test(pgbouncer tls connection): add E2E test for PgBouncer and TLS connections

Connect to Postgres via PgBouncer against a cluster with different client
and server CA.

Co-authored-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
Co-authored-by: Gabriele Quaresima <gabriele.quaresima@enterprisedb.com>
Co-authored-by: Francesco Canovai <francesco.canovai@enterprisedb.com>

Author: 4 people

tests/e2e/cnp_certificates_test.go

@@ -11,6 +11,7 @@ import (
 	"time"
 
 	corev1 "k8s.io/api/core/v1"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -85,7 +86,7 @@ var _ = Describe("Certificates", func() {
 
 			AssertDBConnectionFromAppPod(namespace, clusterName, sampleAppFile, appPod)
 
-			AssertCertificatesSecrets(namespace, clusterName, caSecName, tlsSecName, certs.CertTypeServer)
+			createAndAssertCertificatesSecrets(namespace, clusterName, caSecName, tlsSecName, certs.CertTypeServer, false)
 
 			By("switching to user-supplied server certificates", func() {
 				// Updating defaults certificates entries with user provided certificates,
@@ -124,7 +125,8 @@ var _ = Describe("Certificates", func() {
 			AssertCreateCluster(namespace, clusterName, sampleFile, env)
 
 			// Create certificates secret for client
-			AssertCertificatesSecrets(namespace, clusterName, caSecNameClient, tlsSecNameClient, certs.CertTypeClient)
+			createAndAssertCertificatesSecrets(namespace, clusterName, caSecNameClient, tlsSecNameClient,
+				certs.CertTypeClient, false)
 
 			By("switching to user-supplied client certificates", func() {
 				// Updating defaults certificates entries with user provided certificates,
@@ -162,9 +164,10 @@ var _ = Describe("Certificates", func() {
 			// Create cluster
 			AssertCreateCluster(namespace, clusterName, sampleFile, env)
 			// Create certificates secret for server
-			AssertCertificatesSecrets(namespace, clusterName, caSecName, tlsSecName, certs.CertTypeServer)
+			createAndAssertCertificatesSecrets(namespace, clusterName, caSecName, tlsSecName, certs.CertTypeServer, false)
 			// Create certificates secret for client
-			AssertCertificatesSecrets(namespace, clusterName, caSecNameClient, tlsSecNameClient, certs.CertTypeClient)
+			createAndAssertCertificatesSecrets(namespace, clusterName, caSecNameClient, tlsSecNameClient,
+				certs.CertTypeClient, false)
 
 			By("switching to user-supplied server and client certificates", func() {
 				// Updating defaults certificates entries with user provided certificates,
@@ -219,7 +222,7 @@ var _ = Describe("Certificates", func() {
 			// Create a cluster in a namespace that will be deleted after the test
 			err := env.CreateNamespace(namespace)
 			Expect(err).ToNot(HaveOccurred())
-			AssertCertificatesSecrets(namespace, clusterName, caSecName, tlsSecName, certs.CertTypeServer)
+			createAndAssertCertificatesSecrets(namespace, clusterName, caSecName, tlsSecName, certs.CertTypeServer, false)
 			AssertCreateCluster(namespace, clusterName, sampleFile, env)
 			AssertClientCertificatesSecretsUsingCnpPlugin(namespace, clusterName)
 			AssertDBConnectionFromAppPod(namespace, clusterName, sampleAppFileUserSuppliedCert, appPodUserSuppliedCert)
@@ -251,7 +254,8 @@ var _ = Describe("Certificates", func() {
 			Expect(err).ToNot(HaveOccurred())
 
 			// Create certificates secret for client
-			AssertCertificatesSecrets(namespace, clusterName, caSecNameClient, tlsSecNameClient, certs.CertTypeClient)
+			createAndAssertCertificatesSecrets(namespace, clusterName, caSecNameClient, tlsSecNameClient,
+				certs.CertTypeClient, false)
 			AssertCreateCluster(namespace, clusterName, sampleFile, env)
 			AssertDBConnectionFromAppPod(namespace, clusterName, sampleAppFileUserSuppliedCertClient, appPodUserSuppliedCert)
 		})
@@ -282,34 +286,26 @@ var _ = Describe("Certificates", func() {
 			Expect(err).ToNot(HaveOccurred())
 
 			// Create certificates secret for server
-			AssertCertificatesSecrets(namespace, clusterName, caSecName, tlsSecName, certs.CertTypeServer)
+			createAndAssertCertificatesSecrets(namespace, clusterName, caSecName, tlsSecName, certs.CertTypeServer, false)
 
