Merge pull request #177 from qibobo/dev_qy_pgssl

allow secure db connection
cloudfoundry · Mar 15, 2019 · 674ebf5 · 674ebf5
2 parents 2e88f0b + 6bdbe8d
commit 674ebf5
Show file tree

Hide file tree

Showing 30 changed files with 447 additions and 22 deletions.
diff --git a/README.md b/README.md
@@ -128,6 +128,29 @@ bosh -e YOUR_ENV -d app-autoscaler \
      -v cf_client_secret=autoscaler_client_secret \
      -v skip_ssl_validation=true
 ```
+#### Deploy autoscaler with postgres database enabled TLS
+
+```sh
+bosh -e YOUR_ENV -d app-autoscaler \
+     deploy templates/app-autoscaler-deployment.yml \
+     --vars-store=bosh-lite/deployments/vars/autoscaler-deployment-vars.yml \
+     -o example/operation/postgres-ssl.yml \
+     -v system_domain=bosh-lite.com \
+     -v cf_client_id=autoscaler_client_id \
+     -v cf_client_secret=autoscaler_client_secret \
+     -v skip_ssl_validation=true
+```
+For density deployment
+```sh
+bosh -e YOUR_ENV -d app-autoscaler \
+     deploy templates/app-autoscaler-deployment-fewer.yml \
+     --vars-store=bosh-lite/deployments/vars/autoscaler-deployment-vars.yml \
+     -o example/operation/postgres-ssl-fewer.yml \
+     -v system_domain=bosh-lite.com \
+     -v cf_client_id=autoscaler_client_id \
+     -v cf_client_secret=autoscaler_client_secret \
+     -v skip_ssl_validation=true
+```
 >** It's advised not to make skip_ssl_validation=true for non-development environment
 
 ## Register service

diff --git a/example/operation/postgres-ssl-fewer.yml b/example/operation/postgres-ssl-fewer.yml
@@ -0,0 +1,135 @@
+- type: replace
+  path: /instance_groups/name=postgres_autoscaler/jobs/name=postgres/properties/databases/sslmode?
+  value: &sslmode "verify-full"
+- type: replace
+  path: /instance_groups/name=postgres_autoscaler/jobs/name=postgres/properties/databases/tls?
+  value: &database_tls
+    ca: ((postgres_ca.ca))
+    certificate: ((postgres_server.certificate))
+    private_key: ((postgres_server.private_key))
+
+- type: replace
+  path: /variables/-
+  value:
+    name: postgres_ca
+    type: certificate
+    options:
+      is_ca: true
+      common_name: postgresCA
+- type: replace
+  path: /variables/-
+  value:
+    name: postgres_server
+    type: certificate
+    options:
+      ca: postgres_ca
+      common_name: postgres.service.cf.internal
+      extended_key_usage:
+      - client_auth
+      - server_auth
+
+#scheduler
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=scheduler/properties/autoscaler/policy_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=scheduler/properties/autoscaler/policy_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=scheduler/properties/autoscaler/scheduler_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=scheduler/properties/autoscaler/scheduler_db/tls?
+  value: *database_tls
+#scalingengine
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=scalingengine/properties/autoscaler/scalingengine_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=scalingengine/properties/autoscaler/scalingengine_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=scalingengine/properties/autoscaler/scheduler_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=scalingengine/properties/autoscaler/scheduler_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=scalingengine/properties/autoscaler/policy_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=scalingengine/properties/autoscaler/policy_db/tls?
+  value: *database_tls
+
+#metricscollector
+- type: replace
+  path: /instance_groups/name=asmetrics/jobs/name=metricscollector/properties/autoscaler/instancemetrics_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asmetrics/jobs/name=metricscollector/properties/autoscaler/instancemetrics_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=asmetrics/jobs/name=metricscollector/properties/autoscaler/policy_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asmetrics/jobs/name=metricscollector/properties/autoscaler/policy_db/tls?
