From a865147b34ccf457e6dd6cc0c30966b98ef9a90d Mon Sep 17 00:00:00 2001 From: Neaj Morshad Date: Mon, 21 Oct 2024 12:23:31 +0600 Subject: [PATCH] finish standalone Signed-off-by: Neaj Morshad --- docs/examples/mssqlserver/tls/issuer.yaml | 4 +- ...one-ssl.yaml => mssql-standalone-tls.yaml} | 16 +- docs/guides/mssqlserver/tls/ag_cluster.md | 76 ++++++---- docs/guides/mssqlserver/tls/standalone.md | 143 ++++++++++++------ 4 files changed, 152 insertions(+), 87 deletions(-) rename docs/examples/mssqlserver/tls/{rd-standalone-ssl.yaml => mssql-standalone-tls.yaml} (52%) diff --git a/docs/examples/mssqlserver/tls/issuer.yaml b/docs/examples/mssqlserver/tls/issuer.yaml index c81245464..7a00e196d 100644 --- a/docs/examples/mssqlserver/tls/issuer.yaml +++ b/docs/examples/mssqlserver/tls/issuer.yaml @@ -1,8 +1,8 @@ apiVersion: cert-manager.io/v1 kind: Issuer metadata: - name: redis-ca-issuer + name: mssqlserver-ca-issuer namespace: demo spec: ca: - secretName: redis-ca + secretName: mssqlserver-ca \ No newline at end of file diff --git a/docs/examples/mssqlserver/tls/rd-standalone-ssl.yaml b/docs/examples/mssqlserver/tls/mssql-standalone-tls.yaml similarity index 52% rename from docs/examples/mssqlserver/tls/rd-standalone-ssl.yaml rename to docs/examples/mssqlserver/tls/mssql-standalone-tls.yaml index 28398aa2f..50bf7f7b2 100644 --- a/docs/examples/mssqlserver/tls/rd-standalone-ssl.yaml +++ b/docs/examples/mssqlserver/tls/mssql-standalone-tls.yaml @@ -1,15 +1,18 @@ -apiVersion: kubedb.com/v1 -kind: Redis +apiVersion: kubedb.com/v1alpha2 +kind: MSSQLServer metadata: - name: rd-tls + name: mssql-standalone-tls namespace: demo spec: - version: "6.2.14" + version: "2022-cu12" + replicas: 1 + storageType: Durable tls: issuerRef: - apiGroup: "cert-manager.io" + name: mssqlserver-ca-issuer kind: Issuer - name: redis-ca-issuer + apiGroup: "cert-manager.io" + clientTLS: true storage: storageClassName: "standard" accessModes: @@ -17,3 +20,4 @@ spec: resources: requests: storage: 1Gi + deletionPolicy: WipeOut \ No newline at end of file diff --git a/docs/guides/mssqlserver/tls/ag_cluster.md b/docs/guides/mssqlserver/tls/ag_cluster.md index 01acb288c..03aed981c 100644 --- a/docs/guides/mssqlserver/tls/ag_cluster.md +++ b/docs/guides/mssqlserver/tls/ag_cluster.md @@ -1,20 +1,20 @@ --- -title: MSSQLServer Sentinel TLS/SSL Encryption +title: SQL Server Availability Group TLS/SSL Encryption menu: docs_{{ .version }}: - identifier: ms-tls-sentinel - name: Sentinel + identifier: ms-tls-availability-group + name: Availability Group (HA Cluster) parent: ms-tls - weight: 20 + weight: 30 menu_name: docs_{{ .version }} section_menu_id: guides --- > New to KubeDB? Please start [here](/docs/README.md). -# Run SQL Server with TLS/SSL Encryption +# Run SQL Server Availability Group with TLS/SSL Encryption -KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will show you how to use KubeDB to run a MSSQLServer database with TLS/SSL encryption. +KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will show you how to use KubeDB to run a MSSQLServer with TLS/SSL encryption. ## Before You Begin @@ -24,6 +24,8 @@ KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will - Now, install KubeDB cli on your workstation and KubeDB operator in your cluster following the steps [here](/docs/setup/README.md). +- Install [csi-driver-cacerts](https://github.com/kubeops/csi-driver-cacerts) which will be used to add self-signed ca certificates to the OS trusted certificate store (eg, /etc/ssl/certs/ca-certificates.crt) + - To keep things isolated, this tutorial uses a separate namespace called `demo` throughout this tutorial. ```bash @@ -31,51 +33,61 @@ KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will namespace/demo created ``` -> Note: YAML files used in this tutorial are stored in [docs/examples/mssqlserver](https://github.com/kubedb/docs/tree/{{< param "info.version" >}}/docs/examples/mssqlserver) folder in GitHub repository [kubedb/docs](https://github.com/kubedb/docs). +> Note: YAML files used in this tutorial are stored in [docs/examples/mssqlserver/tls](https://github.com/kubedb/docs/tree/{{< param "info.version" >}}/docs/examples/mssqlserver/tls) folder in GitHub repository [kubedb/docs](https://github.com/kubedb/docs). ## Overview -KubeDB uses following crd fields to enable SSL/TLS encryption in MSSQLServer and MSSQLServerSentinel. +KubeDB uses following crd fields to enable SSL/TLS encryption in MSSQLServer. - `spec:` - `tls:` - `issuerRef` - - `certificate` + - `certificates` + - `clientTLS` + + +- `issuerRef` is a reference to the `Issuer` or `ClusterIssuer` CR of [cert-manager](https://cert-manager.io/docs/concepts/issuer/) that will be used by `KubeDB` to generate necessary certificates. -There are two basic things to keep in mind when securing MSSQLServer using TLS in Sentinel Mode. + - `apiGroup` is the group name of the resource that is being referenced. Currently, the only supported value is `cert-manager.io`. + - `kind` is the type of resource that is being referenced. KubeDB supports both `Issuer` and `ClusterIssuer` as values for this field. + - `name` is the name of the resource (`Issuer` or `ClusterIssuer`) being referenced. -- Either Sentinel instance and MSSQLServer database both should have TLS enabled or both have TLS disabled. +- `clientTLS` This setting determines whether TLS (Transport Layer Security) is enabled for the MS SQL Server. + - If set to `true`, the sql server will be provisioned with `TLS`, and you will need to install the [csi-driver-cacerts](https://github.com/kubeops/csi-driver-cacerts) which will be used to add self-signed ca certificates to the OS trusted certificate store (/etc/ssl/certs/ca-certificates.crt). + - If set to `false`, TLS will not be enabled for SQL Server. However, the Issuer will still be used to configure a TLS-enabled WAL-G proxy server, which is necessary for performing SQL Server backup operations. -- If TLS enabled, both Sentinel instance and MSSQLServer database should use the same `Issuer`. If they are in different namespace, in order to use same issuer, the certificates should be signed using `ClusterIssuer` +- `certificates` (optional) are a list of certificates used to configure the server and/or client certificate. + +Read about the fields in details in [mssqlserver concept](/docs/guides/mssqlserver/concepts/mssqlserver.md). -Read about the fields in details in [mssqlserver concept](/docs/guides/mssqlserver/concepts/mssqlserver.md) and [mssqlserversentinel concept](/docs/guides/mssqlserver/concepts/mssqlserversentinel.md) ## Create Issuer/ ClusterIssuer -We are going to create an example `ClusterIssuer` that will be used throughout the duration of this tutorial to enable SSL/TLS in MSSQLServer. Alternatively, you can follow this [cert-manager tutorial](https://cert-manager.io/docs/configuration/ca/) to create your own `ClusterIssuer`. +We are going to create an example `Issuer` that will be used throughout the duration of this tutorial to enable SSL/TLS in MSSQLServer. Alternatively, you can follow this [cert-manager tutorial](https://cert-manager.io/docs/configuration/ca/) to create your own `Issuer`. -- Start off by generating you can certificate using openssl. +- Start off by generating you CA certificates using openssl. ```bash openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ca.key -out ./ca.crt -subj "/CN=mssqlserver/O=kubedb" ``` -- Now create a ca-secret using the certificate files you have just generated. The secret should be created in `cert-manager` namespace to create the `ClusterIssuer`. +- Now create a ca-secret using the certificate files you have just generated. ```bash -$ kubectl create secret tls mssqlserver-ca \ +kubectl create secret tls mssqlserver-ca \ --cert=ca.crt \ --key=ca.key \ - --namespace=cert-manager + --namespace=demo ``` -Now, create an `ClusterIssuer` using the `ca-secret` you have just created. The `YAML` file looks like this: +Now, create an `Issuer` using the `ca-secret` you have just created. The `YAML` file looks like this: ```yaml apiVersion: cert-manager.io/v1 -kind: ClusterIssuer +kind: Issuer