Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Make Database SSL Configurable through files #6892

Merged
merged 3 commits into from
Apr 19, 2024
Merged

feat: Make Database SSL Configurable through files #6892

merged 3 commits into from
Apr 19, 2024

Conversation

chriswk
Copy link
Contributor

@chriswk chriswk commented Apr 19, 2024

This makes it configurable either through a single JSON file with all three certificates as separate keys or via separate files per ca/cert/key key.

fixes #6718

@chriswk chriswk requested review from Tymek and sighphyre April 19, 2024 08:02
@chriswk chriswk self-assigned this Apr 19, 2024
@vercel Vercel
Copy link

vercel bot commented Apr 19, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
unleash-docs ✅ Ready (Inspect) Visit Preview 💬 Add feedback Apr 19, 2024 10:45am
unleash-monorepo-frontend ✅ Ready (Inspect) Visit Preview 💬 Add feedback Apr 19, 2024 10:45am

codescene-delta-analysis[bot]
codescene-delta-analysis bot reviewed Apr 19, 2024
View reviewed changes
Copy link

@codescene-delta-analysis codescene-delta-analysis bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Health Quality Gates: FAILED

  • Declining Code Health: 1 findings(s) 🚩
  • Improving Code Health: 1 findings(s) ✅

View detailed results in CodeScene

@chriswk
feat: Make Database SSL Configurable
c30898b 
This makes it configurable either through a single JSON file with all
three certificates as separate keys or via separate files per
ca/cert/key key.

fixes #6718
@chriswk chriswk force-pushed the task/makeDbSslConfigurableFromFile branch from 192914d to c30898b Compare April 19, 2024 08:06
codescene-delta-analysis[bot]
codescene-delta-analysis bot reviewed Apr 19, 2024
View reviewed changes
Copy link

@codescene-delta-analysis codescene-delta-analysis bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Health Quality Gates: FAILED

  • Declining Code Health: 1 findings(s) 🚩
  • Improving Code Health: 1 findings(s) ✅

View detailed results in CodeScene

@chriswk chriswk mentioned this pull request Apr 19, 2024
Closed
sighphyre
sighphyre reviewed Apr 19, 2024
View reviewed changes
src/lib/create-config.ts Outdated
return JSON.parse(process.env.DATABASE_SSL);
} else if (
process.env.DATABASE_SSL_CA_CONFIG != null &&
filesExists(process.env.DATABASE_SSL_CA_CONFIG)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not convinced about the file existence checks here. Is there a place where we want the file check to return true but return an empty object if it's unreadable or contains broken JSON?

Maybe it's the Python dev in me but I'd lean on just reading the thing and trapping the exception case

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that's a fair point, I think failing on non-existing files if you use the env vars is fair enough

sighphyre
sighphyre reviewed Apr 19, 2024
View reviewed changes
src/lib/create-config.ts Outdated
try {
return readFileSync(caFilePath).toJSON();
} catch (e) {
return {};
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd be tempted to just bubble here. If you asked for this to happen and it didn't, I'd be rather surprised to find a quiet fail without a log

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agreed. Let's fail hard, we do in other paths for config.

@chriswk chriswk force-pushed the task/makeDbSslConfigurableFromFile branch from 78bd728 to 10d5f0e Compare April 19, 2024 10:16
codescene-delta-analysis[bot]
codescene-delta-analysis bot reviewed Apr 19, 2024
View reviewed changes
Copy link

@codescene-delta-analysis codescene-delta-analysis bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Health Quality Gates: FAILED

  • Declining Code Health: 1 findings(s) 🚩
  • Improving Code Health: 1 findings(s) ✅

View detailed results in CodeScene

codescene-delta-analysis[bot]
codescene-delta-analysis bot reviewed Apr 19, 2024
View reviewed changes
Copy link

@codescene-delta-analysis codescene-delta-analysis bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Health Quality Gates: FAILED

  • Declining Code Health: 1 findings(s) 🚩

View detailed results in CodeScene

src/lib/create-config.ts
@@ -1,25 +1,26 @@
import { parse } from 'pg-connection-string';
import merge from 'deepmerge';
import * as fs from 'fs';
import { readFileSync } from 'fs';
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ℹ Getting worse: Overall Code Complexity
The mean cyclomatic complexity increases from 5.24 to 5.28, threshold = 4

codescene-delta-analysis[bot]
codescene-delta-analysis bot approved these changes Apr 19, 2024
View reviewed changes
Copy link

@codescene-delta-analysis codescene-delta-analysis bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Health Quality Gates: OK

View detailed results in CodeScene

@alvinometric
Copy link
Contributor

Just to confirm, this doesn't change the default username and passwords that are setup when self-hosting, right? It just lets you configure it.

