Merge branch 'AbhiK_tcps_bugfix4' into 'master'

TCPS connections bugfixes

See merge request rac-docker-dev/oracle-database-operator!227

Author: yunus-qureshi

apis/database/v1alpha1/singleinstancedatabase_webhook.go

@@ -250,10 +250,10 @@ func (r *SingleInstanceDatabase) ValidateCreate() error {
 		}
 	} else {
 		// LoadBalancer Service is expected.
-		if r.Spec.EnableTCPS && r.Spec.TcpsListenerPort == 0 && r.Spec.ListenerPort == 1522 {
+		if r.Spec.EnableTCPS && r.Spec.TcpsListenerPort == 0 && r.Spec.ListenerPort == int(dbcommons.CONTAINER_TCPS_PORT) {
 			allErrs = append(allErrs,
 				field.Invalid(field.NewPath("spec").Child("listenerPort"), r.Spec.ListenerPort,
-					"listenerPort can not be 1522 as the default port for tcpsListenerPort is 1522."))
+					"listenerPort can not be 2484 as the default port for tcpsListenerPort is 2484."))
 		}
 	}
 	if r.Spec.EnableTCPS && r.Spec.ListenerPort != 0 && r.Spec.TcpsListenerPort != 0 && r.Spec.ListenerPort == r.Spec.TcpsListenerPort {
@@ -271,11 +271,11 @@ func (r *SingleInstanceDatabase) ValidateCreate() error {
 					"Please provide valid string to parse the tcpsCertRenewInterval."))
 		}
 		maxLimit, _ := time.ParseDuration("26280h")
-		minLimit, _ := time.ParseDuration("5m")
+		minLimit, _ := time.ParseDuration("24h")
 		if duration > maxLimit || duration < minLimit {
 			allErrs = append(allErrs,
 				field.Invalid(field.NewPath("spec").Child("tcpsCertRenewInterval"), r.Spec.TcpsCertRenewInterval,
-					"Please specify tcpsCertRenewInterval in the range: 5m to 26280h"))
+					"Please specify tcpsCertRenewInterval in the range: 24h to 26280h"))
 		}
 	}
 	if len(allErrs) == 0 {

commons/database/constants.go

@@ -40,7 +40,7 @@ package commons
 
 const CONTAINER_LISTENER_PORT int32 = 1521
 
-const CONTAINER_TCPS_PORT int32 = 1522
+const CONTAINER_TCPS_PORT int32 = 2484
 
 const ORACLE_UID int64 = 54321
 
@@ -513,7 +513,7 @@ const LsnrPort string = "\"name\": \"listener\", \"protocol\": \"TCP\", \"port\"
 const LsnrNodePort string = "\"name\": \"listener\", \"protocol\": \"TCP\", \"port\": 1521, \"nodePort\": %d"
 
 // Payload section for TCPS port
-const TcpsPort string = "\"name\": \"listener-tcps\", \"protocol\": \"TCP\", \"port\": %d, \"targetPort\": 1522"
+const TcpsPort string = "\"name\": \"listener-tcps\", \"protocol\": \"TCP\", \"port\": %d, \"targetPort\": 2484"
 
 // Payload section for TCPS node port
-const TcpsNodePort string = "\"name\": \"listener-tcps\", \"protocol\": \"TCP\", \"port\": 1522, \"nodePort\": %d"
+const TcpsNodePort string = "\"name\": \"listener-tcps\", \"protocol\": \"TCP\", \"port\": 2484, \"nodePort\": %d"

config/samples/sidb/singleinstancedatabase.yaml

@@ -49,7 +49,7 @@ spec:
 
   ## TCPS Certificate Renewal Interval: The time after which TCPS certificate will be renewed if TCPS connections are enabled.
   ## tcpsCertRenewInterval can be in hours(h), minutes(m) and seconds(s); e.g. 17520h, 8760h etc.
-  ## Maximum value is 26280h (3 years), Minimum value is 5m; Default value is 17520h (2 years)
+  ## Maximum value is 26280h (3 years), Minimum value is 24h; Default value is 17520h (2 years)
   ## If this field is commented out/removed from the yaml, it will disable the auto-renewal feature for TCPS certificate
   tcpsCertRenewInterval: 17520h
 

config/samples/sidb/singleinstancedatabase_tcps.yaml

@@ -36,7 +36,7 @@ spec:
 
