Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable client and server cert auth in postgresql #1160

Merged
merged 9 commits into from
May 25, 2017

Conversation

ashfall
Copy link
Contributor

@ashfall ashfall commented May 13, 2017

./buildscripts/integrationtest.sh postgresql should run cleanly after this change.

ashfall added 5 commits May 12, 2017 17:52
(For both client and server)
Status: Server cert validation is successful, client (notary signer and
server) fails.

Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
@ashfall
Copy link
Contributor Author

ashfall commented May 13, 2017

Some thoughts:

TODO:

@cyli
Copy link
Contributor

cyli commented May 13, 2017

Could we add generating the certs to fixtures/regenerateTestingCerts.sh? These expire in a year, and having an automatic script to renew the certs would be awesome. (if we could make them expire in 2 or 3 years instead of 1, so that we have more time to notice and prevent tests from starting to inexplicably fail, that would be also great) :)

@cyli
Copy link
Contributor

cyli commented May 13, 2017

Looks like tests are failing because we have one more place we specify the DB_URL for db-specific unit tests :| https://github.com/docker/notary/blob/master/buildscripts/dbtests.sh#L19

@ashfall
Copy link
Contributor Author

ashfall commented May 13, 2017

Ah, thanks!

ashfall added 2 commits May 15, 2017 11:50
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
@ashfall ashfall force-pushed the postgresql-cert-auth branch from eaf300e to deb6db3 Compare May 15, 2017 20:21
Copy link
Contributor

@riyazdf riyazdf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks for tackling this! Looks like the postgres tests on circle are running into a connection error:

time="2017-05-15T20:26:12Z" level=fatal msg="Unable to connect to postgres://server@postgresql_tests:5432/notaryserver?sslmode=verify-ca&sslrootcert=/go/src/github.com/docker/notary/fixtures/database/ca.pem&sslcert=/go/src/github.com/docker/notary/fixtures/database/notary-server.pem&sslkey=/go/src/github.com/docker/notary/fixtures/database/notary-server-key.pem after 60 seconds" 

# started with TLS enabled.
set -e

sed -i "s/#ssl = off/ssl = on/" "$PGDATA"/postgresql.conf
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for my own understanding: where does $PGDATA come from?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ashfall
Copy link
Contributor Author

ashfall commented May 15, 2017

@riyazdf Thanks for reviewing! It appears that the DBURL per #1160 (comment) doesn't lead to a successful connection, I am trying to figure out what might be different. (Since this script/setup is specifically for our CI, I'm unable to debug much locally. Any thoughts/insights?)

ashfall added 2 commits May 15, 2017 16:58
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
Signed-off-by: Ashwini Oruganti <ashwini.oruganti@gmail.com>
@riyazdf
Copy link
Contributor

riyazdf commented May 24, 2017

jenkins is back up now, I kicked off a new test run

@riyazdf
Copy link
Contributor

riyazdf commented May 25, 2017

jenkins, test this please

Copy link
Contributor

@cyli cyli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM on yubikey green

Copy link
Contributor

@riyazdf riyazdf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

one clarifying question but LGTM on green!

@@ -40,6 +40,7 @@ services:
- mdb
volumes:
- ./notarysql/postgresql-initdb.d:/docker-entrypoint-initdb.d
command: -l
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

for my own understanding: where does this come from? I didn't find this option on the official image description...tried searching around but couldn't find the flag elsewhere

Copy link
Contributor Author

@ashfall ashfall May 25, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Per https://www.postgresql.org/docs/9.5/static/app-postgres.html, -l "Enables secure connections using SSL.".

FWIW, I think ssl=on is implicit after passing -l, but since I was editing the conf for ssl_ca_file path, I thought it would be clearer to set ssl=on explicitly, in case anything changes silently in the future versions. (e.g. Not sure what happens if we use -l and ssl=off -- which one takes a higher priority is never mentioned. :( In fact, the docs that mention ssl=on never refer to -l, and vice versa.)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

awesome that helps a lot, thank you @ashfall!

@riyazdf riyazdf merged commit b54d322 into notaryproject:master May 25, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants