
Add tls for Pgpool client
Signed-off-by: MobarakHsn <[email protected]>
MobarakHsn committed Apr 26, 2024
1 parent deb90f6 commit 5eed107
Showing 64 changed files with 8,499 additions and 5,155 deletions.
4 changes: 2 additions & 2 deletions go.mod
Expand Up @@ -25,7 +25,7 @@ require (
k8s.io/klog/v2 v2.120.1
kmodules.xyz/client-go v0.29.13
kmodules.xyz/custom-resources v0.29.1
kubedb.dev/apimachinery v0.44.1-0.20240418111017-ee6ba81797f6
kubedb.dev/apimachinery v0.44.1-0.20240426043050-8da02f74e197
sigs.k8s.io/controller-runtime v0.17.2
xorm.io/xorm v1.3.6
)
Expand Down Expand Up @@ -123,7 +123,7 @@ require (
k8s.io/utils v0.0.0-20240102154912-e7106e64919e // indirect
kmodules.xyz/apiversion v0.2.0 // indirect
kmodules.xyz/monitoring-agent-api v0.29.0 // indirect
kmodules.xyz/offshoot-api v0.29.0 // indirect
kmodules.xyz/offshoot-api v0.29.1 // indirect
kubeops.dev/petset v0.0.5 // indirect
modernc.org/memory v1.5.0 // indirect
modernc.org/token v1.1.0 // indirect
8 changes: 4 additions & 4 deletions go.sum
Expand Up @@ -583,10 +583,10 @@ kmodules.xyz/custom-resources v0.29.1 h1:xiNylhs3ILRbcUhxxy306AOy9GMA4Mq7xFIptZK
kmodules.xyz/custom-resources v0.29.1/go.mod h1:829zDY1EjaxPP52h1T73LZx/vgv8Pld9/uTT/ViZTc0=
kmodules.xyz/monitoring-agent-api v0.29.0 h1:gpFl6OZrlMLb/ySMHdREI9EwGtnJ91oZBn9H1UFRwB4=
kmodules.xyz/monitoring-agent-api v0.29.0/go.mod h1:iNbvaMTgVFOI5q2LJtGK91j4Dmjv4ZRiRdasGmWLKQI=
kmodules.xyz/offshoot-api v0.29.0 h1:GHLhxxT9jU1N8+FvOCCeJNyU5g0duYS46UGrs6AHNLY=
kmodules.xyz/offshoot-api v0.29.0/go.mod h1:5NxhBblXoDHWStx9HCDJR2KFTwYjEZ7i1Id3jelIunw=
kubedb.dev/apimachinery v0.44.1-0.20240418111017-ee6ba81797f6 h1:VrQhjNOGtqmMiT7lMxIydlfhuL8Ya+uitzyvBbvToQ4=
kubedb.dev/apimachinery v0.44.1-0.20240418111017-ee6ba81797f6/go.mod h1:7daaaWragCFLV38plrrJtsOuzinBSX3enMpliqlm3Uo=
kmodules.xyz/offshoot-api v0.29.1 h1:Pm83nzYHbqfCYKPCHrK0io387yXTaBmSydoAP6nF0WU=
kmodules.xyz/offshoot-api v0.29.1/go.mod h1:SeGhKGXxNAy56cLnskEcLgCH+LRFN+MhJzvrZzPqUlM=
kubedb.dev/apimachinery v0.44.1-0.20240426043050-8da02f74e197 h1:Jpex6XHFMaRGxWbCB52PprrnCQENW1BTUTW2IxpemFw=
kubedb.dev/apimachinery v0.44.1-0.20240426043050-8da02f74e197/go.mod h1:0uGwbmD4XN00LeU236LLOgoocK+UBoB9ojdstnZeJd8=
kubeops.dev/petset v0.0.5 h1:VVXi39JhjondlbHyZ98z0MLp6VCmiCMinL59K48Y2zA=
kubeops.dev/petset v0.0.5/go.mod h1:ijtKT1HlAht2vBEZj5LW7C00XEs3B0d1VdCQgd5V4cA=
lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
54 changes: 44 additions & 10 deletions pgpool/kubedb_client_builder.go
Expand Up @@ -20,19 +20,21 @@ import (
"context"
"fmt"

api "kubedb.dev/apimachinery/apis/kubedb/v1alpha2"

_ "github.com/lib/pq"
core "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/types"
"k8s.io/klog/v2"
"kmodules.xyz/client-go/tools/certholder"
appbinding "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
api "kubedb.dev/apimachinery/apis/kubedb/v1alpha2"
"sigs.k8s.io/controller-runtime/pkg/client"
"xorm.io/xorm"
)

const (
DefaultBackendDBName = "postgres"
DefaultPgpoolPort = 9999
TLSModeDisable = "disable"
)

type KubeDBClientBuilder struct {
Expand Down Expand Up @@ -138,19 +140,51 @@ func (o *KubeDBClientBuilder) getBackendAuth() (string, string, error) {
}

func (o *KubeDBClientBuilder) getConnectionString() (string, error) {
user, pass, err := o.getBackendAuth()
if err != nil {
return "", err
}

if o.podName != "" {
o.url = o.getURL()
}
dnsName := o.url

if o.backendDBName == "" {
o.backendDBName = DefaultBackendDBName
}
//TODO ssl mode is disable now need to work on this after adding tls support
connector := fmt.Sprintf("user=%s password=%s host=%s port=%d connect_timeout=10 dbname=%s sslmode=%s", user, pass, o.url, DefaultPgpoolPort, o.backendDBName, TLSModeDisable)
return connector, nil

user, pass, err := o.getBackendAuth()
if err != nil {
return "", fmt.Errorf("DB basic auth is not found for backend PostgreSQL %v/%v", o.pgpool.Namespace, o.pgpool.Name)
}
cnnstr := ""
sslMode := o.pgpool.Spec.SSLMode

// sslMode == "prefer" and sslMode == "allow" don't have support for github.com/lib/pq postgres client. as we are using
// github.com/lib/pq postgres client utils for connecting our server we need to access with any of require , verify-ca, verify-full or disable.
// here we have chosen "require" sslmode to connect postgres as a client
if sslMode == api.PgpoolSSLModePrefer || sslMode == api.PgpoolSSLModeAllow {
sslMode = api.PgpoolSSLModeRequire
}
if o.pgpool.Spec.TLS != nil {
secretName := o.pgpool.GetCertSecretName(api.PgpoolClientCert)

var certSecret core.Secret
err := o.kc.Get(o.ctx, client.ObjectKey{Namespace: o.pgpool.Namespace, Name: secretName}, &certSecret)
if err != nil {
klog.Error(err, "failed to get certificate secret.", secretName)
return "", err
}

certs, _ := certholder.DefaultHolder.ForResource(api.SchemeGroupVersion.WithResource(api.ResourcePluralPgpool), o.pgpool.ObjectMeta)
paths, err := certs.Save(&certSecret)
if err != nil {
klog.Error(err, "failed to save certificate")
return "", err
}
if o.pgpool.Spec.ClientAuthMode == api.PgpoolClientAuthModeCert {
cnnstr = fmt.Sprintf("user=%s password=%s host=%s port=%d connect_timeout=10 dbname=%s sslmode=%s sslrootcert=%s sslcert=%s sslkey=%s", user, pass, dnsName, DefaultPgpoolPort, o.backendDBName, sslMode, paths.CACert, paths.Cert, paths.Key)
} else {
cnnstr = fmt.Sprintf("user=%s password=%s host=%s port=%d connect_timeout=10 dbname=%s sslmode=%s sslrootcert=%s", user, pass, dnsName, DefaultPgpoolPort, o.backendDBName, sslMode, paths.CACert)
}
} else {
cnnstr = fmt.Sprintf("user=%s password=%s host=%s port=%d connect_timeout=10 dbname=%s sslmode=%s", user, pass, dnsName, DefaultPgpoolPort, o.backendDBName, sslMode)
}
return cnnstr, nil
}
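Review bot: The second return value of `certholder.DefaultHolder.ForResource(...)` is discarded with `certs, _ :=` (presumably an error), so a failure there leaves `certs` nil and the following `certs.Save(&certSecret)` panics with a nil dereference instead of returning an error to the caller. The new error path for `getBackendAuth()` also drops the underlying `err`, which makes the secret-lookup failure undiagnosable from the log; wrapping it with `%w` keeps the cause. The `prefer`/`allow` → `require` mapping is a semantic downgrade worth stating in the comment: with `Spec.TLS == nil` the connection is encrypted but the server certificate is not verified, so the comment should say `// NOTE: without Spec.TLS, "require" encrypts but does not authenticate the server.` Independently (and pre-existing on the old side), `pass` is interpolated unquoted into the key=value DSN, so a password containing a space or quote breaks parsing; the value should be single-quoted with backslash escaping or built as a URL via `url.UserPassword`. The rewritten lines below keep the function's shape and only add the two error checks.
```go
	user, pass, err := o.getBackendAuth()
	if err != nil {
		return "", fmt.Errorf("DB basic auth is not found for backend PostgreSQL %v/%v: %w", o.pgpool.Namespace, o.pgpool.Name, err)
	}
	// … unchanged: sslMode normalisation and certificate secret lookup …
	certs, err := certholder.DefaultHolder.ForResource(api.SchemeGroupVersion.WithResource(api.ResourcePluralPgpool), o.pgpool.ObjectMeta)
	if err != nil {
		return "", fmt.Errorf("preparing cert holder for Pgpool %v/%v: %w", o.pgpool.Namespace, o.pgpool.Name, err)
	}
	paths, err := certs.Save(&certSecret)
	// … unchanged: connection string assembly …
```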
44 changes: 44 additions & 0 deletions vendor/kmodules.xyz/offshoot-api/api/v1/openapi_generated.go


19 changes: 19 additions & 0 deletions vendor/kmodules.xyz/offshoot-api/api/v1/types.go
Expand Up @@ -392,6 +392,25 @@ type ServicePort struct {
NodePort int32 `json:"nodePort,omitempty"`
}

// GatewayPort contains information on Gateway service's port.
type GatewayPort struct {
// The name of this port within the gateway service.
// +optional
Name string `json:"name,omitempty"`

// The port that will be exposed by the gateway service.
Port int32 `json:"port"`

// Number of the port to access the backend service.
// +optional
BackendServicePort int32 `json:"backendServicePort,omitempty"`

// The port on each node on which this gateway service is exposed when type is
// NodePort or LoadBalancer.
// +optional
NodePort int32 `json:"nodePort,omitempty"`
}

// Beware of MergeServicePorts
// ref: https://github.com/kmodules/client-go/blob/03dac1aea5084354127990a10d0b0e7529460dd5/core/v1/service.go#L103-L136
func PatchServicePorts(cur []core.ServicePort, desired []ServicePort) []core.ServicePort {
16 changes: 16 additions & 0 deletions vendor/kmodules.xyz/offshoot-api/api/v1/zz_generated.deepcopy.go


@@ -0,0 +1,64 @@
/*
Copyright AppsCode Inc. and Contributors
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha1

import (
"fmt"

"kubedb.dev/apimachinery/apis"
"kubedb.dev/apimachinery/apis/catalog"
"kubedb.dev/apimachinery/crds"

"kmodules.xyz/client-go/apiextensions"
)

func (m MSSQLVersion) CustomResourceDefinition() *apiextensions.CustomResourceDefinition {
return crds.MustCustomResourceDefinition(SchemeGroupVersion.WithResource(ResourcePluralMSSQLVersion))
}

var _ apis.ResourceInfo = &MSSQLVersion{}

func (m MSSQLVersion) ResourceFQN() string {
return fmt.Sprintf("%s.%s", ResourcePluralMSSQLVersion, catalog.GroupName)
}

func (m MSSQLVersion) ResourceShortCode() string {
return ResourceCodeMSSQLVersion
}

func (m MSSQLVersion) ResourceKind() string {
return ResourceKindMSSQLVersion
}

func (m MSSQLVersion) ResourceSingular() string {
return ResourceSingularMSSQLVersion
}

func (m MSSQLVersion) ResourcePlural() string {
return ResourcePluralMSSQLVersion
}

func (m MSSQLVersion) ValidateSpecs() error {
if m.Spec.Version == "" || m.Spec.DB.Image == "" || m.Spec.Coordinator.Image == "" {
return fmt.Errorf(`at least one of the following specs is not set for MSSQLVersion "%v":
spec.version,
spec.coordinator.image,
spec.initContainer.image`, m.Name)
}
// TODO: add m.spec.exporter.image check FOR monitoring
return nil
}
@@ -0,0 +1,106 @@
/*
Copyright 2023.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package v1alpha1

import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
appcat "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
)

const (
ResourceCodeMSSQLVersion = "msversion"
ResourceKindMSSQLVersion = "MSSQLVersion"
ResourceSingularMSSQLVersion = "mssqlversion"
ResourcePluralMSSQLVersion = "mssqlversions"
)

// +genclient
// +genclient:nonNamespaced
// +genclient:skipVerbs=updateStatus
// +k8s:openapi-gen=true
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// +kubebuilder:object:root=true
// +kubebuilder:resource:path=mssqlversions,singular=mssqlversion,scope=Cluster,shortName=msversion,categories={datastore,kubedb,appscode}
// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".spec.version"
// +kubebuilder:printcolumn:name="DB_IMAGE",type="string",JSONPath=".spec.db.image"
// +kubebuilder:printcolumn:name="Deprecated",type="boolean",JSONPath=".spec.deprecated"
// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
type MSSQLVersion struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec MSSQLVersionSpec `json:"spec,omitempty"`
}

// MSSQLVersionSpec defines the desired state of MSSQL Version
type MSSQLVersionSpec struct {
// Version
Version string `json:"version"`
// Database Image
DB MSSQLVersionDatabase `json:"db"`
// Coordinator Image
// +optional
Coordinator MSSQLCoordinator `json:"coordinator,omitempty"`
// Init container Image
InitContainer MSSQLInitContainer `json:"initContainer"`
// Deprecated versions usable but regarded as obsolete and best avoided, typically due to having been superseded.
// +optional
Deprecated bool `json:"deprecated,omitempty"`
// Stash defines backup and restore task definitions.
// +optional
Stash appcat.StashAddonSpec `json:"stash,omitempty"`
// SecurityContext is for the additional config for the DB container
// +optional
SecurityContext SecurityContext `json:"securityContext"`
// update constraints
UpdateConstraints UpdateConstraints `json:"updateConstraints,omitempty"`
}

// MSSQLVersionDatabase is the MSSQL Database image
type MSSQLVersionDatabase struct {
Image string `json:"image"`
}

// MSSQLCoordinator is the MSSQL coordinator Container image
type MSSQLCoordinator struct {
Image string `json:"image"`
}

// MSSQLInitContainer is the MSSQL Container initializer
type MSSQLInitContainer struct {
Image string `json:"image"`
}

// MSSQLVersionPodSecurityPolicy is the MSSQL pod security policies
type MSSQLVersionPodSecurityPolicy struct {
DatabasePolicyName string `json:"databasePolicyName"`
}

// MSSQLSecurityContext is for additional configuration for the MSSQL database container
type MSSQLSecurityContext struct {
RunAsUser *int64 `json:"runAsUser,omitempty"`
RunAsGroup *int64 `json:"runAsGroup,omitempty"`
}

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// MSSQLVersionList contains a list of MSSQLVersion
type MSSQLVersionList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []MSSQLVersion `json:"items"`
}
