feat(db): enable JDBC TLS configuration

cryostatio · Jan 17, 2025 · 7f0ee2a · 7f0ee2a
1 parent 7f7dfd6
commit 7f0ee2a
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 73 deletions.
diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml
@@ -30,7 +30,7 @@ metadata:
     capabilities: Seamless Upgrades
     categories: Monitoring, Developer Tools
     containerImage: quay.io/cryostat/cryostat-operator:4.0.0-dev
-    createdAt: "2025-01-14T19:21:36Z"
+    createdAt: "2025-01-17T20:06:56Z"
     description: JVM monitoring and profiling tool
     operatorframework.io/initialization-resource: |-
       {

diff --git a/internal/controllers/common/resource_definitions/resource_definitions.go b/internal/controllers/common/resource_definitions/resource_definitions.go
@@ -526,6 +526,17 @@ func NewPodForCR(cr *model.CryostatInstance, specs *ServiceSpecs, imageTags *Ima
 				},
 			},
 		)
+
+		dbTlsVolume := corev1.Volume{
+			Name: "database-tls-secret",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName:  tls.DatabaseSecret,
+					DefaultMode: &readOnlyMode,
+				},
+			},
+		}
+		volumes = append(volumes, dbTlsVolume)
 	}
 
 	// Project certificate secrets into deployment
@@ -655,14 +666,16 @@ func NewPodForCR(cr *model.CryostatInstance, specs *ServiceSpecs, imageTags *Ima
 func NewPodForDatabase(cr *model.CryostatInstance, imageTags *ImageTags, tls *TLSConfig, openshift bool, fsGroup int64) *corev1.PodSpec {
 	container := []corev1.Container{NewDatabaseContainer(cr, imageTags.DatabaseImageTag, tls)}
 
-	volumes := newVolumeForDatabse(cr)
+	volumes := newVolumeForDatabase(cr)
 
 	if tls != nil {
+		readOnlyMode := int32(0440)
 		secretVolume := corev1.Volume{
 			Name: "database-tls-secret",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
-					SecretName: tls.DatabaseSecret,
+					SecretName:  tls.DatabaseSecret,
+					DefaultMode: &readOnlyMode,
 				},
 			},
 		}
@@ -1259,10 +1272,6 @@ func NewCoreContainer(cr *model.CryostatInstance, specs *ServiceSpecs, imageTag
 			Name:  "QUARKUS_DATASOURCE_USERNAME",
 			Value: "cryostat",
 		},
-		{
-			Name:  "QUARKUS_DATASOURCE_JDBC_URL",
-			Value: fmt.Sprintf("jdbc:postgresql://%s-database.%s.svc.cluster.local:5432/cryostat", cr.Name, cr.InstallNamespace),
-		},
 		{
 			Name:  "STORAGE_BUCKETS_ARCHIVE_NAME",
 			Value: "archivedrecordings",
@@ -1476,6 +1485,25 @@ func NewCoreContainer(cr *model.CryostatInstance, specs *ServiceSpecs, imageTag
 		}
 		mounts = append(mounts, mount)
 	}
+	if tls != nil {
+		pathPrefix := "/var/run/secrets/operator.cryostat.io"
+		tlsPath := fmt.Sprintf("%s/%s", pathPrefix, tls.DatabaseSecret)
+		tlsSecretMount := corev1.VolumeMount{
+			Name:      "database-tls-secret",
+			MountPath: tlsPath,
+			ReadOnly:  true,
+		}
+		mounts = append(mounts, tlsSecretMount)
+		envs = append(envs, corev1.EnvVar{
+			Name:  "QUARKUS_DATASOURCE_JDBC_URL",
+			Value: fmt.Sprintf("jdbc:postgresql://%s-database.%s.svc.cluster.local:5432/cryostat?ssl=true&sslmode=verify-full&sslcert=&sslrootcert=%s/ca.crt", cr.Name, cr.InstallNamespace, tlsPath),
+		})
+	} else {
+		envs = append(envs, corev1.EnvVar{
+			Name:  "QUARKUS_DATASOURCE_JDBC_URL",
+			Value: fmt.Sprintf("jdbc:postgresql://%s-database.%s.svc.cluster.local:5432/cryostat", cr.Name, cr.InstallNamespace),
+		})
+	}
 
 	probeHandler := corev1.ProbeHandler{
 		HTTPGet: &corev1.HTTPGetAction{
@@ -1800,43 +1828,20 @@ func NewDatabaseContainer(cr *model.CryostatInstance, imageTag string, tls *TLSC
 		},
 	}
 
-	// TODO
-	/**
-	if tls != nil {
-		tlsEnvs := []corev1.EnvVar{
-			{
-				Name:  "QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL",
-				Value: "true",
-			},
-			{
-				Name:  "QUARKUS_DATASOURCE_REACTIVE_KEY_CERTIFICATE_PEM_KEYS",
-				Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls/tls.key", cr.Name),
-			},
-			{
-				Name:  "QUARKUS_DATASOURCE_REACTIVE_KEY_CERTIFICATE_PEM_CERTS",
-				Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls/tls.crt", cr.Name),
-			},
-			{
-				Name:  "QUARKUS_DATASOURCE_REACTIVE_URL",
-				Value: fmt.Sprintf("https://%s-database:5432", cr.Name),
-			},
-		}
-		envs = append(envs, tlsEnvs...)
+	args := []string{}
 
+	if tls != nil {
+		pathPrefix := "/var/run/secrets/operator.cryostat.io"
+		tlsPath := fmt.Sprintf("%s/%s", pathPrefix, tls.DatabaseSecret)
 		tlsSecretMount := corev1.VolumeMount{
 			Name:      "database-tls-secret",
-			MountPath: "/var/run/secrets/operator.cryostat.io/" + tls.DatabaseSecret,
+			MountPath: tlsPath,
 			ReadOnly:  true,
 		}
-
 		mounts = append(mounts, tlsSecretMount)
-	} else {
-		envs = append(envs, corev1.EnvVar{
-			Name:  "QUARKUS_DATASOURCE_REACTIVE_URL",
-			Value: fmt.Sprintf("http://%s-database:5432", cr.Name),
-		})
+
+		args = append(args, "-c", "ssl=on", "-c", fmt.Sprintf("ssl_cert_file=%s/tls.crt", tlsPath), "-c", fmt.Sprintf("ssl_key_file=%s/tls.key", tlsPath))
 	}
-	**/
 
 	return corev1.Container{
 		Name:            cr.Name + "-db",
@@ -1845,6 +1850,7 @@ func NewDatabaseContainer(cr *model.CryostatInstance, imageTag string, tls *TLSC
 		VolumeMounts:    mounts,
 		SecurityContext: containerSc,
 		Env:             envs,
+		Args:            args,
 		Ports: []corev1.ContainerPort{
 			{
 				ContainerPort: constants.DatabasePort,
@@ -2041,7 +2047,7 @@ func newVolumeForCR(cr *model.CryostatInstance) []corev1.Volume {
 	}
 }
 
-func newVolumeForDatabse(cr *model.CryostatInstance) []corev1.Volume {
+func newVolumeForDatabase(cr *model.CryostatInstance) []corev1.Volume {
 	var volumeSource corev1.VolumeSource
 	if useEmptyDir(cr) {
 		emptyDir := cr.Spec.StorageOptions.EmptyDir

diff --git a/internal/controllers/reconciler_test.go b/internal/controllers/reconciler_test.go
@@ -3613,6 +3613,7 @@ func (t *cryostatTestInput) checkDatabaseContainer(container *corev1.Container,
 	}
 	Expect(container.Ports).To(ConsistOf(t.NewDatabasePorts()))
 	Expect(container.Env).To(ConsistOf(t.NewDatabaseEnvironmentVariables(dbSecretProvided)))
+	Expect(container.Args).To(ConsistOf(t.NewDatabaseArgs()))
 	Expect(container.EnvFrom).To(BeEmpty())
 	Expect(container.VolumeMounts).To(ConsistOf(t.NewDatabaseVolumeMounts()))
 	Expect(container.ReadinessProbe).To(Equal(t.NewDatabaseReadinessProbe()))

diff --git a/internal/test/resources.go b/internal/test/resources.go
@@ -1710,10 +1710,6 @@ func (r *TestResources) NewCoreEnvironmentVariables(reportsUrl string, ingress b
 			Name:  "QUARKUS_DATASOURCE_USERNAME",
 			Value: "cryostat",
 		},
-		{
-			Name:  "QUARKUS_DATASOURCE_JDBC_URL",
-			Value: fmt.Sprintf("jdbc:postgresql://%s-database.%s.svc.cluster.local:5432/cryostat", r.Name, r.Namespace),
-		},
 		{
 			Name:  "STORAGE_BUCKETS_ARCHIVE_NAME",
 			Value: "archivedrecordings",
@@ -1775,6 +1771,17 @@ func (r *TestResources) NewCoreEnvironmentVariables(reportsUrl string, ingress b
 			Value: "$(QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY)",
 		},
 	}
+	if r.TLS {
+		envs = append(envs, corev1.EnvVar{
+			Name:  "QUARKUS_DATASOURCE_JDBC_URL",
+			Value: fmt.Sprintf("jdbc:postgresql://%s-database.%s.svc.cluster.local:5432/cryostat?ssl=true&sslmode=verify-full&sslcert=&sslrootcert=/var/run/secrets/operator.cryostat.io/%s-database-tls/ca.crt", r.Name, r.Namespace, r.Name),
+		})
+	} else {
+		envs = append(envs, corev1.EnvVar{
+			Name:  "QUARKUS_DATASOURCE_JDBC_URL",
+			Value: fmt.Sprintf("jdbc:postgresql://%s-database.%s.svc.cluster.local:5432/cryostat", r.Name, r.Namespace),
+		})
+	}
 
 	envs = append(envs, r.NewTargetDiscoveryEnvVars(hasPortConfig, builtInDiscoveryDisabled, builtInPortConfigDisabled)...)
 
