pg-cdc test: Fix certificate generation process for tests (#35751)

Follow-up to #35487

Causing test failures in main, see for example:
https://buildkite.com/materialize/test/builds/119386#019d2eee-d56c-4bd2-8d5e-409525b0a147
```
pg-cdc-ssl-ca-bundle.td:38:1: executing query failed: db error: ERROR: error performing TLS handshake: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:: self-signed certificate in certificate chain: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:: error:0A000086:SSL routines:tls_post_process_server_certificate:certificate verify failed:ssl/statem/statem_clnt.c:2091:
```

Author: def-

test/legacy-upgrade/mzcompose.py

@@ -41,7 +41,7 @@
     Zookeeper(),
     Kafka(),
     SchemaRegistry(),
-    Postgres(),
+    Postgres(volumes=["secrets:/certs:ro"]),
     MySql(),
     Cockroach(setup_materialize=True, in_memory=True),
     # Overridden below

test/pg-cdc-old-syntax/mzcompose.py

@@ -105,7 +105,9 @@ def create_postgres(
     else:
         image = f"postgres:{pg_version}"
 
-    return Postgres(image=image, extra_command=extra_command)
+    return Postgres(
+        image=image, extra_command=extra_command, volumes=["secrets:/certs:ro"]
+    )
 
 
 def get_testdrive_ssl_args(c: Composition):

test/pg-cdc/mzcompose.py

@@ -92,7 +92,9 @@ def create_postgres(
     else:
         image = f"postgres:{pg_version}"
 
-    return Postgres(image=image, extra_command=extra_command)
+    return Postgres(
+        image=image, extra_command=extra_command, volumes=["secrets:/certs:ro"]
+    )
 
 
 SERVICES = [

test/platform-checks/mzcompose.py

@@ -102,7 +102,7 @@ def create_mzs(
     Minio(setup_materialize=True, additional_directories=["copytos3"]),
     Azurite(),
     Mc(),
-    Postgres(),
+    Postgres(volumes=["secrets:/certs:ro"]),
     MySql(),
     SqlServer(),
     Zookeeper(),

test/postgres/Dockerfile

@@ -18,6 +18,11 @@ RUN apt-get update --fix-missing && TZ=UTC DEBIAN_FRONTEND=noninteractive apt-ge
     && rm -rf /var/lib/apt/lists/* \
     && rm -rf /usr/share/doc/* /usr/share/man/* /usr/share/info/* /usr/share/locale/* /var/cache/* /var/log/*
 
+# Bake in certs from test-certs as a build-time default.
 COPY --chown=postgres --from=certs /secrets/* /share/secrets/
 COPY pg_hba.conf /share/conf/pg_hba.conf
 COPY setup-postgres.sh /docker-entrypoint-initdb.d/setup-postgres.sh
+COPY entrypoint-wrapper.sh /usr/local/bin/entrypoint-wrapper.sh
+
+ENTRYPOINT ["entrypoint-wrapper.sh"]
+CMD ["postgres"]

test/postgres/entrypoint-wrapper.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# Copyright Materialize, Inc. and contributors. All rights reserved.
+#
+# Use of this software is governed by the Business Source License
+# included in the LICENSE file at the root of this repository.
+#
+# As of the Change Date specified in that file, in accordance with
+# the Business Source License, use of this software will be governed
+# by the Apache License, Version 2.0.
+
+# Override baked-in TLS certificates with runtime certs from the test-certs
+# container (shared via the secrets volume at /certs). This ensures postgres
+# always uses the same CA that tests read from the test-certs container,
+# eliminating mismatches when Docker images are rebuilt independently.
+
+set -euo pipefail
+
+if [ -f /certs/postgres.crt ]; then
+    cp /certs/* /share/secrets/
+    chown -R postgres:postgres /share/secrets
+    chmod 600 /share/secrets/postgres.key
+fi
+
+exec docker-entrypoint.sh "$@"

test/ssh-connection/mzcompose.py

@@ -40,7 +40,7 @@
     Materialized(),
     Testdrive(consistent_seed=True),
     SshBastionHost(),
-    Postgres(),
+    Postgres(volumes=["secrets:/certs:ro"]),
     TestCerts(),
     Redpanda(),
     MySql(),