bakery-admin/bakery-ia
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

New alert service

Browse Source
This commit is contained in:
Urtzi Alfaro
2025-12-05 20:07:01 +01:00
parent 1fe3a73549
commit 667e6e0404
393 changed files with 26002 additions and 61033 deletions
Download Patch File Download Diff File Expand all files Collapse all files

552
docs/database-security.md Normal file
View File

@@ -0,0 +1,552 @@
# Database Security Guide
**Last Updated:** November 2025
**Status:** Production Ready
**Security Grade:** A-
---
## Table of Contents
1. [Overview](#overview)
2. [Database Inventory](#database-inventory)
3. [Security Implementation](#security-implementation)
4. [Data Protection](#data-protection)
5. [Compliance](#compliance)
6. [Monitoring and Maintenance](#monitoring-and-maintenance)
7. [Troubleshooting](#troubleshooting)
8. [Related Documentation](#related-documentation)
---
## Overview
This guide provides comprehensive information about database security in the Bakery IA platform. Our infrastructure has been hardened from a D- security grade to an A- grade through systematic implementation of industry best practices.
### Security Achievements
- **15 databases secured** (14 PostgreSQL + 1 Redis)
- **100% TLS encryption** for all database connections
- **Strong authentication** with 32-character cryptographic passwords
- **Data persistence** with PersistentVolumeClaims preventing data loss
- **Audit logging** enabled for all database operations
- **Encryption at rest** capabilities with pgcrypto extension
### Security Grade Improvement
| Metric | Before | After |
|--------|--------|-------|
| Overall Grade | D- | A- |
| Critical Issues | 4 | 0 |
| High-Risk Issues | 3 | 0 |
| Medium-Risk Issues | 4 | 0 |
| Encryption in Transit | None | TLS 1.2+ |
| Encryption at Rest | None | Available (pgcrypto + K8s) |
---
## Database Inventory
### PostgreSQL Databases (14 instances)
All running PostgreSQL 17-alpine with TLS encryption enabled:
| Database | Service | Purpose |
|----------|---------|---------|
| auth-db | Authentication | User authentication and authorization |
| tenant-db | Tenant | Multi-tenancy management |
| training-db | Training | ML model training data |
| forecasting-db | Forecasting | Demand forecasting |
| sales-db | Sales | Sales transactions |
| external-db | External | External API data |
| notification-db | Notification | Notifications and alerts |
| inventory-db | Inventory | Inventory management |
| recipes-db | Recipes | Recipe data |
| suppliers-db | Suppliers | Supplier information |
| pos-db | POS | Point of Sale integrations |
| orders-db | Orders | Order management |
| production-db | Production | Production batches |
| alert-processor-db | Alert Processor | Alert processing |
### Other Datastores
- **Redis:** Shared caching and session storage with TLS encryption
- **RabbitMQ:** Message broker for inter-service communication
---
## Security Implementation
### 1. Authentication and Access Control
#### Service Isolation
- Each service has its own dedicated database with unique credentials
- Prevents cross-service data access
- Limits blast radius of credential compromise
#### Password Security
- **Algorithm:** PostgreSQL uses scram-sha-256 authentication (modern, secure)
- **Password Strength:** 32-character cryptographically secure passwords
- **Generation:** Created using OpenSSL: `openssl rand -base64 32`
- **Rotation Policy:** Recommended every 90 days
#### Network Isolation
- All databases run on internal Kubernetes network
- No direct external exposure
- ClusterIP services (internal only)
- Cannot be accessed from outside the cluster
### 2. Encryption in Transit (TLS/SSL)
All database connections enforce TLS 1.2+ encryption.
