Remove TDE/Hardened support code

Issue: PGO-2811

Author: tjmoore4

internal/config/config.go

@@ -19,32 +19,6 @@ func defaultFromEnv(value, key string) string {
 	return value
 }
 
-// FetchKeyCommand returns the fetch_key_cmd value stored in the encryption_key_command
-// variable used to enable TDE.
-func FetchKeyCommand(spec *v1beta1.PostgresClusterSpec) string {
-	if config := spec.Config; config != nil {
-		if parameters := config.Parameters; parameters != nil {
-			if v, ok := parameters["encryption_key_command"]; ok {
-				return v.String()
-			}
-		}
-	}
-
-	if spec.Patroni != nil {
-		if configuration := spec.Patroni.DynamicConfiguration; configuration != nil {
-			if postgresql, ok := configuration["postgresql"].(map[string]any); ok {
-				if parameters, ok := postgresql["parameters"].(map[string]any); ok {
-					if parameters["encryption_key_command"] != nil {
-						return fmt.Sprintf("%s", parameters["encryption_key_command"])
-					}
-				}
-			}
-		}
-	}
-
-	return ""
-}
-
 // Red Hat Marketplace requires operators to use environment variables be used
 // for any image other than the operator itself. Those variables must start with
 // "RELATED_IMAGE_" so that OSBS can transform their tag values into digests

internal/config/config_test.go

@@ -14,118 +14,6 @@ import (
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
 )
 
-func TestFetchKeyCommand(t *testing.T) {
-	t.Run("missing", func(t *testing.T) {
-		spec1 := v1beta1.PostgresClusterSpec{}
-		assert.Assert(t, FetchKeyCommand(&spec1) == "")
-
-		spec2 := v1beta1.PostgresClusterSpec{
-			Patroni: &v1beta1.PatroniSpec{},
-		}
-		assert.Assert(t, FetchKeyCommand(&spec2) == "")
-
-		spec3 := v1beta1.PostgresClusterSpec{
-			Patroni: &v1beta1.PatroniSpec{
-				DynamicConfiguration: map[string]any{},
-			},
-		}
-		assert.Assert(t, FetchKeyCommand(&spec3) == "")
-
-		spec4 := v1beta1.PostgresClusterSpec{
-			Patroni: &v1beta1.PatroniSpec{
-				DynamicConfiguration: map[string]any{
-					"postgresql": map[string]any{},
-				},
-			},
-		}
-		assert.Assert(t, FetchKeyCommand(&spec4) == "")
-
-		spec5 := v1beta1.PostgresClusterSpec{
-			Patroni: &v1beta1.PatroniSpec{
-				DynamicConfiguration: map[string]any{
-					"postgresql": map[string]any{
-						"parameters": map[string]any{},
-					},
-				},
-			},
-		}
-		assert.Assert(t, FetchKeyCommand(&spec5) == "")
-	})
-
-	t.Run("blank", func(t *testing.T) {
-		var spec1 v1beta1.PostgresClusterSpec
-		require.UnmarshalInto(t, &spec1, `{
-			patroni: {
-				dynamicConfiguration: {
-					postgresql: {
-						parameters: {
-							encryption_key_command: "",
-						},
-					},
-				},
-			},
-		}`)
-		assert.Equal(t, "", FetchKeyCommand(&spec1))
-
-		var spec2 v1beta1.PostgresClusterSpec
-		require.UnmarshalInto(t, &spec2, `{
-			config: {
-				parameters: {
-					encryption_key_command: "",
-				},
-			},
-		}`)
-		assert.Equal(t, "", FetchKeyCommand(&spec2))
-	})
-
-	t.Run("exists", func(t *testing.T) {
-		var spec1 v1beta1.PostgresClusterSpec
-		require.UnmarshalInto(t, &spec1, `{
-			patroni: {
-				dynamicConfiguration: {
-					postgresql: {
-						parameters: {
-							encryption_key_command: "echo mykey",
-						},
-					},
-				},
-			},
-		}`)
-		assert.Equal(t, "echo mykey", FetchKeyCommand(&spec1))
-
-		var spec2 v1beta1.PostgresClusterSpec
-		require.UnmarshalInto(t, &spec2, `{
-			config: {
-				parameters: {
-					encryption_key_command: "cat somefile",
-				},
-			},
-		}`)
-		assert.Equal(t, "cat somefile", FetchKeyCommand(&spec2))
-	})
-
-	t.Run("config.parameters takes precedence", func(t *testing.T) {
-		var spec v1beta1.PostgresClusterSpec
-		require.UnmarshalInto(t, &spec, `{
-			config: {
-				parameters: {
-					encryption_key_command: "cat somefile",
-				},
-			},
-			patroni: {
-				dynamicConfiguration: {
-					postgresql: {
-						parameters: {
-							encryption_key_command: "echo mykey",
-						},
-					},
-				},
-			},
-		}`)
-		assert.Equal(t, "cat somefile", FetchKeyCommand(&spec))
-	})
-}
-
 func TestPGAdminContainerImage(t *testing.T) {
 	cluster := &v1beta1.PostgresCluster{}
 

