Skip to content

database/postgres: add inline certificate authentication fields#28024

Merged
fairclothjm merged 7 commits intomainfrom
postgres-ssl-plugin-fields
Aug 9, 2024
Merged

database/postgres: add inline certificate authentication fields#28024
fairclothjm merged 7 commits intomainfrom
postgres-ssl-plugin-fields

Conversation

@fairclothjm
Copy link
Copy Markdown
Contributor

@fairclothjm fairclothjm commented Aug 7, 2024
edited
Loading

This PR adds support for inline TLS configuration.

We add new fields to the plugin's config endpoint: tls_certificate, tls_private_key and tls_ca. These fields will take certificate data as a string. This allows Vault Operators and/or development teams to configure TLS when they do not have access to the Vault Server.

Here is an example of configuring TLS inline via the new fields on the plugin’s config endpoint:

CONN_URL="user='{{username}}' database='postgres' \
  host='localhost' port='5432' sslmode='verify-full'"

vault write database/config/postgres-db \
  plugin_name=postgresql-database-plugin \
  allowed_roles="*" \
  connection_url="$CONN_URL" \
  username=client \
  tls_certificate="@/path/to/client.crt" \
  tls_private_key="@/path/to/client.key" \
  tls_ca="@/path/to/ca.crt"

The @ in the CLI argument indicates a path to a file on disk to be read.

@fairclothjm fairclothjm added this to the 1.18.0-rc milestone Aug 7, 2024
@fairclothjm fairclothjm requested a review from a team as a code owner August 7, 2024 22:15
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Aug 7, 2024
@fairclothjm fairclothjm force-pushed the postgres-ssl-plugin-fields branch from da01aee to 83748a8 Compare August 7, 2024 22:16
@github-actions
Copy link
Copy Markdown

github-actions bot commented Aug 7, 2024
edited
Loading

CI Results:
All Go tests succeeded! ✅

fairclothjm
fairclothjm commented Aug 7, 2024
View reviewed changes
sdk/database/helper/connutil/cloudsql.go Outdated
Copy link
Copy Markdown
Contributor Author

@fairclothjm fairclothjm Aug 7, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

moved to sql.go

@github-actions
Copy link
Copy Markdown

github-actions bot commented Aug 7, 2024
edited
Loading

Build Results:
All builds succeeded! ✅

@fairclothjm fairclothjm force-pushed the postgres-ssl-plugin-fields branch from 83748a8 to 889ed2f Compare August 7, 2024 22:17
fairclothjm
fairclothjm commented Aug 7, 2024
View reviewed changes
sdk/database/helper/connutil/postgres.go
// Deprecated: OpenPostgres will be removed in a future version of the Vault SDK.
func OpenPostgres(driverName, connString string) (*sql.DB, error) {
// Deprecated: openPostgres will be removed in a future version of the Vault SDK.
func openPostgres(driverName, connString string) (*sql.DB, error) {
Copy link
Copy Markdown
Contributor Author

@fairclothjm fairclothjm Aug 7, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was only exported for tests but I decided we should not export this so the test usage was removed. This code path is tested however because it is called indirectly by our tests.

vinay-gopalan
vinay-gopalan approved these changes Aug 8, 2024
View reviewed changes
Copy link
Copy Markdown
Contributor

@vinay-gopalan vinay-gopalan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM! Had 1 question, but non-blocking

plugins/database/postgresql/postgresql.go Outdated
}
tlsConfig.Certificates = []tls.Certificate{cert}
p.TLSConfig = tlsConfig
} else {
Copy link
Copy Markdown
Contributor

@vinay-gopalan vinay-gopalan Aug 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are sslcert and sslkey always required to have a TLS config? Should it be possible for the user to only set the sslrootcert? If not, wondering if it is worth returning an error to the user saying that the TLS Cert and Private Key need to be added

This is for the case if the user sets the sslrootcert but does not set either the sslcert or sslkey, then p.TLSConfig will be nil, and we would not use any info decoded in L112-L119. Since it would be under the hood I was wondering if it would be worth surfacing that we will ignore the root cert because of missing info in the config

Copy link
Copy Markdown
Contributor Author

@fairclothjm fairclothjm Aug 8, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Great question! I considered this briefly as I was writing this code but never came back to it.

Setting only sslrootcert is a legit use case. This is useful when you want the client to verify the server certificate. See https://www.postgresql.org/docs/16/libpq-ssl.html#LIBQ-SSL-CERTIFICATES

I will update this flow to allow for this use case. 👍

@fairclothjm fairclothjm merged commit 3fcb1a6 into main Aug 9, 2024
@fairclothjm fairclothjm deleted the postgres-ssl-plugin-fields branch August 9, 2024 19:20
@fairclothjm fairclothjm mentioned this pull request Sep 5, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vinay-gopalan vinay-gopalan vinay-gopalan approved these changes

Assignees

No one assigned

Labels

hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed

Projects

None yet

Milestone

1.18.0-rc

Development

Successfully merging this pull request may close these issues.

2 participants

@fairclothjm @vinay-gopalan