observIQ · jsirianni · May 14, 2024 · Apr 25, 2024 · Apr 25, 2024 · Apr 25, 2024
@@ -0,0 +1,74 @@
+#!/usr/bin/env bash
+
+set -e
+
+curl -L -o step-cli_amd64.deb https://github.com/smallstep/cli/releases/download/v0.26.1/step-cli_0.26.1_amd64.deb
+sudo apt-get install -y -qq -f ./step-cli_amd64.deb
+
+step certificate create \
+  ca.ldap.example.com \
+    ca.crt ca.key \
+    --profile root-ca \
+    --no-password \
+    --insecure \
+    --not-after=87600h
+
+# Can be used for server and client
+# despite the name being "client".
+step certificate create \
+    'ldap.example.com' \
+    client.crt client.key \
+    --profile leaf \
+    --not-after 2160h \
+    --no-password \
+    --insecure \
+    --ca ca.crt \
+    --ca-key ca.key
+
+kubectl create secret generic ldap-tls \
+    --from-file ca.crt \
+    --from-file client.crt \
+    --from-file client.key
+
+rm -f ca.crt ca.key client.crt client.key
+
+step certificate create \
+  postgres.svc.cluster.local \
+    ca.crt ca.key \
+    --profile root-ca \
+    --no-password \
+    --insecure \
+    --not-after=87600h
+
+step certificate create \
+    'postgres' \
+    client.crt client.key \
+    --profile leaf \
+    --not-after 2160h \
+    --no-password \
+    --insecure \
+    --ca ca.crt \
+    --ca-key ca.key
+
+step certificate create \
+    'postgres.postgres.svc.cluster.local' \
+    server.crt server.key \
+    --profile leaf \
+    --not-after 2160h \
+    --no-password \
+    --insecure \
+    --ca ca.crt \
+    --ca-key ca.key
+
+kubectl create secret generic postgres-tls \
+    --from-file ca.crt \
+    --from-file client.crt \
+    --from-file client.key
+
+kubectl create namespace postgres || true
+
+kubectl create secret generic postgres-tls \
+    -n postgres \
+    --from-file ca.crt \
+    --from-file server.crt \
+    --from-file server.key
@@ -27,6 +27,7 @@ jobs:
           - "ingress"
           - "volume"
           - "pubsub"
+          - "postgres"
         k8s_version:
           - v1.25.0
           - v1.27.0
@@ -51,8 +52,8 @@ jobs:
       - name: Deploy PubSub Emulator
         run: kubectl apply -f test/helper/pubsub/pubsub.yaml
 
-      - name: Deploy LDAP Certificate
-        run: .github/scripts/ldap.sh
+      - name: Deploy Certificate
+        run: .github/scripts/tls.sh
 
       - name: Wait For Ingress Pods
         run: |

@@ -3,7 +3,7 @@ name: bindplane
 description: BindPlane OP is an observability pipeline.
 type: application
 # The chart's version
-version: 1.10.4
+version: 1.11.0
 # The BindPlane OP tagged release. If the user does not
 # set the `image.tag` values option, this version is used.
 appVersion: 1.56.0

@@ -47,7 +47,11 @@ BindPlane OP is an observability pipeline.
 | backend.postgres.maxConnections | int | `100` | Max number of connections to use when communicating with Postgres. |
 | backend.postgres.password | string | `""` | Password for the username used to connect to Postgres. |
 | backend.postgres.port | int | `5432` | TCP port used to connect to Postgres. |
-| backend.postgres.sslmode | string | `"disable"` | SSL mode to use when connecting to Postgres over TLS. See the [postgres ssl documentation](https://jdbc.postgresql.org/documentation/ssl/) for valid options. |
+| backend.postgres.sslmode | string | `"disable"` | SSL mode to use when connecting to Postgres over TLS. Supported options include "disable", "require", "verify-ca", "verify-full". See the [postgres ssl documentation](https://jdbc.postgresql.org/documentation/ssl/) for more information. |
+| backend.postgres.sslsecret.name | string | `"bindplane-postgres-tls"` | Name of the secret that contains the Postgres TLS certificate(s). When SSL mode is set to `verify-ca` or `verify-full`, this secret will be used to mount certificates into the BindPlane container. |
+| backend.postgres.sslsecret.sslcertSubPath | string | `""` | Path to the client certificate used to authenticate with the Postgres server, when mutual TLS is required. |
+| backend.postgres.sslsecret.sslkeySubPath | string | `""` | Path to the client private key used to authenticate with the Postgres server, when mutual TLS is required. |
+| backend.postgres.sslsecret.sslrootcertSubPath | string | `""` | Path to the CA certificate used to verify the Postgres server's certificate. |
 | backend.postgres.username | string | `""` | Username to use when connecting to Postgres. |
 | backend.type | string | `"bbolt"` | Backend to use for persistent storage. Available options are `bbolt`, and `postgres`. |
 | config.accept_eula | bool | `true` | Whether or not to accept the EULA. EULA acceptance is required. See https://observiq.com/legal/eula. |