@chriswk
Copy link
Contributor Author

chriswk commented Apr 19, 2024
edited
Loading

Just to confirm, this doesn't change the default username and passwords that are setup when self-hosting, right? It just lets you configure it.

It doesn't touch anything for default username and password, it's concerned with configuring a secure connection to the database.
I see the autoformatter has touched quite a bit of the configuring-unleash file that did not receive any actual eyeballs on it. Just to confirm that the new keys are

  • DATABASE_SSL_CA_FILE: sets ssl: { ca }
  • DATABASE_SSL_KEY_FILE: sets ssl: { key }
  • DATABASE_SSL_CERT_FILE: sets ssl: { cert }
  • DATABASE_SSL_CA_CONFIG: expects a path to a json file with { rejectUnauthorized: bool, ca: string, key: string, cert: string }, currently, the DATABASE_SSL option expects a stringified json object with the same keys, set in an environment variable. This is often hard to manage in various kubernetes setups. it's better to be able to write an actual json file to disk, and then read this in to memory in Unleash.
  • DATABASE_SSL_REJECT_UNAUTHORIZED: sets ssl: { rejectUnauthorized }

@alvinometric
Copy link
Contributor

Perfect, thanks

sighphyre
sighphyre approved these changes Apr 19, 2024
View reviewed changes
Copy link
Member

@sighphyre sighphyre left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ye! Code looks good, so I'm gonna tack on an approve. I'll put comments on the docs if I spot anything

Wow, IntelliJ got a little intense with the whitespace here but the docs look good at a glance

@chriswk chriswk merged commit ff6297d into main Apr 19, 2024
15 checks passed
@chriswk chriswk deleted the task/makeDbSslConfigurableFromFile branch April 19, 2024 12:38
@egor-xyz
Copy link
Contributor

egor-xyz commented May 6, 2024

Just to confirm, this doesn't change the default username and passwords that are setup when self-hosting, right? It just lets you configure it.

It doesn't touch anything for default username and password, it's concerned with configuring a secure connection to the database. I see the autoformatter has touched quite a bit of the configuring-unleash file that did not receive any actual eyeballs on it. Just to confirm that the new keys are

  • DATABASE_SSL_CA_FILE: sets ssl: { ca }

  • DATABASE_SSL_KEY_FILE: sets ssl: { key }

  • DATABASE_SSL_CERT_FILE: sets ssl: { cert }

  • DATABASE_SSL_CA_CONFIG: expects a path to a json file with { rejectUnauthorized: bool, ca: string, key: string, cert: string }, currently, the DATABASE_SSL option expects a stringified json object with the same keys, set in an environment variable. This is often hard to manage in various kubernetes setups. it's better to be able to write an actual json file to disk, and then read this in to memory in Unleash.

  • DATABASE_SSL_REJECT_UNAUTHORIZED: sets ssl: { rejectUnauthorized }

Can I set only the CA file path without DATABASE_SSL_KEY_FILE and DATABASE_SSL_CERT_FILE? AWS provides me only one CA file, and it's enough for connection to DB

@egor-xyz egor-xyz mentioned this pull request May 6, 2024
Merged
chriswk pushed a commit that referenced this pull request May 7, 2024
@egor-xyz
feat: Allow to use CA certificate file path for DB (#6985)
8ae8cbb 
Regarding ticket #6892:

I would like to enable the use of a CA certificate without requiring
other certificates. This would be useful for AWS Helm, as AWS only
provides a single PEM file for DB connections.
chriswk pushed a commit that referenced this pull request May 7, 2024
@egor-xyz @chriswk
feat: Allow to use CA certificate file path for DB (#6985)
7e71d09 
Regarding ticket #6892:

I would like to enable the use of a CA certificate without requiring
other certificates. This would be useful for AWS Helm, as AWS only
provides a single PEM file for DB connections.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sighphyre sighphyre sighphyre approved these changes

@codescene-delta-analysis codescene-delta-analysis[bot] codescene-delta-analysis approved these changes

@Tymek Tymek Awaiting requested review from Tymek

@alvinometric alvinometric Awaiting requested review from alvinometric alvinometric is a code owner

@nnennandukwe nnennandukwe Awaiting requested review from nnennandukwe nnennandukwe is a code owner

Assignees

@chriswk chriswk

Labels
None yet
Projects
Issues and PRs
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Easier DB CA certificate configuration
4 participants
@chriswk @alvinometric @egor-xyz @sighphyre