min-tls settings for postgres (#865)

* introduce override variables for postgres min-tls version * set min-tls version for CS and maestro to 1.2 https://issues.redhat.com/browse/ARO-12468 Signed-off-by: Gerd Oberlechner <[email protected]>
Azure · Nov 21, 2024 · 5fdc3d9 · 5fdc3d9
1 parent 2a053ee
commit 5fdc3d9
Show file tree

Hide file tree

Showing 10 changed files with 47 additions and 2 deletions.
diff --git a/config/config.schema.json b/config/config.schema.json
@@ -41,6 +41,10 @@
               },
               "private": {
                 "type": "boolean"
+              },
+              "minTLSVersion": {
+                "type": "string",
+                "enum": ["TLSV1.2", "TLSV1.3"]
               }
             },
             "required": [
@@ -245,6 +249,10 @@
               },
               "serverVersion": {
                 "type": "string"
+              },
+              "minTLSVersion": {
+                "type": "string",
+                "enum": ["TLSV1.2", "TLSV1.3"]
               }
             },
             "additionalProperties": false,
@@ -569,4 +577,4 @@
       "svcAcrName",
       "vnetAddressPrefix"
     ]
-  }
+  }
diff --git a/config/config.yaml b/config/config.yaml
@@ -57,6 +57,7 @@ defaults:
       serverStorageSizeGB: '32'
       deploy: true
       private: false
+      minTLSVersion: 'TLSV1.2'
     restrictIstioIngress: true
     consumerName: hcp-underlay-{{ .ctx.regionShort }}-mgmt-{{ .ctx.stamp }}
 
@@ -67,6 +68,7 @@ defaults:
       name: arohcp-cs-{{ .ctx.regionShort }}
       deploy: true
       private: false
+      minTLSVersion: 'TLSV1.2'
 
   # Image Sync
   imageSync:

diff --git a/config/public-cloud-cs-pr.json b/config/public-cloud-cs-pr.json
@@ -10,6 +10,7 @@
     "imageTag": "aac7623",
     "postgres": {
       "deploy": true,
+      "minTLSVersion": "TLSV1.2",
       "name": "arohcp-cs-cspr",
       "private": false
     }
@@ -61,6 +62,7 @@
     "keyVaultName": "arohcp-maestro-cspr",
     "postgres": {
       "deploy": false,
+      "minTLSVersion": "TLSV1.2",
       "name": "arohcp-maestro-cspr",
       "private": false,
       "serverStorageSizeGB": "32",

diff --git a/config/public-cloud-dev.json b/config/public-cloud-dev.json
@@ -10,6 +10,7 @@
     "imageTag": "aac7623",
     "postgres": {
       "deploy": true,
+      "minTLSVersion": "TLSV1.2",
       "name": "arohcp-cs-dev",
       "private": false
     }
@@ -61,6 +62,7 @@
     "keyVaultName": "arohcp-maestro-dev",
     "postgres": {
       "deploy": false,
+      "minTLSVersion": "TLSV1.2",
       "name": "arohcp-maestro-dev",
       "private": false,
       "serverStorageSizeGB": "32",

diff --git a/config/public-cloud-personal-dev.json b/config/public-cloud-personal-dev.json
@@ -10,6 +10,7 @@
     "imageTag": "aac7623",
     "postgres": {
       "deploy": false,
+      "minTLSVersion": "TLSV1.2",
       "name": "arohcp-cs-usw3tst",
       "private": false
     }
@@ -61,6 +62,7 @@
     "keyVaultName": "arohcp-maestro-usw3tst",
     "postgres": {
       "deploy": false,
+      "minTLSVersion": "TLSV1.2",
       "name": "arohcp-maestro-usw3tst",
       "private": false,
       "serverStorageSizeGB": "32",

diff --git a/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam b/dev-infrastructure/configurations/svc-cluster.tmpl.bicepparam
@@ -17,13 +17,15 @@ param maestroKeyVaultName = '{{ .maestro.keyVaultName }}'
 param maestroEventGridNamespacesName = '{{ .maestro.eventgridName }}'
 param maestroCertDomain = '{{ .maestro.certDomain}}'
 param maestroPostgresServerName = '{{ .maestro.postgres.name }}'
+param maestroPostgresServerMinTLSVersion = '{{ .maestro.postgres.minTLSVersion }}'
 param maestroPostgresServerVersion = '{{ .maestro.postgres.serverVersion }}'
 param maestroPostgresServerStorageSizeGB = {{ .maestro.postgres.serverStorageSizeGB }}
 param deployMaestroPostgres = {{ .maestro.postgres.deploy }}
 param maestroPostgresPrivate = {{ .maestro.postgres.private }}
 
 param deployCsInfra = {{ .clusterService.postgres.deploy }}
 param csPostgresServerName = '{{ .clusterService.postgres.name }}'
+param csPostgresServerMinTLSVersion = '{{ .clusterService.postgres.minTLSVersion }}'
 param clusterServicePostgresPrivate = {{ .clusterService.postgres.private }}
 
 param serviceKeyVaultName = '{{ .serviceKeyVault.name }}'

diff --git a/dev-infrastructure/modules/cluster-service.bicep b/dev-infrastructure/modules/cluster-service.bicep
@@ -13,6 +13,9 @@ param csDatabaseName string = 'clusters-service'
 @description('The name of the Postgres server for CS')
 param postgresServerName string
 
