Disabling the cert renewal logic if tcpsCertRenewInterval is not given in the yaml file, default 2 years

Signed-off-by: abhisbyk <[email protected]>

Author: abhisbyk

apis/database/v1alpha1/singleinstancedatabase_types.go

@@ -57,17 +57,17 @@ type SingleInstanceDatabaseSpec struct {
 	// +k8s:openapi-gen=true
 	// +kubebuilder:validation:Pattern=`^[a-zA-Z0-9]+$`
 	// +kubebuilder:validation:MaxLength:=12
-	Sid                string            `json:"sid,omitempty"`
-	Charset            string            `json:"charset,omitempty"`
-	Pdbname            string            `json:"pdbName,omitempty"`
-	LoadBalancer       bool              `json:"loadBalancer,omitempty"`
-	ServicePort        int               `json:"servicePort,omitempty"`
-	ServiceAnnotations map[string]string `json:"serviceAnnotations,omitempty"`
-	FlashBack          bool              `json:"flashBack,omitempty"`
-	ArchiveLog         bool              `json:"archiveLog,omitempty"`
-	ForceLogging       bool              `json:"forceLog,omitempty"`
-	EnableTCPS         bool              `json:"enableTCPS,omitempty"`
-	CertRenewDuration  string            `json:"certRenewDuration,omitempty"`
+	Sid                   string            `json:"sid,omitempty"`
+	Charset               string            `json:"charset,omitempty"`
+	Pdbname               string            `json:"pdbName,omitempty"`
+	LoadBalancer          bool              `json:"loadBalancer,omitempty"`
+	ServicePort           int               `json:"servicePort,omitempty"`
+	ServiceAnnotations    map[string]string `json:"serviceAnnotations,omitempty"`
+	FlashBack             bool              `json:"flashBack,omitempty"`
+	ArchiveLog            bool              `json:"archiveLog,omitempty"`
+	ForceLogging          bool              `json:"forceLog,omitempty"`
+	EnableTCPS            bool              `json:"enableTCPS,omitempty"`
+	TcpsCertRenewInterval string            `json:"tcpsCertRenewInterval,omitempty"`
 
 	CloneFrom            string `json:"cloneFrom,omitempty"`
 	ReadinessCheckPeriod int    `json:"readinessCheckPeriod,omitempty"`

apis/database/v1alpha1/singleinstancedatabase_webhook.go

@@ -246,25 +246,21 @@ func (r *SingleInstanceDatabase) ValidateCreate() error {
 	}
 
 	// Certificate Renew Duration Validation
-	if r.Spec.CertRenewDuration != "" {
-		duration, err := time.ParseDuration(r.Spec.CertRenewDuration)
+	if r.Spec.TcpsCertRenewInterval != "" {
+		duration, err := time.ParseDuration(r.Spec.TcpsCertRenewInterval)
 		if err != nil {
 			allErrs = append(allErrs,
-				field.Invalid(field.NewPath("spec").Child("certRenewDuration"), r.Spec.CertRenewDuration,
-					"Please provide valid string to parse the certRenewDuration."))
+				field.Invalid(field.NewPath("spec").Child("tcpsCertRenewInterval"), r.Spec.TcpsCertRenewInterval,
+					"Please provide valid string to parse the tcpsCertRenewInterval."))
 		}
 		maxLimit, _ := time.ParseDuration("26280h")
 		minLimit, _ := time.ParseDuration("1m")
 		if duration > maxLimit || duration < minLimit {
 			allErrs = append(allErrs,
-				field.Invalid(field.NewPath("spec").Child("certRenewDuration"), r.Spec.CertRenewDuration,
-					"Please specify certRenewDuration in the range: 1m to 26280h"))
+				field.Invalid(field.NewPath("spec").Child("tcpsCertRenewInterval"), r.Spec.TcpsCertRenewInterval,
+					"Please specify tcpsCertRenewInterval in the range: 1m to 26280h"))
 		}
-	} else {
-		// Setting the default value
-		r.Spec.CertRenewDuration = "26280h"
 	}
-
 	if len(allErrs) == 0 {
 		return nil
 	}

