[SECURESIGN-3170] Support PostgreSQL as an optional backend database for Trillian

api/v1alpha1/trillian_types.go

@@ -60,12 +60,17 @@ type TrillianDB struct {
 	//+kubebuilder:default:=true
 	//+kubebuilder:validation:XValidation:rule=(self == oldSelf),message=Field is immutable
 	Create *bool `json:"create"`
+	// Whether to use PostgreSQL instead of MySQL/MariaDB
+	// If false (default), MySQL/MariaDB is expected.
+	//+kubebuilder:default:=false
+	//+optional
+	UsePostgreSQL bool `json:"usePostgreSQL"`
 	// Secret with values to be used to connect to an existing DB or to be used with the creation of a new DB
-	// mysql-host: The host of the MySQL server
-	// mysql-port: The port of the MySQL server
-	// mysql-user: The user to connect to the MySQL server
-	// mysql-password: The password to connect to the MySQL server
-	// mysql-database: The database to connect to
+	// db-host: The host of the MySQL/PostgreSQL server
+	// db-port: The port of the MySQL/PostgreSQL server
+	// db-user: The user to connect to the MySQL/PostgreSQL server
+	// db-password: The password to connect to the MySQL/PostgreSQL server
+	// db-name: The database to connect to
 	//+optional
 	DatabaseSecretRef *LocalObjectReference `json:"databaseSecretRef,omitempty"`
 	// PVC configuration

config/crd/bases/rhtas.redhat.com_securesigns.yaml

@@ -5363,11 +5363,11 @@ spec:
                       databaseSecretRef:
                         description: |-
                           Secret with values to be used to connect to an existing DB or to be used with the creation of a new DB
-                          mysql-host: The host of the MySQL server
-                          mysql-port: The port of the MySQL server
-                          mysql-user: The user to connect to the MySQL server
-                          mysql-password: The password to connect to the MySQL server
-                          mysql-database: The database to connect to
+                          db-host: The host of the MySQL/PostgreSQL server
+                          db-port: The port of the MySQL/PostgreSQL server
+                          db-user: The user to connect to the MySQL/PostgreSQL server
+                          db-password: The password to connect to the MySQL/PostgreSQL server
+                          db-name: The database to connect to
                         properties:
                           name:
                             description: |-
@@ -5483,6 +5483,12 @@ spec:
                         x-kubernetes-validations:
                         - message: privateKeyRef cannot be empty
                           rule: (!has(self.certificateRef) || has(self.privateKeyRef))
+                      usePostgreSQL:
+                        default: false
+                        description: |-
+                          Whether to use PostgreSQL instead of MySQL/MariaDB
+                          If false (default), MySQL/MariaDB is expected.
+                        type: boolean
                     required:
                     - create
                     type: object

config/crd/bases/rhtas.redhat.com_trillians.yaml

@@ -65,11 +65,11 @@ spec:
                   databaseSecretRef:
                     description: |-
                       Secret with values to be used to connect to an existing DB or to be used with the creation of a new DB
-                      mysql-host: The host of the MySQL server
-                      mysql-port: The port of the MySQL server
-                      mysql-user: The user to connect to the MySQL server
-                      mysql-password: The password to connect to the MySQL server
-                      mysql-database: The database to connect to
+                      db-host: The host of the MySQL/PostgreSQL server
+                      db-port: The port of the MySQL/PostgreSQL server
+                      db-user: The user to connect to the MySQL/PostgreSQL server
+                      db-password: The password to connect to the MySQL/PostgreSQL server
+                      db-name: The database to connect to
                     properties:
                       name:
                         description: |-
@@ -183,6 +183,12 @@ spec:
                     x-kubernetes-validations:
                     - message: privateKeyRef cannot be empty
                       rule: (!has(self.certificateRef) || has(self.privateKeyRef))
+                  usePostgreSQL:
+                    default: false
+                    description: |-
+                      Whether to use PostgreSQL instead of MySQL/MariaDB
+                      If false (default), MySQL/MariaDB is expected.
+                    type: boolean
                 required:
                 - create
                 type: object
@@ -2442,11 +2448,11 @@ spec:
                   databaseSecretRef:
                     description: |-
                       Secret with values to be used to connect to an existing DB or to be used with the creation of a new DB
-                      mysql-host: The host of the MySQL server
-                      mysql-port: The port of the MySQL server
-                      mysql-user: The user to connect to the MySQL server
-                      mysql-password: The password to connect to the MySQL server
-                      mysql-database: The database to connect to
+                      db-host: The host of the MySQL/PostgreSQL server
+                      db-port: The port of the MySQL/PostgreSQL server
+                      db-user: The user to connect to the MySQL/PostgreSQL server
+                      db-password: The password to connect to the MySQL/PostgreSQL server
+                      db-name: The database to connect to
                     properties:
                       name:
                         description: |-
@@ -2560,6 +2566,12 @@ spec:
                     x-kubernetes-validations:
                     - message: privateKeyRef cannot be empty
                       rule: (!has(self.certificateRef) || has(self.privateKeyRef))
+                  usePostgreSQL:
+                    default: false
+                    description: |-
+                      Whether to use PostgreSQL instead of MySQL/MariaDB
+                      If false (default), MySQL/MariaDB is expected.
+                    type: boolean
                 required:
                 - create
                 type: object

