support SSL connections to db instance

lib/kompost/kompo/postgres/controller/database_controller.ex

@@ -170,7 +170,9 @@ defmodule Kompost.Kompo.Postgres.Controller.DatabaseController do
     data =
       Map.merge(user_env, %{
         DB_HOST: Keyword.fetch!(conn_args, :hostname),
-        DB_PORT: "#{Keyword.fetch!(conn_args, :port)}"
+        DB_PORT: "#{Keyword.fetch!(conn_args, :port)}",
+        DB_SSL: "#{conn_args[:ssl]}",
+        DB_SSL_VERIFY: "#{conn_args[:ssl_opts][:verify] == :verify_peer}"
       })
 
     user_secret =

lib/kompost/kompo/postgres/controller/instance_controller.ex

@@ -81,7 +81,11 @@ defmodule Kompost.Kompo.Postgres.Controller.InstanceController do
        port: spec["port"],
        username: spec["username"],
        password: spec["plainPassword"],
-       database: "postgres"
+       database: "postgres",
+       ssl: spec["ssl"]["enabled"] || false,
+       ssl_opts: [
+         verify: (spec["ssl"]["enabled"] || "verify_none") |> String.to_atom()
+       ]
      ]}
   end
 

lib/kompost/kompo/postgres/v1alpha1/postgres_instance.ex

@@ -39,8 +39,17 @@ defmodule Kompost.Kompo.Postgres.V1Alpha1.PostgresInstance do
                   key:
                     type: string
               plainPassword:
-                  type: string
-                  description: "It's not safe to save passwords in plaintext. Consider using passwordSecretRef instead."
+                type: string
+                description: "It's not safe to save passwords in plaintext. Consider using passwordSecretRef instead."
+              ssl:
+                type: object
+                properties:
+                  enabled:
+                    type: boolean
+                    description: "Set to true if ssl should be used."
+                  verify:
+                    type: string
+                    description: "'verify_none' or 'verify_peer'. Defaults to 'verify_none'"
       """a
     )
     |> add_observed_generation_status()

lib/kompost/kompo/postgres/webhooks/admission_control_handler.ex

@@ -20,6 +20,21 @@ defmodule Kompost.Kompo.Postgres.Webhooks.AdmissionControlHandler do
   end
 
   validate "kompost.chuge.li/v1alpha1/postgresclusterinstances", conn do
+    try do
+      NamespaceAccess.allowed_namespaces!(conn.request["object"])
+
+      conn
+      |> check_allowed_values(~w(spec ssl verify), ~w(verify_none verify_peer), ".spec.verify")
+    catch
+      %Regex.CompileError{} = error ->
+        deny(
+          conn,
+          ~s(Invalid regular expression in the annotation "kompost.chuge.li/allowed_namespaces": #{Exception.message(error)})
+        )
+    end
+  end
+
+  validate "kompost.chuge.li/v1alpha1/postgresinstances", conn do
     try do
       NamespaceAccess.allowed_namespaces!(conn.request["object"])
       conn

test/kompost/kompo/postgres/controller/database_controller_integration_test.exs

@@ -129,7 +129,9 @@ defmodule Kompost.Kompo.Postgres.Controller.DatabaseControllerIntegrationTest do
           "DB_NAME" => database,
           "DB_PASS" => password,
           "DB_PORT" => port,
-          "DB_USER" => username
+          "DB_USER" => username,
+          "DB_SSL" => "false",
+          "DB_SSL_VERIFY" => "false"
         } = Map.new(data, fn {key, value} -> {key, Base.decode64!(value)} end)
 
         conn_args = [

test/kompost/kompo/temporal/controller/api_server_controller_integration_test.exs

@@ -72,11 +72,7 @@ defmodule Kompost.Kompo.Temporal.Controller.ApiServerControllerIntegrationTest d
         |> ResourceHelper.api_server(@namespace)
         |> GlobalResourceHelper.k8s_apply!(conn)
 
-      created_resource =
-        GlobalResourceHelper.wait_until_observed!(created_resource, conn, timeout)
-
-      conditions = Map.new(created_resource["status"]["conditions"], &{&1["type"], &1})
-      assert "True" == conditions["Connected"]["status"]
+      GlobalResourceHelper.wait_for_condition!(created_resource, conn, "Connected", timeout)
     end
   end
 end