Add Neo4j TLS (#220)

Signed-off-by: Fazle Rabbi Sarker <fazlerabbi@appscode.com>
Signed-off-by: souravbiswassanto <saurov@appscode.com>
Co-authored-by: souravbiswassanto <saurov@appscode.com>

Author: fr-sarker

go.mod

@@ -44,7 +44,7 @@ require (
 	k8s.io/klog/v2 v2.130.1
 	kmodules.xyz/client-go v0.34.2
 	kmodules.xyz/custom-resources v0.34.0
-	kubedb.dev/apimachinery v0.61.0-rc.0
+	kubedb.dev/apimachinery v0.61.0-rc.0.0.20260220081356-913319e2ecb3
 	sigs.k8s.io/controller-runtime v0.22.4
 	xorm.io/xorm v1.3.11
 )
@@ -71,10 +71,11 @@ require (
 )
 
 require (
-	filippo.io/edwards25519 v1.1.0 // indirect
+	filippo.io/edwards25519 v1.1.1 // indirect
 	github.com/ClickHouse/ch-go v0.69.0 // indirect
 	github.com/Masterminds/semver v1.5.0 // indirect
 	github.com/andybalholm/brotli v1.2.0 // indirect
+	github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 // indirect
 	github.com/asaskevich/govalidator v0.0.0-20230301143203-a9d515a09cc2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/blang/semver/v4 v4.0.0 // indirect
@@ -85,6 +86,7 @@ require (
 	github.com/cockroachdb/errors v1.9.1 // indirect
 	github.com/cockroachdb/logtags v0.0.0-20211118104740-dabe8e521a4f // indirect
 	github.com/cockroachdb/redact v1.1.3 // indirect
+	github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 // indirect
 	github.com/containerd/cgroups/v3 v3.0.3 // indirect
 	github.com/coreos/go-semver v0.3.1 // indirect
 	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
@@ -242,8 +244,10 @@ require (
 	golang.org/x/time v0.14.0 // indirect
 	golang.org/x/tools v0.40.0 // indirect
 	gomodules.xyz/clock v0.0.0-20200817085942-06523dba733f // indirect
+	gomodules.xyz/go-sh v0.2.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.5.0 // indirect
 	gomodules.xyz/mergo v0.3.13 // indirect
+	gomodules.xyz/restic v0.1.0 // indirect
 	gomodules.xyz/sync v0.1.0 // indirect
 	gomodules.xyz/wait v0.2.0 // indirect
 	gomodules.xyz/x v0.0.17 // indirect
@@ -269,7 +273,7 @@ require (
 	kubeops.dev/operator-shard-manager v0.0.5 // indirect
 	kubeops.dev/petset v0.0.15 // indirect
 	kubeops.dev/sidekick v0.0.12 // indirect
-	kubestash.dev/apimachinery v0.23.1-0.20260209084525-80db980e861f // indirect
+	kubestash.dev/apimachinery v0.24.0-rc.0 // indirect
 	open-cluster-management.io/api v1.1.1-0.20251222023835-510285203ee6 // indirect
 	sigs.k8s.io/gateway-api v1.4.0 // indirect
 	sigs.k8s.io/json v0.0.0-20250730193827-2d320260d730 // indirect

