From da8aefb1f0dc723c3d371fa20fbdd93cabc1b3e9 Mon Sep 17 00:00:00 2001 From: Johann Wagner Date: Mon, 23 Mar 2020 15:31:31 +0100 Subject: [PATCH] Introducing configurable ssl options for external postgres databases We added an option to configure sslmode in the postgres client. We also do not add the certificate files to the containers, if they are not given. This allows us to configure the postgres connection indivudally. Fixes #1817 Changelog: added MR: 1227 --- charts/gitlab/templates/_geo.tpl | 22 +++++++++++----- charts/gitlab/templates/_postgresql.tpl | 22 ++++++++++++---- doc/advanced/external-db/index.md | 3 ++- templates/_checkConfig.tpl | 35 +++++++++++++++++++++++++ 4 files changed, 70 insertions(+), 12 deletions(-) diff --git a/charts/gitlab/templates/_geo.tpl b/charts/gitlab/templates/_geo.tpl index 7ccb207ed2..eac29cccd3 100644 --- a/charts/gitlab/templates/_geo.tpl +++ b/charts/gitlab/templates/_geo.tpl @@ -51,10 +51,18 @@ Consumed as part of "gitlab.geo.database.yml", no check of `global.geo.secondary */}} {{- define "gitlab.geo.psql.ssl.config" -}} {{- if .Values.global.geo.psql.ssl }} -sslmode: verify-ca +sslmode: {{ .Values.global.geo.psql.ssl.mode | default "verify-ca" | quote }} +{{- if .Values.global.geo.psql.ssl.secret }} +{{- if .Values.global.geo.psql.ssl.serverCA }} sslrootcert: '/etc/gitlab/postgres/ssl/geo-server-ca.pem' +{{- end -}} +{{- if .Values.global.geo.psql.ssl.clientCertificate }} sslcert: '/etc/gitlab/postgres/ssl/geo-client-certificate.pem' +{{- end -}} +{{- if .Values.global.geo.psql.ssl.clientKey }} sslkey: '/etc/gitlab/postgres/ssl/geo-client-key.pem' +{{- end -}} +{{- end -}} {{- end -}} {{- end -}} 
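Review bot: `sslmode: verify-ca` (the default) is still rendered whenever `global.geo.psql.ssl` is a non-empty map, but the `sslrootcert` line is now gated on `.ssl.secret` and `.ssl.serverCA`, so a values file that sets only `mode` asks libpq to verify the server certificate without naming a CA file. Per the libpq docs that falls back to `~/.postgresql/root.crt`, which presumably does not exist in the container, so the misconfiguration surfaces as a connection error at runtime rather than at `helm install`. Consider rejecting a `verify-ca`/`verify-full` mode with no `serverCA` in a checkConfig entry, and at minimum add a template comment above the block: `{{/* sslrootcert is only written when .ssl.secret and .ssl.serverCA are set; verify-* modes need both */}}`.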
@@ -63,20 +71,22 @@ Returns volume definition of a secret containing information required for a mutual TLS connection to the Geo Secondary DB. */}} {{- define "gitlab.geo.psql.ssl.volume" -}} -{{- if and ( include "gitlab.geo.secondary" $ ) .Values.global.geo.psql.ssl }} +{{- if and ( include "gitlab.geo.secondary" $ ) (.Values.global.geo.psql.ssl) }} +{{- if .Values.global.geo.psql.ssl.secret }} - name: geo-postgresql-ssl-secrets projected: defaultMode: 400 sources: - secret: - name: {{ .Values.global.geo.psql.ssl.secret | required "Missing required secret containing SQL SSL certificates and keys. Make sure to set `global.geo.psql.ssl.secret`" }} + name: {{ .Values.global.geo.psql.ssl.secret }} items: - - key: {{ .Values.global.geo.psql.ssl.serverCA | required "Missing required key name of SQL server certificate. Make sure to set `global.geo.psql.ssl.serverCA`" }} + - key: {{ .Values.global.geo.psql.ssl.serverCA }} path: geo-server-ca.pem - - key: {{ .Values.global.geo.psql.ssl.clientCertificate | required "Missing required key name of SQL client certificate. Make sure to set `global.geo.psql.ssl.clientCertificate`" }} + - key: {{ .Values.global.geo.psql.ssl.clientCertificate }} path: geo-client-certificate.pem - - key: {{ .Values.global.geo.psql.ssl.clientKey | required "Missing required key name of SQL client key file. Make sure to set `global.geo.psql.ssl.clientKey`" }} + - key: {{ .Values.global.geo.psql.ssl.clientKey }} path: geo-client-key.pem +{{- end -}} {{- end -}} {{- end -}} diff --git a/charts/gitlab/templates/_postgresql.tpl b/charts/gitlab/templates/_postgresql.tpl index b6a4572324..ee4bc6e703 100644 --- a/charts/gitlab/templates/_postgresql.tpl +++ b/charts/gitlab/templates/_postgresql.tpl 
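Review bot: The `items:` list still projects all three keys unconditionally, so a secret that carries only the server CA (server-authenticated TLS, which the commit's own config template now supports by emitting `sslcert`/`sslkey` per key) cannot be used: a key listed under `items` but absent from the secret makes the projected volume fail to set up, as far as I recall, and the new checkConfig entry independently refuses it. Gating each item on its value, as below, makes the volume agree with `gitlab.geo.psql.ssl.config` and lets the check be relaxed to "serverCA required, client pair optional but both-or-neither".
```gotemplate
      items:
{{- if .Values.global.geo.psql.ssl.serverCA }}
        - key: {{ .Values.global.geo.psql.ssl.serverCA }}
          path: geo-server-ca.pem
{{- end }}
{{- if .Values.global.geo.psql.ssl.clientCertificate }}
        - key: {{ .Values.global.geo.psql.ssl.clientCertificate }}
          path: geo-client-certificate.pem
{{- end }}
{{- if .Values.global.geo.psql.ssl.clientKey }}
        - key: {{ .Values.global.geo.psql.ssl.clientKey }}
          path: geo-client-key.pem
{{- end }}
```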
@@ -4,10 +4,16 @@ with the PostgreSQL database. */}} {{- define "gitlab.psql.ssl.config" -}} {{- if .Values.global.psql.ssl }} -sslmode: verify-ca +sslmode: {{ .Values.global.psql.ssl.mode | default "verify-ca" | quote }} +{{- if .Values.global.psql.ssl.serverCA }} sslrootcert: '/etc/gitlab/postgres/ssl/server-ca.pem' +{{- end -}} +{{- if .Values.global.psql.ssl.clientCertificate }} sslcert: '/etc/gitlab/postgres/ssl/client-certificate.pem' +{{- end -}} +{{- if .Values.global.psql.ssl.clientKey }} sslkey: '/etc/gitlab/postgres/ssl/client-key.pem' +{{- end -}} {{- end -}} {{- end -}} @@ -17,19 +23,21 @@ a mutual TLS connection. */}} {{- define "gitlab.psql.ssl.volume" -}} {{- if .Values.global.psql.ssl }} +{{- if .Values.global.psql.ssl.secret }} - name: postgresql-ssl-secrets projected: defaultMode: 400 sources: - secret: - name: {{ .Values.global.psql.ssl.secret | required "Missing required secret containing SQL SSL certificates and keys. Make sure to set `global.psql.ssl.secret`" }} + name: {{ .Values.global.psql.ssl.secret }} items: - - key: {{ .Values.global.psql.ssl.serverCA | required "Missing required key name of SQL server certificate. Make sure to set `global.psql.ssl.serverCA`" }} + - key: {{ .Values.global.psql.ssl.serverCA }} path: server-ca.pem - - key: {{ .Values.global.psql.ssl.clientCertificate | required "Missing required key name of SQL client certificate. Make sure to set `global.psql.ssl.clientCertificate`" }} + - key: {{ .Values.global.psql.ssl.clientCertificate }} path: client-certificate.pem - - key: {{ .Values.global.psql.ssl.clientKey | required "Missing required key name of SQL client key file. Make sure to set `global.psql.ssl.clientKey`" }} + - key: {{ .Values.global.psql.ssl.clientKey }} path: client-key.pem +{{- end -}} {{- end -}} {{- end -}} 
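Review bot: Unlike the Geo counterpart in `_geo.tpl`, the three certificate paths here are gated only on the key name and not on `.Values.global.psql.ssl.secret`, so setting `serverCA` without `secret` renders `sslrootcert: '/etc/gitlab/postgres/ssl/server-ca.pem'` while the volume in the next hunk (which does require `secret`) never mounts that file. Wrap the three blocks in `{{- if .Values.global.psql.ssl.secret }}` … `{{- end -}}` so the two templates behave the same and the path is only written when the file can exist.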
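Review bot: `defaultMode: 400` on the projected volume is a decimal integer in the Kubernetes API, i.e. octal 0620 (owner read/write, group write), not the read-only 0400 that the value presumably intends; the line is unchanged by this commit but it governs the key file this hunk now conditionally mounts. The exposure is limited because the mount is `readOnly` and the init script re-`chmod`s its copies to 600, but the projected files themselves still carry those bits (subject to any `fsGroup`). Write it as `defaultMode: 256`, which is unambiguous regardless of YAML octal handling, and apply the same fix to `geo-postgresql-ssl-secrets`.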
@@ -38,9 +46,11 @@ Returns mount definition for the volume mount definition above. */}} {{- define "gitlab.psql.ssl.volumeMount" -}} {{- if .Values.global.psql.ssl }} +{{- if .Values.global.psql.ssl.secret }} - name: postgresql-ssl-secrets mountPath: '/etc/postgresql/ssl/' readOnly: true +{{- end -}} {{- end -}} {{- end -}} @@ -51,12 +61,14 @@ it sets the permissions correctly. */}} {{- define "gitlab.psql.ssl.initScript" -}} {{- if .Values.global.psql.ssl }} +{{- if .Values.global.psql.ssl.secret }} if [ -d /etc/postgresql/ssl ]; then mkdir -p /${secret_dir}/postgres/ssl cp -v -r -L /etc/postgresql/ssl/* /${secret_dir}/postgres/ssl/ chmod 600 /${secret_dir}/postgres/ssl/* chmod 700 /${secret_dir}/postgres/ssl fi +{{- end -}} {{- end -}} {{- end -}} {{/* diff --git a/doc/advanced/external-db/index.md b/doc/advanced/external-db/index.md index 297a31a111..12a5408c10 100644 --- a/doc/advanced/external-db/index.md +++ b/doc/advanced/external-db/index.md @@ -53,8 +53,9 @@ Items below can be further customized if you are not using the defaults: - `global.psql.database`: The name of the database. - `global.psql.username`: The user with access to the database. -If you use a mutual TLS connection to the database: +If you use a TLS or mutual TLS connection to the database, you can use the following options: +- `global.psql.ssl.mode`: Defines the [SSL mode](https://www.postgresql.org/docs/11/libpq-ssl.html) of the PostgreSQL connection. Defaults to "verify-ca" if SSL is enabled, otherwise it is not set. - `global.psql.ssl.secret`: A secret containing client certificate, key and certificate authority. - `global.psql.ssl.serverCA`: The key inside the secret referring the certificate authority (CA). - `global.psql.ssl.clientCertificate`: The key inside the secret referring the client certificate. diff --git a/templates/_checkConfig.tpl b/templates/_checkConfig.tpl index 3a0d7b9235..bb6d8a1cf8 100644 --- a/templates/_checkConfig.tpl +++ b/templates/_checkConfig.tpl 
@@ -34,6 +34,8 @@ Due to gotpl scoping, we can't make use of `range`, so we have to add action lin
 {{- $messages = append $messages (include "gitlab.checkConfig.sidekiq.routingRules" .) -}}
 {{- $messages = append $messages (include "gitlab.checkConfig.appConfig.maxRequestDurationSeconds" .) -}}
 {{- $messages = append $messages (include "gitlab.checkConfig.gitaly.extern.repos" .) -}}
+{{- $messages = append $messages (include "gitlab.checkConfig.psql.ssl" .) -}}
+{{- $messages = append $messages (include "gitlab.checkConfig.geo.database.ssl" .) -}}
 {{- $messages = append $messages (include "gitlab.checkConfig.geo.database" .) -}}
 {{- $messages = append $messages (include "gitlab.checkConfig.geo.secondary.database" .) -}}
 {{- $messages = append $messages (include "gitlab.task-runner.replicas" .) -}}
@@ -248,6 +250,39 @@ sidekiq: {{- end -}} {{/* END gitlab.checkConfig.sidekiq.routingRules */}} +{{/* Ensure secrets are correctly configured if provided */}} +{{- define "gitlab.checkConfig.database.ssl" -}} +{{- if .ssl -}} +{{- if .ssl.secret -}} +{{- if not .ssl.serverCA }} +{{ .item }}: SSL enabled, No CA provided + Missing required key name of SQL server certificate. Make sure to set `[...].ssl.serverCA`. +{{ end -}} +{{- if not .ssl.clientCertificate }} +psql: No client certificate provided + Missing required key name of SQL client certificate. Make sure to set `[...].ssl.clientCertificate`. +{{ end -}} +{{- if not .ssl.clientKey }} +psql: No client key provided + Missing required key name of SQL client key file. Make sure to set `[...].ssl.clientKey`. +{{ end -}} +{{- end -}} +{{- end -}} +{{- end -}} +{{/* END gitlab.checkConfig.database.ssl */}} + +{{/* Ensure secrets are correctly configured for PostgreSQL database */}} +{{- define "gitlab.checkConfig.psql.ssl" -}} +{{- include "gitlab.checkConfig.database.ssl" (dict "ssl" $.Values.global.psql.ssl "item" "psql") -}} +{{- end -}} +{{/* END gitlab.psql.ssl */}} + +{{/* Ensure secrets are correctly configured if Geo PostgreSQL database */}} +{{- define "gitlab.checkConfig.geo.database.ssl" -}} +{{- include "gitlab.checkConfig.database.ssl" (dict "ssl" $.Values.global.geo.psql.ssl "item" "geo.psql") -}} +{{- end -}} +{{/* END gitlab.geo.database.ssl */}} + {{/* Ensure a database is configured when using Geo listen over TLS */}} -- GitLab
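Review bot: The messages under `{{- if not .ssl.clientCertificate }}` and `{{- if not .ssl.clientKey }}` hard-code a `psql:` prefix, so a Geo secondary misconfiguration is reported as `psql:` even though the caller passes `"item" "geo.psql"` and the serverCA message correctly uses `{{ .item }}:`; change them to `{{ .item }}: No client certificate provided` and `{{ .item }}: No client key provided`. Separately, nothing in this helper looks at `.ssl.mode`, which is in scope via the passed map: a `verify-ca`/`verify-full` mode with no `serverCA`, or a misspelt mode, is only rejected by libpq at connect time rather than at render time, so a follow-up `if` on `.ssl.mode` here would close that gap. The `gitlab.checkConfig.database.ssl` definition is complete within the hunk.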