@@ -2027,30 +2034,26 @@ func (r *TestResources) NewDatabaseEnvironmentVariables(dbSecretProvided bool) [
 			},
 		},
 	}
-	/**
-	if r.TLS {
-		envs = append(envs, corev1.EnvVar{
-			Name:  "QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL",
-			Value: "true",
-		}, corev1.EnvVar{
-			Name:  "QUARKUS_DATASOURCE_REACTIVE_KEY_CERTIFICATE_PEM_KEYS",
-			Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls/tls.key", r.Name),
-		}, corev1.EnvVar{
-			Name:  "QUARKUS_DATASOURCE_REACTIVE_KEY_CERTIFICATE_PEM_CERTS",
-			Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls/tls.crt", r.Name),
-		}, corev1.EnvVar{
-			Name:  "QUARKUS_DATASOURCE_REACTIVE_URL",
-			Value: fmt.Sprintf("https://%s-database:5432", r.Name),
-		})
-	} else {
-		envs = append(envs, corev1.EnvVar{
-			Name:  "QUARKUS_DATASOURCE_REACTIVE_URL",
-			Value: fmt.Sprintf("http://%s-database:5432", r.Name),
-		})
-	}**/
 	return envs
 }
 
+func (r *TestResources) NewDatabaseArgs() []string {
+	args := []string{}
+
+	if r.TLS {
+		args = append(args,
+			"-c",
+			"ssl=on",
+			"-c",
+			fmt.Sprintf("ssl_cert_file=/var/run/secrets/operator.cryostat.io/%s-database-tls/tls.crt", r.Name),
+			"-c",
+			fmt.Sprintf("ssl_key_file=/var/run/secrets/operator.cryostat.io/%s-database-tls/tls.key", r.Name),
+		)
+	}
+
+	return args
+}
+
 func (r *TestResources) NewAuthProxyEnvironmentVariables(authOptions *operatorv1beta2.AuthorizationOptions) []corev1.EnvVar {
 	envs := []corev1.EnvVar{}
 
@@ -2290,6 +2293,15 @@ func (r *TestResources) NewCoreVolumeMounts() []corev1.VolumeMount {
 			MountPath: "/truststore/operator",
 		},
 	}
+	if r.TLS {
+		mounts = append(mounts,
+			corev1.VolumeMount{
+				Name:      "database-tls-secret",
+				ReadOnly:  true,
+				MountPath: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls", r.Name),
+			},
+		)
+	}
 	return mounts
 }
 
@@ -2323,15 +2335,14 @@ func (r *TestResources) NewDatabaseVolumeMounts() []corev1.VolumeMount {
 			SubPath:   "postgres",
 		})
 
-	// TODO
-	// if r.TLS {
-	// 	mounts = append(mounts,
-	// 		corev1.VolumeMount{
-	// 			Name:      "database-tls-secret",
-	// 			MountPath: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls", r.Name),
-	// 			ReadOnly:  true,
-	// 		})
-	// }
+	if r.TLS {
+		mounts = append(mounts,
+			corev1.VolumeMount{
+				Name:      "database-tls-secret",
+				MountPath: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls", r.Name),
+				ReadOnly:  true,
+			})
+	}
 	return mounts
 }
 
@@ -2813,6 +2824,15 @@ func (r *TestResources) newVolumes(certProjections []corev1.VolumeProjection) []
 					},
 				},
 			},
+			corev1.Volume{
+				Name: "database-tls-secret",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName:  r.Name + "-database-tls",
+						DefaultMode: &readOnlymode,
+					},
+				},
+			},
 		)
 	}
 
@@ -2880,11 +2900,13 @@ func (r *TestResources) NewDatabaseVolumes() []corev1.Volume {
 	}
 
 	if r.TLS {
+		readOnlyMode := int32(0440)
 		volumes = append(volumes, corev1.Volume{
 			Name: "database-tls-secret",
 			VolumeSource: corev1.VolumeSource{
 				Secret: &corev1.SecretVolumeSource{
-					SecretName: r.Name + "-database-tls",
+					SecretName:  r.Name + "-database-tls",
+					DefaultMode: &readOnlyMode,
 				},
 			},
 		})