From 09006d275e3d02fbc006695ce04bef48f770e091 Mon Sep 17 00:00:00 2001
From: ashraful
Date: Mon, 22 Apr 2024 12:20:15 +0600
Subject: [PATCH] Add SingleStore TLS

Signed-off-by: ashraful
---
 go.mod | 2 +-
 go.sum | 4 +-
 singlestore/kubedb_client_builder.go | 28 ++---
 .../apis/kubedb/v1alpha2/constants.go | 43 +++++--
 .../apis/kubedb/v1alpha2/openapi_generated.go | 22 +++-
 .../apis/kubedb/v1alpha2/pgpool_helpers.go | 78 ++++++++++++
 .../apis/kubedb/v1alpha2/pgpool_types.go | 73 +++++++++++
 .../apis/kubedb/v1alpha2/pgpool_webhook.go | 45 +++++++
 .../kubedb/v1alpha2/singlestore_helpers.go | 53 +++++++-
 .../kubedb/v1alpha2/singlestore_webhook.go | 2 +
 .../kubedb/v1alpha2/zz_generated.deepcopy.go | 5 +
 .../apimachinery/crds/kubedb.com_pgpools.yaml | 117 ++++++++++++++++++
 vendor/modules.txt | 2 +-
 13 files changed, 435 insertions(+), 39 deletions(-)

diff --git a/go.mod b/go.mod
index fa70ef598..fb0e20423 100644
--- a/go.mod
+++ b/go.mod
@@ -26,7 +26,7 @@ require (
 k8s.io/klog/v2 v2.120.1
 kmodules.xyz/client-go v0.29.13
 kmodules.xyz/custom-resources v0.29.1
- kubedb.dev/apimachinery v0.44.1-0.20240425042236-6efef42b8792
+ kubedb.dev/apimachinery v0.44.1-0.20240426055822-7fb3d5619cd2
 sigs.k8s.io/controller-runtime v0.17.2
 xorm.io/xorm v1.3.6
 )
diff --git a/go.sum b/go.sum
index 8f3d50edb..ed720897c 100644
--- a/go.sum
+++ b/go.sum
@@ -609,8 +609,8 @@ kmodules.xyz/monitoring-agent-api v0.29.0 h1:gpFl6OZrlMLb/ySMHdREI9EwGtnJ91oZBn9
 kmodules.xyz/monitoring-agent-api v0.29.0/go.mod h1:iNbvaMTgVFOI5q2LJtGK91j4Dmjv4ZRiRdasGmWLKQI=
 kmodules.xyz/offshoot-api v0.29.1 h1:Pm83nzYHbqfCYKPCHrK0io387yXTaBmSydoAP6nF0WU=
 kmodules.xyz/offshoot-api v0.29.1/go.mod h1:SeGhKGXxNAy56cLnskEcLgCH+LRFN+MhJzvrZzPqUlM=
-kubedb.dev/apimachinery v0.44.1-0.20240425042236-6efef42b8792 h1:WNzbq7rB18pla0OkJszSg1eWZ2/VNZmdf6YNq97WRSU=
-kubedb.dev/apimachinery v0.44.1-0.20240425042236-6efef42b8792/go.mod h1:0uGwbmD4XN00LeU236LLOgoocK+UBoB9ojdstnZeJd8=
+kubedb.dev/apimachinery v0.44.1-0.20240426055822-7fb3d5619cd2 h1:Mv6PlqBRD3YimORjoC8f2VqGFNfGFgFHrmlpsNfZcug=
+kubedb.dev/apimachinery v0.44.1-0.20240426055822-7fb3d5619cd2/go.mod h1:0uGwbmD4XN00LeU236LLOgoocK+UBoB9ojdstnZeJd8=
 kubeops.dev/petset v0.0.5 h1:VVXi39JhjondlbHyZ98z0MLp6VCmiCMinL59K48Y2zA=
 kubeops.dev/petset v0.0.5/go.mod h1:ijtKT1HlAht2vBEZj5LW7C00XEs3B0d1VdCQgd5V4cA=
 lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
diff --git a/singlestore/kubedb_client_builder.go b/singlestore/kubedb_client_builder.go
index bcaabf08f..492120156 100644
--- a/singlestore/kubedb_client_builder.go
+++ b/singlestore/kubedb_client_builder.go
@@ -18,10 +18,12 @@ package singlestore
 import (
 "context"
+ "crypto/tls"
+ "crypto/x509"
 "database/sql"
 "fmt"
- _ "github.com/go-sql-driver/mysql"
+ sql_driver "github.com/go-sql-driver/mysql"
 core "k8s.io/api/core/v1"
 "k8s.io/klog/v2"
 api "kubedb.dev/apimachinery/apis/kubedb/v1alpha2"
@@ -147,10 +149,10 @@ func (o *KubeDBClientBuilder) getConnectionString() (string, error) {
 }
 tlsConfig := ""
- /*if o.db.Spec.RequireSSL && o.db.Spec.TLS != nil {
+ if o.db.Spec.TLS != nil {
 // get client-secret
 var clientSecret core.Secret
- err := o.kc.Get(o.ctx, client.ObjectKey{Namespace: o.db.GetNamespace(), Name: o.db.GetCertSecretName(api.MySQLClientCert)}, &clientSecret)
+ err := o.kc.Get(o.ctx, client.ObjectKey{Namespace: o.db.GetNamespace(), Name: o.db.GetCertSecretName(api.SinglestoreClientCert)}, &clientSecret)
 if err != nil {
 return "", err
 }
@@ -168,19 +170,15 @@ func (o *KubeDBClientBuilder) getConnectionString() (string, error) {
 clientCert = append(clientCert, cert)
 // tls custom setup
- if o.db.Spec.RequireSSL {
- err = sql_driver.RegisterTLSConfig(api.MySQLTLSConfigCustom, &tls.Config{
- RootCAs: certPool,
- Certificates: clientCert,
- })
- if err != nil {
- return "", err
- }
- tlsConfig = fmt.Sprintf("tls=%s", api.MySQLTLSConfigCustom)
- } else {
- tlsConfig = fmt.Sprintf("tls=%s", api.MySQLTLSConfigSkipVerify)
+ err = sql_driver.RegisterTLSConfig(api.SinglestoreTLSConfigCustom, &tls.Config{
+ RootCAs: certPool,
+ Certificates: clientCert,
+ })
+ if err != nil {
+ return "", err
 }
- }*/
+ tlsConfig = fmt.Sprintf("tls=%s", api.SinglestoreTLSConfigCustom)
+ }
 connector := fmt.Sprintf("%v:%v@tcp(%s:%d)/%s?%s", user, pass, o.url, 3306, "memsql", tlsConfig)
 return connector, nil
diff --git a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/constants.go b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/constants.go
index 80bb6a7d8..74486e486 100644
--- a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/constants.go
+++ b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/constants.go
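Review bot: `sql_driver.RegisterTLSConfig(api.SinglestoreTLSConfigCustom, ...)` in the second hunk stores the config under a single process-global key on every call of `getConnectionString`, so an operator that builds clients for several Singlestore objects re-registers `custom` each time, and if those calls interleave a connection for one database can be opened with another database's RootCAs and client certificate. Registering under a per-object key and referencing that key in the DSN keeps the configs isolated, e.g. `tlsKey := fmt.Sprintf("%s-%s-%s", api.SinglestoreTLSConfigCustom, o.db.GetNamespace(), o.db.GetName())`, `err = sql_driver.RegisterTLSConfig(tlsKey, &tls.Config{...})`, `tlsConfig = fmt.Sprintf("tls=%s", tlsKey)`. The `tls.Config` also sets no `ServerName`; the driver appears to fall back to the host part of the DSN (`o.url`) for hostname verification, so the server certificate's SANs must cover that host, and a one-line comment such as `// ServerName is left empty: the driver verifies against the DSN host (o.url)` would save the next reader from re-deriving that. `getConnectionString` starts before the first hunk, and the certPool/clientCert construction between the two hunks is not shown.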
@@ -326,19 +326,22 @@ const (
 SinglestoreDatabasePortName = "db"
 SinglestorePrimaryServicePortName = "primary"
 SinglestoreStudioPortName = "studio"
- SinglestoreDatabasePort = 3306
- SinglestoreStudioPort = 8081
- SinglestoreExporterPort = 9104
- SinglestoreRootUserName = "ROOT_USERNAME"
- SinglestoreRootPassword = "ROOT_PASSWORD"
- SinglestoreRootUser = "root"
- DatabasePodMaster = "Master"
- DatabasePodAggregator = "Aggregator"
- DatabasePodLeaf = "Leaf"
- PetSetTypeAggregator = "aggregator"
- PetSetTypeLeaf = "leaf"
- SinglestoreDatabaseHealth = "singlestore_health"
- SinglestoreTableHealth = "singlestore_health_table"
+
+ SinglestoreDatabasePort = 3306
+ SinglestoreStudioPort = 8081
+ SinglestoreExporterPort = 9104
+
+ SinglestoreRootUserName = "ROOT_USERNAME"
+ SinglestoreRootPassword = "ROOT_PASSWORD"
+ SinglestoreRootUser = "root"
+ DatabasePodMaster = "Master"
+ DatabasePodAggregator = "Aggregator"
+ DatabasePodLeaf = "Leaf"
+ PetSetTypeAggregator = "aggregator"
+ PetSetTypeLeaf = "leaf"
+
+ SinglestoreDatabaseHealth = "singlestore_health"
+ SinglestoreTableHealth = "singlestore_health_table"
 SinglestoreCoordinatorContainerName = "singlestore-coordinator"
 SinglestoreContainerName = "singlestore"
@@ -352,6 +355,14 @@ const (
 SinglestoreVolumeMountPathInitScript = "/scripts"
 SinglestoreVolumeNameData = "data"
 SinglestoreVolumeMountPathData = "/var/lib/memsql"
+ SinglestoreVolumeNameTLS = "tls-volume"
+ SinglestoreVolumeMountPathTLS = "/etc/memsql/certs"
+
+ SinglestoreTLSConfigCustom = "custom"
+ SinglestoreTLSConfigSkipVerify = "skip-verify"
+ SinglestoreTLSConfigTrue = "true"
+ SinglestoreTLSConfigFalse = "false"
+ SinglestoreTLSConfigPreferred = "preferred"
 // =========================== MSSQL Constants ============================
 MSSQLSAUser = "sa"
@@ -560,10 +571,16 @@ const (
 EnvPgpoolService = "PGPOOL_SERVICE"
 EnvPgpoolServicePort = "PGPOOL_SERVICE_PORT"
 EnvPgpoolSSLMode = "SSLMODE"
+ EnvPgpoolExporterConnectionString = "DATA_SOURCE_NAME"
 PgpoolDefaultSSLMode = "disable"
 PgpoolExporterContainerName = "exporter"
 PgpoolAuthUsername = "pcp"
 SyncPeriod = 10
+ PgpoolTlsVolumeName = "certs"
+ PgpoolTlsVolumeMountPath = "/config/tls"
+ PgpoolExporterTlsVolumeName = "exporter-certs"
+ PgpoolExporterTlsVolumeMountPath = "/tls/certs"
+ PgpoolRootUser = "postgres"
 // ========================================== ZooKeeper Constants =================================================//
 KubeDBZooKeeperRoleName = "kubedb:zookeeper-version-reader"
diff --git a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/openapi_generated.go b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/openapi_generated.go
index f9e5d5769..4493084a8 100644
--- a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/openapi_generated.go
+++ b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/openapi_generated.go
@@ -28798,12 +28798,32 @@ func schema_apimachinery_apis_kubedb_v1alpha2_PgpoolSpec(ref common.ReferenceCal Ref: ref("k8s.io/api/core/v1.LocalObjectReference"), }, }, + "sslMode": { + SchemaProps: spec.SchemaProps{ + Description: "SSLMode for both standalone and clusters. [disable;allow;prefer;require;verify-ca;verify-full]", + Type: []string{"string"}, + Format: "", + }, + }, + "clientAuthMode": { + SchemaProps: spec.SchemaProps{ + Description: "ClientAuthMode for sidecar or sharding. (default will be md5. [md5;scram;cert])", + Type: []string{"string"}, + Format: "", + }, + }, + "tls": { + SchemaProps: spec.SchemaProps{ + Description: "TLS contains tls configurations for client and server.", + Ref: ref("kmodules.xyz/client-go/api/v1.TLSConfig"), + }, + }, }, Required: []string{"version", "postgresRef"}, }, }, Dependencies: []string{ - "k8s.io/api/core/v1.LocalObjectReference", "kmodules.xyz/client-go/api/v1.HealthCheckSpec", "kmodules.xyz/client-go/api/v1.ObjectReference", "kmodules.xyz/monitoring-agent-api/api/v1.AgentSpec", "kmodules.xyz/offshoot-api/api/v2.PodTemplateSpec", "kubedb.dev/apimachinery/apis/kubedb/v1alpha2.NamedServiceTemplateSpec", "kubedb.dev/apimachinery/apis/kubedb/v1alpha2.PgpoolConfiguration", "kubedb.dev/apimachinery/apis/kubedb/v1alpha2.SecretReference"}, + "k8s.io/api/core/v1.LocalObjectReference", "kmodules.xyz/client-go/api/v1.HealthCheckSpec", "kmodules.xyz/client-go/api/v1.ObjectReference", "kmodules.xyz/client-go/api/v1.TLSConfig", "kmodules.xyz/monitoring-agent-api/api/v1.AgentSpec", "kmodules.xyz/offshoot-api/api/v2.PodTemplateSpec", "kubedb.dev/apimachinery/apis/kubedb/v1alpha2.NamedServiceTemplateSpec", "kubedb.dev/apimachinery/apis/kubedb/v1alpha2.PgpoolConfiguration", "kubedb.dev/apimachinery/apis/kubedb/v1alpha2.SecretReference"}, } } diff --git a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/pgpool_helpers.go b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/pgpool_helpers.go index 672811576..5a05b79f2 100644 
--- a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/pgpool_helpers.go +++ b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/pgpool_helpers.go @@ -19,6 +19,7 @@ package v1alpha2 import ( "context" "fmt" + "strings" "kubedb.dev/apimachinery/apis" catalog "kubedb.dev/apimachinery/apis/catalog/v1alpha1" @@ -32,10 +33,12 @@ import ( "k8s.io/apimachinery/pkg/labels" "k8s.io/apimachinery/pkg/types" "k8s.io/klog/v2" + kmapi "kmodules.xyz/client-go/api/v1" "kmodules.xyz/client-go/apiextensions" core_util "kmodules.xyz/client-go/core/v1" meta_util "kmodules.xyz/client-go/meta" "kmodules.xyz/client-go/policy/secomp" + appcat "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1" mona "kmodules.xyz/monitoring-agent-api/api/v1" ofst "kmodules.xyz/offshoot-api/api/v2" pslister "kubeops.dev/petset/client/listers/apps/v1" @@ -69,6 +72,10 @@ func (p *Pgpool) ConfigSecretName() string { return meta_util.NameWithSuffix(p.OffshootName(), "config") } +func (p *Pgpool) TLSSecretName() string { + return meta_util.NameWithSuffix(p.OffshootName(), "tls-certs") +} + func (p *Pgpool) ServiceAccountName() string { return p.OffshootName() } 
@@ -203,6 +210,66 @@ func (p *Pgpool) ServiceLabels(alias ServiceAlias, extraLabels ...map[string]str return p.offshootLabels(meta_util.OverwriteKeys(p.OffshootSelectors(), extraLabels...), svcTemplate.Labels) } +func (p *Pgpool) GetSSLMODE(appBinding *appcat.AppBinding) (PgpoolSSLMode, error) { + if appBinding.Spec.ClientConfig.Service == nil { + return PgpoolSSLModeDisable, nil + } + sslmodeString := appBinding.Spec.ClientConfig.Service.Query + if sslmodeString == "" { + return PgpoolSSLModeDisable, nil + } + temps := strings.Split(sslmodeString, "=") + if len(temps) != 2 { + return "", fmt.Errorf("the sslmode is not valid. please provide the valid template. the temlpate should be like this: sslmode=") + } + return PgpoolSSLMode(strings.TrimSpace(temps[1])), nil +} + +func (p *Pgpool) IsBackendTLSEnabled() (bool, error) { + apb := appcat.AppBinding{} + err := DefaultClient.Get(context.TODO(), types.NamespacedName{ + Name: p.Spec.PostgresRef.Name, + Namespace: p.Spec.PostgresRef.Namespace, + }, &apb) + if err != nil { + return false, err + } + sslMode, err := p.GetSSLMODE(&apb) + if err != nil { + return false, err + } + if apb.Spec.TLSSecret != nil || len(apb.Spec.ClientConfig.CABundle) > 0 || sslMode != PgpoolSSLModeDisable { + return true, nil + } + return false, nil +} + +// CertificateName returns the default certificate name and/or certificate secret name for a certificate alias +func (p *Pgpool) CertificateName(alias PgpoolCertificateAlias) string { + return meta_util.NameWithSuffix(p.Name, fmt.Sprintf("%s-cert", string(alias))) +} + +// GetCertSecretName returns the secret name for a certificate alias if any provide, +// otherwise returns default certificate secret name for the given alias. 
+func (p *Pgpool) GetCertSecretName(alias PgpoolCertificateAlias) string { + if p.Spec.TLS != nil { + name, ok := kmapi.GetCertificateSecretName(p.Spec.TLS.Certificates, string(alias)) + if ok { + return name + } + } + return p.CertificateName(alias) +} + +func (p *Pgpool) SetTLSDefaults() { + if p.Spec.TLS == nil || p.Spec.TLS.IssuerRef == nil { + return + } + p.Spec.TLS.Certificates = kmapi.SetMissingSecretNameForCertificate(p.Spec.TLS.Certificates, string(PgpoolServerCert), p.CertificateName(PgpoolServerCert)) + p.Spec.TLS.Certificates = kmapi.SetMissingSecretNameForCertificate(p.Spec.TLS.Certificates, string(PgpoolClientCert), p.CertificateName(PgpoolClientCert)) + p.Spec.TLS.Certificates = kmapi.SetMissingSecretNameForCertificate(p.Spec.TLS.Certificates, string(PgpoolMetricsExporterCert), p.CertificateName(PgpoolMetricsExporterCert)) +} + func (p *Pgpool) SetSecurityContext(ppVersion *catalog.PgpoolVersion, podTemplate *ofst.PodTemplateSpec) { if podTemplate == nil { return @@ -272,6 +339,16 @@ func (p *Pgpool) SetDefaults() { p.Spec.PodTemplate.Spec.Containers = []core.Container{} } + if p.Spec.TLS != nil { + if p.Spec.SSLMode == "" { + p.Spec.SSLMode = PgpoolSSLModeVerifyFull + } + } else { + if p.Spec.SSLMode == "" { + p.Spec.SSLMode = PgpoolSSLModeDisable + } + } + ppVersion := catalog.PgpoolVersion{} err := DefaultClient.Get(context.TODO(), types.NamespacedName{ Name: p.Spec.Version, @@ -297,6 +374,7 @@ func (p *Pgpool) SetDefaults() { } } + p.SetTLSDefaults() p.SetHealthCheckerDefaults() p.SetSecurityContext(&ppVersion, p.Spec.PodTemplate) p.setContainerResourceLimits(p.Spec.PodTemplate) diff --git a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/pgpool_types.go b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/pgpool_types.go index 50d3d8344..80ef7813f 100644 --- a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/pgpool_types.go +++ b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/pgpool_types.go 
@@ -111,6 +111,17 @@ type PgpoolSpec struct { // +kubebuilder:default={name: "default"} // +optional PodPlacementPolicy *core.LocalObjectReference `json:"podPlacementPolicy,omitempty"` + + // SSLMode for both standalone and clusters. [disable;allow;prefer;require;verify-ca;verify-full] + SSLMode PgpoolSSLMode `json:"sslMode,omitempty"` + + // ClientAuthMode for sidecar or sharding. (default will be md5. [md5;scram;cert]) + // +kubebuilder:default=md5 + ClientAuthMode PgpoolClientAuthMode `json:"clientAuthMode,omitempty"` + + // TLS contains tls configurations for client and server. + // +optional + TLS *kmapi.TLSConfig `json:"tls,omitempty"` } // PgpoolStatus defines the observed state of Pgpool 
@@ -148,3 +159,65 @@ type PgpoolList struct { meta.ListMeta `json:"metadata,omitempty"` Items []Pgpool `json:"items"` } + +// +kubebuilder:validation:Enum=server;client;metrics-exporter +type PgpoolCertificateAlias string + +const ( + PgpoolServerCert PgpoolCertificateAlias = "server" + PgpoolClientCert PgpoolCertificateAlias = "client" + PgpoolMetricsExporterCert PgpoolCertificateAlias = "metrics-exporter" +) + +// ref: https://www.postgresql.org/docs/13/libpq-ssl.html +// +kubebuilder:validation:Enum=disable;allow;prefer;require;verify-ca;verify-full +type PgpoolSSLMode string + +const ( + // PgpoolSSLModeDisable represents `disable` sslMode. It ensures that the server does not use TLS/SSL. + PgpoolSSLModeDisable PgpoolSSLMode = "disable" + + // PgpoolSSLModeAllow represents `allow` sslMode. I don't care about security, + // but I will pay the overhead of encryption if the server insists on it. + PgpoolSSLModeAllow PgpoolSSLMode = "allow" + + // PgpoolSSLModePrefer represents `preferSSL` sslMode. + // I don't care about encryption, but I wish to pay the overhead of encryption if the server supports it. + PgpoolSSLModePrefer PgpoolSSLMode = "prefer" + + // PgpoolSSLModeRequire represents `requiteSSL` sslmode. I want my data to be encrypted, and I accept the overhead. + // I trust that the network will make sure I always connect to the server I want. + PgpoolSSLModeRequire PgpoolSSLMode = "require" + + // PgpoolSSLModeVerifyCA represents `verify-ca` sslmode. I want my data encrypted, and I accept the overhead. + // I want to be sure that I connect to a server that I trust. + PgpoolSSLModeVerifyCA PgpoolSSLMode = "verify-ca" + + // PgpoolSSLModeVerifyFull represents `verify-full` sslmode. I want my data encrypted, and I accept the overhead. + // I want to be sure that I connect to a server I trust, and that it's the one I specify. 
+ PgpoolSSLModeVerifyFull PgpoolSSLMode = "verify-full" +) + +// PgpoolClientAuthMode represents the ClientAuthMode of Pgpool clusters ( replicaset ) +// ref: https://www.postgresql.org/docs/12/auth-methods.html +// +kubebuilder:validation:Enum=md5;scram;cert +type PgpoolClientAuthMode string + +const ( + // PgpoolClientAuthModeMD5 uses a custom less secure challenge-response mechanism. + // It prevents password sniffing and avoids storing passwords on the server in plain text but provides no protection + // if an attacker manages to steal the password hash from the server. + // Also, the MD5 hash algorithm is nowadays no longer considered secure against determined attacks + PgpoolClientAuthModeMD5 PgpoolClientAuthMode = "md5" + + // PgpoolClientAuthModeScram performs SCRAM-SHA-256 authentication, as described in RFC 7677. + // It is a challenge-response scheme that prevents password sniffing on untrusted connections + // and supports storing passwords on the server in a cryptographically hashed form that is thought to be secure. + // This is the most secure of the currently provided methods, but it is not supported by older client libraries. + PgpoolClientAuthModeScram PgpoolClientAuthMode = "scram" + + // PgpoolClientAuthModeCert represents `cert clientcert=1` auth mode where client need to provide cert and private key for authentication. + // When server is config with this auth method. Client can't connect with pgpool server with password. They need + // to Send the client cert and client key certificate for authentication. + PgpoolClientAuthModeCert PgpoolClientAuthMode = "cert" +) diff --git a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/pgpool_webhook.go b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/pgpool_webhook.go index 59ac256b6..018ece3b6 100644 --- a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/pgpool_webhook.go +++ b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/pgpool_webhook.go 
@@ -31,6 +31,7 @@ import ( "k8s.io/apimachinery/pkg/types" "k8s.io/apimachinery/pkg/util/validation/field" kmapi "kmodules.xyz/client-go/api/v1" + appcat "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1" ofst "kmodules.xyz/offshoot-api/api/v2" ctrl "sigs.k8s.io/controller-runtime" logf "sigs.k8s.io/controller-runtime/pkg/log" @@ -120,6 +121,48 @@ func (p *Pgpool) ValidateCreateOrUpdate() field.ErrorList { )) } + apb := appcat.AppBinding{} + err := DefaultClient.Get(context.TODO(), types.NamespacedName{ + Name: p.Spec.PostgresRef.Name, + Namespace: p.Spec.PostgresRef.Namespace, + }, &apb) + if err != nil { + errorList = append(errorList, field.Invalid(field.NewPath("spec").Child("postgresRef"), + p.Name, + err.Error(), + )) + } + + backendSSL, err := p.IsBackendTLSEnabled() + if err != nil { + errorList = append(errorList, field.Invalid(field.NewPath("spec").Child("postgresRef"), + p.Name, + err.Error(), + )) + } + + if p.Spec.TLS == nil && backendSSL { + errorList = append(errorList, field.Required(field.NewPath("spec").Child("tls"), + "`spec.tls` must be set because backend postgres is tls enabled", + )) + } + + if p.Spec.TLS == nil { + if p.Spec.SSLMode != "disable" { + errorList = append(errorList, field.Invalid(field.NewPath("spec").Child("sslMode"), + p.Name, + "Tls is not enabled, enable it to use this sslMode", + )) + } + + if p.Spec.ClientAuthMode == "cert" { + errorList = append(errorList, field.Invalid(field.NewPath("spec").Child("clientAuthMode"), + p.Name, + "Tls is not enabled, enable it to use this clientAuthMode", + )) + } + } + if p.Spec.Replicas != nil { if *p.Spec.Replicas <= 0 { errorList = append(errorList, field.Required(field.NewPath("spec").Child("replicas"), @@ -207,6 +250,7 @@ func PgpoolValidateVersion(p *Pgpool) error { var PgpoolReservedVolumes = []string{ PgpoolConfigVolumeName, + PgpoolTlsVolumeName, } func PgpoolValidateVolumes(p *Pgpool) error { 
@@ -278,4 +322,5 @@ func PgpoolValidateVolumesMountPaths(podTemplate *ofst.PodTemplateSpec) error {
 var PgpoolReservedVolumesMountPaths = []string{
 PgpoolConfigSecretMountPath,
+ PgpoolTlsVolumeMountPath,
 }
diff --git a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/singlestore_helpers.go b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/singlestore_helpers.go
index 185931923..1ab309d89 100644
--- a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/singlestore_helpers.go
+++ b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/singlestore_helpers.go
@@ -118,7 +118,36 @@ func (s singlestoreStatsService) Scheme() string {
 }
 func (s singlestoreStatsService) TLSConfig() *promapi.TLSConfig {
- return nil
+ if s.Spec.TLS == nil {
+ return nil
+ }
+ return &promapi.TLSConfig{
+ SafeTLSConfig: promapi.SafeTLSConfig{
+ CA: promapi.SecretOrConfigMap{
+ Secret: &core.SecretKeySelector{
+ LocalObjectReference: core.LocalObjectReference{
+ Name: s.GetCertSecretName(SinglestoreClientCert),
+ },
+ Key: CACert,
+ },
+ },
+ Cert: promapi.SecretOrConfigMap{
+ Secret: &core.SecretKeySelector{
+ LocalObjectReference: core.LocalObjectReference{
+ Name: s.GetCertSecretName(SinglestoreClientCert),
+ },
+ Key: core.TLSCertKey,
+ },
+ },
+ KeySecret: &core.SecretKeySelector{
+ LocalObjectReference: core.LocalObjectReference{
+ Name: s.GetCertSecretName(SinglestoreClientCert),
+ },
+ Key: core.TLSPrivateKeyKey,
+ },
+ InsecureSkipVerify: false,
+ },
+ }
 }
 func (s Singlestore) StatsService() mona.StatsAccessor {
@@ -251,6 +280,23 @@ func (s *Singlestore) SetHealthCheckerDefaults() {
 }
 }
+// CertificateName returns the default certificate name and/or certificate secret name for a certificate alias
+func (s *Singlestore) CertificateName(alias SinglestoreCertificateAlias) string {
+ return metautil.NameWithSuffix(s.Name, fmt.Sprintf("%s-cert", string(alias)))
+}
+
+// GetCertSecretName returns the secret name for a certificate alias if any
+// otherwise returns default certificate secret name for the given alias.
+func (s *Singlestore) GetCertSecretName(alias SinglestoreCertificateAlias) string {
+ if s.Spec.TLS != nil {
+ name, ok := kmapi.GetCertificateSecretName(s.Spec.TLS.Certificates, string(alias))
+ if ok {
+ return name
+ }
+ }
+ return s.CertificateName(alias)
+}
+
 func (s *Singlestore) GetAuthSecretName() string {
 if s.Spec.AuthSecret != nil && s.Spec.AuthSecret.Name != "" {
 return s.Spec.AuthSecret.Name
@@ -461,11 +507,6 @@ func (s *Singlestore) SetTLSDefaults() {
 s.Spec.TLS.Certificates = kmapi.SetMissingSecretNameForCertificate(s.Spec.TLS.Certificates, string(SinglestoreClientCert), s.CertificateName(SinglestoreClientCert))
 }
-// CertificateName returns the default certificate name and/or certificate secret name for a certificate alias
-func (s *Singlestore) CertificateName(alias SinglestoreCertificateAlias) string {
- return metautil.NameWithSuffix(s.Name, fmt.Sprintf("%s-cert", string(alias)))
-}
-
 func (s *Singlestore) ReplicasAreReady(lister pslister.PetSetLister) (bool, string, error) {
 // Desire number of petSets
 expectedItems := 1
diff --git a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/singlestore_webhook.go b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/singlestore_webhook.go
index 2bb627e9d..f2171cb01 100644
--- a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/singlestore_webhook.go
+++ b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/singlestore_webhook.go
@@ -215,6 +215,7 @@ var sdbReservedVolumes = []string{ SinglestoreVolumeNameCustomConfig, SinglestoreVolmeNameInitScript, SinglestoreVolumeNameData, + SinglestoreVolumeNameTLS, } var sdbReservedVolumesMountPaths = []string{ @@ -222,6 +223,7 @@ var sdbReservedVolumesMountPaths = []string{ SinglestoreVolumeMountPathInitScript, SinglestoreVolumeMountPathCustomConfig, SinglestoreVolumeMountPathUserInitScript, + SinglestoreVolumeMountPathTLS, } func sdbValidateVersion(s *Singlestore) error { diff --git a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/zz_generated.deepcopy.go b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/zz_generated.deepcopy.go index 954242631..c3a775534 100644 --- a/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/zz_generated.deepcopy.go +++ b/vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/zz_generated.deepcopy.go @@ -3603,6 +3603,11 @@ func (in *PgpoolSpec) DeepCopyInto(out *PgpoolSpec) { *out = new(corev1.LocalObjectReference) **out = **in } + if in.TLS != nil { + in, out := &in.TLS, &out.TLS + *out = new(apiv1.TLSConfig) + (*in).DeepCopyInto(*out) + } return } diff --git a/vendor/kubedb.dev/apimachinery/crds/kubedb.com_pgpools.yaml b/vendor/kubedb.dev/apimachinery/crds/kubedb.com_pgpools.yaml index df1320d51..ffd0f4a30 100644 --- a/vendor/kubedb.dev/apimachinery/crds/kubedb.com_pgpools.yaml +++ b/vendor/kubedb.dev/apimachinery/crds/kubedb.com_pgpools.yaml @@ -54,6 +54,13 @@ spec: type: string type: object x-kubernetes-map-type: atomic + clientAuthMode: + default: md5 + enum: + - md5 + - scram + - cert + type: string configSecret: properties: name: @@ -3718,6 +3725,15 @@ spec: - alias type: object type: array + sslMode: + enum: + - disable + - allow + - prefer + - require + - verify-ca + - verify-full + type: string syncUsers: type: boolean terminationPolicy: 
@@ -3727,6 +3743,107 @@ spec: - WipeOut - DoNotTerminate type: string + tls: + properties: + certificates: + items: + properties: + alias: + type: string + dnsNames: + items: + type: string + type: array + duration: + type: string + emailAddresses: + items: + type: string + type: array + ipAddresses: + items: + type: string + type: array + issuerRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + privateKey: + properties: + encoding: + enum: + - PKCS1 + - PKCS8 + type: string + type: object + renewBefore: + type: string + secretName: + type: string + subject: + properties: + countries: + items: + type: string + type: array + localities: + items: + type: string + type: array + organizationalUnits: + items: + type: string + type: array + organizations: + items: + type: string + type: array + postalCodes: + items: + type: string + type: array + provinces: + items: + type: string + type: array + serialNumber: + type: string + streetAddresses: + items: + type: string + type: array + type: object + uris: + items: + type: string + type: array + required: + - alias + type: object + type: array + issuerRef: + properties: + apiGroup: + type: string + kind: + type: string + name: + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: object version: type: string required: diff --git a/vendor/modules.txt b/vendor/modules.txt index c09ef16a6..d1909d03c 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -1467,7 +1467,7 @@ kmodules.xyz/monitoring-agent-api/api/v1 ## explicit; go 1.22.0 kmodules.xyz/offshoot-api/api/v1 kmodules.xyz/offshoot-api/api/v2 -# kubedb.dev/apimachinery v0.44.1-0.20240425042236-6efef42b8792 +# kubedb.dev/apimachinery v0.44.1-0.20240426055822-7fb3d5619cd2 ## explicit; go 1.22.0 kubedb.dev/apimachinery/apis kubedb.dev/apimachinery/apis/catalog