Fix PostgreSQL SSL connection issue with sslmode=require in distroless images (#33523)

* Copy CA certificates to distroless

* Change home directory

---------

Co-authored-by: Mattermost Build <build@mattermost.com>

server/build/Dockerfile

@@ -31,6 +31,10 @@ RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
   && curl -L $MM_PACKAGE | tar -xvz \
   && chown -R mattermost:mattermost /mattermost /mattermost/data /mattermost/plugins /mattermost/client/plugins
 
+# Create PostgreSQL client SSL directory structure for ssl_mode=require
+RUN mkdir -p /mattermost/.postgresql \
+  && chmod 700 /mattermost/.postgresql
+
 # Final stage using distroless for minimal attack surface
 FROM gcr.io/distroless/base-debian12
 
@@ -41,6 +45,9 @@ ENV MM_SERVICESETTINGS_ENABLELOCALMODE="true"
 # Copy over metadata files needed by runtime
 COPY --from=builder /etc/mime.types /etc
 
+# Copy CA certificates for SSL/TLS validation with proper ownership
+COPY --from=builder --chown=2000:2000 /etc/ssl/certs /etc/ssl/certs
+
 # Copy document processing utilities and necessary support files
 COPY --from=builder /usr/bin/pdftotext /usr/bin/pdftotext
 COPY --from=builder /usr/bin/wvText /usr/bin/wvText
@@ -57,7 +64,7 @@ COPY --from=builder /usr/lib/libwv.so* /usr/lib/
 COPY --from=builder /usr/lib/libtidy.so* /usr/lib/
 COPY --from=builder /usr/lib/libfontconfig.so* /usr/lib/
 
-# Copy mattermost from builder stage 
+# Copy mattermost from builder stage
 COPY --from=builder --chown=2000:2000 /mattermost /mattermost
 
 # Copy passwd including mattermost user

server/build/passwd

@@ -1,4 +1,4 @@
 root:x:0:0:root:/root:/sbin/nologin
 nobody:x:65534:65534:nobody:/nonexistent:/sbin/nologin
 nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin
-mattermost:x:2000:2000:nonroot:/home/nonroot:/sbin/nologin
+mattermost:x:2000:2000:mattermost:/mattermost:/sbin/nologin