metadata: name: mssqlserver-ca-issuer + namespace: demo spec: ca: secretName: mssqlserver-ca @@ -84,16 +96,16 @@ spec: Apply the `YAML` file: ```bash -$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/tls/clusterissuer.yaml -clusterissuer.cert-manager.io/mssqlserver-ca-issuer created +$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/tls/issuer.yaml +issuer.cert-manager.io/mssqlserver-ca-issuer created ``` -## TLS/SSL encryption in Sentinel +## TLS/SSL encryption in SQL Server Availability Group -Below is the YAML for MSSQLServer in Sentinel Mode. +Below is the YAML for MSSQLServer in Availability Group Mode. ```yaml apiVersion: kubedb.com/v1 -kind: MSSQLServerSentinel +kind: MSSQLServerAvailability Group metadata: name: sen-tls namespace: demo @@ -114,7 +126,7 @@ spec: storage: 1Gi ``` -### Deploy MSSQLServer in Sentinel Mode +### Deploy MSSQLServer in Availability Group Mode ```bash $ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/tls/sentinel-ssl.yaml @@ -130,7 +142,7 @@ NAME VERSION STATUS AGE sen-tls 6.2.14 Ready 111s ``` -### Verify TLS/SSL in MSSQLServer in Sentinel Mode +### Verify TLS/SSL in MSSQLServer in Availability Group Mode Now, connect to this database by exec into a pod and verify if `tls` has been set up as intended. @@ -160,9 +172,9 @@ tls.crt: 1127 bytes tls.key: 1675 bytes ``` -## TLS/SSL encryption in MSSQLServer in Sentinel Mode +## TLS/SSL encryption in MSSQLServer in Availability Group Mode -Below is the YAML for MSSQLServer in Sentinel Mode. +Below is the YAML for MSSQLServer in Availability Group Mode. ```yaml apiVersion: kubedb.com/v1 kind: MSSQLServer @@ -171,7 +183,7 @@ metadata: namespace: demo spec: version: "6.2.14" - mode: Sentinel + mode: Availability Group replicas: 3 sentinelRef: name: sen-tls @@ -190,7 +202,7 @@ spec: storage: 1Gi ``` -### Deploy MSSQLServer in Sentinel Mode +### Deploy MSSQLServer in Availability Group Mode ```bash $ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/tls/ms-sentinel.yaml @@ -206,7 +218,7 @@ NAME VERSION STATUS AGE ms-tls 6.2.14 Ready 2m14s ``` -### Verify TLS/SSL in MSSQLServer in Sentinel Mode +### Verify TLS/SSL in MSSQLServer in Availability Group Mode Now, connect to this database by exec into a pod and verify if `tls` has been set up as intended. diff --git a/docs/guides/mssqlserver/tls/standalone.md b/docs/guides/mssqlserver/tls/standalone.md index 4fa6658ee..234364d9e 100644 --- a/docs/guides/mssqlserver/tls/standalone.md +++ b/docs/guides/mssqlserver/tls/standalone.md @@ -12,9 +12,9 @@ section_menu_id: guides > New to KubeDB? Please start [here](/docs/README.md). -# Run MSSQLServer with TLS/SSL (Transport Encryption) +# Run SQL Server Standalone with TLS/SSL (Transport Encryption) -KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will show you how to use KubeDB to run a MSSQLServer database with TLS/SSL encryption. +KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will show you how to use KubeDB to run a MSSQLServer with TLS/SSL encryption. ## Before You Begin @@ -24,6 +24,8 @@ KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will - Now, install KubeDB cli on your workstation and KubeDB operator in your cluster following the steps [here](/docs/setup/README.md). +- Install [csi-driver-cacerts](https://github.com/kubeops/csi-driver-cacerts) which will be used to add self-signed ca certificates to the OS trusted certificate store (eg, /etc/ssl/certs/ca-certificates.crt) + - To keep things isolated, this tutorial uses a separate namespace called `demo` throughout this tutorial. ```bash @@ -31,7 +33,7 @@ KubeDB supports providing TLS/SSL encryption for MSSQLServer. This tutorial will namespace/demo created ``` -> Note: YAML files used in this tutorial are stored in [docs/examples/mssqlserver](https://github.com/kubedb/docs/tree/{{< param "info.version" >}}/docs/examples/mssqlserver) folder in GitHub repository [kubedb/docs](https://github.com/kubedb/docs). +> Note: YAML files used in this tutorial are stored in [docs/examples/mssqlserver/tls](https://github.com/kubedb/docs/tree/{{< param "info.version" >}}/docs/examples/mssqlserver/tls) folder in GitHub repository [kubedb/docs](https://github.com/kubedb/docs). ## Overview @@ -40,15 +42,30 @@ KubeDB uses following crd fields to enable SSL/TLS encryption in MSSQLServer. - `spec:` - `tls:` - `issuerRef` - - `certificate` + - `certificates` + - `clientTLS` + + +- `issuerRef` is a reference to the `Issuer` or `ClusterIssuer` CR of [cert-manager](https://cert-manager.io/docs/concepts/issuer/) that will be used by `KubeDB` to generate necessary certificates. + + - `apiGroup` is the group name of the resource that is being referenced. Currently, the only supported value is `cert-manager.io`. + - `kind` is the type of resource that is being referenced. KubeDB supports both `Issuer` and `ClusterIssuer` as values for this field. + - `name` is the name of the resource (`Issuer` or `ClusterIssuer`) being referenced. + +- `clientTLS` This setting determines whether TLS (Transport Layer Security) is enabled for the MS SQL Server. + - If set to `true`, the sql server will be provisioned with `TLS`, and you will need to install the [csi-driver-cacerts](https://github.com/kubeops/csi-driver-cacerts) which will be used to add self-signed ca certificates to the OS trusted certificate store (/etc/ssl/certs/ca-certificates.crt). + - If set to `false`, TLS will not be enabled for SQL Server. However, the Issuer will still be used to configure a TLS-enabled WAL-G proxy server, which is necessary for performing SQL Server backup operations. + +- `certificates` (optional) are a list of certificates used to configure the server and/or client certificate. + +Read about the fields in details in [mssqlserver concept](/docs/guides/mssqlserver/concepts/mssqlserver.md). -Read about the fields in details in [mssqlserver concept](/docs/guides/mssqlserver/concepts/mssqlserver.md), ## Create Issuer/ ClusterIssuer We are going to create an example `Issuer` that will be used throughout the duration of this tutorial to enable SSL/TLS in MSSQLServer. Alternatively, you can follow this [cert-manager tutorial](https://cert-manager.io/docs/configuration/ca/) to create your own `Issuer`. -- Start off by generating you ca certificates using openssl. +- Start off by generating you CA certificates using openssl. ```bash openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ./ca.key -out ./ca.crt -subj "/CN=mssqlserver/O=kubedb" @@ -88,18 +105,21 @@ issuer.cert-manager.io/mssqlserver-ca-issuer created Below is the YAML for MSSQLServer Standalone. ```yaml -apiVersion: kubedb.com/v1 +apiVersion: kubedb.com/v1alpha2 kind: MSSQLServer metadata: - name: ms-tls + name: mssql-standalone-tls namespace: demo spec: - version: "6.2.14" + version: "2022-cu12" + replicas: 1 + storageType: Durable tls: issuerRef: - apiGroup: "cert-manager.io" - kind: Issuer name: mssqlserver-ca-issuer + kind: Issuer + apiGroup: "cert-manager.io" + clientTLS: true storage: storageClassName: "standard" accessModes: @@ -107,22 +127,24 @@ spec: resources: requests: storage: 1Gi + deletionPolicy: WipeOut ``` ### Deploy MSSQLServer Standalone ```bash -$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/tls/ms-standalone-ssl.yaml -mssqlserver.kubedb.com/ms-tls created +$ kubectl create -f https://github.com/kubedb/docs/raw/{{< param "info.version" >}}/docs/examples/mssqlserver/tls/mssql-standalone-tls.yaml +mssqlserver.kubedb.com/mssql-standalone-tls created ``` -Now, wait until `ms-tls` has status `Ready`. i.e, +Now, wait until `mssql-standalone-tls` has status `Ready`. i.e, ```bash $ watch kubectl get ms -n demo -Every 2.0s: kubectl get mssqlserver -n demo -NAME VERSION STATUS AGE -ms-tls 6.2.14 Ready 14s +Every 2.0s: kubectl get ms -n demo + +NAME VERSION STATUS AGE +mssql-standalone-tls 2022-cu12 Ready 3m30s ``` ### Verify TLS/SSL in MSSQLServer Standalone @@ -130,49 +152,76 @@ ms-tls 6.2.14 Ready 14s Now, connect to this database by exec into a pod and verify if `tls` has been set up as intended. ```bash -$ kubectl describe secret -n demo ms-tls-client-cert -Name: ms-tls-client-cert +$ kubectl describe