pk/atst
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Make Postgres SSL connection configurable.

Browse Source 
This will allow us to force SSL connections to the database in
production by setting two values:

- PGSSLMODE should be set to "verify-full". This forces the client to
  verify the server against a known CA: https://www.postgresql.org/docs/10/libpq-ssl.html
- PGSSLROOTCERT should be set to the path of the public cert for the
  relevant CA.

When the database connection is made, these values are passed to the
adapter. For local development, PGSSLMODE is set to "prefer" and
PGSSLROOTCERT is left unset.

Kubernetes config has been added to maintain the root CAs for both Azure
and AWS as k8s ConfigMap objects. These are mounted into the containers
and referenced by PGSSLROOTCERT in the container environment.
This commit is contained in:
dandds 2019-10-16 09:39:16 -04:00
parent 5cdead1175
commit efcb9681d3
11 changed files with 1195 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
.secrets.baseline
View File

@ -1,9 +1,9 @@
{
"exclude": {
"files": "^.secrets.baseline$",
"files": "^.secrets.baseline$|^.*pgsslrootcert.yml$",
"lines": null
},
"generated_at": "2019-10-14T19:14:26Z",
"generated_at": "2019-10-17T14:42:56Z",
"plugins_used": [
{
"base64_limit": 4.5,
@ -111,7 +111,7 @@
"hashed_secret": "abcdb568713c255c81376829da20004ba9463fd3",
"is_secret": false,
"is_verified": false,
"line_number": 26,
"line_number": 28,
"type": "Secret Keyword"
}
],

8
atst/app.py
View File

@ -158,7 +158,13 @@ def map_config(config):
"PORT": int(config["default"]["PORT"]),
"SQLALCHEMY_DATABASE_URI": config["default"]["DATABASE_URI"],
"SQLALCHEMY_TRACK_MODIFICATIONS": False,
"SQLALCHEMY_ENGINE_OPTIONS": {"json_serializer": sqlalchemy_dumps},
"SQLALCHEMY_ENGINE_OPTIONS": {
"json_serializer": sqlalchemy_dumps,
"connect_args": {
"sslmode": config["default"]["PGSSLMODE"],
"sslrootcert": config["default"]["PGSSLROOTCERT"],
},
},
"WTF_CSRF_ENABLED": config.getboolean("default", "WTF_CSRF_ENABLED"),
"PERMANENT_SESSION_LIFETIME": config.getint(
"default", "PERMANENT_SESSION_LIFETIME"

2
config/base.ini
View File

@ -19,6 +19,8 @@ PGDATABASE = atat
PGHOST = localhost
PGPASSWORD = postgres
PGPORT = 5432
PGSSLMODE = prefer
PGSSLROOTCERT
PGUSER = postgres
PORT=8000
REDIS_URI = redis://localhost:6379

3
deploy/aws/atst-envvars-configmap.yml
View File

@ -9,6 +9,7 @@ data:
FLASK_ENV: dev
OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
CRL_STORAGE_PROVIDER: CLOUDFILES
LOG_JSON: "true"
CSP: aws
PGSSLMODE: verify-full
PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt

2
deploy/aws/atst-worker-envvars-configmap.yml
View File

@ -8,3 +8,5 @@ data:
TZ: UTC
DISABLE_CRL_CHECK: "True"
SERVER_NAME: aws.atat.code.mil
PGSSLMODE: verify-full
PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt

30
deploy/aws/aws.yml
View File

@ -43,6 +43,9 @@ spec:
mountPath: "/var/run/uwsgi"
- name: crls-vol
mountPath: "/opt/atat/atst/crls"
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
- name: nginx
image: nginx:alpine
ports:
@ -111,6 +114,13 @@ spec:
- name: crls-vol
persistentVolumeClaim:
claimName: efs
- name: pgsslrootcert
configMap:
name: pgsslrootcert
items:
- key: cert
path: pgsslrootcert.crt
mode: 0666
---
apiVersion: extensions/v1beta1
kind: Deployment
@ -154,6 +164,9 @@ spec:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
volumes:
- name: atst-config
secret:
@ -162,6 +175,13 @@ spec:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: pgsslrootcert
configMap:
name: pgsslrootcert
items:
- key: cert
path: pgsslrootcert.crt
mode: 0666
---
apiVersion: extensions/v1beta1
kind: Deployment
@ -205,6 +225,9 @@ spec:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
volumes:
- name: atst-config
secret:
@ -213,6 +236,13 @@ spec:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: pgsslrootcert
configMap:
name: pgsslrootcert
items:
- key: cert
path: pgsslrootcert.crt
mode: 0666
---
apiVersion: v1
kind: Service

1087
deploy/aws/pgsslrootcert.yml Normal file
View File

File diff suppressed because it is too large Load Diff

3
deploy/azure/atst-envvars-configmap.yml
View File

@ -9,6 +9,7 @@ data:
FLASK_ENV: dev
OVERRIDE_CONFIG_FULLPATH: /opt/atat/atst/atst-overrides.ini
UWSGI_CONFIG_FULLPATH: /opt/atat/atst/uwsgi.ini
CRL_STORAGE_PROVIDER: CLOUDFILES
LOG_JSON: "true"
CSP: azure
PGSSLMODE: verify-full
PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt

