merge: #3107

3107: feat: add ssl to postgres r=sprutton1 a=sprutton1 Shhhhhhhhh, this PR didn't happen today. I definitely posted this yesterday. Anyways, this adds SSL to postgres connections. I also added a root cert to the docker image so we can use SSL locally and in the launcher. I'm really not sure how to test this for the module-index and I have a feeling all of the tests are going to fail unless we stage this in multiple parts. Merging this should wait until next year. P.S. I need to do some more work ensuring the launcher still works. Co-authored-by: Scott Prutton <[email protected]>
systeminit · Jan 2, 2024 · 1672a27 · 1672a27
2 parents 9c3b1e8 + 6ba837d
commit 1672a27
Show file tree

Hide file tree

Showing 30 changed files with 1,111 additions and 19 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -111,6 +111,8 @@ regex = "1.8.1"
 remain = "0.2.8"
 reqwest = { version = "0.11.17", default-features = false, features = ["rustls-tls", "json", "multipart"] }
 ring = "=0.17.5" # Upgrading this is possible, but a pain, so we don't want to pick up every new minor version (see: https://github.com/facebook/buck2/commit/91af40b66960d003067c3d241595fb53d1e636c8)
+rustls = { version = "0.21.1" } # pinned because ring above depends on it
+rustls-pemfile = { version = "2.0.0" }
 rust-s3 = { version = "0.34.0-rc4", default-features = false, features = ["tokio-rustls-tls"] }
 sea-orm = { version = "0.12.0", features = ["sqlx-postgres", "runtime-tokio-rustls", "macros", "with-chrono", "debug-print"] }
 self-replace = "1.3.7"
@@ -130,6 +132,7 @@ test-log = { version = "0.2.11", default-features = false, features = ["trace"]
 thiserror = "1.0.40"
 tokio = { version = "1.28.0", features = ["full"] }
 tokio-postgres = { version = "0.7.8", features = ["runtime", "with-chrono-0_4", "with-serde_json-1"] }
+tokio-postgres-rustls = { version = "0.10.0" }
 tokio-serde = { version = "0.8.0", features = ["json"] }
 tokio-stream = "0.1.14"
 tokio-test = "0.4.2"
@@ -147,6 +150,7 @@ url = { version = "2.3.1", features = ["serde"] }
 uuid = { version = "1.3.2", features = ["serde", "v4"] }
 vfs = "0.10.0"
 vfs-tar = { version = "0.4.0", features = ["mmap"] }
+webpki-roots = { version = "0.25.3" }
 y-sync = { version = "0.4.0", features = ["net"] }
 yrs = { version = "0.17.2" }
 

diff --git a/bin/module-index/BUCK b/bin/module-index/BUCK
@@ -18,6 +18,7 @@ rust_binary(
     resources = {
         "dev.jwt_signing_public_key.pem": "//config/keys:dev.jwt_signing_public_key.pem",
         "prod.jwt_signing_public_key.pem": "//config/keys:prod.jwt_signing_public_key.pem",
+        "dev.postgres.root.crt": "//config/keys:dev.postgres.root.crt",
 #        "pkgs_path": "//pkgs:pkgs",
     },
 )

diff --git a/bin/module-index/src/args.rs b/bin/module-index/src/args.rs
@@ -45,6 +45,14 @@ pub(crate) struct Args {
     #[arg(long, env)]
     pub(crate) pg_password: Option<String>,
 
+    /// PostgreSQL connection certification path
+    #[arg(long)]
+    pub(crate) pg_cert_path: Option<String>,
+
+    /// PostgreSQL connection certification base64 string
+    #[arg(long)]
+    pub(crate) pg_cert_base64: Option<String>,
+
     /// The address and port to bind the HTTP server to [example: 0.0.0.0:80]
     #[arg(long, env)]
     pub(crate) socket_addr: Option<String>,
@@ -105,6 +113,12 @@ impl TryFrom<Args> for Config {
             if let Some(password) = args.pg_password {
                 config_map.set("pg.password", password);
             }
+            if let Some(cert) = args.pg_cert_path {
+                config_map.set("pg.certificate_path", cert);
+            }
+            if let Some(cert) = args.pg_cert_base64 {
+                config_map.set("pg.certificate_base64", cert);
+            }
             if let Some(socket_addr) = args.socket_addr {
                 config_map.set("socket_addr", socket_addr);
             }

diff --git a/bin/pinga/BUCK b/bin/pinga/BUCK
@@ -18,6 +18,7 @@ rust_binary(
     resources = {
         "dev.encryption.key": "//lib/cyclone-server:dev.encryption.key",
         "dev.donkey.key": "//lib/dal:dev.donkey.key",
+        "dev.postgres.root.crt": "//config/keys:dev.postgres.root.crt",
     },
 )
 
