[installer, gitpod-db] Introduce database.ssl.ca

[geropl]

Description

This allows Gitpod to directly created SSL encrypted connections to MySQL databases.

For testing 👇 there are two environments:

• preview on this branch (w/o SSL)
• the AWS release test instance (deployed from this branch with the deps: external flag) with external RDS with SSL.
  • It uses the default jobs config, with two changes:
    • a secret named database-ssl and an attribute ca.crt that contains the cert (chain) to validate the RDS certificate
    • the installer config slightly adjust to:

     database:
       inCluster: false
       external:
           ...
       ssl:
         customCa:
           kind: secret
           name: database-ssl
    

Related Issue(s)

Fixes #12012

How to test

• sign in and start a workspace in the preview env (w/o SSL): works as expected
• sign in and start a workspace* got to notification settings in the AWS release test install and change them (WITH SSL required): works as well! ✔️

*: there is an odd content-init error I get on the AWS realease test env. @nandajavarma any idea where that might come from? 🤔

Release Notes

Allow specifying CA certificate to configure SSL secured database connections

Documentation

Werft options:

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh

[werft-gitpod-dev-com]

started the job as gitpod-build-gpl-12012-ssl.14 because the annotations in the pull request description changed
(with .werft/ from main)

[geropl]

@mrzarquon @mrsimonemms Could you help me test this change? I think the quickest would be if you could point me to an AWS installation and show me how to configure it with the certs from here &deploy it...? 🤔

Update: Ok, got it working thanks to @mrsimonemms and @nandajavarma 🙏 !
See the description for test instructions. ☝️

[mrsimonemms]

@geropl looks good, but it could do with a cluster validation check to ensure the secret is uploaded and valid.

It'll be something like:

if cfg.Config.Database.SSL != nil && cfg.Config.Database.SSL.CustomCA != nil {
	secretName := cfg.Config.Database.SSL.CustomCA.Name
	res = append(res, cluster.CheckSecret(secretName, cluster.CheckSecretRequiredData("<some key1>", "<some key2>")))
}

The <some key1> <some key2> are the keys you want to ensure are present in the secret.

[mrsimonemms]

One question, but happy with the change

[easyCZ]

LGTM % modulo dropping custom from the references. All options are custom, there shouldn't be a need to duplicate that in the name.

/hold

[easyCZ]

Suggested change

	CustomCACert string
	CACert string

[easyCZ]

Just feels we don't need to push the "custom" part into this

[easyCZ]

Likewise here, I'd drop the custom.

[geropl]

Yeah, good point. So far I have been torn we because I'd have to partially retest. But I think you're right. 💯

[geropl]

Ok. Done, and re-tested: works.

[geropl]

/unhold

ref