Add mutual TLS (mTLS) support for remote database connections in PhpMyAdmin #448
Conversation
feat:(config.inc.php/docker-entrypoint.sh): Add support for mTLS to a remote server/cluster/service
Hello @williamdes, I am sorry to have to ask you such a thing, but can you see my proposal please? The related issue is here: #449
fix(config.inc.php/docker-entrypoint.sh,dockerfile,helpers.php): Move TLS logic from entrypoint to php configuration files
fix(config.inc.php/docker-entrypoint.sh,dockerfile,helpers.php): Move TLS logic from entrypoint to php configuration files, in all other build
Co-authored-by: William Desportes <williamdes@wdes.fr>
add types to function parameters Co-authored-by: William Desportes <williamdes@wdes.fr>
Remove the custom exception Co-authored-by: William Desportes <williamdes@wdes.fr>
You need to change /~https://github.com/phpmyadmin/docker/blob/master/config.inc.php
and /~https://github.com/phpmyadmin/docker/blob/master/Dockerfile-alpine.template
and /~https://github.com/phpmyadmin/docker/blob/master/Dockerfile-debian.template
And run ./update to sync the changes to all files
I like your work, and will also use it at work for Amazon RDS
If you can also open a PR to the QA_5_2 branch of /~https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/setup.rst#installing-using-docker to add the new ENVs that would be great. Else I will do it, I guess. An example using /~https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/config.rst#amazon-rds-aurora-with-ssl could clarify how to use this feature.
…ates, add PMA_SSLS in the README and add PMA_SSL_DIR to set output path for certificate generation
So, if I understand correctly, you want me to open a PR for the PhpMyAdmin application and add mTLS support in the installing-using-docker section of the setup.rst. If yes, I am your man.
Here is the PR for the documentation additions: phpmyadmin/phpmyadmin#19465. Many thanks for your time and consideration.
This looks quite good
Thanks Robin!
I am writing tests for the feature 🤞🏻
Update: I am still trying to find a solution for MySQL to deny the login, and then it can prove the test works
When MariaDB/MySQL is waiting for mTLS, the server closes the request without a "real" response (closed by peer). I have tested on my installations, as my first screen shows. But I agree that only a real automated test can prove whether the system is working or not. I will try something on my side with a new docker-compose file and self-signed certificates with 100 years' validity
LGTM
Hello @williamdes, seems weird to see that nobody has seen this bug before. No one uses mTLS with containers? My tests were done with my "installation", my bad on this side again: I didn't say my MariaDB service is a Galera + MaxScale cluster and not a Docker pod.
Looks like it :/
good to know, that should be okay
Please try and verify that the merged result works 🙏🏻
Okay, I will build locally and connect PMA to my dev cluster. It does not taste like a "full victory", but I hope it's enough. As you said. See you tomorrow for the report.
Hmm, yes. I can build a Docker image with a working mTLS connection.
Yeah, never mind, I will validate this at work with Amazon Aurora RDS using SSL only, which we already have set up
No need for something public, a validation that it works for you will be all I need to open a PR at Docker and get this into
Will be done tomorrow :)
This got accepted in Docker official: docker-library/official-images#17398 I will report back here, as soon as I test it at work
Hello, okay, I will check the builds and when the new one is available I will check on my side. I've opened another PR on the php side to enable HTTPS. I hope it will be merged ASAP. If so, I will open another PR here to document the HTTPS configuration :)
One build has been done this morning, but I don't see the mTLS parameters in the Docker Hub page and in the image layer analysis :/
Can you link it here?
Because I need to open a PR to /~https://github.com/docker-library/docs/tree/master/phpmyadmin and stitch the actual docs into it |
It is live!
Here is the link to the PR to add HTTPS support to php:apache2
Good news, the testing phase is going fine.
Hello @williamdes, As you can see, it's correct and working :) Notice: K8s needs a base64 encoded string to set up a secret, so for base64 strings (e.g., CAS), we need to encode the CA in base64, get the string, add a ",", and encode the whole string in base64. It seems tricky, but it's working! For me, the next step is to add support for Redis in mTLS in order to make the application scalable. I'll note it for my future self.
I did not test the base64 part yet. But are you saying it is
Maybe use Valkey or KeyDB?
Yes, it works with base64 strings, as wanted. But to test in Kubernetes (my use case), to set up a secret object in the K8s cluster, strings have to be encoded in base64. So as our new vars need base64, you need to encode 2 times to set your secret. It's only for K8s secrets
The helpers.php file creates multiple files inside the container when we load the PMA application, so I don't think the container can be read-only (if you use mTLS). For Redis and the php.ini file, I think the best solution is to edit the php image to add support for Redis, so PMA will extend these configurations (as I did for HTTPS).
So, finally, for me it's working without any modifications. My use case is completed and I can use PMA. So I think we are done here. It was a great pleasure to add some new features to a Docker tool/application used by full stack developers, students, new developers, etc., around the world and on a solution used by multiple providers. It's a great achievement for me. Many thanks.
Tests pushed as ab37078 and they did pass: /~https://github.com/phpmyadmin/docker/actions/runs/12778155949/job/35620415452
I was very pleased with your contribution and work on the feedback.
Yes, I have to add the documentation in the main repo: phpmyadmin/phpmyadmin#19465 and on Docker Hub (docker-library/docs#2527) and this will be fully done
Problem:
In the context of mutual TLS (mTLS), it is currently not possible to define a list of files to configure the connection between PhpMyAdmin and one or more database servers or services.
Proposed Solution:
My idea is to introduce the ability to configure specific PhpMyAdmin parameters to allow mTLS connections to secure services.
To achieve this, I built upon existing syntax and implemented an approach that encodes the necessary files (CA, CERT, and KEY) in Base64 format. These files can then be passed to PhpMyAdmin using environment variables.
Potential Question: Why not use a volume instead of environment variables?
In a hyperscaler context such as Kubernetes, creating NFS volumes can pose significant challenges for many users. Managing environment variables is often simpler and more portable than managing volumes. Additionally, adding volumes introduces statefulness to PhpMyAdmin, which can be problematic for certain infrastructures. Using environment variables resolves these issues and keeps PhpMyAdmin stateless.
Note:
This is my first open-source pull request, so I am not entirely sure if I’m following the correct process. I kindly ask for your understanding. I am also more active on GitLab than GitHub, so feel free to reach out if you need more information about me.
Thank you for your time and consideration!
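The following is an added example, not code from the phpmyadmin/docker image or this PR; it illustrates the approach the description and the thread discuss: TLS material (CA, client certificate, client key) arrives base64-encoded in environment variables, one comma-separated entry per server, is written to files under an output directory, and the resulting paths feed the `ssl_ca` / `ssl_cert` / `ssl_key` server settings. It also shows why a Kubernetes Secret needs the value encoded twice, and why the output directory must be writable at runtime (the container cannot be fully read-only, as noted above). The variable names `PMA_SSLS_CA_BASE64`, `PMA_SSLS_CERT_BASE64` and `PMA_SSLS_KEY_BASE64`, the default directory, and the file naming are assumptions modelled on the `PMA_SSLS` and `PMA_SSL_DIR` names mentioned in the thread; the PEM blobs are constructed placeholders.

```php
<?php
// Added example (not the phpmyadmin/docker project's helpers.php). Env var names and
// the default output directory are assumptions modelled on PMA_SSLS / PMA_SSL_DIR.
declare(strict_types=1);

/** Strict decode: a corrupted or truncated value fails loudly instead of
 *  producing a half-written PEM file that silently breaks the TLS handshake. */
function decodeStrict(string $b64): string
{
    $raw = base64_decode(trim($b64), true);
    if ($raw === false || $raw === '') {
        throw new RuntimeException('value is not valid base64');
    }
    return $raw;
}

/** Split a comma-separated per-server list (the PMA_SSLS convention) and decode each entry. */
function decodeList(string $csv): array
{
    $entries = array_values(array_filter(explode(',', $csv), fn (string $s): bool => $s !== ''));
    return array_map('decodeStrict', $entries);
}

/** Write one PEM blob under $dir. Private keys get 0600, public material 0644.
 *  $dir must be writable at runtime (e.g. an emptyDir mount): this is the reason the
 *  container cannot be made entirely read-only when mTLS material is injected this way. */
function writePem(string $dir, int $server, string $kind, string $pem): string
{
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create $dir");
    }
    $path = rtrim($dir, '/') . "/server{$server}-{$kind}.pem";
    if (file_put_contents($path, $pem, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $path");
    }
    chmod($path, $kind === 'key' ? 0600 : 0644);
    return $path;
}

/** Turn the environment into, per server, the three paths the ssl_* server settings expect. */
function tlsFilesFromEnv(array $env): array
{
    $dir   = $env['PMA_SSL_DIR'] ?? '/etc/phpmyadmin/ssl';   // assumed default location
    $cas   = decodeList($env['PMA_SSLS_CA_BASE64']   ?? '');
    $certs = decodeList($env['PMA_SSLS_CERT_BASE64'] ?? '');
    $keys  = decodeList($env['PMA_SSLS_KEY_BASE64']  ?? '');
    if (count($cas) !== count($certs) || count($certs) !== count($keys)) {
        throw new RuntimeException('CA, CERT and KEY lists must have one entry per server');
    }
    $servers = [];
    foreach ($cas as $i => $ca) {
        $n = $i + 1;   // phpMyAdmin numbers servers from 1
        $servers[$n] = [
            'ssl_ca'   => writePem($dir, $n, 'ca',   $ca),
            'ssl_cert' => writePem($dir, $n, 'cert', $certs[$i]),
            'ssl_key'  => writePem($dir, $n, 'key',  $keys[$i]),
        ];
    }
    return $servers;
}

/** A Kubernetes Secret's data: values are themselves base64, so the manifest carries
 *  base64(<comma-separated list of base64 blobs>): encoded twice, decoded once by
 *  Kubernetes when it injects the env var and once more per entry by decodeList(). */
function k8sSecretValue(array $pems): string
{
    return base64_encode(implode(',', array_map('base64_encode', $pems)));
}

// Constructed placeholders standing in for real PEM files; not real certificates or keys.
$ca   = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CA\n-----END CERTIFICATE-----\n";
$cert = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER-CLIENT-CERT\n-----END CERTIFICATE-----\n";
$key  = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-KEY\n-----END PRIVATE KEY-----\n";

// What the Secret manifest would carry for a single server, and what the pod then sees
// after Kubernetes' own single decode when it populates the environment.
$env = [
    'PMA_SSL_DIR'          => sys_get_temp_dir() . '/pma-mtls-demo',
    'PMA_SSLS_CA_BASE64'   => base64_decode(k8sSecretValue([$ca]),   true),
    'PMA_SSLS_CERT_BASE64' => base64_decode(k8sSecretValue([$cert]), true),
    'PMA_SSLS_KEY_BASE64'  => base64_decode(k8sSecretValue([$key]),  true),
];

$files = tlsFilesFromEnv($env);
if (file_get_contents($files[1]['ssl_ca']) !== $ca || (fileperms($files[1]['ssl_key']) & 0777) !== 0600) {
    throw new RuntimeException('round trip failed');
}
print_r($files);
// In config.inc.php these paths would populate $cfg['Servers'][1]['ssl_ca'],
// ['ssl_cert'] and ['ssl_key'] for the first server, and so on per entry.
```

Two design points worth keeping when adapting this: strict base64 decoding turns a mangled Secret into a startup error rather than a confusing "connection closed by peer" at login time, which is exactly the symptom the thread describes for a server that requires mTLS; and the key file is written with 0600 so that the private key is not readable by other processes sharing the container filesystem.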