+@description('The minimum TLS version for the Postgres server')
+param postgresServerMinTLSVersion string
+
 param postgresServerPrivate bool
 
 param privateEndpointSubnetId string = ''
@@ -38,6 +41,7 @@ module postgres 'postgres/postgres.bicep' = {
       }
     ]
     version: '12'
+    minTLSVersion: postgresServerMinTLSVersion
     configurations: [
       // some configs taked over from the CS RDS instance
       // https://gitlab.cee.redhat.com/service/app-interface/-/blob/fc95453b1e0eaf162089525f5b94b6dc1e6a091f/resources/terraform/resources/ocm/clusters-service-production-rds-parameter-group-pg12.yml

diff --git a/dev-infrastructure/modules/maestro/maestro-server.bicep b/dev-infrastructure/modules/maestro/maestro-server.bicep
@@ -22,6 +22,9 @@ param deployPostgres bool
 @description('The name of the Postgres server for Maestro')
 param postgresServerName string
 
+@description('The version of the Postgres server for Maestro')
+param postgresServerMinTLSVersion string
+
 @description('The version of the Postgres server for Maestro')
 param postgresServerVersion string
 
@@ -71,6 +74,7 @@ module postgres '../postgres/postgres.bicep' = if (deployPostgres) {
   name: '${deployment().name}-postgres'
   params: {
     name: postgresServerName
+    minTLSVersion: postgresServerMinTLSVersion
     databaseAdministrators: [
       // add the dedicated admin managed identity as administrator
       // this one is going to be used to manage DB access

diff --git a/dev-infrastructure/modules/postgres/postgres.bicep b/dev-infrastructure/modules/postgres/postgres.bicep
@@ -9,6 +9,7 @@ param location string = resourceGroup().location
 
 param sku string = 'Standard_D2s_v3'
 param tier string = 'GeneralPurpose'
+param minTLSVersion string
 
 type DatabaseAdministrators = {
   principalId: string
@@ -145,6 +146,16 @@ resource postgres_config 'Microsoft.DBforPostgreSQL/flexibleServers/configuratio
   }
 ]
 
+resource postgres_min_tls 'Microsoft.DBforPostgreSQL/flexibleServers/configurations@2023-12-01-preview' = {
+  name: 'ssl_min_protocol_version'
+  parent: postgres
+  properties: {
+    source: 'user-override'
+    value: minTLSVersion
+  }
+  dependsOn: [postgres_config]
+}
+
 @batchSize(1)
 resource postgres_database 'Microsoft.DBforPostgreSQL/flexibleServers/databases@2023-12-01-preview' = [
   for database in databases: {
@@ -154,7 +165,7 @@ resource postgres_database 'Microsoft.DBforPostgreSQL/flexibleServers/databases@
       charset: database.charset
       collation: database.collation
     }
-    dependsOn: [postgres_config]
+    dependsOn: [postgres_min_tls]
   }
 ]
 

diff --git a/dev-infrastructure/templates/svc-cluster.bicep b/dev-infrastructure/templates/svc-cluster.bicep
@@ -73,6 +73,9 @@ param deployCsInfra bool
 @maxLength(60)
 param csPostgresServerName string
 
+@description('The minimum TLS version for the Postgres server for CS')
+param csPostgresServerMinTLSVersion string
+
 @description('If true, make the CS Postgres instance private')
 param clusterServicePostgresPrivate bool = true
 
@@ -89,6 +92,9 @@ param maestroPostgresServerName string
 @description('The version of the Postgres server for Maestro')
 param maestroPostgresServerVersion string
 
+@description('The minimum TLS version for the Postgres server for Maestro')
+param maestroPostgresServerMinTLSVersion string
+
 @description('The size of the Postgres server for Maestro')
 param maestroPostgresServerStorageSizeGB int
 
@@ -223,6 +229,7 @@ module maestroServer '../modules/maestro/maestro-server.bicep' = {
     deployPostgres: deployMaestroPostgres
     postgresServerName: maestroPostgresServerName
     postgresServerVersion: maestroPostgresServerVersion
+    postgresServerMinTLSVersion: maestroPostgresServerMinTLSVersion
     postgresServerStorageSizeGB: maestroPostgresServerStorageSizeGB
     privateEndpointSubnetId: svcCluster.outputs.aksNodeSubnetId
     privateEndpointVnetId: svcCluster.outputs.aksVnetId
@@ -283,6 +290,7 @@ module cs '../modules/cluster-service.bicep' = if (deployCsInfra) {
   params: {
     location: location
     postgresServerName: csPostgresServerName
+    postgresServerMinTLSVersion: csPostgresServerMinTLSVersion
     privateEndpointSubnetId: svcCluster.outputs.aksNodeSubnetId
     privateEndpointVnetId: svcCluster.outputs.aksVnetId
     postgresServerPrivate: clusterServicePostgresPrivate