+  value: *database_tls
+#eventgenertor
+- type: replace
+  path: /instance_groups/name=asmetrics/jobs/name=eventgenerator/properties/autoscaler/appmetrics_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asmetrics/jobs/name=eventgenerator/properties/autoscaler/appmetrics_db/tls?
+  value: *database_tls
+- type: replace
+  path: /instance_groups/name=asmetrics/jobs/name=eventgenerator/properties/autoscaler/policy_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asmetrics/jobs/name=eventgenerator/properties/autoscaler/policy_db/tls?
+  value: *database_tls
+
+#operator
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=operator/properties/autoscaler/appmetrics_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=operator/properties/autoscaler/appmetrics_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=operator/properties/autoscaler/instancemetrics_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=operator/properties/autoscaler/instancemetrics_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=operator/properties/autoscaler/scalingengine_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=operator/properties/autoscaler/scalingengine_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=operator/properties/autoscaler/policy_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=operator/properties/autoscaler/policy_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=operator/properties/autoscaler/lock_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=asactors/jobs/name=operator/properties/autoscaler/lock_db/tls?
+  value: *database_tls
+
+
+
+
+
+
diff --git a/example/operation/postgres-ssl.yml b/example/operation/postgres-ssl.yml
@@ -0,0 +1,135 @@
+- type: replace
+  path: /instance_groups/name=postgres_autoscaler/jobs/name=postgres/properties/databases/sslmode?
+  value: &sslmode "verify-full"
+- type: replace
+  path: /instance_groups/name=postgres_autoscaler/jobs/name=postgres/properties/databases/tls?
+  value: &database_tls
+    ca: ((postgres_ca.ca))
+    certificate: ((postgres_server.certificate))
+    private_key: ((postgres_server.private_key))
+
+- type: replace
+  path: /variables/-
+  value:
+    name: postgres_ca
+    type: certificate
+    options:
+      is_ca: true
+      common_name: postgresCA
+- type: replace
+  path: /variables/-
+  value:
+    name: postgres_server
+    type: certificate
+    options:
+      ca: postgres_ca
+      common_name: postgres.service.cf.internal
+      extended_key_usage:
+      - client_auth
+      - server_auth
+
+#scheduler
+- type: replace
+  path: /instance_groups/name=scheduler_autoscaler/jobs/name=scheduler/properties/autoscaler/policy_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=scheduler_autoscaler/jobs/name=scheduler/properties/autoscaler/policy_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=scheduler_autoscaler/jobs/name=scheduler/properties/autoscaler/scheduler_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=scheduler_autoscaler/jobs/name=scheduler/properties/autoscaler/scheduler_db/tls?
+  value: *database_tls
+#scalingengine
+- type: replace
+  path: /instance_groups/name=scalingengine/jobs/name=scalingengine/properties/autoscaler/scalingengine_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=scalingengine/jobs/name=scalingengine/properties/autoscaler/scalingengine_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=scalingengine/jobs/name=scalingengine/properties/autoscaler/scheduler_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=scalingengine/jobs/name=scalingengine/properties/autoscaler/scheduler_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=scalingengine/jobs/name=scalingengine/properties/autoscaler/policy_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=scalingengine/jobs/name=scalingengine/properties/autoscaler/policy_db/tls?
+  value: *database_tls
+
+#metricscollector
+- type: replace
+  path: /instance_groups/name=metricscollector/jobs/name=metricscollector/properties/autoscaler/instancemetrics_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=metricscollector/jobs/name=metricscollector/properties/autoscaler/instancemetrics_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=metricscollector/jobs/name=metricscollector/properties/autoscaler/policy_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=metricscollector/jobs/name=metricscollector/properties/autoscaler/policy_db/tls?
+  value: *database_tls
+#eventgenertor
+- type: replace
+  path: /instance_groups/name=eventgenerator/jobs/name=eventgenerator/properties/autoscaler/appmetrics_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=eventgenerator/jobs/name=eventgenerator/properties/autoscaler/appmetrics_db/tls?
+  value: *database_tls
+- type: replace
+  path: /instance_groups/name=eventgenerator/jobs/name=eventgenerator/properties/autoscaler/policy_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=eventgenerator/jobs/name=eventgenerator/properties/autoscaler/policy_db/tls?
