Add support for RDS using a Secret in the installer

Author: aledbf

lib/database.ts

@@ -3,7 +3,6 @@ import * as rds from '@aws-cdk/aws-rds';
 import * as cdk from '@aws-cdk/core';
 import { SecretValue } from '@aws-cdk/core';
 import * as ssm from '@aws-cdk/aws-ssm';
-import { ParameterGroup } from '@aws-cdk/aws-rds';
 
 export interface DatabaseProps extends cdk.StackProps {
     readonly clusterName: string;
@@ -17,18 +16,14 @@ export interface DatabaseProps extends cdk.StackProps {
 
 export class Database extends cdk.Stack {
     readonly credentials: string
-    readonly endpoint: string
-    readonly username: string
-    readonly port: string
-    readonly database: string
-    readonly region: string
 
     constructor(scope: cdk.Construct, id: string, props: DatabaseProps) {
         super(scope, id, props);
 
+        const rdsVersion = rds.MysqlEngineVersion.VER_5_7;
         const parameterGroup = new rds.ParameterGroup(this, "DBParameterGroup", {
             engine: props.instanceEngine ?? rds.DatabaseInstanceEngine.mysql({
-                version: rds.MysqlEngineVersion.VER_5_7,
+                version: rdsVersion,
             }),
             parameters: {
                 explicit_defaults_for_timestamp: "OFF"
@@ -37,13 +32,13 @@ export class Database extends cdk.Stack {
 
         // TODO: remove when the gitpod helm chart supports using secrets from ssm
         this.credentials = ssm.StringParameter.valueForStringParameter(
-            this, `/gitpod/cluster/${props.clusterName}/region/${props.vpc.stack.region}`, 1);
+            this, `/gitpod/cluster/${props.clusterName}/region/${props.vpc.stack.region}`);
 
         const instance = new rds.DatabaseInstance(this, 'Gitpod', {
             vpc: props.vpc,
-            vpcPlacement: { subnetType: ec2.SubnetType.PRIVATE },
+            vpcSubnets: { subnetType: ec2.SubnetType.PRIVATE_WITH_NAT },
             engine: props.instanceEngine ?? rds.DatabaseInstanceEngine.mysql({
-                version: rds.MysqlEngineVersion.VER_5_7,
+                version: rdsVersion,
             }),
             storageEncrypted: true,
             backupRetention: props.backupRetention ?? cdk.Duration.days(7),
@@ -67,10 +62,17 @@ export class Database extends cdk.Stack {
         // allow from the whole vpc cidr
         instance.connections.allowFrom(ec2.Peer.ipv4(props.vpc.vpcCidrBlock), ec2.Port.tcp(3306));
 
-        this.endpoint = instance.dbInstanceEndpointAddress;
-        this.username = props.username;
-        this.port = '3306';
-        this.database = 'gitpod';
-        this.region = props.vpc.stack.region;
+        new cdk.CfnOutput(this, "MysqlEndpoint", {
+            value: instance.dbInstanceEndpointAddress,
+            exportName: "MysqlEndpoint",
+        });
+        new cdk.CfnOutput(this, "MysqlUsername", {
+            value: props.username,
+            exportName: "MysqlUsername",
+        });
+        new cdk.CfnOutput(this, "MysqlPort", {
+            value: '3306',
+            exportName: "MysqlPort",
+        });
     }
 }

lib/services.ts

@@ -3,10 +3,9 @@ import * as cdk from '@aws-cdk/core'
 import * as ec2 from '@aws-cdk/aws-ec2'
 
 import { Database } from './database';
-import { Registry } from './registry';
+//import { Registry } from './registry';
 
 export class ServicesStack extends cdk.Stack {
-    //readonly database: Database
     //readonly registry: Registry
 
