feat(postgresql): add TLS related options #238
Conversation
This adds `sslCert`, `sslKey` and `sslRootCert` options to the PostgreSQL `ProviderConfig` needed to establish a connection to a database that either uses non-public certificates or requires client certificate authentication. I've opted to create the `Options` struct to hold these and the existing `sslMode` parameter, this will allow adding other options[1] easier in the future. [1] https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS Signed-off-by: Zoran Regvart <[email protected]>
|
Clear an nice code, thanks! One worry:
If we land on this design:
|
|
Thanks for having a look. Yes, this would require mounting files to the provider container, this was simplest for me to do. I can also, or solely, use a Secret, the secret would need to be fetched and placed in the $TMPDIR as well, or, I think, the I had a stab at the e2e tests, and I encountered a number of issues with port forwarding, not starting from the clean slate, etc. I have a work in progress commit here. Have a look at how the CA certificate from secret auto-generated by the Helm chart for PostgreSQL is mounted. |
Adds e2e tests for the functionality of providing the TLS options by testing with TLS turned on on the server side using the `tls.enabled=true` and `tls.autoGenerated=true` PostgreSQL Chart parameters. To make the tests as robust as possible: port forwarding is not used, but rather exposing the server port via NodePort; timeouts are increased on kubectl wait's, from 2 min to 3 min. The test iself reuses parts of the existing tests, and adds one additional check that asserts if TLS is used. Signed-off-by: Zoran Regvart <[email protected]>
An example on how to use custom TLS certificates with PostgreSQL. Signed-off-by: Zoran Regvart <[email protected]>
|
@zregvart cool, I do think we should look at secrets. For the public key it might make sense with a file but for client certs that might be per server or even role, right? I'll have to research a bit here and come back to you. |
|
I'll work on adding support for reading the key and certificates from the Secret as well, I think this can be done via the |
Adds support for configuring TLS options using the credentials Secret. Very similar to how other providers are configured, this now also reads the `clusterCA`, `clientCert` and `clientKey` keys from the Secret. Integration tests are added, though they could be optimized to setup the PostgreSQL database only once and modify the configuration as needed to reduce the lenght of the tests, left as is for now. Signed-off-by: Zoran Regvart <[email protected]>
|
0f2afad adds reading the Secret in addition to the changes made to the ProviderConfig previously. I needed to place the data from the Secret in a temporary file, the @chlunde when you get a chance I'd be happy to receive any feedback on this |
Description of your changes
This adds
sslCert,sslKeyandsslRootCertoptions to the PostgreSQLProviderConfigneeded to establish a connection to a database that either uses non-public certificates or requires client certificate authentication.I've opted to create the
Optionsstruct to hold these and the existingsslModeparameter, this will allow adding other options[1] easier in the future.[1] https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS
I have:
make reviewableto ensure this PR is ready for review.How has this code been tested
Added a simple unit test