Additional TCPS features

Author: Abhishek Kumar

apis/database/v1alpha1/singleinstancedatabase_types.go

@@ -61,7 +61,8 @@ type SingleInstanceDatabaseSpec struct {
 	Charset               string            `json:"charset,omitempty"`
 	Pdbname               string            `json:"pdbName,omitempty"`
 	LoadBalancer          bool              `json:"loadBalancer,omitempty"`
-	ServicePort           int               `json:"servicePort,omitempty"`
+	ListenerPort          int               `json:"listenerPort,omitempty"`
+	TcpsListenerPort      int               `json:"tcpsListenerPort,omitempty"`
 	ServiceAnnotations    map[string]string `json:"serviceAnnotations,omitempty"`
 	FlashBack             bool              `json:"flashBack,omitempty"`
 	ArchiveLog            bool              `json:"archiveLog,omitempty"`
@@ -131,28 +132,31 @@ type SingleInstanceDatabaseStatus struct {
 	DatafilesPatched     string            `json:"datafilesPatched,omitempty"`
 	ConnectString        string            `json:"connectString,omitempty"`
 	ClusterConnectString string            `json:"clusterConnectString,omitempty"`
+	TcpsConnectString    string            `json:"tcpsConnectString,omitempty"`
 	StandbyDatabases     map[string]string `json:"standbyDatabases,omitempty"`
 	// +kubebuilder:default:="false"
-	DatafilesCreated string `json:"datafilesCreated,omitempty"`
-	Sid              string `json:"sid,omitempty"`
-	Edition          string `json:"edition,omitempty"`
-	Charset          string `json:"charset,omitempty"`
-	Pdbname          string `json:"pdbName,omitempty"`
-	InitSgaSize      int    `json:"initSgaSize,omitempty"`
-	InitPgaSize      int    `json:"initPgaSize,omitempty"`
-	CloneFrom        string `json:"cloneFrom,omitempty"`
-	FlashBack        string `json:"flashBack,omitempty"`
-	ArchiveLog       string `json:"archiveLog,omitempty"`
-	ForceLogging     string `json:"forceLog,omitempty"`
-	OemExpressUrl    string `json:"oemExpressUrl,omitempty"`
-	OrdsReference    string `json:"ordsReference,omitempty"`
-	PdbConnectString string `json:"pdbConnectString,omitempty"`
-	ApexInstalled    bool   `json:"apexInstalled,omitempty"`
-	PrebuiltDB       bool   `json:"prebuiltDB,omitempty"`
+	DatafilesCreated     string `json:"datafilesCreated,omitempty"`
+	Sid                  string `json:"sid,omitempty"`
+	Edition              string `json:"edition,omitempty"`
+	Charset              string `json:"charset,omitempty"`
+	Pdbname              string `json:"pdbName,omitempty"`
+	InitSgaSize          int    `json:"initSgaSize,omitempty"`
+	InitPgaSize          int    `json:"initPgaSize,omitempty"`
+	CloneFrom            string `json:"cloneFrom,omitempty"`
+	FlashBack            string `json:"flashBack,omitempty"`
+	ArchiveLog           string `json:"archiveLog,omitempty"`
+	ForceLogging         string `json:"forceLog,omitempty"`
+	OemExpressUrl        string `json:"oemExpressUrl,omitempty"`
+	OrdsReference        string `json:"ordsReference,omitempty"`
+	PdbConnectString     string `json:"pdbConnectString,omitempty"`
+	TcpsPdbConnectString string `json:"tcpsPdbConnectString,omitempty"`
+	ApexInstalled        bool   `json:"apexInstalled,omitempty"`
+	PrebuiltDB           bool   `json:"prebuiltDB,omitempty"`
 	// +kubebuilder:default:=false
 	IsTcpsEnabled         bool   `json:"isTcpsEnabled"`
 	CertCreationTimestamp string `json:"certCreationTimestamp,omitempty"`
-	CertRenewDuration     string `json:"certRenewDuration,omitempty"`
+	CertRenewInterval     string `json:"certRenewInterval,omitempty"`
+	ClientWalletLoc       string `json:"clientWalletLoc,omitempty"`
 
