feat(postgresql): add TLS related options

This adds `sslCert`, `sslKey` and `sslRootCert` options to the
PostgreSQL `ProviderConfig` needed to establish a connection to a
database that either uses non-public certificates or requires client
certificate authentication.

I've opted to create the `Options` struct to hold these and the existing
`sslMode` parameter, this will allow adding other options[1] easier in
the future.

[1] https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-PARAMKEYWORDS

Signed-off-by: Zoran Regvart <[email protected]>

Author: zregvart

apis/postgresql/v1alpha1/provider_types.go

@@ -19,6 +19,8 @@ package v1alpha1
 import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
+	"github.com/crossplane-contrib/provider-sql/pkg/clients"
+	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	xpv1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
 )
 
@@ -36,6 +38,24 @@ type ProviderConfigSpec struct {
 	// +kubebuilder:default=verify-full
 	// +kubebuilder:validation:Optional
 	SSLMode *string `json:"sslMode,omitempty"`
+	// Path to the certificate used for client authentication
+	// +kubebuilder:validation:Optional
+	SSLCert *string `json:"sslCert,omitempty"`
+	// Path to the key used for client authentication
+	// +kubebuilder:validation:Optional
+	SSLKey *string `json:"sslKey,omitempty"`
+	// Path to the CA certificate(s) used for verifying the server certificate
+	// +kubebuilder:validation:Optional
+	SSLRootCert *string `json:"sslRootCert,omitempty"`
+}
+
+func (s ProviderConfigSpec) Options() postgresql.Options {
+	return postgresql.Options{
+		SSLMode:     clients.ToString(s.SSLMode),
+		SSLCert:     clients.ToString(s.SSLCert),
+		SSLKey:      clients.ToString(s.SSLKey),
+		SSLRootCert: clients.ToString(s.SSLRootCert),
+	}
 }
 
 const (

apis/postgresql/v1alpha1/zz_generated.deepcopy.go

@@ -84,6 +84,12 @@ spec:
                   Defines the database name used to set up a connection to the provided
                   PostgreSQL instance. Same as PGDATABASE environment variable.
                 type: string
+              sslCert:
+                description: Path to the certificate used for client authentication
+                type: string
+              sslKey:
+                description: Path to the key used for client authentication
+                type: string
               sslMode:
                 default: verify-full
                 description: |-
@@ -95,6 +101,10 @@ spec:
                 - verify-ca
                 - verify-full
                 type: string
+              sslRootCert:
+                description: Path to the CA certificate(s) used for verifying the
+                  server certificate
+                type: string
             required:
             - credentials
             type: object

package/crds/postgresql.sql.crossplane.io_providerconfigs.yaml

@@ -23,31 +23,62 @@ type postgresDB struct {
 	dsn      string
 	endpoint string
 	port     string
-	sslmode  string
+	options  Options
+}
+
+type Options struct {
+	SSLMode     string
+	SSLCert     string
+	SSLKey      string
+	SSLRootCert string
+}
+
+func (o Options) queryString() string {
+	values := url.Values{}
+
+	if o.SSLMode != "" {
+		values.Add("sslmode", o.SSLMode)
+	}
+
+	if o.SSLCert != "" {
+		values.Add("sslcert", o.SSLCert)
+	}
+
+	if o.SSLKey != "" {
+		values.Add("sslkey", o.SSLKey)
+	}
+
+	if o.SSLRootCert != "" {
+		values.Add("sslrootcert", o.SSLRootCert)
+	}
+
+	return values.Encode()
 }
 
 // New returns a new PostgreSQL database client. The default database name is
 // an empty string. The underlying pq library will default to either using the
 // value of PGDATABASE, or if unset, the hardcoded string 'postgres'.
-// The sslmode defines the mode used to set up the connection for the provider.
-func New(creds map[string][]byte, database, sslmode string) xsql.DB {
+// The options provide additional settings to set up the connection for the
+// provider.
+func New(creds map[string][]byte, database string, options Options) xsql.DB {
 	// TODO(negz): Support alternative connection secret formats?
 	endpoint := string(creds[xpv1.ResourceCredentialsSecretEndpointKey])
 	port := string(creds[xpv1.ResourceCredentialsSecretPortKey])
 	username := string(creds[xpv1.ResourceCredentialsSecretUserKey])
 	password := string(creds[xpv1.ResourceCredentialsSecretPasswordKey])
-	dsn := DSN(username, password, endpoint, port, database, sslmode)
+
+	dsn := DSN(username, password, endpoint, port, database, options.queryString())
 
 	return postgresDB{
 		dsn:      dsn,
 		endpoint: endpoint,
 		port:     port,
-		sslmode:  sslmode,
+		options:  options,
 	}
 }
 
