Make Postgres SSL connection configurable.

This will allow us to force SSL connections to the database in
production by setting two values:

- PGSSLMODE should be set to "verify-full". This forces the client to
  verify the server against a known CA: https://www.postgresql.org/docs/10/libpq-ssl.html
- PGSSLROOTCERT should be set to the path of the public cert for the
  relevant CA.

When the database connection is made, these values are passed to the
adapter. For local development, PGSSLMODE is set to "prefer" and
PGSSLROOTCERT is left unset.

Kubernetes config has been added to maintain the root CAs for both Azure
and AWS as k8s ConfigMap objects. These are mounted into the containers
and referenced by PGSSLROOTCERT in the container environment.

.secrets.baseline

@@ -1,9 +1,9 @@
 {
   "exclude": {
-    "files": "^.secrets.baseline$",
+    "files": "^.secrets.baseline$|^.*pgsslrootcert.yml$",
     "lines": null
   },
-  "generated_at": "2019-10-14T19:14:26Z",
+  "generated_at": "2019-10-17T14:42:56Z",
   "plugins_used": [
     {
       "base64_limit": 4.5,
@@ -111,7 +111,7 @@
         "hashed_secret": "abcdb568713c255c81376829da20004ba9463fd3",
         "is_secret": false,
         "is_verified": false,
-        "line_number": 26,
+        "line_number": 28,
         "type": "Secret Keyword"
       }
     ],

atst/app.py

@@ -158,7 +158,13 @@ def map_config(config):
         "PORT": int(config["default"]["PORT"]),
         "SQLALCHEMY_DATABASE_URI": config["default"]["DATABASE_URI"],
         "SQLALCHEMY_TRACK_MODIFICATIONS": False,
-        "SQLALCHEMY_ENGINE_OPTIONS": {"json_serializer": sqlalchemy_dumps},
+        "SQLALCHEMY_ENGINE_OPTIONS": {
+            "json_serializer": sqlalchemy_dumps,
+            "connect_args": {
+                "sslmode": config["default"]["PGSSLMODE"],
+                "sslrootcert": config["default"]["PGSSLROOTCERT"],
+            },
+        },
         "WTF_CSRF_ENABLED": config.getboolean("default", "WTF_CSRF_ENABLED"),
         "PERMANENT_SESSION_LIFETIME": config.getint(
             "default", "PERMANENT_SESSION_LIFETIME"

config/base.ini

@@ -19,6 +19,8 @@ PGDATABASE = atat
 PGHOST = localhost
 PGPASSWORD = postgres
 PGPORT = 5432
+PGSSLMODE = prefer
+PGSSLROOTCERT
 PGUSER = postgres
 PORT=8000
 REDIS_URI = redis://localhost:6379

deploy/aws/atst-envvars-configmap.yml

@@ -9,6 +9,7 @@ data:
   FLASK_ENV: dev
   OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
   UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
-  CRL_STORAGE_PROVIDER: CLOUDFILES
   LOG_JSON: "true"
   CSP: aws
+  PGSSLMODE: verify-full
+  PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt

deploy/aws/atst-worker-envvars-configmap.yml

@@ -8,3 +8,5 @@ data:
   TZ: UTC
   DISABLE_CRL_CHECK: "True"
   SERVER_NAME: aws.atat.code.mil
+  PGSSLMODE: verify-full
+  PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt

deploy/aws/aws.yml

@@ -43,6 +43,9 @@ spec:
               mountPath: "/var/run/uwsgi"
             - name: crls-vol
               mountPath: "/opt/atat/atst/crls"
+            - name: pgsslrootcert
+              mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
+              subPath: pgsslrootcert.crt
         - name: nginx
           image: nginx:alpine
           ports:
@@ -111,6 +114,13 @@ spec:
         - name: crls-vol
           persistentVolumeClaim:
             claimName: efs
+        - name: pgsslrootcert
+          configMap:
+            name: pgsslrootcert
+            items:
+            - key: cert
+              path: pgsslrootcert.crt
+              mode: 0666
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -154,6 +164,9 @@ spec:
             - name: atst-config
               mountPath: "/opt/atat/atst/atst-overrides.ini"
               subPath: atst-overrides.ini
+            - name: pgsslrootcert
+              mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
+              subPath: pgsslrootcert.crt
       volumes:
         - name: atst-config
           secret:
@@ -162,6 +175,13 @@ spec:
             - key: override.ini
               path: atst-overrides.ini
               mode: 0644
+        - name: pgsslrootcert
+          configMap:
+            name: pgsslrootcert
+            items:
+            - key: cert
+              path: pgsslrootcert.crt
+              mode: 0666
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -205,6 +225,9 @@ spec:
             - name: atst-config
               mountPath: "/opt/atat/atst/atst-overrides.ini"
               subPath: atst-overrides.ini
+            - name: pgsslrootcert
+              mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
+              subPath: pgsslrootcert.crt
       volumes:
         - name: atst-config
           secret:
@@ -213,6 +236,13 @@ spec:
             - key: override.ini
               path: atst-overrides.ini
               mode: 0644
+        - name: pgsslrootcert
+          configMap:
+            name: pgsslrootcert
+            items:
+            - key: cert
+              path: pgsslrootcert.crt
+              mode: 0666
 ---
 apiVersion: v1
 kind: Service

deploy/azure/atst-envvars-configmap.yml

@@ -9,6 +9,7 @@ data:
   FLASK_ENV: dev
   OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
   UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
-  CRL_STORAGE_PROVIDER: CLOUDFILES
   LOG_JSON: "true"
   CSP: azure
+  PGSSLMODE: verify-full
+  PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt

deploy/azure/atst-worker-envvars-configmap.yml

@@ -8,3 +8,5 @@ data:
   TZ: UTC
   DISABLE_CRL_CHECK: "True"
   SERVER_NAME: azure.atat.code.mil
+  PGSSLMODE: verify-full
+  PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt

deploy/azure/azure.yml

@@ -43,6 +43,9 @@ spec:
               mountPath: "/var/run/uwsgi"
             - name: crls-vol
               mountPath: "/opt/atat/atst/crls"
+            - name: pgsslrootcert
+              mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
+              subPath: pgsslrootcert.crt
         - name: nginx
           image: nginx:alpine
           ports:
@@ -111,7 +114,13 @@ spec:
         - name: crls-vol
           persistentVolumeClaim:
             claimName: crls-vol-claim
-
+        - name: pgsslrootcert
+          configMap:
+            name: pgsslrootcert
+            items:
+            - key: cert
+              path: pgsslrootcert.crt
+              mode: 0666
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -155,6 +164,9 @@ spec:
             - name: atst-config
               mountPath: "/opt/atat/atst/atst-overrides.ini"
               subPath: atst-overrides.ini
+            - name: pgsslrootcert
+              mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
+              subPath: pgsslrootcert.crt
       volumes:
         - name: atst-config
           secret:
@@ -163,6 +175,13 @@ spec:
             - key: override.ini
               path: atst-overrides.ini
               mode: 0644
+        - name: pgsslrootcert
+          configMap:
+            name: pgsslrootcert
+            items:
+            - key: cert
+              path: pgsslrootcert.crt
+              mode: 0666
 ---
 apiVersion: extensions/v1beta1
 kind: Deployment
@@ -206,6 +225,9 @@ spec:
             - name: atst-config
               mountPath: "/opt/atat/atst/atst-overrides.ini"
               subPath: atst-overrides.ini
+            - name: pgsslrootcert
+              mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
+              subPath: pgsslrootcert.crt
       volumes:
         - name: atst-config
           secret:
@@ -214,6 +236,13 @@ spec:
             - key: override.ini
               path: atst-overrides.ini
               mode: 0644
+        - name: pgsslrootcert
+          configMap:
+            name: pgsslrootcert
+            items:
+            - key: cert
+              path: pgsslrootcert.crt
+              mode: 0666
 ---
 apiVersion: v1
 kind: Service

deploy/azure/pgsslrootcert.yml

@@ -0,0 +1,28 @@
+apiVersion: v1
+data:
+  cert: |-
+    -----BEGIN CERTIFICATE-----
+    MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
+    RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
+    VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
+    DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
+    ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
+    VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
+    mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
+    IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
+    mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
+    XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
+    dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
+    jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
+    BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
+    DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
+    9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
+    jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
+    Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
+    ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
+    R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
+    -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+  name: pgsslrootcert
+  namespace: atat