This repository has been archived by the owner on Jan 24, 2023. It is now read-only.

SSLMode is not respected for database connections #4434

Closed
2 of 9 tasks
benwalk opened this issue Jul 7, 2020 · 1 comment
Labels
bug community Community Raised Issue

Comments

@benwalk
Contributor

benwalk commented Jul 7, 2020

Frontend Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • npm run start
  • Other (please specify below)

Backend (Jet Stream) Deployment type

  • Cloud Foundry Application (cf push)
  • Kubernetes, using a helm chart
  • Docker, single container deploying all components
  • Other (please specify below)

Expected behaviour

SSLMode can be configured via env var or other.

Actual behaviour

SSLMode is hard coded to "disable".

Steps to reproduce the behavior

See here: https://github.com/cloudfoundry/stratos/blob/master/src/jetstream/datastore/database_cf_config.go#L81

Log output covering before error and any error statements

With a little extra logging:

   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] ========================================
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] === Stratos Jetstream Backend Server ===
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] ========================================
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020]
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] Initialization started.
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] Configuration loaded.
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] Stratos Version: 3.2.1
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] HTTP client initialized.
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] Encryption key set.
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] Found 1 database service instances
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] Using first database service instance: console-db
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] Attempting to apply Cloud Foundry database service config from VCAP_SERVICES credentials
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] Failed to find required Cloud Foundry database service config, falling back on credential's `uri`
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT parameter validation failed:
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT 	Parameter was nil: database name
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT 	Parameter was nil: host/hostname
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] Applied Cloud Foundry database service config (provider: pgsql, ssl: disable)
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] Using Cloud Foundry DB service
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] Setting SSL Mode for pgsql: disable
   2020-07-07T14:28:47.93-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] DB Connection string: dbname='***' host='***' port=5432 connect_timeout=10
   2020-07-07T14:28:47.96-0700 [APP/PROC/WEB/0] OUT INFO[Tue Jul  7 21:28:47 UTC 2020] Waiting for database to be responsive: Unable to ping the database: pq: no pg_hba.conf entry for host "10.4.11.15", user "***", database "***", SSL off

Detailed Description

When SSL is required for connections to backend databases, Stratos cannot make this connection because SSL is disabled for the connection pool.

Context

I have been following this guide https://github.com/cloudfoundry/stratos/tree/master/deploy/cloud-foundry#deploy-stratos-from-source as well as https://github.com/cloudfoundry/stratos/blob/master/deploy/cloud-foundry/db-migration/README.md.

It does not describe a way to enable SSL modes on db connections, with the exception of binding custom configuration via CUPS. Our CF use case provisions AWS RDS databases for binding as services, so using CUPS for this single configuration property is superfluous.

Possible Implementation

I have made the following changes to achieve the desired functionality:
diff
And then I was able to pass in DB_SSL_MODE as an env var via manifest.yml.
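
Added example, not part of the original issue or the Stratos code base: one way to take the SSL mode from the `DB_SSL_MODE` environment variable mentioned above and put it into a lib/pq style connection string, rejecting unknown values instead of silently connecting without TLS. The function names, the sample host and database name, and the `disable` fallback (chosen to mirror the behaviour reported in the issue) are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// sslmode values accepted by lib/pq. "require" encrypts without verifying the
// server certificate; "verify-ca" and "verify-full" also authenticate the server.
var validSSLModes = map[string]bool{
	"disable": true, "require": true, "verify-ca": true, "verify-full": true,
}

// resolveSSLMode (hypothetical helper) reads DB_SSL_MODE through getenv.
// An unset variable yields fallback; an unrecognised value is an error
// rather than a silent downgrade to an unencrypted connection.
func resolveSSLMode(getenv func(string) string, fallback string) (string, error) {
	mode := strings.ToLower(strings.TrimSpace(getenv("DB_SSL_MODE")))
	if mode == "" {
		mode = fallback
	}
	if !validSSLModes[mode] {
		return "", fmt.Errorf("unsupported DB_SSL_MODE %q", mode)
	}
	return mode, nil
}

// quote escapes a value for a key='value' connection string.
func quote(v string) string {
	return "'" + strings.NewReplacer(`\`, `\\`, `'`, `\'`).Replace(v) + "'"
}

// buildDSN (hypothetical) assembles the connection string seen in the log
// output, with the sslmode parameter appended explicitly.
func buildDSN(host, db string, port int, sslMode string) string {
	return fmt.Sprintf("dbname=%s host=%s port=%d connect_timeout=10 sslmode=%s",
		quote(db), quote(host), port, sslMode)
}

func main() {
	mode, err := resolveSSLMode(os.Getenv, "disable") // fallback is an assumption
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Constructed sample host and database name.
	fmt.Println(buildDSN("db.example.internal", "console", 5432, mode))
}
```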

@richard-cox richard-cox added the community Community Raised Issue label Jul 10, 2020
@richard-cox richard-cox added this to the 4.0.0 milestone Jul 27, 2020
@richard-cox
Contributor

Fixed by #4442
