Fixes #10234 - Postgres SSL Certificate fix (#10300)

Signed-off-by: Rajshekar Reddy <reddymh@gmail.com>
argoproj · Feb 7, 2023 · 5d0db00 · 5d0db00
1 parent 52b9952
commit 5d0db00
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -101,6 +101,8 @@ FROM gcr.io/distroless/static as workflow-controller
 
 USER 8737
 
+WORKDIR /home/argo
+
 COPY hack/ssh_known_hosts /etc/ssh/
 COPY hack/nsswitch.conf /etc/
 COPY --chown=8737 --from=workflow-controller-build /go/src/github.com/argoproj/argo-workflows/dist/workflow-controller /bin/

diff --git a/config/config.go b/config/config.go
@@ -232,8 +232,19 @@ func (c DatabaseConfig) GetHostname() string {
 
 type PostgreSQLConfig struct {
  DatabaseConfig
- SSL bool `json:"ssl,omitempty"`
- SSLMode string `json:"sslMode,omitempty"`
+ SSL bool `json:"ssl,omitempty"`
+ SSLMode string `json:"sslMode,omitempty"`
+ CaCertSecret apiv1.SecretKeySelector `json:"caCertSecret,omitempty"`
+ ClientCertSecret apiv1.SecretKeySelector `json:"clientCertSecret,omitempty"`
+ ClientKeySecret apiv1.SecretKeySelector `json:"clientKeySecret,omitempty"`
+ CertPath string `json:"certPath"`
+}
+
+func (c PostgreSQLConfig) GetPGCertPath() string {
+ if c.CertPath != "" {
+ return c.CertPath
+ }
+ return "/home/argo/pgcerts"
 }
 
 type MySQLConfig struct {

diff --git a/persist/sqldb/sqldb.go b/persist/sqldb/sqldb.go
@@ -3,6 +3,7 @@ package sqldb
 import (
  "context"
  "fmt"
+ "os"
  "time"
 
  "k8s.io/client-go/kubernetes"
@@ -53,9 +54,43 @@ func CreatePostGresDBSession(kubectlConfig kubernetes.Interface, namespace strin
  }
 
  if cfg.SSL {
- if cfg.SSLMode != "" {
+ if cfg.SSLMode != "" && cfg.SSLMode != "disable" {
+ err := os.MkdirAll(cfg.GetPGCertPath(), 0700)
+ if err != nil {
+ return nil, "", err
+ }
+ rootCertByte, err := util.GetSecrets(ctx, kubectlConfig, namespace, cfg.CaCertSecret.Name, cfg.CaCertSecret.Key)
+ if err != nil {
+ return nil, "", err
+ }
+ err = os.WriteFile(cfg.GetPGCertPath()+"/ca.crt", rootCertByte, 0600)
+ if err != nil {
+ return nil, "", err
+ }
+
+ serverCertByte, err := util.GetSecrets(ctx, kubectlConfig, namespace, cfg.ClientCertSecret.Name, cfg.ClientCertSecret.Key)
+ if err != nil {
+ return nil, "", err
+ }
+ err = os.WriteFile(cfg.GetPGCertPath()+"/tls.crt", serverCertByte, 0600)
+ if err != nil {
+ return nil, "", err
+ }
+
+ serverKeyByte, err := util.GetSecrets(ctx, kubectlConfig, namespace, cfg.ClientKeySecret.Name, cfg.ClientKeySecret.Key)
+ if err != nil {
+ return nil, "", err
+ }
+ err = os.WriteFile(cfg.GetPGCertPath()+"/tls.key", serverKeyByte, 0400)
+ if err != nil {
+ return nil, "", err
+ }
+
  options := map[string]string{
- "sslmode": cfg.SSLMode,
+ "sslmode": cfg.SSLMode,
+ "sslrootcert": cfg.GetPGCertPath() + "/ca.crt",
+ "sslkey": cfg.GetPGCertPath() + "/tls.key",
+ "sslcert": cfg.GetPGCertPath() + "/tls.crt",
  }
  settings.Options = options
  }