backward compatibility.
if [[ "${DISPATCHARR_ENV:-}" == "modular" && "${POSTGRES_SSL:-}" == "true" ]]; then
export POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-}"
else
export POSTGRES_PASSWORD="${POSTGRES_PASSWORD:-secret}"

View file

@ -11,7 +11,7 @@
#
# Usage: source this script with FIXED_KEY_PATH set to the destination.
# FIXED_KEY_PATH="/data/.pg-client.key"
# . /app/docker/init/fix-pg-ssl-key.sh
# . /app/docker/init/00-fix-pg-ssl-key.sh
#
# After sourcing, POSTGRES_SSL_KEY is updated to the fixed path if a copy
# was needed. The caller is responsible for propagating the new value to

View file

@ -97,7 +97,7 @@ fresh_volume() {
}
cleanup_scenario() {
if [ "$KEEP_ON_FAIL" = true ] && [ ${#ERRORS[@]} -gt 0 ]; then
if [ "$KEEP_ON_FAIL" = true ] && [ "$FAIL" -gt "${SCENARIO_FAIL_BEFORE:-0}" ]; then
log_info "Keeping resources for debugging (--keep-on-fail)"
CLEANUP_ITEMS=()
return
@ -114,7 +114,7 @@ cleanup_scenario() {
CLEANUP_ITEMS=()
}
trap 'cleanup_scenario' EXIT
trap 'cleanup_scenario; [ -n "$CERT_DIR" ] && rm -rf "$CERT_DIR"' EXIT
wait_for_ready() {
local name="$1"