Merge pull request #104 from supabase/tls

Enable TLS when a replicator connects to the database

Author: imor

Diff for: Cargo.toml

@@ -32,6 +32,7 @@ prost = { version = "0.13.1", default-features = false }
 rand = { version = "0.8.5", default-features = false }
 reqwest = { version = "0.12", default-features = false }
 rustls = { version = "0.23.12", default-features = false }
+rustls-pemfile = { version = "2.2.0", default-features = false }
 rustyline = { version = "14.0.0", default-features = false }
 secrecy = { version = "0.8.0", default-features = false }
 serde = { version = "1.0", default-features = false }
@@ -40,6 +41,7 @@ sqlx = { version = "0.8.2", default-features = false }
 thiserror = "1.0"
 tokio = { version = "1.38", default-features = false }
 tokio-postgres = { git = "https://github.com/imor/rust-postgres", default-features = false, rev = "20265ef38e32a06f76b6f9b678e2077fc2211f6b" }
+tokio-postgres-rustls = { git = "https://github.com/imor/tokio-postgres-rustls", default-features = false }
 tracing = { version = "0.1", default-features = false }
 tracing-actix-web = { version = "0.7", default-features = false }
 tracing-bunyan-formatter = { version = "0.3", default-features = false }

Diff for: api/src/k8s_client.rs

@@ -60,6 +60,8 @@ pub trait K8sClient {
 
     async fn delete_bq_secret(&self, prefix: &str) -> Result<(), K8sError>;
 
+    async fn get_config_map(&self, config_map_name: &str) -> Result<ConfigMap, K8sError>;
+
     async fn create_or_update_config_map(
         &self,
         prefix: &str,
@@ -95,6 +97,7 @@ const CONFIG_MAP_NAME_SUFFIX: &str = "replicator-config";
 const STATEFUL_SET_NAME_SUFFIX: &str = "replicator";
 const CONTAINER_NAME_SUFFIX: &str = "replicator";
 const NAMESPACE_NAME: &str = "replicator-data-plane";
+pub const TRUSTED_ROOT_CERT_CONFIG_MAP_NAME: &str = "trusted-root-certs-config";
 
 impl HttpK8sClient {
     pub async fn new() -> Result<HttpK8sClient, K8sError> {
@@ -218,6 +221,18 @@ impl K8sClient for HttpK8sClient {
         Ok(())
     }
 
+    async fn get_config_map(&self, config_map_name: &str) -> Result<ConfigMap, K8sError> {
+        info!("getting config map");
+        let config_map = match self.config_maps_api.get(config_map_name).await {
+            Ok(config_map) => config_map,
+            Err(e) => {
+                return Err(e.into());
+            }
+        };
+        info!("got config map");
+        Ok(config_map)
+    }
+
     async fn create_or_update_config_map(
         &self,
         prefix: &str,

Diff for: api/src/replicator_config.rs

@@ -89,16 +89,26 @@ pub struct BatchConfig {
     pub max_fill_secs: u64,
 }
 
+#[derive(Debug, serde::Serialize, serde::Deserialize, PartialEq, Eq)]
+pub struct TlsConfig {
+    /// trusted root certificates in PEM format
+    pub trusted_root_certs: String,
+
+    /// true when TLS is enabled
+    pub enabled: bool,
+}
+
 #[derive(Debug, serde::Serialize, serde::Deserialize, PartialEq, Eq)]
 pub struct Config {
     pub source: SourceConfig,
     pub sink: SinkConfig,
     pub batch: BatchConfig,
+    pub tls: TlsConfig,
 }
 
 #[cfg(test)]
 mod tests {
-    use crate::replicator_config::{BatchConfig, Config, SinkConfig, SourceConfig};
+    use crate::replicator_config::{BatchConfig, Config, SinkConfig, SourceConfig, TlsConfig};
 
     #[test]
     pub fn deserialize_settings_test() {
@@ -122,6 +132,10 @@ mod tests {
             "batch": {
                 "max_size": 1000,
                 "max_fill_secs": 10
+            },
+            "tls": {
+                "trusted_root_certs": "",
+                "enabled": false
             }
         }"#;
         let actual = serde_json::from_str::<Config>(settings);
@@ -143,6 +157,10 @@ mod tests {
                 max_size: 1000,
                 max_fill_secs: 10,
             },
+            tls: TlsConfig {
+                trusted_root_certs: "".to_string(),
+                enabled: false,
+            },
         };
         assert!(actual.is_ok());
         assert_eq!(expected, actual.unwrap());
@@ -168,8 +186,12 @@ mod tests {
                 max_size: 1000,
                 max_fill_secs: 10,
             },
+            tls: TlsConfig {
+                trusted_root_certs: "".to_string(),
+                enabled: false,
+            },
         };
-        let expected = r#"{"source":{"postgres":{"host":"localhost","port":5432,"name":"postgres","username":"postgres","slot_name":"replicator_slot","publication":"replicator_publication"}},"sink":{"big_query":{"project_id":"project-id","dataset_id":"dataset-id"}},"batch":{"max_size":1000,"max_fill_secs":10}}"#;
+        let expected = r#"{"source":{"postgres":{"host":"localhost","port":5432,"name":"postgres","username":"postgres","slot_name":"replicator_slot","publication":"replicator_publication"}},"sink":{"big_query":{"project_id":"project-id","dataset_id":"dataset-id"}},"batch":{"max_size":1000,"max_fill_secs":10},"tls":{"trusted_root_certs":"","enabled":false}}"#;
         let actual = serde_json::to_string(&actual);
         assert!(actual.is_ok());
         assert_eq!(expected, actual.unwrap());

