diff --git a/controllers/credentials_secret.go b/controllers/credentials_secret.go
index 4c663272..66ce0ffb 100644
--- a/controllers/credentials_secret.go
+++ b/controllers/credentials_secret.go
@@ -7,7 +7,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func credentialsSecretForDefaultDBUser(owner client.Object, db *godo.Database) *corev1.Secret {
+func credentialsSecretForDefaultDBUser(owner client.Object, db *godo.Database, ca *godo.DatabaseCA) *corev1.Secret {
 	secret := &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "v1",
@@ -29,6 +29,10 @@ func credentialsSecretForDefaultDBUser(owner client.Object, db *godo.Database) *
 		secret.StringData["private_uri"] = db.PrivateConnection.URI
 	}
 
+	if ca != nil && len(ca.Certificate) > 0 {
+		secret.StringData["ca.crt"] = string(ca.Certificate)
+	}
+
 	return secret
 }
 
diff --git a/controllers/databasecluster_controller.go b/controllers/databasecluster_controller.go
index a76e7cc3..c71a65f4 100644
--- a/controllers/databasecluster_controller.go
+++ b/controllers/databasecluster_controller.go
@@ -135,7 +135,13 @@ func (r *DatabaseClusterReconciler) reconcileNewDB(ctx context.Context, cluster
 	cluster.Status.CreatedAt = metav1.NewTime(db.CreatedAt)
 	cluster.Status.Status = db.Status
 
-	err = r.ensureOwnedObjects(ctx, cluster, db)
+	ca, _, err := r.GodoClient.Databases.GetCA(ctx, db.ID)
+	if err != nil {
+		ll.Error(err, "unable to get database CA")
+		return ctrl.Result{}, fmt.Errorf("getting database CA: %v", err)
+	}
+
+	err = r.ensureOwnedObjects(ctx, cluster, db, ca)
 	if err != nil {
 		ll.Error(err, "unable to ensure DB-related objects")
 		return ctrl.Result{}, fmt.Errorf("ensuring DB-related objects: %v", err)
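Review bot: credentialsSecretForDefaultDBUser still has no doc comment, and the new `ca` parameter is exactly the thing a caller needs explained: the second hunk in this file tolerates a nil `ca`, but nothing at the signature says so or says what the Secret ends up containing. I would add above the signature: `// credentialsSecretForDefaultDBUser builds the Secret holding the default user's connection details for db, owned by owner; ca may be nil, in which case no "ca.crt" entry is written.` The function body continues outside this hunk.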
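Review bot: Nothing at the new `ca.crt` write says what format the value has or what it is for; `string(ca.Certificate)` only yields a usable trust file if the godo client has already decoded the API payload into PEM bytes, and a consumer pointing `sslrootcert`/`tlsCAFile` at the mounted key will fail verification on DER or still-base64 text. I would add above the `if`: `// ca.crt is the cluster CA, exposed so clients can verify the server certificate (verify-ca/verify-full); assumes godo returns PEM bytes — confirm.` Also note that an empty certificate silently omits the key rather than being reported, so a consumer cannot tell "no CA" from "lookup returned nothing", and if ensureOwnedObjects (outside this hunk) merges keys on update, a previously written `ca.crt` would survive unchanged in that case.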
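Review bot: The added early return makes any GetCA failure block ensureOwnedObjects entirely, so a transient error on the CA endpoint now also stops the `-connection` ConfigMap and the credentials Secret from being created, which did not depend on that call before this change. Failing closed is the right call here, since a Secret without `ca.crt` would let consumers connect without verifying the server, but the log line should make that consequence and the cluster visible: `ll.Error(err, "unable to get database CA; not writing connection objects", "db_id", db.ID)`. The `%v` wrapping matches the rest of the file, though `%w` would let callers use errors.Is/As on the godo error. reconcileNewDB starts and ends outside the hunk.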
@@ -154,6 +160,12 @@ func (r *DatabaseClusterReconciler) reconcileExistingDB(ctx context.Context, clu
 		return ctrl.Result{}, fmt.Errorf("getting existing DB cluster: %v", err)
 	}
 
+	ca, _, err := r.GodoClient.Databases.GetCA(ctx, db.ID)
+	if err != nil {
+		ll.Error(err, "unable to get existing database database CA")
+		return ctrl.Result{}, fmt.Errorf("getting existing database CA: %v", err)
+	}
+
 	// Resize if either of the size parameters in the spec has changed.
 	if db.NumNodes != int(cluster.Spec.NumNodes) || db.SizeSlug != cluster.Spec.Size {
 		ll.Info("resizing database",
@@ -189,7 +201,7 @@ func (r *DatabaseClusterReconciler) reconcileExistingDB(ctx context.Context, clu
 		}
 	}
 
-	err = r.ensureOwnedObjects(ctx, cluster, db)
+	err = r.ensureOwnedObjects(ctx, cluster, db, ca)
 	if err != nil {
 		ll.Error(err, "unable to ensure DB-related objects")
 		return ctrl.Result{}, fmt.Errorf("ensuring DB-related objects: %v", err)
@@ -218,7 +230,7 @@ func (r *DatabaseClusterReconciler) reconcileDeletedDB(ctx context.Context, clus
 	return ctrl.Result{}, nil
 }
 
-func (r *DatabaseClusterReconciler) ensureOwnedObjects(ctx context.Context, cluster *v1alpha1.DatabaseCluster, db *godo.Database) error {
+func (r *DatabaseClusterReconciler) ensureOwnedObjects(ctx context.Context, cluster *v1alpha1.DatabaseCluster, db *godo.Database, ca *godo.DatabaseCA) error {
 	objs := []client.Object{}
 	if db.Connection != nil {
 		objs = append(objs, connectionConfigMapForDB("-connection", cluster, db.Connection))
@@ -231,7 +243,7 @@ func (r *DatabaseClusterReconciler) ensureOwnedObjects(ctx context.Context, clus
 		// MongoDB doesn't return the default user password with the DB except
 		// on creation. Don't update the credentials if the password is empty,
 		// but create the secret if we have the password.
-		objs = append(objs, credentialsSecretForDefaultDBUser(cluster, db))
+		objs = append(objs, credentialsSecretForDefaultDBUser(cluster, db, ca))
 	}
 
 	for _, obj := range objs {
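Review bot: The log message in the new error branch reads `unable to get existing database database CA`, a duplicated word; it should be `ll.Error(err, "unable to get existing database CA")` to match the wrapped error two lines below. The CA is also fetched ahead of the resize branch that follows; if that branch returns early while a resize is in flight (its body is outside this hunk, so I cannot tell), GetCA is called on every requeue without its result being used, and the fetch could sit next to the ensureOwnedObjects call instead. reconcileExistingDB starts and ends outside the hunk.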
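Review bot: The fetch-log-return block that feeds this new `ca` parameter is now copied verbatim into three reconcilers across the diff, and ensureOwnedObjects already has both `r.GodoClient` and `db`, so it could do the lookup itself and the callers would keep their old signature. That also gives the function the doc comment it currently lacks (the line above `func` is blank) and puts the nil/empty handling in one place. The body of ensureOwnedObjects continues outside the hunk; below is the start of it as I would write it.
```go
// ensureOwnedObjects creates or updates the ConfigMaps and the credentials
// Secret derived from db, owned by cluster. The cluster CA is fetched here so
// every caller gets the same behaviour and the error is wrapped once.
func (r *DatabaseClusterReconciler) ensureOwnedObjects(ctx context.Context, cluster *v1alpha1.DatabaseCluster, db *godo.Database) error {
	ca, _, err := r.GodoClient.Databases.GetCA(ctx, db.ID)
	if err != nil {
		return fmt.Errorf("getting database CA: %v", err)
	}
	objs := []client.Object{}
	// … unchanged: ConfigMap and Secret assembly, passing ca to credentialsSecretForDefaultDBUser …
```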
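Review bot: The `ca.crt` entry now travels inside the credentials Secret, and this call sits inside a conditional whose own comment says the Secret is not updated when the password is empty — which, per that comment, is every reconcile after creation for MongoDB. The condition itself is above the hunk, but if it gates on the password as the comment describes, a rotated CA will never reach MongoDB consumers until the cluster is recreated, while other engines pick it up on the next reconcile. Since the CA is not secret, consider emitting it as its own owned object (a `-ca` ConfigMap appended unconditionally next to the `-connection` one), or updating only the `ca.crt` key when the password is unknown. ensureOwnedObjects continues outside the hunk.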
diff --git a/controllers/databaseclusterreference_controller.go b/controllers/databaseclusterreference_controller.go
index 24a132db..fc029f88 100644
--- a/controllers/databaseclusterreference_controller.go
+++ b/controllers/databaseclusterreference_controller.go
@@ -113,7 +113,13 @@ func (r *DatabaseClusterReferenceReconciler) Reconcile(ctx context.Context, req
 	ref.Status.Status = db.Status
 	ref.Status.CreatedAt = metav1.NewTime(db.CreatedAt)
 
-	err = r.ensureOwnedObjects(ctx, &ref, db)
+	ca, _, err := r.GodoClient.Databases.GetCA(ctx, db.ID)
+	if err != nil {
+		ll.Error(err, "unable to get existing database CA")
+		return ctrl.Result{}, fmt.Errorf("getting existing database CA: %v", err)
+	}
+
+	err = r.ensureOwnedObjects(ctx, &ref, db, ca)
 	if err != nil {
 		ll.Error(err, "unable to ensure DB-related objects")
 		return ctrl.Result{}, fmt.Errorf("ensuring DB-related objects: %v", err)
@@ -122,7 +128,7 @@ func (r *DatabaseClusterReferenceReconciler) Reconcile(ctx context.Context, req
 	return ctrl.Result{RequeueAfter: clusterReferenceRefreshTime}, nil
 }
 
-func (r *DatabaseClusterReferenceReconciler) ensureOwnedObjects(ctx context.Context, cluster *v1alpha1.DatabaseClusterReference, db *godo.Database) error {
+func (r *DatabaseClusterReferenceReconciler) ensureOwnedObjects(ctx context.Context, cluster *v1alpha1.DatabaseClusterReference, db *godo.Database, ca *godo.DatabaseCA) error {
 	objs := []client.Object{}
 	if db.Connection != nil {
 		objs = append(objs, connectionConfigMapForDB("-connection", cluster, db.Connection))
@@ -135,7 +141,7 @@ func (r *DatabaseClusterReferenceReconciler) ensureOwnedObjects(ctx context.Cont
 		// MongoDB doesn't return the default user password with the DB except
 		// on creation. Don't update the credentials if the password is empty,
 		// but create the secret if we have the password.
-		objs = append(objs, credentialsSecretForDefaultDBUser(cluster, db))
+		objs = append(objs, credentialsSecretForDefaultDBUser(cluster, db, ca))
 	}
 
 	for _, obj := range objs {
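Review bot: This reconciler requeues itself every clusterReferenceRefreshTime (visible in the next hunk), so the new GetCA call is now made on every tick for every reference, and because the error path returns before ensureOwnedObjects, a rate-limited or failing CA endpoint also stops the `-connection` ConfigMap from being refreshed. That is acceptable as fail-closed behaviour, but the error should say which cluster it concerns, since all references share this code path: `return ctrl.Result{}, fmt.Errorf("getting CA for database %s: %v", db.ID, err)`. If the API budget matters, the CA changes rarely and could be refetched less often than the rest of the status, though I cannot judge that from here. Reconcile starts and ends outside the hunk.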
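Review bot: As in the cluster controller, the `ca.crt` entry is carried by the credentials Secret, and this call is inside the block whose comment says the Secret is only written when the password is known — for MongoDB, only at creation. The enclosing condition is above the hunk, so I am inferring from the comment, but if so a rotated CA never reaches MongoDB consumers of a reference, which is the case where the operator did not create the cluster and cannot "recreate" to recover. Shipping the CA in an unconditionally refreshed object (it is public data, so a ConfigMap beside `-connection` is appropriate) avoids coupling trust-anchor updates to password availability. ensureOwnedObjects continues outside the hunk.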
diff --git a/fakegodo/databases.go b/fakegodo/databases.go
index 17bf6a99..015635ce 100644
--- a/fakegodo/databases.go
+++ b/fakegodo/databases.go
@@ -60,7 +60,10 @@ func (f *FakeDatabasesService) Get(_ context.Context, dbUUID string) (*godo.Data
 
 // GetCA ...
 func (f *FakeDatabasesService) GetCA(_ context.Context, _ string) (*godo.DatabaseCA, *godo.Response, error) {
-	panic("not implemented")
+	ca := godo.DatabaseCA{
+		Certificate: []byte{01, 02, 03, 04, 05},
+	}
+	return &ca, okResponse, nil
 }
 
 // Create ...
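Review bot: The fake's `Certificate: []byte{01, 02, 03, 04, 05}` is five non-printable bytes written as octal literals, so any test exercising the `ca.crt` path gets an unparseable blob and cannot distinguish "PEM passed through intact" from "garbage passed through". A PEM-shaped fixture keeps the Secret contents readable in test output and lets a consumer-side `pem.Decode` assertion work, e.g. `Certificate: []byte("-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----\n"),` with a real self-signed test certificate in place of the dots. If the leading zeros were intentional, `0o1` is the unambiguous spelling; otherwise plain `1, 2, 3, 4, 5`. The fake also ignores the database ID argument, so every cluster gets the same CA, which is fine for a fake but worth a word in the `// GetCA ...` comment.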