secret -n demo mssql-standalone-tls-client-cert +Name: mssql-standalone-tls-client-cert Namespace: demo Labels: app.kubernetes.io/component=database - app.kubernetes.io/instance=ms-tls + app.kubernetes.io/instance=mssql-standalone-tls app.kubernetes.io/managed-by=kubedb.com - app.kubernetes.io/name=mssqlserveres.kubedb.com + app.kubernetes.io/name=mssqlservers.kubedb.com + controller.cert-manager.io/fao=true Annotations: cert-manager.io/alt-names: - cert-manager.io/certificate-name: ms-tls-client-cert - cert-manager.io/common-name: default + cert-manager.io/certificate-name: mssql-standalone-tls-client-cert + cert-manager.io/common-name: mssql cert-manager.io/ip-sans: cert-manager.io/issuer-group: cert-manager.io cert-manager.io/issuer-kind: Issuer cert-manager.io/issuer-name: mssqlserver-ca-issuer + cert-manager.io/subject-organizationalunits: client + cert-manager.io/subject-organizations: kubedb cert-manager.io/uri-sans: Type: kubernetes.io/tls Data ==== -ca.crt: 1147 bytes -tls.crt: 1127 bytes -tls.key: 1675 bytes +ca.crt: 1164 bytes +tls.crt: 1180 bytes +tls.key: 1679 bytes ``` -Now, we can connect using tls certs to connect to the mssqlserver and write some data +Now, we can connect with tls to the mssqlserver and write some data + +```bash +$ kubectl get secret -n demo mssql-standalone-tls-auth -o jsonpath='{.data.\username}' | base64 -d +sa + +$ kubectl get secret -n demo mssql-standalone-tls-auth -o jsonpath='{.data.\password}' | base64 -d +C2vU3HOCWY0hQHaj +``` ```bash -$ kubectl exec -it -n demo ms-tls-0 -c mssqlserver -- bash - -# Trying to connect without tls certificates -root@ms-tls-0:/data# mssqlserver-cli -127.0.0.1:6379> -127.0.0.1:6379> set hello world -# Can not write data -Error: Connection reset by peer - -# Trying to connect with tls certificates -root@ms-tls-0:/data# mssqlserver-cli --tls --cert "/certs/client.crt" --key "/certs/client.key" --cacert "/certs/ca.crt" -127.0.0.1:6379> -127.0.0.1:6379> set hello world -OK -127.0.0.1:6379> exit +$ kubectl exec -it -n demo mssql-standalone-tls-0 -c mssql -- bash +mssql@mssql-standalone-tls-0:/$ /opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P "C2vU3HOCWY0hQHaj" -N +1> select name from sys.databases +2> go +name +-------------------------------------------------------------------------------------------------------------------------------- +master +tempdb +model +msdb +kubedb_system + +(5 rows affected) +1> create database tls_test +2> go +1> use tls_test +2> go +Changed database context to 'tls_test'. +1> CREATE TABLE Data (ID INT, NAME NVARCHAR(255), AGE INT); +2> go +1> INSERT INTO Data(ID, Name, Age) VALUES (1, 'John Doe', 25), (2, 'Jane Smith', 30); +2> go +(2 rows affected) +1> select * from data +2> go +ID NAME AGE +----------- -------------------------------------------- +1 John Doe 25 +2 Jane Smith 30 +(2 rows affected) +1> ``` ## Cleaning up @@ -180,11 +229,11 @@ OK To clean up the Kubernetes resources created by this tutorial, run: ```bash -$ kubectl patch -n demo mssqlserver/ms-tls -p '{"spec":{"deletionPolicy":"WipeOut"}}' --type="merge" -mssqlserver.kubedb.com/ms-tls patched +$ kubectl patch -n demo mssqlserver/mssql-standalone-tls -p '{"spec":{"deletionPolicy":"WipeOut"}}' --type="merge" +mssqlserver.kubedb.com/mssql-standalone-tls patched -$ kubectl delete -n demo mssqlserver ms-tls -mssqlserver.kubedb.com "ms-tls" deleted +$ kubectl delete -n demo mssqlserver mssql-standalone-tls +mssqlserver.kubedb.com "mssql-standalone-tls" deleted $ kubectl delete issuer -n demo mssqlserver-ca-issuer issuer.cert-manager.io "mssqlserver-ca-issuer" deleted @@ -193,4 +242,4 @@ issuer.cert-manager.io "mssqlserver-ca-issuer" deleted ## Next Steps - Detail concepts of [MSSQLServer object](/docs/guides/mssqlserver/concepts/mssqlserver.md). -- [Backup and Restore](/docs/guides/mssqlserver/backup/overview/index.md) MSSQLServer databases using KubeStash. . \ No newline at end of file +- [Backup and Restore](/docs/guides/mssqlserver/backup/overview/index.md) MSSQLServer databases using KubeStash. \ No newline at end of file