Added cert renewal logic, enable/disable TCPs, creation of clusterIP service for ORDS/APEX installation

Signed-off-by: abhisbyk <[email protected]>

Author: abhisbyk

apis/database/v1alpha1/oraclerestdataservice_webhook.go

@@ -39,7 +39,6 @@
 package v1alpha1
 
 import (
-
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"

apis/database/v1alpha1/singleinstancedatabase_types.go

@@ -149,7 +149,9 @@ type SingleInstanceDatabaseStatus struct {
 	ApexInstalled    bool   `json:"apexInstalled,omitempty"`
 	PrebuiltDB       bool   `json:"prebuiltDB,omitempty"`
 	// +kubebuilder:default:=false
-	IsTcpsEnabled bool `json:"isTcpsEnabled"`
+	IsTcpsEnabled         bool   `json:"isTcpsEnabled"`
+	TcpsPort              int    `json:"tcpsPort,omitempty"`
+	CertCreationTimestamp string `json:"certCreationTimestamp,omitempty"`
 
 	// +patchMergeKey=type
 	// +patchStrategy=merge

commons/database/constants.go

@@ -38,6 +38,8 @@
 
 package commons
 
+const DEFAULT_LISTENER_PORT int32 = 1521
+
 const ORACLE_UID int64 = 54321
 
 const ORACLE_GUID int64 = 54321
@@ -318,12 +320,12 @@ const InitORDSCMD string = "if [ -f $ORDS_HOME/config/ords/defaults.xml ]; then
 	"\numask 022"
 
 const GetSessionInfoSQL string = "select s.sid || ',' || s.serial# as Info FROM v\\$session s, v\\$process p " +
-	"WHERE (s.username = 'ORDS_PUBLIC_USER' or "+
-	       "s.username = 'APEX_PUBLIC_USER' or "+
-		   "s.username = 'APEX_REST_PUBLIC_USER' or "+
-		   "s.username = 'APEX_LISTENER' or "+
-	       "s.username = 'C##_DBAPI_CDB_ADMIN' or "+
-		   "s.username = 'C##_DBAPI_PDB_ADMIN' ) AND p.addr(+) = s.paddr;"
+	"WHERE (s.username = 'ORDS_PUBLIC_USER' or " +
+	"s.username = 'APEX_PUBLIC_USER' or " +
+	"s.username = 'APEX_REST_PUBLIC_USER' or " +
+	"s.username = 'APEX_LISTENER' or " +
+	"s.username = 'C##_DBAPI_CDB_ADMIN' or " +
+	"s.username = 'C##_DBAPI_PDB_ADMIN' ) AND p.addr(+) = s.paddr;"
 
 const KillSessionSQL string = "alter system kill session '%[1]s';"
 
@@ -426,13 +428,12 @@ const ConfigureApexRest string = "if [ -f ${ORDS_HOME}/config/apex/apex_rest_con
 	"echo -e \"%[1]s\n%[1]s\" | %[2]s ; else echo \"Apex Folder doesn't exist\" ; fi ;"
 
 const AlterApexUsers string = "\nALTER SESSION SET CONTAINER=%[2]s;" +
-	"\n ALTER USER APEX_PUBLIC_USER IDENTIFIED BY \\\"%[1]s\\\" ACCOUNT UNLOCK; "+
+	"\n ALTER USER APEX_PUBLIC_USER IDENTIFIED BY \\\"%[1]s\\\" ACCOUNT UNLOCK; " +
 	"\n ALTER USER APEX_REST_PUBLIC_USER IDENTIFIED BY \\\"%[1]s\\\" ACCOUNT UNLOCK;" +
 	"\n ALTER USER APEX_LISTENER IDENTIFIED BY \\\"%[1]s\\\" ACCOUNT UNLOCK;" +
 	"\nexec APEX_UTIL.set_workspace(p_workspace => 'INTERNAL');" +
 	"\nexec APEX_UTIL.EDIT_USER(p_user_id => APEX_UTIL.GET_USER_ID('ADMIN'), p_user_name  => 'ADMIN', p_web_password => '%[1]s', p_new_password => '%[1]s');\n"
 
-
 const CopyApexImages string = " ( while true; do  sleep 60; echo \"Copying Apex Images...\" ; done ) & mkdir -p /opt/oracle/oradata/${ORACLE_SID^^}_ORDS/apex/images && " +
 	" cp -R /opt/oracle/oradata/${ORACLE_SID^^}/apex/images/* /opt/oracle/oradata/${ORACLE_SID^^}_ORDS/apex/images; chown -R oracle:oinstall /opt/oracle/oradata/${ORACLE_SID^^}_ORDS/apex; kill -9 $!;"
 
@@ -480,3 +481,12 @@ const SetApexUsers string = "\numask 177" +
 
 // Get Sid, Pdbname, Edition for prebuilt db
 const GetSidPdbEditionCMD string = "echo $ORACLE_SID,$ORACLE_PDB,$ORACLE_EDITION,Edition;"
+
+// Command to enable TCPS as a formatted string. The parameter would be the port at which TCPS is enabled.
+const EnableTcpsCMD string = "$ORACLE_BASE/$CONFIG_TCPS_FILE %d"
+
+// Command for TCPS certs renewal to prevent their expiry. It is same as the EnableTcpsCMD
+const RenewCertsCMD string = EnableTcpsCMD
+
+// Command to disable TCPS
+const DisableTcpsCMD string = "$ORACLE_BASE/$CONFIG_TCPS_FILE disable"

commons/database/utils.go

@@ -50,6 +50,7 @@ import (
 	"unicode"
 
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
@@ -673,3 +674,18 @@ func ApexPasswordValidator(pwd string) bool {
 
 	return hasMinLen && hasUpper && hasLower && hasNumber && hasSpecial
 }
+
+// Function for patching the K8s service with the payload.
+// Patch strategy used: Strategic Merge Patch
+func PatchService(config *rest.Config, namespace string, ctx context.Context, req ctrl.Request, svcName string, payload string) error {
+	log := ctrllog.FromContext(ctx).WithValues("patchService", req.NamespacedName)
+	client, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		log.Error(err, "config error")
+	}
+
+	// Trying to patch the service resource using Strategic Merge strategy
+	log.Info("Patching the service", "Service", svcName)
+	_, err = client.CoreV1().Services(namespace).Patch(ctx, svcName, types.StrategicMergePatchType, []byte(payload), metav1.PatchOptions{})
+	return err
+}

config/crd/bases/database.oracle.com_singleinstancedatabases.yaml

@@ -175,6 +175,8 @@ spec:
                 type: boolean
               archiveLog:
                 type: string
+              certCreationTimestamp:
+                type: string
               charset:
                 type: string
               cloneFrom:
@@ -283,6 +285,9 @@ spec:
                 type: integer
               initSgaSize:
                 type: integer
+              isTcpsEnabled:
+                default: false
+                type: boolean
               nodes:
                 items:
                   type: string
@@ -329,7 +334,10 @@ spec:
                 type: object
               status:
                 type: string
+              tcpsPort:
+                type: integer
             required:
+            - isTcpsEnabled
             - persistence
             type: object
         type: object