 			// Create certificates secret for client
-			AssertCertificatesSecrets(namespace, clusterName, caSecNameClient, tlsSecNameClient, certs.CertTypeClient)
+			createAndAssertCertificatesSecrets(namespace, clusterName, caSecNameClient, tlsSecNameClient,
+				certs.CertTypeClient, false)
 			AssertCreateCluster(namespace, clusterName, sampleFile, env)
 			AssertDBConnectionFromAppPod(namespace, clusterName, sampleUserSuppliedCertClientServer, appPodUserSuppliedCert)
 		})
 	})
 })
 
-func AssertCertificatesSecrets(namespace, clusterName, caSecName, tlsSecName, certType string) {
-	// creating root CA certificates
-	cluster := &apiv1.Cluster{}
-	cluster.Namespace = namespace
-	cluster.Name = clusterName
-	secret := &corev1.Secret{}
-	err := env.Client.Get(env.Ctx, client.ObjectKey{Namespace: namespace, Name: caSecName}, secret)
-	Expect(err).To(HaveOccurred())
-
-	caPair, err := certs.CreateRootCA(cluster.Name, namespace)
-	Expect(err).ToNot(HaveOccurred())
+func createAndAssertCertificatesSecrets(
+	namespace, clusterName, caSecName, tlsSecName, certType string, includeCAPrivateKey bool) {
+	cluster, caPair := createSecretCA(namespace, clusterName, caSecName, includeCAPrivateKey)
 
-	caSecret := caPair.GenerateCASecret(namespace, caSecName)
-	// delete the key from the CA, as it is not needed in this case
-	delete(caSecret.Data, certs.CAPrivateKeyKey)
-	err = env.Client.Create(env.Ctx, caSecret)
-	Expect(err).ToNot(HaveOccurred())
+	assertCACertificateCreation(namespace, certType, caPair, cluster, tlsSecName)
+}
 
+func assertCACertificateCreation(namespace string, certType string, caPair *certs.KeyPair,
+	cluster *apiv1.Cluster, tlsSecName string) {
 	if certType == certs.CertTypeServer {
 		By("creating server TLS certificate", func() {
 			serverPair, err := caPair.CreateAndSignPair(cluster.GetServiceReadWriteName(), certs.CertTypeServer,
@@ -342,6 +338,29 @@ func AssertCertificatesSecrets(namespace, clusterName, caSecName, tlsSecName, ce
 	}
 }
 
+func createSecretCA(namespace string, clusterName string, caSecName string, includeCAPrivateKey bool) (
+	*apiv1.Cluster, *certs.KeyPair) {
+	// creating root CA certificates
+	cluster := &apiv1.Cluster{}
+	cluster.Namespace = namespace
+	cluster.Name = clusterName
+	secret := &corev1.Secret{}
+	err := env.Client.Get(env.Ctx, client.ObjectKey{Namespace: namespace, Name: caSecName}, secret)
+	Expect(apierrors.IsNotFound(err)).To(BeTrue())
+
+	caPair, err := certs.CreateRootCA(cluster.Name, namespace)
+	Expect(err).ToNot(HaveOccurred())
+
+	caSecret := caPair.GenerateCASecret(namespace, caSecName)
+	// delete the key from the CA, as it is not needed in this case
+	if !includeCAPrivateKey {
+		delete(caSecret.Data, certs.CAPrivateKeyKey)
+	}
+	err = env.Client.Create(env.Ctx, caSecret)
+	Expect(err).ToNot(HaveOccurred())
+	return cluster, caPair
+}
+
 func AssertClientCertificatesSecretsUsingCnpPlugin(namespace, clusterName string) {
 	clientCertName := "cluster-cert"
 	By("creating a client Certificate using the 'kubectl-cnp' plugin", func() {

tests/e2e/fixtures/pgbouncer/pgbouncer_separate_client_server_ca/.gitignore

@@ -0,0 +1 @@
+cluster-user-supplied-client-server-certificates.yaml

tests/e2e/fixtures/pgbouncer/pgbouncer_separate_client_server_ca/cluster-user-supplied-client-server-certificates.yaml.template

@@ -0,0 +1,33 @@
+apiVersion: postgresql.k8s.enterprisedb.io/v1
+kind: Cluster
+metadata:
+  name: pgbouncer-separate-client-server-ca
+spec:
+  instances: 3
+
+  postgresql:
+    parameters:
+      work_mem: "8MB"
+      log_checkpoints: "on"
+      log_lock_waits: "on"
+      log_min_duration_statement: '1000'
+      log_statement: 'ddl'
+      log_temp_files: '1024'
+      log_autovacuum_min_duration: '1s'
+      log_replication_commands: 'on'
+
+  certificates:
+    serverCASecret: my-postgresql-server-ca
+    serverTLSSecret: my-postgresql-server
+    clientCASecret: my-postgresql-client-ca
+    replicationTLSSecret: my-postgresql-client
+
+  bootstrap:
+    initdb:
+      database: app
+      owner: app
+
+  # Persistent storage configuration
+  storage:
+    storageClass: ${E2E_DEFAULT_STORAGE_CLASS}
+    size: 1Gi

tests/e2e/fixtures/pgbouncer/pgbouncer_separate_client_server_ca/pgbouncer-pooler-tls-ro.yaml

