feat: DSPO handle db tls connections and configs

[HumairAK]

The issue resolved by this Pull Request:

Resolves for v1.6:

• https://issues.redhat.com/browse/RHOAIENG-1690
• https://issues.redhat.com/browse/RHOAIENG-2385

Description of your changes:

This change allows the DSPO to perform health checks against a tls
secured database. If the database is behind a self-signed cert, end user
can provide a ca-bundle either as a global cert (configmap named
"odh-trust-bundle" or via the ".caBundle" config option via the DSPA.

This change also exposes the "ExtraParams" field for DSP, meaning users
can now add ny DSN parameters when configuring a DB connection for DSP.
These params are utilized in the same manner by the DSPO when conducting
the health check to keep the behavior consistent.

NOTE that before external connections made a connection via tls:false, now it's enforced by default. To disable it, users will need to set customExtraParams to: {"tls":"true"} string.

Testing instructions

Deploy a secure/tls enabled s3/mariadb behind a self-signed cert (for example in a self-signed ocp cluster), provide these configs to the DSAP as external configs. Ensure they only accept tls based connections.

Deploy a cabundle as a configmap in the DSPA namespace:

kind: ConfigMap
apiVersion: v1
metadata:
  name: odh-trusted-ca-bundle
data:
  ca-bundle.crt: | 
      <your-bundle>

Deploy DSPA configured to leverage these connections via external db/object store connections.

Confirm DSPO is able conduct successfull health checks (if it deploys the DSPA pods then health checks worked), if it didn't, log the error here.

Confirm DSPA comes up successfully, in this change DSPO willl udpate the DSP server's configs to enable "tls" for db connections. Confirm this behavior by running a successful pipeline.

Confirm DSPA "simple" v1 still works (no external db/s3 configured).

Confirm setting "customExtraParams" in the DSPA's ".spec.database.customExtraParams". Provide wrong ca bundle, confirm it fails to deploy dspa, then set ".spec.database.customExtraParams" to {"tls":"true"}, it should work. Because the value is a json string, you should use | or >- to format the yaml value, example:

spec:
  dspVersion: v2
  database:
    customExtraParams: |                           
      {"tls": "skip-verify"} 

Checklist

• The commits are squashed in a cohesive manner and have meaningful messages.
• Testing instructions have been added in the PR body (for PRs involving changes that are not immediately obvious).
• The developer has manually tested the changes and verified that the changes work

[dsp-developers]

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-575

[amadhusu]

I was able to test and verify the first two test cases but not the last one with the new field "customExtraParams".

Confirm setting "customExtraParams" in the DSPA's ".spec.database.customExtraParams". Provide wrong ca bundle, confirm it fails to deploy dspa, then set ".spec.database.customExtraParams" to {"tls":"true"}, it should work.

[amadhusu]

Tested the customExtraParams after Humair's suggestion about the format. It works as expected.

[gregsheremeta]

i have some thoughts and nitpicks ... all of which we can deal with in a follow up

/lgtm

[gregsheremeta]

nitpick, not related, should extract

[gregsheremeta]

watching ConfigMap gobbles up memory doesn't it? Do we need to check for that and mitigate, possibly by increasing limits and or requests?

[HumairAK]

We added a similar watcher for a pod, and didn't notice a major uptick (a lot of this is internally cached and heavily optimized in k8s I believe), and pod events work queue is likely to be insanely longer than the configmap events

[HumairAK]

buut if it does cause issues, we will probably catch it in our perf testing and adjust accordingly

[gregsheremeta]

The extra params should be a struct that gets serialized to json when it needs to be. I guess it needs to by dynamic though, because you don't want to chase the mysql API. Hmm. Sprintf'ing the 'true' or 'false' specifically for tls feels weird when the field is named "DBDefaultExtraParams" and not "tlsEnabled". Not sure what the solution is but wanted to call out that it feels weird to me.

[HumairAK]

I actually did it that way at first, i.e. Extraparams was of type map[string]string but in our configmap template we need to render it as a string, the thing is we need to pass it in as a string anyways to render it in our go template configmap, I was torn on it, this method resulted in a lot less lines of code so I did it this way instead

[gregsheremeta]

local usually overrides global ... pinged you in slack about it

[gregsheremeta]

/lgtm

[gregsheremeta]

/approve

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: amadhusu, gregsheremeta

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [gregsheremeta]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[dsp-developers]

Change to PR detected. A new PR build was completed.
A new image has been built to help with testing out this PR: quay.io/opendatahub/data-science-pipelines-operator:pr-575