Cert manager provided tls certs (#571)

* Make use of gardener provided TLS certificates

* ...

* Generate shorter commonName

* * remove commonName annotation
* shorten DNS name

* Try different annotations

* Add subdomain to commonName

* use wildcard in commonName

* Use proper dns name instead of wildcard

* Naming

* Set spilo_fsgroup to fix tls permission issue

* Add additional annotation

* Move annotations to shared LB when both are available

* Reset annotations if neccessary

* Update annotations

* Centralize logic

* ...

* Use certificate CR instead of gardener annotations

* Set temporariy default value for testing

* Add log

* AddToScheme

* Switch secret name to static string from docs

* * Make TLS subdomain configurable too
* Use (obfuscated) commonName in cert when tls subdomain is configured (and possibly publicly announced)

* Remove (test) default value

* Disable certificate creation when not configured

---------

Co-authored-by: Gerrit <[email protected]>

Author: eberlep

api/v1/postgres_types.go

@@ -420,7 +420,26 @@ func (p *Postgres) ToSharedSvcLBNamespacedName() *types.NamespacedName {
 	}
 }
 
-func (p *Postgres) ToDedicatedSvcLB(lbIP string, lbPort int32, standbyClustersSourceRanges []string) *corev1.Service {
+func (p *Postgres) EnableSharedSVCLB(enableForceSharedIP bool) bool {
+	if enableForceSharedIP {
+		// shared IP is forced, so force it. No more questions asked.
+		return true
+	}
+
+	if p.Spec.DedicatedLoadBalancerIP == nil {
+		// No dedicated ip set at all, enabled shared lb
+		return true
+	}
+
+	if *p.Spec.DedicatedLoadBalancerIP == "" {
+		// Empty IP set, enable shared lb
+		return true
+	}
+
+	return false
+}
+
+func (p *Postgres) ToDedicatedSvcLB(lbIP string, lbPort int32, standbyClustersSourceRanges []string, sharedSvcLbAlsoEnabled bool) *corev1.Service {
 	lb := &corev1.Service{}
 	lb.Spec.Type = "LoadBalancer"
 
@@ -430,6 +449,8 @@ func (p *Postgres) ToDedicatedSvcLB(lbIP string, lbPort int32, standbyClustersSo
 	lb.Name = p.ToDedicatedSvcLBName()
 	lb.SetLabels(SvcLoadBalancerLabel)
 
+	lb.Annotations = map[string]string{}
+
 	lbsr := []string{}
 	if p.HasSourceRanges() {
 		for _, src := range p.Spec.AccessList.SourceRanges {
@@ -485,6 +506,20 @@ func (p *Postgres) ToDedicatedSvcLBNamespacedName() *types.NamespacedName {
 	}
 }
 
+func (p *Postgres) EnableDedicatedSVCLB() bool {
+	if p.Spec.DedicatedLoadBalancerIP == nil {
+		// No dedicated ip set at all, disable dedicated lb
+		return false
+	}
+
+	if *p.Spec.DedicatedLoadBalancerIP == "" {
+		// Empty IP set, disable dedicated lb
+		return false
+	}
+
+	return true
+}
+
 func (p *Postgres) ToPeripheralResourceName() string {
 
 	return p.generateTeamID() + "-" + p.generateDatabaseName()
@@ -600,14 +635,29 @@ func (p *Postgres) ToPeripheralResourceNamespace() string {
 	return projectID + "-" + name
 }
 
+func (p *Postgres) ToDNSName(tlsSubDomain string) string {
+	// We only want letters and numbers
+	name := alphaNumericRegExp.ReplaceAllString(string(p.Name), "")
+	// Limit size
+	maxLen := 12
+	if len(name) > maxLen {
+		name = name[:maxLen]
+	}
+	return name + "." + tlsSubDomain
+}
+
+func (p *Postgres) ToTLSSecretName() string {
+	return "pg-tls"
+}
+
 func (p *Postgres) ToPeripheralResourceLookupKey() types.NamespacedName {
 	return types.NamespacedName{
 		Namespace: p.ToPeripheralResourceNamespace(),
 		Name:      p.ToPeripheralResourceName(),
 	}
 }
 
-func (p *Postgres) ToUnstructuredZalandoPostgresql(z *zalando.Postgresql, c *corev1.ConfigMap, sc string, pgParamBlockList map[string]bool, rbs *BackupConfig, srcDB *Postgres, patroniTTL, patroniLoopWait, patroniRetryTimeout uint32, dboIsSuperuser bool) (*unstructured.Unstructured, error) {
+func (p *Postgres) ToUnstructuredZalandoPostgresql(z *zalando.Postgresql, c *corev1.ConfigMap, sc string, pgParamBlockList map[string]bool, rbs *BackupConfig, srcDB *Postgres, patroniTTL, patroniLoopWait, patroniRetryTimeout uint32, dboIsSuperuser bool, enableTlsCert bool) (*unstructured.Unstructured, error) {
 	if z == nil {
 		z = &zalando.Postgresql{}
 	}
@@ -734,6 +784,12 @@ func (p *Postgres) ToUnstructuredZalandoPostgresql(z *zalando.Postgresql, c *cor
 		}
 	}
 
