THREESCALE-11156 add tls env var to zync and system deployments

[austincunningham]

Issue

THREESCALE-11156

What

Add database client side tls to 3scale

Verification

• Setup Postgres clone this repo https://github.com/austincunningham/postgres and follow instructions to setup system-database and zync
• checkout this branch

# install crd's
make install
# create project
oc new-project 3scale-test
# get the wildcarddomain
DOMAIN=$(oc get routes console -n openshift-console -o json | jq -r '.status.ingress[0].routerCanonicalHostname' | sed 's/router-default.//')
# create s3 secret
oc apply -f - <<EOF
---
kind: Secret
apiVersion: v1
metadata:
  name: s3-credentials
data:
  AWS_ACCESS_KEY_ID: UkVQTEFDRV9NRQ==
  AWS_BUCKET: UkVQTEFDRV9NRQ==
  AWS_REGION: UkVQTEFDRV9NRQ==
  AWS_SECRET_ACCESS_KEY: UkVQTEFDRV9NRQ==
type: Opaque
EOF

kubectl apply -f - <<EOF                    
---                                    
apiVersion: apps.3scale.net/v1alpha1   
kind: APIManager                     
metadata:
  name: apimanager-sample
spec:
  system:
    systemDatabaseTLSEnabled: true
    database:
      postgresql: {}
    fileStorage:
      simpleStorageService:
        configurationSecretRef:
          name: s3-credentials
  zync:
    zyncDatabaseTLSEnabled: true
  wildcardDomain: $DOMAIN
  externalComponents:
    backend:
      redis: true
    system:
      database: true
      redis: true
    zync:
      database: true
EOF

• Setup the system-database and zync secrets with sslmode disabled (need to be run from the postgres repo as thats where the certs are created)

oc create secret generic zync \
  --namespace=3scale-test \
  --from-literal=DATABASE_SSL_MODE=verify-ca \
  --from-literal=DATABASE_URL=postgresql://postgres:[email protected]/zync_production \
  --from-literal=ZYNC_DATABASE_PASSWORD=postgres \
  --from-file=DB_SSL_CA=rootCA.crt \
  --from-file=DB_SSL_CERT=client.crt \
  --from-file=DB_SSL_KEY=client.key 

oc create secret generic system-database \
  --from-literal=DATABASE_SSL_MODE=verify-ca \
  --from-literal=URL=postgresql://postgres:[email protected]/system \
  --from-literal=DB_USER=postgres \
  --from-literal=DB_PASSWORD=postgres \
  --from-file=DB_SSL_CA=rootCA.crt \
  --from-file=DB_SSL_CERT=client.crt \
  --from-file=DB_SSL_KEY=client.key 

• Create the default redis and wait for the deployments to be up

 make cluster/create/system-redis
 make cluster/create/backend-redis

• Run the operator locally

make run

• zync-que may crash as the database needs some bootstrapping, exec into the pod and run the bootstrap, Not tls related as happens without tls enabled.

bin/rails db:create

• wait for the install to complete
• exec into the zync and system pods to to confirm the env vars have been set e.g.

# get the pod name
 oc get po
NAME                                     READY   STATUS      RESTARTS   AGE
apicast-production-6d4d589848-shlls      1/1     Running     0          3h5m
apicast-staging-767df4cbd8-m2kf5         1/1     Running     0          3h5m
backend-cron-6bbd4d5846-hmc7r            1/1     Running     0          3h5m
backend-listener-9df5df447-842qk         1/1     Running     0          3h5m
backend-redis-b59dd94cb-pksk7            1/1     Running     0          3h5m
backend-worker-64d47694b8-89q2g          1/1     Running     0          3h5m
system-app-85c4d98dd-j9mtr               3/3     Running     0          4m40s
system-app-post-884dp                    0/1     Completed   0          3h3m
system-app-pre-wlzrd                     0/1     Completed   0          3h5m
system-memcache-6b4df58598-q6mzj         1/1     Running     0          3h5m
system-redis-bf8db486d-h5bq9             1/1     Running     0          3h5m
system-searchd-659bffb8f4-swf4g          1/1     Running     0          5m50s
system-searchd-manticore-reindex-5jjb4   0/1     Completed   0          3h5m
system-sidekiq-59cc7dd9ff-l6pxg          1/1     Running     0          5m53s
zync-6f49fb7c5c-2pltl                    0/1     Init:0/2    0          7m51s
zync-que-fdd4d69f7-7gxdx                 1/1     Running     0          7m50s
#e.g. exec and run printenv to check the envars
oc exec -it zync-que-fdd4d69f7-7gxdx -- printenv | grep DATABASE_SSL
Defaulted container "que" out of: que, set-permissions (init)
DATABASE_SSL_KEY=/tls/tls.key
DATABASE_SSL_MODE=verify-ca
DATABASE_SSL_CA=/tls/ca.crt
DATABASE_SSL_CERT=/tls/tls.crt