@@ -38,6 +38,34 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.backend.postgres.sslsecret.name }}
+      initContainers:
+        - name: postgres-tls
+          image: busybox
+          command:
+          - sh
+          - -c
+          - /bin/sh /init.sh
+          volumeMounts:
+            - name: postgres-tls-init
+              mountPath: /init.sh
+              subPath: init.sh
+            - mountPath: /postgres-tls
+              name: postgres-tls-dir
+            {{- if .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
+            - mountPath: /ca.crt
+              name: {{ .Values.backend.postgres.sslsecret.name }}
+              subPath: {{ .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
+            {{- end }}
+            {{- if .Values.backend.postgres.sslsecret.sslcertSubPath }}
+            - mountPath: /client.crt
+              name: {{ .Values.backend.postgres.sslsecret.name }}
+              subPath: {{ .Values.backend.postgres.sslsecret.sslcertSubPath }}
+            - mountPath: /client.key
+              name: {{ .Values.backend.postgres.sslsecret.name }}
+              subPath: {{ .Values.backend.postgres.sslsecret.sslkeySubPath }}
+            {{- end }}
+      {{- end }}
       containers:
         - name: server
           image: {{ include "bindplane.image" . }}:{{ include "bindplane.tag" . }}
@@ -134,6 +162,16 @@ spec:
               value: {{ .Values.backend.postgres.database }}
             - name: BINDPLANE_POSTGRES_SSL_MODE
               value: {{ .Values.backend.postgres.sslmode }}
+            {{- if .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
+            - name: BINDPLANE_POSTGRES_SSL_ROOT_CERT
+              value: /postgres-tls/ca.crt
+            {{- end }}
+            {{- if .Values.backend.postgres.sslsecret.sslcertSubPath }}
+            - name: BINDPLANE_POSTGRES_SSL_CERT
+              value: /postgres-tls/client.crt
+            - name: BINDPLANE_POSTGRES_SSL_KEY
+              value: /postgres-tls/client.key
+            {{- end }}
             - name: BINDPLANE_POSTGRES_MAX_CONNECTIONS
               value: "{{ .Values.backend.postgres.maxConnections }}"
             {{- else }}
@@ -408,6 +446,10 @@ spec:
               subPath: {{ .Values.prometheus.tls.secret.keySubPath }}
             {{- end }}
             {{- end }}
+            {{- if .Values.backend.postgres.sslsecret.name }}
+            - mountPath: /postgres-tls
+              name: postgres-tls-dir
+            {{- end }}
             {{- if len .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -455,6 +497,17 @@ spec:
             secretName: {{ .Values.prometheus.tls.secret.name }}
         {{- end }}
         {{- end }}
+        {{- if .Values.backend.postgres.sslsecret.name }}
+        - name: postgres-tls-dir
+          emptyDir: {}
+        - name: {{ .Values.backend.postgres.sslsecret.name }}
+          secret:
+            defaultMode: 0400
+            secretName: {{ .Values.backend.postgres.sslsecret.name }}
+        - name: postgres-tls-init
+          configMap:
+            name: postgres-tls-init
+        {{- end }}
         {{- if len .Values.extraVolumes }}
         {{- toYaml .Values.extraVolumes | nindent 8 }}
         {{- end }}