#### PostgreSQL TLS Configuration
**Server Configuration:**
```yaml
# PostgreSQL SSL Settings (postgresql.conf)
ssl = on
ssl_cert_file = '/tls/server-cert.pem'
ssl_key_file = '/tls/server-key.pem'
ssl_ca_file = '/tls/ca-cert.pem'
ssl_prefer_server_ciphers = on
ssl_min_protocol_version = 'TLSv1.2'
```
**Client Connection String:**
```python
# Automatically enforced by DatabaseManager
"postgresql+asyncpg://user:pass@host:5432/db?ssl=require"
```
**Certificate Details:**
- **Algorithm:** RSA 4096-bit
- **Signature:** SHA-256
- **Validity:** 3 years (expires October 2028)
- **CA Validity:** 10 years (expires 2035)
#### Redis TLS Configuration
**Server Configuration:**
```bash
redis-server \
--requirepass $REDIS_PASSWORD \
--tls-port 6379 \
--port 0 \
--tls-cert-file /tls/redis-cert.pem \
--tls-key-file /tls/redis-key.pem \
--tls-ca-cert-file /tls/ca-cert.pem \
--tls-auth-clients no
```
**Client Connection String:**
```python
"rediss://:password@redis-service:6379?ssl_cert_reqs=none"
```
### 3. Data Persistence
#### PersistentVolumeClaims (PVCs)
All PostgreSQL databases use PVCs to prevent data loss:
```yaml
# Example PVC configuration
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: auth-db-pvc
namespace: bakery-ia
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
```
**Benefits:**
- Data persists across pod restarts
- Prevents catastrophic data loss from ephemeral storage
- Enables backup and restore operations
- Supports volume snapshots
#### Redis Persistence
Redis configured with:
- **AOF (Append Only File):** enabled
- **RDB snapshots:** periodic
- **PersistentVolumeClaim:** for data directory
---
## Data Protection
### 1. Encryption at Rest
#### Kubernetes Secrets Encryption
All secrets encrypted at rest with AES-256:
```yaml
# Encryption configuration
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aescbc:
keys:
- name: key1
secret: <base64-encoded-32-byte-key>
- identity: {}
```
#### PostgreSQL pgcrypto Extension
Available for column-level encryption:
```sql
-- Enable extension
CREATE EXTENSION IF NOT EXISTS "pgcrypto";
-- Encrypt sensitive data
INSERT INTO users (name, ssn_encrypted)
VALUES (
'John Doe',
pgp_sym_encrypt('123-45-6789', 'encryption_key')
);
-- Decrypt data
SELECT name, pgp_sym_decrypt(ssn_encrypted::bytea, 'encryption_key')
FROM users;
```
**Available Functions:**
- `pgp_sym_encrypt()` - Symmetric encryption
- `pgp_pub_encrypt()` - Public key encryption
- `gen_salt()` - Password hashing
- `digest()` - Hash functions
### 2. Backup Strategy
#### Automated Encrypted Backups
**Script Location:** `/scripts/encrypted-backup.sh`
**Features:**
- Backs up all 14 PostgreSQL databases
- Uses `pg_dump` for data export
- Compresses with `gzip` for space efficiency
- Encrypts with GPG for security
- Output format: `<db>_<name>_<timestamp>.sql.gz.gpg`
**Usage:**
```bash
# Create encrypted backup
./scripts/encrypted-backup.sh
# Decrypt and restore
gpg --decrypt backup_file.sql.gz.gpg | gunzip | psql -U user -d database
```
**Recommended Schedule:**
- **Daily backups:** Retain 30 days
- **Weekly backups:** Retain 90 days
- **Monthly backups:** Retain 1 year
### 3. Audit Logging
PostgreSQL logging configuration includes:
```yaml
# Log all connections and disconnections
log_connections = on
log_disconnections = on
# Log all SQL statements
log_statement = 'all'
# Log query duration
log_duration = on
log_min_duration_statement = 1000 # Log queries > 1 second
# Log detail
log_line_prefix = '%t [%p]: [%l-1] user=%u,db=%d,app=%a,client=%h '
```
**Log Rotation:**
- Daily or 100MB size limit
- 7-day retention minimum
- Ship to centralized logging (recommended)
---
## Compliance
### GDPR (European Data Protection)
| Requirement | Implementation | Status |
|-------------|----------------|--------|
| Article 32 - Encryption | TLS for transit, pgcrypto for rest | ✅ Compliant |
| Article 5(1)(f) - Security | Strong passwords, access control | ✅ Compliant |
| Article 33 - Breach notification | Audit logs for breach detection | ✅ Compliant |