+	if enableTlsCert {
+		z.Spec.TLS = &zalando.TLSDescription{
+			SecretName: p.ToTLSSecretName(),
+		}
+	}
+
 	jsonZ, err := runtime.DefaultUnstructuredConverter.ToUnstructured(z)
 	if err != nil {
 		return nil, fmt.Errorf("failed to convert to unstructured zalando postgresql: %w", err)

api/v1/postgres_types_test.go

@@ -349,7 +349,7 @@ func TestPostgresRestoreTimestamp_ToUnstructuredZalandoPostgresql(t *testing.T)
 			p := &Postgres{
 				Spec: tt.spec,
 			}
-			got, _ := p.ToUnstructuredZalandoPostgresql(nil, tt.c, tt.sc, tt.pgParamBlockList, tt.rbs, tt.srcDB, 130, 10, 60, false)
+			got, _ := p.ToUnstructuredZalandoPostgresql(nil, tt.c, tt.sc, tt.pgParamBlockList, tt.rbs, tt.srcDB, 130, 10, 60, false, false)
 
 			jsonZ, err := runtime.DefaultUnstructuredConverter.ToUnstructured(got)
 			if err != nil {

controllers/postgres_controller.go

@@ -46,6 +46,9 @@ import (
 	pg "github.com/fi-ts/postgreslet/api/v1"
 	"github.com/fi-ts/postgreslet/pkg/lbmanager"
 	"github.com/fi-ts/postgreslet/pkg/operatormanager"
+
+	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
+	cmmeta "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
 )
 
 const (
@@ -93,6 +96,9 @@ type PostgresReconciler struct {
 	InitDBJobConfigMapName              string
 	EnableBootstrapStandbyFromS3        bool
 	EnableSuperUserForDBO               bool
+	EnableCustomTLSCert                 bool
+	TLSClusterIssuer                    string
+	TLSSubDomain                        string
 }
 
 // Reconcile is the entry point for postgres reconciliation.
@@ -237,6 +243,12 @@ func (r *PostgresReconciler) Reconcile(ctx context.Context, req ctrl.Request) (c
 		}
 	}
 
+	// Request certificate, if neccessary
+	if err := r.createOrUpdateCertificate(log, ctx, instance); err != nil {
+		r.recorder.Eventf(instance, "Warning", "Error", "failed to create certificate request: %v", err)
+		return ctrl.Result{}, fmt.Errorf("error while creating certificate request: %w", err)
+	}
+
 	// Make sure the postgres secrets exist, if necessary
 	if err := r.ensurePostgresSecrets(log, ctx, instance); err != nil {
 		r.recorder.Eventf(instance, "Warning", "Error", "failed to create postgres secrets: %v", err)
@@ -373,7 +385,7 @@ func (r *PostgresReconciler) createOrUpdateZalandoPostgresql(ctx context.Context
 			return fmt.Errorf("failed to fetch zalando postgresql: %w", err)
 		}
 
-		u, err := instance.ToUnstructuredZalandoPostgresql(nil, sidecarsCM, r.StorageClass, r.PgParamBlockList, restoreBackupConfig, restoreSourceInstance, patroniTTL, patroniLoopWait, patroniRetryTimeout, r.EnableSuperUserForDBO)
+		u, err := instance.ToUnstructuredZalandoPostgresql(nil, sidecarsCM, r.StorageClass, r.PgParamBlockList, restoreBackupConfig, restoreSourceInstance, patroniTTL, patroniLoopWait, patroniRetryTimeout, r.EnableSuperUserForDBO, r.EnableCustomTLSCert)
 		if err != nil {
 			return fmt.Errorf("failed to convert to unstructured zalando postgresql: %w", err)
 		}
@@ -389,7 +401,7 @@ func (r *PostgresReconciler) createOrUpdateZalandoPostgresql(ctx context.Context
 	// Update zalando postgresql
 	mergeFrom := client.MergeFrom(rawZ.DeepCopy())
 