internal/controller/pgupgrade/jobs.go

@@ -22,7 +22,6 @@ import (
 	"github.com/crunchydata/postgres-operator/internal/initialize"
 	"github.com/crunchydata/postgres-operator/internal/naming"
 	"github.com/crunchydata/postgres-operator/internal/postgres"
-	"github.com/crunchydata/postgres-operator/internal/shell"
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
 )
 
@@ -37,7 +36,7 @@ func pgUpgradeJob(upgrade *v1beta1.PGUpgrade) metav1.ObjectMeta {
 
 // upgradeCommand returns an entrypoint that prepares the filesystem for
 // and performs a PostgreSQL major version upgrade using pg_upgrade.
-func upgradeCommand(spec *v1beta1.PGUpgradeSettings, fetchKeyCommand string) []string {
+func upgradeCommand(spec *v1beta1.PGUpgradeSettings) []string {
 	argJobs := fmt.Sprintf(` --jobs=%d`, max(1, spec.Jobs))
 	argMethod := cmp.Or(map[string]string{
 		"Clone":         ` --clone`,
@@ -48,11 +47,6 @@ func upgradeCommand(spec *v1beta1.PGUpgradeSettings, fetchKeyCommand string) []s
 	oldVersion := spec.FromPostgresVersion
 	newVersion := spec.ToPostgresVersion
 
-	var argEncryptionKeyCommand string
-	if fetchKeyCommand != "" {
-		argEncryptionKeyCommand = ` --encryption-key-command=` + shell.QuoteWord(fetchKeyCommand)
-	}
-
 	args := []string{fmt.Sprint(oldVersion), fmt.Sprint(newVersion)}
 	script := strings.Join([]string{
 		// Exit immediately when a pipeline or subshell exits non-zero or when expanding an unset variable.
@@ -138,7 +132,7 @@ func upgradeCommand(spec *v1beta1.PGUpgradeSettings, fetchKeyCommand string) []s
 		`checksums=$(if [[ "${checksums}" -gt 0 ]]; then echo '--data-checksums'; elif [[ "${new_version}" -ge 18 ]]; then echo '--no-data-checksums'; fi)`,
 
 		`section 'Step 3 of 7: Initializing new data directory...'`,
-		`PGDATA="${new_data}" "${new_bin}/initdb" --allow-group-access ${checksums}` + argEncryptionKeyCommand,
+		`PGDATA="${new_data}" "${new_bin}/initdb" --allow-group-access ${checksums}`,
 
 		// Read the configured value then quote it; every single-quote U+0027 is replaced by two.
 		//
@@ -186,8 +180,7 @@ func largestWholeCPU(resources corev1.ResourceRequirements) int64 {
 // directory of the startup instance.
 func (r *PGUpgradeReconciler) generateUpgradeJob(
 	ctx context.Context, upgrade *v1beta1.PGUpgrade,
-	startup *appsv1.StatefulSet, fetchKeyCommand string,
-) *batchv1.Job {
+	startup *appsv1.StatefulSet) *batchv1.Job {
 	job := &batchv1.Job{}
 	job.SetGroupVersionKind(batchv1.SchemeGroupVersion.WithKind("Job"))
 
