Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Access to containerized instances of postgres #174

Open
mrjones-plip opened this issue Oct 24, 2024 · 2 comments · May be fixed by #177
Open

Access to containerized instances of postgres #174

mrjones-plip opened this issue Oct 24, 2024 · 2 comments · May be fixed by #177
Labels
Type: Feature Add something new

Comments

@mrjones-plip
Copy link
Contributor

mrjones-plip commented Oct 24, 2024
edited
Loading

Is your feature request related to a problem? Please describe.
CHT Sync deployments that use the built in postgres container in either Docker or Kubernetes (k8s) will need an easy way allow remote access to postgres server for either external dashboards (eg superset) or end users looking to do data analysis.

In both k8s and docker, postgres service is not remotely accessible, an intentional secure-by-default design.

Describe the solution you'd like
A sidecar service, which can be used in both Kubernetes and Docker, would be a great way to allow easy access to postgres. The sidecar would likely expose SSH, or some other tunneling service, for which an initial connection could be made (eg an SSH tunnel) and then postgres connections could be made on top of/through this.

Describe alternatives you've considered
Ephemeral access could be granted by admins who can run kubectl to create an account knowing it will get deleted when the container gets rebooted. Another solution might be to set up an autossh sidecar that exposes the postgres service on some other, external infrastracture.

Additional context
Medic is currently deploying CHT Sync internally for MoH Togo. Instead of using the deprecated, monolithic install of Postgres which has old couch2pg running directly on it, we'd like to use a more modern architecture where each CHT Core deployment gets it's own postgres and CHT Sync instance. This new style of deployment makes it very hard to do both persistent and ad hoc sql queries. This will be greatly simplified if we provide an out of the box solution which is both easy to configure and easy to deploy.
@mrjones-plip mrjones-plip added the Type: Feature Add something new label Oct 24, 2024
@mrjones-plip
Copy link
Contributor Author

mrjones-plip commented Oct 24, 2024
edited
Loading

Current thinking is:

  1. use AuthorizedKeysCommand which runs a user defined command and accepting username as the argument and returns valid SSH key(s) to use for authentication
  2. always return an emergency "break-the-glass" key
  3. given the username, see if it's in our GH org, and if yes, see if that user has SSH keys, if yes, return those
  4. allow for a list of extra username:key pairs to be baked in, or set as config in values.yaml - this allows external partners
  5. set shell to /bin/false (or something similar) - to only allow tunnels and no shell commands.

@mrjones-plip
Copy link
Contributor Author

mrjones-plip commented Oct 25, 2024
edited
Loading

Doing some prototyping and noticing:

  • we may want to try and persist host key or some other house keeping around host key generation. otherwise users will see this the n+1 time the connect and the server has been recreated (a common occurrence in container land!): 
    ssh test@localhost -p 2222 -o PubkeyAuthentication=no -o PreferredAuthentications=password              
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@             
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
  • we should be sure to TBD harden SSH, but:
    • disable password login
    • disable root login
    • disable weak ciphers
    • require keys (same as disable passwords)
    • moar?
  • while a bit out of date, I was able to build an image with alpine:latest from this repo (currently pinned to alpine:3.11.6 from ~4 years ago). It has a lot of well thought out ideas on how to structure env vars and such!

mrjones-plip added a commit that referenced this issue Oct 25, 2024
@mrjones-plip
Create a bastion Dockerfile and compose file per #174
6fc82e5
@mrjones-plip mrjones-plip linked a pull request Oct 28, 2024 that will close this issue
Draft
4 tasks
mrjones-plip added a commit to medic/cht-docs that referenced this issue Nov 9, 2024
@mrjones-plip
Add steps to use docker bastion host per #medic/cht-sync/issues/174
dd2fc8f
@mrjones-plip mrjones-plip mentioned this issue Nov 9, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Type: Feature Add something new
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

feat(#174): bastion Dockerfile and compose file medic/cht-sync
1 participant
@mrjones-plip