Update Cloud SQL sample apps with SSL example (#2361)

* Update Cloud SQL sample apps with SSL example

* Lint.

* Update region tag.

* Move certs folder into mysql\mysql.

* Update Dockerfile WORKDIR and COPY certs.

* Update mysql sslmode to verify-full.

* Lint.

Author: jsimonweb

cloud-sql/mysql/mysql/Dockerfile

@@ -7,7 +7,7 @@
 FROM node:10-slim
 
 # Create and change to the app directory.
-WORKDIR /usr/src/app
+WORKDIR /app
 
 # Copy application dependency manifests to the container image.
 # A wildcard is used to ensure both package.json AND package-lock.json are copied.
@@ -19,6 +19,9 @@ COPY package*.json ./
 # RUN npm ci --only=production
 RUN npm install --production
 
+# Copy any certificates if present.
+COPY ./certs /app/certs
+
 # Copy local code to the container image.
 COPY . ./
 

cloud-sql/mysql/mysql/certs/.gitkeep

@@ -16,6 +16,7 @@
 
 const express = require('express');
 const mysql = require('promise-mysql');
+const fs = require('fs');
 
 const app = express();
 app.set('view engine', 'pug');
@@ -41,13 +42,37 @@ const logger = winston.createLogger({
   transports: [new winston.transports.Console(), loggingWinston],
 });
 
+// [START cloud_sql_mysql_mysql_create_tcp_sslcerts]
+const createTcpPoolSslCerts = async config => {
+  // Extract host and port from socket address
+  const dbSocketAddr = process.env.DB_HOST.split(':');
+
+  // Establish a connection to the database
+  return mysql.createPool({
+    user: process.env.DB_USER, // e.g. 'my-db-user'
+    password: process.env.DB_PASS, // e.g. 'my-db-password'
+    database: process.env.DB_NAME, // e.g. 'my-database'
+    host: dbSocketAddr[0], // e.g. '127.0.0.1'
+    port: dbSocketAddr[1], // e.g. '3306'
+    ssl: {
+      sslmode: 'verify-full',
+      ca: fs.readFileSync(process.env.DB_ROOT_CERT), // e.g., '/path/to/my/server-ca.pem'
+      key: fs.readFileSync(process.env.DB_KEY), // e.g. '/path/to/my/client-key.pem'
+      cert: fs.readFileSync(process.env.DB_CERT), // e.g. '/path/to/my/client-cert.pem'
+    },
+    // ... Specify additional properties here.
+    ...config,
+  });
+};
+// [END cloud_sql_mysql_mysql_create_tcp_sslcerts]
+
 // [START cloud_sql_mysql_mysql_create_tcp]
 const createTcpPool = async config => {
   // Extract host and port from socket address
   const dbSocketAddr = process.env.DB_HOST.split(':');
 
   // Establish a connection to the database
-  return await mysql.createPool({
+  return mysql.createPool({
     user: process.env.DB_USER, // e.g. 'my-db-user'
     password: process.env.DB_PASS, // e.g. 'my-db-password'
     database: process.env.DB_NAME, // e.g. 'my-database'
@@ -64,7 +89,7 @@ const createUnixSocketPool = async config => {
   const dbSocketPath = process.env.DB_SOCKET_PATH || '/cloudsql';
 
   // Establish a connection to the database
-  return await mysql.createPool({
+  return mysql.createPool({
     user: process.env.DB_USER, // e.g. 'my-db-user'
     password: process.env.DB_PASS, // e.g. 'my-db-password'
     database: process.env.DB_NAME, // e.g. 'my-database'
@@ -106,9 +131,13 @@ const createPool = async () => {
     // [END cloud_sql_mysql_mysql_backoff]
   };
   if (process.env.DB_HOST) {
-    return await createTcpPool(config);
+    if (process.env.DB_ROOT_CERT) {
+      return createTcpPoolSslCerts(config);
+    } else {
+      return createTcpPool(config);
+    }
   } else {
-    return await createUnixSocketPool(config);
+    return createUnixSocketPool(config);
   }
 };
 

cloud-sql/mysql/mysql/server.js

@@ -7,7 +7,7 @@
 FROM node:10-slim
 
 # Create and change to the app directory.
-WORKDIR /usr/src/app
+WORKDIR /app
 
 # Copy application dependency manifests to the container image.
 # A wildcard is used to ensure both package.json AND package-lock.json are copied.
@@ -19,6 +19,9 @@ COPY package*.json ./
 # RUN npm ci --only=production
 RUN npm install --production
 
+# Copy any certificates if present.
+COPY ./certs /app/certs
+
 # Copy local code to the container image.
 COPY . ./
 

cloud-sql/postgres/knex/Dockerfile

@@ -19,6 +19,7 @@ const process = require('process');
 
 const express = require('express');
 const Knex = require('knex');
+const fs = require('fs');
 
 const app = express();
 app.set('view engine', 'pug');
@@ -62,6 +63,33 @@ app.use(async (req, res, next) => {
   }
 });
 
+// [START cloud_sql_postgres_knex_create_tcp_sslcerts]
+const createTcpPoolSslCerts = async config => {
+  // Extract host and port from socket address
+  const dbSocketAddr = process.env.DB_HOST.split(':'); // e.g. '127.0.0.1:5432'
+
+  // Establish a connection to the database
+  return Knex({
+    client: 'pg',
+    connection: {
+      user: process.env.DB_USER, // e.g. 'my-user'
+      password: process.env.DB_PASS, // e.g. 'my-user-password'
+      database: process.env.DB_NAME, // e.g. 'my-database'
+      host: dbSocketAddr[0], // e.g. '127.0.0.1'
+      port: dbSocketAddr[1], // e.g. '5432'
+      ssl: {
+        rejectUnauthorized: false,
+        ca: fs.readFileSync(process.env.DB_ROOT_CERT), // e.g., '/path/to/my/server-ca.pem'
+        key: fs.readFileSync(process.env.DB_KEY), // e.g. '/path/to/my/client-key.pem'
+        cert: fs.readFileSync(process.env.DB_CERT), // e.g. '/path/to/my/client-cert.pem'
+      },
+    },
+    // ... Specify additional properties here.
+    ...config,
+  });
+};
+// [END cloud_sql_postgres_knex_create_tcp_sslcerts]
+
 // [START cloud_sql_postgres_knex_create_tcp]
 const createTcpPool = async config => {
   // Extract host and port from socket address
@@ -140,7 +168,11 @@ const createPool = async () => {
   // [END cloud_sql_postgres_knex_backoff]
 
   if (process.env.DB_HOST) {
-    return createTcpPool(config);
+    if (process.env.DB_ROOT_CERT) {
+      return createTcpPoolSslCerts(config);
+    } else {
+      return createTcpPool(config);
+    }
   } else {
     return createUnixSocketPool(config);
   }