diff --git a/pkg/comp-functions/functions/vshnpostgres/user_management.go b/pkg/comp-functions/functions/vshnpostgres/user_management.go
index edc57caaf0..1a54f7a5eb 100644
--- a/pkg/comp-functions/functions/vshnpostgres/user_management.go
+++ b/pkg/comp-functions/functions/vshnpostgres/user_management.go
@@ -26,7 +26,7 @@ func UserManagement(ctx context.Context, comp *vshnv1.VSHNPostgreSQL, svc *runti
 return nil
 }
 
- addProviderConfig(comp, svc)
+ addProviderConfig(comp, svc, comp.Spec.Parameters.Service.TLS.Enabled)
 
 for _, access := range comp.Spec.Parameters.Service.Access {
 
@@ -138,7 +138,7 @@ func addConnectionDetail(comp common.Composite, svc *runtime.ServiceRuntime, sec
 }
 }
 
-func addProviderConfig(comp common.Composite, svc *runtime.ServiceRuntime) {
+func addProviderConfig(comp common.Composite, svc *runtime.ServiceRuntime, tlsEnabled bool) {
 cd := svc.GetConnectionDetails()
 
 secret := &corev1.Secret{
@@ -163,6 +163,10 @@ func addProviderConfig(comp common.Composite, svc *runtime.ServiceRuntime) {
 svc.Log.Error(err, "cannot set credential secret for provider-sql")
 }
 
+ sslMode := "disable"
+ if tlsEnabled {
+ sslMode = "required"
+ }
 config := &pgv1alpha1.ProviderConfig{
 ObjectMeta: metav1.ObjectMeta{
 Name: comp.GetName(),
@@ -170,7 +174,7 @@ func addProviderConfig(comp common.Composite, svc *runtime.ServiceRuntime) {
 Spec: pgv1alpha1.ProviderConfigSpec{
 // Porvider-SQL doesn't support passing certificates to the config
 // se we're stuck with require, which doesn't actually verify the certs.
- SSLMode: ptr.To("require"),
+ SSLMode: &sslMode,
 Credentials: pgv1alpha1.ProviderCredentials{
 Source: "PostgreSQLConnectionSecret",
 ConnectionSecretRef: &xpv1.SecretReference{
diff --git a/pkg/comp-functions/functions/vshnpostgres/user_management_test.go b/pkg/comp-functions/functions/vshnpostgres/user_management_test.go
index ae75f3e895..8cb06c017b 100644
--- a/pkg/comp-functions/functions/vshnpostgres/user_management_test.go
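Review bot: `sslMode = "required"` inside the new `if tlsEnabled` branch is not a sslmode value PostgreSQL clients accept — libpq and lib/pq recognise `disable`, `allow`, `prefer`, `require`, `verify-ca` and `verify-full` — so, assuming provider-sql passes the value through to the connection string unchanged, every TLS-enabled instance will fail with an invalid-sslmode error where the removed `ptr.To("require")` connected fine. The fix is the one-word change `sslMode = "require"`, and the `"required"` expectation added to Test_addProviderConfig has to change with it or the test will cement the typo. Since `require` still skips certificate verification (as the existing comment says) and `disable` sends the provider's credentials in cleartext, the TLS switch now selects between two weak modes; that is acceptable only if the instance network is trusted, and it deserves a sentence in the comment. addProviderConfig continues outside the hunk.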
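Review bot: The comment kept above `SSLMode: &sslMode` still says "we're stuck with require", which no longer describes the field now that it is computed from the TLS flag and can be `disable`, and it carries two typos (`Porvider`, `se`). Suggest replacing the two comment lines with `// provider-sql cannot be given a CA bundle, so with TLS on the best available mode is "require": encrypted, but the server certificate is not verified.` and `// With service TLS off this becomes "disable" and the provider credentials cross the network in cleartext.` The enclosing ProviderConfig literal starts and ends outside the hunk.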
+++ b/pkg/comp-functions/functions/vshnpostgres/user_management_test.go
@@ -20,7 +20,7 @@ func Test_addProviderConfig(t *testing.T) {
 // when
 comp := &vshnv1.VSHNPostgreSQL{}
 assert.NoError(t, svc.GetObservedComposite(comp))
- addProviderConfig(comp, svc)
+ addProviderConfig(comp, svc, comp.Spec.Parameters.Service.TLS.Enabled)
 
 // then
 secret := &corev1.Secret{}
@@ -29,6 +29,27 @@ func Test_addProviderConfig(t *testing.T) {
 config := &pgv1alpha1.ProviderConfig{}
 assert.NoError(t, svc.GetDesiredKubeObject(config, comp.GetName()+"-providerconfig"))
 assert.Equal(t, comp.GetInstanceNamespace(), secret.GetNamespace())
+ assert.Equal(t, *config.Spec.SSLMode, "required")
+
+}
+
+func Test_tlsDisabled(t *testing.T) {
+ // given
+ svc := commontest.LoadRuntimeFromFile(t, "vshn-postgres/usermanagement/02-tls-disabled.yaml")
+
+ // when
+ comp := &vshnv1.VSHNPostgreSQL{}
+ assert.NoError(t, svc.GetObservedComposite(comp))
+ addProviderConfig(comp, svc, comp.Spec.Parameters.Service.TLS.Enabled)
+
+ // then
+ secret := &corev1.Secret{}
+ assert.NoError(t, svc.GetDesiredKubeObject(secret, comp.GetName()+"-provider-conf-credentials"))
+
+ config := &pgv1alpha1.ProviderConfig{}
+ assert.NoError(t, svc.GetDesiredKubeObject(config, comp.GetName()+"-providerconfig"))
+ assert.Equal(t, comp.GetInstanceNamespace(), secret.GetNamespace())
+ assert.Equal(t, *config.Spec.SSLMode, "disable")
 
 }
 
diff --git a/test/functions/vshn-postgres/usermanagement/01-emptyaccess.yaml b/test/functions/vshn-postgres/usermanagement/01-emptyaccess.yaml
index 499184bee9..414a2a528f 100644
--- a/test/functions/vshn-postgres/usermanagement/01-emptyaccess.yaml
+++ b/test/functions/vshn-postgres/usermanagement/01-emptyaccess.yaml
@@ -21,7 +21,10 @@ desired:
 crossplane.io/composite: pgsql-gc9x4
 name: pgsql-gc9x4
 spec:
- parameters: null
+ parameters:
+ service:
+ tls:
+ enabled: true
 writeConnectionSecretToRef: {}
 status: {}
 observed:
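Review bot: `assert.Equal(t, *config.Spec.SSLMode, "required")` and its `"disable"` twin in Test_tlsDisabled dereference SSLMode before asserting, so a nil pointer panics the test run instead of producing a failure, and the arguments are passed as (actual, expected) while testify reports them as expected/actual, which inverts the diff in the failure message. Prefer `assert.NotNil(t, config.Spec.SSLMode)` followed by `assert.Equal(t, "require", *config.Spec.SSLMode)` (and `"disable"` in the other test). The expected value itself also deserves scrutiny: `required` is not a sslmode libpq accepts, so the first assertion currently pins a value that would break TLS-enabled connections, whereas `require` is what the pre-change code used. Test_addProviderConfig begins outside the hunk.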
@@ -47,6 +50,9 @@ observed:
 crossplane.io/composite: pgsql-gc9x4
 name: pgsql-gc9x4
 spec:
- parameters: null
+ parameters:
+ service:
+ tls:
+ enabled: true
 writeConnectionSecretToRef: {}
 status: {}
diff --git a/test/functions/vshn-postgres/usermanagement/02-tls-disabled.yaml b/test/functions/vshn-postgres/usermanagement/02-tls-disabled.yaml
new file mode 100644
index 0000000000..cd8ea5b3c5
--- /dev/null
+++ b/test/functions/vshn-postgres/usermanagement/02-tls-disabled.yaml
@@ -0,0 +1,58 @@
+desired:
+ composite:
+ connection_details:
+ POSTGRESQL_USER: cm9vdA== #root
+ POSTGRESQL_PASSWORD: cm9vdA== #root
+ POSTGRESQL_HOST: bG9jYWxob3N0IC1uCg== #localhost
+ POSTGRESQL_PORT: NTQzMgo=
+ resource:
+ apiVersion: vshn.appcat.vshn.io/v1
+ kind: XVSHNPostgreSQL
+ metadata:
+ creationTimestamp: "2023-03-21T16:52:31Z"
+ finalizers:
+ - composite.apiextensions.crossplane.io
+ generateName: pgsql-
+ generation: 13
+ labels:
+ appuio.io/organization: vshn
+ crossplane.io/claim-name: pgsql
+ crossplane.io/claim-namespace: unit-test
+ crossplane.io/composite: pgsql-gc9x4
+ name: pgsql-gc9x4
+ spec:
+ parameters:
+ service:
+ tls:
+ enabled: false
+ writeConnectionSecretToRef: {}
+ status: {}
+observed:
+ composite:
+ connection_details:
+ POSTGRESQL_USER: cm9vdA== #root
+ POSTGRESQL_PASSWORD: cm9vdA== #root
+ POSTGRESQL_HOST: bG9jYWxob3N0IC1uCg== #localhost
+ POSTGRESQL_PORT: NTQzMgo=
+ resource:
+ apiVersion: vshn.appcat.vshn.io/v1
+ kind: XVSHNPostgreSQL
+ metadata:
+ creationTimestamp: "2023-03-21T16:52:31Z"
+ finalizers:
+ - composite.apiextensions.crossplane.io
+ generateName: pgsql-
+ generation: 13
+ labels:
+ appuio.io/organization: vshn
+ crossplane.io/claim-name: pgsql
+ crossplane.io/claim-namespace: unit-test
+ crossplane.io/composite: pgsql-gc9x4
+ name: pgsql-gc9x4
+ spec:
+ parameters:
+ service:
+ tls:
+ enabled: false
+ writeConnectionSecretToRef: {}
+ status: {}
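Review bot: `POSTGRESQL_HOST: bG9jYWxob3N0IC1uCg==` in the new 02-tls-disabled.yaml decodes to `localhost -n` followed by a newline, not `localhost` as its trailing comment says, and `POSTGRESQL_PORT: NTQzMgo=` decodes to `5432` plus a newline — both look like the output of `echo localhost -n | base64`. Test_tlsDisabled only checks SSLMode and the secret namespace, so nothing fails today, but anything that later assembles a DSN from these connection details would get a broken host and port. Use `bG9jYWxob3N0` and `NTQzMg==` (encode with `printf`, not `echo`) in both the desired and observed copies; if these values were copied from 01-emptyaccess.yaml, that fixture likely needs the same correction.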