diff --git a/docs/examples/mssqlserver/tls/issuer.yaml b/docs/examples/mssqlserver/tls/issuer.yaml index c812454645..7a00e196d9 100644 --- a/docs/examples/mssqlserver/tls/issuer.yaml +++ b/docs/examples/mssqlserver/tls/issuer.yaml @@ -1,8 +1,8 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: redis-ca-issuer + name: mssqlserver-ca-issuer namespace: demo spec: ca: - secretName: redis-ca + secretName: mssqlserver-ca \ No newline at end of file diff --git a/docs/examples/mssqlserver/tls/rd-standalone-ssl.yaml b/docs/examples/mssqlserver/tls/mssql-standalone-tls.yaml similarity index 52% rename from docs/examples/mssqlserver/tls/rd-standalone-ssl.yaml rename to docs/examples/mssqlserver/tls/mssql-standalone-tls.yaml index 28398aa2f7..50bf7f7b2a 100644 --- a/docs/examples/mssqlserver/tls/rd-standalone-ssl.yaml +++ b/docs/examples/mssqlserver/tls/mssql-standalone-tls.yaml @@ -1,15 +1,18 @@ -apiVersion: kubedb.com/v1 -kind: Redis +apiVersion: kubedb.com/v1alpha2 +kind: MSSQLServer metadata: - name: rd-tls + name: mssql-standalone-tls namespace: demo spec: - version: "6.2.14" + version: "2022-cu12" + replicas: 1 + storageType: Durable tls: issuerRef: - apiGroup: "cert-manager.io" + name: mssqlserver-ca-issuer kind: Issuer - name: redis-ca-issuer + apiGroup: "cert-manager.io" + clientTLS: true storage: storageClassName: "standard" accessModes: @@ -17,3 +20,4 @@ spec: resources: requests: storage: 1Gi + deletionPolicy: WipeOut \ No newline at end of file diff --git a/docs/guides/mssqlserver/tls/standalone.md b/docs/guides/mssqlserver/tls/standalone.md index 4fa6658eee..b6d5221204 100644 --- a/docs/guides/mssqlserver/tls/standalone.md +++ b/docs/guides/mssqlserver/tls/standalone.md @@ -2,9 +2,9 @@ title: MSSQLServer Standalone TLS/SSL Encryption menu: docs_{{ .version }}: - identifier: ms-tls-standalone + identifier: mssql-standalone-tls-standalone name: Standalone - parent: ms-tls + parent: mssql-standalone-tls weight: 20 menu_name: docs_{{ .version }} section_menu_id: guides @@ -12,9 +12,9 @@ section_menu_id: guides > New to KubeDB? Please start [here](/docs/README.md). -# Run MSSQLServer with TLS/SSL (Transport Encryption) +# Run SQL Server with TLS/SSL (Transport Encryption) -KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will show you how to use KubeDB to run a MSSQLServer database with TLS/SSL encryption. +KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will show you how to use KubeDB to run a MSSQLServer with TLS/SSL encryption. ## Before You Begin @@ -24,6 +24,8 @@ KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will - Now, install KubeDB cli on your workstation and KubeDB operator in your cluster following the steps [here](/docs/setup/README.md). +- Install [csi-driver-cacerts](https://github.com/kubeops/csi-driver-cacerts) which will be used to add self-signed ca certificates to the OS trusted certificate store (eg, /etc/ssl/certs/ca-certificates.crt) + - To keep things isolated, this tutorial uses a separate namespace called `demo` throughout this tutorial. ```bash @@ -31,7 +33,7 @@ KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will namespace/demo created ``` -> Note: YAML files used in this tutorial are stored in [docs/examples/mssqlserver](https://github.com/kubedb/docs/tree/{{< param "info.version" >}}/docs/examples/mssqlserver) folder in GitHub repository [kubedb/docs](https://github.com/kubedb/docs). +> Note: YAML files used in this tutorial are stored in [docs/examples/mssqlserver/tls](https://github.com/kubedb/docs/tree/{{< param "info.version" >}}/docs/examples/mssqlserver/tls) folder in GitHub repository [kubedb/docs](https://github.com/kubedb/docs). ## Overview @@ -40,15 +42,30 @@ KubeDB uses following crd fields to enable SSL/TLS encryption in MSSQLServer. - `spec:` - `tls:` - `issuerRef` - - `certificate` + - `certificates` + - `clientTLS` + + +- `issuerRef` is