Skip to content

Commit

Permalink
finish standalone
Browse files Browse the repository at this point in the history
Signed-off-by: Neaj Morshad <[email protected]>
  • Loading branch information
Neaj-Morshad-101 committed Oct 21, 2024
1 parent 068c7c4 commit 7b72fc9
Show file tree
Hide file tree
Showing 3 changed files with 110 additions and 57 deletions.
4 changes: 2 additions & 2 deletions docs/examples/mssqlserver/tls/issuer.yaml
Original file line number Diff line number Diff line change
@@ -1,8 +1,8 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: redis-ca-issuer
name: mssqlserver-ca-issuer
namespace: demo
spec:
ca:
secretName: redis-ca
secretName: mssqlserver-ca
Original file line number Diff line number Diff line change
@@ -1,19 +1,23 @@
apiVersion: kubedb.com/v1
kind: Redis
apiVersion: kubedb.com/v1alpha2
kind: MSSQLServer
metadata:
name: rd-tls
name: mssql-standalone-tls
namespace: demo
spec:
version: "6.2.14"
version: "2022-cu12"
replicas: 1
storageType: Durable
tls:
issuerRef:
apiGroup: "cert-manager.io"
name: mssqlserver-ca-issuer
kind: Issuer
name: redis-ca-issuer
apiGroup: "cert-manager.io"
clientTLS: true
storage:
storageClassName: "standard"
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
deletionPolicy: WipeOut
147 changes: 98 additions & 49 deletions docs/guides/mssqlserver/tls/standalone.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,19 +2,19 @@
title: MSSQLServer Standalone TLS/SSL Encryption
menu:
docs_{{ .version }}:
identifier: ms-tls-standalone
identifier: mssql-standalone-tls-standalone
name: Standalone
parent: ms-tls
parent: mssql-standalone-tls
weight: 20
menu_name: docs_{{ .version }}
section_menu_id: guides
---

> New to KubeDB? Please start [here](/docs/README.md).
# Run MSSQLServer with TLS/SSL (Transport Encryption)
# Run SQL Server with TLS/SSL (Transport Encryption)

KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will show you how to use KubeDB to run a MSSQLServer database with TLS/SSL encryption.
KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will show you how to use KubeDB to run a MSSQLServer with TLS/SSL encryption.

## Before You Begin

Expand All @@ -24,14 +24,16 @@ KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will

- Now, install KubeDB cli on your workstation and KubeDB operator in your cluster following the steps [here](/docs/setup/README.md).

- Install [csi-driver-cacerts](https://github.com/kubeops/csi-driver-cacerts) which will be used to add self-signed ca certificates to the OS trusted certificate store (eg, /etc/ssl/certs/ca-certificates.crt)

- To keep things isolated, this tutorial uses a separate namespace called `demo` throughout this tutorial.

```bash
$ kubectl create ns demo
namespace/demo created
```

> Note: YAML files used in this tutorial are stored in [docs/examples/mssqlserver](https://github.com/kubedb/docs/tree/{{< param "info.version" >}}/docs/examples/mssqlserver) folder in GitHub repository [kubedb/docs](https://github.com/kubedb/docs).
> Note: YAML files used in this tutorial are stored in [docs/examples/mssqlserver/tls](https://github.com/kubedb/docs/tree/{{< param "info.version" >}}/docs/examples/mssqlserver/tls) folder in GitHub repository [kubedb/docs](https://github.com/kubedb/docs).
## Overview

Expand All @@ -40,15 +42,30 @@ KubeDB uses following crd fields to enable SSL/TLS encryption in MSSQLServer.
- `spec:`
- `tls:`
- `issuerRef`
- `certificate`
- `certificates`
- `clientTLS`


- `issuerRef` is a reference to the `Issuer` or `ClusterIssuer` CR of [cert-manager](https://cert-manager.io/docs/concepts/issuer/) that will be used by `KubeDB` to generate necessary certificates.

- `apiGroup` is the group name of the resource that is being referenced. Currently, the only supported value is `cert-manager.io`.
- `kind` is the type of resource that is being referenced. KubeDB supports both `Issuer` and `ClusterIssuer` as values for this field.
- `name` is the name of the resource (`Issuer` or `ClusterIssuer`) being referenced.