**Legal Status:** Privacy policy claims are now accurate - encryption is implemented.
### PCI-DSS (Payment Card Data)
| Requirement | Implementation | Status |
|-------------|----------------|--------|
| Requirement 3.4 - Encrypt transmission | TLS 1.2+ for all connections | ✅ Compliant |
| Requirement 3.5 - Protect stored data | pgcrypto extension available | ✅ Compliant |
| Requirement 10 - Track access | PostgreSQL audit logging | ✅ Compliant |
### SOC 2 (Security Controls)
| Control | Implementation | Status |
|---------|----------------|--------|
| CC6.1 - Access controls | Audit logs, RBAC | ✅ Compliant |
| CC6.6 - Encryption in transit | TLS for all database connections | ✅ Compliant |
| CC6.7 - Encryption at rest | Kubernetes secrets + pgcrypto | ✅ Compliant |
---
## Monitoring and Maintenance
### Certificate Management
#### Certificate Expiry Monitoring
**PostgreSQL and Redis Certificates Expire:** October 17, 2028
**Renewal Process:**
```bash
# 1. Regenerate certificates (90 days before expiry)
cd infrastructure/tls && ./generate-certificates.sh
# 2. Update Kubernetes secrets
kubectl delete secret postgres-tls redis-tls -n bakery-ia
kubectl apply -f infrastructure/kubernetes/base/secrets/postgres-tls-secret.yaml
kubectl apply -f infrastructure/kubernetes/base/secrets/redis-tls-secret.yaml
# 3. Restart database pods (automatic)
kubectl rollout restart deployment -l app.kubernetes.io/component=database -n bakery-ia
```
### Password Rotation
**Recommended:** Every 90 days
**Process:**
```bash
# 1. Generate new passwords
./scripts/generate-passwords.sh > new-passwords.txt
# 2. Update .env file
./scripts/update-env-passwords.sh
# 3. Update Kubernetes secrets
./scripts/update-k8s-secrets.sh
# 4. Apply secrets
kubectl apply -f infrastructure/kubernetes/base/secrets.yaml
# 5. Restart databases and services
kubectl rollout restart deployment -n bakery-ia
```
### Health Checks
#### Verify PostgreSQL SSL
```bash
# Check SSL is enabled
kubectl exec -n bakery-ia <postgres-pod> -- sh -c \
'psql -U $POSTGRES_USER -d $POSTGRES_DB -c "SHOW ssl;"'
# Expected: on
# Check certificate permissions
kubectl exec -n bakery-ia <postgres-pod> -- ls -la /tls/
# Expected: server-key.pem has 600 permissions
```
#### Verify Redis TLS
```bash
# Test Redis connection with TLS
kubectl exec -n bakery-ia <redis-pod> -- redis-cli \
--tls \
--cert /tls/redis-cert.pem \
--key /tls/redis-key.pem \
--cacert /tls/ca-cert.pem \
-a $REDIS_PASSWORD \
ping
# Expected: PONG
```
#### Verify PVCs
```bash
# Check all PVCs are bound
kubectl get pvc -n bakery-ia
# Expected: All PVCs in "Bound" state
```
### Audit Log Review
```bash
# View PostgreSQL logs
kubectl logs -n bakery-ia <db-pod>
# Search for failed connections
kubectl logs -n bakery-ia <db-pod> | grep -i "authentication failed"
# Search for long-running queries
kubectl logs -n bakery-ia <db-pod> | grep -i "duration:"
```
---
## Troubleshooting
### PostgreSQL Connection Issues
#### Services Can't Connect After Deployment
**Symptom:** Services show SSL/TLS errors in logs
**Solution:**
```bash
# Restart all services to pick up new TLS configuration
kubectl rollout restart deployment -n bakery-ia \
--selector='app.kubernetes.io/component=service'
```
