From 9ff4196be4e4af0e534d26cc491950c1e90ea3a7 Mon Sep 17 00:00:00 2001
From: Salvatore D'Angelo
Date: Wed, 30 Aug 2023 13:16:49 +0200
Subject: [PATCH] Fix ssl.SSLError: [SSL: HTTP_REQUEST] http request (_ssl.c:997) in Spilo code
---
 postgres-appliance/runit/pgqd/run | 2 +-
 postgres-appliance/scripts/patroni_wait.sh | 28 ++++++++++++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/postgres-appliance/runit/pgqd/run b/postgres-appliance/runit/pgqd/run
index 27721aa18..a6f6c04db 100755
--- a/postgres-appliance/runit/pgqd/run
+++ b/postgres-appliance/runit/pgqd/run
@@ -6,4 +6,4 @@ if ! $CHPST true 2> /dev/null; then
 fi
 exec 2>&1
-exec $CHPST env -i PGAPPNAME="pgq ticker" /scripts/patroni_wait.sh --role master -- /usr/bin/pgqd /home/postgres/pgq_ticker.ini
+exec $CHPST env -i PGAPPNAME="pgq ticker" SSL_RESTAPI_CERTIFICATE_FILE="$SSL_RESTAPI_CERTIFICATE_FILE" SSL_RESTAPI_PRIVATE_KEY_FILE="$SSL_RESTAPI_PRIVATE_KEY_FILE" SSL_RESTAPI_CA_FILE="$SSL_RESTAPI_CA_FILE" /scripts/patroni_wait.sh --role master -- /usr/bin/pgqd /home/postgres/pgq_ticker.ini
diff --git a/postgres-appliance/scripts/patroni_wait.sh b/postgres-appliance/scripts/patroni_wait.sh
index 79a0be650..4e996c868 100755
--- a/postgres-appliance/scripts/patroni_wait.sh
+++ b/postgres-appliance/scripts/patroni_wait.sh
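Review bot: `APIPORT` is missing from the variables passed through `env -i` on the new `exec` line, while the `patroni_wait.sh` hunk of this same patch starts reading `$APIPORT` to choose the REST API port. Because `env -i` clears the environment, a wait script started from this run file would always fall back to port 8008, even when the API listens elsewhere. If `APIPORT` is set in this service's environment (not visible here), add `APIPORT="$APIPORT"` next to the three `SSL_RESTAPI_*` assignments.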
@@ -62,8 +62,32 @@ done
 if [ $# -gt 0 ]; then
 [ -n "$TIMEOUT" ] && CUTOFF=$(($(date +%s)+TIMEOUT))
- while [ "$(curl -so /dev/null -w '%{http_code}' "http://localhost:8008/$ROLE")" != "200" ]; do
- [ -n "$TIMEOUT" ] && [ $CUTOFF -le "$(date +%s)" ] && exit 2
+ PORT=8008
+ if [ -n "$APIPORT" ]
+ then
+ PORT="$APIPORT"
+ fi
+
+ options=""
+ protocol="http"
+
+ # If Patroni is configured in SSL we need to query the Patroni REST API using the
+ # HTTPS protocol and certificates.
+ if [ "$SSL_RESTAPI_CERTIFICATE_FILE" != "" ] && [ "$SSL_RESTAPI_PRIVATE_KEY_FILE" != "" ]
+ then
+ protocol="https"
+ options="$options --cert $SSL_RESTAPI_CERTIFICATE_FILE --key $SSL_RESTAPI_PRIVATE_KEY_FILE"
+ fi
+
+ if [ "$SSL_RESTAPI_CA_FILE" != "" ]
+ then
+ protocol="https"
+ options="$options --cacert $SSL_RESTAPI_CA_FILE"
+ fi
+
+ # shellcheck disable=SC2086
+ while [ "$(curl -so /dev/null -w '%{http_code}' $options "$protocol://localhost:$PORT/$ROLE")" != "200" ]; do
+ [ -n "$TIMEOUT" ] && [ "$CUTOFF" -le "$(date +%s)" ] && exit 2
 sleep "$INTERVAL"
 done
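Review bot: `$options` is expanded unquoted in the new `curl` call (hence the SC2086 suppression), so a certificate, key or CA path from the environment that contains whitespace or glob characters is split or expanded into extra curl arguments. If the script runs under bash (its shebang is outside the hunk), an array avoids this: `options+=(--cert "$SSL_RESTAPI_CERTIFICATE_FILE" --key "$SSL_RESTAPI_PRIVATE_KEY_FILE")` with `"${options[@]}"` in the call. Separately, `-s` hides TLS errors, so a failed verification (for example a certificate not valid for `localhost`, or no `--cacert` when only cert and key are set) only yields `000`, and the loop waits forever when `TIMEOUT` is unset. Using `curl -sSo /dev/null` would put the reason in the service log while keeping verification on, rather than inviting a later switch to `-k`. The enclosing `if [ $# -gt 0 ]` block continues outside the hunk.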