 	// +patchMergeKey=type
 	// +patchStrategy=merge
@@ -172,6 +176,8 @@ type SingleInstanceDatabaseStatus struct {
 // +kubebuilder:printcolumn:JSONPath=".status.role",name="Role",type="string",priority=1
 // +kubebuilder:printcolumn:JSONPath=".status.releaseUpdate",name="Version",type="string"
 // +kubebuilder:printcolumn:JSONPath=".status.connectString",name="Connect Str",type="string"
+// +kubebuilder:printcolumn:JSONPath=".status.tcpsConnectString",name="TCPS Connect Str",type="string"
+// +kubebuilder:printcolumn:JSONPath=".status.tcpsPdbConnectString",name="TCPS Pdb Connect Str",type="string", priority=1
 // +kubebuilder:printcolumn:JSONPath=".status.pdbConnectString",name="Pdb Connect Str",type="string",priority=1
 // +kubebuilder:printcolumn:JSONPath=".status.oemExpressUrl",name="Oem Express Url",type="string"
 

apis/database/v1alpha1/singleinstancedatabase_webhook.go

@@ -235,14 +235,24 @@ func (r *SingleInstanceDatabase) ValidateCreate() error {
 		}
 	}
 
-	// servicePort validation
+	// servicePort and tcpServicePort validation
 	if !r.Spec.LoadBalancer {
 		// NodePort service is expected. In this case servicePort should be in range 30000-32767
-		if r.Spec.ServicePort != 0 && (r.Spec.ServicePort < 30000 || r.Spec.ServicePort > 32767) {
+		if r.Spec.ListenerPort != 0 && (r.Spec.ListenerPort < 30000 || r.Spec.ListenerPort > 32767) {
 			allErrs = append(allErrs,
-				field.Invalid(field.NewPath("spec").Child("servicePort"), r.Spec.ServicePort,
-					"servicePort should be in 30000-32767 range."))
+				field.Invalid(field.NewPath("spec").Child("listenerPort"), r.Spec.ListenerPort,
+					"listenerPort should be in 30000-32767 range."))
 		}
+		if r.Spec.TcpsListenerPort != 0 && (r.Spec.TcpsListenerPort < 30000 || r.Spec.TcpsListenerPort > 32767) {
+			allErrs = append(allErrs,
+				field.Invalid(field.NewPath("spec").Child("tcpsListenerPort"), r.Spec.TcpsListenerPort,
+					"tcpsListenerPort should be in 30000-32767 range."))
+		}
+	}
+	if r.Spec.ListenerPort != 0 && r.Spec.TcpsListenerPort != 0 && r.Spec.ListenerPort == r.Spec.TcpsListenerPort {
+		allErrs = append(allErrs,
+			field.Invalid(field.NewPath("spec").Child("tcpsListenerPort"), r.Spec.TcpsListenerPort,
+				"listenerPort and tcpsListenerPort can not be equal."))
 	}
 
 	// Certificate Renew Duration Validation

commons/database/constants.go

@@ -495,3 +495,6 @@ const DisableTcpsCMD string = "$ORACLE_BASE/$CONFIG_TCPS_FILE disable"
 
 // TCPS clientWallet update command
 const ClientWalletUpdate string = "sed -i -e 's/HOST.*$/HOST=%s)/g' -e 's/PORT.*$/PORT=%d)/g' ${ORACLE_BASE}/oradata/clientWallet/${ORACLE_SID}/tnsnames.ora"
+
+// TCPS clientWallet location
+const ClientWalletLocation string = "/opt/oracle/oradata/clientWallet/%s"

