Switch from H2 to PostgreSQL (#2)

* Switch from H2 to PostgreSQL * Correct database image repository name * Bump chart version number
portswigger-cloud · Jun 25, 2024 · 2ddada2 · 2ddada2
1 parent 40ec871
commit 2ddada2
Show file tree

Hide file tree

Showing 7 changed files with 106 additions and 25 deletions.
diff --git a/charts/burpsuite/Chart.yaml b/charts/burpsuite/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: burpsuite
 description: Scan it all. With the enterprise-enabled dynamic web vulnerability scanner.
 type: application
-version: 0.0.8
+version: 0.1.0
 kubeVersion: ">=1.24.0-0"
 keywords:
   - burpsuite

diff --git a/charts/burpsuite/templates/_helpers.tpl b/charts/burpsuite/templates/_helpers.tpl
@@ -164,11 +164,58 @@ Fetch given field from existing web secret or generate a new random value
 {{- end -}}
 {{- end -}}
 
+{{/*
+Fetch given field from existing enterprise secret or generate a new random value
+*/}}
+{{- define "burpsuite.database.fetchOrCreateSecretField" -}}
+{{- $context := index . 0 -}}
+{{- $secretFieldName := index . 1 -}}
+
+{{- $secretObj := (lookup "v1" "Secret" $context.Release.Namespace  "database-env") | default dict }}
+{{- $secretData := (get $secretObj "data") | default dict }}
+{{- $secretFieldValue := (get $secretData $secretFieldName) | default (randAlphaNum 30 | b64enc) }}
+{{- $secretFieldValue -}}
+{{- end -}}
 
+{{- define "burpsuite.database.secretValue" -}}
+{{- $context := index . 0 -}}
+{{- $suppliedValue := index . 1 -}}
+{{- $secretFieldName := index . 2 -}}
+{{- if $suppliedValue -}}
+{{ $suppliedValue | b64enc }}
+{{- else -}}
+{{ include "burpsuite.database.fetchOrCreateSecretField"  (list $context $secretFieldName) }}
+{{- end -}}
+{{- end -}}
+
+{{- define "burpsuite.database.image" -}}
+{{- if .Values.database.image.sha256 -}}
+{{- printf "%s/%s:%s@sha256:%s" (.Values.database.image.registry | default .Values.global.image.registry) .Values.database.image.repository .Values.database.image.tag (trimPrefix "sha256:" .Values.database.image.sha256) }}
+{{- else -}}
+{{- printf "%s/%s:%s" (.Values.database.image.registry | default .Values.global.image.registry) .Values.database.image.repository .Values.database.image.tag }}
+{{- end -}}
+{{- end -}}
+
+{{- define "burpsuite.database.init" -}}
+{{- $enterpriseUserPassword := include "burpsuite.enterprise.secretValue" (list . .Values.database.users.enterprise.password "BSEE_ADMIN_REPOSITORY_PASSWORD") -}}
+{{- $scannerUserPassword := include "burpsuite.enterprise.secretValue" (list . .Values.database.users.scanner.password "BSEE_AGENT_REPOSITORY_PASSWORD") }}
+CREATE USER {{ .Values.database.users.enterprise.username }} PASSWORD '{{ $enterpriseUserPassword }}';
+CREATE USER {{ .Values.database.users.scanner.username }} PASSWORD '{{ $scannerUserPassword }}';
+
+CREATE DATABASE burp_enterprise;
+ALTER DATABASE burp_enterprise OWNER TO {{ .Values.database.users.enterprise.username }};
+GRANT ALL ON DATABASE burp_enterprise TO {{ .Values.database.users.enterprise.username }};
+
+\c burp_enterprise
+
+CREATE SCHEMA burp_enterprise AUTHORIZATION {{ .Values.database.users.enterprise.username }};
+GRANT USAGE ON SCHEMA burp_enterprise TO {{ .Values.database.users.scanner.username }};
+ALTER USER {{ .Values.database.users.scanner.username }} SET search_path = "burp_enterprise";
+{{- end -}}
 
