feat: [DBOPS-928]: SSL Connection issues with MongoDB Database DevOps #9646
Conversation
hemanthbsridhar
requested review from
stephenatwell,
HarnessTheChaos,
archit-harness,
anshul-harness and
ankittiwari-harness
as code owners
|
|
| @@ -0,0 +1,226 @@ | |||
| --- | |||
| title: DB Devops MongoDB SSL | |||
There was a problem hiding this comment.
add this page as subpage for setup connectors
There was a problem hiding this comment.
I don't think it is a good idea to add it under setting up of connectors since it is specific to JDBC connectors.
I feel a better approach is to create SSL parent page and Mongo SSL as the sub page.
Let me know your thoughts.
|
|
||
| ### TLS | ||
|
|
||
| * `root_ca.crt` file is available |
There was a problem hiding this comment.
we should have prerequisites section and explain what is root_ca.crt, if not present how he can get it
There was a problem hiding this comment.
what is your opinion on creating on the below structure
SSL
- Pre-requisites
- MongoSSL
pre-requisites will have steps on creation of keys and common delegate configuration
|
|
||
| #### Secret Configuration | ||
|
|
||
| We will create a secret with the `root_ca.crt` |
There was a problem hiding this comment.
who is we? harnss or customer should do it? if us, customer doesn't care about it
There was a problem hiding this comment.
we is the customer.
Will remove the word we to remove confusion
|
|
||
| #### Delegate Configuration | ||
|
|
||
| Ensure that the [common delegate configuration](#common-delegate-configuration) is done before moving on to the next steps |
There was a problem hiding this comment.
we should mention mount cert from delegate to build pods
|
|
||
| **IMPORTANT NOTE** : The value of the `DESTINATION_CA_PATH` environment variable has to be : `/etc/ssl/certs/dbops/root_ca.crt` | ||
|
|
||
| #### JDBC Test Connection |
There was a problem hiding this comment.
we should take inspiration from https://developer.harness.io/docs/continuous-integration/use-ci/set-up-build-infrastructure/k8s-build-infrastructure/configure-a-kubernetes-build-farm-to-use-self-signed-certificates/ to clearly know what does customer need to do
|
Please check the Execution Link of the Pipeline for the Website Draft URL. This is located in the Preview Step behind the Harness VPN and also is available in #hdh_alerts. E.g Website Draft URL: https://unique-id--harness-developer.netlify.app. Current Draft URL is: https://67caf11732a614391f2cfb17--harness-developer.netlify.app |
hemanthbsridhar
force-pushed
the
feat/DBOPS-928
branch
from
0808269 to
a00970c
Compare
|
Please check the Execution Link of the Pipeline for the Website Draft URL. This is located in the Preview Step behind the Harness VPN and also is available in #hdh_alerts. E.g Website Draft URL: https://unique-id--harness-developer.netlify.app. Current Draft URL is: https://67cc34fb32a61449fd2cfae6--harness-developer.netlify.app |
|
Please check the Execution Link of the Pipeline for the Website Draft URL. This is located in the Preview Step behind the Harness VPN and also is available in #hdh_alerts. E.g Website Draft URL: https://unique-id--harness-developer.netlify.app. Current Draft URL is: https://67cc35e3e67f894b62eca011--harness-developer.netlify.app |
hemanthbsridhar
force-pushed
the
feat/DBOPS-928
branch
from
a00970c to
12cf4c3
Compare
|
Please check the Execution Link of the Pipeline for the Website Draft URL. This is located in the Preview Step behind the Harness VPN and also is available in #hdh_alerts. E.g Website Draft URL: https://unique-id--harness-developer.netlify.app. Current Draft URL is: https://67ceefc9b6fd7e16ba1f7afa--harness-developer.netlify.app |
hemanthbsridhar
force-pushed
the
feat/DBOPS-928
branch
from
12cf4c3 to
d6fca40
Compare
|
Please check the Execution Link of the Pipeline for the Website Draft URL. This is located in the Preview Step behind the Harness VPN and also is available in #hdh_alerts. E.g Website Draft URL: https://unique-id--harness-developer.netlify.app. Current Draft URL is: https://67cef2d2b68a7d006c423000--harness-developer.netlify.app |
hemanthbsridhar
force-pushed
the
feat/DBOPS-928
branch
from
d6fca40 to
53665f2
Compare
|
Please check the Execution Link of the Pipeline for the Website Draft URL. This is located in the Preview Step behind the Harness VPN and also is available in #hdh_alerts. E.g Website Draft URL: https://unique-id--harness-developer.netlify.app. Current Draft URL is: https://67cef5c05bca6c007d6df681--harness-developer.netlify.app |
| | **GOOGLE SPANNER** | `jdbc:cloudspanner:/projects/{project-id}/instances/{instance-id}/databases/{database-name}?lenient=true` | | ||
| | Database | JDBC URL Format | | ||
| |--------------------|----------------------------------------------------------------------------------------------------------------------------| | ||
| | **ORACLE** | `jdbc:oracle:thin:@//host:port/FREEPDB1` | |
There was a problem hiding this comment.
we should review all connection string because {} are not added at correct places to know what customer needs to replace plus what is constant
| * `client.crt` and `client.key` is available | ||
| * To know more about generating client certificates, follow steps: 1 to 3 from [create_client certificate](https://developer.harness.io/docs/platform/delegates/secure-delegates/delegate-mtls-support/#create-a-client-certificate) | ||
|
|
||
| ### Generating PKCS12 |
There was a problem hiding this comment.
generating pkcs12 for client
There was a problem hiding this comment.
lets remove pkcs for ci builds
| execute the below command to generate pkcs12 file | ||
|
|
||
| ```shell | ||
| openssl pkcs12 -export -in client.crt -inkey client.key -out client.p12 -name mongo-client -password pass:changeit |
There was a problem hiding this comment.
can we say this is step1 and base64 encode is step2.