     constructor(scope: cdk.Construct, id: string, props: cdk.StackProps) {
@@ -17,16 +16,16 @@ export class ServicesStack extends cdk.Stack {
             vpcName: `eksctl-${process.env.CLUSTER_NAME}-cluster/VPC`,
             isDefault: false
         });
-        /*
+
         // create RDS database for gitpod
-        this.database = new Database(this, 'RDS', {
+        const database = new Database(this, 'RDS', {
             env: props.env,
             clusterName: `${process.env.CLUSTER_NAME}`,
             vpc,
             username: 'gitpod'
         })
-        this.database.node.addDependency(vpc);
-        */
+        database.node.addDependency(vpc);
+
         // create permissions to access S3 buckets
         /*
         this.registry = new Registry(this, 'Registry', {

setup.sh

@@ -141,15 +141,19 @@ function install() {
     # Restart tigera-operator
     kubectl delete pod -n tigera-operator -l k8s-app=tigera-operator > /dev/null 2>&1
 
-    # TODO: remove once we can reference a secret in the helm chart.
+    MYSQL_GITPOD_USERNAME="gitpod"
+    MYSQL_GITPOD_PASSWORD=$(openssl rand -hex 18)
+    MYSQL_GITPOD_SECRET="mysql-gitpod-token"
+    MYSQL_GITPOD_ENCRYPTION_KEY='[{"name":"general","version":1,"primary":true,"material":"4uGh1q8y2DYryJwrVMHs0kWXJlqvHWWt/KJuNi04edI="}]'
+
     # generated password cannot excede 41 characters (RDS limitation)
-    #SSM_KEY="/gitpod/cluster/${CLUSTER_NAME}/region/${AWS_REGION}"
-    #${AWS_CMD} ssm put-parameter \
-    #    --overwrite \
-    #    --name "${SSM_KEY}" \
-    #    --type String \
-    #    --value "$(date +%s | sha256sum | base64 | head -c 35 ; echo)" \
-    #    --region "${AWS_REGION}" > /dev/null 2>&1
+    SSM_KEY="/gitpod/cluster/${CLUSTER_NAME}/region/${AWS_REGION}"
+    ${AWS_CMD} ssm put-parameter \
+        --overwrite \
+        --name "${SSM_KEY}" \
+        --type String \
+        --value "${MYSQL_GITPOD_PASSWORD}" \
+        --region "${AWS_REGION}" > /dev/null 2>&1
 
     # deploy CDK stacks
     cdk deploy \
@@ -162,7 +166,7 @@ function install() {
         --outputs-file cdk-outputs.json \
         --all
 
-    # TLS termination is done in the ALB
+    # TLS termination is done in the ALB.
     cat <<EOF | kubectl apply -f -
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -181,12 +185,25 @@ spec:
   secretName: https-certificates
 EOF
 
+    echo "Create database secret..."
+    kubectl create secret generic "${MYSQL_GITPOD_SECRET}" \
+        --from-literal=encryptionKeys="${MYSQL_GITPOD_ENCRYPTION_KEY}" \
+        --from-literal=host="$(jq -r '. | to_entries[] | select(.key | startswith("ServicesRDS")).value.MysqlEndpoint ' < cdk-outputs.json)" \
+        --from-literal=password="${MYSQL_GITPOD_PASSWORD}" \
+        --from-literal=port="3306" \
+        --from-literal=username="${MYSQL_GITPOD_USERNAME}" \
+        --dry-run=client -o yaml | \
+        kubectl replace --force -f -
+
     local CONFIG_FILE="${DIR}/gitpod-config.yaml"
     gitpod-installer init > "${CONFIG_FILE}"
 
     yq e -i ".certificate.name = \"https-certificates\"" "${CONFIG_FILE}"
     yq e -i ".domain = \"${DOMAIN}\"" "${CONFIG_FILE}"
     yq e -i ".metadata.region = \"${AWS_REGION}\"" "${CONFIG_FILE}"
+    yq e -i ".database.inCluster = false" "${CONFIG_FILE}"
+    yq e -i ".database.external.certificate.kind = \"secret\"" "${CONFIG_FILE}"
+    yq e -i ".database.external.certificate.name = \"${MYSQL_GITPOD_SECRET}\"" "${CONFIG_FILE}"
     yq e -i '.workspace.runtime.containerdRuntimeDir = "/var/lib/containerd/io.containerd.runtime.v2.task/k8s.io"' "${CONFIG_FILE}"
 
     gitpod-installer \