config/default/images.env

@@ -1,5 +1,5 @@
-RELATED_IMAGE_TRILLIAN_LOG_SIGNER=registry.redhat.io/rhtas/trillian-logsigner-rhel9@sha256:358d52e57faf07d7876f53902496e6926c39a9ac1f52a3b7dc1fab0d9d6d97c0
-RELATED_IMAGE_TRILLIAN_LOG_SERVER=registry.redhat.io/rhtas/trillian-logserver-rhel9@sha256:9ecb8cbb0e1a1d3043a377992ad1795f01ae7491b04ea8e9914263361fc9d51c
+RELATED_IMAGE_TRILLIAN_LOG_SIGNER=registry.redhat.io/rhtas/trillian-logsigner-rhel9@sha256:7aee902e70f430f7502b99efc2b7bea8786879e9842d1b4d8d24795f7ff4a143
+RELATED_IMAGE_TRILLIAN_LOG_SERVER=registry.redhat.io/rhtas/trillian-logserver-rhel9@sha256:729f2fc77d37d1c45811daddbd1bddd2e5ccf4b9598489a5f728727f84bc2ef7
 RELATED_IMAGE_TRILLIAN_DB=registry.redhat.io/rhtas/trillian-database-rhel9@sha256:1295d965ba4f2415742e5b1f858abcac8b03d45708051bc51f28a0e70ce1d417
 RELATED_IMAGE_TRILLIAN_NETCAT=registry.redhat.io/openshift4/ose-tools-rhel9@sha256:47eec19e875c3db11a31ccf4c199ef52cf0d2df3b7c424868f55f9e0d0dd43df
 RELATED_IMAGE_CREATETREE=registry.redhat.io/rhtas/createtree-rhel9@sha256:bcfc0d077428a5587c8f0cbb4e066684db1bceab06476ffcb5017d153d117269

internal/controller/trillian/actions/constants.go

@@ -30,9 +30,9 @@ const (
 	MetricsPortName = "metrics"
 
 	SecretRootPassword = "mysql-root-password"
-	SecretPassword     = "mysql-password"
-	SecretDatabaseName = "mysql-database"
-	SecretUser         = "mysql-user"
-	SecretPort         = "mysql-port"
-	SecretHost         = "mysql-host"
+	SecretPassword     = "db-password"
+	SecretDatabaseName = "db-name"
+	SecretUser         = "db-user"
+	SecretPort         = "db-port"
+	SecretHost         = "db-host"
 )

internal/controller/trillian/utils/server-deployment.go

@@ -53,7 +53,7 @@ func ensureInitContainer(instance *v1alpha1.Trillian) func(*apps.Deployment) err
 		initContainer := kubernetes.FindInitContainerByNameOrCreate(&dp.Spec.Template.Spec, "wait-for-trillian-db")
 		initContainer.Image = images.Registry.Get(images.TrillianNetcat)
 
-		hostnameEnv := kubernetes.FindEnvByNameOrCreate(initContainer, "MYSQL_HOSTNAME")
+		hostnameEnv := kubernetes.FindEnvByNameOrCreate(initContainer, "DB_HOSTNAME")
 		hostnameEnv.ValueFrom = &core.EnvVarSource{
 			SecretKeyRef: &core.SecretKeySelector{
 				Key: actions.SecretHost,
@@ -63,7 +63,7 @@ func ensureInitContainer(instance *v1alpha1.Trillian) func(*apps.Deployment) err
 			},
 		}
 
-		portEnv := kubernetes.FindEnvByNameOrCreate(initContainer, "MYSQL_PORT")
+		portEnv := kubernetes.FindEnvByNameOrCreate(initContainer, "DB_PORT")
 		portEnv.ValueFrom = &core.EnvVarSource{
 			SecretKeyRef: &core.SecretKeySelector{
 				Key: actions.SecretPort,
@@ -75,7 +75,7 @@ func ensureInitContainer(instance *v1alpha1.Trillian) func(*apps.Deployment) err
 		initContainer.Command = []string{
 			"sh",
 			"-c",
-			"until nc -z -v -w30 $MYSQL_HOSTNAME $MYSQL_PORT; do echo \"Waiting for MySQL to start\"; sleep 5; done;",
+			"until nc -z -v -w30 $DB_HOSTNAME $DB_PORT; do echo \"Waiting for database to start\"; sleep 5; done;",
 		}
 
 		return nil
@@ -126,24 +126,35 @@ func ensureDeployment(instance *v1alpha1.Trillian, image string, name string, sa
 		container := kubernetes.FindContainerByNameOrCreate(&template.Spec, name)
 		container.Image = image
 
-		container.Args = append([]string{
-			"--storage_system=mysql",
-			"--quota_system=mysql",
-			"--mysql_uri=$(MYSQL_USER):$(MYSQL_PASSWORD)@tcp($(MYSQL_HOSTNAME):$(MYSQL_PORT))/$(MYSQL_DATABASE)",
-			"--mysql_max_conns=30",
-			"--mysql_max_idle_conns=10",
+		if instance.Spec.Db.UsePostgreSQL {
+			container.Args = append([]string{
+				"--storage_system=postgresql",
+				"--quota_system=postgresql",
+				"--postgresql_uri=postgresql://$(DB_USER):$(DB_PASSWORD)@$(DB_HOSTNAME):$(DB_PORT)/$(DB_NAME)",
+			}, args...)
+		} else {
+			container.Args = append([]string{
+				"--storage_system=mysql",
+				"--quota_system=mysql",
+				"--mysql_uri=$(DB_USER):$(DB_PASSWORD)@tcp($(DB_HOSTNAME):$(DB_PORT))/$(DB_NAME)",
+				"--mysql_max_conns=30",
+				"--mysql_max_idle_conns=10",
+			}, args...)
+		}
+
+		container.Args = append(container.Args, []string{
 			"--rpc_endpoint=0.0.0.0:" + strconv.Itoa(int(actions.ServerPort)),
 			"--http_endpoint=0.0.0.0:" + strconv.Itoa(int(actions.MetricsPort)),
 			"--alsologtostderr",
-		}, args...)
+		}...)
 
 		if instance.Spec.MaxRecvMessageSize != nil {
 			container.Args = append(container.Args, "--max_msg_size_bytes", fmt.Sprintf("%d", *instance.Spec.MaxRecvMessageSize))
 		}
 
 		//Ports = containerPorts
 		// Env variables from secret trillian-mysql
-		userEnv := kubernetes.FindEnvByNameOrCreate(container, "MYSQL_USER")
+		userEnv := kubernetes.FindEnvByNameOrCreate(container, "DB_USER")
 		userEnv.ValueFrom = &core.EnvVarSource{
 			SecretKeyRef: &core.SecretKeySelector{
 				Key: actions.SecretUser,
@@ -153,7 +164,7 @@ func ensureDeployment(instance *v1alpha1.Trillian, image string, name string, sa
 			},
 		}
 
-		passwordEnv := kubernetes.FindEnvByNameOrCreate(container, "MYSQL_PASSWORD")
+		passwordEnv := kubernetes.FindEnvByNameOrCreate(container, "DB_PASSWORD")
 		passwordEnv.ValueFrom = &core.EnvVarSource{
 			SecretKeyRef: &core.SecretKeySelector{
 				Key: actions.SecretPassword,
@@ -163,7 +174,7 @@ func ensureDeployment(instance *v1alpha1.Trillian, image string, name string, sa
 			},
 		}
 
-		hostEnv := kubernetes.FindEnvByNameOrCreate(container, "MYSQL_HOSTNAME")
+		hostEnv := kubernetes.FindEnvByNameOrCreate(container, "DB_HOSTNAME")
 		hostEnv.ValueFrom = &core.EnvVarSource{
 			SecretKeyRef: &core.SecretKeySelector{
 				Key: actions.SecretHost,
@@ -173,7 +184,7 @@ func ensureDeployment(instance *v1alpha1.Trillian, image string, name string, sa
 			},
 		}
 
-		containerPortEnv := kubernetes.FindEnvByNameOrCreate(container, "MYSQL_PORT")
+		containerPortEnv := kubernetes.FindEnvByNameOrCreate(container, "DB_PORT")
 		containerPortEnv.ValueFrom = &core.EnvVarSource{
 			SecretKeyRef: &core.SecretKeySelector{
 				Key: actions.SecretPort,
@@ -183,7 +194,7 @@ func ensureDeployment(instance *v1alpha1.Trillian, image string, name string, sa
 			},
 		}
 
-		dbEnv := kubernetes.FindEnvByNameOrCreate(container, "MYSQL_DATABASE")
+		dbEnv := kubernetes.FindEnvByNameOrCreate(container, "DB_NAME")
 		dbEnv.ValueFrom = &core.EnvVarSource{
 			SecretKeyRef: &core.SecretKeySelector{
 				Key: actions.SecretDatabaseName,
@@ -225,13 +236,17 @@ func ensureDeployment(instance *v1alpha1.Trillian, image string, name string, sa
 func WithTlsDB(instance *v1alpha1.Trillian, caPath string, name string) func(*apps.Deployment) error {
 	return func(dp *apps.Deployment) error {
 		c := kubernetes.FindContainerByNameOrCreate(&dp.Spec.Template.Spec, name)
-		c.Args = append(c.Args, "--mysql_tls_ca", caPath)
-
-		mysqlServerName := "$(MYSQL_HOSTNAME)." + instance.Namespace + ".svc"
-		if !*instance.Spec.Db.Create {
-			mysqlServerName = "$(MYSQL_HOSTNAME)"
+		if instance.Spec.Db.UsePostgreSQL {
+			c.Args = append(c.Args, "--postgresql_tls_ca", caPath)
+		} else {
+			c.Args = append(c.Args, "--mysql_tls_ca", caPath)
+
+			mysqlServerName := "$(DB_HOSTNAME)." + instance.Namespace + ".svc"
+			if !*instance.Spec.Db.Create {
+				mysqlServerName = "$(DB_HOSTNAME)"
+			}
+			c.Args = append(c.Args, "--mysql_server_name", mysqlServerName)
 		}
-		c.Args = append(c.Args, "--mysql_server_name", mysqlServerName)
 		return nil
 	}
 }

test/e2e/byodb_test.go

@@ -57,7 +57,7 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 								LocalObjectReference: v1.LocalObjectReference{
 									Name: dbAuth,
 								},
-								Key: "mysql-user",
+								Key: "db-user",
 							}},
 						},
 						{
@@ -66,7 +66,7 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 								LocalObjectReference: v1.LocalObjectReference{
 									Name: dbAuth,
 								},
-								Key: "mysql-password",
+								Key: "db-password",
 							}},
 						},
 						{
@@ -75,7 +75,7 @@ var _ = Describe("Securesign install with byodb", Ordered, func() {
 								LocalObjectReference: v1.LocalObjectReference{
 									Name: dbAuth,
 								},
-								Key: "mysql-database",
+								Key: "db-name",
 							}},
 						},
 						{
@@ -187,12 +187,12 @@ func createDB(ctx context.Context, cli runtimeCli.Client, ns string, secretRef s
 	err = cli.Create(ctx, &v1.Secret{
 		ObjectMeta: metav1.ObjectMeta{Namespace: ns, Name: secretRef},
 		Data: map[string][]byte{
-			"mysql-database":      []byte("my_db"),
-			"mysql-host":          []byte("my-mysql"),
-			"mysql-password":      []byte("password"),
-			"mysql-port":          []byte("3300"),
+			"db-name":             []byte("my_db"),
+			"db-host":             []byte("my-mysql"),
+			"db-password":         []byte("password"),
+			"db-port":             []byte("3300"),
 			"mysql-root-password": []byte("password"),
-			"mysql-user":          []byte("mysql"),
+			"db-user":             []byte("mysql"),
 		},
 	})
 	if err != nil {
@@ -275,7 +275,7 @@ func createDB(ctx context.Context, cli runtimeCli.Client, ns string, secretRef s
 								LocalObjectReference: v1.LocalObjectReference{
 									Name: secretRef,
 								},
-								Key: "mysql-user",
+								Key: "db-user",
 							}},
 						},
 						{
@@ -284,7 +284,7 @@ func createDB(ctx context.Context, cli runtimeCli.Client, ns string, secretRef s
 								LocalObjectReference: v1.LocalObjectReference{
 									Name: secretRef,
 								},
-								Key: "mysql-password",
+								Key: "db-password",
 							}},
 						},
 						{
@@ -293,7 +293,7 @@ func createDB(ctx context.Context, cli runtimeCli.Client, ns string, secretRef s
 								LocalObjectReference: v1.LocalObjectReference{
 									Name: secretRef,
 								},
-								Key: "mysql-database",
+								Key: "db-name",
 							}},
 						},
 					},