
Add support for connecting to Postgres DBMS over mutual TLS

Open pna-nca opened this issue 2 years ago • 4 comments

pna-nca avatar Sep 07 '22 09:09 pna-nca

I'm just wondering why not service mesh then?

dsever avatar Sep 07 '22 09:09 dsever

I'm just wondering why not service mesh then?

I followed the straightforward approach and stumbled across various issues and came up with this solution as a result. I myself would vote for a clearer implementation.

pna-nca avatar Sep 07 '22 09:09 pna-nca

I followed the straightforward approach and stumbled across various issues and came up with this solution as a result. I myself would vote for a clearer implementation.

I consider istio the cleaner solution. Have you tried to do the same using istio?

dsever avatar Sep 07 '22 09:09 dsever

I followed the straightforward approach and stumbled across various issues and came up with this solution as a result. I myself would vote for a clearer implementation.

I consider istio the cleaner solution. Have you tried to do the same using istio?

Will have a look into it, thanks!

pna-nca avatar Sep 07 '22 10:09 pna-nca

I followed the straightforward approach and stumbled across various issues and came up with this solution as a result. I myself would vote for a clearer implementation.

I consider istio the cleaner solution. Have you tried to do the same using istio?

Two points here:

  • DefectDojo lacks support for a specific authentication method to access the DBMS. This commit fixes that. Using some third-party solution as a workaround can be okay until this is implemented on the side of DefectDojo. Even if the workaround is cleaner, DefectDojo should not abandon such support.
  • Istio does not support the discussed connection type, so it does not work even as a workaround. See https://github.com/istio/istio/issues/29761

pna-nca avatar Sep 30 '22 09:09 pna-nca

@pna-nca I believe our helm people are away right now :( I apologize this can't be reviewed sooner.

devGregA avatar Sep 30 '22 19:09 devGregA

@pna-nca I will try to review it in the next few days.

dsever avatar Oct 03 '22 06:10 dsever

Thanks for your work @pna-nca and sorry for the long delay.

I think the current approach mixes tls (for encryption) and mtls (for authentication). Of course tls is required for mtls, but in a lot of situations tls is sufficient. So we should be able to configure these two things separately. Can you take a look and ensure that we can activate tls without mtls and tls with mtls?

A point I am not so happy with is the modification of the entrypoint. It makes it harder to maintain and test, but I don't have a better solution for it at the moment.

alles-klar avatar Nov 04 '22 07:11 alles-klar
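The separation alles-klar asks for above (server-side TLS on its own, client-certificate mTLS as an optional layer on top) maps directly onto the libpq connection parameters that Django's postgresql backend passes through `DATABASES[...]["OPTIONS"]`: `sslmode` and `sslrootcert` authenticate the server, `sslcert`/`sslkey` authenticate the client. The block below is an added example and is not code from DefectDojo or from this PR; the `DD_DB_SSL_*` environment variable names and the certificate paths are invented for the illustration. It derives the OPTIONS dict so that `verify-full` without a client cert is a valid configuration, mTLS is only enabled when both cert and key are given, and the key-file permission rule libpq enforces (no group/world access) can be checked before the first connection attempt instead of failing at runtime.

```python
"""
Added example (not DefectDojo code): build Django DATABASES OPTIONS for
Postgres so that TLS (server authentication) and mTLS (client
authentication) are configured independently. The DD_DB_SSL_* variable
names below are hypothetical.
"""
import os
import stat

# libpq sslmode values, weakest to strongest. Only verify-ca/verify-full
# actually authenticate the server; 'require' encrypts but trusts any cert.
VALID_SSLMODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")

_TLS_VARS = ("DD_DB_SSL_ROOT_CERT", "DD_DB_SSL_CERT", "DD_DB_SSL_KEY")


def build_pg_ssl_options(env):
    """Return a dict for DATABASES['default']['OPTIONS'] from an env mapping.

    Hypothetical variables read from env:
      DD_DB_SSL_MODE       libpq sslmode (default: disable)
      DD_DB_SSL_ROOT_CERT  CA bundle used to verify the server certificate
      DD_DB_SSL_CERT       client certificate; turns on mTLS
      DD_DB_SSL_KEY        client private key; must accompany DD_DB_SSL_CERT
    """
    mode = env.get("DD_DB_SSL_MODE", "disable")
    if mode not in VALID_SSLMODES:
        raise ValueError(f"unknown sslmode {mode!r}")
    opts = {"sslmode": mode}

    if mode == "disable":
        # Refuse silently-ignored cert material: it usually means a typo.
        if any(v in env for v in _TLS_VARS):
            raise ValueError("TLS material given but DD_DB_SSL_MODE=disable")
        return opts

    # Layer 1: server authentication (plain TLS). A trust anchor is mandatory
    # for the verifying modes; optional (and pointless) for the others.
    root = env.get("DD_DB_SSL_ROOT_CERT")
    if mode in ("verify-ca", "verify-full") and not root:
        raise ValueError(f"sslmode={mode} requires DD_DB_SSL_ROOT_CERT")
    if root:
        opts["sslrootcert"] = root

    # Layer 2: client authentication (mTLS). Independent of layer 1, but
    # cert and key must be given together.
    cert = env.get("DD_DB_SSL_CERT")
    key = env.get("DD_DB_SSL_KEY")
    if bool(cert) != bool(key):
        raise ValueError("DD_DB_SSL_CERT and DD_DB_SSL_KEY must be set together")
    if cert:
        opts["sslcert"] = cert
        opts["sslkey"] = key
    return opts


def is_mtls(opts):
    """True when the OPTIONS dict will present a client certificate."""
    return "sslcert" in opts


def key_mode_ok(mode_bits):
    """libpq rejects a private key readable by group or others (wants 0600)."""
    return (stat.S_IMODE(mode_bits) & 0o077) == 0


def check_key_file(path):
    """Stat the key file and raise early with a clear message if libpq would refuse it."""
    st = os.stat(path)
    if not key_mode_ok(st.st_mode):
        raise PermissionError(
            f"{path}: mode {oct(stat.S_IMODE(st.st_mode))} is too permissive; chmod 0600"
        )


if __name__ == "__main__":
    # Constructed sample environment: TLS with server verification plus mTLS.
    sample_env = {
        "DD_DB_SSL_MODE": "verify-full",
        "DD_DB_SSL_ROOT_CERT": "/run/secrets/pg/ca.pem",
        "DD_DB_SSL_CERT": "/run/secrets/pg/client.crt",
        "DD_DB_SSL_KEY": "/run/secrets/pg/client.key",
    }
    options = build_pg_ssl_options(sample_env)
    print(options, "mtls" if is_mtls(options) else "tls-only")
    # In settings.py one would write:
    # DATABASES = {"default": {"ENGINE": "django.db.backends.postgresql",
    #                          ...,
    #                          "OPTIONS": build_pg_ssl_options(os.environ)}}
```

Whether the client certificate is actually required is decided on the server, not here: in Postgres that is the `hostssl ... cert` line in `pg_hba.conf` (the `cert` method with `clientcert=verify-full` ties the certificate's CN/SAN to the role). Note also that `sslmode=require` with no `sslrootcert` encrypts the connection but accepts any server certificate, so for a "tls without mtls" deployment `verify-full` plus the CA bundle is the setting that gives real server authentication.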

I still have mixed feelings about that. It is not the way things should be done in k8s, and it will not scale. This is the reason why cloud native is recommending to use a service mesh.

dsever avatar Nov 04 '22 10:11 dsever

Closing due to inactivity

Maffooch avatar Apr 11 '23 18:04 Maffooch