Adding SSL support to External Postgres

Makefile

@@ -199,6 +199,11 @@ test-cli-flow:
 	@echo "✅ test-cli-flow"
 .PHONY: test-cli-flow
 
+test-cli-flow-dev:
+	$(TIME) ./test/cli/test_cli_flow.sh --dev
+	@echo "✅ test-cli-flow-dev"
+.PHONY: test-cli-flow-dev
+
 test-core-config-map-flow:
 	$(TIME) ./test/cli/test_cli_flow.sh --check_core_config_map
 	@echo "✅ test-core-config-map-flow"

deploy/crds/noobaa.io_noobaas.yaml

@@ -1417,6 +1417,29 @@ spec:
                         type: object
                     type: object
                 type: object
+              externalPgSSLRequired:
+                description: ExternalPgSSLRequired (optional) holds an optional boolean
+                  to force ssl connections to the external Postgres DB
+                type: boolean
+              externalPgSSLSecret:
+                description: ExternalPgSSLSecret (optional) holds an optional secret
+                  with client key and cert used for connecting to external Postgres
+                  DB
+                properties:
+                  name:
+                    description: name is unique within a namespace to reference a
+                      secret resource.
+                    type: string
+                  namespace:
+                    description: namespace defines the space within which the secret
+                      name must be unique.
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
+              externalPgSSLUnauthorized:
+                description: ExternalPgSSLUnauthorized (optional) holds an optional
+                  boolean to allow unauthorized connections to external Postgres DB
+                type: boolean
               externalPgSecret:
                 description: ExternalPgSecret (optional) holds an optional secret
                   with a url to an extrenal Postgres DB to be used

deploy/internal/deployment-endpoint.yaml

@@ -32,6 +32,10 @@ spec:
           secret:
             secretName: noobaa-s3-serving-cert
             optional: true
+        - name: external-db-ssl-secret
+          secret:
+            secretName: noobaa-external-db-cert
+            optional: true 
         - name: oidc-token
           projected:
             sources:
@@ -94,6 +98,8 @@ spec:
             - name: POSTGRES_USER
             - name: POSTGRES_PASSWORD
             - name: POSTGRES_CONNECTION_STRING
+            - name: POSTGRES_SSL_REQUIRED
+            - name: POSTGRES_SSL_UNAUTHORIZED
             - name: VIRTUAL_HOSTS
             - name: REGION
             - name: ENDPOINT_GROUP_ID
@@ -126,6 +132,9 @@ spec:
             - name: s3-secret
               mountPath: /etc/s3-secret
               readOnly: true
+            - name: external-db-ssl-secret
+              mountPath: /etc/external-db-secret
+              readOnly: true
             - name: noobaa-auth-token
               mountPath: /etc/noobaa-auth-token
               readOnly: true

deploy/internal/statefulset-core.yaml

@@ -33,6 +33,10 @@ spec:
           secret:
             secretName: noobaa-s3-serving-cert
             optional: true
+        - name: external-db-ssl-secret
+          secret:
+            secretName: noobaa-external-db-cert
+            optional: true 
         - name: noobaa-server
           secret:
             secretName: noobaa-server
@@ -59,6 +63,9 @@ spec:
             - name: s3-secret
               mountPath: /etc/s3-secret
               readOnly: true
+            - name: external-db-ssl-secret
+              mountPath: /etc/external-db-secret
+              readOnly: true
             - name: noobaa-server
               mountPath: /etc/noobaa-server
               readOnly: true
@@ -105,6 +112,8 @@ spec:
             - name: POSTGRES_USER
             - name: POSTGRES_PASSWORD
             - name: POSTGRES_CONNECTION_STRING
+            - name: POSTGRES_SSL_REQUIRED
+            - name: POSTGRES_SSL_UNAUTHORIZED
             - name: DB_TYPE
               value: mongodb
             - name: CONTAINER_PLATFORM

pkg/apis/noobaa/v1alpha1/noobaa_types.go

@@ -121,6 +121,18 @@ type NooBaaSpec struct {
 	// +optional
 	ExternalPgSecret *corev1.SecretReference `json:"externalPgSecret,omitempty"`
 