config/samples/sidb/singleinstancedatabase.yaml

@@ -47,9 +47,9 @@ spec:
   ## Enable TCPS
   enableTCPS: false
 
-  ## Certificate Renewal Duration: The time after which certificates will be renewed if TCPS connections are enabled; can be in hours(h), minutes(m) and seconds(s)
-  ## Maximum value is 26280h (3 years), Minimum value is 1m
-  #certRenewDuration: 26280h
+  ## TCPS Certificate Renewal Interval: The time after which TCPS certificate will be renewed if TCPS connections are enabled; can be in hours(h), minutes(m) and seconds(s)
+  ## Maximum value is 26280h (3 years), Minimum value is 1m; Default value is 17520h (2 years)
+  certRenewDuration: 17520h
 
   ## NA if cloning from a SourceDB (cloneFrom is set)
   ## Specify both sgaSize and pgaSize (in MB) or dont specify both

config/samples/sidb/singleinstancedatabase_tcps.yaml

@@ -0,0 +1,68 @@
+#
+# Copyright (c) 2022, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+#
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: db-admin-secret
+  namespace: default
+type: Opaque
+stringData:
+  # Specify your DB password here
+  oracle_pwd: 
+
+---
+
+apiVersion: database.oracle.com/v1alpha1
+kind: SingleInstanceDatabase
+metadata:
+  # Creates base sidb-sample. Use singleinstancedatabase_clone.yaml for cloning
+  #                           and singleinstancedatabase_patch.yaml for patching
+  name: sidb-sample
+  namespace: default
+spec:
+  
+  ## Use only alphanumeric characters for sid
+  sid: ORCL1
+
+  ## DB edition.
+  edition: enterprise
+
+  ## Secret containing SIDB password mapped to secretKey 
+  adminPassword:
+    secretName: db-admin-secret
+
+  ## DB character set
+  charset: AL32UTF8
+
+  ## PDB name
+  pdbName: orclpdb1
+
+  ## Enable/Disable ArchiveLog. Should be true to allow DB cloning
+  archiveLog: true
+
+  ## Enable TCPS
+  enableTCPS: true
+
+  ## TCPS Certificate Renewal Interval: The time after which TCPS certificate will be renewed if TCPS connections are enabled; can be in hours(h), minutes(m) and seconds(s)
+  ## Maximum value is 26280h (3 years), Minimum value is 1m; Default value is 17520h (2 years)
+  certRenewDuration: 17520h
+
+  ## Database image details
+  image:
+    pullFrom: container-registry.oracle.com/database/enterprise:latest
+    pullSecrets: oracle-container-registry-secret
+
+  ## size is the required minimum size of the persistent volume
+  ## storageClass is specified for automatic volume provisioning
+  ## accessMode can only accept one of ReadWriteOnce, ReadWriteMany
+  persistence:
+    size: 100Gi
+    ## oci-bv applies to OCI block volumes. Use "standard" storageClass for dynamic provisioning in Minikube. Update as appropriate for other cloud service providers
+    storageClass: "oci-bv"
+    accessMode: "ReadWriteOnce"
+
+  ## Count of Database Pods.
+  replicas: 1

controllers/database/singleinstancedatabase_controller.go

@@ -1841,7 +1841,7 @@ func (r *SingleInstanceDatabaseReconciler) configTcps(m *dbapi.SingleInstanceDat
 		eventMsg = "TCPS Enabled."
 		r.Recorder.Eventf(m, corev1.EventTypeNormal, eventReason, eventMsg)
 
-		requeueDuration, _ := time.ParseDuration(m.Spec.CertRenewDuration)
+		requeueDuration, _ := time.ParseDuration(m.Spec.TcpsCertRenewInterval)
 		requeueDuration += func() time.Duration { requeueDuration, _ := time.ParseDuration("1s"); return requeueDuration }()
 		futureRequeue = ctrl.Result{Requeue: true, RequeueAfter: requeueDuration}
 
