Support TLS patroni endpoints

Author: omertahaoztop

.gitignore

@@ -10,3 +10,7 @@ coverage.html
 plugins/
 common/health/pluginpb
 *.coverprofile
+# Cache dirs
+.cache/
+.gocache/
+.modcache/

pgsqlHealth/cluster.go

@@ -106,8 +106,8 @@ func checkPatroniService() {
 // getClusterStatus retrieves the cluster status from the Patroni API
 // and returns the current and previous cluster statuses
 func getClusterStatus(patroniApiUrl string) (*Response, *Response) { // Added parameter
-	client := &http.Client{Timeout: time.Second * 10}
-	clusterURL := "http://" + patroniApiUrl + "/cluster" // Use passed parameter
+	client := getPatroniHTTPClient()
+	clusterURL := strings.TrimSuffix(patroniApiUrl, "/") + "/cluster" // Use passed parameter
 
 	resp, err := client.Get(clusterURL)
 	if err != nil {

pgsqlHealth/connection.go

@@ -12,17 +12,36 @@
 package pgsqlHealth
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"database/sql"
 	"errors"
 	"fmt"
+	"net/http"
+	"net/url"
 	"os"
 	"strings"
+	"time"
 
 	_ "github.com/lib/pq"
 	"github.com/rs/zerolog/log"
 	"gopkg.in/yaml.v3"
 )
 
+var patroniHTTPClient *http.Client
+
+type patroniConf struct {
+	Name    string         `json:"name"`
+	Restapi patroniRestAPI `yaml:"restapi"`
+}
+
+type patroniRestAPI struct {
+	ConnectAddress string `yaml:"connect_address"`
+	CertFile       string `yaml:"certfile"`
+	KeyFile        string `yaml:"keyfile"`
+	CAFile         string `yaml:"cafile"`
+}
+
 // getPatroniUrl reads the Patroni configuration file and returns the REST API
 // connection address for the Patroni cluster
 func getPatroniUrl() (string, error) {
@@ -33,13 +52,6 @@ func getPatroniUrl() (string, error) {
 		return "", err
 	}
 
-	// Create a struct to hold the YAML data
-	type patroniConf struct {
-		Name    string `json:"name"`
-		Restapi struct {
-			ConnectAddress string `yaml:"connect_address"`
-		} `yaml:"restapi"`
-	}
 	var patroni patroniConf
 	// Unmarshal the YAML data into the struct
 	err = yaml.Unmarshal(data, &patroni)
@@ -49,7 +61,41 @@ func getPatroniUrl() (string, error) {
 	}
 	nodeName = patroni.Name
 
-	return patroni.Restapi.ConnectAddress, nil
+	connectAddress := strings.TrimSpace(patroni.Restapi.ConnectAddress)
+	if connectAddress == "" {
+		return "", errors.New("patroni restapi connect_address is empty")
+	}
+
+	tlsConfigured := patroni.Restapi.CertFile != "" || patroni.Restapi.KeyFile != "" || patroni.Restapi.CAFile != ""
+	hasScheme := strings.HasPrefix(connectAddress, "http://") || strings.HasPrefix(connectAddress, "https://")
+
+	if !hasScheme {
+		if tlsConfigured {
+			connectAddress = "https://" + connectAddress
+		} else {
+			connectAddress = "http://" + connectAddress
+		}
+	}
+
+	u, err := url.Parse(connectAddress)
+	if err != nil || u.Scheme == "" || u.Host == "" {
+		return "", fmt.Errorf("invalid patroni connect_address: %s", connectAddress)
+	}
+
+	// Keep only scheme://host[:port] portion to avoid double slashes when adding paths
+	baseURL := fmt.Sprintf("%s://%s", u.Scheme, u.Host)
+	if u.Path != "" && u.Path != "/" {
+		baseURL = fmt.Sprintf("%s%s", baseURL, strings.TrimSuffix(u.Path, "/"))
+	}
+
+	client, err := buildPatroniHTTPClient(patroni.Restapi, u.Hostname(), tlsConfigured)
+	if err != nil {
+		log.Error().Err(err).Str("component", "pgsqlHealth").Str("operation", "getPatroniUrl").Str("action", "build_patroni_http_client_failed").Msg("couldn't build patroni http client with provided certificates")
+		return "", err
+	}
+	patroniHTTPClient = client
+
+	return baseURL, nil
 }
 
 // Connect establishes a connection to the PostgreSQL database
@@ -127,3 +173,59 @@ func Connect() error {
 	Connection = db
 	return nil
 }
+
+func buildPatroniHTTPClient(restapi patroniRestAPI, serverName string, tlsConfigured bool) (*http.Client, error) {
+	if !tlsConfigured {
+		return &http.Client{Timeout: 10 * time.Second}, nil
+	}
+
+	tlsConfig := &tls.Config{
+		MinVersion: tls.VersionTLS12,
+	}
+
+	if serverName != "" {
+		tlsConfig.ServerName = serverName
+	}
+
+	if restapi.CAFile != "" {
+		caData, err := os.ReadFile(restapi.CAFile)
+		if err != nil {
+			return nil, fmt.Errorf("couldn't read patroni CA file: %w", err)
+		}
+
+		rootCAs, err := x509.SystemCertPool()
+		if err != nil || rootCAs == nil {
+			rootCAs = x509.NewCertPool()
+		}
+
+		if ok := rootCAs.AppendCertsFromPEM(caData); !ok {
+			return nil, fmt.Errorf("failed to append CA certificates from %s", restapi.CAFile)
+		}
+
+		tlsConfig.RootCAs = rootCAs
+	}
+
+	if restapi.CertFile != "" && restapi.KeyFile != "" {
+		clientCert, err := tls.LoadX509KeyPair(restapi.CertFile, restapi.KeyFile)
+		if err != nil {
+			return nil, fmt.Errorf("couldn't load patroni client certificate or key: %w", err)
+		}
+		tlsConfig.Certificates = []tls.Certificate{clientCert}
+	}
+
+	transport := &http.Transport{
+		TLSClientConfig: tlsConfig,
+	}
+
+	return &http.Client{
+		Timeout:   10 * time.Second,
+		Transport: transport,
+	}, nil
+}
+
+func getPatroniHTTPClient() *http.Client {
+	if patroniHTTPClient != nil {
+		return patroniHTTPClient
+	}
+	return &http.Client{Timeout: 10 * time.Second}
+}

pgsqlHealth/main.go

@@ -7,7 +7,6 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"net/http"
 	"os"
 	"os/exec"
 	"strings"
@@ -243,7 +242,8 @@ func Main(cmd *cobra.Command, args []string) {
 		}
 
 		// Get patroni role
-		patroniRole, err := http.Get("http://" + patroniApiUrl + "/patroni")
+		patroniClient := getPatroniHTTPClient()
+		patroniRole, err := patroniClient.Get(strings.TrimSuffix(patroniApiUrl, "/") + "/patroni")
 		if err != nil {
 			log.Error().Err(err).Str("component", "pgsqlHealth").Str("operation", "Main").Str("action", "get_patroni_role_failed").Msg("Error getting patroni role")
 		} else {