+	// ExternalPgSSLRequired (optional) holds an optional boolean to force ssl connections to the external Postgres DB
+	// +optional
+	ExternalPgSSLRequired bool `json:"externalPgSSLRequired,omitempty"`
+
+	// ExternalPgSSLUnauthorized (optional) holds an optional boolean to allow unauthorized connections to external Postgres DB
+	// +optional
+	ExternalPgSSLUnauthorized bool `json:"externalPgSSLUnauthorized,omitempty"`
+
+	// ExternalPgSSLSecret (optional) holds an optional secret with client key and cert used for connecting to external Postgres DB
+	// +optional
+	ExternalPgSSLSecret *corev1.SecretReference `json:"externalPgSSLSecret,omitempty"`
+
 	// DebugLevel (optional) sets the debug level
 	// +optional
 	// +kubebuilder:validation:Enum=all;nsfs;warn;default_level

pkg/backingstore/backingstore.go

@@ -242,6 +242,10 @@ const (
 	// Test ENV minimal resources
 	testEnvMinCPUString    string = "50m"
 	testEnvMinMemoryString string = "200Mi"
+
+	// Dev ENV minimal resources
+	devEnvMinCPUString    string = "500m"
+	devEnvMinMemoryString string = "500Mi"
 )
 
 // CmdCreatePVPool returns a CLI command

pkg/backingstore/reconciler.go

@@ -1397,6 +1397,7 @@ func (r *Reconciler) upgradeBackingStore(sts *appsv1.StatefulSet) error {
 }
 
 func (r *Reconciler) reconcileResources(src, dst *corev1.ResourceList, minCPU, minMem resource.Quantity) error {
+	log := r.Logger
 	cpu := minCPU
 	mem := minMem
 
@@ -1416,6 +1417,7 @@ func (r *Reconciler) reconcileResources(src, dst *corev1.ResourceList, minCPU, m
 			mem = qty
 		}
 	}
+	log.Infof("BackingStore %q was created with resurce cpu:%v mem:%v.", r.BackingStore.Name, cpu, mem)
 
 	(*dst)[corev1.ResourceCPU] = cpu
 	(*dst)[corev1.ResourceMemory] = mem
@@ -1431,5 +1433,9 @@ func getMinimalResourcesByEnv() (string, string) {
 		minCPUStringByEnv = testEnvMinCPUString
 		minMemoryStringByEnv = testEnvMinMemoryString
 	}
+	if util.IsDevEnv() {
+		minCPUStringByEnv = devEnvMinCPUString
+		minMemoryStringByEnv = devEnvMinMemoryString
+	}
 	return minCPUStringByEnv, minMemoryStringByEnv
 }

pkg/bundle/deploy.go

@@ -1465,7 +1465,7 @@ spec:
       status: {}
 `
 
-const Sha256_deploy_crds_noobaa_io_noobaas_yaml = "a4f5cbe942a050321ada72a0c77e61898d65000b6074e72d784cf1c0ef1816a3"
+const Sha256_deploy_crds_noobaa_io_noobaas_yaml = "ff8f0cf9e0a1429984e9518f0a143634644cfd0b1a955449d36917550ea060ce"
 