@@ -1874,12 +1874,11 @@ func (r *SingleInstanceDatabaseReconciler) configTcps(m *dbapi.SingleInstanceDat
 		eventMsg = "TCPS Disabled."
 		r.Recorder.Eventf(m, corev1.EventTypeNormal, eventReason, eventMsg)
 
-	} else if m.Spec.EnableTCPS && m.Status.IsTcpsEnabled {
+	} else if m.Spec.EnableTCPS && m.Status.IsTcpsEnabled && m.Spec.TcpsCertRenewInterval != "" {
 		// Cert Renewal Logic
-		// Certificates are renewed when 10 days remain for certs expiry
 		certCreationTimestamp, _ := time.Parse(time.RFC3339, m.Status.CertCreationTimestamp)
 		duration := time.Since(certCreationTimestamp)
-		allowdDuration, _ := time.ParseDuration(m.Spec.CertRenewDuration)
+		allowdDuration, _ := time.ParseDuration(m.Spec.TcpsCertRenewInterval)
 		if duration > allowdDuration {
 			m.Status.Status = dbcommons.StatusUpdating
 			r.Status().Update(ctx, m)
@@ -1898,16 +1897,16 @@ func (r *SingleInstanceDatabaseReconciler) configTcps(m *dbapi.SingleInstanceDat
 			eventMsg := "TCPS Certificates Renewed at time %s,"
 			r.Recorder.Eventf(m, corev1.EventTypeNormal, eventReason, eventMsg, time.Now().Format(time.RFC3339))
 
-			requeueDuration, _ := time.ParseDuration(m.Spec.CertRenewDuration)
+			requeueDuration, _ := time.ParseDuration(m.Spec.TcpsCertRenewInterval)
 			requeueDuration += func() time.Duration { requeueDuration, _ := time.ParseDuration("1s"); return requeueDuration }()
 			futureRequeue = ctrl.Result{Requeue: true, RequeueAfter: requeueDuration}
 		}
-		if m.Status.CertRenewDuration != m.Spec.CertRenewDuration {
-			requeueDuration, _ := time.ParseDuration(m.Spec.CertRenewDuration)
+		if m.Status.CertRenewDuration != m.Spec.TcpsCertRenewInterval {
+			requeueDuration, _ := time.ParseDuration(m.Spec.TcpsCertRenewInterval)
 			requeueDuration += func() time.Duration { requeueDuration, _ := time.ParseDuration("1s"); return requeueDuration }()
 			futureRequeue = ctrl.Result{Requeue: true, RequeueAfter: requeueDuration}
 
-			m.Status.CertRenewDuration = m.Spec.CertRenewDuration
+			m.Status.CertRenewDuration = m.Spec.TcpsCertRenewInterval
 		}
 		// update clientWallet
 		err := r.updateClientWallet(m, readyPod, ctx, req)

docs/sidb/README.md

@@ -551,8 +551,8 @@ The following steps are required to connect the Database using TCPS:
   ```
 **NOTE:**
 - Only database server authentication is supported (no mTLS).
-- When TCPS is enabled, a self-signed certificate is generated and stored inside the wallets. For users' convenience, a client-side wallet is generated and stored at `/opt/oracle/oradata/clientWallet/$ORACLE_SID` location.
-- The self-signed certificate used with TCPS has validity for 3 years. After the certificate is expired, it will be renewed by the `OraOperator` automatically. You need to download the wallet again after the auto-renewal.
+- When TCPS is enabled, a self-signed certificate is generated and stored inside the wallets. For users' convenience, a client-side wallet is generated and stored at `/opt/oracle/oradata/clientWallet/$ORACLE_SID` location in the pod.
+- The self-signed certificate used with TCPS has validity for 2 years. After the certificate is expired, it will be renewed by the `OraOperator` automatically. You need to download the wallet again after the auto-renewal.
 
 ### Specifying Custom Ports
 As mentioned in the section [Setup Database with LoadBalancer](#setup-database-with-loadbalancer), there are two kubernetes services possible for the database: NodePort and LoadBalancer. You can specify which port to use with these services by editing the `servicePort` field of the [config/samples/sidb/singleinstancedatabase.yaml](../../config/samples/sidb/singleinstancedatabase.yaml) file.