- `clientTLS` This setting determines whether TLS (Transport Layer Security) is enabled for the MS SQL Server.
- If set to `true`, the sql server will be provisioned with `TLS`, and you will need to install the [csi-driver-cacerts](https://github.com/kubeops/csi-driver-cacerts) which will be used to add self-signed ca certificates to the OS trusted certificate store (/etc/ssl/certs/ca-certificates.crt).
- If set to `false`, TLS will not be enabled for SQL Server. However, the Issuer will still be used to configure a TLS-enabled WAL-G proxy server, which is necessary for performing SQL Server backup operations.

- `certificates` (optional) are a list of certificates used to configure the server and/or client certificate.

Read about the fields in details in [mssqlserver concept](/docs/guides/mssqlserver/concepts/mssqlserver.md).

Read about the fields in details in [mssqlserver concept](/docs/guides/mssqlserver/concepts/mssqlserver.md),

## Create Issuer/ ClusterIssuer

We are going to create an example `Issuer` that will be used throughout the duration of this tutorial to enable SSL/TLS in MSSQLServer. Alternatively, you can follow this [cert-manager tutorial](https://cert-manager.io/docs/configuration/ca/) to create your own `Issuer`.

- Start off by generating you ca certificates using openssl.
- Start off by generating you CA certificates using openssl.

```bash
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ca.key -out ./ca.crt -subj "/CN=mssqlserver/O=kubedb"
Expand Down Expand Up @@ -88,103 +105,135 @@ issuer.cert-manager.io/mssqlserver-ca-issuer created
Below is the YAML for MSSQLServer Standalone.

```yaml
apiVersion: kubedb.com/v1
apiVersion: kubedb.com/v1alpha2
kind: MSSQLServer
metadata:
name: ms-tls
name: mssql-standalone-tls
namespace: demo
spec:
version: "6.2.14"
version: "2022-cu12"
replicas: 1
storageType: Durable
tls:
issuerRef:
apiGroup: "cert-manager.io"
kind: Issuer
name: mssqlserver-ca-issuer
kind: Issuer
apiGroup: "cert-manager.io"
clientTLS: true
storage:
storageClassName: "standard"
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
deletionPolicy: WipeOut
```

### Deploy MSSQLServer Standalone

```bash
$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/tls/ms-standalone-ssl.yaml
mssqlserver.kubedb.com/ms-tls created
$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/tls/mssql-standalone-tls.yaml
mssqlserver.kubedb.com/mssql-standalone-tls created
```

Now, wait until `ms-tls` has status `Ready`. i.e,
Now, wait until `mssql-standalone-tls` has status `Ready`. i.e,

```bash
$ watch kubectl get ms -n demo
Every 2.0s: kubectl get mssqlserver -n demo
NAME VERSION STATUS AGE
ms-tls 6.2.14 Ready 14s
Every 2.0s: kubectl get ms -n demo
NAME VERSION STATUS AGE
mssql-standalone-tls 2022-cu12 Ready 3m30s
```

### Verify TLS/SSL in MSSQLServer Standalone

Now, connect to this database by exec into a pod and verify if `tls` has been set up as intended.

```bash
$ kubectl describe secret -n demo ms-tls-client-cert
Name: ms-tls-client-cert
$ kubectl describe secret -n demo mssql-standalone-tls-client-cert
Name: mssql-standalone-tls-client-cert
Namespace: demo
Labels: app.kubernetes.io/component=database
app.kubernetes.io/instance=ms-tls
app.kubernetes.io/instance=mssql-standalone-tls
app.kubernetes.io/managed-by=kubedb.com
app.kubernetes.io/name=mssqlserveres.kubedb.com
app.kubernetes.io/name=mssqlservers.kubedb.com
controller.cert-manager.io/fao=true
Annotations: cert-manager.io/alt-names:
cert-manager.io/certificate-name: ms-tls-client-cert
cert-manager.io/common-name: default
cert-manager.io/certificate-name: mssql-standalone-tls-client-cert
cert-manager.io/common-name: mssql
cert-manager.io/ip-sans:
cert-manager.io/issuer-group: cert-manager.io
cert-manager.io/issuer-kind: Issuer
cert-manager.io/issuer-name: mssqlserver-ca-issuer
cert-manager.io/subject-organizationalunits: client
cert-manager.io/subject-organizations: kubedb
cert-manager.io/uri-sans:
Type: kubernetes.io/tls
Data
====
ca.crt: 1147 bytes
tls.crt: 1127 bytes
tls.key: 1675 bytes
ca.crt: 1164 bytes
tls.crt: 1180 bytes
tls.key: 1679 bytes
```

Now, we can connect using tls certs to connect to the mssqlserver and write some data
Now, we can connect with tls to the mssqlserver and write some data

