Support SSL configurations of mysql connections #12012
Comments
Scheduled for investigation.
I started to look into this in this draft PR. So far, it allows to set an optional installer config at @mrzarquon Does that solve your use case? As far as I understand the semantics of the "'Amazon RDS' profile" option in typeorm, it's a special case that eases the configuration, because it pulls the CA from a certain AWS-controlled destination.
@geropl Thinking about this, while the rds option for the mysql option fast tracks that specific use case, for doing test connections we'd still need the CA exposed there (maybe we extract it from the module?). Downside of using the CA upload method is we then encode the CA into the user's gitpod configuration file, so they will need to know to refresh that in 2 years when it expires:

% openssl x509 -enddate -noout -in us-east-2-bundle.pem
notAfter=Aug 22 17:08:50 2024 GMT

The RDS option just uses what is stored in the mysql library, which is updated regularly, so we can ensure we keep the mysql module up to date and the ssl ca updates come along for free.
This is actually an oversight on my end: it should be a
Yes, cert renewal can be solved with external tools like FWIW: Some cloud providers (like) GCP offer SSL proxies to encrypt traffic between k8s cluster workloads and DBs. Maybe AWS has something similar?
#12777 is now in a state where we could test and merge it. Before we actually do this: @mrzarquon Could you have a look at the changes and see if that would solve your problem? The installer config now allows to reference a secret to read the custom CA from.
Dropping assignment here while waiting for more input/feedback.
@geropl the secret reference works for me; refreshing the CA contents is likely not what cert-manager is equipped to do (it is about updating and refreshing client certificates from a CA, but not refreshing a generic secret that happens to be a CA pubkey by downloading a new pub key from a url endpoint).
Clarified the requirements with @mrzarquon here (internal thread). Scheduling this once this has been clarified. ✔️
Is your feature request related to a problem? Please describe
Currently gitpod-db service only takes basic credentials which is counter to many corporate requirements around best practices for access. Without it users have to raise an exception to be allowed to install it.
The mysql library gitpod-db uses exposes a configurable ssl setting, including RDS specific configuration that loads the AmazonAWS certificates.
The only other change appears to be in our db migration job, which would need to be modifiable in cases where SSL is used, since it is performing a mysql cli command.
Describe the behaviour you'd like
Allow the user to enable at minimum --ssl-mode=VERIFY_IDENTITY and --ssl-ca=custom-ca.crt level of options to their mysql configuration part of the Gitpod installation. If it is an RDS mysql instance, the user should be able to specify that.