@@ -0,0 +1,12 @@
+apiVersion: postgresql.k8s.enterprisedb.io/v1
+kind: Pooler
+metadata:
+  name: pooler-connection-tls-ro
+spec:
+  cluster:
+    name: pgbouncer-separate-client-server-ca
+
+  instances: 1
+  type: ro
+  pgbouncer:
+    poolMode: session

tests/e2e/fixtures/pgbouncer/pgbouncer_separate_client_server_ca/pgbouncer-pooler-tls-rw.yaml

@@ -0,0 +1,12 @@
+apiVersion: postgresql.k8s.enterprisedb.io/v1
+kind: Pooler
+metadata:
+  name: pooler-connection-tls-rw
+spec:
+  cluster:
+    name: pgbouncer-separate-client-server-ca
+
+  instances: 1
+  type: rw
+  pgbouncer:
+    poolMode: session

tests/e2e/pgbouncer_test.go

@@ -12,6 +12,7 @@ import (
 	appsv1 "k8s.io/api/apps/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	"github.com/EnterpriseDB/cloud-native-postgresql/pkg/certs"
 	"github.com/EnterpriseDB/cloud-native-postgresql/pkg/specs/pgbouncer"
 	"github.com/EnterpriseDB/cloud-native-postgresql/pkg/utils"
 	"github.com/EnterpriseDB/cloud-native-postgresql/tests"
@@ -104,6 +105,53 @@ var _ = Describe("PGBouncer Connections", func() {
 				poolerCertificateROSampleFile, false)
 		})
 	})
+
+	It("can connect to Postgres via pgbouncer against a cluster with separate client and server CA", func() {
+		const (
+			folderPath                    = fixturesDir + "/pgbouncer/pgbouncer_separate_client_server_ca/"
+			sampleFileWithCertificate     = folderPath + "cluster-user-supplied-client-server-certificates.yaml"
+			poolerCertificateROSampleFile = folderPath + "pgbouncer-pooler-tls-ro.yaml"
+			poolerCertificateRWSampleFile = folderPath + "pgbouncer-pooler-tls-rw.yaml"
+			caSecName                     = "my-postgresql-server-ca"
+			tlsSecName                    = "my-postgresql-server"
+			tlsSecNameClient              = "my-postgresql-client"
+			caSecNameClient               = "my-postgresql-client-ca"
+		)
+		// Create a cluster in a namespace that will be deleted after the test
+		namespace = "pgbouncer-separate-certificates"
+		err := env.CreateNamespace(namespace)
+		Expect(err).ToNot(HaveOccurred())
+		clusterName, err = env.GetResourceNameFromYAML(sampleFileWithCertificate)
+		Expect(err).ToNot(HaveOccurred())
+
+		// Create certificates secret for server
+		createAndAssertCertificatesSecrets(namespace, clusterName,
+			caSecName, tlsSecName, certs.CertTypeServer, true)
+
+		// Create certificates secret for client
+		createAndAssertCertificatesSecrets(namespace, clusterName,
+			caSecNameClient, tlsSecNameClient, certs.CertTypeClient, true)
+
+		AssertCreateCluster(namespace, clusterName, sampleFileWithCertificate, env)
+
+		By("setting up read write type pgbouncer pooler", func() {
+			createAndAssertPgBouncerPoolerIsSetUp(namespace, poolerCertificateRWSampleFile, 1)
+		})
+
+		By("setting up read only type pgbouncer pooler", func() {
+			createAndAssertPgBouncerPoolerIsSetUp(namespace, poolerCertificateROSampleFile, 1)
+		})
+
+		By("verifying read and write connections using pgbouncer service", func() {
+			assertReadWriteConnectionUsingPgBouncerService(namespace, clusterName,
+				poolerCertificateRWSampleFile, true)
+		})
+
+		By("verifying read connections using pgbouncer service", func() {
+			assertReadWriteConnectionUsingPgBouncerService(namespace, clusterName,
+				poolerCertificateROSampleFile, false)
+		})
+	})
 })
 
 var _ = Describe("PgBouncer Pooler Resources", func() {