Improve teh securty of teh DB

2025-10-19 19:22:37 +02:00
parent 62971c07d7
commit 05da20357d
87 changed files with 7998 additions and 932 deletions
--- a/infrastructure/kubernetes/base/components/databases/recipes-db.yaml
+++ b/infrastructure/kubernetes/base/components/databases/recipes-db.yaml
@@ -19,9 +19,31 @@ spec:
        app.kubernetes.io/name: recipes-db
        app.kubernetes.io/component: database
    spec:
+      securityContext:
+        fsGroup: 70
+      initContainers:
+      - name: fix-tls-permissions
+        image: busybox:latest
+        securityContext:
+          runAsUser: 0
+        command: ['sh', '-c']
+        args:
+        - |
+          cp /tls-source/* /tls/
+          chmod 600 /tls/server-key.pem
+          chmod 644 /tls/server-cert.pem /tls/ca-cert.pem
+          chown 70:70 /tls/*
+          ls -la /tls/
+        volumeMounts:
+        - name: tls-certs-source
+          mountPath: /tls-source
+          readOnly: true
+        - name: tls-certs-writable
+          mountPath: /tls
      containers:
      - name: postgres
        image: postgres:17-alpine
+        command: ["docker-entrypoint.sh", "-c", "config_file=/etc/postgresql/postgresql.conf"]
        ports:
        - containerPort: 5432
          name: postgres
@@ -48,11 +70,24 @@ spec:
              key: POSTGRES_INITDB_ARGS
        - name: PGDATA
          value: /var/lib/postgresql/data/pgdata
+        - name: POSTGRES_HOST_SSL
+          value: "on"
+        - name: PGSSLCERT
+          value: /tls/server-cert.pem
+        - name: PGSSLKEY
+          value: /tls/server-key.pem
+        - name: PGSSLROOTCERT
+          value: /tls/ca-cert.pem
        volumeMounts:
        - name: postgres-data
          mountPath: /var/lib/postgresql/data
        - name: init-scripts
          mountPath: /docker-entrypoint-initdb.d
+        - name: tls-certs-writable
+          mountPath: /tls
+        - name: postgres-config
+          mountPath: /etc/postgresql
+          readOnly: true
        resources:
          requests:
            memory: "256Mi"
@@ -82,10 +117,19 @@ spec:
          failureThreshold: 3
      volumes:
      - name: postgres-data
-        emptyDir: {}
+        persistentVolumeClaim:
+          claimName: recipes-db-pvc
      - name: init-scripts
        configMap:
          name: postgres-init-config
+      - name: tls-certs-source
+        secret:
+          secretName: postgres-tls
+      - name: tls-certs-writable
+        emptyDir: {}
+      - name: postgres-config
+        configMap:
+          name: postgres-logging-config

 ---
 apiVersion: v1
@@ -107,3 +151,19 @@ spec:
    app.kubernetes.io/name: recipes-db
    app.kubernetes.io/component: database

+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: recipes-db-pvc
+  namespace: bakery-ia
+  labels:
+    app.kubernetes.io/name: recipes-db
+    app.kubernetes.io/component: database
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2Gi