add reconfigure-tls for pgbouncer (#1384)

Signed-off-by: Hiranmoy Das Chowdhury <hiranmoy@appscode.com>
kubedb · Jan 25, 2025 · 2e16351 · 2e16351
1 parent a790052
commit 2e16351
Show file tree

Hide file tree

Showing 7 changed files with 122 additions and 14 deletions.
diff --git a/apis/kubedb/v1/pgbouncer_types.go b/apis/kubedb/v1/pgbouncer_types.go
@@ -232,8 +232,8 @@ const (
 )
 
 // PgBouncerClientAuthMode represents the ClientAuthMode of PgBouncer clusters ( replicaset )
-// We are allowing md5, scram-sha-256, cert as ClientAuthMode
-// +kubebuilder:validation:Enum=md5;scram-sha-256;cert;
+// We are allowing md5, scram-sha-256 as ClientAuthMode
+// +kubebuilder:validation:Enum=md5;scram-sha-256;
 type PgBouncerClientAuthMode string
 
 const (
@@ -248,9 +248,4 @@ const (
 	// and supports storing passwords on the server in a cryptographically hashed form that is thought to be secure.
 	// This is the most secure of the currently provided methods, but it is not supported by older client libraries.
 	PgBouncerClientAuthModeScram PgBouncerClientAuthMode = "scram-sha-256"
-
-	// ClientAuthModeCert represents `cert clientcert=1` auth mode where client need to provide cert and private key for authentication.
-	// When server is config with this auth method. Client can't connect with pgbouncer server with password. They need
-	// to Send the client cert and client key certificate for authentication.
-	PgBouncerClientAuthModeCert PgBouncerClientAuthMode = "cert"
 )
diff --git a/apis/ops/v1alpha1/openapi_generated.go b/apis/ops/v1alpha1/openapi_generated.go
diff --git a/apis/ops/v1alpha1/pgbouncer_ops_types.go b/apis/ops/v1alpha1/pgbouncer_ops_types.go
@@ -18,6 +18,8 @@ limitations under the License.
 package v1alpha1
 
 import (
+	dbapi "kubedb.dev/apimachinery/apis/kubedb/v1"
+
 	core "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -63,7 +65,7 @@ type PgBouncerOpsRequestSpec struct {
 	// Specifies information necessary for custom configuration of PgBouncer
 	Configuration *PgBouncerCustomConfigurationSpec `json:"configuration,omitempty"`
 	// Specifies information necessary for configuring TLS
-	TLS *TLSSpec `json:"tls,omitempty"`
+	TLS *PgBouncerTLSSpec `json:"tls,omitempty"`
 	// Specifies information necessary for configuring authSecret of the database
 	Authentication *AuthSpec `json:"authentication,omitempty"`
 	// Specifies information necessary for restarting database
@@ -75,8 +77,8 @@ type PgBouncerOpsRequestSpec struct {
 	Apply ApplyOption `json:"apply,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=HorizontalScaling;VerticalScaling;UpdateVersion;Reconfigure;RotateAuth;Restart
-// ENUM(HorizontalScaling, VerticalScaling, UpdateVersion, Reconfigure, RotateAuth, Restart)
+// +kubebuilder:validation:Enum=HorizontalScaling;VerticalScaling;UpdateVersion;Reconfigure;RotateAuth;Restart;ReconfigureTLS
+// ENUM(HorizontalScaling, VerticalScaling, UpdateVersion, Reconfigure, RotateAuth, Restart, ReconfigureTLS)
 type PgBouncerOpsRequestType string
 
 type PgBouncerUpdateVersionSpec struct {
@@ -105,6 +107,18 @@ type PgBouncerCustomConfiguration struct {
 	RemoveCustomConfig bool                       `json:"removeCustomConfig,omitempty"`
 }
 
+type PgBouncerTLSSpec struct {
+	TLSSpec `json:",inline,omitempty"`
+
+	// SSLMode for both standalone and clusters. [disable;allow;prefer;require;verify-ca;verify-full]
+	// +optional
+	SSLMode dbapi.PgBouncerSSLMode `json:"sslMode,omitempty"`
+
+	// ClientAuthMode for sidecar or sharding. (default will be md5. [md5;scram])
+	// +optional
+	ClientAuthMode dbapi.PgBouncerClientAuthMode `json:"clientAuthMode,omitempty"`
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // PgBouncerOpsRequestList is a list of PgBouncerOpsRequests

diff --git a/apis/ops/v1alpha1/pgbouncer_ops_types_enum.go b/apis/ops/v1alpha1/pgbouncer_ops_types_enum.go
diff --git a/apis/ops/v1alpha1/zz_generated.deepcopy.go b/apis/ops/v1alpha1/zz_generated.deepcopy.go
diff --git a/crds/kubedb.com_pgbouncers.yaml b/crds/kubedb.com_pgbouncers.yaml
@@ -80,7 +80,6 @@ spec:
                     enum:
                     - md5
                     - scram-sha-256
-                    - cert
                     type: string
                   defaultPoolSize:
                     format: int64

diff --git a/crds/ops.kubedb.com_pgbounceropsrequests.yaml b/crds/ops.kubedb.com_pgbounceropsrequests.yaml
@@ -183,6 +183,11 @@ spec:
                       - alias
                       type: object
                     type: array
+                  clientAuthMode:
+                    enum:
+                    - md5
+                    - scram-sha-256
+                    type: string
                   issuerRef:
                     properties:
                       apiGroup:
@@ -200,6 +205,15 @@ spec:
                     type: boolean
                   rotateCertificates:
                     type: boolean
+                  sslMode:
+                    enum:
+                    - disable
+                    - allow
+                    - prefer
+                    - require
+                    - verify-ca
+                    - verify-full
+                    type: string
                 type: object
               type:
                 enum:
@@ -209,6 +223,7 @@ spec:
                 - Reconfigure
                 - RotateAuth
                 - Restart
+                - ReconfigureTLS
                 type: string
               updateVersion:
                 properties: