Merge branch 'AbhiK_tcps_support' into 'master'

Single Instance Database TCPS support

See merge request rac-docker-dev/oracle-database-operator!218

Author: yunus-qureshi

apis/database/v1alpha1/oraclerestdataservice_webhook.go

@@ -39,7 +39,6 @@
 package v1alpha1
 
 import (
-
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"

apis/database/v1alpha1/singleinstancedatabase_types.go

@@ -57,14 +57,17 @@ type SingleInstanceDatabaseSpec struct {
 	// +k8s:openapi-gen=true
 	// +kubebuilder:validation:Pattern=`^[a-zA-Z0-9]+$`
 	// +kubebuilder:validation:MaxLength:=12
-	Sid                string            `json:"sid,omitempty"`
-	Charset            string            `json:"charset,omitempty"`
-	Pdbname            string            `json:"pdbName,omitempty"`
-	LoadBalancer       bool              `json:"loadBalancer,omitempty"`
-	ServiceAnnotations map[string]string `json:"serviceAnnotations,omitempty"`
-	FlashBack          bool              `json:"flashBack,omitempty"`
-	ArchiveLog         bool              `json:"archiveLog,omitempty"`
-	ForceLogging       bool              `json:"forceLog,omitempty"`
+	Sid                   string            `json:"sid,omitempty"`
+	Charset               string            `json:"charset,omitempty"`
+	Pdbname               string            `json:"pdbName,omitempty"`
+	LoadBalancer          bool              `json:"loadBalancer,omitempty"`
+	ServicePort           int               `json:"servicePort,omitempty"`
+	ServiceAnnotations    map[string]string `json:"serviceAnnotations,omitempty"`
+	FlashBack             bool              `json:"flashBack,omitempty"`
+	ArchiveLog            bool              `json:"archiveLog,omitempty"`
+	ForceLogging          bool              `json:"forceLog,omitempty"`
+	EnableTCPS            bool              `json:"enableTCPS,omitempty"`
+	TcpsCertRenewInterval string            `json:"tcpsCertRenewInterval,omitempty"`
 
 	CloneFrom            string `json:"cloneFrom,omitempty"`
 	ReadinessCheckPeriod int    `json:"readinessCheckPeriod,omitempty"`
@@ -146,6 +149,10 @@ type SingleInstanceDatabaseStatus struct {
 	PdbConnectString string `json:"pdbConnectString,omitempty"`
 	ApexInstalled    bool   `json:"apexInstalled,omitempty"`
 	PrebuiltDB       bool   `json:"prebuiltDB,omitempty"`
+	// +kubebuilder:default:=false
+	IsTcpsEnabled         bool   `json:"isTcpsEnabled"`
+	CertCreationTimestamp string `json:"certCreationTimestamp,omitempty"`
+	CertRenewDuration     string `json:"certRenewDuration,omitempty"`
 
 	// +patchMergeKey=type
 	// +patchStrategy=merge

apis/database/v1alpha1/singleinstancedatabase_webhook.go

@@ -40,6 +40,7 @@ package v1alpha1
 
 import (
 	"strings"
+	"time"
 
 	dbcommons "github.com/oracle/oracle-database-operator/commons/database"
 
@@ -234,6 +235,32 @@ func (r *SingleInstanceDatabase) ValidateCreate() error {
 		}
 	}
 
+	// servicePort validation
+	if !r.Spec.LoadBalancer {
+		// NodePort service is expected. In this case servicePort should be in range 30000-32767
+		if r.Spec.ServicePort != 0 && (r.Spec.ServicePort < 30000 || r.Spec.ServicePort > 32767) {
+			allErrs = append(allErrs,
+				field.Invalid(field.NewPath("spec").Child("servicePort"), r.Spec.ServicePort,
+					"servicePort should be in 30000-32767 range."))
+		}
+	}
+
+	// Certificate Renew Duration Validation
+	if r.Spec.TcpsCertRenewInterval != "" {
+		duration, err := time.ParseDuration(r.Spec.TcpsCertRenewInterval)
+		if err != nil {
+			allErrs = append(allErrs,
+				field.Invalid(field.NewPath("spec").Child("tcpsCertRenewInterval"), r.Spec.TcpsCertRenewInterval,
+					"Please provide valid string to parse the tcpsCertRenewInterval."))
+		}
+		maxLimit, _ := time.ParseDuration("26280h")
+		minLimit, _ := time.ParseDuration("1m")
+		if duration > maxLimit || duration < minLimit {
+			allErrs = append(allErrs,
+				field.Invalid(field.NewPath("spec").Child("tcpsCertRenewInterval"), r.Spec.TcpsCertRenewInterval,
+					"Please specify tcpsCertRenewInterval in the range: 1m to 26280h"))
+		}
+	}
 	if len(allErrs) == 0 {
 		return nil
 	}

commons/database/constants.go

@@ -38,6 +38,10 @@
 
 package commons
 
+const CONTAINER_LISTENER_PORT int32 = 1521
+
+const CONTAINER_TCPS_PORT int32 = 1522
+
 const ORACLE_UID int64 = 54321
 
 const ORACLE_GUID int64 = 54321
@@ -318,12 +322,12 @@ const InitORDSCMD string = "if [ -f $ORDS_HOME/config/ords/defaults.xml ]; then
 	"\numask 022"
 
 const GetSessionInfoSQL string = "select s.sid || ',' || s.serial# as Info FROM v\\$session s, v\\$process p " +
-	"WHERE (s.username = 'ORDS_PUBLIC_USER' or "+
-	       "s.username = 'APEX_PUBLIC_USER' or "+
-		   "s.username = 'APEX_REST_PUBLIC_USER' or "+
-		   "s.username = 'APEX_LISTENER' or "+
-	       "s.username = 'C##_DBAPI_CDB_ADMIN' or "+
-		   "s.username = 'C##_DBAPI_PDB_ADMIN' ) AND p.addr(+) = s.paddr;"
+	"WHERE (s.username = 'ORDS_PUBLIC_USER' or " +
+	"s.username = 'APEX_PUBLIC_USER' or " +
+	"s.username = 'APEX_REST_PUBLIC_USER' or " +
+	"s.username = 'APEX_LISTENER' or " +
+	"s.username = 'C##_DBAPI_CDB_ADMIN' or " +
+	"s.username = 'C##_DBAPI_PDB_ADMIN' ) AND p.addr(+) = s.paddr;"
 
 const KillSessionSQL string = "alter system kill session '%[1]s';"
 
@@ -426,13 +430,12 @@ const ConfigureApexRest string = "if [ -f ${ORDS_HOME}/config/apex/apex_rest_con
 	"echo -e \"%[1]s\n%[1]s\" | %[2]s ; else echo \"Apex Folder doesn't exist\" ; fi ;"
 
 const AlterApexUsers string = "\nALTER SESSION SET CONTAINER=%[2]s;" +
-	"\n ALTER USER APEX_PUBLIC_USER IDENTIFIED BY \\\"%[1]s\\\" ACCOUNT UNLOCK; "+
+	"\n ALTER USER APEX_PUBLIC_USER IDENTIFIED BY \\\"%[1]s\\\" ACCOUNT UNLOCK; " +
 	"\n ALTER USER APEX_REST_PUBLIC_USER IDENTIFIED BY \\\"%[1]s\\\" ACCOUNT UNLOCK;" +
 	"\n ALTER USER APEX_LISTENER IDENTIFIED BY \\\"%[1]s\\\" ACCOUNT UNLOCK;" +
 	"\nexec APEX_UTIL.set_workspace(p_workspace => 'INTERNAL');" +
 	"\nexec APEX_UTIL.EDIT_USER(p_user_id => APEX_UTIL.GET_USER_ID('ADMIN'), p_user_name  => 'ADMIN', p_web_password => '%[1]s', p_new_password => '%[1]s');\n"
 
-
 const CopyApexImages string = " ( while true; do  sleep 60; echo \"Copying Apex Images...\" ; done ) & mkdir -p /opt/oracle/oradata/${ORACLE_SID^^}_ORDS/apex/images && " +
 	" cp -R /opt/oracle/oradata/${ORACLE_SID^^}/apex/images/* /opt/oracle/oradata/${ORACLE_SID^^}_ORDS/apex/images; chown -R oracle:oinstall /opt/oracle/oradata/${ORACLE_SID^^}_ORDS/apex; kill -9 $!;"
 
@@ -480,3 +483,15 @@ const SetApexUsers string = "\numask 177" +
 
 // Get Sid, Pdbname, Edition for prebuilt db
 const GetSidPdbEditionCMD string = "echo $ORACLE_SID,$ORACLE_PDB,$ORACLE_EDITION,Edition;"
+
+// Command to enable TCPS as a formatted string. The parameter would be the port at which TCPS is enabled.
+const EnableTcpsCMD string = "$ORACLE_BASE/$CONFIG_TCPS_FILE"
+
+// Command for TCPS certs renewal to prevent their expiry. It is same as the EnableTcpsCMD
+const RenewCertsCMD string = EnableTcpsCMD
+
+// Command to disable TCPS
+const DisableTcpsCMD string = "$ORACLE_BASE/$CONFIG_TCPS_FILE disable"
+
+// TCPS clientWallet update command
+const ClientWalletUpdate string = "sed -i -e 's/HOST.*$/HOST=%s)/g' -e 's/PORT.*$/PORT=%d)/g' ${ORACLE_BASE}/oradata/clientWallet/${ORACLE_SID}/tnsnames.ora"

commons/database/utils.go

@@ -50,6 +50,7 @@ import (
 	"unicode"
 
 	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
@@ -673,3 +674,18 @@ func ApexPasswordValidator(pwd string) bool {
 
 	return hasMinLen && hasUpper && hasLower && hasNumber && hasSpecial
 }
+
+// Function for patching the K8s service with the payload.
+// Patch strategy used: Strategic Merge Patch
+func PatchService(config *rest.Config, namespace string, ctx context.Context, req ctrl.Request, svcName string, payload string) error {
+	log := ctrllog.FromContext(ctx).WithValues("patchService", req.NamespacedName)
+	client, err := kubernetes.NewForConfig(config)
+	if err != nil {
+		log.Error(err, "config error")
+	}
+
+	// Trying to patch the service resource using Strategic Merge strategy
+	log.Info("Patching the service", "Service", svcName)
+	_, err = client.CoreV1().Services(namespace).Patch(ctx, svcName, types.StrategicMergePatchType, []byte(payload), metav1.PatchOptions{})
+	return err
+}

config/crd/bases/database.oracle.com_singleinstancedatabases.yaml

@@ -77,6 +77,8 @@ spec:
                 type: object
               archiveLog:
                 type: boolean
+              certRenewDuration:
+                type: string
               charset:
                 type: string
               cloneFrom:
@@ -87,6 +89,8 @@ spec:
                 - enterprise
                 - express
                 type: string
+              enableTCPS:
+                type: boolean
               flashBack:
                 type: boolean
               forceLog:
@@ -154,6 +158,8 @@ spec:
                 additionalProperties:
                   type: string
                 type: object
+              servicePort:
+                type: integer
               sid:
                 description: SID must be alphanumeric (no special characters, only
                   a-z, A-Z, 0-9), and no longer than 12 characters.
@@ -171,6 +177,10 @@ spec:
                 type: boolean
               archiveLog:
                 type: string
+              certCreationTimestamp:
+                type: string
+              certRenewDuration:
+                type: string
               charset:
                 type: string
               cloneFrom:
@@ -279,6 +289,9 @@ spec:
                 type: integer
               initSgaSize:
                 type: integer
+              isTcpsEnabled:
+                default: false
+                type: boolean
               nodes:
                 items:
                   type: string
@@ -326,6 +339,7 @@ spec:
               status:
                 type: string
             required:
+            - isTcpsEnabled
             - persistence
             type: object
         type: object