@@ -32,4 +33,4 @@ nix_omnibus_pkg(
     name = "omnibus",
     pkg_name = "pinga",
     build_dep = "//bin/pinga:pinga",
-)
+)
diff --git a/bin/pinga/src/args.rs b/bin/pinga/src/args.rs
@@ -41,6 +41,14 @@ pub(crate) struct Args {
     #[arg(long)]
     pub(crate) pg_user: Option<String>,
 
+    /// PostgreSQL connection certification path
+    #[arg(long)]
+    pub(crate) pg_cert_path: Option<String>,
+
+    /// PostgreSQL connection certification base64 string
+    #[arg(long)]
+    pub(crate) pg_cert_base64: Option<String>,
+
     /// NATS connection URL [example: demo.nats.io]
     #[arg(long)]
     pub(crate) nats_url: Option<String>,
@@ -101,6 +109,12 @@ impl TryFrom<Args> for Config {
             if let Some(user) = args.pg_user {
                 config_map.set("pg.user", user);
             }
+            if let Some(cert) = args.pg_cert_path {
+                config_map.set("pg.certificate_path", cert);
+            }
+            if let Some(cert) = args.pg_cert_base64 {
+                config_map.set("pg.certificate_base64", cert);
+            }
             if let Some(url) = args.nats_url {
                 config_map.set("nats.url", url);
             }

diff --git a/bin/sdf/BUCK b/bin/sdf/BUCK
@@ -19,6 +19,7 @@ rust_binary(
         "dev.jwt_signing_public_key.pem": "//config/keys:dev.jwt_signing_public_key.pem",
         "prod.jwt_signing_public_key.pem": "//config/keys:prod.jwt_signing_public_key.pem",
         "dev.encryption.key": "//lib/cyclone-server:dev.encryption.key",
+        "dev.postgres.root.crt": "//config/keys:dev.postgres.root.crt",
         "dev.donkey.key": "//lib/dal:dev.donkey.key",
         "pkgs_path": "//pkgs:pkgs",
     },
@@ -38,4 +39,4 @@ nix_omnibus_pkg(
     name = "omnibus",
     pkg_name = "sdf",
     build_dep = "//bin/sdf:sdf",
-)
+)
diff --git a/bin/sdf/src/args.rs b/bin/sdf/src/args.rs
@@ -43,6 +43,14 @@ pub(crate) struct Args {
     #[arg(long)]
     pub(crate) pg_user: Option<String>,
 
+    /// PostgreSQL connection certification path
+    #[arg(long)]
+    pub(crate) pg_cert_path: Option<String>,
+
+    /// PostgreSQL connection certification base64 string
+    #[arg(long)]
+    pub(crate) pg_cert_base64: Option<String>,
+
     /// NATS connection URL [example: demo.nats.io]
     #[arg(long)]
     pub(crate) nats_url: Option<String>,
@@ -119,6 +127,12 @@ impl TryFrom<Args> for Config {
             if let Some(user) = args.pg_user {
                 config_map.set("pg.user", user);
             }
+            if let Some(cert) = args.pg_cert_path {
+                config_map.set("pg.certificate_path", cert);
+            }
+            if let Some(cert) = args.pg_cert_base64 {
+                config_map.set("pg.certificate_base64", cert);
+            }
             if let Some(migration_mode) = args.migration_mode {
                 config_map.set("migration_mode", migration_mode);
             }

diff --git a/component/postgres/BUCK b/component/postgres/BUCK
@@ -14,6 +14,8 @@ docker_image(
         "multiple-database-support.sh": ".",
         "pganalyze-collector.conf.sample": ".",
         "postgresql-additions.conf": ".",
+        "server.key": ".",
+        "server.crt": ".",
     },
     build_args = {
         "BASE_VERSION": "14.5-bullseye",