 const File_deploy_crds_noobaa_io_noobaas_yaml = `---
 apiVersion: apiextensions.k8s.io/v1
@@ -2886,6 +2886,29 @@ spec:
                         type: object
                     type: object
                 type: object
+              externalPgSSLRequired:
+                description: ExternalPgSSLRequired (optional) holds an optional boolean
+                  to force ssl connections to the external Postgres DB
+                type: boolean
+              externalPgSSLSecret:
+                description: ExternalPgSSLSecret (optional) holds an optional secret
+                  with client key and cert used for connecting to external Postgres
+                  DB
+                properties:
+                  name:
+                    description: name is unique within a namespace to reference a
+                      secret resource.
+                    type: string
+                  namespace:
+                    description: namespace defines the space within which the secret
+                      name must be unique.
+                    type: string
+                type: object
+                x-kubernetes-map-type: atomic
+              externalPgSSLUnauthorized:
+                description: ExternalPgSSLUnauthorized (optional) holds an optional
+                  boolean to allow unauthorized connections to external Postgres DB
+                type: boolean
               externalPgSecret:
                 description: ExternalPgSecret (optional) holds an optional secret
                   with a url to an extrenal Postgres DB to be used
@@ -3655,7 +3678,7 @@ data:
           su postgres -c "bash -x /usr/bin/run-postgresql"
 `
 
-const Sha256_deploy_internal_deployment_endpoint_yaml = "bdbc90cf86e4b67acccc7e7413522d46dacf1c2d04d1d5d5e823a2b45e5c9b97"
+const Sha256_deploy_internal_deployment_endpoint_yaml = "c6b23dc4cd61b35fcdd53df59074a95df46526823ebd42862289886c8b11ae0f"
 
 const File_deploy_internal_deployment_endpoint_yaml = `apiVersion: apps/v1
 kind: Deployment
@@ -3691,6 +3714,10 @@ spec:
           secret:
             secretName: noobaa-s3-serving-cert
             optional: true
+        - name: external-db-ssl-secret
+          secret:
+            secretName: noobaa-external-db-cert
+            optional: true 
         - name: oidc-token
           projected:
             sources:
@@ -3753,6 +3780,8 @@ spec:
             - name: POSTGRES_USER
             - name: POSTGRES_PASSWORD
             - name: POSTGRES_CONNECTION_STRING
+            - name: POSTGRES_SSL_REQUIRED
+            - name: POSTGRES_SSL_UNAUTHORIZED
             - name: VIRTUAL_HOSTS
             - name: REGION
             - name: ENDPOINT_GROUP_ID
@@ -3785,6 +3814,9 @@ spec:
             - name: s3-secret
               mountPath: /etc/s3-secret
               readOnly: true
+            - name: external-db-ssl-secret
+              mountPath: /etc/external-db-secret
+              readOnly: true
             - name: noobaa-auth-token
               mountPath: /etc/noobaa-auth-token
               readOnly: true
@@ -4672,7 +4704,7 @@ spec:
       noobaa-s3-svc: "true"
 `
 
-const Sha256_deploy_internal_statefulset_core_yaml = "7020d2a21cd88a51c9e1056c2aac33163f47168b4c1fb326497d22554e31392e"
+const Sha256_deploy_internal_statefulset_core_yaml = "d794c900f09e09b0e2be94869f5537271cbc2ab6d806d5182fb7fe2ff950b8ae"
 
 const File_deploy_internal_statefulset_core_yaml = `apiVersion: apps/v1
 kind: StatefulSet
@@ -4709,6 +4741,10 @@ spec:
           secret:
             secretName: noobaa-s3-serving-cert
             optional: true
+        - name: external-db-ssl-secret
+          secret:
+            secretName: noobaa-external-db-cert
+            optional: true 
         - name: noobaa-server
           secret:
             secretName: noobaa-server
@@ -4735,6 +4771,9 @@ spec:
             - name: s3-secret
               mountPath: /etc/s3-secret
               readOnly: true
+            - name: external-db-ssl-secret
+              mountPath: /etc/external-db-secret
+              readOnly: true
             - name: noobaa-server
               mountPath: /etc/noobaa-server
               readOnly: true
@@ -4781,6 +4820,8 @@ spec:
             - name: POSTGRES_USER
             - name: POSTGRES_PASSWORD
             - name: POSTGRES_CONNECTION_STRING
+            - name: POSTGRES_SSL_REQUIRED
+            - name: POSTGRES_SSL_UNAUTHORIZED
             - name: DB_TYPE
               value: mongodb
             - name: CONTAINER_PLATFORM