And below step2 you can add note blue color section why we are doing so
|
|
||
| ### Secret Configuration | ||
|
|
||
| Create a secret using `root_ca.crt` and `client_pkcs12.txt`( base64 encoded value of the `client.p12` file ) |
There was a problem hiding this comment.
this secret needs to be created on delegate?
There was a problem hiding this comment.
kubernetes secret used within the delegate and mounted onto the build pods later.
| Create a secret using `root_ca.crt` and `client_pkcs12.txt`( base64 encoded value of the `client.p12` file ) | ||
|
|
||
| ```shell | ||
| kubectl create secret -n namespace generic db-ops-ssl-secret --from-file root_ca.crt --from-file client_pkcs12.txt |
There was a problem hiding this comment.
did we check why we cant use this directly?
kubectl create secret -n generic client-certificate
--from-file client.crt=client.crt
--from-file client.key=client.key
There was a problem hiding this comment.
we can't upload client crt and client key to the keystore.
There was a problem hiding this comment.
we can only upload the pkcs12 file to the keystore.
There was a problem hiding this comment.
what if we get both crt and key and create this pkcs on our side? then the steps remain same for customer?
| For default trustStore and keyStore | ||
|
|
||
| ```shell | ||
| - name: JAVA_TOOL_OPTIONS |
There was a problem hiding this comment.
why will we need this? if we are using default truststore and keystore?
There was a problem hiding this comment.
Because default keystore is not set by default in the system properties unlike trustStore
There was a problem hiding this comment.
then we should mention this path is configurable, default values should be these if you are running jdk >= 17.0.0
There was a problem hiding this comment.
give ref to truststore override of delegate
| * To know more about generating CA certificates, [create_ca certificate](https://developer.harness.io/docs/platform/delegates/secure-delegates/delegate-mtls-support/#create-a-ca-certificate) | ||
| * `client.crt` and `client.key` is available | ||
| * To know more about generating client certificates, follow steps: 1 to 3 from [create_client certificate](https://developer.harness.io/docs/platform/delegates/secure-delegates/delegate-mtls-support/#create-a-client-certificate) | ||
|
|
There was a problem hiding this comment.
- in prequisites you can mention to use CI_MOUNT_VOLUMES only to copy cert (reason )as we need to different certs and key for mtls
after prequiisites you can add,
ssl for git clone
add steps, and add ref link
There was a problem hiding this comment.
|
|
||
| ## Pre-requisites | ||
| * `root_ca.crt` file is available | ||
| * To know more about generating CA certificates, [create_ca certificate](https://developer.harness.io/docs/platform/delegates/secure-delegates/delegate-mtls-support/#create-a-ca-certificate) |
There was a problem hiding this comment.
add this root_ca.crt into the ca.bundle and give ref to ci docs
|
|
||
| ```shell | ||
| - name: ADDITIONAL_CERTS_PATH | ||
| value: "/opt/harness-delegate/ca-bundle/root_ca.crt" |
There was a problem hiding this comment.
keep this till bundle path
| - name: ADDITIONAL_CERTS_PATH | ||
| value: "/opt/harness-delegate/ca-bundle/root_ca.crt" | ||
| - name: CI_MOUNT_VOLUMES | ||
| value: "/opt/harness-delegate/ca-bundle/root_ca.crt:/etc/ssl/certs/dbops/root_ca.crt,/opt/harness-delegate/ca-bundle/client_pkcs12.txt:/etc/ssl/certs/dbops/client_pkcs12.txt" |
There was a problem hiding this comment.
copy bundle into root_ca.crt
| value: "/opt/harness-delegate/ca-bundle/root_ca.crt:/etc/ssl/certs/dbops/root_ca.crt,/opt/harness-delegate/ca-bundle/client_pkcs12.txt:/etc/ssl/certs/dbops/client_pkcs12.txt" | ||
| ``` | ||
|
|
||
| **IMPORTANT NOTE**: |
|
|
||
| * The destination paths during mount in `CI_MOUNT_VOLUMES` has to be | ||
| * `/etc/ssl/certs/dbops/root_ca.crt` | ||
| * `/etc/ssl/certs/dbops/client_pkcs12.txt` |
| keytool -importcert -file /opt/harness-delegate/ca-bundle/root_ca.crt -keystore $JAVA_HOME/lib/security/cacerts -alias "mongodb_ssl" -storepass changeit -noprompt | ||
| ``` | ||
|
|
||
| The trustStore and keyStore details are added as part of `JAVA_TOOL_OPTIONS` environment variable. |
There was a problem hiding this comment.
change to use JAVA_OPTS
Thanks for contributing to the Harness Developer Hub! Our code owners will review your submission.
Description
PR lifecycle
We aim to merge PRs within one week or less, but delays happen sometimes.
If your PR is open longer than two weeks without any human activity, please tag a code owner in a comment.
PRs must meet these requirements to be merged: