Merge branch 'main' into K8SPG-984-k8s-upgrade

Author: valmiranogueira

cmd/postgres-operator/main.go

@@ -34,7 +34,6 @@ import (
 	"github.com/percona/percona-postgresql-operator/v2/internal/controller/runtime"
 	"github.com/percona/percona-postgresql-operator/v2/internal/controller/standalone_pgadmin"
 	"github.com/percona/percona-postgresql-operator/v2/internal/feature"
-	"github.com/percona/percona-postgresql-operator/v2/internal/initialize"
 	"github.com/percona/percona-postgresql-operator/v2/internal/logging"
 	"github.com/percona/percona-postgresql-operator/v2/internal/naming"
 	"github.com/percona/percona-postgresql-operator/v2/internal/upgradecheck"
@@ -175,6 +174,7 @@ func addControllersToManager(ctx context.Context, mgr manager.Manager) error {
 	if cm.Controller() == nil {
 		return errors.New("missing controller in manager")
 	}
+	r.Controller = cm.Controller()
 
 	if err := mgr.GetFieldIndexer().IndexField(
 		context.Background(),
@@ -288,7 +288,7 @@ func initManager(ctx context.Context) (runtime.Options, error) {
 	log := logging.FromContext(ctx)
 
 	options := runtime.Options{}
-	options.Cache.SyncPeriod = initialize.Pointer(time.Hour)
+	options.Cache.SyncPeriod = new(time.Hour)
 
 	options.HealthProbeBindAddress = ":8081"
 

e2e-tests/functions

@@ -1142,6 +1142,11 @@ deploy_cert_manager() {
 	until kubectl get validatingwebhookconfiguration cert-manager-webhook -o jsonpath='{.webhooks[0].clientConfig.caBundle}' | grep -q '[A-Za-z0-9+/=]'; do
 		sleep 5
 	done
+
+	echo "Waiting for cert-manager webhook service to have endpoints..."
+	until kubectl -n cert-manager get endpoints cert-manager-webhook -o jsonpath='{.subsets[*].addresses}' | grep -q '.'; do
+		sleep 5
+	done
 }
 
 destroy_cert_manager() {

e2e-tests/tests/cert-manager-tls/00-deploy-operator.yaml

@@ -1,6 +1,5 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
-timeout: 10
 commands:
   - script: |-
       set -o errexit
@@ -9,7 +8,7 @@ commands:
       source ../../functions
       init_temp_dir # do this only in the first TestStep
 
-      deploy_cert_manager
+      destroy_cert_manager
       deploy_operator
       deploy_client
-      deploy_cmctl
+    timeout: 120

e2e-tests/tests/cert-manager-tls/01-assert.yaml

@@ -58,34 +58,6 @@ metadata:
 status:
   succeeded: 1
 ---
-apiVersion: upstream.pgv2.percona.com/v1beta1
-kind: PostgresCluster
-metadata:
-  name: cert-manager-tls
-  ownerReferences:
-    - apiVersion: pgv2.percona.com/v2
-      kind: PerconaPGCluster
-      name: cert-manager-tls
-      controller: true
-      blockOwnerDeletion: true
-  finalizers:
-    - postgres-operator.crunchydata.com/finalizer
-status:
-  instances:
-    - name: instance1
-      readyReplicas: 3
-      replicas: 3
-      updatedReplicas: 3
-  observedGeneration: 1
-  pgbackrest:
-    repos:
-      - name: repo1
-        stanzaCreated: true
-  proxy:
-    pgBouncer:
-      readyReplicas: 3
-      replicas: 3
----
 apiVersion: pgv2.percona.com/v2
 kind: PerconaPGCluster
 metadata:
@@ -101,4 +73,4 @@ status:
       size: 3
     ready: 3
     size: 3
-  state: ready
+  state: ready

e2e-tests/tests/cert-manager-tls/01-create-cluster.yaml

@@ -1,6 +1,5 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
-timeout: 10
 commands:
   - script: |-
       set -o errexit
@@ -9,4 +8,5 @@ commands:
       source ../../functions
 
       get_cr "cert-manager-tls" \
-        | kubectl -n "${NAMESPACE}" apply -f -
+        | kubectl -n "${NAMESPACE}" apply -f -
+    timeout: 10

e2e-tests/tests/cert-manager-tls/02-verify-internal-pki.yaml

@@ -0,0 +1,47 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |-
+      set -o errexit
+      set -o xtrace
+
+      source ../../functions
+
+      root_ca_annotation=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-cluster-cert \
+        -o jsonpath='{.metadata.annotations.cert-manager\.io/certificate-name}' 2>/dev/null || true)
+
+      if [[ -n "$root_ca_annotation" ]]; then
+          echo "Root CA secret has cert-manager annotation but cert-manager is not installed!"
+          exit 1
+      fi
+
+      cert_count=$(kubectl -n "$NAMESPACE" get certificate 2>/dev/null | grep -c cert-manager-tls || true)
+      if [[ "$cert_count" -gt 0 ]]; then
+          echo "Found cert-manager Certificate resources but cert-manager should not be installed"
+          exit 1
+      fi
+
+      instance_sts=$(kubectl -n "$NAMESPACE" get sts \
+        -l postgres-operator.crunchydata.com/cluster=cert-manager-tls,postgres-operator.crunchydata.com/instance-set=instance1 \
+        -o jsonpath='{.items[*].metadata.name}')
+
+      for sts_name in $instance_sts; do
+          secret_name="${sts_name}-certs"
+
+          cm_annotation=$(kubectl -n "$NAMESPACE" get secret "$secret_name" \
+            -o jsonpath='{.metadata.annotations.cert-manager\.io/certificate-name}' 2>/dev/null || true)
+          if [[ -n "$cm_annotation" ]]; then
+              echo "Instance secret $secret_name has cert-manager annotation unexpectedly"
+              exit 1
+          fi
+
+          for key in dns.crt dns.key patroni.ca-roots patroni.crt-combined; do
+              escaped_key="${key//./\\.}"
+              val=$(kubectl -n "$NAMESPACE" get secret "$secret_name" -o jsonpath="{.data.${escaped_key}}")
+              if [[ -z "$val" ]]; then
+                  echo "Instance secret $secret_name is missing key: $key"
+                  exit 1
+              fi
+          done
+      done
+    timeout: 60

e2e-tests/tests/cert-manager-tls/03-verify-tls-secrets.yaml

@@ -1,125 +1,31 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
-timeout: 120
 commands:
   - script: |-
       set -o errexit
       set -o xtrace
 
       source ../../functions
 
-      verify_secret_data() {
-          local secret_name="$1"
-          shift
-          for key in "$@"; do
-              escaped_key="${key//./\\.}"
-            val=$(kubectl -n "$NAMESPACE" get secret "$secret_name" -o jsonpath="{.data.${escaped_key}}")
-              if [[ -z "$val" ]]; then
-                  echo "Secret $secret_name is missing key: $key"
-                  return 1
-              fi
-          done
-      }
+      ssl_info=$(run_psql_local "SHOW ssl;" "postgres:$(get_psql_user_pass cert-manager-tls-pguser-postgres)@$(get_psql_user_host cert-manager-tls-pguser-postgres)")
 
-      retry 12 5 verify_secret_data cert-manager-tls-cluster-ca-cert tls.crt tls.key ca.crt
-
-      ca_secret_type=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-cluster-ca-cert -o jsonpath='{.type}')
-      if [[ "$ca_secret_type" != "kubernetes.io/tls" ]]; then
-          echo "CA secret type is incorrect: $ca_secret_type (expected kubernetes.io/tls)"
-          exit 1
-      fi
-
-      ca_issuer_name=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-cluster-ca-cert -o jsonpath='{.metadata.annotations.cert-manager\.io/issuer-name}')
-      if [[ "$ca_issuer_name" != "cert-manager-tls-ca-issuer" ]]; then
-          echo "CA secret issuer annotation is incorrect: $ca_issuer_name"
-          exit 1
-      fi
-
-      retry 12 5 verify_secret_data cert-manager-tls-cluster-cert tls.crt tls.key ca.crt
-
-      cluster_secret_type=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-cluster-cert -o jsonpath='{.type}')
-      if [[ "$cluster_secret_type" != "kubernetes.io/tls" ]]; then
-          echo "Cluster TLS secret type is incorrect: $cluster_secret_type (expected kubernetes.io/tls)"
-          exit 1
-      fi
-
-      cluster_issuer_name=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-cluster-cert -o jsonpath='{.metadata.annotations.cert-manager\.io/issuer-name}')
-      if [[ "$cluster_issuer_name" != "cert-manager-tls-tls-issuer" ]]; then
-          echo "Cluster TLS secret issuer annotation is incorrect: $cluster_issuer_name"
-          exit 1
-      fi
-
-      retry 12 5 verify_secret_data cert-manager-tls-pgbouncer-frontend-tls tls.crt tls.key ca.crt
-
-      pgb_secret_type=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-pgbouncer-frontend-tls -o jsonpath='{.type}')
-      if [[ "$pgb_secret_type" != "kubernetes.io/tls" ]]; then
-          echo "PgBouncer TLS secret type is incorrect: $pgb_secret_type (expected kubernetes.io/tls)"
-          exit 1
-      fi
-
-      pgb_issuer_name=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-pgbouncer-frontend-tls -o jsonpath='{.metadata.annotations.cert-manager\.io/issuer-name}')
-      if [[ "$pgb_issuer_name" != "cert-manager-tls-tls-issuer" ]]; then
-          echo "PgBouncer TLS secret issuer annotation is incorrect: $pgb_issuer_name"
+      if [[ "$ssl_info" != *"on"* ]]; then
+          echo "SSL is not enabled on PostgreSQL with internal PKI"
           exit 1
       fi
 
-      retry 12 5 verify_secret_data cert-manager-tls-pgbackrest-client-tls tls.crt tls.key
+      repl_ssl_count=$(run_psql_local \
+        "SELECT count(*) FROM pg_stat_ssl s JOIN pg_stat_replication r ON s.pid = r.pid WHERE s.ssl = true;" \
+        "postgres:$(get_psql_user_pass cert-manager-tls-pguser-postgres)@cert-manager-tls-primary")
+      repl_ssl_count=$(echo "$repl_ssl_count" | tr -d '[:space:]')
 
-      pgbr_client_issuer=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-pgbackrest-client-tls -o jsonpath='{.metadata.annotations.cert-manager\.io/issuer-name}')
-      if [[ "$pgbr_client_issuer" != "cert-manager-tls-tls-issuer" ]]; then
-          echo "pgBackRest client TLS secret issuer annotation is incorrect: $pgbr_client_issuer"
+      if [[ "$repl_ssl_count" -lt 1 ]]; then
+          echo "No SSL replication connections found with internal PKI, got: $repl_ssl_count"
           exit 1
       fi
 
-      retry 12 5 verify_secret_data cert-manager-tls-pgbackrest-repo-tls tls.crt tls.key
-
-      pgbr_repo_issuer=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-pgbackrest-repo-tls -o jsonpath='{.metadata.annotations.cert-manager\.io/issuer-name}')
-      if [[ "$pgbr_repo_issuer" != "cert-manager-tls-tls-issuer" ]]; then
-          echo "pgBackRest repo TLS secret issuer annotation is incorrect: $pgbr_repo_issuer"
-          exit 1
-      fi
-
-      retry 12 5 verify_secret_data cert-manager-tls-pgbackrest pgbackrest.ca-roots pgbackrest-client.crt pgbackrest-client.key pgbackrest-repo-host.crt pgbackrest-repo-host.key
-
-      pgbr_client_cert_in_secret=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-pgbackrest -o jsonpath='{.data.pgbackrest-client\.crt}')
-      pgbr_client_cert_from_cm=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-pgbackrest-client-tls -o jsonpath='{.data.tls\.crt}')
-      if [[ "$pgbr_client_cert_in_secret" != "$pgbr_client_cert_from_cm" ]]; then
-          echo "pgBackRest main secret client cert does not match cert-manager-issued cert"
-          exit 1
-      fi
-
-      pgbr_repo_cert_in_secret=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-pgbackrest -o jsonpath='{.data.pgbackrest-repo-host\.crt}')
-      pgbr_repo_cert_from_cm=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-pgbackrest-repo-tls -o jsonpath='{.data.tls\.crt}')
-      if [[ "$pgbr_repo_cert_in_secret" != "$pgbr_repo_cert_from_cm" ]]; then
-          echo "pgBackRest main secret repo cert does not match cert-manager-issued cert"
-          exit 1
-      fi
-
-      retry 12 5 verify_secret_data cert-manager-tls-pgbouncer pgbouncer-frontend.crt pgbouncer-frontend.key pgbouncer-frontend.ca-roots
-
-      pgb_cert_in_secret=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-pgbouncer -o jsonpath='{.data.pgbouncer-frontend\.crt}')
-      pgb_cert_from_cm=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-pgbouncer-frontend-tls -o jsonpath='{.data.tls\.crt}')
-      if [[ "$pgb_cert_in_secret" != "$pgb_cert_from_cm" ]]; then
-          echo "pgBouncer main secret frontend cert does not match cert-manager-issued cert"
-          exit 1
-      fi
-
-      instance_sts=$(kubectl -n "$NAMESPACE" get sts -l postgres-operator.crunchydata.com/cluster=cert-manager-tls,postgres-operator.crunchydata.com/instance-set=instance1 -o jsonpath='{.items[*].metadata.name}')
-      for sts_name in $instance_sts; do
-          secret_name="${sts_name}-certs"
-
-          secret_type=$(kubectl -n "$NAMESPACE" get secret "$secret_name" -o jsonpath='{.type}')
-          if [[ "$secret_type" != "kubernetes.io/tls" ]]; then
-              echo "Instance secret $secret_name type is incorrect: $secret_type (expected kubernetes.io/tls)"
-              exit 1
-          fi
-
-          issuer_name=$(kubectl -n "$NAMESPACE" get secret "$secret_name" -o jsonpath='{.metadata.annotations.cert-manager\.io/issuer-name}')
-          if [[ "$issuer_name" != "cert-manager-tls-tls-issuer" ]]; then
-              echo "Instance secret $secret_name issuer annotation is incorrect: $issuer_name"
-              exit 1
-          fi
+      pg_cert_serial=$(run_comand_on_pod "openssl s_client -connect cert-manager-tls-primary:5432 -starttls postgres <<< '' 2>/dev/null | openssl x509 -noout -serial" | tr -d '[:space:]')
 
-          verify_secret_data "$secret_name" tls.crt tls.key dns.crt dns.key patroni.ca-roots patroni.crt-combined pgbackrest-server.crt pgbackrest-server.key
-          echo "Instance secret $secret_name is valid"
-      done
+      kubectl create configmap -n "${NAMESPACE}" internal-pki-cert-serial \
+        --from-literal=pg-serial="$pg_cert_serial"
+    timeout: 30

e2e-tests/tests/cert-manager-tls/04-write-data.yaml

@@ -13,4 +13,5 @@ commands:
 
       run_psql_local \
         '\c myapp \\\ INSERT INTO myApp (id) VALUES (100500)' \
-        "postgres:$(get_psql_user_pass cert-manager-tls-pguser-postgres)@$(get_psql_user_host cert-manager-tls-pguser-postgres)"
+        "postgres:$(get_psql_user_pass cert-manager-tls-pguser-postgres)@$(get_psql_user_host cert-manager-tls-pguser-postgres)"
+    timeout: 30

e2e-tests/tests/cert-manager-tls/05-deploy-cert-manager.yaml

@@ -0,0 +1,16 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |-
+      set -o errexit
+      set -o xtrace
+
+      source ../../functions
+
+      deploy_cert_manager
+      deploy_cmctl
+
+      kubectl -n "$NAMESPACE" delete pod -l postgres-operator.crunchydata.com/role=pgbouncer,postgres-operator.crunchydata.com/cluster=cert-manager-tls
+
+      wait_cluster_consistency cert-manager-tls
+    timeout: 120

e2e-tests/tests/cert-manager-tls/06-verify-internal-pki-preserved.yaml

@@ -0,0 +1,46 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |-
+      set -o errexit
+      set -o xtrace
+
+      source ../../functions
+
+      root_ca_annotation=$(kubectl -n "$NAMESPACE" get secret cert-manager-tls-cluster-cert \
+        -o jsonpath='{.metadata.annotations.cert-manager\.io/certificate-name}' 2>/dev/null || true)
+
+      if [[ -n "$root_ca_annotation" ]]; then
+          echo "FAIL: Root CA secret was taken over by cert-manager!"
+          exit 1
+      fi
+
+      cert_count=$(kubectl -n "$NAMESPACE" get certificate 2>/dev/null | grep -c cert-manager-tls || true)
+      if [[ "$cert_count" -gt 0 ]]; then
+          echo "FAIL: cert-manager Certificate resources were created for the existing cluster"
+          exit 1
+      fi
+
+      instance_sts=$(kubectl -n "$NAMESPACE" get sts \
+        -l postgres-operator.crunchydata.com/cluster=cert-manager-tls,postgres-operator.crunchydata.com/instance-set=instance1 \
+        -o jsonpath='{.items[*].metadata.name}')
+
+      for sts_name in $instance_sts; do
+          secret_name="${sts_name}-certs"
+
+          cm_annotation=$(kubectl -n "$NAMESPACE" get secret "$secret_name" \
+            -o jsonpath='{.metadata.annotations.cert-manager\.io/certificate-name}' 2>/dev/null || true)
+          if [[ -n "$cm_annotation" ]]; then
+              echo "FAIL: Instance secret $secret_name was taken over by cert-manager"
+              exit 1
+          fi
+      done
+
+      pg_cert_serial=$(run_comand_on_pod "openssl s_client -connect cert-manager-tls-primary:5432 -starttls postgres <<< '' 2>/dev/null | openssl x509 -noout -serial" | tr -d '[:space:]')
+      pg_cert_serial_before=$(kubectl -n "$NAMESPACE" get configmap internal-pki-cert-serial -o jsonpath='{.data.pg-serial}')
+
+      if [[ "$pg_cert_serial" != "$pg_cert_serial_before" ]]; then
+          echo "FAIL: PostgreSQL certificate changed after cert-manager installation!"
+          exit 1
+      fi
+    timeout: 60