feat(postgresql): TLS options via Secret

Adds support for configuring TLS options using the credentials Secret.
Very similar to how other providers are configured, this now also reads
the `clusterCA`, `clientCert` and `clientKey` keys from the Secret.

Integration tests are added, though they could be optimized to setup the
PostgreSQL database only once and modify the configuration as needed to
reduce the lenght of the tests, left as is for now.

Author: zregvart

cluster/local/postgresdb_functions.sh

@@ -137,6 +137,33 @@ EOF
   "${KUBECTL}" patch providers.pkg.crossplane.io/provider-sql --type=json --patch='[{"op":"add","path":"/spec/runtimeConfigRef","value":{"name":"postgres-tls"}}]'
 }
 
+setup_provider_config_postgres_inline_tls() {
+  echo_step "creating ProviderConfig for PostgresDb with inline TLS"
+  local yaml="$(cat <<EOF
+---
+apiVersion: postgresql.sql.crossplane.io/v1alpha1
+kind: ProviderConfig
+metadata:
+  name: default
+spec:
+  credentials:
+    source: PostgreSQLConnectionSecret
+    connectionSecretRef:
+      namespace: default
+      name: postgresdb-creds
+EOF
+  )"
+  echo "${yaml}" | "${KUBECTL}" apply -f -
+
+  # make use of the default debug-config DeploymentRuntimeConfig
+  "${KUBECTL}" patch providers.pkg.crossplane.io/provider-sql --type=json --patch='[{"op":"add","path":"/spec/runtimeConfigRef","value":{"name":"debug-config"}}]'
+
+  # add the clusterCA key from the postgresdb-postgresql-crt Secret created by
+  # Helm chart to the postgresdb-creds Secret
+  sslrootcert="$("${KUBECTL}" get secret postgresdb-postgresql-crt -o go-template='{{index .data "ca.crt"}}')"
+  "${KUBECTL}" patch secret postgresdb-creds --type='json' --patch='[{"op" : "add" ,"path" : "/data/clusterCA" ,"value" : "'"${sslrootcert}"'"}]'
+}
+
 setup_postgresdb_tests(){
 # install provider resources
 echo_step "creating PostgresDB Database resource"
@@ -306,6 +333,10 @@ delete_postgresdb_resources(){
 
   # make sure to delete the PVC, otherwise the password will be reused from the first installation
   "${KUBECTL}" delete --ignore-not-found=true pvc data-postgresdb-postgresql-0
+
+  "${KUBECTL}" delete --ignore-not-found=true service postgres-nodeport
+
+  "${KUBECTL}" delete --ignore-not-found=true secret -n crossplane-system postgresdb-postgresql-crt
 }
 
 integration_tests_postgres() {
@@ -329,4 +360,16 @@ integration_tests_postgres() {
     delete_postgresdb_resources
   }
   tls_tests
+
+  inline_tls_tests() {
+    local PGSSLMODE=require
+    setup_postgresdb_tls
+    setup_provider_config_postgres_inline_tls
+    check_tls_used
+    setup_observe_only_database
+    setup_postgresdb_tests
+    check_all_roles_privileges
+    delete_postgresdb_resources
+  }
+  inline_tls_tests
 }

pkg/clients/postgresql/postgresql.go

@@ -5,6 +5,7 @@ import (
 	"database/sql"
 	"errors"
 	"net/url"
+	"os"
 
 	"github.com/crossplane-contrib/provider-sql/pkg/clients/xsql"
 	"github.com/lib/pq"
@@ -55,17 +56,59 @@ func (o Options) queryString() string {
 	return values.Encode()
 }
 