-	u, err := instance.ToUnstructuredZalandoPostgresql(rawZ, sidecarsCM, r.StorageClass, r.PgParamBlockList, restoreBackupConfig, restoreSourceInstance, patroniTTL, patroniLoopWait, patroniRetryTimeout, r.EnableSuperUserForDBO)
+	u, err := instance.ToUnstructuredZalandoPostgresql(rawZ, sidecarsCM, r.StorageClass, r.PgParamBlockList, restoreBackupConfig, restoreSourceInstance, patroniTTL, patroniLoopWait, patroniRetryTimeout, r.EnableSuperUserForDBO, r.EnableCustomTLSCert)
 	if err != nil {
 		return fmt.Errorf("failed to convert to unstructured zalando postgresql: %w", err)
 	}
@@ -1710,3 +1722,34 @@ func (r *PostgresReconciler) ensureInitDBJob(log logr.Logger, ctx context.Contex
 
 	return nil
 }
+
+func (r *PostgresReconciler) createOrUpdateCertificate(log logr.Logger, ctx context.Context, instance *pg.Postgres) error {
+	if r.TLSClusterIssuer == "" {
+		log.V(debugLogLevel).Info("certificate skipped")
+		return nil
+	}
+
+	commonName := instance.ToPeripheralResourceName()
+	if r.TLSSubDomain != "" {
+		commonName = instance.ToDNSName(r.TLSSubDomain)
+	}
+
+	c := &cmapi.Certificate{ObjectMeta: metav1.ObjectMeta{Name: instance.ToPeripheralResourceName(), Namespace: instance.ToPeripheralResourceNamespace()}}
+	if _, err := controllerutil.CreateOrUpdate(ctx, r.SvcClient, c, func() error {
+		c.Spec = cmapi.CertificateSpec{
+			CommonName: commonName,
+			SecretName: instance.ToTLSSecretName(),
+			IssuerRef: cmmeta.ObjectReference{
+				Group: "cert-manager.io",
+				Kind:  "ClusterIssuer",
+				Name:  r.TLSClusterIssuer,
+			},
+		}
+		return nil
+	}); err != nil {
+		return fmt.Errorf("unable to create or update certificate: %w", err)
+	}
+
+	log.V(debugLogLevel).Info("certificate created or updated")
+	return nil
+}

controllers/status_controller.go

@@ -97,13 +97,14 @@ func (r *StatusReconciler) Reconcile(ctx context.Context, req ctrl.Request) (ctr
 	}
 
 	log.V(debugLogLevel).Info("updating socket")
-	if owner.Spec.DedicatedLoadBalancerIP == nil {
+	if !owner.EnableDedicatedSVCLB() {
 		// no dedicated load balancer configured, use the shared one
 		shared := &corev1.Service{}
 		if err := r.SvcClient.Get(ctx, *owner.ToSharedSvcLBNamespacedName(), shared); err == nil {
 			// update IP and port
 			owner.Status.Socket.IP = shared.Spec.LoadBalancerIP
 			owner.Status.Socket.Port = shared.Spec.Ports[0].Port
+			owner.Status.AdditionalSockets = []pg.Socket{} // reset additional sockets
 
 		} else {
 			// Todo: Handle errors other than `NotFound`

go.mod

@@ -3,6 +3,7 @@ module github.com/fi-ts/postgreslet
 go 1.22
 
 require (
+	github.com/cert-manager/cert-manager v1.10.0
 	github.com/go-logr/logr v1.2.4
 	github.com/google/uuid v1.3.0
 	github.com/metal-stack/firewall-controller v1.3.0
@@ -12,10 +13,10 @@ require (
 	github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring v0.56.2
 	github.com/spf13/viper v1.12.0
 	github.com/zalando/postgres-operator v1.7.0
-	k8s.io/api v0.25.0
-	k8s.io/apiextensions-apiserver v0.25.0
-	k8s.io/apimachinery v0.25.0
-	k8s.io/client-go v0.25.0
+	k8s.io/api v0.25.2
+	k8s.io/apiextensions-apiserver v0.25.2
+	k8s.io/apimachinery v0.25.2
+	k8s.io/client-go v0.25.2
 	k8s.io/utils v0.0.0-20221108210102-8e77b1f39fe2
 	sigs.k8s.io/controller-runtime v0.13.1
 )
@@ -73,7 +74,7 @@ require (
 	go.uber.org/atomic v1.10.0 // indirect
 	go.uber.org/multierr v1.8.0 // indirect
 	go.uber.org/zap v1.23.0 // indirect
-	golang.org/x/crypto v0.0.0-20220622213112-05595931fe9d // indirect
+	golang.org/x/crypto v0.0.0-20220924013350-4ba4fb4dd9e7 // indirect
 	golang.org/x/mod v0.10.0 // indirect
 	golang.org/x/net v0.10.0 // indirect
 	golang.org/x/oauth2 v0.2.0 // indirect
@@ -90,9 +91,10 @@ require (
 	gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 // indirect
 	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/component-base v0.25.0 // indirect
+	k8s.io/component-base v0.25.2 // indirect
 	k8s.io/klog/v2 v2.80.1 // indirect
-	k8s.io/kube-openapi v0.0.0-20220803162953-67bda5d908f1 // indirect
+	k8s.io/kube-openapi v0.0.0-20220803164354-a70c9af30aea // indirect
+	sigs.k8s.io/gateway-api v0.5.0 // indirect
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
 	sigs.k8s.io/yaml v1.3.0 // indirect