   ## TCPS Certificate Renewal Interval: The time after which TCPS certificate will be renewed if TCPS connections are enabled.
   ## tcpsCertRenewInterval can be in hours(h), minutes(m) and seconds(s); e.g. 17520h, 8760h etc.
-  ## Maximum value is 26280h (3 years), Minimum value is 5m; Default value is 17520h (2 years)
+  ## Maximum value is 26280h (3 years), Minimum value is 24h; Default value is 17520h (2 years)
   ## If this field is commented out/removed from the yaml, it will disable the auto-renewal feature for TCPS certificate
   tcpsCertRenewInterval: 17520h
 

docs/sidb/README.md

@@ -520,14 +520,6 @@ Alternatively, you can use the following command:
 ```bash
 kubectl patch --type=merge singleinstancedatabases.database.oracle.com sidb-sample -p '{"spec": {"enableTCPS": true}}'
 ```
-
-When TCPS connections are enabled, a Kubernetes event is published notifying the same. This event can be seen by any one of the following commands:
-```bash
-kubectl describe singleinstancedatabases.database.oracle.com sidb-sample
-
-kubectl get events
-```
-
 Once TCPS connections are enabled, the database connect string will change accordingly. The TCPS connections status can also be queried by the following command:
 ```bash
 kubectl get singleinstancedatabase sidb-sample -o "jsonpath={.status.isTcpsEnabled}"
@@ -548,26 +540,22 @@ The following steps are required to connect the Database using TCPS:
   ```bash
   sqlplus sys@ORCL1 as sysdba
   ```
-- Alternatively, you can use the following SQL\*Plus command to connect using TCPS without setting TNS_ADMIN environment variable:
-  ```bash
-  sqlplus sys@tcps://<TCPS Connect String>?wallet_location=<Downloaded Wallet Directory>
-  ```
-  Here, TCPS connect string can be found by using the following command:
-  ```bash
-  kubectl get singleinstancedatabase sidb-sample -o "jsonpath={.status.TcpsConnectString}"
-  ```
 **NOTE:**
 - Only database server authentication is supported (no mTLS).
 - When TCPS is enabled, a self-signed certificate is generated and stored inside the wallets. For users' convenience, a client-side wallet is generated and stored at `/opt/oracle/oradata/clientWallet/$ORACLE_SID` location in the pod.
 - The self-signed certificate used with TCPS has validity for 2 years. After the certificate is expired, it will be renewed by the `OraOperator` automatically. You need to download the wallet again after the auto-renewal.
-- You can set the certificate renew interval with the help of `tcpsCertRenewInterval` field in the **[config/samples/sidb/singleinstancedatabase.yaml](../../config/samples/sidb/singleinstancedatabase.yaml)** file. The minimum accepted value is 5m, and the maximum value is 26280h (3 years). The certificates used with TCPS will automatically be renewed after this interval. If this field is omitted/commented in the yaml file, the certificates will not be renewed automatically.
+- You can set the certificate renew interval with the help of `tcpsCertRenewInterval` field in the **[config/samples/sidb/singleinstancedatabase.yaml](../../config/samples/sidb/singleinstancedatabase.yaml)** file. The minimum accepted value is 24h, and the maximum value is 26280h (3 years). The certificates used with TCPS will automatically be renewed after this interval. If this field is omitted/commented in the yaml file, the certificates will not be renewed automatically.
+- When the certificate gets created/renewed, the `.status.certCreationTimestamp` status variable gets updated accordingly. You can see this timestamp by using the following command:
+  ```bash
+  kubectl get singleinstancedatabase sidb-sample  -o "jsonpath={.status.certCreationTimestamp}"
+  ```
 
 ### Specifying Custom Ports
 As mentioned in the section [Setup Database with LoadBalancer](#setup-database-with-loadbalancer), there are two kubernetes services possible for the database: NodePort and LoadBalancer. You can specify which port to use with these services by editing the `listenerPort` and `tcpsListenerPort` fields of the [config/samples/sidb/singleinstancedatabase.yaml](../../config/samples/sidb/singleinstancedatabase.yaml) file.
 
 `listenerPort` is intended for normal database connections. Similarly, `tcpsListenerPort` is intended for TCPS database connections.
 
-If the `LoadBalancer` is enabled, the `listenerPort`, and `tcpsListenerPort` will be the opened ports on the Load Balancer for normal and TCPS database connections respectively.
+If the `LoadBalancer` is enabled, the `listenerPort`, and `tcpsListenerPort` will be the opened ports on the Load Balancer for normal and TCPS database connections respectively. The default values of `listenerPort` and `tcpsListenerPort` are 1521 and 2484 respectively when the `LoadBalancer` is enabled. 
 
 In case of `NodePort` service, `listenerPort`, and `tcpsListenerPort` will be the opened ports on the Kubernetes nodes for for normal and TCPS database connections respectively. In this case, the allowed range for the `listenerPort`, and `tcpsListenerPort` is 30000-32767.