 // DSN returns the DSN URL
-func DSN(username, password, endpoint, port, database, sslmode string) string {
+func DSN(username, password, endpoint, port, database, options string) string {
 	// Use net/url UserPassword to encode the username and password
 	// This will ensure that any special characters in the username or password
 	// are percent-encoded for use in the user info portion of the DSN URL
@@ -57,7 +88,8 @@ func DSN(username, password, endpoint, port, database, sslmode string) string {
 		endpoint + ":" +
 		port + "/" +
 		database +
-		"?sslmode=" + sslmode
+		"?" + options
+
 }
 
 // ExecTx executes an array of queries, committing if all are successful and
@@ -130,10 +162,13 @@ func (c postgresDB) Scan(ctx context.Context, q xsql.Query, dest ...interface{})
 // GetConnectionDetails returns the connection details for a user of this DB
 func (c postgresDB) GetConnectionDetails(username, password string) managed.ConnectionDetails {
 	return managed.ConnectionDetails{
-		xpv1.ResourceCredentialsSecretUserKey:     []byte(username),
-		xpv1.ResourceCredentialsSecretPasswordKey: []byte(password),
-		xpv1.ResourceCredentialsSecretEndpointKey: []byte(c.endpoint),
-		xpv1.ResourceCredentialsSecretPortKey:     []byte(c.port),
+		xpv1.ResourceCredentialsSecretUserKey:       []byte(username),
+		xpv1.ResourceCredentialsSecretPasswordKey:   []byte(password),
+		xpv1.ResourceCredentialsSecretEndpointKey:   []byte(c.endpoint),
+		xpv1.ResourceCredentialsSecretPortKey:       []byte(c.port),
+		xpv1.ResourceCredentialsSecretClientCertKey: []byte(c.options.SSLCert),
+		xpv1.ResourceCredentialsSecretClientKeyKey:  []byte(c.options.SSLKey),
+		xpv1.ResourceCredentialsSecretCAKey:         []byte(c.options.SSLRootCert),
 	}
 }
 

pkg/clients/postgresql/postgresql.go

@@ -12,8 +12,44 @@ func TestDSNURLEscaping(t *testing.T) {
 	rawPass := "password^"
 	encPass := "password%5E"
 	sslmode := "require"
-	dsn := DSN(user, rawPass, endpoint, port, db, sslmode)
+	options := Options{
+		SSLMode: sslmode,
+	}
+	dsn := DSN(user, rawPass, endpoint, port, db, options.queryString())
 	if dsn != "postgres://"+user+":"+encPass+"@"+endpoint+":"+port+"/"+db+"?sslmode="+sslmode {
 		t.Errorf("DSN string did not match expected output with userinfo URL encoded")
 	}
 }
+
+func TestOptionsToQueryString(t *testing.T) {
+	cases := []struct {
+		name     string
+		given    Options
+		expected string
+	}{
+		{
+			name:     "empty",
+			given:    Options{},
+			expected: "",
+		},
+		{
+			name: "everything",
+			given: Options{
+				SSLMode:     "require",
+				SSLCert:     "/path/to/ssl.crt",
+				SSLKey:      "/path/to/ssl.key",
+				SSLRootCert: "/path/to/ca.crt",
+			},
+			expected: "sslcert=%2Fpath%2Fto%2Fssl.crt&sslkey=%2Fpath%2Fto%2Fssl.key&sslmode=require&sslrootcert=%2Fpath%2Fto%2Fca.crt",
+		},
+	}
+
+	for _, c := range cases {
+		t.Run(c.name, func(t *testing.T) {
+			got := c.given.queryString()
+			if c.expected != got {
+				t.Errorf("Expected query string to be %q, but it was %q", c.expected, got)
+			}
+		})
+	}
+}

pkg/clients/postgresql/postgresql_test.go

@@ -40,7 +40,6 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 
 	"github.com/crossplane-contrib/provider-sql/apis/postgresql/v1alpha1"
-	"github.com/crossplane-contrib/provider-sql/pkg/clients"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
@@ -93,7 +92,7 @@ func Setup(mgr ctrl.Manager, o xpcontroller.Options) error {
 type connector struct {
 	kube  client.Client
 	usage resource.Tracker
-	newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+	newDB func(creds map[string][]byte, database string, options postgresql.Options) xsql.DB
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -126,7 +125,7 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 		return nil, errors.Wrap(err, errGetSecret)
 	}
 