+  value: *database_tls
+
+#operator
+- type: replace
+  path: /instance_groups/name=operator/jobs/name=operator/properties/autoscaler/appmetrics_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=operator/jobs/name=operator/properties/autoscaler/appmetrics_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=operator/jobs/name=operator/properties/autoscaler/instancemetrics_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=operator/jobs/name=operator/properties/autoscaler/instancemetrics_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=operator/jobs/name=operator/properties/autoscaler/scalingengine_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=operator/jobs/name=operator/properties/autoscaler/scalingengine_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=operator/jobs/name=operator/properties/autoscaler/policy_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=operator/jobs/name=operator/properties/autoscaler/policy_db/tls?
+  value: *database_tls
+
+- type: replace
+  path: /instance_groups/name=operator/jobs/name=operator/properties/autoscaler/lock_db/sslmode?
+  value: *sslmode
+- type: replace
+  path: /instance_groups/name=operator/jobs/name=operator/properties/autoscaler/lock_db/tls?
+  value: *database_tls
+
+
+
+
+
+
diff --git a/jobs/eventgenerator/spec b/jobs/eventgenerator/spec
@@ -13,6 +13,8 @@ templates:
   scalingengine_ca.crt.erb: config/certs/scalingengine/ca.crt
   scalingengine_client.crt.erb: config/certs/scalingengine/client.crt
   scalingengine_client.key.erb: config/certs/scalingengine/client.key
+  policy_db_ca.crt.erb: config/certs/policy_db/ca.crt
+  appmetrics_db_ca.crt.erb: config/certs/appmetrics_db/ca.crt
   hooks/pre-start.sh.erb: bin/hooks/pre-start.sh
   hooks/pre-stop.sh.erb: bin/hooks/pre-stop.sh
   hooks/post-start.sh.erb: bin/hooks/post-start.sh
@@ -47,6 +49,11 @@ properties:
     description: "Port on which the policydb server will listen"
   autoscaler.policy_db.roles:
     description: "The list of database roles used in policydb database including name/password"
+  autoscaler.policy_db.tls.ca:
+    default: ''
+  autoscaler.policy_db.sslmode:
+    default: disable
+    description: "sslmode to connect to postgres server"
 
   autoscaler.appmetrics_db.address:
     description: "IP address on which the appmetricsdb server will listen"
@@ -59,6 +66,11 @@ properties:
     description: "Port on which the appmetricsdb server will listen"
   autoscaler.appmetrics_db.roles:
     description: "The list of database roles used in appmetricsdb database including name/password"
+  autoscaler.appmetrics_db.tls.ca:
+    default: ''
+  autoscaler.appmetrics_db.sslmode:
+    default: disable
+    description: "sslmode to connect to postgres server"
 
   autoscaler.appmetrics_db_connection_config.max_open_connections:
     default: 100

diff --git a/jobs/eventgenerator/templates/appmetrics_db_ca.crt.erb b/jobs/eventgenerator/templates/appmetrics_db_ca.crt.erb
@@ -0,0 +1,3 @@
+<% if_p("autoscaler.appmetrics_db.tls.ca") do |value| %>
+<%= value %>
+<% end %>
diff --git a/jobs/eventgenerator/templates/eventgenerator.yml.erb b/jobs/eventgenerator/templates/eventgenerator.yml.erb
@@ -8,15 +8,15 @@
   policy_db_port = p('autoscaler.policy_db.port')
   policy_db_role = p_arr('autoscaler.policy_db.roles').find { |role| role['tag'] == 'policydb' or role['tag'] == 'default' } 
   policy_db_database = p_arr('autoscaler.policy_db.databases').find { |database| database['tag'] == 'policydb' or database['tag'] == 'default' } 