config/crd/bases/database.oracle.com_singleinstancedatabases.yaml

@@ -33,6 +33,13 @@ spec:
     - jsonPath: .status.connectString
       name: Connect Str
       type: string
+    - jsonPath: .status.tcpsConnectString
+      name: TCPS Connect Str
+      type: string
+    - jsonPath: .status.tcpsPdbConnectString
+      name: TCPS Pdb Connect Str
+      priority: 1
+      type: string
     - jsonPath: .status.pdbConnectString
       name: Pdb Connect Str
       priority: 1
@@ -77,8 +84,6 @@ spec:
                 type: object
               archiveLog:
                 type: boolean
-              certRenewDuration:
-                type: string
               charset:
                 type: string
               cloneFrom:
@@ -122,6 +127,8 @@ spec:
                   sgaTarget:
                     type: integer
                 type: object
+              listenerPort:
+                type: integer
               loadBalancer:
                 type: boolean
               nodeSelector:
@@ -158,14 +165,16 @@ spec:
                 additionalProperties:
                   type: string
                 type: object
-              servicePort:
-                type: integer
               sid:
                 description: SID must be alphanumeric (no special characters, only
                   a-z, A-Z, 0-9), and no longer than 12 characters.
                 maxLength: 12
                 pattern: ^[a-zA-Z0-9]+$
                 type: string
+              tcpsCertRenewInterval:
+                type: string
+              tcpsListenerPort:
+                type: integer
             required:
             - image
             type: object
@@ -179,10 +188,12 @@ spec:
                 type: string
               certCreationTimestamp:
                 type: string
-              certRenewDuration:
+              certRenewInterval:
                 type: string
               charset:
                 type: string
+              clientWalletLoc:
+                type: string
               cloneFrom:
                 type: string
               clusterConnectString:
@@ -338,6 +349,10 @@ spec:
                 type: object
               status:
                 type: string
+              tcpsConnectString:
+                type: string
+              tcpsPdbConnectString:
+                type: string
             required:
             - isTcpsEnabled
             - persistence

config/samples/sidb/singleinstancedatabase.yaml

@@ -89,9 +89,13 @@ spec:
   ## if loadBalService : false, service type = "NodePort" else "LoadBalancer"
   loadBalancer: false
 
-  ## If loadBalancer is enabled, the servicePort is the load balancer port number
-  ## If loadBalancer is disabled, the servicePort is the NodePort(should be in range 30000-32767)
-  #servicePort: 30001
+  ## 'listenerPort' and 'tcpsListenerPort' fields customizes port cofigurations for normal and tcps database listeners
+  ## 'tcpsListenerPort' will come in effect only when 'enableTCPS' field is set
+  ## If loadBalancer is enabled, the listenerPort, tcpsListenerPort will be the load balancer ports
+  ## If loadBalancer is disabled, the listenerPort, tcpsListenerPort will be the node ports(should be in range 30000-32767)
+  ## If enableTCPS is set, and listenerPort is commented/not mentioned in the YAML file, only TCPS endpoint will be exposed
+  #listenerPort: 30001
+  #tcpsListenerPort: 30002
 
   ## Service Annotations (Cloud provider specific), for configuring the service (e.g. private LoadBalancer service)
   #serviceAnnotations:

controllers/database/oraclerestdataservice_controller.go

@@ -582,7 +582,7 @@ func (r *OracleRestDataServiceReconciler) instantiatePodSpec(m *dbapi.OracleRest
 				{
 					Name:    "init-permissions",
 					Image:   m.Spec.Image.PullFrom,
-					Command: []string{"/bin/sh", "-c", fmt.Sprintf("chown %d:%d /opt/oracle/ords/config/ords", int(dbcommons.ORACLE_UID), int(dbcommons.DBA_GUID))},
+					Command: []string{"/bin/sh", "-c", fmt.Sprintf("chown %d:%d /opt/oracle/ords/config/ords || true", int(dbcommons.ORACLE_UID), int(dbcommons.DBA_GUID))},
 					SecurityContext: &corev1.SecurityContext{
 						// User ID 0 means, root user
 						RunAsUser: func() *int64 { i := int64(0); return &i }(),
@@ -728,6 +728,7 @@ func (r *OracleRestDataServiceReconciler) instantiatePodSpec(m *dbapi.OracleRest
 			SecurityContext: &corev1.PodSecurityContext{
 				RunAsUser:  func() *int64 { i := int64(dbcommons.ORACLE_UID); return &i }(),
 				RunAsGroup: func() *int64 { i := int64(dbcommons.DBA_GUID); return &i }(),
+				FSGroup:    func() *int64 { i := int64(dbcommons.DBA_GUID); return &i }(),
 			},
 
 			ImagePullSecrets: []corev1.LocalObjectReference{