vshn · TheBigLee · Feb 4, 2025 · Feb 4, 2025
diff --git a/pkg/comp-functions/functions/vshnpostgres/user_management.go b/pkg/comp-functions/functions/vshnpostgres/user_management.go
@@ -26,7 +26,7 @@ func UserManagement(ctx context.Context, comp *vshnv1.VSHNPostgreSQL, svc *runti
 		return nil
 	}
 
-	addProviderConfig(comp, svc)
+	addProviderConfig(comp, svc, comp.Spec.Parameters.Service.TLS.Enabled)
 
 	for _, access := range comp.Spec.Parameters.Service.Access {
 
@@ -138,7 +138,7 @@ func addConnectionDetail(comp common.Composite, svc *runtime.ServiceRuntime, sec
 	}
 }
 
-func addProviderConfig(comp common.Composite, svc *runtime.ServiceRuntime) {
+func addProviderConfig(comp common.Composite, svc *runtime.ServiceRuntime, tlsEnabled bool) {
 	cd := svc.GetConnectionDetails()
 
 	secret := &corev1.Secret{
@@ -163,14 +163,18 @@ func addProviderConfig(comp common.Composite, svc *runtime.ServiceRuntime) {
 		svc.Log.Error(err, "cannot set credential secret for provider-sql")
 	}
 
+	sslMode := "disable"
+	if tlsEnabled {
+		sslMode = "required"
+	}
 	config := &pgv1alpha1.ProviderConfig{
 		ObjectMeta: metav1.ObjectMeta{
 			Name: comp.GetName(),
 		},
 		Spec: pgv1alpha1.ProviderConfigSpec{
 			// Porvider-SQL doesn't support passing certificates to the config
 			// se we're stuck with require, which doesn't actually verify the certs.
-			SSLMode: ptr.To("require"),
+			SSLMode: &sslMode,
 			Credentials: pgv1alpha1.ProviderCredentials{
 				Source: "PostgreSQLConnectionSecret",
 				ConnectionSecretRef: &xpv1.SecretReference{

diff --git a/pkg/comp-functions/functions/vshnpostgres/user_management_test.go b/pkg/comp-functions/functions/vshnpostgres/user_management_test.go
@@ -20,7 +20,7 @@ func Test_addProviderConfig(t *testing.T) {
 	// when
 	comp := &vshnv1.VSHNPostgreSQL{}
 	assert.NoError(t, svc.GetObservedComposite(comp))
-	addProviderConfig(comp, svc)
+	addProviderConfig(comp, svc, comp.Spec.Parameters.Service.TLS.Enabled)
 
 	// then
 	secret := &corev1.Secret{}
@@ -29,6 +29,27 @@ func Test_addProviderConfig(t *testing.T) {
 	config := &pgv1alpha1.ProviderConfig{}
 	assert.NoError(t, svc.GetDesiredKubeObject(config, comp.GetName()+"-providerconfig"))
 	assert.Equal(t, comp.GetInstanceNamespace(), secret.GetNamespace())
+	assert.Equal(t, *config.Spec.SSLMode, "required")
+
+}
+
+func Test_tlsDisabled(t *testing.T) {
+	// given
+	svc := commontest.LoadRuntimeFromFile(t, "vshn-postgres/usermanagement/02-tls-disabled.yaml")
+
+	// when
+	comp := &vshnv1.VSHNPostgreSQL{}
+	assert.NoError(t, svc.GetObservedComposite(comp))
+	addProviderConfig(comp, svc, comp.Spec.Parameters.Service.TLS.Enabled)
+
+	// then
+	secret := &corev1.Secret{}
+	assert.NoError(t, svc.GetDesiredKubeObject(secret, comp.GetName()+"-provider-conf-credentials"))
+
+	config := &pgv1alpha1.ProviderConfig{}
+	assert.NoError(t, svc.GetDesiredKubeObject(config, comp.GetName()+"-providerconfig"))
+	assert.Equal(t, comp.GetInstanceNamespace(), secret.GetNamespace())
+	assert.Equal(t, *config.Spec.SSLMode, "disable")
 
 }
 

diff --git a/test/functions/vshn-postgres/usermanagement/01-emptyaccess.yaml b/test/functions/vshn-postgres/usermanagement/01-emptyaccess.yaml
@@ -21,7 +21,10 @@ desired:
           crossplane.io/composite: pgsql-gc9x4
         name: pgsql-gc9x4
       spec:
-        parameters: null
+        parameters:
+          service:
+            tls:
+              enabled: true
         writeConnectionSecretToRef: {}
       status: {}
 observed:
@@ -47,6 +50,9 @@ observed:
           crossplane.io/composite: pgsql-gc9x4
         name: pgsql-gc9x4
       spec:
-        parameters: null
+        parameters:
+          service:
+            tls:
+              enabled: true
         writeConnectionSecretToRef: {}
       status: {}
diff --git a/test/functions/vshn-postgres/usermanagement/02-tls-disabled.yaml b/test/functions/vshn-postgres/usermanagement/02-tls-disabled.yaml
@@ -0,0 +1,58 @@
+desired:
+  composite:
+    connection_details:
+      POSTGRESQL_USER: cm9vdA== #root
+      POSTGRESQL_PASSWORD: cm9vdA== #root
+      POSTGRESQL_HOST: bG9jYWxob3N0IC1uCg== #localhost
+      POSTGRESQL_PORT: NTQzMgo=
+    resource:
+      apiVersion: vshn.appcat.vshn.io/v1
+      kind: XVSHNPostgreSQL
+      metadata:
+        creationTimestamp: "2023-03-21T16:52:31Z"
+        finalizers:
+        - composite.apiextensions.crossplane.io
+        generateName: pgsql-
+        generation: 13
+        labels:
+          appuio.io/organization: vshn
+          crossplane.io/claim-name: pgsql
+          crossplane.io/claim-namespace: unit-test
+          crossplane.io/composite: pgsql-gc9x4
+        name: pgsql-gc9x4
+      spec:
+        parameters:
+          service:
+            tls:
+              enabled: false
+        writeConnectionSecretToRef: {}
+      status: {}
+observed:
+  composite:
+    connection_details:
+      POSTGRESQL_USER: cm9vdA== #root
+      POSTGRESQL_PASSWORD: cm9vdA== #root
+      POSTGRESQL_HOST: bG9jYWxob3N0IC1uCg== #localhost
+      POSTGRESQL_PORT: NTQzMgo=
+    resource:
+      apiVersion: vshn.appcat.vshn.io/v1
+      kind: XVSHNPostgreSQL
+      metadata:
+        creationTimestamp: "2023-03-21T16:52:31Z"
+        finalizers:
+        - composite.apiextensions.crossplane.io
+        generateName: pgsql-
+        generation: 13
+        labels:
+          appuio.io/organization: vshn
+          crossplane.io/claim-name: pgsql
+          crossplane.io/claim-namespace: unit-test
+          crossplane.io/composite: pgsql-gc9x4
+        name: pgsql-gc9x4
+      spec:
+        parameters:
+          service:
+            tls:
+              enabled: false
+        writeConnectionSecretToRef: {}
+      status: {}