+func (o *Options) withSecretData(data map[string][]byte) error {
+	set := func(key string, to *string) error {
+		v, ok := data[key]
+
+		if !ok {
+			return nil
+		}
+
+		f, err := os.CreateTemp("", key)
+		if err != nil {
+			return err
+		}
+		defer f.Close()
+
+		if _, err := f.Write(v); err != nil {
+			return err
+		}
+
+		*to = f.Name()
+
+		return nil
+	}
+
+	if err := set(xpv1.ResourceCredentialsSecretClientCertKey, &o.SSLCert); err != nil {
+		return err
+	}
+
+	if err := set(xpv1.ResourceCredentialsSecretClientKeyKey, &o.SSLKey); err != nil {
+		return err
+	}
+
+	if err := set(xpv1.ResourceCredentialsSecretCAKey, &o.SSLRootCert); err != nil {
+		return err
+	}
+
+	return nil
+}
+
 // New returns a new PostgreSQL database client. The default database name is
 // an empty string. The underlying pq library will default to either using the
 // value of PGDATABASE, or if unset, the hardcoded string 'postgres'.
 // The options provide additional settings to set up the connection for the
 // provider.
-func New(creds map[string][]byte, database string, options Options) xsql.DB {
+func New(data map[string][]byte, database string, options Options) (xsql.DB, error) {
 	// TODO(negz): Support alternative connection secret formats?
-	endpoint := string(creds[xpv1.ResourceCredentialsSecretEndpointKey])
-	port := string(creds[xpv1.ResourceCredentialsSecretPortKey])
-	username := string(creds[xpv1.ResourceCredentialsSecretUserKey])
-	password := string(creds[xpv1.ResourceCredentialsSecretPasswordKey])
+	endpoint := string(data[xpv1.ResourceCredentialsSecretEndpointKey])
+	port := string(data[xpv1.ResourceCredentialsSecretPortKey])
+	username := string(data[xpv1.ResourceCredentialsSecretUserKey])
+	password := string(data[xpv1.ResourceCredentialsSecretPasswordKey])
+
+	if err := options.withSecretData(data); err != nil {
+		return nil, err
+	}
 
 	dsn := DSN(username, password, endpoint, port, database, options.queryString())
 
@@ -74,7 +117,7 @@ func New(creds map[string][]byte, database string, options Options) xsql.DB {
 		endpoint: endpoint,
 		port:     port,
 		options:  options,
-	}
+	}, nil
 }
 
 // DSN returns the DSN URL

pkg/clients/postgresql/postgresql_test.go

@@ -1,7 +1,27 @@
 package postgresql
 
 import (
+	"os"
 	"testing"
+
+	v1 "github.com/crossplane/crossplane-runtime/apis/common/v1"
+)
+
+const (
+	cert = `-----BEGIN CERTIFICATE-----
+MIIE/zCCAuegAwIBAgIUaQ2NqCCwap45bHpheQkI8ogei9wwDQYJKoZIhvcNAQEL
+nttUIJXC4NaaNY8xpwYBQF+Qm/Fkr68f2PbEQKp5MH1SI6U=
+-----END CERTIFICATE-----`
+
+	key = `-----BEGIN PRIVATE KEY-----
+MIIJQQIBADANBgkqhkiG9w0BAQEFAASCCSswggknAgEAAoICAQDBLPQTfvYTlFE1
+cX7ME/e2Dw2PsBiJYZaE7Nt/J1U5
+-----END PRIVATE KEY-----`
+
+	ca = `-----BEGIN CERTIFICATE-----
+MIIE+zCCAuOgAwIBAgIUSGfXbm4N5zBbvOo3tKJHMwxMu7YwDQYJKoZIhvcNAQEL
+tayuDzWN/5JRcsY3WSewY9kAzwLCXWzY9GzvBcRrPQ==
+-----END CERTIFICATE-----`
 )
 
 func TestDSNURLEscaping(t *testing.T) {
@@ -22,6 +42,16 @@ func TestDSNURLEscaping(t *testing.T) {
 }
 
 func TestOptionsToQueryString(t *testing.T) {
+	tmpdir := t.TempDir()
+	os.Setenv("TMPDIR", tmpdir)
+
+	inline := Options{}
+	inline.withSecretData(map[string][]byte{
+		v1.ResourceCredentialsSecretClientCertKey: []byte(cert),
+		v1.ResourceCredentialsSecretClientKeyKey:  []byte(key),
+		v1.ResourceCredentialsSecretCAKey:         []byte(ca),
+	})
+
 	cases := []struct {
 		name     string
 		given    Options

pkg/controller/postgresql/database/reconciler.go

@@ -45,10 +45,11 @@ import (
 )
 
 const (
-	errTrackPCUsage = "cannot track ProviderConfig usage"
-	errGetPC        = "cannot get ProviderConfig"
-	errNoSecretRef  = "ProviderConfig does not reference a credentials Secret"
-	errGetSecret    = "cannot get credentials Secret"
+	errTrackPCUsage     = "cannot track ProviderConfig usage"
+	errGetPC            = "cannot get ProviderConfig"
+	errNoSecretRef      = "ProviderConfig does not reference a credentials Secret"
+	errGetSecret        = "cannot get credentials Secret"
+	errCreateConnection = "cannot configure connection"
 
 	errNotDatabase       = "managed resource is not a Database custom resource"
 	errSelectDB          = "cannot select database"
@@ -92,7 +93,7 @@ func Setup(mgr ctrl.Manager, o xpcontroller.Options) error {
 type connector struct {
 	kube  client.Client
 	usage resource.Tracker
-	newDB func(creds map[string][]byte, database string, options postgresql.Options) xsql.DB
+	newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -125,7 +126,12 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 		return nil, errors.Wrap(err, errGetSecret)
 	}
 
-	return &external{db: c.newDB(s.Data, pc.Spec.DefaultDatabase, pc.Spec.Options())}, nil
+	db, err := c.newDB(s.Data, pc.Spec.DefaultDatabase, pc.Spec.Options())
+	if err != nil {
+		return nil, errors.Wrap(err, errCreateConnection)
+	}
+
+	return &external{db}, nil
 }
 
 type external struct{ db xsql.DB }

pkg/controller/postgresql/database/reconciler_test.go

@@ -65,7 +65,7 @@ func TestConnect(t *testing.T) {
 	type fields struct {
 		kube  client.Client
 		usage resource.Tracker
-		newDB func(creds map[string][]byte, database string, options postgresql.Options) xsql.DB
+		newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 	}
 
 	type args struct {

pkg/controller/postgresql/extension/reconciler.go

@@ -84,7 +84,7 @@ func Setup(mgr ctrl.Manager, o xpcontroller.Options) error {
 type connector struct {
 	kube  client.Client
 	usage resource.Tracker
-	newDB func(creds map[string][]byte, database string, options postgresql.Options) xsql.DB
+	newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -122,10 +122,18 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 	// We do not want to create an extension on the default DB
 	// if the user was expecting a database name to be resolved.
 	if cr.Spec.ForProvider.Database != nil {
-		return &external{db: c.newDB(s.Data, *cr.Spec.ForProvider.Database, options)}, nil
+		db, err := c.newDB(s.Data, *cr.Spec.ForProvider.Database, options)
+		if err != nil {
+			return nil, err
+		}
+		return &external{db}, nil
 	}
 
-	return &external{db: c.newDB(s.Data, pc.Spec.DefaultDatabase, options)}, nil
+	db, err := c.newDB(s.Data, pc.Spec.DefaultDatabase, options)
+	if err != nil {
+		return nil, err
+	}
+	return &external{db}, nil
 }
 
 type external struct{ db xsql.DB }

pkg/controller/postgresql/extension/reconciler_test.go

@@ -65,7 +65,7 @@ func TestConnect(t *testing.T) {
 	type fields struct {
 		kube  client.Client
 		usage resource.Tracker
-		newDB func(creds map[string][]byte, database string, options postgresql.Options) xsql.DB
+		newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 	}
 
 	type args struct {

pkg/controller/postgresql/grant/reconciler.go

@@ -42,10 +42,11 @@ import (
 )
 
 const (
-	errTrackPCUsage = "cannot track ProviderConfig usage"
-	errGetPC        = "cannot get ProviderConfig"
-	errNoSecretRef  = "ProviderConfig does not reference a credentials Secret"
-	errGetSecret    = "cannot get credentials Secret"
+	errTrackPCUsage     = "cannot track ProviderConfig usage"
+	errGetPC            = "cannot get ProviderConfig"
+	errNoSecretRef      = "ProviderConfig does not reference a credentials Secret"
+	errGetSecret        = "cannot get credentials Secret"
+	errCreateConnection = "cannot configure connection"
 
 	errNotGrant     = "managed resource is not a Grant custom resource"
 	errSelectGrant  = "cannot select grant"
@@ -93,7 +94,7 @@ func Setup(mgr ctrl.Manager, o xpcontroller.Options) error {
 type connector struct {
 	kube  client.Client
 	usage resource.Tracker
-	newDB func(creds map[string][]byte, database string, options postgresql.Options) xsql.DB
+	newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -125,8 +126,14 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 	if err := c.kube.Get(ctx, types.NamespacedName{Namespace: ref.Namespace, Name: ref.Name}, s); err != nil {
 		return nil, errors.Wrap(err, errGetSecret)
 	}
+
+	db, err := c.newDB(s.Data, pc.Spec.DefaultDatabase, pc.Spec.Options())
+	if err != nil {
+		return nil, errors.Wrap(err, errCreateConnection)
+	}
+
 	return &external{
-		db:   c.newDB(s.Data, pc.Spec.DefaultDatabase, pc.Spec.Options()),
+		db:   db,
 		kube: c.kube,
 	}, nil
 }

pkg/controller/postgresql/grant/reconciler_test.go

@@ -75,7 +75,7 @@ func TestConnect(t *testing.T) {
 	type fields struct {
 		kube  client.Client
 		usage resource.Tracker
-		newDB func(creds map[string][]byte, database string, options postgresql.Options) xsql.DB
+		newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 	}
 
 	type args struct {

pkg/controller/postgresql/role/reconciler.go

@@ -47,10 +47,11 @@ import (
 )
 
 const (
-	errTrackPCUsage = "cannot track ProviderConfig usage"
-	errGetPC        = "cannot get ProviderConfig"
-	errNoSecretRef  = "ProviderConfig does not reference a credentials Secret"
-	errGetSecret    = "cannot get credentials Secret"
+	errTrackPCUsage     = "cannot track ProviderConfig usage"
+	errGetPC            = "cannot get ProviderConfig"
+	errNoSecretRef      = "ProviderConfig does not reference a credentials Secret"
+	errGetSecret        = "cannot get credentials Secret"
+	errCreateConnection = "cannot configure connection"
 
 	errNotRole                 = "managed resource is not a Role custom resource"
 	errSelectRole              = "cannot select role"
@@ -94,7 +95,7 @@ func Setup(mgr ctrl.Manager, o xpcontroller.Options) error {
 type connector struct {
 	kube  client.Client
 	usage resource.Tracker
-	newDB func(creds map[string][]byte, database string, options postgresql.Options) xsql.DB
+	newDB func(creds map[string][]byte, database string, options postgresql.Options) (xsql.DB, error)
 }
 
 func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.ExternalClient, error) {
@@ -127,8 +128,13 @@ func (c *connector) Connect(ctx context.Context, mg resource.Managed) (managed.E
 		return nil, errors.Wrap(err, errGetSecret)
 	}
 
+	db, err := c.newDB(s.Data, pc.Spec.DefaultDatabase, pc.Spec.Options())
+	if err != nil {
+		return nil, errors.Wrap(err, errCreateConnection)
+	}
+
 	return &external{
-		db:   c.newDB(s.Data, pc.Spec.DefaultDatabase, pc.Spec.Options()),
+		db:   db,
 		kube: c.kube,
 	}, nil
 }