diff --git a/component/postgres/Dockerfile b/component/postgres/Dockerfile
@@ -32,6 +32,11 @@ COPY multiple-database-support.sh /docker-entrypoint-initdb.d/
 COPY entrypoint-wrapper.sh /usr/local/bin/entrypoint-wrapper.sh
 COPY pganalyze-collector.conf.sample /etc/pganalyze-collector.conf.sample
 COPY postgresql-additions.conf /etc/postgresql-additions.conf
+COPY server.key /var/lib/postgresql/
+COPY server.crt /var/lib/postgresql/
+
+RUN chown root:ssl-cert /var/lib/postgresql/server.key && chmod 740 /var/lib/postgresql/server.key
+RUN chown root:ssl-cert /var/lib/postgresql/server.crt && chmod 740 /var/lib/postgresql/server.crt
 
 RUN chmod +x /usr/local/bin/entrypoint-wrapper.sh \
     && mkdir -p /etc/postgresql \

diff --git a/component/postgres/entrypoint-wrapper.sh b/component/postgres/entrypoint-wrapper.sh
@@ -11,7 +11,10 @@ trap 'kill -TERM $(jobs -p); wait' SIGINT SIGTERM
 
 /usr/local/bin/docker-entrypoint.sh \
   "$@" \
-  -c config_file=/etc/postgresql/postgresql.conf &
+  -c config_file=/etc/postgresql/postgresql.conf \
+  -c ssl=on \
+  -c ssl_cert_file=/var/lib/postgresql/server.crt \
+  -c ssl_key_file=/var/lib/postgresql/server.key &
 
 if [ -n "${PGANALYZE:-}" ]; then
   echo '--- pganalyze enabled'

diff --git a/component/postgres/server.crt b/component/postgres/server.crt
@@ -0,0 +1,20 @@
+-----BEGIN CERTIFICATE-----
+MIIDNzCCAh+gAwIBAgIIJB180Ufm2cYwDQYJKoZIhvcNAQELBQAwIDEeMBwGA1UE
+AxMVbWluaWNhIHJvb3QgY2EgMDIxMTg0MB4XDTI0MDEwMjE4MjI1NloXDTI2MDIw
+MTE4MjI1NlowFDESMBAGA1UEAxMJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEF
+AAOCAQ8AMIIBCgKCAQEAo6AmFdhKoE1KWEGHof3mhYgtXxXjYTgE7ux25cpJmg2l
+TuQL/AhUkJqTdcRwjQeNZdp7YgnuzxnOCyZWddyRn68fxfAhRUlv0aBMedLrF4/O
+aEekRC8hxlLFSATe1w2/dc7EIVsezSlBAHCzwAlpaaWA275LxEuVR+N/+esFxgkw
+3qOyutylxEaeeH2ELdV2PW8GuXCQHCISlQa0blaTsBeG8bLJpuUjFeo3vYj7rP3E
+dtFoEEJ3tMbd3ku5m5iLubfHlnHDZIY/EF29j3frI7KLRuEhzhOL8F0/U7iLATgj
+yit3dZvBQYw/XZqTlDs7/WES+eqFJpaVMhb6QcDhMQIDAQABo4GAMH4wDgYDVR0P
+AQH/BAQDAgWgMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAMBgNVHRMB
+Af8EAjAAMB8GA1UdIwQYMBaAFAcYAHyM52e+nG6VLw2UjYvSNHFTMB4GA1UdEQQX
+MBWCCWxvY2FsaG9zdIIIcG9zdGdyZXMwDQYJKoZIhvcNAQELBQADggEBAJWrwSaz
+rT+Q9lMmvW64L+b6r6X4vi3gHhQzZnbfj/7KhNxdbfIromoN0tYjhWrH4Uy+w4Oc
+8Mz+KDXqu1XzHMbSSt4w75GnZ2YJuLu6lIbJtX3l3Q1LAai+tZ6FoqIdBIBKe7Ft
+tbn8lCYRh0vFtTTbUSWX8IHAd1fnP36OFrvj/pO+4c739jVMkMFShE4QabRPJCBP
+zOssFHjfM7cKjbIdwkvWySQK2lVC1iSPPSblLn1r++vxHDWy+rBAZnpB32lthJMY
+WKBH0xI1Ry2UhlJexyOH+VhACeKCIsWCFN8oRyPISumhe4dYUCgUA2fV6xfsMR/A
+zOF5rW9cqadRYAk=
+-----END CERTIFICATE-----