Support setting ssl client certificate information via environment variables #574

Merged
merged 3 commits into from
Aug 16, 2024

@soupi soupi commented Aug 16, 2024

What

We'd like to support setting ssl certificate information via environment variables.

How

  1. We create a new function, get_connect_options, which will read both the uri and the ssl information, and use it and connect_with everywhere instead of connect with just the uri. We make sure all operations using configuration version 5 including the connector and the cli use get_connect_options (except tests).
  2. We read the client_cert, client_key and root_cert from the environment and put them directly into the sqlx connection options.

How we tested this

We used this article as a guide on how to set up postgres+certs with docker.

After running all of the commands, we had to do the following as well:

$ certstrap request-cert --common-name postgresdb  --domain localhost
$ cp certs/out/myCA.crt out/
$ cp certs/out/myCA.key out/
$ certstrap sign postgresdb --CA myCA

Then, we added the following environment variables:

$ export CLIENT_CERT="$(cat /tmp/ssl/out/postgresdb.crt)"
$ export CLIENT_KEY="$(cat /tmp/ssl/out/postgresdb.key)"
$ export ROOT_CERT="$(cat /tmp/ssl/certs/out/myCA.crt)"

Initialized and updated the connector:

$ mkdir /tmp/ssltest
$ CONNECTION_URI="postgresql://postgres:postgres@localhost:64009/postgres?sslmode=verify-ca" target/debug/ndc-postgres-cli --context /tmp/ssltest initialize
$ CONNECTION_URI="postgresql://postgres:postgres@localhost:64009/postgres?sslmode=verify-ca" target/debug/ndc-postgres-cli --context /tmp/ssltest update

Added a native query:

$ echo "select 'gil' as \"name\", 35 as \"age\"" > /tmp/ssltest/a.sql

$ CONNECTION_URI="postgresql://postgres:postgres@localhost:64009/postgres?sslmode=verify-ca" target/debug/ndc-postgres-cli --context /tmp/ssltest native-operation create --kind query --operation-path a.sql

Started the connector:

CONNECTION_URI="postgresql://postgres:postgres@localhost:64009/postgres?sslmode=verify-ca" target/debug/ndc-postgres serve --configuration /tmp/ssltest

And ran a query:

curl -X POST \
    -H 'Host: example.hasura.app' \
    -H 'Content-Type: application/json' \
    -H 'x-hasura-role: admin' \
    http://localhost:8080/query \
    -d '{ "collection": "a", "query": { "fields": { "name": { "type": "column", "column": "name" } } }, "arguments": {}, "collection_relationships": {} }' | jq

@soupi soupi changed the title Allow accepting ssl information via environment variable Support accepting ssl information via environment variables Aug 16, 2024
@soupi soupi changed the title Support accepting ssl information via environment variables Support setting ssl client certificate information via environment variables Aug 16, 2024
@SamirTalwar SamirTalwar left a comment

Looks great!

I would love to see an automated test at some point.

root_certificate,
})
}
_ => None,
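
Review bot: the catch-all `_ => None` arm at the end of this match returns the same value whether none of the certificate values are present or only some of them are, so a partially supplied set is discarded without any signal and the caller sees the same None as when nothing was configured. Consider matching the all-absent case explicitly and, for the remaining combinations, logging a warning or returning an error that names the values that are missing.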
Contributor

Can we log a warning if some, but not all, are None?

Contributor Author

Will create a ticket.
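
One way to handle the "some, but not all" case raised in this review thread for the three variables read in step 2 of the description, as an added example that is not code from this pull request or from ndc-postgres. `read_ssl_info`, `SslClientInfo`, `SslEnvError` and the PEM-prefix check are hypothetical; the variable names are the ones exported in the testing steps, and the values are assumed to hold PEM text as `$(cat ...)` produces.

```rust
// Added example: all names below are hypothetical, not ndc-postgres code. Uses std only.
use std::env;

#[derive(Debug, PartialEq)]
pub struct SslClientInfo {
    pub client_cert: String,
    pub client_key: String,
    pub root_cert: String,
}

#[derive(Debug, PartialEq)]
pub enum SslEnvError {
    /// Some of the variables are set; these are not.
    Partial { missing: Vec<&'static str> },
    /// Set, but not PEM text (for example a file path instead of the file contents).
    NotPem { name: &'static str },
}

static NAMES: [&str; 3] = ["CLIENT_CERT", "CLIENT_KEY", "ROOT_CERT"];

/// `lookup` stands in for the environment so the logic can be tested without
/// touching process state. Empty or whitespace-only values count as unset.
pub fn read_ssl_info(
    lookup: impl Fn(&str) -> Option<String>,
) -> Result<Option<SslClientInfo>, SslEnvError> {
    let vals = NAMES.map(|n| lookup(n).filter(|v| !v.trim().is_empty()));
    match vals {
        [None, None, None] => Ok(None), // nothing configured: URI-only connection
        [Some(client_cert), Some(client_key), Some(root_cert)] => {
            for (&name, pem) in NAMES.iter().zip([&client_cert, &client_key, &root_cert]) {
                if !pem.trim_start().starts_with("-----BEGIN ") {
                    return Err(SslEnvError::NotPem { name });
                }
            }
            Ok(Some(SslClientInfo { client_cert, client_key, root_cert }))
        }
        // Some but not all: name the absent ones instead of silently dropping the rest.
        partial => Err(SslEnvError::Partial {
            missing: NAMES.iter().zip(&partial).filter(|(_, v)| v.is_none()).map(|(n, _)| *n).collect(),
        }),
    }
}

fn main() {
    match read_ssl_info(|name| env::var(name).ok()) {
        Ok(Some(_)) => println!("client certificate options loaded"),
        Ok(None) => println!("no client certificate variables set"),
        Err(e) => eprintln!("warning: SSL client settings not usable: {:?}", e),
    }
}
```

Whether a partial set should only warn or should stop startup is a policy choice; with `sslmode=verify-ca` in the URI, failing early surfaces the misconfiguration before the first connection attempt.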

@danieljharvey danieljharvey left a comment

Nice!

@soupi soupi added this pull request to the merge queue Aug 16, 2024
Merged via the queue into main with commit 2566620 Aug 16, 2024
29 checks passed
@soupi soupi deleted the gil/ssl-certs branch August 16, 2024 14:34