go.sum

@@ -1,6 +1,6 @@
 cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
-filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
-filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
+filippo.io/edwards25519 v1.1.1 h1:YpjwWWlNmGIDyXOn8zLzqiD+9TyIlPhGFG96P39uBpw=
+filippo.io/edwards25519 v1.1.1/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 gitea.com/xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a h1:lSA0F4e9A2NcQSqGqTOXqu2aRi/XEQxDCBwM8yJtE6s=
 gitea.com/xorm/sqlfiddle v0.0.0-20180821085327-62ce714f951a/go.mod h1:EXuID2Zs0pAQhH8yz+DNjUbjppKQzKFAn28TMYPB6IU=
 github.com/AndreasBriese/bbloom v0.0.0-20190306092124-e2d15f34fcf9/go.mod h1:bOvUY6CB00SOBii9/FifXqc0awNKxLFCL/+pkDPuyl8=
@@ -46,6 +46,8 @@ github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwTo
 github.com/andybalholm/brotli v1.2.0/go.mod h1:rzTDkvFWvIrjDXZHkuS16NPggd91W3kUSvPlQ1pLaKY=
 github.com/apache/thrift v0.14.1 h1:Yh8v0hpCj63p5edXOLaqTJW0IJ1p+eMW6+YSOqw1d6s=
 github.com/apache/thrift v0.14.1/go.mod h1:cp2SuWMxlEZw2r+iP2GNCdIi4C1qmUzdZFSVb+bacwQ=
+github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2 h1:7Ip0wMmLHLRJdrloDxZfhMm0xrLXZS8+COSu2bXmEQs=
+github.com/armon/circbuf v0.0.0-20190214190532-5111143e8da2/go.mod h1:3U/XgcO3hCbHZ8TKRvWD2dDTCfh9M9ya+I9JpbB7O8o=
 github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8=
 github.com/asaskevich/govalidator v0.0.0-20200907205600-7a23bdc65eef/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
 github.com/asaskevich/govalidator v0.0.0-20210307081110-f21760c49a8d/go.mod h1:WaHUgvxTVq04UNunO+XhnAqY/wQc+bxr74GqbsZ/Jqw=
@@ -101,6 +103,7 @@ github.com/cockroachdb/logtags v0.0.0-20211118104740-dabe8e521a4f h1:6jduT9Hfc0n
 github.com/cockroachdb/logtags v0.0.0-20211118104740-dabe8e521a4f/go.mod h1:Vz9DsVWQQhf3vs21MhPMZpMGSht7O/2vFW2xusFUVOs=
 github.com/cockroachdb/redact v1.1.3 h1:AKZds10rFSIj7qADf0g46UixK8NNLwWTNdCIGS5wfSQ=
 github.com/cockroachdb/redact v1.1.3/go.mod h1:BVNblN9mBWFyMyqK1k3AAiSxhvhfK2oOZZ2lK+dpvRg=
+github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0 h1:sDMmm+q/3+BukdIpxwO365v/Rbspp2Nt5XntgQRXq8Q=
 github.com/codegangsta/inject v0.0.0-20150114235600-33e0aa1cb7c0/go.mod h1:4Zcjuz89kmFXt9morQgcfYZAYZ5n8WHjt81YYWIwtTM=
 github.com/containerd/cgroups/v3 v3.0.3 h1:S5ByHZ/h9PMe5IOQoN7E+nMc2UcLEM/V48DGDJ9kip0=
 github.com/containerd/cgroups/v3 v3.0.3/go.mod h1:8HBe7V3aWGLFPd/k03swSIsGjZhHI2WzJmticMgVuz0=
@@ -1009,12 +1012,16 @@ golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/clock v0.0.0-20200817085942-06523dba733f h1:hTyhR4r+tj1Uq7/PpFxLTzbeA0LhMVp7bEYfhkzFjdY=
 gomodules.xyz/clock v0.0.0-20200817085942-06523dba733f/go.mod h1:K3m7N+nBOlf91/tpv8REUGwsAgaKFwElQCuiLhm12AQ=
+gomodules.xyz/go-sh v0.2.0 h1:DMQHTsnhrcFDFAIpuFq+ThGNvWjB/NYrsFZLv5RPcUs=
+gomodules.xyz/go-sh v0.2.0/go.mod h1:N8IrjNiYppUI/rxENYrWD6FOrSxSyEZnIekPEWM7LP0=
 gomodules.xyz/jsonpatch/v2 v2.5.0 h1:JELs8RLM12qJGXU4u/TO3V25KW8GreMKl9pdkk14RM0=
 gomodules.xyz/jsonpatch/v2 v2.5.0/go.mod h1:AH3dM2RI6uoBZxn3LVrfvJ3E0/9dG4cSrbuBJT4moAY=
 gomodules.xyz/mergo v0.3.13 h1:q6cL/MMXZH/MrR2+yjSihFFq6UifXqjwaqI48B6cMEM=
 gomodules.xyz/mergo v0.3.13/go.mod h1:F/2rKC7j0URTnHUKDiTiLcGdLMhdv8jK2Za3cRTUVmc=
 gomodules.xyz/pointer v0.1.0 h1:sG2UKrYVSo6E3r4itAjXfPfe4fuXMi0KdyTHpR3vGCg=
 gomodules.xyz/pointer v0.1.0/go.mod h1:sPLsC0+yLTRecUiC5yVlyvXhZ6LAGojNCRWNNqoplvo=
+gomodules.xyz/restic v0.1.0 h1:CWf2yxPqM6VeNj57ao1QSxrUDEjziv9ewl7YnKe3eB8=
+gomodules.xyz/restic v0.1.0/go.mod h1:Api8DksK5irIRJGjnxt7wSxsJ6AsSu3i97bQVRaQ5zs=
 gomodules.xyz/sync v0.1.0 h1:Y7vHOtMrqN9FojRwkCQdC17dKL1fVx+6xb7WdfnXX58=
 gomodules.xyz/sync v0.1.0/go.mod h1:kv570yCdknyiZ8Y94uaRFGBC5E47TV/5A7PD9jlnJoQ=
 gomodules.xyz/wait v0.2.0 h1:HnRIh+cvIrrKIFaXoYznCVVirv2/2xu3KzjSzsQmYAY=
@@ -1124,16 +1131,16 @@ kmodules.xyz/prober v0.34.0 h1:ElZkZYCjLaytAA0M8EH42To7i9gh1IIX+d0qfaIohys=
 kmodules.xyz/prober v0.34.0/go.mod h1:rsu/fxxfNxY70GDbH6Ju8G66459hi7AhWSSBoiIp8ic=
 kmodules.xyz/resource-metadata v0.42.1 h1:RxAi354cKOeCVLoZI+WjR+tooU4lEq/axIafm1SYa20=
 kmodules.xyz/resource-metadata v0.42.1/go.mod h1:xntcQko2QLbLEHwGE4TQ7I/80fcBQzcexbep97Akstk=
-kubedb.dev/apimachinery v0.61.0-rc.0 h1:jxmBu5wndg2hj2vFDLoYrdbat1fYApLV571tNsV1f6I=
-kubedb.dev/apimachinery v0.61.0-rc.0/go.mod h1:2zrZDkZyxlEcRaFqQlQLpXSwlDFoYgLQcCy4jY6vU6Q=
+kubedb.dev/apimachinery v0.61.0-rc.0.0.20260220081356-913319e2ecb3 h1:/N+z8e8QIDW6cCtpBe9MyYLTq36KePq0X3j7vqhnpTI=
+kubedb.dev/apimachinery v0.61.0-rc.0.0.20260220081356-913319e2ecb3/go.mod h1:zI/nWwbrBNEcB9pTGOJVG83BiOPbwXas4CsCWLzzX7Y=
 kubeops.dev/operator-shard-manager v0.0.5 h1:i7VnyUfIa9u3RQhSTVWNsooXcgmrWWxJyI9gJ10onE8=
 kubeops.dev/operator-shard-manager v0.0.5/go.mod h1:NE6GzlhwLRiwiUUpqi4Uf+J7e/gniITM0uJnE5r1mzY=
 kubeops.dev/petset v0.0.15 h1:iwTRFAp0RNw0A87sw2c97UZ6WIA9H/nhJBpDhXLa7fk=
 kubeops.dev/petset v0.0.15/go.mod h1:sw96WiXfzhpmKpXj4a5AdmEHs0Bx4QMhf+iW15zY4Gg=
 kubeops.dev/sidekick v0.0.12 h1:pmUjQLZDKxgREiM6z0PogLR1aDbgvkE9jRjbxG6dEt0=
 kubeops.dev/sidekick v0.0.12/go.mod h1:RU7QH3E8DOLw15rBYlOOJSyczuwAnVVtYyZjJb00UB8=
-kubestash.dev/apimachinery v0.23.1-0.20260209084525-80db980e861f h1:nti4U+hCA4VH4+Fc9D9/AEpw2/nHkUgyAhZrLkpfMfQ=
-kubestash.dev/apimachinery v0.23.1-0.20260209084525-80db980e861f/go.mod h1:zJEjHjd/nYcXFSW+RfGbLxZMJK41IOWjQGosoAWZDRg=
+kubestash.dev/apimachinery v0.24.0-rc.0 h1:JRVGCjDvJo0qEQLpuP6gNKmFEgBbp+e20qUsnhYNA+c=
+kubestash.dev/apimachinery v0.24.0-rc.0/go.mod h1:Y+/8u+3kPWBuaVchmUn4/AlaGW0nLUZh57JWwvNiDlE=
 lukechampine.com/uint128 v1.2.0 h1:mBi/5l91vocEN8otkC5bDLhi2KdCticRiwbdB0O+rjI=
 lukechampine.com/uint128 v1.2.0/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=
 modernc.org/cc/v3 v3.40.0 h1:P3g79IUS/93SYhtoeaHW+kRCIrYaxJ27MFPv+7kaTOw=

neo4j/kubedb_client_builder.go

@@ -18,12 +18,15 @@ package neo4j
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
 	"strings"
 	"time"
 
 	"kubedb.dev/apimachinery/apis/kubedb"
+	v1api "kubedb.dev/apimachinery/apis/kubedb/v1"
 	api "kubedb.dev/apimachinery/apis/kubedb/v1alpha2"
 	apiutils "kubedb.dev/apimachinery/pkg/utils"
 
@@ -34,6 +37,7 @@ import (
 	kerr "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/klog/v2"
+	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
@@ -53,6 +57,11 @@ func NewKubeDBClientBuilder(kc client.Client, db *api.Neo4j) *KubeDBClientBuilde
 	}
 }
 
+func (o *KubeDBClientBuilder) WithPodName(podName string) *KubeDBClientBuilder {
+	o.podName = podName
+	return o
+}
+
 func (o *KubeDBClientBuilder) WithContext(ctx context.Context) *KubeDBClientBuilder {
 	o.ctx = ctx
 	return o
@@ -64,32 +73,8 @@ func (o *KubeDBClientBuilder) WithLog(log logr.Logger) *KubeDBClientBuilder {
 }
 
 func (o *KubeDBClientBuilder) GetNeo4jClient() (*Client, error) {
-	// Guard against nil receiver or missing required fields to avoid nil deref
-	if o == nil {
-		return nil, fmt.Errorf("KubeDBClientBuilder is nil")
-	}
-	if o.db == nil {
-		return nil, fmt.Errorf("neo4j object is nil")
-	}
-	if o.kc == nil {
-		return nil, fmt.Errorf("kubernetes client is nil")
-	}
-	// Ensure context is non-nil
-	if o.ctx == nil {
-		o.ctx = context.TODO()
-	}
-	// Get domain and fallback to cluster.local if not found
-	domain := apiutils.FindDomain()
-	if domain == "" {
-		domain = "cluster.local"
-	}
-
 	// Construct URL - use default service if podName not provided
-	if o.podName != "" {
-		o.url = fmt.Sprintf("neo4j://%s.%s.%s.svc.%s:%d", o.podName, o.db.GoverningServiceName(), o.db.Namespace, domain, kubedb.Neo4jBoltPort)
-	} else {
-		o.url = fmt.Sprintf("neo4j://%s.%s.svc.%s:%d", o.db.ServiceName(), o.db.Namespace, domain, kubedb.Neo4jBoltPort)
-	}
+	o.url = o.buildConnectionURL()
 
 	klog.V(3).Infof("Attempting to connect to Neo4j at: %s", o.url)
 
@@ -128,13 +113,53 @@ func (o *KubeDBClientBuilder) GetNeo4jClient() (*Client, error) {
 		klog.Info("Security is disabled for Neo4j, no credentials will be used.")
 	}
 
