Add mutual TLS (mTLS) support for remote database connections in PhpMyAdmin #448

Merged: 20 commits, Jan 7, 2025

Conversation

LordRobinCbz (Contributor):

Problem:
In the context of mutual TLS (mTLS), it is currently not possible to define a list of files to configure the connection between PhpMyAdmin and one or more database servers or services.

Proposed Solution:
My idea is to introduce the ability to configure specific PhpMyAdmin parameters to allow mTLS connections to secure services.

To achieve this, I built upon existing syntax and implemented an approach that encodes the necessary files (CA, CERT, and KEY) in Base64 format. These files can then be passed to PhpMyAdmin using environment variables.

Potential Question: Why not use a volume instead of environment variables?
In a hyperscaler context such as Kubernetes, creating NFS volumes can pose significant challenges for many users. Managing environment variables is often simpler and more portable than managing volumes. Additionally, adding volumes introduces statefulness to PhpMyAdmin, which can be problematic for certain infrastructures. Using environment variables resolves these issues and keeps PhpMyAdmin stateless.

Note:
This is my first open-source pull request, so I am not entirely sure if I’m following the correct process. I kindly ask for your understanding. I am also more active on GitLab than GitHub, so feel free to reach out if you need more information about me.

Thank you for your time and consideration!
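The decoding side of the approach described above, as an added example that is not code from the PR or from the project's helpers.php: a POSIX shell function that takes an environment variable holding comma-separated base64-encoded PEM blobs (one entry per host, as the discussion in this thread describes), writes each entry to a file under a directory such as the one PMA_SSL_DIR points at, with 0600 permissions, and refuses anything that does not decode to PEM. The output file naming (`<prefix>-<n>.pem`) and the PEM sanity check are assumptions made for this example, not behaviour documented by the project.

```shell
#!/bin/sh
# Added example, not the PR's helpers.php: turn an environment variable holding
# comma-separated base64 PEM blobs (one per host) into files the TLS client can
# read. File names "<prefix>-<n>.pem" and the PEM sanity check are assumptions
# made for this example, not behaviour documented by the project.
set -eu

# pma_write_pem_files DIR LIST PREFIX
#   Writes entry n of LIST to DIR/PREFIX-n.pem (mode 0600, DIR mode 0700).
#   Prints the number of files written; returns 1 on bad base64 or non-PEM data.
pma_write_pem_files() {
    dir=$1 list=$2 prefix=$3
    umask 077                      # key material must not be world-readable
    mkdir -p "$dir"
    # Split LIST on "," into the function's positional parameters
    old_ifs=$IFS
    IFS=','
    set -- $list
    IFS=$old_ifs
    n=0
    for blob in "$@"; do
        [ -n "$blob" ] || continue # tolerate an empty trailing entry
        n=$((n + 1))
        out="$dir/$prefix-$n.pem"
        if ! printf '%s' "$blob" | base64 -d > "$out" 2>/dev/null; then
            echo "entry $n: invalid base64" >&2
            rm -f "$out"
            return 1
        fi
        # Refuse anything that does not look like PEM before a TLS client sees it
        if ! head -c 10 "$out" | grep -q -- '^-----BEGIN'; then
            echo "entry $n: decoded data is not PEM" >&2
            rm -f "$out"
            return 1
        fi
    done
    echo "$n"
}

# Stand-alone demo with a constructed, non-secret blob
demo_dir=$(mktemp -d)
demo_blob=$(printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-demo-body' '-----END CERTIFICATE-----' | base64 | tr -d '\n')
echo "files written: $(pma_write_pem_files "$demo_dir/ssl" "$demo_blob" ca)"
ls -l "$demo_dir/ssl"
```

The umask is set before the directory and files are created so that no window exists in which a key file is world-readable, and a malformed entry removes its partial file and fails the whole call rather than leaving a half-configured TLS setup behind.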

LordRobinCbz and others added 2 commits December 11, 2024 14:44
feat:(config.inc.php/docker-entrypoint.sh): Add support for mTLS to a remote server/cluster/service
@LordRobinCbz (Contributor Author) commented Dec 16, 2024:

Hello @williamdes, I am sorry to have to ask you such a thing, but can you look at my proposal please?

The related issue is here: #449

Review thread on README.md (outdated, resolved)
LordRobinCbz and others added 5 commits December 21, 2024 16:22
fix(config.inc.php/docker-entrypoint.sh,dockerfile,helpers.php): Move TLS logic from entrypoint to php configuration files
fix(config.inc.php/docker-entrypoint.sh,dockerfile,helpers.php): Move TLS logic from entrypoint to php configuration files, in all other build
Review thread on apache/helpers.php (outdated, resolved)
Review thread on apache/helpers.php (outdated, resolved)
Review thread on apache/config.inc.php (outdated, resolved)
LordRobinCbz and others added 2 commits December 21, 2024 21:40
Co-authored-by: William Desportes <williamdes@wdes.fr>
add types to function parameters

Co-authored-by: William Desportes <williamdes@wdes.fr>
Review thread on apache/helpers.php (outdated, resolved)
Review thread on apache/helpers.php (outdated, resolved)
Remove the custom exception

Co-authored-by: William Desportes <williamdes@wdes.fr>
@williamdes (Member) left a comment:

If you can also open a PR to the QA_5_2 branch of /~https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/setup.rst#installing-using-docker to add the new ENVs that would be great. Else I will do it

I guess an example using /~https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/config.rst#amazon-rds-aurora-with-ssl could clarify how to use this feature.

…ates, add PMA_SSLS in the README and add PMA_SSL_DIR to set output path for certificate generation
@LordRobinCbz (Contributor Author):

If you can also open a PR to the QA_5_2 branch of /~https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/setup.rst#installing-using-docker to add the new ENVs that would be great. Else I will do it

I guess an example using /~https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/config.rst#amazon-rds-aurora-with-ssl could clarify how to use this feature.

So, if I understand correctly, you want me to open a PR for the PhpMyAdmin application and add mTLS support in the installing-using-docker section of setup.rst.

If yes, I am your man.

@LordRobinCbz (Contributor Author):

If you can also open a PR to the QA_5_2 branch of /~https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/setup.rst#installing-using-docker to add the new ENVs that would be great. Else I will do it

I guess an example using /~https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/config.rst#amazon-rds-aurora-with-ssl could clarify how to use this feature.

Here is the PR that adds the documentation: phpmyadmin/phpmyadmin#19465

Many thanks for your time and consideration

@williamdes (Member) left a comment:

This looks quite good.
Thank you, Robin!

@williamdes (Member):

I am writing tests for the feature 🤞🏻
Maybe tomorrow I will be finished and can merge all this work

@williamdes (Member):

Update: I am still trying to find a solution for MySQL to deny the login, and then it can prove the test works

@LordRobinCbz (Contributor Author) commented Jan 6, 2025:

Update: I am still trying to find a solution for MySQL to deny the login, and then it can prove the test works

When MariaDB/MySQL is waiting for mTLS, the server closes the request without a "real" response (closed by peer).
So I guess that to perform the test we need a working mTLS server.

I have tested on my installations, as my first screenshot shows. But I agree that only a real automated test can prove whether the system is working or not.

I will try something on my side with a new docker-compose file and self-signed certificates with 100 years of validity.

@MauricioFauth (Member) left a comment:

LGTM

@LordRobinCbz (Contributor Author) commented Jan 7, 2025:

Hello @williamdes,
I've just seen that you opened an error on bitnami.

Seems weird that nobody has seen this bug before. Does no one use mTLS with containers?

My tests were done with my "installation", my bad on this side again: I didn't say that my MariaDB service is a Galera + MaxScale cluster and not a Docker pod.

@williamdes (Member):

Seems weird that anyone has seen this bug before. Does no one use mTLS with containers?

Looks like it :/

My tests were done with my "installation", my bad on this side again: I didn't say that my MariaDB service is a Galera + MaxScale cluster and not a Docker pod.

Good to know, that should be okay.
Well, I am merging this anyway. I doubt there is more to fix now.

@williamdes williamdes merged commit e1fe998 into phpmyadmin:master Jan 7, 2025
4 of 39 checks passed
williamdes added a commit that referenced this pull request Jan 7, 2025
@williamdes (Member):

Please try and verify that the merged result works 🙏🏻
So I can send it to the Docker official repository.
I will test it myself and at work, but in many more days.

@williamdes williamdes self-assigned this Jan 7, 2025
@LordRobinCbz (Contributor Author) commented Jan 7, 2025:

Please try and verify that the merged result works 🙏🏻 So I can send it to the Docker official repository. I will test it myself and at work, but in many more days.

Okay, I will build locally and connect PMA to my dev cluster.
Tomorrow I will work on a K8S deployment and verify with my val/prod.

It doesn't taste like a "full victory", but I hope it's enough. As you said.

See you tomorrow for a report.

(Two comments, one from @williamdes and one from @LordRobinCbz, were marked as off-topic.)

@LordRobinCbz (Contributor Author) commented Jan 7, 2025:

Hum, yes.
Here is my Ansible automation to install and configure my MariaDB/MaxScale cluster:
https://gitlab.com/cbz-d-velop/public-ansible/ansible-playbook-labocbz-deploy-mariadb-cluster

I can build a Docker image with a working mTLS connection.
But I can't promise to maintain such an image. I don't know how to do that over the very long term.

@williamdes (Member):

EDIT because of a misunderstanding

Yeah, never mind, I will validate this at work with Amazon Aurora RDS using SSL only, which we already have set up.

I can build a Docker image with a working mTLS connection.

No need for something public, a validation that it works for you will be all I need to open a PR at Docker and get this into phpmyadmin:latest.

@LordRobinCbz (Contributor Author):

EDIT because of a misunderstanding

Yeah, never mind, I will validate this at work with Amazon Aurora RDS using SSL only, which we already have set up.

I can build a Docker image with a working mTLS connection.

No need for something public, a validation that it works for you will be all I need to open a PR at Docker and get this into phpmyadmin:latest.

Will be done tomorrow :)

@williamdes (Member):

This got accepted in Docker official: docker-library/official-images#17398
It should build soon, I hope everything works fine 🙏🏻
Builds: https://doi-janky.infosiftr.net/job/multiarch/job/amd64/job/phpmyadmin/

I will report back here, as soon as I test it at work

@LordRobinCbz (Contributor Author):

Hello

Okay, I will check the builds and when the new one is available I will check on my side.

I've opened another PR on the php side to enable HTTPS. I hope it will be merged ASAP.

If so, I will open another PR here to document the HTTPS configuration :)

@LordRobinCbz (Contributor Author):

One build has been done this morning, but I don't see the mTLS parameters in the Docker Hub page or in the image layer analysis :/

@williamdes (Member):

I've opened another PR on the php side to enable HTTPS. I hope it will be merged ASAP.

Can you link it here?

but I don't see the mTLS parameters in the Docker Hub page

Because I need to open a PR to /~https://github.com/docker-library/docs/tree/master/phpmyadmin and stitch the actual docs into it.

@williamdes (Member):

One build has been done this morning, but I don't see the mTLS parameters in the Docker Hub page or in the image layer analysis :/

It is live!

docker run --rm  -it phpmyadmin:5.2.1 ls -lah /etc/phpmyadmin
total 28K
drwxr-xr-x 1 root     root     4.0K Jan 14 03:18 .
drwxr-xr-x 1 root     root     4.0K Jan 14 12:33 ..
-rw-r--r-- 1 www-data www-data 8.3K Jan 14 03:17 config.inc.php
-rw-r--r-- 1 www-data www-data 1.9K Jan 14 03:17 helpers.php
drwxr-xr-x 2 www-data www-data 4.0K Jan 14 03:18 ssl

@LordRobinCbz (Contributor Author):

I've opened another PR on the php side to enable HTTPS. I hope it will be merged ASAP.

Can you link it here?

but I don't see the mTLS parameters in the Docker Hub page

Because I need to open a PR to /~https://github.com/docker-library/docs/tree/master/phpmyadmin and stitch the actual docs into it.

Here is the link to the PR that adds HTTPS support to php:apache2:
docker-library/php#1559

@williamdes (Member):

Good news, the testing phase is going fine.
Right now the tests are passing for the SSL connection; I am adding more and then I will push.

@LordRobinCbz (Contributor Author) commented Jan 14, 2025:

Hello @williamdes,
I've deployed the new Docker image and this is the result in my production K8s cluster:
[screenshot]

From my ArgoCD:
[screenshot]

As you can see, it's correct and working :)

Notice: K8s needs a base64-encoded string to set up a secret, so for base64 strings (e.g., CAS), we need to encode the CA in base64, get the string, add a ",", and encode the whole string in base64. It seems tricky, but it's working!

For me, the next step is to add support for Redis in mTLS in order to make the application scalable. I'll note it for my future self.

@williamdes (Member):

Notice: K8s needs a base64-encoded string to set up a secret, so for base64 strings (e.g., CAS), we need to encode the CA in base64, get the string, add a ",", and encode the whole string in base64. It seems tricky, but it's working!

I have not tested the base64 part yet. But are you saying it is base64(`<base 64 cert>,`)?
I expect it to work like <base 64 cert> for only one host.

For me, the next step is to add support for Redis in mTLS in order to make the application scalable. I'll note it for my future self.

Maybe use Valkey or KeyDB?
Feel free to post a php.ini configuration example, as some Docker users may find it interesting to store sessions elsewhere.
And maybe on the same occasion make the containers read-only.

@LordRobinCbz (Contributor Author):

I have not tested the base64 part yet. But are you saying it is base64(`<base 64 cert>,`)? I expect it to work like <base 64 cert> for only one host.

Yes, it works with a base64 string, as wanted. But to test in Kubernetes (my use case), to set up a Secret object in the K8S cluster, strings have to be encoded in base64. So as our new vars need base64, you need to encode twice to set your secret. It's only for K8S secrets.

Maybe use Valkey or KeyDB? Feel free to post a php.ini configuration example, as some Docker users may find it interesting to store sessions elsewhere. And maybe on the same occasion make the containers read-only.

The helpers.php file creates multiple files inside the container when we load the PMA application, so I don't think the container can be read-only (if you use mTLS).

For Redis and the php.ini file, I think the best solution is to edit the php image to add support for Redis, so PMA will extend these configurations (as I did for HTTPS).
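The double encoding discussed in the two comments above (the PhpMyAdmin variable already holds base64 PEM blobs joined by commas, one per host, and a Kubernetes Secret's `data:` field needs base64 on top of that), as an added example that is not part of the PR: a POSIX shell script that builds the variable value from PEM files, produces the doubly encoded Secret value, and verifies the round trip by undoing both layers. The variable name PMA_SSL_CAS_EXAMPLE and the helper names are placeholders made up for this example, not names from the PR.

```shell
#!/bin/sh
# Added example, not code from the PR: build the value of a PhpMyAdmin variable
# that holds comma-separated base64 PEM blobs (one per host) and the doubly
# encoded form a Kubernetes Secret's "data:" field needs, then verify the round
# trip. PMA_SSL_CAS_EXAMPLE is a placeholder name, not a variable from the PR.
set -eu

b64() { base64 | tr -d '\n'; }   # unwrapped base64, works with GNU and BSD base64

# pma_env_value FILE... : base64 each PEM file and join the results with ","
pma_env_value() {
    out=""
    for f in "$@"; do
        part=$(b64 < "$f")
        out="${out:+$out,}$part"
    done
    printf '%s' "$out"
}

# k8s_secret_value STRING : the extra encoding layer Secret.data requires
k8s_secret_value() { printf '%s' "$1" | b64; }

# verify_roundtrip SECRET_VALUE FILE... : undo both layers and compare with the files
verify_roundtrip() {
    secret=$1; shift
    env_value=$(printf '%s' "$secret" | base64 -d)   # what the container sees
    i=1
    for f in "$@"; do
        part=$(printf '%s' "$env_value" | cut -d, -f"$i")
        printf '%s' "$part" | base64 -d | cmp -s - "$f" || return 1
        i=$((i + 1))
    done
    return 0
}

# Stand-alone demo with constructed, non-secret files
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-ca-a' '-----END CERTIFICATE-----' > "$demo_dir/ca-a.pem"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed-ca-b' '-----END CERTIFICATE-----' > "$demo_dir/ca-b.pem"
env_value=$(pma_env_value "$demo_dir/ca-a.pem" "$demo_dir/ca-b.pem")
secret_value=$(k8s_secret_value "$env_value")
echo "PMA_SSL_CAS_EXAMPLE=$env_value"     # plain container environment, e.g. docker run -e
echo "Secret.data value:  $secret_value"   # what goes into the manifest's data: field
verify_roundtrip "$secret_value" "$demo_dir/ca-a.pem" "$demo_dir/ca-b.pem" && echo "round trip OK"
```

Kubernetes also accepts a `stringData` field on Secrets, which takes the plain value and is encoded by the API server, so the second encoding step can be skipped when the manifest is written by hand; whichever way the Secret is produced, the container still sees exactly one layer, the comma-separated base64 value.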

@LordRobinCbz (Contributor Author):

So, finally, for me it's working without any modifications. My use case is completed and I can use PMA. So I think we are done here.

It was a great pleasure to add some new features to a Docker tool/application used by full stack developers, students, new developers, etc., around the world and on a solution used by multiple providers.

It's a great achievement for me. Many thanks.

@williamdes (Member) commented Jan 14, 2025:

Tests pushed as ab37078 and they did pass: /~https://github.com/phpmyadmin/docker/actions/runs/12778155949/job/35620415452

It was a great pleasure to add some new features to a Docker tool/application used by full stack developers, students, new developers, etc., around the world and on a solution used by multiple providers.
It's a great achievement for me. Many thanks.

I was very pleased with your contribution and your work on the feedback.
Thank you for contributing!

So, finally, for me it's working without any modifications. My use case is completed and I can use PMA. So I think we are done here.

Yes, I have to add the documentation in the main repo (phpmyadmin/phpmyadmin#19465) and on Docker Hub (docker-library/docs#2527), and then this will be fully done.