@@ -252,7 +245,7 @@ func (r *PGUpgradeReconciler) generateUpgradeJob(
 		VolumeMounts:    database.VolumeMounts,
 
 		// Use our upgrade command and the specified image and resources.
-		Command:         upgradeCommand(settings, fetchKeyCommand),
+		Command:         upgradeCommand(settings),
 		Image:           pgUpgradeContainerImage(upgrade),
 		ImagePullPolicy: upgrade.Spec.ImagePullPolicy,
 		Resources:       upgrade.Spec.Resources,

internal/controller/pgupgrade/jobs_test.go

@@ -85,7 +85,7 @@ func TestUpgradeCommand(t *testing.T) {
 			{Spec: 10, Args: "--jobs=10"},
 		} {
 			spec := &v1beta1.PGUpgradeSettings{Jobs: tt.Spec}
-			command := upgradeCommand(spec, "")
+			command := upgradeCommand(spec)
 			assert.Assert(t, len(command) > 3)
 			assert.DeepEqual(t, []string{"bash", "-c", "--"}, command[:3])
 
@@ -109,7 +109,7 @@ func TestUpgradeCommand(t *testing.T) {
 			{Spec: "CopyFileRange", Args: "--copy-file-range"},
 		} {
 			spec := &v1beta1.PGUpgradeSettings{TransferMethod: tt.Spec}
-			command := upgradeCommand(spec, "")
+			command := upgradeCommand(spec)
 			assert.Assert(t, len(command) > 3)
 			assert.DeepEqual(t, []string{"bash", "-c", "--"}, command[:3])
 
@@ -158,7 +158,7 @@ func TestGenerateUpgradeJob(t *testing.T) {
 		},
 	}
 
-	job := reconciler.generateUpgradeJob(ctx, upgrade, startup, "")
+	job := reconciler.generateUpgradeJob(ctx, upgrade, startup)
 	assert.Assert(t, cmp.MarshalMatches(job, `
 apiVersion: batch/v1
 kind: Job
@@ -267,13 +267,9 @@ status: {}
 		}))
 		ctx := feature.NewContext(context.Background(), gate)
 
-		job := reconciler.generateUpgradeJob(ctx, upgrade, startup, "")
+		job := reconciler.generateUpgradeJob(ctx, upgrade, startup)
 		assert.Assert(t, cmp.MarshalContains(job, `--jobs=2`))
 	})
-
-	tdeJob := reconciler.generateUpgradeJob(ctx, upgrade, startup, "echo testKey")
-	assert.Assert(t, cmp.MarshalContains(tdeJob,
-		`PGDATA="${new_data}" "${new_bin}/initdb" --allow-group-access ${checksums} --encryption-key-command='echo testKey'`))
 }
 
 func TestGenerateRemoveDataJob(t *testing.T) {

internal/controller/pgupgrade/pgupgrade_controller.go

@@ -19,7 +19,6 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/handler"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
 
-	"github.com/crunchydata/postgres-operator/internal/config"
 	"github.com/crunchydata/postgres-operator/internal/controller/runtime"
 	"github.com/crunchydata/postgres-operator/internal/logging"
 	"github.com/crunchydata/postgres-operator/internal/naming"
@@ -431,7 +430,7 @@ func (r *PGUpgradeReconciler) Reconcile(ctx context.Context, upgrade *v1beta1.PG
 	// TODO: error from apply could mean that the job exists with a different spec.
 	if err == nil && !upgradeJobComplete {
 		err = errors.WithStack(runtime.Apply(ctx, r.Writer,
-			r.generateUpgradeJob(ctx, upgrade, world.ClusterPrimary, config.FetchKeyCommand(&world.Cluster.Spec))))
+			r.generateUpgradeJob(ctx, upgrade, world.ClusterPrimary)))
 	}
 
 	// Create the jobs to remove the data from the replicas, as long as

internal/controller/postgrescluster/pgbackrest.go

@@ -1262,9 +1262,6 @@ func (r *Reconciler) reconcileRestoreJob(ctx context.Context,
 
 	params := postgres.NewParameterSet()
 	postgres.SetHugePages(cluster, params)
-	if fetchKeyCommand := config.FetchKeyCommand(&cluster.Spec); fetchKeyCommand != "" {
-		params.Add("encryption_key_command", fetchKeyCommand)
-	}
 
