Commit

feat(postgres): Support TLS ca and client keypair as a secret (#121)
* feat(postgres): Support TLS ca and client keypair as a secret

* Rename ldap script and create postgres tls secret

* add version notice

* wip, sort out cert permissions

* fix test postgres deployment and certificate script

* fix postgres cert init

* create ns if it does not exist

* move configmap to dedicated template. update jobs pod to use postgres tls init container

* revert
jsirianni authored May 14, 2024
1 parent 5c68026 commit ab8371d
Showing 11 changed files with 309 additions and 40 deletions.
30 changes: 0 additions & 30 deletions .github/scripts/ldap.sh

This file was deleted.

74 changes: 74 additions & 0 deletions .github/scripts/tls.sh
@@ -0,0 +1,74 @@
#!/usr/bin/env bash

set -e

curl -L -o step-cli_amd64.deb https://github.com/smallstep/cli/releases/download/v0.26.1/step-cli_0.26.1_amd64.deb
sudo apt-get install -y -qq -f ./step-cli_amd64.deb

step certificate create \
ca.ldap.example.com \
ca.crt ca.key \
--profile root-ca \
--no-password \
--insecure \
--not-after=87600h

# Can be used for server and client
# despite the name being "client".
step certificate create \
'ldap.example.com' \
client.crt client.key \
--profile leaf \
--not-after 2160h \
--no-password \
--insecure \
--ca ca.crt \
--ca-key ca.key

kubectl create secret generic ldap-tls \
--from-file ca.crt \
--from-file client.crt \
--from-file client.key

rm -f ca.crt ca.key client.crt client.key

step certificate create \
postgres.svc.cluster.local \
ca.crt ca.key \
--profile root-ca \
--no-password \
--insecure \
--not-after=87600h

step certificate create \
'postgres' \
client.crt client.key \
--profile leaf \
--not-after 2160h \
--no-password \
--insecure \
--ca ca.crt \
--ca-key ca.key

step certificate create \
'postgres.postgres.svc.cluster.local' \
server.crt server.key \
--profile leaf \
--not-after 2160h \
--no-password \
--insecure \
--ca ca.crt \
--ca-key ca.key

kubectl create secret generic postgres-tls \
--from-file ca.crt \
--from-file client.crt \
--from-file client.key

kubectl create namespace postgres || true

kubectl create secret generic postgres-tls \
-n postgres \
--from-file ca.crt \
--from-file server.crt \
--from-file server.key
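Review bot: the Postgres private keys are never cleaned up. The LDAP material is removed with `rm -f ca.crt ca.key client.crt client.key` before the Postgres section, but after the second `kubectl create secret generic postgres-tls` the script exits with `ca.key`, `client.key` and `server.key` still on the runner's filesystem; add a matching `rm -f` (or a `trap ... EXIT`) for `ca.crt ca.key client.crt client.key server.crt server.key`. Two smaller points: the step-cli `.deb` is fetched with `curl -L` and installed with `sudo apt-get install` without any checksum or signature check, so pin and verify its digest; and `kubectl create secret` is not idempotent, so a re-run against the same cluster fails on the first `postgres-tls` secret even though the namespace creation is guarded with `|| true`. Naming both secrets `postgres-tls` while one holds the CA plus client keypair (current namespace) and the other the CA plus server keypair (`-n postgres`) is also easy to misread; `postgres-server-tls` for the second would make the split obvious.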
5 changes: 3 additions & 2 deletions .github/workflows/ci.yml
Expand Up @@ -27,6 +27,7 @@ jobs:
- "ingress"
- "volume"
- "pubsub"
- "postgres"
k8s_version:
- v1.25.0
- v1.27.0
Expand All @@ -51,8 +52,8 @@ jobs:
- name: Deploy PubSub Emulator
run: kubectl apply -f test/helper/pubsub/pubsub.yaml

- name: Deploy LDAP Certificate
run: .github/scripts/ldap.sh
- name: Deploy Certificate
run: .github/scripts/tls.sh

- name: Wait For Ingress Pods
run: |
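Review bot: the renamed step "Deploy Certificate" now provisions both the LDAP and the Postgres TLS material (the script creates `ldap-tls` and two `postgres-tls` secrets in two namespaces), so a name such as "Deploy LDAP and Postgres TLS Secrets" would tell whoever reads a failed workflow log what actually ran in this step.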
2 changes: 1 addition & 1 deletion charts/bindplane/Chart.yaml
Expand Up @@ -3,7 +3,7 @@ name: bindplane
description: BindPlane OP is an observability pipeline.
type: application
# The chart's version
version: 1.10.4
version: 1.11.0
# The BindPlane OP tagged release. If the user does not
# set the `image.tag` values option, this version is used.
appVersion: 1.56.0
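Review bot: the minor bump to 1.11.0 is right for a new feature, and the unchanged `appVersion: 1.56.0` matches the "Requires BindPlane v1.56.0 or newer" note added in values.yaml; that dependency is only visible in a values comment, so record it in the chart changelog or README as well so users who pin an older `image.tag` know the new `sslsecret` values will not work with their image.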
6 changes: 5 additions & 1 deletion charts/bindplane/README.md
Expand Up @@ -47,7 +47,11 @@ BindPlane OP is an observability pipeline.
| backend.postgres.maxConnections | int | `100` | Max number of connections to use when communicating with Postgres. |
| backend.postgres.password | string | `""` | Password for the username used to connect to Postgres. |
| backend.postgres.port | int | `5432` | TCP port used to connect to Postgres. |
| backend.postgres.sslmode | string | `"disable"` | SSL mode to use when connecting to Postgres over TLS. See the [postgres ssl documentation](https://jdbc.postgresql.org/documentation/ssl/) for valid options. |
| backend.postgres.sslmode | string | `"disable"` | SSL mode to use when connecting to Postgres over TLS. Supported options include "disable", "require", "verify-ca", "verify-full". See the [postgres ssl documentation](https://jdbc.postgresql.org/documentation/ssl/) for more information. |
| backend.postgres.sslsecret.name | string | `"bindplane-postgres-tls"` | Name of the secret that contains the Postgres TLS certificate(s). When SSL mode is set to `verify-ca` or `verify-full`, this secret will be used to mount certificates into the BindPlane container. |
| backend.postgres.sslsecret.sslcertSubPath | string | `""` | Path to the client certificate used to authenticate with the Postgres server, when mutual TLS is required. |
| backend.postgres.sslsecret.sslkeySubPath | string | `""` | Path to the client private key used to authenticate with the Postgres server, when mutual TLS is required. |
| backend.postgres.sslsecret.sslrootcertSubPath | string | `""` | Path to the CA certificate used to verify the Postgres server's certificate. |
| backend.postgres.username | string | `""` | Username to use when connecting to Postgres. |
| backend.type | string | `"bbolt"` | Backend to use for persistent storage. Available options are `bbolt`, and `postgres`. |
| config.accept_eula | bool | `true` | Whether or not to accept the EULA. EULA acceptance is required. See https://observiq.com/legal/eula. |
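Review bot: the documented default for `backend.postgres.sslsecret.name` is `"bindplane-postgres-tls"`, but values.yaml in this same commit sets `name: ""`, so the table is out of sync with the chart (helm-docs regenerates it from values.yaml, which is probably where this drift came from). The table also omits two statements that only appear as values.yaml comments: that the feature requires BindPlane v1.56.0 or newer, and that `sslkeySubPath` is required whenever `sslcertSubPath` is set.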
53 changes: 53 additions & 0 deletions charts/bindplane/templates/bindplane-jobs.yaml
Expand Up @@ -38,6 +38,34 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.backend.postgres.sslsecret.name }}
initContainers:
- name: postgres-tls
image: busybox
command:
- sh
- -c
- /bin/sh /init.sh
volumeMounts:
- name: postgres-tls-init
mountPath: /init.sh
subPath: init.sh
- mountPath: /postgres-tls
name: postgres-tls-dir
{{- if .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
- mountPath: /ca.crt
name: {{ .Values.backend.postgres.sslsecret.name }}
subPath: {{ .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
{{- end }}
{{- if .Values.backend.postgres.sslsecret.sslcertSubPath }}
- mountPath: /client.crt
name: {{ .Values.backend.postgres.sslsecret.name }}
subPath: {{ .Values.backend.postgres.sslsecret.sslcertSubPath }}
- mountPath: /client.key
name: {{ .Values.backend.postgres.sslsecret.name }}
subPath: {{ .Values.backend.postgres.sslsecret.sslkeySubPath }}
{{- end }}
{{- end }}
containers:
- name: server
image: {{ include "bindplane.image" . }}:{{ include "bindplane.tag" . }}
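Review bot: the init container uses `image: busybox` with no tag or digest, so every pod start pulls whatever `latest` resolves to; pin it (tag plus `@sha256:` digest), since this container runs as root and handles the database client private key. Give it a restrictive `securityContext` as well (drop all capabilities except `CHOWN`, which the `chown -R 65534:65534` in `init.sh` needs, and set `readOnlyRootFilesystem: true`). Separately, `/client.key` is mounted with `subPath: {{ .Values.backend.postgres.sslsecret.sslkeySubPath }}` inside the `sslcertSubPath` condition, so setting `sslcertSubPath` without `sslkeySubPath` renders an empty `subPath` and the pod fails to start with an unhelpful mount error; a `required` check in the template would surface that at install time.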
Expand Down Expand Up @@ -134,6 +162,16 @@ spec:
value: {{ .Values.backend.postgres.database }}
- name: BINDPLANE_POSTGRES_SSL_MODE
value: {{ .Values.backend.postgres.sslmode }}
{{- if .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
- name: BINDPLANE_POSTGRES_SSL_ROOT_CERT
value: /postgres-tls/ca.crt
{{- end }}
{{- if .Values.backend.postgres.sslsecret.sslcertSubPath }}
- name: BINDPLANE_POSTGRES_SSL_CERT
value: /postgres-tls/client.crt
- name: BINDPLANE_POSTGRES_SSL_KEY
value: /postgres-tls/client.key
{{- end }}
- name: BINDPLANE_POSTGRES_MAX_CONNECTIONS
value: "{{ .Values.backend.postgres.maxConnections }}"
{{- else }}
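Review bot: the `BINDPLANE_POSTGRES_SSL_ROOT_CERT`, `_SSL_CERT` and `_SSL_KEY` variables are gated only on the `sslsecret.*SubPath` values, not on `sslmode`, so a user can set `sslsecret.name` and all three paths while `sslmode` stays at the default `"disable"` and get a plaintext connection with certificates mounted and unused. A template check that fails rendering when `sslsecret.name` is set but `sslmode` is not one of `require`, `verify-ca` or `verify-full` (the README lists exactly these) would prevent that silent misconfiguration.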
Expand Down Expand Up @@ -408,6 +446,10 @@ spec:
subPath: {{ .Values.prometheus.tls.secret.keySubPath }}
{{- end }}
{{- end }}
{{- if .Values.backend.postgres.sslsecret.name }}
- mountPath: /postgres-tls
name: postgres-tls-dir
{{- end }}
{{- if len .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
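Review bot: the `/postgres-tls` mount in the server container should carry `readOnly: true`. Only the init container needs to write into the emptyDir, and a read-only mount keeps a misbehaving or compromised application process from replacing the CA or client key that its own Postgres connection trusts.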
Expand Down Expand Up @@ -455,6 +497,17 @@ spec:
secretName: {{ .Values.prometheus.tls.secret.name }}
{{- end }}
{{- end }}
{{- if .Values.backend.postgres.sslsecret.name }}
- name: postgres-tls-dir
emptyDir: {}
- name: {{ .Values.backend.postgres.sslsecret.name }}
secret:
defaultMode: 0400
secretName: {{ .Values.backend.postgres.sslsecret.name }}
- name: postgres-tls-init
configMap:
name: postgres-tls-init
{{- end }}
{{- if len .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
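Review bot: the secret volume is named `{{ .Values.backend.postgres.sslsecret.name }}`, a user-supplied string, so it can collide with another volume name (including `extraVolumes` rendered just below) and must itself be a valid DNS label; the usual pattern is a fixed volume name such as `postgres-tls-secret` with only `secretName:` carrying the user value. `defaultMode: 0400` is fine here (YAML octal, 256 decimal, which is what the API expects).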
53 changes: 53 additions & 0 deletions charts/bindplane/templates/bindplane.yaml
Expand Up @@ -49,6 +49,34 @@ spec:
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if .Values.backend.postgres.sslsecret.name }}
initContainers:
- name: postgres-tls
image: busybox
command:
- sh
- -c
- /bin/sh /init.sh
volumeMounts:
- name: postgres-tls-init
mountPath: /init.sh
subPath: init.sh
- mountPath: /postgres-tls
name: postgres-tls-dir
{{- if .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
- mountPath: /ca.crt
name: {{ .Values.backend.postgres.sslsecret.name }}
subPath: {{ .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
{{- end }}
{{- if .Values.backend.postgres.sslsecret.sslcertSubPath }}
- mountPath: /client.crt
name: {{ .Values.backend.postgres.sslsecret.name }}
subPath: {{ .Values.backend.postgres.sslsecret.sslcertSubPath }}
- mountPath: /client.key
name: {{ .Values.backend.postgres.sslsecret.name }}
subPath: {{ .Values.backend.postgres.sslsecret.sslkeySubPath }}
{{- end }}
{{- end }}
containers:
- name: server
image: {{ include "bindplane.image" . }}:{{ include "bindplane.tag" . }}
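Review bot: this 28-line init container block is identical to the one added to bindplane-jobs.yaml in the same commit; move it into a named template (for example `bindplane.postgresTLSInitContainer` in `_helpers.tpl`) and `include` it from both Deployments, so a later fix to image pinning, the empty-`sslkeySubPath` case or the mount paths cannot land in one file and not the other. The same applies to the matching env, volumeMounts and volumes blocks duplicated between the two templates.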
Expand Down Expand Up @@ -149,6 +177,16 @@ spec:
value: {{ .Values.backend.postgres.database }}
- name: BINDPLANE_POSTGRES_SSL_MODE
value: {{ .Values.backend.postgres.sslmode }}
{{- if .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
- name: BINDPLANE_POSTGRES_SSL_ROOT_CERT
value: /postgres-tls/ca.crt
{{- end }}
{{- if .Values.backend.postgres.sslsecret.sslcertSubPath }}
- name: BINDPLANE_POSTGRES_SSL_CERT
value: /postgres-tls/client.crt
- name: BINDPLANE_POSTGRES_SSL_KEY
value: /postgres-tls/client.key
{{- end }}
- name: BINDPLANE_POSTGRES_MAX_CONNECTIONS
value: "{{ .Values.backend.postgres.maxConnections }}"
{{- else }}
Expand Down Expand Up @@ -425,6 +463,10 @@ spec:
subPath: {{ .Values.prometheus.tls.secret.keySubPath }}
{{- end }}
{{- end }}
{{- if .Values.backend.postgres.sslsecret.name }}
- mountPath: /postgres-tls
name: postgres-tls-dir
{{- end }}
{{- if len .Values.extraVolumeMounts }}
{{- toYaml .Values.extraVolumeMounts | nindent 12 }}
{{- end }}
Expand Down Expand Up @@ -496,6 +538,17 @@ spec:
secretName: {{ .Values.prometheus.tls.secret.name }}
{{- end }}
{{- end }}
{{- if .Values.backend.postgres.sslsecret.name }}
- name: postgres-tls-dir
emptyDir: {}
- name: {{ .Values.backend.postgres.sslsecret.name }}
secret:
defaultMode: 0400
secretName: {{ .Values.backend.postgres.sslsecret.name }}
- name: postgres-tls-init
configMap:
name: postgres-tls-init
{{- end }}
{{- if len .Values.extraVolumes }}
{{- toYaml .Values.extraVolumes | nindent 8 }}
{{- end }}
12 changes: 12 additions & 0 deletions charts/bindplane/templates/configmap.yaml
@@ -0,0 +1,12 @@
{{- if .Values.backend.postgres.sslsecret.name }}
kind: ConfigMap
apiVersion: v1
metadata:
name: postgres-tls-init
data:
init.sh: |
#!/bin/sh
cp /ca.crt /client.crt /client.key /postgres-tls
chmod 0400 /postgres-tls/*
chown -R 65534:65534 /postgres-tls
{{ end }}
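Review bot: `init.sh` has no `set -e`, so when `cp /ca.crt /client.crt /client.key /postgres-tls` fails (it will whenever only `sslrootcertSubPath` is set, because `/client.crt` and `/client.key` are then not mounted) the script still exits 0 via the final `chown` and the pod starts with whatever happened to be copied. Either add `set -e` and copy only the files that exist (`if [ -f "$f" ]; then cp "$f" /postgres-tls; fi` over the three paths), or render the `cp` arguments from the same conditions the Deployment templates use. The hard-coded `65534:65534` also assumes the BindPlane container runs as that UID; derive it from the chart's configured `runAsUser` instead of a literal. Finally, `name: postgres-tls-init` is not release-scoped, so two releases in one namespace fight over the same ConfigMap, and the closing `{{ end }}` should be `{{- end }}` to match the whitespace handling of the opening tag.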
14 changes: 13 additions & 1 deletion charts/bindplane/values.yaml
Expand Up @@ -18,8 +18,20 @@ backend:
port: 5432
# -- Database to use.
database: ""
# -- SSL mode to use when connecting to Postgres over TLS. See the [postgres ssl documentation](https://jdbc.postgresql.org/documentation/ssl/) for valid options.
# -- SSL mode to use when connecting to Postgres over TLS. Supported options include "disable", "require", "verify-ca", "verify-full". See the [postgres ssl documentation](https://jdbc.postgresql.org/documentation/ssl/) for more information.
sslmode: "disable"
sslsecret:
# -- Name of the secret that contains the Postgres TLS certificate(s). When SSL mode is set to
# `verify-ca` or `verify-full`, this secret will be used to mount certificates into the BindPlane
# container. Requires BindPlane v1.56.0 or newer.
name: ""
# -- Path to the CA certificate used to verify the Postgres server's certificate.
sslrootcertSubPath: ""
# -- Path to the client certificate used to authenticate with the Postgres server, when mutual TLS is required.
sslcertSubPath: ""
# -- Path to the client private key used to authenticate with the Postgres server, when mutual TLS is required.
# Required when `sslcertSubPath` is set.
sslkeySubPath: ""
# -- Username to use when connecting to Postgres.
username: ""
# -- Password for the username used to connect to Postgres.
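Review bot: the comment "Required when `sslcertSubPath` is set" on `sslkeySubPath` is documentation only; nothing in the templates enforces it, and an empty value renders an empty `subPath` on the `/client.key` mount. A `required "backend.postgres.sslsecret.sslkeySubPath must be set when sslcertSubPath is set"` in the template turns that into an install-time error. It would also help to say here that `sslsecret` has no effect while `sslmode` is left at the `"disable"` default, since the two settings are independent in the templates.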
40 changes: 40 additions & 0 deletions test/cases/postgres/values.yaml
@@ -0,0 +1,40 @@
# Required options
config:
username: bpuser
password: bppass
sessions_secret: 4484766F-5016-4077-B8E0-0DE1D637854B
licenseUseSecret: true

backend:
type: postgres
postgres:
host: postgres.postgres.svc.cluster.local
database: bindplane
username: postgres
password: password
maxConnections: 12
sslmode: verify-ca
sslsecret:
name: postgres-tls
sslrootcertSubPath: ca.crt
sslcertSubPath: client.crt
sslkeySubPath: client.key

replicas: 2

resources:
requests:
memory: 100Mi
cpu: 100m
limits:
memory: 100Mi
cpu: 100m

jobs:
resources:
requests:
memory: 100Mi
cpu: 100m
limits:
memory: 100Mi
cpu: 100m
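Review bot: `sslmode: verify-ca` does not exercise hostname verification, even though the server certificate generated by `.github/scripts/tls.sh` carries the name `postgres.postgres.svc.cluster.local`, which is exactly the `host` value used here; switching the test case to `verify-full` would cover the strongest mode the README documents at no extra cost. It is also worth a comment that the mounted client certificate and key are only validated if the test Postgres instance is configured to require client certificates; otherwise `sslcertSubPath` and `sslkeySubPath` are exercised by the chart but never by the server.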

0 comments on commit ab8371d