• Add that the watch-by label has been applied to zync and system-database secret

oc label secret zync apimanager.apps.3scale.net/watched-by=apimanager -n <operator-namespace>
oc label secret system-database apimanager.apps.3scale.net/watched-by=apimanager -n <operator-namespace>

• update the zync and system-database secrets key value DATABASE_SSL_MODE=disable

NOTE: side note the flag is different for MySQL which is disabled

• exec into the zync and system pods to to confirm the env vars have been set e.g.

# get the pod name
 oc get po
NAME                                     READY   STATUS      RESTARTS   AGE
apicast-production-6d4d589848-shlls      1/1     Running     0          3h5m
apicast-staging-767df4cbd8-m2kf5         1/1     Running     0          3h5m
backend-cron-6bbd4d5846-hmc7r            1/1     Running     0          3h5m
backend-listener-9df5df447-842qk         1/1     Running     0          3h5m
backend-redis-b59dd94cb-pksk7            1/1     Running     0          3h5m
backend-worker-64d47694b8-89q2g          1/1     Running     0          3h5m
system-app-85c4d98dd-j9mtr               3/3     Running     0          4m40s
system-app-post-884dp                    0/1     Completed   0          3h3m
system-app-pre-wlzrd                     0/1     Completed   0          3h5m
system-memcache-6b4df58598-q6mzj         1/1     Running     0          3h5m
system-redis-bf8db486d-h5bq9             1/1     Running     0          3h5m
system-searchd-659bffb8f4-swf4g          1/1     Running     0          5m50s
system-searchd-manticore-reindex-5jjb4   0/1     Completed   0          3h5m
system-sidekiq-59cc7dd9ff-l6pxg          1/1     Running     0          5m53s
zync-6f49fb7c5c-2pltl                    0/1     Init:0/2    0          7m51s
zync-que-fdd4d69f7-7gxdx                 1/1     Running     0          7m50s
#e.g. exec and run printenv to check the envars
oc exec -it zync-que-fdd4d69f7-7gxdx -- printenv | grep DATABASE_SSL
Defaulted container "que" out of: que, set-permissions (init)
DATABASE_SSL_KEY=/tls/tls.key
DATABASE_SSL_MODE=disable
DATABASE_SSL_CA=/tls/ca.crt
DATABASE_SSL_CERT=/tls/tls.crt

[austincunningham]

/test test-e2e

[austincunningham]

/test test-e2e

[MStokluska]

as discussed, let's move the creation of empty keys + validation of keys + validation of values here: https://github.com/3scale/3scale-operator/blob/master/pkg/3scale/amp/operator/highavailability_options_provider.go#L29

[austincunningham]

Agree its better if the reconciler catches this.

[austincunningham]

Yes the secret validation should check if the secret values are populated in the highavailability reconcile and populate with an empty string if not set and return an error.

Two things here

• It doesn't look like highavailability_options_provider GetHighAvailabilityOptions() handles zync database at the moment (maybe because spec.highavaibility is deprecated). Can add the functionally but am now doubting this is the correct place to do so.
• And may still leave the helper to populate the env vars that are not available in the secret .
  i.e. the env vars in the secret have actual certs where as the env var that are used have paths to certs

[MStokluska]

is this required

[austincunningham]

Think it was commented during some debugging . So I would say its required.