-	return &external{db: c.newDB(s.Data, pc.Spec.DefaultDatabase, clients.ToString(pc.Spec.SSLMode))}, nil
+	return &external{db: c.newDB(s.Data, pc.Spec.DefaultDatabase, pc.Spec.Options())}, nil
 }
 
 type external struct{ db xsql.DB }

pkg/controller/postgresql/database/reconciler.go

@@ -32,6 +32,7 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 
+	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
 
@@ -64,7 +65,7 @@ func TestConnect(t *testing.T) {
 	type fields struct {
 		kube  client.Client
 		usage resource.Tracker
-		newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+		newDB func(creds map[string][]byte, database string, options postgresql.Options) xsql.DB
 	}
 
 	type args struct {

pkg/controller/postgresql/database/reconciler_test.go

@@ -36,7 +36,6 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 
 	"github.com/crossplane-contrib/provider-sql/apis/postgresql/v1alpha1"
-	"github.com/crossplane-contrib/provider-sql/pkg/clients"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
@@ -85,7 +84,7 @@ func Setup(mgr ctrl.Manager, o xpcontroller.Options) error {
 type connector struct {
 	kube  client.Client
 	usage resource.Tracker
-	newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+	newDB func(creds map[string][]byte, database string, options postgresql.Options) xsql.DB
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -118,13 +117,15 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 		return nil, errors.Wrap(err, errGetSecret)
 	}
 
+	options := pc.Spec.Options()
+
 	// We do not want to create an extension on the default DB
 	// if the user was expecting a database name to be resolved.
 	if cr.Spec.ForProvider.Database != nil {
-		return &external{db: c.newDB(s.Data, *cr.Spec.ForProvider.Database, clients.ToString(pc.Spec.SSLMode))}, nil
+		return &external{db: c.newDB(s.Data, *cr.Spec.ForProvider.Database, options)}, nil
 	}
 
-	return &external{db: c.newDB(s.Data, pc.Spec.DefaultDatabase, clients.ToString(pc.Spec.SSLMode))}, nil
+	return &external{db: c.newDB(s.Data, pc.Spec.DefaultDatabase, options)}, nil
 }
 
 type external struct{ db xsql.DB }

pkg/controller/postgresql/extension/reconciler.go

@@ -32,6 +32,7 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 	"github.com/crossplane/crossplane-runtime/pkg/test"
 
+	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
 
@@ -64,7 +65,7 @@ func TestConnect(t *testing.T) {
 	type fields struct {
 		kube  client.Client
 		usage resource.Tracker
-		newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+		newDB func(creds map[string][]byte, database string, options postgresql.Options) xsql.DB
 	}
 
 	type args struct {

pkg/controller/postgresql/extension/reconciler_test.go

@@ -37,7 +37,6 @@ import (
 	"github.com/crossplane/crossplane-runtime/pkg/resource"
 
 	"github.com/crossplane-contrib/provider-sql/apis/postgresql/v1alpha1"
-	"github.com/crossplane-contrib/provider-sql/pkg/clients"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/postgresql"
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 )
@@ -94,7 +93,7 @@ func Setup(mgr ctrl.Manager, o xpcontroller.Options) error {
 type connector struct {
 	kube  client.Client
 	usage resource.Tracker
-	newDB func(creds map[string][]byte, database string, sslmode string) xsql.DB
+	newDB func(creds map[string][]byte, database string, options postgresql.Options) xsql.DB
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -127,7 +126,7 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 		return nil, errors.Wrap(err, errGetSecret)
 	}
 	return &external{
-		db:   c.newDB(s.Data, pc.Spec.DefaultDatabase, clients.ToString(pc.Spec.SSLMode)),
+		db:   c.newDB(s.Data, pc.Spec.DefaultDatabase, pc.Spec.Options()),
 		kube: c.kube,
 	}, nil
 }