@@ -1,3 +1,4 @@
+---
 apiVersion: apps/v1
 kind: {{ include "bindplane.deployment_type" . }}
 metadata:
@@ -49,6 +50,34 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      {{- if .Values.backend.postgres.sslsecret.name }}
+      initContainers:
+        - name: postgres-tls
+          image: busybox
+          command:
+          - sh
+          - -c
+          - /bin/sh /init.sh
+          volumeMounts:
+            - name: postgres-tls-init
+              mountPath: /init.sh
+              subPath: init.sh
+            - mountPath: /postgres-tls
+              name: postgres-tls-dir
+            {{- if .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
+            - mountPath: /ca.crt
+              name: {{ .Values.backend.postgres.sslsecret.name }}
+              subPath: {{ .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
+            {{- end }}
+            {{- if .Values.backend.postgres.sslsecret.sslcertSubPath }}
+            - mountPath: /client.crt
+              name: {{ .Values.backend.postgres.sslsecret.name }}
+              subPath: {{ .Values.backend.postgres.sslsecret.sslcertSubPath }}
+            - mountPath: /client.key
+              name: {{ .Values.backend.postgres.sslsecret.name }}
+              subPath: {{ .Values.backend.postgres.sslsecret.sslkeySubPath }}
+            {{- end }}
+      {{- end }}
       containers:
         - name: server
           image: {{ include "bindplane.image" . }}:{{ include "bindplane.tag" . }}
@@ -149,6 +178,16 @@ spec:
               value: {{ .Values.backend.postgres.database }}
             - name: BINDPLANE_POSTGRES_SSL_MODE
               value: {{ .Values.backend.postgres.sslmode }}
+            {{- if .Values.backend.postgres.sslsecret.sslrootcertSubPath }}
+            - name: BINDPLANE_POSTGRES_SSL_ROOT_CERT
+              value: /postgres-tls/ca.crt
+            {{- end }}
+            {{- if .Values.backend.postgres.sslsecret.sslcertSubPath }}
+            - name: BINDPLANE_POSTGRES_SSL_CERT
+              value: /postgres-tls/client.crt
+            - name: BINDPLANE_POSTGRES_SSL_KEY
+              value: /postgres-tls/client.key
+            {{- end }}
             - name: BINDPLANE_POSTGRES_MAX_CONNECTIONS
               value: "{{ .Values.backend.postgres.maxConnections }}"
             {{- else }}
@@ -425,6 +464,10 @@ spec:
               subPath: {{ .Values.prometheus.tls.secret.keySubPath }}
             {{- end }}
             {{- end }}
+            {{- if .Values.backend.postgres.sslsecret.name }}
+            - mountPath: /postgres-tls
+              name: postgres-tls-dir
+            {{- end }}
             {{- if len .Values.extraVolumeMounts }}
             {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
             {{- end }}
@@ -496,6 +539,17 @@ spec:
             secretName: {{ .Values.prometheus.tls.secret.name }}
         {{- end }}
         {{- end }}
+        {{- if .Values.backend.postgres.sslsecret.name }}
+        - name: postgres-tls-dir
+          emptyDir: {}
+        - name: {{ .Values.backend.postgres.sslsecret.name }}
+          secret:
+            defaultMode: 0400
+            secretName: {{ .Values.backend.postgres.sslsecret.name }}
+        - name: postgres-tls-init
+          configMap:
+            name: postgres-tls-init
+        {{- end }}
         {{- if len .Values.extraVolumes }}
         {{- toYaml .Values.extraVolumes | nindent 8 }}
         {{- end }}

@@ -0,0 +1,12 @@
+{{- if .Values.backend.postgres.sslsecret.name }}
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: postgres-tls-init
+data:
+  init.sh: |
+    #!/bin/sh
+    cp /ca.crt /client.crt /client.key /postgres-tls
+    chmod 0400 /postgres-tls/*
+    chown -R 65534:65534 /postgres-tls
+{{ end }}
@@ -18,8 +18,20 @@ backend:
     port: 5432
     # -- Database to use.
     database: ""
-    # -- SSL mode to use when connecting to Postgres over TLS. See the [postgres ssl documentation](https://jdbc.postgresql.org/documentation/ssl/) for valid options.
+    # -- SSL mode to use when connecting to Postgres over TLS. Supported options include "disable", "require", "verify-ca", "verify-full". See the [postgres ssl documentation](https://jdbc.postgresql.org/documentation/ssl/) for more information.
     sslmode: "disable"
+    sslsecret:
+      # -- Name of the secret that contains the Postgres TLS certificate(s). When SSL mode is set to
+      # `verify-ca` or `verify-full`, this secret will be used to mount certificates into the BindPlane
+      # container. Requires BindPlane v1.56.0 or newer.
+      name: ""
+      # -- Path to the CA certificate used to verify the Postgres server's certificate.
+      sslrootcertSubPath: ""
+      # -- Path to the client certificate used to authenticate with the Postgres server, when mutual TLS is required.
+      sslcertSubPath: ""
+      # -- Path to the client private key used to authenticate with the Postgres server, when mutual TLS is required.
+      # Required when `sslcertSubPath` is set.
+      sslkeySubPath: ""
     # -- Username to use when connecting to Postgres.
     username: ""
     # -- Password for the username used to connect to Postgres.

@@ -0,0 +1,40 @@
+# Required options
+config:
+  username: bpuser
+  password: bppass
+  sessions_secret: 4484766F-5016-4077-B8E0-0DE1D637854B
+  licenseUseSecret: true
+
+backend:
+  type: postgres
+  postgres:
+    host: postgres.postgres.svc.cluster.local
+    database: bindplane
+    username: postgres
+    password: password
+    maxConnections: 12
+    sslmode: verify-ca
+    sslsecret:
+      name: postgres-tls
+      sslrootcertSubPath: ca.crt
+      sslcertSubPath: client.crt
+      sslkeySubPath: client.key
+
+replicas: 2
+
+resources:
+  requests:
+    memory: 100Mi
+    cpu: 100m
+  limits:
+    memory: 100Mi
+    cpu: 100m
+
+jobs:
+  resources:
+    requests:
+      memory: 100Mi
+      cpu: 100m
+    limits:
+      memory: 100Mi
+      cpu: 100m