 {{- define "burpsuite.database.url" -}}
-{{- if .Values.database.h2.enabled -}}
-jdbc:h2:tcp://localhost:9092/mem:bsee;DB_CLOSE_DELAY=-1
+{{- if .Values.database.useEmbedded -}}
+jdbc:postgresql://localhost:5432/burp_enterprise
 {{- else -}}
 {{ .Values.database.externalUrl }}
 {{- end -}}

diff --git a/charts/burpsuite/templates/_podtemplate.tpl b/charts/burpsuite/templates/_podtemplate.tpl
@@ -31,8 +31,8 @@ spec:
     {{- include "burpsuite.enterprise.initContainerTemplates" . | nindent 4 }}
     {{- include "burpsuite.web.initContainerTemplates" . | nindent 4 }}
   containers:
-    {{- if .Values.database.h2.enabled -}}
-    {{- include "burpsuite.h2db.containerTemplate" . | nindent 4 }}
+    {{- if .Values.database.useEmbedded -}}
+    {{- include "burpsuite.database.containerTemplate" . | nindent 4 }}
     {{- end -}}
     {{- include "burpsuite.enterprise.containerTemplate" . | nindent 4 }}
     {{- include "burpsuite.web.containerTemplate" . | nindent 4 }}
@@ -59,4 +59,9 @@ spec:
   - name: tmp
     emptyDir:
       sizeLimit: 1Gi
+  {{- if .Values.database.useEmbedded }}
+  - name: database-vol
+    secret:
+      secretName: database-vol
+  {{- end }}
 {{- end }}
diff --git a/...uite/templates/h2/_containerstemplate.tpl → ...templates/database/_containertemplate.tpl b/...uite/templates/h2/_containerstemplate.tpl → ...templates/database/_containertemplate.tpl
@@ -1,16 +1,7 @@
-{{- define "burpsuite.h2db.containerTemplate" -}}
-- image: {{ include "burpsuite.web.image" . }}
+{{- define "burpsuite.database.containerTemplate" -}}
+- image: {{ include "burpsuite.database.image" . }}
   imagePullPolicy: Always
-  name: h2
-  command:
-    - /usr/local/burpsuite_enterprise/jre/bin/java
-  args:
-    - -cp
-    - /usr/local/burpsuite_enterprise/lib/h2-1.4.197.jar
-    - org.h2.tools.Server
-    - -tcp
-    - -tcpPort
-    - "9092"
+  name: database
   resources:
     requests:
       memory: 128Mi
@@ -19,33 +10,41 @@
     limits:
       memory: 128Mi
   ports:
-    - name: h2
-      containerPort: 9092
+    - name: postgres
+      containerPort: 5432
   startupProbe:
     tcpSocket:
-      port: h2
+      port: postgres
     failureThreshold: 60
     periodSeconds: 5
     timeoutSeconds: 2
   livenessProbe:
     tcpSocket:
-      port: h2
+      port: postgres
     failureThreshold: 3
     periodSeconds: 10
     timeoutSeconds: 2
     successThreshold: 1
   readinessProbe:
     tcpSocket:
-      port: h2
+      port: postgres
     failureThreshold: 1
     periodSeconds: 10
     timeoutSeconds: 2
     successThreshold: 1
+  envFrom:
+    - secretRef:
+        name: database-env
+  volumeMounts:
+    - name: database-vol
+      mountPath: /docker-entrypoint-initdb.d
   securityContext:
+    runAsUser: 999
+    runAsGroup: 999
     capabilities:
       drop:
       - ALL
-    readOnlyRootFilesystem: true
+    readOnlyRootFilesystem: false
     allowPrivilegeEscalation: false
     runAsNonRoot: true
 {{- end -}}
diff --git a/charts/burpsuite/templates/database/env-secret.yaml b/charts/burpsuite/templates/database/env-secret.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.database.useEmbedded -}}
+{{- $postgresPassword := include "burpsuite.database.fetchOrCreateSecretField" (list . "POSTGRES_PASSWORD") }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: database-env
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: database
+{{ include "burpsuite.labels" . | indent 4 }}
+data:
+  POSTGRES_PASSWORD: {{ $postgresPassword }}
+{{- end -}}
diff --git a/charts/burpsuite/templates/database/vol-secret.yaml b/charts/burpsuite/templates/database/vol-secret.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.database.useEmbedded -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: database-vol
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/component: database
+{{ include "burpsuite.labels" . | indent 4 }}
+data:
+  init.sql: {{ include "burpsuite.database.init" . | b64enc }}
+{{- end -}}
diff --git a/charts/burpsuite/values.yaml b/charts/burpsuite/values.yaml
@@ -133,8 +133,13 @@ email:
 ## @section Database settings
 ##
 database:
-  h2:
-    enabled: false
+  useEmbedded: false
+
+  image:
+    registry: ""
+    repository: "docker/library/postgres"
+    tag: "16"
+    sha256: ""
 
   externalUrl: "jdbc:postgresql://postgres-rw:5432/burp_enterprise"
   externalCredentials: false