add config for enabling tekton results dbssl

- add dbssl for dev_setup - add config for enabling dbssl generally Signed-off-by: Avinal Kumar <[email protected]> rh-pre-commit.version: 2.2.0 rh-pre-commit.check-secrets: ENABLED
openshift-pipelines · Mar 15, 2024 · bb03c53 · bb03c53
1 parent d41cf56
commit bb03c53
Show file tree

Hide file tree

Showing 8 changed files with 94 additions and 5 deletions.
diff --git a/developer/openshift/apps/pipeline-service.sh b/developer/openshift/apps/pipeline-service.sh
@@ -30,6 +30,7 @@ configure_argocd_apps(){
 setup_tekton_results() {
   echo -n "- Tekton Results: "
   get_tekton_results_credentials
+  generate_tekton_results_db_ssl_cert
   patch_tekton_results_manifests
   echo "OK"
 }
@@ -56,6 +57,38 @@ EOF
   TEKTON_RESULTS_S3_PASSWORD="$(yq ".s3_password" "$tekton_results_credentials")"
 }
 
+generate_tekton_results_db_ssl_cert(){
+  TEKTON_RESULTS_DB_SSL="$WORK_DIR/certificates/tekton-results"
+  mkdir -p "$TEKTON_RESULTS_DB_SSL"
+  openssl req -newkey rsa:4096 -nodes -text \
+    -keyout "$TEKTON_RESULTS_DB_SSL/root.key" \
+    -out "$TEKTON_RESULTS_DB_SSL/root.csr" \
+    -subj "/CN=postgres-postgresql.tekton-results.svc.cluster.local" \
+    -addext "subjectAltName=DNS:postgres-postgresql.tekton-results.svc.cluster.local" \
+    > /dev/null 2>&1
+  chmod og-rwx "$TEKTON_RESULTS_DB_SSL/root.key"
+  openssl x509 -req -days 7 -text \
+    -signkey "$TEKTON_RESULTS_DB_SSL/root.key" \
+    -in "$TEKTON_RESULTS_DB_SSL/root.csr" \
+    -extfile "/etc/ssl/openssl.cnf" \
+    -extensions v3_ca \
+    -out "$TEKTON_RESULTS_DB_SSL/ca.crt" \
+    > /dev/null 2>&1
+  openssl req -new -nodes -text \
+    -out "$TEKTON_RESULTS_DB_SSL/root.csr" \
+    -keyout "$TEKTON_RESULTS_DB_SSL/tls.key" \
+    -subj "/CN=postgres-postgresql.tekton-results.svc.cluster.local" \
+    -addext "subjectAltName=DNS:postgres-postgresql.tekton-results.svc.cluster.local" \
+    > /dev/null 2>&1
+  chmod og-rwx "$TEKTON_RESULTS_DB_SSL/tls.key"
+  openssl x509 -req -text -days 7 -CAcreateserial \
+    -in "$TEKTON_RESULTS_DB_SSL/root.csr" \
+    -CA "$TEKTON_RESULTS_DB_SSL/ca.crt" \
+    -CAkey "$TEKTON_RESULTS_DB_SSL/root.key" \
+    -out "$TEKTON_RESULTS_DB_SSL/tls.crt" \
+    > /dev/null 2>&1
+}
+
 patch_tekton_results_manifests(){
   yq --inplace "
     .data.[\"db.password\"]=\"$(echo -n "$TEKTON_RESULTS_DATABASE_PASSWORD" | base64)\",
@@ -75,8 +108,18 @@ EOF
   yq --inplace "
     .data.[\"config.env\"]=\"$string_data\"
   " "$WORK_DIR/environment/compute/tekton-results/tekton-results-minio-config.yaml"
+  yq --inplace "
+    .data.[\"ca.crt\"]=\"$(base64 "$TEKTON_RESULTS_DB_SSL/ca.crt")\" |
+    .data.[\"tls.crt\"]=\"$(base64 "$TEKTON_RESULTS_DB_SSL/tls.crt")\" |
+    .data.[\"tls.key\"]=\"$(base64 "$TEKTON_RESULTS_DB_SSL/tls.key")\"
+  " "$WORK_DIR/environment/compute/tekton-results/tekton-results-postgresql-tls-secret.yaml"
+  yq --inplace "
+  .data.[\"tekton-results-db-ca.pem\"]=\"$(cat "$TEKTON_RESULTS_DB_SSL/tls.crt" "$TEKTON_RESULTS_DB_SSL/ca.crt")\"
+  " "$WORK_DIR/environment/compute/tekton-results/rds-db-cert-configmap.yaml"
 }
 