config/samples/sidb/singleinstancedatabase.yaml

@@ -44,6 +44,15 @@ spec:
   ## Enable/Disable ForceLogging
   forceLog: false
 
+  ## Enable TCPS
+  enableTCPS: false
+
+  ## TCPS Certificate Renewal Interval: The time after which TCPS certificate will be renewed if TCPS connections are enabled.
+  ## tcpsCertRenewInterval can be in hours(h), minutes(m) and seconds(s); e.g. 17520h, 8760h etc.
+  ## Maximum value is 26280h (3 years), Minimum value is 1m; Default value is 17520h (2 years)
+  ## If this field is commented out/removed from the yaml, it will disable the auto-renewal feature for TCPS certificate
+  tcpsCertRenewInterval: 17520h
+
   ## NA if cloning from a SourceDB (cloneFrom is set)
   ## Specify both sgaSize and pgaSize (in MB) or dont specify both
   ## Specify Non-Zero value to use
@@ -79,6 +88,11 @@ spec:
   ## Type of service . Applicable on cloud enviroments only
   ## if loadBalService : false, service type = "NodePort" else "LoadBalancer"
   loadBalancer: false
+  
+  ## If loadBalancer is enabled, the servicePort is the load balancer port number
+  ## If loadBalancer is disabled, the servicePort is the NodePort(should be in range 30000-32767)
+  #servicePort: 30001
+
   ## Service Annotations (Cloud provider specific), for configuring the service (e.g. private LoadBalancer service)
   #serviceAnnotations:
   #  service.beta.kubernetes.io/oci-load-balancer-internal: "true"

config/samples/sidb/singleinstancedatabase_tcps.yaml

@@ -0,0 +1,70 @@
+#
+# Copyright (c) 2022, Oracle and/or its affiliates.
+# Licensed under the Universal Permissive License v 1.0 as shown at http://oss.oracle.com/licenses/upl.
+#
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: db-admin-secret
+  namespace: default
+type: Opaque
+stringData:
+  # Specify your DB password here
+  oracle_pwd: 
+
+---
+
+apiVersion: database.oracle.com/v1alpha1
+kind: SingleInstanceDatabase
+metadata:
+  # Creates base sidb-sample. Use singleinstancedatabase_clone.yaml for cloning
+  #                           and singleinstancedatabase_patch.yaml for patching
+  name: sidb-sample
+  namespace: default
+spec:
+  
+  ## Use only alphanumeric characters for sid
+  sid: ORCL1
+
+  ## DB edition.
+  edition: enterprise
+
+  ## Secret containing SIDB password mapped to secretKey 
+  adminPassword:
+    secretName: db-admin-secret
+
+  ## DB character set
+  charset: AL32UTF8
+
+  ## PDB name
+  pdbName: orclpdb1
+
+  ## Enable/Disable ArchiveLog. Should be true to allow DB cloning
+  archiveLog: true
+
+  ## Enable TCPS
+  enableTCPS: true
+
+  ## TCPS Certificate Renewal Interval: The time after which TCPS certificate will be renewed if TCPS connections are enabled.
+  ## tcpsCertRenewInterval can be in hours(h), minutes(m) and seconds(s); e.g. 17520h, 8760h etc.
+  ## Maximum value is 26280h (3 years), Minimum value is 1m; Default value is 17520h (2 years)
+  ## If this field is commented out/removed from the yaml, it will disable the auto-renewal feature for TCPS certificate
+  tcpsCertRenewInterval: 17520h
+
+  ## Database image details
+  image:
+    pullFrom: container-registry.oracle.com/database/enterprise:latest
+    pullSecrets: oracle-container-registry-secret
+
+  ## size is the required minimum size of the persistent volume
+  ## storageClass is specified for automatic volume provisioning
+  ## accessMode can only accept one of ReadWriteOnce, ReadWriteMany
+  persistence:
+    size: 100Gi
+    ## oci-bv applies to OCI block volumes. Use "standard" storageClass for dynamic provisioning in Minikube. Update as appropriate for other cloud service providers
+    storageClass: "oci-bv"
+    accessMode: "ReadWriteOnce"
+
+  ## Count of Database Pods.
+  replicas: 1