From 2f6edf839f3cbc029c6846ebdadad0c3f26af490 Mon Sep 17 00:00:00 2001
From: Neaj Morshad
Date: Thu, 14 Nov 2024 19:35:03 +0600
Subject: [PATCH] reconfigure tls guide wip tls added
Signed-off-by: Neaj Morshad
---
 .../reconfigure-tls/ms-standalone.yaml | 32 +
 .../msops-reconfigure-ag-apply.yaml | 16 +
 .../reconfigure-tls/msops-reconfigure-ag.yaml | 14 +
 .../msops-reconfigure-standalone-apply.yaml | 16 +
 .../msops-reconfigure-standalone.yaml | 14 +
 .../mssqlserver-ag-cluster.yaml | 40 +
 .../reconfigure-tls/reconfigure-tls.md | 695 +++++++++---------
 7 files changed, 492 insertions(+), 335 deletions(-)
 create mode 100644 docs/examples/mssqlserver/reconfigure-tls/ms-standalone.yaml
 create mode 100644 docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag-apply.yaml
 create mode 100644 docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag.yaml
 create mode 100644 docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone-apply.yaml
 create mode 100644 docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone.yaml
 create mode 100644 docs/examples/mssqlserver/reconfigure-tls/mssqlserver-ag-cluster.yaml
diff --git a/docs/examples/mssqlserver/reconfigure-tls/ms-standalone.yaml b/docs/examples/mssqlserver/reconfigure-tls/ms-standalone.yaml
new file mode 100644
index 0000000000..e9ab5d95b7
--- /dev/null
+++ b/docs/examples/mssqlserver/reconfigure-tls/ms-standalone.yaml
@@ -0,0 +1,32 @@
+apiVersion: kubedb.com/v1alpha2
+kind: MSSQLServer
+metadata:
+ name: ms-standalone
+ namespace: demo
+spec:
+ version: "2022-cu12"
+ replicas: 1
+ tls:
+ issuerRef:
+ name: mssqlserver-ca-issuer
+ kind: Issuer
+ apiGroup: "cert-manager.io"
+ clientTLS: false
+ podTemplate:
+ spec:
+ containers:
+ - name: mssql
+ env:
+ - name: ACCEPT_EULA
+ value: "Y"
+ - name: MSSQL_PID
+ value: Evaluation
+ storageType: Durable
+ storage:
+ storageClassName: "standard"
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ deletionPolicy: WipeOut
\ No newline at end of file
diff --git a/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag-apply.yaml b/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag-apply.yaml
new file mode 100644
index 0000000000..b93d450d54
--- /dev/null
+++ b/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag-apply.yaml
@@ -0,0 +1,16 @@
+apiVersion: ops.kubedb.com/v1alpha1
+kind: MSSQLServerOpsRequest
+metadata:
+ name: msops-reconfigure-ag-apply
+ namespace: demo
+spec:
+ type: Reconfigure
+ databaseRef:
+ name: mssqlserver-ag-cluster
+ configuration:
+ applyConfig:
+ mssql.conf: |-
+ [memory]
+ memorylimitmb = 3072
+ timeout: 5m
+ apply: IfReady
\ No newline at end of file
diff --git a/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag.yaml b/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag.yaml
new file mode 100644
index 0000000000..86d2b8283d
--- /dev/null
+++ b/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-ag.yaml
@@ -0,0 +1,14 @@
+apiVersion: ops.kubedb.com/v1alpha1
+kind: MSSQLServerOpsRequest
+metadata:
+ name: msops-reconfigure-ag
+ namespace: demo
+spec:
+ type: Reconfigure
+ databaseRef:
+ name: mssqlserver-ag-cluster
+ configuration:
+ configSecret:
+ name: new-custom-config
+ timeout: 5m
+ apply: IfReady
\ No newline at end of file
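Review bot: The guide introduces this manifest as the MSSQLServer "without TLS" starting point, yet the spec already carries `tls.issuerRef` pointing at `mssqlserver-ca-issuer` together with `clientTLS: false`, so a reader of the file alone cannot tell what is actually switched off. A comment on that line would settle it, e.g. `clientTLS: false  # client-facing TLS is off; the issuerRef stays because the operator still issues server/client certificates` — the describe output captured in the guide (`Successfully created MSSQLServer server certificates` next to `Client TLS: false`) supports that reading, but why the issuerRef is mandatory in the "off" state should be confirmed against the operator before it is written down. The file also ends without a trailing newline (`\ No newline at end of file`), as do the other five new example manifests.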
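Review bot: `msops-reconfigure-ag-apply.yaml` is a `type: Reconfigure` request that pushes a `[memory] memorylimitmb = 3072` setting through `applyConfig`; it has nothing to do with TLS and is not referenced by the reconfigure-tls guide in this commit, and the same holds for `msops-reconfigure-ag.yaml`, `msops-reconfigure-standalone-apply.yaml` and `msops-reconfigure-standalone.yaml`. They look copied from the custom-config reconfigure examples; if they are WIP placeholders they should be dropped or replaced by the `msops-add-tls.yaml` manifest the guide actually links to. If they are meant to stay, a header comment such as `# Reconfigure (custom config) example; not used by reconfigure-tls.md` would stop readers applying a memory-limit change while following a TLS walkthrough.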
diff --git a/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone-apply.yaml b/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone-apply.yaml
new file mode 100644
index 0000000000..0199028a1b
--- /dev/null
+++ b/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone-apply.yaml
@@ -0,0 +1,16 @@
+apiVersion: ops.kubedb.com/v1alpha1
+kind: MSSQLServerOpsRequest
+metadata:
+ name: msops-reconfigure-standalone-apply
+ namespace: demo
+spec:
+ type: Reconfigure
+ databaseRef:
+ name: ms-standalone
+ configuration:
+ applyConfig:
+ mssql.conf: |-
+ [memory]
+ memorylimitmb = 3072
+ timeout: 5m
+ apply: IfReady
\ No newline at end of file
diff --git a/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone.yaml b/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone.yaml
new file mode 100644
index 0000000000..5c0f52531a
--- /dev/null
+++ b/docs/examples/mssqlserver/reconfigure-tls/msops-reconfigure-standalone.yaml
@@ -0,0 +1,14 @@
+apiVersion: ops.kubedb.com/v1alpha1
+kind: MSSQLServerOpsRequest
+metadata:
+ name: msops-reconfigure-standalone
+ namespace: demo
+spec:
+ type: Reconfigure
+ databaseRef:
+ name: ms-standalone
+ configuration:
+ configSecret:
+ name: new-custom-config
+ timeout: 5m
+ apply: IfReady
\ No newline at end of file
diff --git a/docs/examples/mssqlserver/reconfigure-tls/mssqlserver-ag-cluster.yaml b/docs/examples/mssqlserver/reconfigure-tls/mssqlserver-ag-cluster.yaml
new file mode 100644
index 0000000000..8407bb6fcf
--- /dev/null
+++ b/docs/examples/mssqlserver/reconfigure-tls/mssqlserver-ag-cluster.yaml
@@ -0,0 +1,40 @@
+apiVersion: kubedb.com/v1alpha2
+kind: MSSQLServer
+metadata:
+ name: mssqlserver-ag-cluster
+ namespace: demo
+spec:
+ version: "2022-cu12"
+ configSecret:
+ name: ms-custom-config
+ replicas: 3
+ topology:
+ mode: AvailabilityGroup
+ availabilityGroup:
+ databases:
+ - agdb1
+ - agdb2
+ tls:
+ issuerRef:
+ name: mssqlserver-ca-issuer
+ kind: Issuer
+ apiGroup: "cert-manager.io"
+ clientTLS: false
+ podTemplate:
+ spec:
+ containers:
+ - name: mssql
+ env:
+ - name: ACCEPT_EULA
+ value: "Y"
+ - name: MSSQL_PID
+ value: Developer
+ storageType: Durable
+ storage:
+ storageClassName: "standard"
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ deletionPolicy: WipeOut
\ No newline at end of file
diff --git a/docs/guides/mssqlserver/reconfigure-tls/reconfigure-tls.md b/docs/guides/mssqlserver/reconfigure-tls/reconfigure-tls.md
index dd0eb321d5..dfcf1ad384 100644
--- a/docs/guides/mssqlserver/reconfigure-tls/reconfigure-tls.md
+++ b/docs/guides/mssqlserver/reconfigure-tls/reconfigure-tls.md
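Review bot: This AvailabilityGroup manifest sets `configSecret.name: ms-custom-config`, but no Secret of that name is created in this commit and the guide in the same commit only walks through the standalone `ms-standalone` object, so `kubectl create -f` on this file presumably leaves the database waiting on a missing Secret (whether the operator treats a referenced configSecret as required should be confirmed). Either add the Secret manifest next to it or drop the `configSecret` stanza, which a TLS-reconfigure example does not need. Like `ms-standalone.yaml`, it carries `tls.issuerRef` with `clientTLS: false`; a one-line comment on `clientTLS: false` saying that this is the "TLS off" starting state would help readers who open the example before the guide.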
@@ -2,27 +2,27 @@ title: Reconfigure MSSQLServer TLS/SSL Encryption menu: docs_{{ .version }}: - identifier: mg-reconfigure-tls-rs - name: Reconfigure MSSQLServer TLS/SSL Encryption - parent: mg-reconfigure-tls - weight: 10 + identifier: ms-reconfigure-tls-standalone + name: Standalone + parent: ms-reconfigure-tls + weight: 20 menu_name: docs_{{ .version }} section_menu_id: guides --- > New to KubeDB? Please start [here](/docs/README.md). -# Reconfigure MSSQLServer TLS/SSL (Transport Encryption) +# Reconfigure Standalone MSSQLServer TLS/SSL (Transport Encryption) KubeDB supports reconfigure i.e. add, remove, update and rotation of TLS/SSL certificates for existing MSSQLServer database via a MSSQLServerOpsRequest. This tutorial will show you how to use KubeDB to reconfigure TLS/SSL encryption. ## Before You Begin -- At first, you need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using [kind](https://kind.sigs.k8s.io/docs/user/quick-start/). +- You need to have a Kubernetes cluster, and the kubectl command-line tool must be configured to communicate with your cluster. If you do not already have a cluster, you can create one by using [kind](https://kind.sigs.k8s.io/docs/user/quick-start/). -- Install [`cert-manger`](https://cert-manager.io/docs/installation/) v1.0.0 or later to your cluster to manage your SSL/TLS certificates. +- Now, install KubeDB cli on your workstation and KubeDB operator in your cluster following the steps [here](/docs/setup/README.md). Make sure install with helm command including `--set global.featureGates.MSSQLServer=true` to ensure MSSQLServer CRD installation. -- Now, install KubeDB cli on your workstation and KubeDB operator in your cluster following the steps [here](/docs/setup/README.md). +- To configure TLS/SSL in `MSSQLServer`, `KubeDB` uses `cert-manager` to issue certificates. 
So first you have to make sure that the cluster has `cert-manager` installed. To install `cert-manager` in your cluster following steps [here](https://cert-manager.io/docs/installation/kubernetes/). - To keep things isolated, this tutorial uses a separate namespace called `demo` throughout this tutorial. 
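Review bot: The rewritten prerequisites drop the minimum cert-manager version that the removed bullet stated (`v1.0.0 or later`); the new bullet only says to make sure cert-manager is installed, so readers on an older release get no hint that it may not work. Keep the floor in the new wording, e.g. `To configure TLS/SSL in MSSQLServer, KubeDB uses cert-manager (v1.0.0 or later) to issue certificates.` The same bullet reads `To install cert-manager in your cluster following steps here`, where `follow the steps here` is meant. The front matter now files this page as `Standalone` under parent `ms-reconfigure-tls`; nothing in this commit creates that parent menu entry, so confirm it exists elsewhere or the page will be orphaned from the navigation.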
@@ -31,276 +31,308 @@ KubeDB supports reconfigure i.e. add, remove, update and rotation of TLS/SSL cer namespace/demo created ``` -> Note: YAML files used in this tutorial are stored in [docs/examples/mssqlserver](https://github.com/kubedb/docs/tree/{{< param "info.version" >}}/docs/examples/mssqlserver) folder in GitHub repository [kubedb/docs](https://github.com/kubedb/docs). +> Note: YAML files used in this tutorial are stored in [docs/examples/mssqlserver](https://github.com/kubedb/docs/tree/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls) folder in GitHub repository [kubedb/docs](https://github.com/kubedb/docs). ## Add TLS to a MSSQLServer database Here, We are going to create a MSSQLServer database without TLS and then reconfigure the database to use TLS. +At first, we need to create an Issuer/ClusterIssuer which will be used to generate the certificate used for TLS configurations. + +### Create Issuer/ClusterIssuer + +Now, we are going to create an example `Issuer` that will be used throughout the duration of this tutorial. Alternatively, you can follow this [cert-manager tutorial](https://cert-manager.io/docs/configuration/ca/) to create your own `Issuer`. By following the below steps, we are going to create our desired issuer, + +- Start off by generating our ca-certificates using openssl, +```bash +openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ca.key -out ./ca.crt -subj "/CN=MSSQLServer/O=kubedb" +``` +- +- Create a secret using the certificate files we have just generated, +```bash +$ kubectl create secret tls mssqlserver-ca --cert=ca.crt --key=ca.key --namespace=demo +secret/mssqlserver-ca created +``` +Now, we are going to create an `Issuer` using the `mssqlserver-ca` secret that contains the ca-certificate we have just created. 
Below is the YAML of the `Issuer` CR that we are going to create, + +```yaml +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: mssqlserver-ca-issuer + namespace: demo +spec: + ca: + secretName: mssqlserver-ca +``` + +Let’s create the `Issuer` CR we have shown above, +```bash +$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/standalone/mssqlserver-ca-issuer.yaml +issuer.cert-manager.io/mssqlserver-ca-issuer created +``` + ### Deploy MSSQLServer without TLS -In this section, we are going to deploy a MSSQLServer Replicaset database without TLS. In the next few sections we will reconfigure TLS using `MSSQLServerOpsRequest` CRD. Below is the YAML of the `MSSQLServer` CR that we are going to create, +In this section, we are going to deploy a MSSQLServer Standalone database without TLS. In the next few sections we will reconfigure TLS using `MSSQLServerOpsRequest` CRD. Below is the YAML of the `MSSQLServer` CR that we are going to create, ```yaml -apiVersion: kubedb.com/v1 +apiVersion: kubedb.com/v1alpha2 kind: MSSQLServer metadata: - name: mg-rs + name: ms-standalone namespace: demo spec: - version: "4.4.26" - replicas: 3 - replicaSet: - name: rs0 + version: "2022-cu12" + replicas: 1 + tls: + issuerRef: + name: mssqlserver-ca-issuer + kind: Issuer + apiGroup: "cert-manager.io" + clientTLS: false + podTemplate: + spec: + containers: + - name: mssql + env: + - name: ACCEPT_EULA + value: "Y" + - name: MSSQL_PID + value: Evaluation + storageType: Durable storage: storageClassName: "standard" accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 1Gi + deletionPolicy: WipeOut ``` Let's create the `MSSQLServer` CR we have shown above, ```bash -$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/mg-replicaset.yaml -mssqlserver.kubedb.com/mg-rs created +$ kubectl create -f 
https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/ms-standalone.yaml +mssqlserver.kubedb.com/ms-standalone created ``` -Now, wait until `mg-replicaset` has status `Ready`. i.e, +Now, wait until `ms-standalone` has status `Ready`. i.e, ```bash -$ kubectl get mg -n demo -NAME VERSION STATUS AGE -mg-rs 4.4.26 Ready 10m - -$ kubectl dba describe mssqlserver mg-rs -n demo -Name: mg-rs -Namespace: demo -CreationTimestamp: Thu, 11 Mar 2021 13:25:05 +0600 -Labels: -Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"kubedb.com/v1","kind":"MSSQLServer","metadata":{"annotations":{},"name":"mg-rs","namespace":"demo"},"spec":{"replicaSet":{"name":"rs0"... -Replicas: 3 total -Status: Ready -StorageType: Durable -Volume: - StorageClass: standard - Capacity: 1Gi - Access Modes: RWO -Paused: false -Halted: false -Termination Policy: Delete - -PetSet: - Name: mg-rs - CreationTimestamp: Thu, 11 Mar 2021 13:25:05 +0600 - Labels: app.kubernetes.io/component=database - app.kubernetes.io/instance=mg-rs - app.kubernetes.io/managed-by=kubedb.com - app.kubernetes.io/name=mssqlservers.kubedb.com - Annotations: - Replicas: 824639275080 desired | 3 total - Pods Status: 3 Running / 0 Waiting / 0 Succeeded / 0 Failed - -Service: - Name: mg-rs - Labels: app.kubernetes.io/component=database - app.kubernetes.io/instance=mg-rs - app.kubernetes.io/managed-by=kubedb.com - app.kubernetes.io/name=mssqlservers.kubedb.com - Annotations: - Type: ClusterIP - IP: 10.96.70.27 - Port: primary 27017/TCP - TargetPort: db/TCP - Endpoints: 10.244.0.63:27017 - -Service: - Name: mg-rs-pods - Labels: app.kubernetes.io/component=database - app.kubernetes.io/instance=mg-rs - app.kubernetes.io/managed-by=kubedb.com - app.kubernetes.io/name=mssqlservers.kubedb.com - Annotations: - Type: ClusterIP - IP: None - Port: db 27017/TCP - TargetPort: db/TCP - Endpoints: 10.244.0.63:27017,10.244.0.65:27017,10.244.0.67:27017 - -Auth Secret: - Name: 
mg-rs-auth - Labels: app.kubernetes.io/component=database - app.kubernetes.io/instance=mg-rs - app.kubernetes.io/managed-by=kubedb.com - app.kubernetes.io/name=mssqlservers.kubedb.com - Annotations: - Type: Opaque - Data: - password: 16 bytes - username: 4 bytes - -AppBinding: - Metadata: - Annotations: - kubectl.kubernetes.io/last-applied-configuration: {"apiVersion":"kubedb.com/v1","kind":"MSSQLServer","metadata":{"annotations":{},"name":"mg-rs","namespace":"demo"},"spec":{"replicaSet":{"name":"rs0"},"replicas":3,"storage":{"accessModes":["ReadWriteOnce"],"resources":{"requests":{"storage":"1Gi"}},"storageClassName":"standard"},"version":"4.4.26"}} - - Creation Timestamp: 2021-03-11T07:26:44Z - Labels: - app.kubernetes.io/component: database - app.kubernetes.io/instance: mg-rs - app.kubernetes.io/managed-by: kubedb.com - app.kubernetes.io/name: mssqlservers.kubedb.com - Name: mg-rs - Namespace: demo - Spec: - Client Config: - Service: - Name: mg-rs - Port: 27017 - Scheme: mssqlserver - Parameters: - API Version: config.kubedb.com/v1alpha1 - Kind: MongoConfiguration - Replica Sets: - host-0: rs0/mg-rs-0.mg-rs-pods.demo.svc,mg-rs-1.mg-rs-pods.demo.svc,mg-rs-2.mg-rs-pods.demo.svc - Stash: - Addon: - Backup Task: - Name: mssqlserver-backup-4.4.6-v6 - Restore Task: - Name: mssqlserver-restore-4.4.6-v6 - Secret: - Name: mg-rs-auth - Type: kubedb.com/mssqlserver - Version: 4.4.26 +$ kubectl get ms -n demo +NAME VERSION STATUS AGE +ms-standalone 2022-cu12 Ready 4m3s +$ kubectl describe ms -n demo ms-standalone +Name: ms-standalone +Namespace: demo +Labels: +Annotations: +API Version: kubedb.com/v1alpha2 +Kind: MSSQLServer +Metadata: + Creation Timestamp: 2024-11-14T12:45:36Z + Finalizers: + kubedb.com + Generation: 2 + Resource Version: 438804 + UID: 83ebe191-3754-41af-8d86-ed211bf9c31c +Spec: + Auth Secret: + Name: ms-standalone-auth + Deletion Policy: WipeOut + Health Checker: + Failure Threshold: 1 + Period Seconds: 10 + Timeout Seconds: 10 + Pod Template: + 
Controller: + Metadata: + Spec: + Containers: + Env: + Name: ACCEPT_EULA + Value: Y + Name: MSSQL_PID + Value: Evaluation + Name: mssql + Resources: + Limits: + Memory: 4Gi + Requests: + Cpu: 500m + Memory: 4Gi + Security Context: + Allow Privilege Escalation: false + Capabilities: + Add: + NET_BIND_SERVICE + Drop: + ALL + Run As Group: 10001 + Run As Non Root: true + Run As User: 10001 + Seccomp Profile: + Type: RuntimeDefault + Init Containers: + Name: mssql-init + Resources: + Limits: + Memory: 512Mi + Requests: + Cpu: 200m + Memory: 512Mi + Security Context: + Allow Privilege Escalation: false + Capabilities: + Drop: + ALL + Run As Group: 10001 + Run As Non Root: true + Run As User: 10001 + Seccomp Profile: + Type: RuntimeDefault + Pod Placement Policy: + Name: default + Security Context: + Fs Group: 10001 + Replicas: 1 + Storage: + Access Modes: + ReadWriteOnce + Resources: + Requests: + Storage: 1Gi + Storage Class Name: standard + Storage Type: Durable + Tls: + Certificates: + Alias: server + Secret Name: ms-standalone-server-cert + Subject: + Organizational Units: + server + Organizations: + kubedb + Alias: client + Secret Name: ms-standalone-client-cert + Subject: + Organizational Units: + client + Organizations: + kubedb + Client TLS: false + Issuer Ref: + API Group: cert-manager.io + Kind: Issuer + Name: mssqlserver-ca-issuer + Version: 2022-cu12 +Status: + Conditions: + Last Transition Time: 2024-11-14T12:45:36Z + Message: The KubeDB operator has started the provisioning of MSSQLServer: demo/ms-standalone + Observed Generation: 1 + Reason: DatabaseProvisioningStartedSuccessfully + Status: True + Type: ProvisioningStarted + Last Transition Time: 2024-11-14T12:46:36Z + Message: All replicas are ready for MSSQLServer demo/ms-standalone + Observed Generation: 2 + Reason: AllReplicasReady + Status: True + Type: ReplicaReady + Last Transition Time: 2024-11-14T12:46:46Z + Message: database demo/ms-standalone is accepting connection + Observed Generation: 2 + 
Reason: AcceptingConnection + Status: True + Type: AcceptingConnection + Last Transition Time: 2024-11-14T12:46:46Z + Message: database demo/ms-standalone is ready + Observed Generation: 2 + Reason: AllReplicasReady + Status: True + Type: Ready + Last Transition Time: 2024-11-14T12:47:06Z + Message: The MSSQLServer: demo/ms-standalone is successfully provisioned. + Observed Generation: 2 + Reason: DatabaseSuccessfullyProvisioned + Status: True + Type: Provisioned + Phase: Ready Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Normal Successful 14m MSSQLServer operator Successfully created stats service - Normal Successful 14m MSSQLServer operator Successfully created Service - Normal Successful 14m MSSQLServer operator Successfully stats service - Normal Successful 14m MSSQLServer operator Successfully stats service - Normal Successful 13m MSSQLServer operator Successfully stats service - Normal Successful 13m MSSQLServer operator Successfully stats service - Normal Successful 13m MSSQLServer operator Successfully stats service - Normal Successful 13m MSSQLServer operator Successfully stats service - Normal Successful 13m MSSQLServer operator Successfully stats service - Normal Successful 12m MSSQLServer operator Successfully stats service - Normal Successful 12m MSSQLServer operator Successfully patched PetSet demo/mg-rs -``` - -Now, we can connect to this database through [mongo-shell](https://docs.mssqlserver.com/v4.2/mongo/) and verify that the TLS is disabled. 
- + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal Successful 4m20s KubeDB Ops-manager Operator Successfully created MSSQLServer server certificates + Normal Successful 4m20s KubeDB Ops-manager Operator Successfully created MSSQLServer client certificates -```bash -$ kubectl get secrets -n demo mg-rs-auth -o jsonpath='{.data.\username}' | base64 -d -root - -$ kubectl get secrets -n demo mg-rs-auth -o jsonpath='{.data.\password}' | base64 -d -U6(h_pYrekLZ2OOd - -$ kubectl exec -it mg-rs-0 -n demo -- mongo admin -u root -p 'U6(h_pYrekLZ2OOd' -rs0:PRIMARY> db.adminCommand({ getParameter:1, sslMode:1 }) -{ - "sslMode" : "disabled", - "ok" : 1, - "$clusterTime" : { - "clusterTime" : Timestamp(1615468344, 1), - "signature" : { - "hash" : BinData(0,"Xdclj9Y67WKZ/oTDGT/E1XzOY28="), - "keyId" : NumberLong("6938294279689207810") - } - }, - "operationTime" : Timestamp(1615468344, 1) -} ``` -We can verify from the above output that TLS is disabled for this database. +Now, connect to this database by exec into a pod and verify the TLS is disabled. -### Create Issuer/ ClusterIssuer +> when we connect using the sqlcmd tool, the -N option is available with [s|m|o] parameters, where 's' stands for strict, 'm' for mandatory, and 'o' for optional. The default setting is mandatory. -Now, We are going to create an example `Issuer` that will be used to enable SSL/TLS in MSSQLServer. Alternatively, you can follow this [cert-manager tutorial](https://cert-manager.io/docs/configuration/ca/) to create your own `Issuer`. - -- Start off by generating a ca certificates using openssl. 
```bash -$ openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ca.key -out ./ca.crt -subj "/CN=ca/O=kubedb" -Generating a RSA private key -................+++++ -........................+++++ -writing new private key to './ca.key' ------ -``` +$ kubectl get secrets -n demo ms-standalone-auth -o jsonpath='{.data.\username}' | base64 -d +sa -- Now we are going to create a ca-secret using the certificate files that we have just generated. +$ kubectl get secrets -n demo ms-standalone-auth -o jsonpath='{.data.\password}' | base64 -d +b1HLv9EV4CaSalX6 -```bash -$ kubectl create secret tls mongo-ca \ - --cert=ca.crt \ - --key=ca.key \ - --namespace=demo -secret/mongo-ca created -``` +$ kubectl exec -it -n demo ms-standalone-0 -c mssql -- bash +mssql@ms-standalone-0:/$ cat /var/opt/mssql/mssql.conf +[language] +lcid = 1033 +mssql@ms-standalone-0:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P "b1HLv9EV4CaSalX6" -N +Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : SSL Provider: [error:0A000086:SSL routines::certificate verify failed:self-signed certificate]. +Sqlcmd: Error: Microsoft ODBC Driver 17 for SQL Server : Client unable to establish connection. -Now, Let's create an `Issuer` using the `mongo-ca` secret that we have just created. The `YAML` file looks like this: -```yaml -apiVersion: cert-manager.io/v1 -kind: Issuer -metadata: - name: mg-issuer - namespace: demo -spec: - ca: - secretName: mongo-ca +So Now, we have to connect with -C [Trust Server Certificate] +mssql@ms-standalone-0:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P "b1HLv9EV4CaSalX6" -N -C +1> ``` -Let's apply the `YAML` file: - -```bash -$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/issuer.yaml -issuer.cert-manager.io/mg-issuer created -``` +We can verify from the above output that TLS is disabled for this database, `mssql.conf` file has no tls configuration. 
+Now we will enable tls configuration using MSSQLServerOpsRequest ### Create MSSQLServerOpsRequest -In order to add TLS to the database, we have to create a `MSSQLServerOpsRequest` CRO with our created issuer. Below is the YAML of the `MSSQLServerOpsRequest` CRO that we are going to create, +In order to add TLS to the database, we have to create a `MSSQLServerOpsRequest` CRO with our issuer. Below is the YAML of the `MSSQLServerOpsRequest` CRO that we are going to create, ```yaml apiVersion: ops.kubedb.com/v1alpha1 kind: MSSQLServerOpsRequest metadata: - name: mops-add-tls + name: msops-add-tls namespace: demo spec: type: ReconfigureTLS databaseRef: - name: mg-rs + name: ms-standalone tls: issuerRef: - name: mg-issuer + name: mssqlserver-ca-issuer kind: Issuer apiGroup: "cert-manager.io" certificates: - alias: client subject: organizations: - - mongo + - mssqlserver organizationalUnits: - client - readinessCriteria: - oplogMaxLagSeconds: 20 - objectsCountDiffPercentage: 10 + clientTLS: true timeout: 5m apply: IfReady ``` Here, -- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `mg-rs` database. +- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `ms-standalone` database. - `spec.type` specifies that we are performing `ReconfigureTLS` on our database. - `spec.tls.issuerRef` specifies the issuer name, kind and api group. - `spec.tls.certificates` specifies the certificates. You can learn more about this field from [here](/docs/guides/mssqlserver/concepts/mssqlserver.md#spectls). 
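Review bot: The `kubectl create -f` for the Issuer fetches `docs/examples/mssqlserver/standalone/mssqlserver-ca-issuer.yaml`, while the note a few lines up tells readers every YAML for this tutorial lives in `docs/examples/mssqlserver/reconfigure-tls`; no issuer manifest is added to that folder in this commit, so either add `reconfigure-tls/mssqlserver-ca-issuer.yaml` or make the note point at the standalone folder too. There is also a stray empty bullet (a lone `-` line) between the openssl step and the "Create a secret" step that should be removed, and the openssl command lacks the `$ ` prompt the surrounding shell blocks use. Since the walkthrough puts the unencrypted CA private key (`ca.key`, generated with `-nodes`) into the `mssqlserver-ca` Secret, a sentence next to the Issuer YAML noting that anyone who can read Secrets in `demo` can then issue certificates the database trusts, and that a production deployment should use a CA held outside the cluster or an existing PKI issuer, is the caveat an operator will want. Finally, the heading "Deploy MSSQLServer without TLS" sits above a manifest that already has `tls.issuerRef` and `clientTLS: false`; a line explaining that `clientTLS: false` is what makes this the "no TLS" starting point would avoid confusion.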
@@ -308,8 +340,8 @@ Here, Let's create the `MSSQLServerOpsRequest` CR we have shown above, ```bash -$ kubectl apply -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/mops-add-tls.yaml -mssqlserveropsrequest.ops.kubedb.com/mops-add-tls created +$ kubectl apply -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/msops-add-tls.yaml +mssqlserveropsrequest.ops.kubedb.com/msops-add-tls created ``` #### Verify TLS Enabled Successfully 
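Review bot: The link now targets `docs/examples/mssqlserver/reconfigure-tls/msops-add-tls.yaml`, but that file is not among the six manifests this commit creates (see the diffstat), so the `kubectl apply -f` in this step will fail once published. Add the manifest — its content is the `MSSQLServerOpsRequest` YAML shown just above in the guide — alongside the other examples, otherwise the step cannot be followed.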
@@ -317,67 +349,33 @@ mssqlserveropsrequest.ops.kubedb.com/mops-add-tls created Let's wait for `MSSQLServerOpsRequest` to be `Successful`. Run the following command to watch `MSSQLServerOpsRequest` CRO, ```bash -$ kubectl get mssqlserveropsrequest -n demo -Every 2.0s: kubectl get mssqlserveropsrequest -n demo -NAME TYPE STATUS AGE -mops-add-tls ReconfigureTLS Successful 91s +$ watch kubectl get msops -n demo +Every 2.0s: kubectl get msops -n demo + +NAME TYPE STATUS AGE +msops-add-tls ReconfigureTLS Successful 115s ``` We can see from the above output that the `MSSQLServerOpsRequest` has succeeded. If we describe the `MSSQLServerOpsRequest` we will get an overview of the steps that were followed. ```bash -$ kubectl describe mssqlserveropsrequest -n demo mops-add-tls -Name: mops-add-tls +$ kubectl describe mssqlserveropsrequest -n demo msops-add-tls +Name: msops-add-tls Namespace: demo Labels: Annotations: API Version: ops.kubedb.com/v1alpha1 Kind: MSSQLServerOpsRequest Metadata: - Creation Timestamp: 2021-03-11T13:32:18Z + Creation Timestamp: 2024-11-15T11:48:03Z Generation: 1 - Managed Fields: - API Version: ops.kubedb.com/v1alpha1 - Fields Type: FieldsV1 - fieldsV1: - f:metadata: - f:annotations: - .: - f:kubectl.kubernetes.io/last-applied-configuration: - f:spec: - .: - f:databaseRef: - .: - f:name: - f:tls: - .: - f:certificates: - f:issuerRef: - .: - f:apiGroup: - f:kind: - f:name: - f:type: - Manager: kubectl-client-side-apply - Operation: Update - Time: 2021-03-11T13:32:18Z - API Version: ops.kubedb.com/v1alpha1 - Fields Type: FieldsV1 - fieldsV1: - f:status: - .: - f:conditions: - f:observedGeneration: - f:phase: - Manager: kubedb-enterprise - Operation: Update - Time: 2021-03-11T13:32:19Z - Resource Version: 488264 - Self Link: /apis/ops.kubedb.com/v1alpha1/namespaces/demo/mssqlserveropsrequests/mops-add-tls - UID: 0024ec16-0d43-4686-a2d7-1cdeb96e41a5 + Resource Version: 491162 + UID: 007ad725-0a3f-4290-8814-d85592cfc247 Spec: + Apply: IfReady Database 
Ref: - Name: mg-rs + Name: ms-standalone + Timeout: 5m Tls: Certificates: Alias: client 
@@ -385,96 +383,123 @@ Spec: Organizational Units: client Organizations: - mongo + mssqlserver + Client TLS: true Issuer Ref: API Group: cert-manager.io Kind: Issuer - Name: mg-issuer + Name: mssqlserver-ca-issuer Type: ReconfigureTLS Status: Conditions: - Last Transition Time: 2021-03-11T13:32:19Z - Message: MSSQLServer ops request is reconfiguring TLS + Last Transition Time: 2024-11-15T11:48:03Z + Message: MSSQLServer ops-request has started to reconfigure tls for mssqlserver nodes Observed Generation: 1 Reason: ReconfigureTLS Status: True Type: ReconfigureTLS - Last Transition Time: 2021-03-11T13:32:25Z - Message: Successfully Updated PetSets + Last Transition Time: 2024-11-15T11:48:06Z + Message: Successfully paused database Observed Generation: 1 - Reason: TLSAdded + Reason: DatabasePauseSucceeded Status: True - Type: TLSAdded - Last Transition Time: 2021-03-11T13:34:25Z - Message: Successfully Restarted ReplicaSet nodes + Type: DatabasePauseSucceeded + Last Transition Time: 2024-11-15T11:48:16Z + Message: Successfully synced all certificates Observed Generation: 1 - Reason: RestartReplicaSet + Reason: CertificateSynced Status: True - Type: RestartReplicaSet - Last Transition Time: 2021-03-11T13:34:25Z - Message: Successfully Reconfigured TLS + Type: CertificateSynced + Last Transition Time: 2024-11-15T11:48:11Z + Message: get certificate; ConditionStatus:True + Observed Generation: 1 + Status: True + Type: GetCertificate + Last Transition Time: 2024-11-15T11:48:11Z + Message: check ready condition; ConditionStatus:True + Observed Generation: 1 + Status: True + Type: CheckReadyCondition + Last Transition Time: 2024-11-15T11:48:11Z + Message: issuing condition; ConditionStatus:True + Observed Generation: 1 + Status: True + Type: IssuingCondition + Last Transition Time: 2024-11-15T11:48:21Z + Message: successfully reconciled the MSSQLServer with tls configuration + Observed Generation: 1 + Reason: UpdatePetSets + Status: True + Type: UpdatePetSets + Last 
Transition Time: 2024-11-15T11:49:06Z + Message: Successfully restarted all nodes + Observed Generation: 1 + Reason: RestartNodes + Status: True + Type: RestartNodes + Last Transition Time: 2024-11-15T11:48:26Z + Message: get pod; ConditionStatus:True; PodName:ms-standalone-0 + Observed Generation: 1 + Status: True + Type: GetPod--ms-standalone-0 + Last Transition Time: 2024-11-15T11:48:26Z + Message: evict pod; ConditionStatus:True; PodName:ms-standalone-0 + Observed Generation: 1 + Status: True + Type: EvictPod--ms-standalone-0 + Last Transition Time: 2024-11-15T11:49:01Z + Message: check pod running; ConditionStatus:True; PodName:ms-standalone-0 + Observed Generation: 1 + Status: True + Type: CheckPodRunning--ms-standalone-0 + Last Transition Time: 2024-11-15T11:49:07Z + Message: Successfully completed reconfigureTLS for mssqlserver. Observed Generation: 1 Reason: Successful Status: True Type: Successful Observed Generation: 1 Phase: Successful -Events: - Type Reason Age From Message - ---- ------ ---- ---- ------- - Normal PauseDatabase 2m10s KubeDB Ops-manager operator Pausing MSSQLServer demo/mg-rs - Normal PauseDatabase 2m10s KubeDB Ops-manager operator Successfully paused MSSQLServer demo/mg-rs - Normal TLSAdded 2m10s KubeDB Ops-manager operator Successfully Updated PetSets - Normal RestartReplicaSet 10s KubeDB Ops-manager operator Successfully Restarted ReplicaSet nodes - Normal ResumeDatabase 10s KubeDB Ops-manager operator Resuming MSSQLServer demo/mg-rs - Normal ResumeDatabase 10s KubeDB Ops-manager operator Successfully resumed MSSQLServer demo/mg-rs - Normal Successful 10s KubeDB Ops-manager operator Successfully Reconfigured TLS ``` -Now, Let's exec into a database primary node and find out the username to connect in a mongo shell, +Now, Let's exec into a database node -```bash -$ kubectl exec -it mg-rs-2 -n demo bash -root@mgo-rs-tls-2:/$ ls /var/run/mssqlserver/tls -ca.crt client.pem mongo.pem -root@mgo-rs-tls-2:/$ openssl x509 -in 
/var/run/mssqlserver/tls/client.pem -inform PEM -subject -nameopt RFC2253 -noout -subject=CN=root,OU=client,O=mongo -``` -Now, we can connect using `CN=root,OU=client,O=mongo` as root to connect to the mongo shell of the master pod, ```bash -root@mgo-rs-tls-2:/$ mongo --tls --tlsCAFile /var/run/mssqlserver/tls/ca.crt --tlsCertificateKeyFile /var/run/mssqlserver/tls/client.pem admin --host localhost --authenticationMechanism MONGODB-X509 --authenticationDatabase='$external' -u "CN=root,OU=client,O=mongo" --quiet -rs0:PRIMARY> +$ kubectl exec -it ms-standalone-0 -n demo -c mssql -- bash +mssql@ms-standalone-0:/$ ls /var/opt/mssql/tls +ca.crt client.crt client.key server.crt server.key +mssql@ms-standalone-0:/$ openssl x509 -in /var/opt/mssql/tls/client.crt -inform PEM -subject -nameopt RFC2253 -noout +subject=CN=mssql,OU=client,O=mssqlserver +mssql@ms-standalone-0:/$ cat /var/opt/mssql/mssql.conf +[language] +lcid = 1033 +[network] +forceencryption = 1 +tlscert = /var/opt/mssql/tls/server.crt +tlskey = /var/opt/mssql/tls/server.key +tlsprotocols = 1.2,1.1,1.0 +mssql@ms-standalone-0:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P l2mGQRMETAS96QRb -N +1> ``` -We are connected to the mongo shell. Let's run some command to verify the sslMode and the user, +We can verify from the above output that TLS is enabled for this database, `mssql.conf` file has tls configurations. So, TLS is enabled successfully to this database. -```bash -rs0:PRIMARY> db.adminCommand({ getParameter:1, sslMode:1 }) -{ - "sslMode" : "requireSSL", - "ok" : 1, - "$clusterTime" : { - "clusterTime" : Timestamp(1615472249, 1), - "signature" : { - "hash" : BinData(0,"AAAAAAAAAAAAAAAAAAAAAAAAAAA="), - "keyId" : NumberLong(0) - } - }, - "operationTime" : Timestamp(1615472249, 1) -} -``` -We can see from the above output that, `sslMode` is set to `requireSSL`. So, database TLS is enabled successfully to this database. + + + +start from here. .... 
+ ## Rotate Certificate Now we are going to rotate the certificate of this database. First let's check the current expiration date of the certificate. ```bash -$ kubectl exec -it mg-rs-2 -n demo bash -root@mg-rs-2:/# openssl x509 -in /var/run/mssqlserver/tls/client.pem -inform PEM -enddate -nameopt RFC2253 -noout +$ kubectl exec -it ms-standalone-2 -n demo bash +root@ms-standalone-2:/# openssl x509 -in /var/run/mssqlserver/tls/client.pem -inform PEM -enddate -nameopt RFC2253 -noout notAfter=Jun 9 13:32:20 2021 GMT ``` @@ -493,14 +518,14 @@ metadata: spec: type: ReconfigureTLS databaseRef: - name: mg-rs + name: ms-standalone tls: rotateCertificates: true ``` Here, -- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `mg-rs` database. +- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `ms-standalone` database. - `spec.type` specifies that we are performing `ReconfigureTLS` on our database. - `spec.tls.rotateCertificates` specifies that we want to rotate the certificate of this database. @@ -571,7 +596,7 @@ Metadata: UID: 6d96ead2-a868-47d8-85fb-77eecc9a96b4 Spec: Database Ref: - Name: mg-rs + Name: ms-standalone Tls: Rotate Certificates: true Type: ReconfigureTLS @@ -620,8 +645,8 @@ Events: Now, let's check the expiration date of the certificate. ```bash -$ kubectl exec -it mg-rs-2 -n demo bash -root@mg-rs-2:/# openssl x509 -in /var/run/mssqlserver/tls/client.pem -inform PEM -enddate -nameopt RFC2253 -noout +$ kubectl exec -it ms-standalone-2 -n demo bash +root@ms-standalone-2:/# openssl x509 -in /var/run/mssqlserver/tls/client.pem -inform PEM -enddate -nameopt RFC2253 -noout notAfter=Jun 9 16:17:55 2021 GMT ``` @@ -658,7 +683,7 @@ Now, Let's create a new `Issuer` using the `mongo-new-ca` secret that we have ju apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: mg-new-issuer + name: ms-new-issuer namespace: demo spec: ca: 
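Review bot: The post-reconfigure verification runs `sqlcmd ... -P l2mGQRMETAS96QRb` against the same `ms-standalone` instance whose `ms-standalone-auth` password was shown earlier as `b1HLv9EV4CaSalX6`, with no step shown in between that changes it; readers following along will hit a login failure, so reuse the first value or state where the new one came from. The literal `start from here. ....` marker and the blank added lines around it are WIP leftovers that must go before merge. Everything from `## Rotate Certificate` onward is still the MongoDB-era text — `ms-standalone-2` does not exist for a `replicas: 1` database and `/var/run/mssqlserver/tls/client.pem` is not the path shown just above (`/var/opt/mssql/tls/client.crt`); the same stale commands appear in the hunks at `@@ -620,8 +645,8 @@` and `@@ -816,8 +841,8 @@`, the latter with a mangled prompt `root@ms o-rs-tls-2`. The captured `mssql.conf` also shows `tlsprotocols = 1.2,1.1,1.0`; if the operator lets users restrict this to 1.2 the guide should show how, and if not, a note that TLS 1.0/1.1 remain accepted by default is something readers evaluating the setup will want.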
@@ -669,7 +694,7 @@ Let's apply the `YAML` file:
 ```bash
 $ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/reconfigure-tls/new-issuer.yaml
-issuer.cert-manager.io/mg-new-issuer created
+issuer.cert-manager.io/ms-new-issuer created
 ```
 ### Create MSSQLServerOpsRequest
@@ -685,17 +710,17 @@ metadata:
 spec:
 type: ReconfigureTLS
 databaseRef:
- name: mg-rs
+ name: ms-standalone
 tls:
 issuerRef:
- name: mg-new-issuer
+ name: ms-new-issuer
 kind: Issuer
 apiGroup: "cert-manager.io"
 ```
 Here,
-- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `mg-rs` database.
+- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `ms-standalone` database.
 - `spec.type` specifies that we are performing `ReconfigureTLS` on our database.
 - `spec.tls.issuerRef` specifies the issuer name, kind and api group.
@@ -770,12 +795,12 @@ Metadata:
 UID: cdfe8a7d-52ef-466c-a5dd-97e74ad598ca
 Spec:
 Database Ref:
- Name: mg-rs
+ Name: ms-standalone
 Tls:
 Issuer Ref:
 API Group: cert-manager.io
 Kind: Issuer
- Name: mg-new-issuer
+ Name: ms-new-issuer
 Type: ReconfigureTLS
 Status:
 Conditions:
@@ -816,8 +841,8 @@ Events:
 Now, Let's exec into a database node and find out the ca subject to see if it matches the one we have provided.
 ```bash
-$ kubectl exec -it mg-rs-2 -n demo bash
-root@mgo-rs-tls-2:/$ openssl x509 -in /var/run/mssqlserver/tls/ca.crt -inform PEM -subject -nameopt RFC2253 -noout
+$ kubectl exec -it ms-standalone-2 -n demo bash
+root@ms o-rs-tls-2:/$ openssl x509 -in /var/run/mssqlserver/tls/ca.crt -inform PEM -subject -nameopt RFC2253 -noout
 subject=O=kubedb-updated,CN=ca-updated
 ```
@@ -840,14 +865,14 @@ metadata:
 spec:
 type: ReconfigureTLS
 databaseRef:
- name: mg-rs
+ name: ms-standalone
 tls:
 remove: true
 ```
 Here,
-- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `mg-rs` database.
+- `spec.databaseRef.name` specifies that we are performing reconfigure TLS operation on `ms-standalone` database.
 - `spec.type` specifies that we are performing `ReconfigureTLS` on our database.
 - `spec.tls.remove` specifies that we want to remove tls from this database.
@@ -918,7 +943,7 @@ Metadata:
 UID: 99184cc4-1595-4f0f-b8eb-b65c5d0e86a6
 Spec:
 Database Ref:
- Name: mg-rs
+ Name: ms-standalone
 Tls:
 Remove: true
 Type: ReconfigureTLS
@@ -953,19 +978,19 @@ Status:
 Events:
 Type Reason Age From Message
 ---- ------ ---- ---- -------
- Normal PauseDatabase 2m5s KubeDB Ops-manager operator Pausing MSSQLServer demo/mg-rs
- Normal PauseDatabase 2m5s KubeDB Ops-manager operator Successfully paused MSSQLServer demo/mg-rs
+ Normal PauseDatabase 2m5s KubeDB Ops-manager operator Pausing MSSQLServer demo/ms-standalone
+ Normal PauseDatabase 2m5s KubeDB Ops-manager operator Successfully paused MSSQLServer demo/ms-standalone
 Normal TLSRemoved 2m5s KubeDB Ops-manager operator Successfully Updated PetSets
 Normal RestartReplicaSet 35s KubeDB Ops-manager operator Successfully Restarted ReplicaSet nodes
- Normal ResumeDatabase 35s KubeDB Ops-manager operator Resuming MSSQLServer demo/mg-rs
- Normal ResumeDatabase 35s KubeDB Ops-manager operator Successfully resumed MSSQLServer demo/mg-rs
+ Normal ResumeDatabase 35s KubeDB Ops-manager operator Resuming MSSQLServer demo/ms-standalone
+ Normal ResumeDatabase 35s KubeDB Ops-manager operator Successfully resumed MSSQLServer demo/ms-standalone
 Normal Successful 35s KubeDB Ops-manager operator Successfully Reconfigured TLS
 ```
 Now, Let's exec into the database primary node and find out that TLS is disabled or not.
 ```bash
-$ kubectl exec -it -n demo mg-rs-1 -- mongo admin -u root -p 'U6(h_pYrekLZ2OOd'
+$ kubectl exec -it -n demo ms-standalone-1 -- mongo admin -u root -p 'U6(h_pYrekLZ2OOd'
 rs0:PRIMARY> db.adminCommand({ getParameter:1, sslMode:1 })
 {
 "sslMode" : "disabled",
@@ -988,9 +1013,9 @@ So, we can see from the above that, output that tls is disabled successfully.
 To cleanup the Kubernetes resources created by this tutorial, run:
 ```bash
-kubectl delete mssqlserver -n demo mg-rs
-kubectl delete issuer -n demo mg-issuer mg-new-issuer
-kubectl delete mssqlserveropsrequest mops-add-tls mops-remove mops-rotate mops-change-issuer
+kubectl delete mssqlserver -n demo ms-standalone
+kubectl delete issuer -n demo ms-issuer ms-new-issuer
+kubectl delete mssqlserveropsrequest msops-add-tls mops-remove mops-rotate mops-change-issuer
 kubectl delete ns demo
 ```