2
deploy/azure/atst-worker-envvars-configmap.yml
View File

@ -8,3 +8,5 @@ data:
TZ: UTC
DISABLE_CRL_CHECK: "True"
SERVER_NAME: azure.atat.code.mil
PGSSLMODE: verify-full
PGSSLROOTCERT: /opt/atat/atst/ssl/pgsslrootcert.crt

31
deploy/azure/azure.yml
View File

@ -43,6 +43,9 @@ spec:
mountPath: "/var/run/uwsgi"
- name: crls-vol
mountPath: "/opt/atat/atst/crls"
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
- name: nginx
image: nginx:alpine
ports:
@ -111,7 +114,13 @@ spec:
- name: crls-vol
persistentVolumeClaim:
claimName: crls-vol-claim
- name: pgsslrootcert
configMap:
name: pgsslrootcert
items:
- key: cert
path: pgsslrootcert.crt
mode: 0666
---
apiVersion: extensions/v1beta1
kind: Deployment
@ -155,6 +164,9 @@ spec:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
volumes:
- name: atst-config
secret:
@ -163,6 +175,13 @@ spec:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: pgsslrootcert
configMap:
name: pgsslrootcert
items:
- key: cert
path: pgsslrootcert.crt
mode: 0666
---
apiVersion: extensions/v1beta1
kind: Deployment
@ -206,6 +225,9 @@ spec:
- name: atst-config
mountPath: "/opt/atat/atst/atst-overrides.ini"
subPath: atst-overrides.ini
- name: pgsslrootcert
mountPath: "/opt/atat/atst/ssl/pgsslrootcert.crt"
subPath: pgsslrootcert.crt
volumes:
- name: atst-config
secret:
@ -214,6 +236,13 @@ spec:
- key: override.ini
path: atst-overrides.ini
mode: 0644
- name: pgsslrootcert
configMap:
name: pgsslrootcert
items:
- key: cert
path: pgsslrootcert.crt
mode: 0666
---
apiVersion: v1
kind: Service

28
deploy/azure/pgsslrootcert.yml Normal file
View File

@ -0,0 +1,28 @@
apiVersion: v1
data:
cert: |-
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIEAgAAuTANBgkqhkiG9w0BAQUFADBaMQswCQYDVQQGEwJJ
RTESMBAGA1UEChMJQmFsdGltb3JlMRMwEQYDVQQLEwpDeWJlclRydXN0MSIwIAYD
VQQDExlCYWx0aW1vcmUgQ3liZXJUcnVzdCBSb290MB4XDTAwMDUxMjE4NDYwMFoX
DTI1MDUxMjIzNTkwMFowWjELMAkGA1UEBhMCSUUxEjAQBgNVBAoTCUJhbHRpbW9y
ZTETMBEGA1UECxMKQ3liZXJUcnVzdDEiMCAGA1UEAxMZQmFsdGltb3JlIEN5YmVy
VHJ1c3QgUm9vdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAKMEuyKr
mD1X6CZymrV51Cni4eiVgLGw41uOKymaZN+hXe2wCQVt2yguzmKiYv60iNoS6zjr
IZ3AQSsBUnuId9Mcj8e6uYi1agnnc+gRQKfRzMpijS3ljwumUNKoUMMo6vWrJYeK
mpYcqWe4PwzV9/lSEy/CG9VwcPCPwBLKBsua4dnKM3p31vjsufFoREJIE9LAwqSu
XmD+tqYF/LTdB1kC1FkYmGP1pWPgkAx9XbIGevOF6uvUA65ehD5f/xXtabz5OTZy
dc93Uk3zyZAsuT3lySNTPx8kmCFcB5kpvcY67Oduhjprl3RjM71oGDHweI12v/ye
jl0qhqdNkNwnGjkCAwEAAaNFMEMwHQYDVR0OBBYEFOWdWTCCR1jMrPoIVDaGezq1
BE3wMBIGA1UdEwEB/wQIMAYBAf8CAQMwDgYDVR0PAQH/BAQDAgEGMA0GCSqGSIb3
DQEBBQUAA4IBAQCFDF2O5G9RaEIFoN27TyclhAO992T9Ldcw46QQF+vaKSm2eT92
9hkTI7gQCvlYpNRhcL0EYWoSihfVCr3FvDB81ukMJY2GQE/szKN+OMY3EU/t3Wgx
jkzSswF07r51XgdIGn9w/xZchMB5hbgF/X++ZRGjD8ACtPhSNzkE1akxehi/oCr0
Epn3o0WC4zxe9Z2etciefC7IpJ5OCBRLbf1wbWsaY71k5h+3zvDyny67G7fyUIhz
ksLi4xaNmjICq44Y3ekQEe5+NauQrz4wlHrQMz2nZQ/1/I6eYs9HRCwBXbsdtTLS
R9I4LtD+gdwyah617jzV/OeBHRnDJELqYzmp
-----END CERTIFICATE-----
kind: ConfigMap
metadata:
name: pgsslrootcert
namespace: atat