
Support SSL configurations of mysql connections

Open mrzarquon opened this issue 3 years ago • 0 comments

Is your feature request related to a problem? Please describe

Currently gitpod-db service only takes basic credentials which is counter to many corporate requirements around best practices for access. Without it users have to raise an exception to be allowed to install it.

The mysql library gitpod-db uses exposes a configurable ssl setting, including RDS specific configuration that loads the AmazonAWS certificates.

The only other change appears to be in our db migration job, which would need to be modifiable in cases where SSL is used, since it is performing a mysql cli command.

Describe the behaviour you'd like

Allow the user to enable at minimum --ssl-mode=VERIFY_IDENTITY and --ssl-ca=custom-ca.crt level of options to their mysql configuration part of the Gitpod installation.

If it is an RDS mysql instance, the user should be able to specify that.

mrzarquon avatar Aug 09 '22 16:08 mrzarquon

Scheduled for investigation.

jldec avatar Aug 26 '22 09:08 jldec

I started to look into this in this draft PR.

So far, it allows setting an optional installer config at database.ssl.ca that configures all DB-accessing code to use a custom CA for verifying SSL connections. It's not tested yet, but should be straightforward.

@mrzarquon Does that solve your use case?

As far as I understand the semantics of the "'Amazon RDS' profile" option in typeorm, it's a special case that eases the configuration, because it pulls the CA from a certain AWS-controlled destination. But I don't think we should start pulling up that implementation detail into installer if we can avoid it with a more general approach (specifying a custom CA value).

geropl avatar Sep 09 '22 07:09 geropl

@geropl Thinking about this, while the rds option for the mysql option fast tracks that specific use case, for doing test connections, we'd still need the CA exposed there (maybe we extract it from the module?).

Downside of using the CA upload method is we then encode the CA into the user's gitpod configuration file, so they will need to know to refresh that in 2 years when it expires:

% openssl x509 -enddate -noout -in us-east-2-bundle.pem
notAfter=Aug 22 17:08:50 2024 GMT

The RDS option just uses what is stored in the mysql library which is updated regularly, so we can ensure we keep the mysql module up to date and the ssl ca updates come along for free.

mrzarquon avatar Sep 14 '22 15:09 mrzarquon

> the CA into the users gitpod configuration file

This is actually an oversight on my end: it should be a Secret on the control plane, really. Fixing the PR.

> so they will need to know to refresh that in 2 years when it expires:

Yes, cert renewal can be solved with external tools like cert-manager, for instance.

FWIW: Some cloud providers (like GCP) offer SSL proxies to encrypt traffic between k8s cluster workloads and DBs. Maybe AWS has something similar?

geropl avatar Sep 15 '22 09:09 geropl