Fixes #10234 - Postgres SSL Certificate fix #10300

Merged
merged 3 commits into from
Feb 7, 2023
2 changes: 2 additions & 0 deletions Dockerfile
Expand Up @@ -101,6 +101,8 @@ FROM gcr.io/distroless/static as workflow-controller

USER 8737

WORKDIR /home/argo

Comment on lines +104 to +105
Do we really need this? Can't we use absolute paths for the files in persist/sqldb/sqldb.go?

WORKDIR is needed to refer to where all the binaries and files need to be copied. Can we make the path configurable?

COPY hack/ssh_known_hosts /etc/ssh/
COPY hack/nsswitch.conf /etc/
COPY --chown=8737 --from=workflow-controller-build /go/src/github.com/argoproj/argo-workflows/dist/workflow-controller /bin/
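Review bot: The `WORKDIR /home/argo` line added here is also the parent of the runtime certificate directory (config.go's GetPGCertPath falls back to /home/argo/pgcerts and sqldb.go calls os.MkdirAll on it), so /home/argo must be writable by uid 8737, and the Dockerfile does not make that explicit. Whether WORKDIR creates a missing directory owned by the USER set above it depends on the builder version, and the distroless base has no pre-existing /home/argo, so the write path currently rests on builder behaviour. Making ownership explicit, for example by copying an empty directory into place with `COPY --chown=8737`, since the distroless image has no shell for a mkdir, would remove that dependence. A comment above the WORKDIR line such as `# parent of the default PostgreSQL cert directory (see config.PostgreSQLConfig.GetPGCertPath); must be writable by 8737` would tell the next reader why the directory matters.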
15 changes: 13 additions & 2 deletions config/config.go
Expand Up @@ -232,8 +232,19 @@ func (c DatabaseConfig) GetHostname() string {

type PostgreSQLConfig struct {
DatabaseConfig
SSL bool `json:"ssl,omitempty"`
SSLMode string `json:"sslMode,omitempty"`
SSL bool `json:"ssl,omitempty"`
SSLMode string `json:"sslMode,omitempty"`
CaCertSecret apiv1.SecretKeySelector `json:"caCertSecret,omitempty"`
ClientCertSecret apiv1.SecretKeySelector `json:"clientCertSecret,omitempty"`
ClientKeySecret apiv1.SecretKeySelector `json:"clientKeySecret,omitempty"`
CertPath string `json:"certPath"`
}

func (c PostgreSQLConfig) GetPGCertPath() string {
if c.CertPath != "" {
return c.CertPath
}
return "/home/argo/pgcerts"
}

type MySQLConfig struct {
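Review bot: The new `CertPath` field is the only one in PostgreSQLConfig whose tag lacks `omitempty`, so an unset path serialises as `"certPath": ""` while every sibling field is dropped; `CertPath string `json:"certPath,omitempty"`` keeps the struct consistent. GetPGCertPath is exported and undocumented; suggest `// GetPGCertPath returns the directory PostgreSQL TLS material is written to, falling back to /home/argo/pgcerts when CertPath is unset.` The three new SecretKeySelector fields would also benefit from a comment stating which of them are optional, because as written a reader cannot tell whether a CA-only configuration without a client certificate is supported. The MySQLConfig type that begins on the hunk's last line continues outside the hunk.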
39 changes: 37 additions & 2 deletions persist/sqldb/sqldb.go
Expand Up @@ -3,6 +3,7 @@ package sqldb
import (
"context"
"fmt"
"os"
"time"

"k8s.io/client-go/kubernetes"
Expand Down Expand Up @@ -53,9 +54,43 @@ func CreatePostGresDBSession(kubectlConfig kubernetes.Interface, namespace strin
}

if cfg.SSL {
if cfg.SSLMode != "" {
if cfg.SSLMode != "" && cfg.SSLMode != "disable" {
err := os.MkdirAll(cfg.GetPGCertPath(), 0700)
if err != nil {
return nil, "", err
}
rootCertByte, err := util.GetSecrets(ctx, kubectlConfig, namespace, cfg.CaCertSecret.Name, cfg.CaCertSecret.Key)
if err != nil {
return nil, "", err
}
err = os.WriteFile(cfg.GetPGCertPath()+"/ca.crt", rootCertByte, 0600)
if err != nil {
return nil, "", err
}

serverCertByte, err := util.GetSecrets(ctx, kubectlConfig, namespace, cfg.ClientCertSecret.Name, cfg.ClientCertSecret.Key)
if err != nil {
return nil, "", err
}
err = os.WriteFile(cfg.GetPGCertPath()+"/tls.crt", serverCertByte, 0600)
if err != nil {
return nil, "", err
}

serverKeyByte, err := util.GetSecrets(ctx, kubectlConfig, namespace, cfg.ClientKeySecret.Name, cfg.ClientKeySecret.Key)
if err != nil {
return nil, "", err
}
err = os.WriteFile(cfg.GetPGCertPath()+"/tls.key", serverKeyByte, 0400)
if err != nil {
return nil, "", err
}

options := map[string]string{
"sslmode": cfg.SSLMode,
"sslmode": cfg.SSLMode,
"sslrootcert": cfg.GetPGCertPath() + "/ca.crt",
"sslkey": cfg.GetPGCertPath() + "/tls.key",
"sslcert": cfg.GetPGCertPath() + "/tls.crt",
}
settings.Options = options
}
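Review bot: The client key is written with mode 0400 on the last os.WriteFile line of the hunk, so a second run of this block inside the same container fails with a permission error, because os.WriteFile opens the existing read-only file for truncation and the process runs as uid 8737 per the Dockerfile rather than root; whether CreatePostGresDBSession is called more than once per process is not visible here, but any reconnect path that re-enters it would hit this. Writing the key as `0600` like ca.crt and tls.crt avoids the problem and still keeps the file free of group/world access, which is what a PostgreSQL driver's sslkey permission check typically requires (the driver behind upstream/db is outside the hunk); alternatively remove the file before each write. The three util.GetSecrets calls are unconditional, so if GetSecrets errors on an empty secret name, a CA-only setup (sslmode verify-ca or verify-full with server verification but no client certificate) cannot be expressed; skipping the client cert and key when `cfg.ClientCertSecret.Name == ""` would cover that, assuming GetSecrets behaves as described since it is outside the hunk. The file paths are built with `+ "/ca.crt"` and friends; `filepath.Join(cfg.GetPGCertPath(), "ca.crt")` is the idiomatic form and would let the directory be computed once instead of six times. CreatePostGresDBSession begins before the hunk and continues after it.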