
feat(postgres): Support TLS ca and client keypair as a secret #121

Merged: 9 commits merged into main from feat/postgres-tls on May 14, 2024

Conversation

jsirianni

@jsirianni jsirianni commented Apr 25, 2024

Description of Changes

This PR requires BindPlane v1.56.0, which will release May 8th.

  • Updated the test script ldap.sh to handle ldap and postgres certificates, for creating certs in CI
  • Added or updated the following backend.postgres options
    • sslmode
    • sslsecret
      • name: Name of the secret containing the optional certificates
      • sslcertSubPath: Name of the key in the secret containing the client certificate
      • sslkeySubPath: Name of the key in the secret containing the client private key
      • sslrootcertSubPath: Name of the key in the secret containing the certificate authority used to verify the server certificate's authenticity

Added an initContainer to bindplane and bindplane-jobs deployments. This container is used to configure certificate permissions. The postgres client will refuse to start if the certificates are world-readable. By default, files mounted from a secret will be world-readable. To get around this, the init container will copy the files to an emptyDir volume and set their permissions. The environment variables that point to the TLS certificates will use the copy in the emptyDir volume.

Updated the bindplane and bindplane-jobs deployments with the following

  • Environment variables
    • BINDPLANE_POSTGRES_SSL_ROOT_CERT
    • BINDPLANE_POSTGRES_SSL_CERT
    • BINDPLANE_POSTGRES_SSL_KEY
  • volume and volume mounts
    • emptyDir containing the certificates with appropriate file permissions

Testing

I have a CloudSQL instance that requires mTLS. With the certs downloaded (I can share these), latency is pretty bad, but it does work when using minikube locally.

minikube start
minikube addons enable ingress 
kubectl apply -f test/helper/pubsub/pubsub.yaml 

I created the bindplane and postgres secret with:

kubectl create secret generic bindplane \
  --from-literal=license=$BINDPLANE_LICENSE

kubectl create secret generic postgres-tls \
  --from-file server-ca.pem \
  --from-file client-cert.pem \
  --from-file client-key.pem

My values file looks like this:

config:
  username: bpuser
  password: bppass
  sessions_secret: 4484766F-5016-4077-B8E0-0DE1D637854B
  licenseUseSecret: true 

eventbus:
  type: 'pubsub'
  pubsub:
    projectid: 'my-project'
    topic: 'bindplane'
    insecure: true
    endpoint: "pubsub-emulator.pubsub.svc.cluster.local:8681"

backend:
  type: postgres
  postgres:
    host: redacted
    database: bindplane
    username: redacted
    password: redacted
    maxConnections: 12
    sslmode: verify-ca
    sslsecret:
      name: postgres-tls
      sslrootcertSubPath: server-ca.pem
      sslcertSubPath: client-cert.pem
      sslkeySubPath: client-key.pem

replicas: 2

resources:
  requests:
    memory: 100Mi
    cpu: 100m
  limits:
    memory: 100Mi
    cpu: 100m

jobs:
  resources:
    requests:
      memory: 100Mi
      cpu: 100m
    limits:
      memory: 100Mi
      cpu: 100m

ingress:
  enable: true
  host: bindplane.local
  class: nginx

helm install --values ./values.yaml  bindplane charts/bindplane

The pods should spin up without issue, connecting to pubsub emulator (in cluster) and cloudsql.

On macOS, run minikube tunnel and navigate to http://bindplane.local (make sure you have an /etc/hosts entry for this hostname, pointing to 127.0.0.1).

You should be able to create and delete configs, indicating that access to Postgres is working correctly.

If you turn SSL off with backend.postgres.sslmode: disable and redeploy, the new pod will fail to start up (old pod stays in place).

helm upgrade \
  --install bindplane \
  charts/bindplane \
  --values values.yaml

The new pod will log the following:

{"level":"info","timestamp":"2024-05-13T15:15:29.240Z","message":"Using postgres store"}
{"level":"error","timestamp":"2024-05-13T15:15:29.375Z","message":"failed to build server during server startup","error":"failed to load store: build store: failed to init Postgres storage: pq: pg_hba.conf rejects connection for host \"redacted\", user \"redacted\", database \"postgres\", no encryption"}
Error: failed to load store: build store: failed to init Postgres storage: pq: pg_hba.conf rejects connection for host "redacted", user "redacted", database "postgres", no encryption

Please check that the PR fulfills these requirements

  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)
  • CI passes
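The permission-fixing step the description explains (copy the secret-mounted files into an emptyDir and restrict the key's mode so libpq will load it), written here as an added example; it is not the chart's own initContainer script, which is not shown on this page. The mount paths in SRC_DIR and DST_DIR and the RUN_INSTALL switch are assumptions; the three file names are the ones used in the PR.

```sh
#!/bin/sh
# Added example, not the chart's own initContainer script: stage TLS files
# mounted from a Kubernetes Secret into a writable emptyDir and tighten their
# modes so libpq accepts the client key. SRC_DIR/DST_DIR are assumed paths.
set -eu

SRC_DIR="${SRC_DIR:-/secrets/postgres-tls}"  # secret volume: read-only, 0644 by default
DST_DIR="${DST_DIR:-/tls/postgres}"          # emptyDir shared with the app container

# copy_cert NAME MODE: copy one file (dereferencing the symlinks a secret
# volume uses) and set its mode; fails if the source is missing or empty.
copy_cert() {
    src="$SRC_DIR/$1"
    dst="$DST_DIR/$1"
    [ -s "$src" ] || { echo "missing or empty: $src" >&2; return 1; }
    cp -L "$src" "$dst"
    chmod "$2" "$dst"
}

# key_is_private FILE: succeeds only when FILE has no group/other permission
# bits, which is what libpq requires of sslkey before it will load the key.
key_is_private() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1")
    case "$mode" in
        *00) return 0 ;;  # e.g. 600 or 400
        *)   return 1 ;;
    esac
}

# install_postgres_tls: stage the CA, client cert and client key, then refuse
# to hand over to the app container unless the key really is private.
install_postgres_tls() {
    mkdir -p "$DST_DIR"
    copy_cert server-ca.pem   0644
    copy_cert client-cert.pem 0644
    copy_cert client-key.pem  0600
    key_is_private "$DST_DIR/client-key.pem"
}

# Run the staging step when invoked as the initContainer command
# (RUN_INSTALL=1 sh stage-postgres-tls.sh); otherwise only define functions.
if [ "${RUN_INSTALL:-0}" = 1 ]; then
    install_postgres_tls
fi
```

Because the init container exits non-zero when the staged key is still group- or world-readable, a misconfigured mount is caught before the application container starts rather than surfacing as a libpq refusal in the application log.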

@jsirianni jsirianni force-pushed the feat/postgres-tls branch from a7f5139 to c13e933 Compare May 10, 2024 20:54
@jsirianni jsirianni force-pushed the feat/postgres-tls branch from 2666901 to 3ff1850 Compare May 13, 2024 14:39
@@ -0,0 +1,12 @@
{{- if .Values.backend.postgres.sslsecret.name }}
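Review bot: the ConfigMap is rendered only when `.Values.backend.postgres.sslsecret.name` is set, so the initContainer, the emptyDir volume and the ConfigMap volume mount in the bindplane and bindplane-jobs deployments need to sit behind the same condition; otherwise a release without an sslsecret would reference a ConfigMap that does not exist and the pods would never start. Since the comment says the script is executed by the init container, also make sure it is either mounted with an executable mode or invoked through `sh` explicitly.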
This configmap is mounted by the init container and executed to set permissions.

@@ -0,0 +1,40 @@
# Required options
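Review bot: this CI test case exercises the sslsecret path; a second case with `sslsecret.name` unset would also be worth having, so CI proves the chart still renders and deploys without the initContainer and the extra volumes when no client certificates are configured.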

This test case is executed by CI

@@ -3,6 +3,19 @@ apiVersion: v1
metadata:
name: postgres
---
kind: ConfigMap
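Review bot: if the server certificate and private key for the CI postgres are carried in this ConfigMap, add a comment in the manifest stating that they are throwaway certificates generated by the test script, so the manifest is not copied as a pattern for real deployments, where a server key belongs in a Secret with a restricted file mode (the same world-readable concern this PR addresses on the client side).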

Updated the CI test postgres to use TLS.

@jsirianni jsirianni marked this pull request as ready for review May 13, 2024 16:04
@jsirianni jsirianni requested a review from a team as a code owner May 13, 2024 16:04
@jsirianni jsirianni requested review from BinaryFissionGames, dsvanlani and tbm48813 and removed request for BinaryFissionGames and dsvanlani May 13, 2024 16:04

@tbm48813 tbm48813 left a comment


qa'd

@jsirianni jsirianni merged commit ab8371d into main May 14, 2024
19 checks passed
@jsirianni jsirianni deleted the feat/postgres-tls branch May 14, 2024 18:26