 	// NOTE (andrewlecuyer): Forcing users to put each argument separately might prevent the need
 	// to do any escaping or use eval.

internal/patroni/config.go

@@ -13,7 +13,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"sigs.k8s.io/yaml"
 
-	"github.com/crunchydata/postgres-operator/internal/config"
 	"github.com/crunchydata/postgres-operator/internal/initialize"
 	"github.com/crunchydata/postgres-operator/internal/naming"
 	"github.com/crunchydata/postgres-operator/internal/postgres"
@@ -228,14 +227,6 @@ func DynamicConfiguration(
 		"use_slots": false,
 	}
 
-	// When TDE is configured, override the pg_rewind binary name to point
-	// to the wrapper script.
-	if config.FetchKeyCommand(spec) != "" {
-		postgresql["bin_name"] = map[string]any{
-			"pg_rewind": "/tmp/pg_rewind_tde.sh",
-		}
-	}
-
 	// Copy the "postgresql" section over the above defaults.
 	if section, ok := root["postgresql"].(map[string]any); ok {
 		maps.Copy(postgresql, section)
@@ -575,11 +566,6 @@ func instanceYAML(
 				"waldir=" + postgres.WALDirectory(cluster, instance),
 			}
 
-			// Append the encryption key command, if provided.
-			if ekc := config.FetchKeyCommand(&cluster.Spec); ekc != "" {
-				initdb = append(initdb, fmt.Sprintf("encryption-key-command=%s", ekc))
-			}
-
 			// Populate some "bootstrap" fields to initialize the cluster.
 			// When Patroni is already bootstrapped, this section is ignored.
 			// - https://github.com/zalando/patroni/blob/v2.0.2/docs/SETTINGS.rst#bootstrap-configuration

internal/patroni/config_test.go

@@ -525,31 +525,6 @@ func TestDynamicConfiguration(t *testing.T) {
 				},
 			},
 		},
-		{
-			name: "config.parameters: tde enabled",
-			spec: `{
-				config: {
-					parameters: {
-						encryption_key_command: echo one,
-					},
-				},
-			}`,
-			params: parameters(map[string]string{
-				"encryption_key_command": "echo one",
-			}),
-			expected: map[string]any{
-				"loop_wait": int32(10),
-				"ttl":       int32(30),
-				"postgresql": map[string]any{
-					"bin_name": map[string]any{"pg_rewind": string("/tmp/pg_rewind_tde.sh")},
-					"parameters": map[string]string{
-						"encryption_key_command": "echo one",
-					},
-					"use_pg_rewind": bool(true),
-					"use_slots":     bool(false),
-				},
-			},
-		},
 	} {
 		t.Run(tt.name, func(t *testing.T) {
 			cluster := new(v1beta1.PostgresCluster)
@@ -729,41 +704,6 @@ postgresql:
   pgpass: /tmp/.pgpass
   use_unix_socket: true
 restapi: {}
-tags: {}
-	`, "\t\n")+"\n")
-
-	cluster.Spec.Patroni = &v1beta1.PatroniSpec{
-		DynamicConfiguration: map[string]any{
-			"postgresql": map[string]any{
-				"parameters": map[string]any{
-					"encryption_key_command": "echo test",
-				},
-			},
-		},
-	}
-
-	datawithTDE, err := instanceYAML(cluster, instance, nil)
-	assert.NilError(t, err)
-	assert.Equal(t, datawithTDE, strings.Trim(`
-# Generated by postgres-operator. DO NOT EDIT.
-# Your changes will not be saved.
-bootstrap:
-  initdb:
-  - allow-group-access
-  - data-checksums
-  - encoding=UTF8
-  - waldir=/pgdata/pg12_wal
-  - encryption-key-command=echo test
-  method: initdb
-kubernetes: {}
-postgresql:
-  basebackup:
-  - waldir=/pgdata/pg12_wal
-  create_replica_methods:
-  - basebackup
-  pgpass: /tmp/.pgpass
-  use_unix_socket: true
-restapi: {}
 tags: {}
 	`, "\t\n")+"\n")