Add CA cert information to the credentials secret

controllers/credentials_secret.go

@@ -7,7 +7,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
-func credentialsSecretForDefaultDBUser(owner client.Object, db *godo.Database) *corev1.Secret {
+func credentialsSecretForDefaultDBUser(owner client.Object, db *godo.Database, ca *godo.DatabaseCA) *corev1.Secret {
 	secret := &corev1.Secret{
 		TypeMeta: metav1.TypeMeta{
 			APIVersion: "v1",
@@ -29,6 +29,10 @@ func credentialsSecretForDefaultDBUser(owner client.Object, db *godo.Database) *
 		secret.StringData["private_uri"] = db.PrivateConnection.URI
 	}
 
+	if ca != nil && len(ca.Certificate) > 0 {
+		secret.StringData["ca.crt"] = string(ca.Certificate)
+	}
+
 	return secret
 }
 

controllers/databasecluster_controller.go

@@ -135,7 +135,13 @@ func (r *DatabaseClusterReconciler) reconcileNewDB(ctx context.Context, cluster
 	cluster.Status.CreatedAt = metav1.NewTime(db.CreatedAt)
 	cluster.Status.Status = db.Status
 
-	err = r.ensureOwnedObjects(ctx, cluster, db)
+	ca, _, err := r.GodoClient.Databases.GetCA(ctx, db.ID)
+	if err != nil {
+		ll.Error(err, "unable to get database CA")
+		return ctrl.Result{}, fmt.Errorf("getting database CA: %v", err)
+	}
+
+	err = r.ensureOwnedObjects(ctx, cluster, db, ca)
 	if err != nil {
 		ll.Error(err, "unable to ensure DB-related objects")
 		return ctrl.Result{}, fmt.Errorf("ensuring DB-related objects: %v", err)
@@ -154,6 +160,12 @@ func (r *DatabaseClusterReconciler) reconcileExistingDB(ctx context.Context, clu
 		return ctrl.Result{}, fmt.Errorf("getting existing DB cluster: %v", err)
 	}
 
+	ca, _, err := r.GodoClient.Databases.GetCA(ctx, db.ID)
+	if err != nil {
+		ll.Error(err, "unable to get existing database database CA")
+		return ctrl.Result{}, fmt.Errorf("getting existing database CA: %v", err)
+	}
+
 	// Resize if either of the size parameters in the spec has changed.
 	if db.NumNodes != int(cluster.Spec.NumNodes) || db.SizeSlug != cluster.Spec.Size {
 		ll.Info("resizing database",
@@ -189,7 +201,7 @@ func (r *DatabaseClusterReconciler) reconcileExistingDB(ctx context.Context, clu
 		}
 	}
 
-	err = r.ensureOwnedObjects(ctx, cluster, db)
+	err = r.ensureOwnedObjects(ctx, cluster, db, ca)
 	if err != nil {
 		ll.Error(err, "unable to ensure DB-related objects")
 		return ctrl.Result{}, fmt.Errorf("ensuring DB-related objects: %v", err)
@@ -218,7 +230,7 @@ func (r *DatabaseClusterReconciler) reconcileDeletedDB(ctx context.Context, clus
 	return ctrl.Result{}, nil
 }
 
-func (r *DatabaseClusterReconciler) ensureOwnedObjects(ctx context.Context, cluster *v1alpha1.DatabaseCluster, db *godo.Database) error {
+func (r *DatabaseClusterReconciler) ensureOwnedObjects(ctx context.Context, cluster *v1alpha1.DatabaseCluster, db *godo.Database, ca *godo.DatabaseCA) error {
 	objs := []client.Object{}
 	if db.Connection != nil {
 		objs = append(objs, connectionConfigMapForDB("-connection", cluster, db.Connection))
@@ -231,7 +243,7 @@ func (r *DatabaseClusterReconciler) ensureOwnedObjects(ctx context.Context, clus
 		// MongoDB doesn't return the default user password with the DB except
 		// on creation. Don't update the credentials if the password is empty,
 		// but create the secret if we have the password.
-		objs = append(objs, credentialsSecretForDefaultDBUser(cluster, db))
+		objs = append(objs, credentialsSecretForDefaultDBUser(cluster, db, ca))
 	}
 
 	for _, obj := range objs {

controllers/databaseclusterreference_controller.go

@@ -113,7 +113,13 @@ func (r *DatabaseClusterReferenceReconciler) Reconcile(ctx context.Context, req
 	ref.Status.Status = db.Status
 	ref.Status.CreatedAt = metav1.NewTime(db.CreatedAt)
 
-	err = r.ensureOwnedObjects(ctx, &ref, db)
+	ca, _, err := r.GodoClient.Databases.GetCA(ctx, db.ID)
+	if err != nil {
+		ll.Error(err, "unable to get existing database CA")
+		return ctrl.Result{}, fmt.Errorf("getting existing database CA: %v", err)
+	}
+
+	err = r.ensureOwnedObjects(ctx, &ref, db, ca)
 	if err != nil {
 		ll.Error(err, "unable to ensure DB-related objects")
 		return ctrl.Result{}, fmt.Errorf("ensuring DB-related objects: %v", err)
@@ -122,7 +128,7 @@ func (r *DatabaseClusterReferenceReconciler) Reconcile(ctx context.Context, req
 	return ctrl.Result{RequeueAfter: clusterReferenceRefreshTime}, nil
 }
 
-func (r *DatabaseClusterReferenceReconciler) ensureOwnedObjects(ctx context.Context, cluster *v1alpha1.DatabaseClusterReference, db *godo.Database) error {
+func (r *DatabaseClusterReferenceReconciler) ensureOwnedObjects(ctx context.Context, cluster *v1alpha1.DatabaseClusterReference, db *godo.Database, ca *godo.DatabaseCA) error {
 	objs := []client.Object{}
 	if db.Connection != nil {
 		objs = append(objs, connectionConfigMapForDB("-connection", cluster, db.Connection))
@@ -135,7 +141,7 @@ func (r *DatabaseClusterReferenceReconciler) ensureOwnedObjects(ctx context.Cont
 		// MongoDB doesn't return the default user password with the DB except
 		// on creation. Don't update the credentials if the password is empty,
 		// but create the secret if we have the password.
-		objs = append(objs, credentialsSecretForDefaultDBUser(cluster, db))
+		objs = append(objs, credentialsSecretForDefaultDBUser(cluster, db, ca))
 	}
 
 	for _, obj := range objs {

fakegodo/databases.go

@@ -60,7 +60,10 @@ func (f *FakeDatabasesService) Get(_ context.Context, dbUUID string) (*godo.Data
 
 // GetCA ...
 func (f *FakeDatabasesService) GetCA(_ context.Context, _ string) (*godo.DatabaseCA, *godo.Response, error) {
-	panic("not implemented")
+	ca := godo.DatabaseCA{
+		Certificate: []byte{01, 02, 03, 04, 05},
+	}
+	return &ca, okResponse, nil
 }
 
 // Create ...