-  policy_db_url = policy_db_scheme + "://" + policy_db_role['name'] + ":" + policy_db_role['password'] + "@" + policy_db_address + ":" + policy_db_port.to_s + "/" + policy_db_database['name'] + "?sslmode=disable"
+  policy_db_url = policy_db_scheme + "://" + policy_db_role['name'] + ":" + policy_db_role['password'] + "@" + policy_db_address + ":" + policy_db_port.to_s + "/" + policy_db_database['name'] + "?sslmode=" + p('autoscaler.policy_db.sslmode') + "&sslrootcert=/var/vcap/jobs/eventgenerator/config/certs/policy_db/ca.crt" 
 
 
   app_metrics_db_scheme = p('autoscaler.appmetrics_db.db_scheme')
   app_metrics_db_address = p('autoscaler.appmetrics_db.address')
   app_metrics_db_port = p('autoscaler.appmetrics_db.port')
   app_metrics_db_role = p_arr('autoscaler.appmetrics_db.roles').find { |role| role['tag'] == 'appmetricsdb' or role['tag'] == 'default' }
   app_metrics_db_database = p_arr('autoscaler.appmetrics_db.databases').find { |database| database['tag'] == 'appmetricsdb' or database['tag'] == 'default' }
-  app_metrics_db_url = app_metrics_db_scheme + "://" + app_metrics_db_role['name'] + ":" + app_metrics_db_role['password'] + "@" + app_metrics_db_address + ":" + app_metrics_db_port.to_s + "/" + app_metrics_db_database['name'] + "?sslmode=disable"
+  app_metrics_db_url = app_metrics_db_scheme + "://" + app_metrics_db_role['name'] + ":" + app_metrics_db_role['password'] + "@" + app_metrics_db_address + ":" + app_metrics_db_port.to_s + "/" + app_metrics_db_database['name'] + "?sslmode=" + p('autoscaler.appmetrics_db.sslmode') + "&sslrootcert=/var/vcap/jobs/eventgenerator/config/certs/appmetrics_db/ca.crt" 
 
   sorted_instances=link("eventgenerator").instances.sort_by {|i|i.address}
   nodeIndex=sorted_instances.index(sorted_instances.find{|i|i.id == spec.id})

diff --git a/jobs/eventgenerator/templates/policy_db_ca.crt.erb b/jobs/eventgenerator/templates/policy_db_ca.crt.erb
@@ -0,0 +1,3 @@
+<% if_p("autoscaler.policy_db.tls.ca") do |value| %>
+<%= value %>
+<% end %>
diff --git a/jobs/metricscollector/spec b/jobs/metricscollector/spec
@@ -7,6 +7,8 @@ templates:
   metricscollector_ca.crt.erb: config/certs/metricscollector/ca.crt
   metricscollector_server.crt.erb: config/certs/metricscollector/server.crt
   metricscollector_server.key.erb: config/certs/metricscollector/server.key
+  appinstancemetrics_db_ca.crt.erb: config/certs/appinstancemetrics_db/ca.crt
+  policy_db_ca.crt.erb: config/certs/policy_db/ca.crt
   hooks/pre-start.sh.erb: bin/hooks/pre-start.sh
   hooks/pre-stop.sh.erb: bin/hooks/pre-stop.sh
   hooks/post-start.sh.erb: bin/hooks/post-start.sh
@@ -40,6 +42,11 @@ properties:
     description: "Port on which the policydb server will listen"
   autoscaler.policy_db.roles:
     description: "The list of database roles used in policydb database including name/password"
+  autoscaler.policy_db.tls.ca:
+    default: ''
+  autoscaler.policy_db.sslmode:
+    default: disable
+    description: "sslmode to connect to postgres server"
 
   autoscaler.instancemetrics_db.address:
     description: "IP address on which the instancemetricsdb server will listen"
@@ -52,6 +59,11 @@ properties:
     description: "Port on which the instancemetricsdb server will listen"
   autoscaler.instancemetrics_db.roles:
     description: "The list of database roles used in instancemetricsdb database including name/password"
+  autoscaler.instancemetrics_db.tls.ca:
+    default: ''
+  autoscaler.instancemetrics_db.sslmode:
+    default: disable
+    description: "sslmode to connect to postgres server"
 
 
   autoscaler.instancemetrics_db_connection_config.max_open_connections: