feat(db): enable JDBC TLS configuration #1019
Open
+104
−75
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Welcome to Cryostat! 👋
Before contributing, make sure you have:
mainbranch[chore, ci, docs, feat, fix, test]git commit -S -m "YOUR_COMMIT_MESSAGE"Related to #1005
Description of the change:
Enables JDBC TLS configuration for the connection between Cryostat and the database container. This sets up TLS on the database's server side, and sets up Cryostat's database driver to expect to find a TLS port there and to require that the connection passes all checks (cert from trusted CA, hostname matches, SSL/TLS must be enabled). Authentication from the client (Cryostat) to the database server is still using normal Basic-style authentication, not TLS client certificate authentication.
If TLS is disabled, ie cert-manager is not available, then this should fall back to the same previous unencrypted JDBC behaviour.
Motivation for the change:
Enhances security.
How to manually test:
jdbc:postgresql://cryostat-sample-database.cryostat.svc.cluster.local:5432/cryostat?ssl=true&sslmode=verify-full&sslcert=&sslrootcert=/var/run/secrets/operator.cryostat.io/cryostat-sample-database-tls/ca.crt. In particularssl=trueandsslmode=verify-fullshould be present, and thesslrootcert=should point to the database TLS secret and theca.crtcorresponding to the cert used by the database container..spec.enableCertManager: false. After everything gets redeployed, ensure it's all still working, but now the JDBC URL has no SSL parameters, the database container has no SSL arguments, etc.