+	tlsConfig := &tls.Config{}
+
+	if o.db.Spec.TLS != nil && o.db.Spec.TLS.Bolt.Mode != api.TLSModeDisabled {
+		certSecret := &core.Secret{}
+		err := o.kc.Get(o.ctx, types.NamespacedName{
+			Namespace: o.db.Namespace,
+			Name:      o.db.GetCertSecretName(api.Neo4jCertificateTypeClient),
+		}, certSecret)
+		if err != nil {
+			if kerr.IsNotFound(err) {
+				klog.Error(err, "Client certificate secret not found")
+				return nil, errors.New("client certificate secret is not found")
+			}
+			klog.Error(err, "Failed to get client certificate Secret")
+			return nil, err
+		}
+
+		// get tls cert, clientCA and rootCA for tls config
+		clientCA := x509.NewCertPool()
+		rootCA := x509.NewCertPool()
+
+		crt, err := tls.X509KeyPair(certSecret.Data[core.TLSCertKey], certSecret.Data[core.TLSPrivateKeyKey])
+		if err != nil {
+			klog.Error(err, "Failed to parse private key pair")
+			return nil, err
+		}
+		clientCA.AppendCertsFromPEM(certSecret.Data[v1api.TLSCACertFileName])
+		rootCA.AppendCertsFromPEM(certSecret.Data[v1api.TLSCACertFileName])
+		tlsConfig = &tls.Config{
+			Certificates: []tls.Certificate{crt},
+			ClientAuth:   tls.RequireAndVerifyClientCert,
+			ClientCAs:    clientCA,
+			RootCAs:      rootCA,
+			MaxVersion:   tls.VersionTLS13,
+		}
+	}
+
 	// Create driver and check for errors immediately
 	driver, err := neo4j.NewDriverWithContext(o.url, neo4j.BasicAuth(dbUser, dbPassword, ""), func(c *config.Config) {
 		c.SocketConnectTimeout = 60 * time.Second
 		c.ConnectionAcquisitionTimeout = 60 * time.Second
 		c.MaxTransactionRetryTime = 60 * time.Second
 		c.MaxConnectionLifetime = 30 * time.Minute
-		c.MaxConnectionPoolSize = 100
+		c.MaxConnectionPoolSize = 20
+		if o.db.Spec.TLS != nil {
+			c.TlsConfig = tlsConfig
+		}
 	})
 	if o.db.Spec.DisableSecurity {
 		driver, err = neo4j.NewDriverWithContext(o.url, neo4j.NoAuth())
@@ -152,7 +177,12 @@ func (o *KubeDBClientBuilder) GetNeo4jClient() (*Client, error) {
 		return nil, err
 	}
 
-	fmt.Println("Connection established.")
+	log := ctrl.Log.WithValues(api.ResourceSingularNeo4j, types.NamespacedName{
+		Namespace: o.db.Namespace,
+		Name:      o.db.OffshootName(),
+	})
+
+	log.V(2).Info("Connection established successfully to Neo4j at: %s", o.url)
 
 	return &Client{
 		DriverWithContext: driver,
@@ -163,3 +193,17 @@ func (c *Client) ExecuteQuery(ctx context.Context, query string, params map[stri
 	return neo4j.ExecuteQuery(ctx, c, query, params, neo4j.EagerResultTransformer,
 		neo4j.ExecuteQueryWithDatabase(dbName))
 }
+
+func (o *KubeDBClientBuilder) buildConnectionURL() string {
+	scheme := "neo4j"
+
+	if o.db.Spec.TLS != nil && o.db.Spec.TLS.Bolt.Mode != api.TLSModeDisabled {
+		scheme = "neo4j+s"
+	}
+
+	if o.podName != "" {
+		return fmt.Sprintf("%s://%s.%s.%s.svc.%s:%d", scheme, o.podName, o.db.OffshootName(), o.db.Namespace, apiutils.FindDomain(), kubedb.Neo4jBoltPort)
+	}
+
+	return fmt.Sprintf("%s://%s.%s.svc.%s:%d", scheme, o.db.ServiceName(), o.db.Namespace, apiutils.FindDomain(), kubedb.Neo4jBoltPort)
+}