pkg/operator/operator.go

@@ -122,6 +122,15 @@ func RunInstall(cmd *cobra.Command, args []string) {
 		})
 		c.Deployment.Spec.Template.Spec.Containers[0].Env = operatorContainer.Env
 	}
+	devEnv, _ := cmd.Flags().GetBool("dev")
+	if devEnv {
+		operatorContainer := c.Deployment.Spec.Template.Spec.Containers[0]
+		operatorContainer.Env = append(operatorContainer.Env, corev1.EnvVar{
+			Name:  "DEV_ENV",
+			Value: "true",
+		})
+		c.Deployment.Spec.Template.Spec.Containers[0].Env = operatorContainer.Env
+	}
 
 	admission, _ := cmd.Flags().GetBool("admission")
 	if admission {

pkg/options/options.go

@@ -101,6 +101,20 @@ var MongoDbURL = ""
 // it can be overridden for testing or different url.
 var PostgresDbURL = ""
 
+// PostgresSSLRequired is used to force noobaa to work with SSL with external pgsql
+// when using an external postgres DB.
+var PostgresSSLRequired = false
+
+// PostgresSSLSelfSigned is used to allow noobaa to work with self-signed SSL with external pgsql
+// when using an external postgres DB.
+var PostgresSSLSelfSigned = false
+
+// PostgresSSLKey is used for providing the path to the client SSL key file when working with external pgsql
+var PostgresSSLKey = ""
+
+// PostgresSSLCert is used for providing the path to the client SSL cert file when working with external pgsql
+var PostgresSSLCert = ""
+
 // DebugLevel can be used to override the default debug level
 var DebugLevel = "default_level"
 
@@ -232,6 +246,22 @@ func init() {
 		&PostgresDbURL, "postgres-url",
 		PostgresDbURL, "url for postgresql",
 	)
+	FlagSet.BoolVar(
+		&PostgresSSLRequired, "pg-ssl-required",
+		false, "Force noobaa to work with ssl (external postgres - server-side) [if server cert is self-signed, needs to add --ssl-unauthorized]",
+	)
+	FlagSet.BoolVar(
+		&PostgresSSLSelfSigned, "pg-ssl-unauthorized",
+		false, "Allow the client to work with self-signed ssl (external postgres - server-side)",
+	)
+	FlagSet.StringVar(
+		&PostgresSSLKey, "pg-ssl-key",
+		PostgresSSLKey, "ssl key for postgres (client-side cert - need to be signed by external pg accepted CA)",
+	)
+	FlagSet.StringVar(
+		&PostgresSSLCert, "pg-ssl-cert",
+		PostgresSSLCert, "ssl cert for postgres (client-side cert - need to be signed by external pg accepted CA)",
+	)
 	FlagSet.StringVar(
 		&DebugLevel, "debug-level",
 		DebugLevel, "The type of debug sets that the system prints (all, nsfs, warn, default_level)",

pkg/system/phase2_creating.go

@@ -458,6 +458,14 @@ func (r *Reconciler) setDesiredCoreEnv(c *corev1.Container) {
 					},
 				}
 			}
+		case "POSTGRES_SSL_REQUIRED":
+			if r.NooBaa.Spec.DBType == "postgres" && r.NooBaa.Spec.ExternalPgSSLRequired {
+				c.Env[j].Value = "true"
+			}
+		case "POSTGRES_SSL_UNAUTHORIZED":
+			if r.NooBaa.Spec.DBType == "postgres" && r.NooBaa.Spec.ExternalPgSSLUnauthorized {
+				c.Env[j].Value = "true"
+			}
 		case "NOOBAA_ROOT_SECRET":
 			c.Env[j].Value = r.SecretRootMasterKey
 		case "NODE_EXTRA_CA_CERTS":