Diff for: api/src/routes/pipelines.rs

@@ -22,7 +22,7 @@ use crate::{
         sources::{source_exists, Source, SourceConfig, SourcesDbError},
     },
     encryption::EncryptionKey,
-    k8s_client::{HttpK8sClient, K8sClient, K8sError, PodPhase},
+    k8s_client::{HttpK8sClient, K8sClient, K8sError, PodPhase, TRUSTED_ROOT_CERT_CONFIG_MAP_NAME},
     replicator_config,
     routes::extract_tenant_id,
 };
@@ -72,6 +72,9 @@ enum PipelineError {
 
     #[error("sinks db error: {0}")]
     SinksDb(#[from] SinksDbError),
+
+    #[error("trusted root certs config not found")]
+    TrustedRootCertsConfigMissing,
 }
 
 impl PipelineError {
@@ -95,7 +98,8 @@ impl ResponseError for PipelineError {
             | PipelineError::NoDefaultImageFound
             | PipelineError::SourcesDb(_)
             | PipelineError::SinksDb(_)
-            | PipelineError::K8sError(_) => StatusCode::INTERNAL_SERVER_ERROR,
+            | PipelineError::K8sError(_)
+            | PipelineError::TrustedRootCertsConfigMissing => StatusCode::INTERNAL_SERVER_ERROR,
             PipelineError::PipelineNotFound(_) => StatusCode::NOT_FOUND,
             PipelineError::TenantId(_)
             | PipelineError::SourceNotFound(_)
@@ -362,7 +366,8 @@ pub async fn start_pipeline(
     let (pipeline, replicator, image, source, sink) =
         read_data(&pool, tenant_id, pipeline_id, &encryption_key).await?;
 
-    let (secrets, config) = create_configs(source.config, sink.config, pipeline)?;
+    let (secrets, config) =
+        create_configs(&k8s_client, source.config, sink.config, pipeline).await?;
     let prefix = create_prefix(tenant_id, replicator.id);
 
     create_or_update_secrets(&k8s_client, &prefix, secrets).await?;
@@ -497,7 +502,8 @@ async fn read_data(
     Ok((pipeline, replicator, image, source, sink))
 }
 
-fn create_configs(
+async fn create_configs(
+    k8s_client: &Arc<HttpK8sClient>,
     source_config: SourceConfig,
     sink_config: SinkConfig,
     pipeline: Pipeline,
@@ -546,10 +552,26 @@ fn create_configs(
         max_fill_secs: batch_config.max_fill_secs,
     };
 
+    let trusted_root_certs_cm = k8s_client
+        .get_config_map(TRUSTED_ROOT_CERT_CONFIG_MAP_NAME)
+        .await?;
+    let data = trusted_root_certs_cm
+        .data
+        .ok_or(PipelineError::TrustedRootCertsConfigMissing)?;
+    let trusted_root_certs = data
+        .get("trusted_root_certs")
+        .ok_or(PipelineError::TrustedRootCertsConfigMissing)?;
+
+    let tls_config = replicator_config::TlsConfig {
+        trusted_root_certs: trusted_root_certs.clone(),
+        enabled: true,
+    };
+
     let config = replicator_config::Config {
         source: source_config,
         sink: sink_config,
         batch: batch_config,
+        tls: tls_config,
     };
 
     Ok((secrets, config))

Diff for: pg_replicate/Cargo.toml

@@ -45,6 +45,7 @@ tokio-postgres = { workspace = true, features = [
     "with-uuid-1",
     "with-serde_json-1",
 ] }
+tokio-postgres-rustls = { workspace = true }
 tracing = { workspace = true, default-features = true }
 uuid = { workspace = true, features = ["v4"] }
 

Diff for: pg_replicate/examples/bigquery.rs

@@ -9,6 +9,7 @@ use pg_replicate::{
         PipelineAction,
     },
     table::TableName,
+    SslMode,
 };
 use tracing::error;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
@@ -129,6 +130,8 @@ async fn main_impl() -> Result<(), Box<dyn Error>> {
                 &db_args.db_name,
                 &db_args.db_username,
                 db_args.db_password,
+                SslMode::Disable,
+                vec![],
                 None,
                 TableNamesFrom::Vec(table_names),
             )
@@ -145,6 +148,8 @@ async fn main_impl() -> Result<(), Box<dyn Error>> {
                 &db_args.db_name,
                 &db_args.db_username,
                 db_args.db_password,
+                SslMode::Disable,
+                vec![],
                 Some(slot_name),
                 TableNamesFrom::Publication(publication),
             )

Diff for: pg_replicate/examples/duckdb.rs

@@ -9,6 +9,7 @@ use pg_replicate::{
         PipelineAction,
     },
     table::TableName,
+    SslMode,
 };
 use tracing::error;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
@@ -123,6 +124,8 @@ async fn main_impl() -> Result<(), Box<dyn Error>> {
                 &db_args.db_name,
                 &db_args.db_username,
                 db_args.db_password,
+                SslMode::Disable,
+                vec![],
                 None,
                 TableNamesFrom::Vec(table_names),
             )
@@ -139,6 +142,8 @@ async fn main_impl() -> Result<(), Box<dyn Error>> {
                 &db_args.db_name,
                 &db_args.db_username,
                 db_args.db_password,
+                SslMode::Disable,
+                vec![],
                 Some(slot_name),
                 TableNamesFrom::Publication(publication),
             )

Diff for: pg_replicate/examples/stdout.rs

@@ -9,6 +9,7 @@ use pg_replicate::{
         PipelineAction,
     },
     table::TableName,
+    SslMode,
 };
 use tracing::error;
 use tracing_subscriber::{layer::SubscriberExt, util::SubscriberInitExt};
@@ -99,6 +100,8 @@ async fn main_impl() -> Result<(), Box<dyn Error>> {
                 &db_args.db_name,
                 &db_args.db_username,
                 db_args.db_password,
+                SslMode::Disable,
+                vec![],
                 None,
                 TableNamesFrom::Vec(table_names),
             )
@@ -115,6 +118,8 @@ async fn main_impl() -> Result<(), Box<dyn Error>> {
                 &db_args.db_name,
                 &db_args.db_username,
                 db_args.db_password,
+                SslMode::Disable,
+                vec![],
                 Some(slot_name),
                 TableNamesFrom::Publication(publication),
             )

Diff for: pg_replicate/src/clients/postgres.rs

@@ -2,12 +2,14 @@ use std::collections::HashMap;
 
 use pg_escape::{quote_identifier, quote_literal};
 use postgres_replication::LogicalReplicationStream;
+use rustls::{pki_types::CertificateDer, ClientConfig};
 use thiserror::Error;
 use tokio_postgres::{
-    config::ReplicationMode,
+    config::{ReplicationMode, SslMode},
     types::{Kind, PgLsn, Type},
     Client as PostgresClient, Config, CopyOutStream, NoTls, SimpleQueryMessage,
 };
+use tokio_postgres_rustls::MakeRustlsConnect;
 use tracing::{info, warn};
 
 use crate::table::{ColumnSchema, TableId, TableName, TableSchema};
@@ -53,6 +55,9 @@ pub enum ReplicationClientError {
 
     #[error("failed to create slot")]
     FailedToCreateSlot,
+
+    #[error("rustls error: {0}")]
+    RustlsError(#[from] rustls::Error),
 }
 
 impl ReplicationClient {
@@ -64,7 +69,7 @@ impl ReplicationClient {
         username: &str,
         password: Option<String>,
     ) -> Result<ReplicationClient, ReplicationClientError> {
-        info!("connecting to postgres");
+        info!("connecting to postgres without TLS");
 
         let mut config = Config::new();
         config
@@ -95,6 +100,58 @@ impl ReplicationClient {
         })
     }
 
+    /// Connect to a postgres database in logical replication mode with TLS
+    pub async fn connect_tls(
+        host: &str,
+        port: u16,
+        database: &str,
+        username: &str,
+        password: Option<String>,
+        ssl_mode: SslMode,
+        trusted_root_certs: Vec<CertificateDer<'static>>,
+    ) -> Result<ReplicationClient, ReplicationClientError> {
+        info!("connecting to postgres with TLS");
+
+        let mut config = Config::new();
+        config
+            .host(host)
+            .port(port)
+            .dbname(database)
+            .user(username)
+            .ssl_mode(ssl_mode)
+            .replication_mode(ReplicationMode::Logical);
+
+        if let Some(password) = password {
+            config.password(password);
+        }
+
+        let mut root_store = rustls::RootCertStore::empty();
+        for trusted_root_cert in trusted_root_certs {
+            root_store.add(trusted_root_cert)?;
+        }
+        let tls_config = ClientConfig::builder()
+            .with_root_certificates(root_store)
+            .with_no_client_auth();
+
+        let tls = MakeRustlsConnect::new(tls_config);
+
+        let (postgres_client, connection) = config.connect(tls).await?;
+
+        tokio::spawn(async move {
+            info!("waiting for connection to terminate");
+            if let Err(e) = connection.await {
+                warn!("connection error: {}", e);
+            }
+        });
+
+        info!("successfully connected to postgres");
+
+        Ok(ReplicationClient {
+            postgres_client,
+            in_txn: false,
+        })
+    }
+
     /// Starts a read-only trasaction with repeatable read isolation level
     pub async fn begin_readonly_transaction(&mut self) -> Result<(), ReplicationClientError> {
         self.postgres_client

Diff for: pg_replicate/src/lib.rs

@@ -2,3 +2,4 @@ pub mod clients;
 pub mod conversions;
 pub mod pipeline;
 pub mod table;
+pub use tokio_postgres::config::SslMode;