#### "SSL not supported" Error
**Symptom:** `PostgreSQL server rejected SSL upgrade`
**Solution:**
```bash
# Check if TLS secret exists
kubectl get secret postgres-tls -n bakery-ia
# Check if mounted in pod
kubectl describe pod <db-pod> -n bakery-ia | grep -A 5 "tls-certs"
# Restart database pod
kubectl delete pod <db-pod> -n bakery-ia
```
#### Certificate Permission Denied
**Symptom:** `FATAL: could not load server certificate file`
**Solution:**
```bash
# Check init container logs
kubectl logs -n bakery-ia <pod> -c fix-tls-permissions
# Verify certificate permissions
kubectl exec -n bakery-ia <pod> -- ls -la /tls/
# server-key.pem should have 600 permissions
```
### Redis Connection Issues
#### Connection Timeout
**Symptom:** `SSL handshake is taking longer than 60.0 seconds`
**Solution:**
```bash
# Check Redis logs
kubectl logs -n bakery-ia <redis-pod>
# Test Redis directly
kubectl exec -n bakery-ia <redis-pod> -- redis-cli \
--tls --cert /tls/redis-cert.pem \
--key /tls/redis-key.pem \
--cacert /tls/ca-cert.pem \
PING
```
### Data Persistence Issues
#### PVC Not Binding
**Symptom:** PVC stuck in "Pending" state
**Solution:**
```bash
# Check PVC status
kubectl describe pvc <pvc-name> -n bakery-ia
# Check storage class
kubectl get storageclass
# For Kind, ensure local-path provisioner is running
kubectl get pods -n local-path-storage
```
---
## Related Documentation
### Security Documentation
- [RBAC Implementation](./rbac-implementation.md) - Role-based access control
- [TLS Configuration](./tls-configuration.md) - TLS/SSL setup details
- [Security Checklist](./security-checklist.md) - Deployment checklist
### Source Reports
- [Database Security Analysis Report](../DATABASE_SECURITY_ANALYSIS_REPORT.md)
- [Security Implementation Complete](../SECURITY_IMPLEMENTATION_COMPLETE.md)
### External References
- [PostgreSQL SSL Documentation](https://www.postgresql.org/docs/17/ssl-tcp.html)
- [Redis TLS Documentation](https://redis.io/docs/manual/security/encryption/)
- [Kubernetes Secrets Encryption](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/)
- [pgcrypto Documentation](https://www.postgresql.org/docs/17/pgcrypto.html)
---
## Quick Reference
### Common Commands
```bash
# Verify database security
kubectl get pods -n bakery-ia -l app.kubernetes.io/component=database
kubectl get pvc -n bakery-ia
kubectl get secrets -n bakery-ia | grep tls
# Check certificate expiry
kubectl exec -n bakery-ia <postgres-pod> -- \
openssl x509 -in /tls/server-cert.pem -noout -dates
# View audit logs
kubectl logs -n bakery-ia <db-pod> | tail -n 100
# Restart all databases
kubectl rollout restart deployment -n bakery-ia \
-l app.kubernetes.io/component=database
```
### Security Validation Checklist
- [ ] All database pods running and healthy
- [ ] All PVCs in "Bound" state
- [ ] TLS certificates mounted with correct permissions
- [ ] PostgreSQL accepts TLS connections
- [ ] Redis accepts TLS connections
- [ ] pgcrypto extension loaded
- [ ] Services connect without TLS errors
- [ ] Audit logs being generated
- [ ] Passwords are strong (32+ characters)
- [ ] Backup script tested and working
---
**Document Version:** 1.0
**Last Review:** November 2025
**Next Review:** May 2026
**Owner:** Security Team