+
+
 deploy_application() {
   echo "- Deploy application:"
 

diff --git a/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml b/developer/openshift/gitops/argocd/pipeline-service-storage/postgres.yaml
@@ -22,8 +22,18 @@ spec:
           value: 13.14.0
         - name: tls.enabled
           value: "true"
-        - name: tls.autoGenerated
-          value: "true"
+        - name: tls.certificatesSecret
+          value: "postgresql-tls"
+        - name: tls.certFilename
+          value: "tls.crt"
+        - name: tls.certKeyFilename
+          value: "tls.key"
+        # There is an unresolved issue with CA cert that stops pods from
+        # starting due to readiness probe failure. The workaround is
+        # discussed here along with the linked issues:
+        # https://github.com/bitnami/charts/issues/8026
+        # - name: tls.certCAFilename
+        #   value: "ca.crt"
         - name: auth.database
           value: "tekton_results"
         - name: auth.username
@@ -54,6 +64,10 @@ spec:
           value: "false"
         - name: shmVolume.enabled
           value: "false"
+      # provide CA cert as extraEnv until the issue is resolved. See above ^
+      extraEnv:
+        - name: PGSSLROOTCERT
+          value: /opt/bitnami/postgresql/certs/ca.crt
   syncPolicy:
     # Comment this out if you want to manually trigger deployments (using the
     # Argo CD Web UI or Argo CD CLI), rather than automatically deploying on

diff --git a/developer/openshift/gitops/argocd/pipeline-service/tekton-results/postgres.yaml b/developer/openshift/gitops/argocd/pipeline-service/tekton-results/postgres.yaml
@@ -13,4 +13,4 @@ spec:
         - name: api
           env:
             - name: DB_SSLMODE
-              value: "disable"
+              value: "verify-ca"
diff --git a/developer/openshift/gitops/local/tekton-results/kustomization.yaml b/developer/openshift/gitops/local/tekton-results/kustomization.yaml
@@ -6,3 +6,5 @@ resources:
   - tekton-results-db-secret.yaml
   - tekton-results-s3-secret.yaml
   - tekton-results-minio-config.yaml
+  - rds-db-cert-configmap.yaml
+  - tekton-results-postgresql-tls-secret.yaml
diff --git a/developer/openshift/gitops/local/tekton-results/rds-db-cert-configmap.yaml b/developer/openshift/gitops/local/tekton-results/rds-db-cert-configmap.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: rds-root-crt
+  namespace: tekton-results
+data:
+  # contents of the public certificate should be inserted here
+  # the name of the key must be same as provided in the tekton results .env config
+  tekton-results-db-ca.pem:
diff --git a/developer/openshift/gitops/local/tekton-results/tekton-results-postgresql-tls-secret.yaml b/developer/openshift/gitops/local/tekton-results/tekton-results-postgresql-tls-secret.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgresql-tls
+  namespace: tekton-results
+data:
+  # Provide CA, TLS cert and key. CA cert is not being used until readiness
+  # probe issue is resolved with the binami/postgresql chart
+  ca.crt:
+  tls.crt:
+  tls.key:
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/api-db-config.yaml b/operator/gitops/argocd/pipeline-service/tekton-results/api-db-config.yaml
@@ -33,3 +33,11 @@ spec:
                 secretKeyRef:
                   name: tekton-results-database
                   key: db.name
+          volumeMounts:
+            - name: db-tls-ca
+              mountPath: /etc/tls/db
+              readOnly: true
+      volumes:
+        - name: db-tls-ca
+          configMap:
+            name: rds-root-crt
diff --git a/operator/gitops/argocd/pipeline-service/tekton-results/config.env b/operator/gitops/argocd/pipeline-service/tekton-results/config.env
@@ -3,8 +3,8 @@ DB_PASSWORD=
 DB_HOST=
 DB_PORT=5432
 DB_NAME=
-DB_SSLMODE=disable
-DB_SSLROOTCERT=
+DB_SSLMODE=verify-full
+DB_SSLROOTCERT=/etc/tls/db/tekton-results-db-ca.pem
 DB_ENABLE_AUTO_MIGRATION=true
 SERVER_PORT=8080
 PROMETHEUS_PORT=9090