Add new env variable PGCONNECT_ADDRESS for postgresql connect_address

ENVIRONMENT.rst

@@ -30,6 +30,7 @@ Environment Configuration Settings
 - **ALLOW_NOSSL**: set to allow clients to connect without SSL enabled.
 - **PGPORT**: port PostgreSQL listens to for client connections, 5432 by default
 - **PGVERSION**: Specifies the version of postgreSQL to reference in the bin_dir variable (/usr/lib/postgresql/PGVERSION/bin) if postgresql.bin_dir wasn't set in SPILO_CONFIGURATION
+- **PGCONNECT_ADDRESS**: When you configure postgreSQL behind NAT or you set a hostname based SSL certificate for it you might need to advertise different connect address (for example external IP, hostname instead of IP) for the replicas.
 - **SCOPE**: cluster name, multiple Spilos belonging to the same cluster must have identical scope.
 - **SSL_CA_FILE**: path to the SSL CA certificate file inside the container (by default: '')
 - **SSL_CRL_FILE**: path to the SSL Certificate Revocation List file inside the container (by default: '')

postgres-appliance/build.sh

@@ -0,0 +1,15 @@
+#/bin/bash
+WITH_PERL=false # set to true if you want to install perl and plperl packages into image
+PGVERSION="17"
+DEMO=false # set to true to build the smallest possible image which will work only on Kubernetes
+TIMESCALEDB_APACHE_ONLY=false # set to false to build timescaledb community version (Timescale License)
+TIMESCALEDB_TOOLKIT=false # set to false to skip installing toolkit with timescaledb community edition. Only relevant when TIMESCALEDB_APACHE_ONLY=false
+ADDITIONAL_LOCALES=fi_FI # additional UTF-8 locales to build into image (example: "de_DE pl_PL fr_FR")
+
+docker build -t ghcr.io/damischa1/spilo:X.X . \
+       --build-arg WITH_PERL=false \
+       --build-arg PGVERSION="17" \
+       --build-arg DEMO=false \
+       --build-arg TIMESCALEDB_APACHE_ONLY=false \
+       --build-arg TIMESCALEDB_TOOLKIT=false \
+       --build-arg ADDITIONAL_LOCALES=fi_FI

postgres-appliance/scripts/configure_spilo.py

@@ -278,13 +278,16 @@ def deep_update(a, b):
   {{#SSL_RESTAPI_PRIVATE_KEY_FILE}}
   keyfile: {{SSL_RESTAPI_PRIVATE_KEY_FILE}}
   {{/SSL_RESTAPI_PRIVATE_KEY_FILE}}
+  {{#SSL_RESTAPI_VERIFY_CLIENT}}
+  verify_client: {{SSL_RESTAPI_VERIFY_CLIENT}}
+  {{/SSL_RESTAPI_VERIFY_CLIENT}}
 postgresql:
   pgpass: /run/postgresql/pgpass
   use_unix_socket: true
   use_unix_socket_repl: true
   name: '{{instance_data.id}}'
   listen: '*:{{PGPORT}}'
-  connect_address: {{instance_data.ip}}:{{PGPORT}}
+  connect_address: {{PGCONNECT_ADDRESS}}:{{PGPORT}}
   data_dir: {{PGDATA}}
   parameters:
     archive_command: {{{postgresql.parameters.archive_command}}}
@@ -555,6 +558,7 @@ def get_placeholders(provider):
     placeholders.setdefault('SSL_RESTAPI_CA_FILE', '')
     placeholders.setdefault('SSL_RESTAPI_CERTIFICATE_FILE', '')
     placeholders.setdefault('SSL_RESTAPI_PRIVATE_KEY_FILE', '')
+    placeholders.setdefault('SSL_RESTAPI_VERIFY_CLIENT', '')
     placeholders.setdefault('WALE_BACKUP_THRESHOLD_MEGABYTES', 102400)
     placeholders.setdefault('WALE_BACKUP_THRESHOLD_PERCENTAGE', 30)
     placeholders.setdefault('INITDB_LOCALE', 'en_US')
@@ -696,6 +700,7 @@ def get_placeholders(provider):
 
     placeholders['instance_data'] = get_instance_metadata(provider)
     placeholders.setdefault('RESTAPI_CONNECT_ADDRESS', placeholders['instance_data']['ip'])
+    placeholders.setdefault('PGCONNECT_ADDRESS', placeholders['instance_data']['ip'])
 
     placeholders['BGMON_LISTEN_IP'] = get_listen_ip()
 

postgres-appliance/scripts/patroni_wait.sh

@@ -54,6 +54,7 @@ do
     *)
         echo "Unknown option: $1"
         exit 1
+
         ;;
     esac
     shift
@@ -62,7 +63,13 @@ done
 if [ $# -gt 0 ]; then
     [ -n "$TIMEOUT" ] && CUTOFF=$(($(date +%s)+TIMEOUT))
 
-    while [ "$(curl -so /dev/null -w '%{http_code}' "http://localhost:8008/$ROLE")" != "200" ]; do
+    if [ -z "$RESTAPI_CONNECT_ADDRESS" ]; then
+      ADDRESS="localhost"
+        else
+      ADDRESS="$RESTAPI_CONNECT_ADDRESS"
+    fi
+
+    while [ "$(curl --cert $SSL_RESTAPI_CERTIFICATE_FILE --key $SSL_PRIVATE_KEY_FILE --cacert $SSL_RESTAPI_CA_FILE -so /dev/null -w '%{http_code}' "https://$ADDRESS:8008/$ROLE")" != "200" ]; do
         [ -n "$TIMEOUT" ] && [ $CUTOFF -le "$(date +%s)" ] && exit 2
         sleep "$INTERVAL"
     done