```bash
$ kubectl get secret -n demo mssql-standalone-tls-auth -o jsonpath='{.data.\username}' | base64 -d
sa
$ kubectl get secret -n demo mssql-standalone-tls-auth -o jsonpath='{.data.\password}' | base64 -d
C2vU3HOCWY0hQHaj
```

```bash
$ kubectl exec -it -n demo ms-tls-0 -c mssqlserver -- bash
# Trying to connect without tls certificates
root@ms-tls-0:/data# mssqlserver-cli
127.0.0.1:6379>
127.0.0.1:6379> set hello world
# Can not write data
Error: Connection reset by peer
# Trying to connect with tls certificates
root@ms-tls-0:/data# mssqlserver-cli --tls --cert "/certs/client.crt" --key "/certs/client.key" --cacert "/certs/ca.crt"
127.0.0.1:6379>
127.0.0.1:6379> set hello world
OK
127.0.0.1:6379> exit
$ kubectl exec -it -n demo mssql-standalone-tls-0 -c mssql -- bash
mssql@mssql-standalone-tls-0:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P "C2vU3HOCWY0hQHaj" -N
1> select name from sys.databases
2> go
name
--------------------------------------------------------------------------------------------------------------------------------
master
tempdb
model
msdb
kubedb_system
(5 rows affected)
1> create database tls_test
2> go
1> use tls_test
2> go
Changed database context to 'tls_test'.
1> CREATE TABLE Data (ID INT, NAME NVARCHAR(255), AGE INT);
2> go
1> INSERT INTO Data(ID, Name, Age) VALUES (1, 'John Doe', 25), (2, 'Jane Smith', 30);
2> go
(2 rows affected)
1> select * from data
2> go
ID NAME AGE
----------- --------------------------------------------
1 John Doe 25
2 Jane Smith 30
(2 rows affected)
1>
```

## Cleaning up

To clean up the Kubernetes resources created by this tutorial, run:

```bash
$ kubectl patch -n demo mssqlserver/ms-tls -p '{"spec":{"deletionPolicy":"WipeOut"}}' --type="merge"
mssqlserver.kubedb.com/ms-tls patched
$ kubectl patch -n demo mssqlserver/mssql-standalone-tls -p '{"spec":{"deletionPolicy":"WipeOut"}}' --type="merge"
mssqlserver.kubedb.com/mssql-standalone-tls patched
$ kubectl delete -n demo mssqlserver ms-tls
mssqlserver.kubedb.com "ms-tls" deleted
$ kubectl delete -n demo mssqlserver mssql-standalone-tls
mssqlserver.kubedb.com "mssql-standalone-tls" deleted
$ kubectl delete issuer -n demo mssqlserver-ca-issuer
issuer.cert-manager.io "mssqlserver-ca-issuer" deleted
Expand All @@ -193,4 +242,4 @@ issuer.cert-manager.io "mssqlserver-ca-issuer" deleted
## Next Steps

- Detail concepts of [MSSQLServer object](/docs/guides/mssqlserver/concepts/mssqlserver.md).
- [Backup and Restore](/docs/guides/mssqlserver/backup/overview/index.md) MSSQLServer databases using KubeStash. .
- [Backup and Restore](/docs/guides/mssqlserver/backup/overview/index.md) MSSQLServer databases using KubeStash.

0 comments on commit 7b72fc9

Please sign in to comment.