better handling of Postgres pg_hba.conf

comanage-registry-postgres/Dockerfile

@@ -40,4 +40,4 @@ ENV COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD ${COMANAGE_REGISTRY_POSTGRES_USER_P
 
 ENTRYPOINT ["/usr/local/bin/comanage-registry-postgres-entrypoint.sh"]
 
-CMD ["-c", "hba_file=/etc/postgres/pg_hba.conf"]
+CMD ["postgres"]

comanage-registry-postgres/create-pg_hba.conf.sh

@@ -21,21 +21,35 @@
 
 set -e
 
-mkdir -p /etc/postgres
-
-if [ -n "$COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD" ]
+# Measure the existing pg_hba.conf file to see if it is the default.
+# The default version written will depend on whether or not passwords
+# have been injected.
+CHECKSUM=`md5sum /var/lib/postgresql/data/pg_hba.conf | awk '{print $1}'`
+if [ "$CHECKSUM" = "d3cf011ed2c2f5ff9b7664911969c0f5" ] || [ "$CHECKSUM" = "42f44484c701461a44b713b1b6c0b901" ]
 then
+    PG_HBA_DEFAULT="1"
+else
+    PG_HBA_DEFAULT="0"
+fi
+
+# If the pg_hba.conf file is the default overwrite a more restrictive
+# version.
 
-    cat >> /etc/postgres/pg_hba.conf <<EOF
+if [ "$PG_HBA_DEFAULT" = "1" ]
+then
+    # If a password has been injected require it, otherwise just use samenet trust.
+    if [ -n "$COMANAGE_REGISTRY_POSTGRES_USER_PASSWORD" ] 
+    then
+        cat > /var/lib/postgresql/data/pg_hba.conf <<EOF
 local all postgres peer
 host $COMANAGE_REGISTRY_POSTGRES_DATABASE $COMANAGE_REGISTRY_POSTGRES_USER 127.0.0.1/32 md5
 host $COMANAGE_REGISTRY_POSTGRES_DATABASE $COMANAGE_REGISTRY_POSTGRES_USER samenet md5
 EOF
 
-else
-    cat >> /etc/postgres/pg_hba.conf <<EOF
+    else
+        cat > /var/lib/postgresql/data/pg_hba.conf <<EOF
 local all postgres peer
 host $COMANAGE_REGISTRY_POSTGRES_DATABASE $COMANAGE_REGISTRY_POSTGRES_USER samenet trust
 EOF
-
+    fi
 fi