
Add a database TLS option to trust system CAs #43286

Merged (5 commits) Jun 24, 2024

Conversation

@greedy52 (Contributor) commented Jun 20, 2024

Closes #42221:

changelog: added support to trust system CAs for self-hosted databases

Example:

db_service:
  enabled: yes
  databases:
  - name: "redis-system-ca"
    protocol: "redis"
    uri: "my-redis.local:6379"
    tls:
      trust_system_cert_pool: true
    static_labels:
      "env": "dev"

The flag avoids downloading the CA for the database service or appending the PEM file for Terraform db resources when database servers are publicly signed.

In theory, this also gives a small performance boost, as the db definition will be smaller without the CA bytes.

Tested by generating a self-signed cert for a Redis database, faking /etc/hosts, then adding the self-signed cert to the system store (/etc/pki/ca-trust/source/anchors/ on Amazon Linux, then update-ca-trust extract).
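An added Go example (not Teleport's own code) of the trust decision the new option makes: with trust_system_cert_pool the database certificate must chain to the OS trust store, otherwise only to the configured CA PEM, and in both cases the host name must match. CheckServerCert and NewTestPKI are hypothetical names; the CA and server certificate are constructed in code as a stand-in for the self-signed Redis certificate described above.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckServerCert verifies a database server certificate the way a TLS client would, using the trust
// anchors trust_system_cert_pool selects: the OS store when true, otherwise only the configured CA PEM.
func CheckServerCert(trustSystem bool, caPEM []byte, server *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	if trustSystem {
		var err error
		if roots, err = x509.SystemCertPool(); err != nil {
			return err
		}
	} else if !roots.AppendCertsFromPEM(caPEM) {
		return fmt.Errorf("no CA certificate found in configured PEM")
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// NewTestPKI builds a constructed private CA and a server cert for host (stand-in for the author's self-signed Redis cert).
func NewTestPKI(host string) (caPEM []byte, server *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	srvPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true, NotBefore: now,
		Subject: pkix.Name{CommonName: "constructed private CA"}, NotAfter: now.Add(24 * time.Hour)}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey) // fixed templates: cannot fail
	ca, _ := x509.ParseCertificate(caDER)
	srvTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), DNSNames: []string{host}, NotBefore: now,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, NotAfter: now.Add(24 * time.Hour)}
	srvDER, _ := x509.CreateCertificate(rand.Reader, srvTmpl, ca, srvPub, caKey)
	server, _ = x509.ParseCertificate(srvDER)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER}), server
}

func main() {
	caPEM, server := NewTestPKI("my-redis.local")
	fmt.Println("explicit CA:", CheckServerCert(false, caPEM, server, "my-redis.local")) // prints <nil>
	fmt.Println("system pool:", CheckServerCert(true, nil, server, "my-redis.local"))   // prints an unknown-authority error
}
```

With the private CA present only in the PEM, the system-pool path fails closed, which is exactly the case the author covered by adding the cert to the OS anchors before testing.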

🤖 Vercel preview here: https://docs-ib28s6q04-goteleport.vercel.app/docs/ver/preview


@greedy52 greedy52 added the ux label Jun 20, 2024
@greedy52 greedy52 marked this pull request as ready for review June 20, 2024 14:57
@github-actions github-actions bot added the database-access (Database access related issues and PRs), documentation and size/sm labels Jun 20, 2024
@GavinFrazar (Contributor) left a comment

Need to update the db tctl reference in docs/pages/database-access/reference/configuration.mdx as well.

Review thread on lib/config/database.go (outdated, resolved)

@greedy52 greedy52 added this pull request to the merge queue Jun 24, 2024
Merged via the queue into master with commit 3d8fb11 Jun 24, 2024
41 checks passed
@greedy52 greedy52 deleted the STeve/42221_db_trust_system_cert_pool branch June 24, 2024 16:52
@public-teleport-github-review-bot

@greedy52 See the table below for backport results.

Branch      Result
branch/v15  Failed
branch/v16  Create PR

greedy52 added a commit that referenced this pull request Jun 25, 2024
* Add a database TLS option to trust system CAs

* add doc

* review comments

* make derive
github-merge-queue bot pushed a commit that referenced this pull request Jun 26, 2024
* Add a database TLS option to trust system CAs

* add doc

* review comments

* make derive

Successfully merging this pull request may close these issues.

Need to attach CA-Bundle on Database Resources
5 participants