[austincunningham]

having reviewed its not required.

[MStokluska]

Use external databases only - is that correct?

[austincunningham]

fair point we are only using external from now on.

[MStokluska]

Use external databases only - is that correct? Should we mention here what the TLSEnabled is doing rather than what it should be used with?

[austincunningham]

agree

[MStokluska]

Suggested change

	DB_SSL_KEY | SSL Key | Required to set TLS Database connection. Only for TLS |
	| DB_SSL_KEY | SSL Key | Required to set TLS Database connection. Only for TLS |

[MStokluska]

Suggested change

	DB_SSL_KEY | SSL Key | Required to set TLS Database connection. Only for TLS |
	| DB_SSL_KEY | SSL Key | Required to set TLS Database connection. Only for TLS |

[MStokluska]

Suggested change

	DB_SSL_KEY | SSL Key | Required to set TLS Database connection. Only for TLS |
	| DB_SSL_KEY | SSL Key | Required to set TLS Database connection. Only for TLS |

[MStokluska]

Suggested change

	In ApiManager CR we set the boolean to enable TLS configuration for the respictive databases
	In ApiManager CR set the boolean to enable TLS configuration for the respective databases

[MStokluska]

Suggested change

	We pass the cert files in via the respective secret i.e. system-database & zync
	Pass the cert files in via the respective secret i.e. system-database & zync

[MStokluska]

Or, the operator passes the cert files to the respective deployments via the database secrets i.e. system-database & zync

[MStokluska]

I was getting the following error in the operator:

Secret field 'DATABASE_SSL_CERT' is required in secret 'system-database'

I think the ha filter needs some tidying up. WDYT?

[austincunningham]

Yea probably using the wrong variable in the error.

[austincunningham]

yep https://github.com/3scale/3scale-operator/pull/1026/files#diff-e194f3db6df5c75dc590ada2df59ed3728f3a3bd3af55478cee45bd02d28d573R240-R242
they are pointing at the wrong variable .

[MStokluska]

All of the above seems apicast related only, why have the system/zync db TLS stuff in this file?

[austincunningham]

Just following the add watch secret user guide https://github.com/3scale/3scale-operator/blob/master/doc/development.md#adding-new-watched-secrets . Mentioned it to Carl at the time. Seemed happy for it to live here.

[MStokluska]

so we are only setting paths if the value is non-empty - and when it is empty, we are returning "".
In case of having 2/3 created successfully (with values) - am I understanding it correctly that we are still going to just mount them, with 2/3 having the right values and 1/3 having empty string as value?
If so, the TLS validation will fail on the component level anyway so I'm trying to understand what is the benefit of doing this check and if it would be better to do it earlier (at ha level), keys exist + values are non-empty = add to volume for component validation of TLS, if keys exist + values are empty - do not even attempt to mount since we know this is going to be incorrect?

[austincunningham]

No Mounts will have been created already with the cert values from the secret.

This called when we are creating the env var , so believe it is the correct place to set them as they don't exist prior to this. System and Zync can only consume the path to the cert and not the cert itself.
The flow secret has the cert, those certs gets mounted , we then create env var that have the path to the mounted cert. These env var are what is used by system and zync to connect to the db with TLS.

As for the empty value check this will be caught In the HA reconciller so may be redundant to have the check here. But it causes no harm

[MStokluska]

Looks good but just few more concerns:

1. Zync-que doesn't start up with TLS, the solution like you mention is to run "bin/rails db:create" - can we clarify that it is expected for the db to exists when using external dbs for zync?
2. Setting the tlsEnabled to "false" doesn't remove the envars (probably need the env mutator)
3. When TLS is on and Keys are missing, the issue can be identified by looking at operator logs, I think it would be nice to have it it APIManager status instead - but let's do it as a follow up Jira
4. When TLS values are missing, the error is picked up at the component level. That is fine for now I think, but would be nice to create a follow up Jira.

Point 3/4 might be evaluated by preflights for fresh installs but for on-going, I think we need the follow ups created.

[MStokluska]

why are we adding the --insecure here? It seems to be working fine without it...but maybe I'm doing something wrong,.

[MStokluska]

same as above