a reference to the `Issuer` or `ClusterIssuer` CR of [cert-manager](https://cert-manager.io/docs/concepts/issuer/) that will be used by `KubeDB` to generate necessary certificates. + + - `apiGroup` is the group name of the resource that is being referenced. Currently, the only supported value is `cert-manager.io`. + - `kind` is the type of resource that is being referenced. KubeDB supports both `Issuer` and `ClusterIssuer` as values for this field. + - `name` is the name of the resource (`Issuer` or `ClusterIssuer`) being referenced. + +- `clientTLS` This setting determines whether TLS (Transport Layer Security) is enabled for the MS SQL Server. + - If set to `true`, the sql server will be provisioned with `TLS`, and you will need to install the [csi-driver-cacerts](https://github.com/kubeops/csi-driver-cacerts) which will be used to add self-signed ca certificates to the OS trusted certificate store (/etc/ssl/certs/ca-certificates.crt). + - If set to `false`, TLS will not be enabled for SQL Server. However, the Issuer will still be used to configure a TLS-enabled WAL-G proxy server, which is necessary for performing SQL Server backup operations. + +- `certificates` (optional) are a list of certificates used to configure the server and/or client certificate. + +Read about the fields in details in [mssqlserver concept](/docs/guides/mssqlserver/concepts/mssqlserver.md). -Read about the fields in details in [mssqlserver concept](/docs/guides/mssqlserver/concepts/mssqlserver.md), ## Create Issuer/ ClusterIssuer We are going to create an example `Issuer` that will be used throughout the duration of this tutorial to enable SSL/TLS in MSSQLServer. Alternatively, you can follow this [cert-manager tutorial](https://cert-manager.io/docs/configuration/ca/) to create your own `Issuer`. -- Start off by generating you ca certificates using openssl. +- Start off by generating you CA certificates using openssl. ```bash openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ca.key -out ./ca.crt -subj "/CN=mssqlserver/O=kubedb" @@ -88,18 +105,21 @@ issuer.cert-manager.io/mssqlserver-ca-issuer created Below is the YAML for MSSQLServer Standalone. ```yaml -apiVersion: kubedb.com/v1 +apiVersion: kubedb.com/v1alpha2 kind: MSSQLServer metadata: - name: ms-tls + name: mssql-standalone-tls namespace: demo spec: - version: "6.2.14" + version: "2022-cu12" + replicas: 1 + storageType: Durable tls: issuerRef: - apiGroup: "cert-manager.io" - kind: Issuer name: mssqlserver-ca-issuer + kind: Issuer + apiGroup: "cert-manager.io" + clientTLS: true storage: storageClassName: "standard" accessModes: @@ -107,22 +127,24 @@ spec: resources: requests: storage: 1Gi + deletionPolicy: WipeOut ``` ### Deploy MSSQLServer Standalone ```bash -$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/tls/ms-standalone-ssl.yaml -mssqlserver.kubedb.com/ms-tls created +$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/tls/mssql-standalone-tls.yaml +mssqlserver.kubedb.com/mssql-standalone-tls created ``` -Now, wait until `ms-tls` has status `Ready`. i.e, +Now, wait until `mssql-standalone-tls` has status `Ready`. i.e, ```bash $ watch kubectl get ms -n demo -Every 2.0s: kubectl get mssqlserver -n demo -NAME VERSION STATUS AGE -ms-tls 6.2.14 Ready 14s +Every 2.0s: kubectl get ms -n demo + +NAME VERSION STATUS AGE +mssql-standalone-tls 2022-cu12 Ready 3m30s ``` ### Verify TLS/SSL in MSSQLServer Standalone @@ -130,49 +152,76 @@ ms-tls 6.2.14 Ready 14s Now, connect to this database by exec into a pod and verify if `tls` has been set up as intended. ```bash -$ kubectl describe secret -n demo ms-tls-client-cert -Name: ms-tls-client-cert +$ kubectl describe secret -n demo mssql-standalone-tls-client-cert +Name: mssql-standalone-tls-client-cert Namespace: demo Labels: app.kubernetes.io/component=database - app.kubernetes.io/instance=ms-tls + app.kubernetes.io/instance=mssql-standalone-tls app.kubernetes.io/managed-by=kubedb.com - app.kubernetes.io/name=mssqlserveres.kubedb.com + app.kubernetes.io/name=mssqlservers.kubedb.com + controller.cert-manager.io/fao=true Annotations: cert-manager.io/alt-names: - cert-manager.io/certificate-name: ms-tls-client-cert - cert-manager.io/common-name: default + cert-manager.io/certificate-name: mssql-standalone-tls-client-cert + cert-manager.io/common-name: mssql cert-manager.io/ip-sans: cert-manager.io/issuer-group: cert-manager.io cert-manager.io/issuer-kind: Issuer cert-manager.io/issuer-name: mssqlserver-ca-issuer + cert-manager.io/subject-organizationalunits: client + cert-manager.io/subject-organizations: kubedb cert-manager.io/uri-sans: Type: kubernetes.io/tls Data ==== -ca.crt: 1147 bytes -tls.crt: 1127 bytes -tls.key: 1675 bytes +ca.crt: 1164 bytes +tls.crt: 1180 bytes +tls.key: 1679 bytes ``` -Now, we can connect using tls certs to connect to the mssqlserver and write some data +Now, we can connect with tls to the mssqlserver and write some data + +```bash +$ kubectl get secret -n demo mssql-standalone-tls-auth -o jsonpath='{.data.\username}' | base64 -d +sa + +$ kubectl get secret -n demo mssql-standalone-tls-auth -o jsonpath='{.data.\password}' | base64 -d +C2vU3HOCWY0hQHaj +``` ```bash -$ kubectl exec -it -n demo ms-tls-0 -c mssqlserver -- bash - -# Trying to connect without tls certificates -root@ms-tls-0:/data# mssqlserver-cli -127.0.0.1:6379> -127.0.0.1:6379> set hello world -# Can not write data -Error: Connection reset by peer - -# Trying to connect with tls certificates -root@ms-tls-0:/data# mssqlserver-cli --tls --cert "/certs/client.crt" --key "/certs/client.key" --cacert "/certs/ca.crt" -127.0.0.1:6379> -127.0.0.1:6379> set hello world -OK -127.0.0.1:6379> exit +$ kubectl exec -it -n demo mssql-standalone-tls-0 -c mssql -- bash +mssql@mssql-standalone-tls-0:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P "C2vU3HOCWY0hQHaj" -N +1> select name from sys.databases +2> go +name +-------------------------------------------------------------------------------------------------------------------------------- +master +tempdb +model +msdb +kubedb_system + +(5 rows affected) +1> create database tls_test +2> go +1> use tls_test +2> go +Changed database context to 'tls_test'. +1> CREATE TABLE Data (ID INT, NAME NVARCHAR(255), AGE INT); +2> go +1> INSERT INTO Data(ID, Name, Age) VALUES (1, 'John Doe', 25), (2, 'Jane Smith', 30); +2> go +(2 rows affected) +1> select * from data +2> go +ID NAME AGE +----------- -------------------------------------------- +1 John Doe 25 +2 Jane Smith 30 +(2 rows affected) +1> ``` ## Cleaning up @@ -180,11 +229,11 @@ OK To clean up the Kubernetes resources created by this tutorial, run: ```bash -$ kubectl patch -n demo mssqlserver/ms-tls -p '{"spec":{"deletionPolicy":"WipeOut"}}' --type="merge" -mssqlserver.kubedb.com/ms-tls patched +$ kubectl patch -n demo mssqlserver/mssql-standalone-tls -p '{"spec":{"deletionPolicy":"WipeOut"}}' --type="merge" +mssqlserver.kubedb.com/mssql-standalone-tls patched -$ kubectl delete -n demo mssqlserver ms-tls -mssqlserver.kubedb.com "ms-tls" deleted +$ kubectl delete -n demo mssqlserver mssql-standalone-tls +mssqlserver.kubedb.com "mssql-standalone-tls" deleted $ kubectl delete issuer -n demo mssqlserver-ca-issuer issuer.cert-manager.io "mssqlserver-ca-issuer" deleted @@ -193,4 +242,4 @@ issuer.cert-manager.io "mssqlserver-ca-issuer" deleted ## Next Steps - Detail concepts of [MSSQLServer object](/docs/guides/mssqlserver/concepts/mssqlserver.md). -- [Backup and Restore](/docs/guides/mssqlserver/backup/overview/index.md) MSSQLServer databases using KubeStash. . \ No newline at end of file +- [Backup and Restore](/docs/guides/mssqlserver/backup/overview/index.md) MSSQLServer databases using KubeStash. \ No newline at end of file