Add an end-to-end test for PgBouncer TLS

Issue: [sc-13017]

Author: cbandy

testing/kuttl/e2e/pgbouncer/00--cluster.yaml

@@ -1,29 +1,20 @@
 apiVersion: postgres-operator.crunchydata.com/v1beta1
 kind: PostgresCluster
 metadata:
-  name: pgbouncer-test
+  name: proxied
+  labels: { postgres-operator-test: kuttl }
 spec:
   postgresVersion: 14
   instances:
     - name: instance1
       replicas: 2
-      dataVolumeClaimSpec:
-        accessModes:
-        - "ReadWriteOnce"
-        resources:
-          requests:
-            storage: 1Gi
+      dataVolumeClaimSpec: { accessModes: [ReadWriteOnce], resources: { requests: { storage: 1Gi } } }
   backups:
     pgbackrest:
       repos:
       - name: repo1
         volume:
-          volumeClaimSpec:
-            accessModes:
-            - "ReadWriteOnce"
-            resources:
-              requests:
-                storage: 1Gi
+          volumeClaimSpec: { accessModes: [ReadWriteOnce], resources: { requests: { storage: 1Gi } } }
   proxy:
     pgBouncer:
       replicas: 1

testing/kuttl/e2e/pgbouncer/00-assert.yaml

@@ -1,7 +1,7 @@
 apiVersion: postgres-operator.crunchydata.com/v1beta1
 kind: PostgresCluster
 metadata:
-  name: pgbouncer-test
+  name: proxied
 status:
   instances:
     - name: instance1
@@ -12,4 +12,4 @@ status:
 apiVersion: v1
 kind: Service
 metadata:
-  name: pgbouncer-test-pgbouncer
+  name: proxied-pgbouncer

testing/kuttl/e2e/pgbouncer/01--psql-connect.yaml

@@ -2,11 +2,14 @@ apiVersion: batch/v1
 kind: Job
 metadata:
   name: psql-connect
+  labels: { postgres-operator-test: kuttl }
 spec:
+  backoffLimit: 3
   template:
+    metadata:
+      labels: { postgres-operator-test: kuttl }
     spec:
-      backoffLimit: 3
-      restartPolicy: "OnFailure"
+      restartPolicy: Never
       containers:
         - name: psql
           image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:centos8-14.1-0
@@ -20,19 +23,19 @@ spec:
           - name: PGSSLROOTCERT
             value: "/tmp/certs/ca.crt"
           - name: PGHOST
-            valueFrom: { secretKeyRef: { name: pgbouncer-test-pguser-pgbouncer-test, key: pgbouncer-host } }
+            valueFrom: { secretKeyRef: { name: proxied-pguser-proxied, key: pgbouncer-host } }
           - name: PGPORT
-            valueFrom: { secretKeyRef: { name: pgbouncer-test-pguser-pgbouncer-test, key: pgbouncer-port } }
+            valueFrom: { secretKeyRef: { name: proxied-pguser-proxied, key: pgbouncer-port } }
           - name: PGDATABASE
-            valueFrom: { secretKeyRef: { name: pgbouncer-test-pguser-pgbouncer-test, key: dbname } }
+            valueFrom: { secretKeyRef: { name: proxied-pguser-proxied, key: dbname } }
           - name: PGUSER
-            valueFrom: { secretKeyRef: { name: pgbouncer-test-pguser-pgbouncer-test, key: user } }
+            valueFrom: { secretKeyRef: { name: proxied-pguser-proxied, key: user } }
           - name: PGPASSWORD
-            valueFrom: { secretKeyRef: { name: pgbouncer-test-pguser-pgbouncer-test, key: password } }
+            valueFrom: { secretKeyRef: { name: proxied-pguser-proxied, key: password } }
           volumeMounts:
           - name: certs
             mountPath: "/tmp/certs"
       volumes:
       - name: certs
         secret:
-          secretName: pgbouncer-test-cluster-cert
+          secretName: proxied-cluster-cert

testing/kuttl/e2e/pgbouncer/10--read-certificate.yaml

@@ -0,0 +1,28 @@
+---
+# Print the certificate presented by PgBouncer.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: read-cert-before
+  labels: { postgres-operator-test: kuttl }
+spec:
+  backoffLimit: 1
+  template:
+    metadata:
+      labels: { postgres-operator-test: kuttl }
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: openssl
+          image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:centos8-14.1-0
+          env:
+            - name: PGHOST
+              valueFrom: { secretKeyRef: { name: proxied-pguser-proxied, key: pgbouncer-host } }
+            - name: PGPORT
+              valueFrom: { secretKeyRef: { name: proxied-pguser-proxied, key: pgbouncer-port } }
+          command:
+            - bash
+            - -ceu
+            - |
+              openssl s_client --connect '$(PGHOST):$(PGPORT)' --starttls postgres < /dev/null 2> /dev/null |
+              openssl x509 --noout --text

testing/kuttl/e2e/pgbouncer/10-assert.yaml

@@ -0,0 +1,8 @@
+---
+# Wait for the job to complete.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: read-cert-before
+status:
+  succeeded: 1

testing/kuttl/e2e/pgbouncer/11--open-connection.yaml

@@ -0,0 +1,43 @@
+---
+# Connect through PgBouncer and wait long enough for TLS certificates to rotate.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: psql-open-connection
+  labels: { postgres-operator-test: kuttl }
+spec:
+  backoffLimit: 1
+  template:
+    metadata:
+      labels: { postgres-operator-test: kuttl }
+    spec:
+      restartPolicy: Never
+      volumes:
+        # TODO(cbandy): Provide a CA bundle that clients can use for verification.
+        - { name: tls, secret: { secretName: proxied-cluster-cert } }
+      containers:
+        - name: psql
+          image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:centos8-14.1-0
+          env:
+            # Connect through PgBouncer.
+            - name: PGURI
+              valueFrom: { secretKeyRef: { name: proxied-pguser-proxied, key: pgbouncer-uri } }
+
+            # Verify the certificate presented by PgBouncer.
+            - { name: PGSSLMODE, value: verify-full }
+            - { name: PGSSLROOTCERT, value: /mnt/ca.crt }
+
+          volumeMounts:
+            - { name: tls, mountPath: /mnt }
+
+          command:
+            - psql
+            - $(PGURI)
+            - -qAt
+            - --set=ON_ERROR_STOP=1
+
+            # Print connection details.
+            - --command=SELECT pid, backend_start FROM pg_stat_activity WHERE pid = pg_backend_pid();
+
+            # Wait here so later test steps can see this open connection.
+            - --command=SELECT pg_sleep_for('5 minutes');

testing/kuttl/e2e/pgbouncer/11-assert.yaml

@@ -0,0 +1,18 @@
+---
+# Wait for the job to start.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: psql-open-connection
+status:
+  active: 1
+
+---
+# Wait for the pod to start.
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    job-name: psql-open-connection
+status:
+  phase: Running

testing/kuttl/e2e/pgbouncer/12--rotate-certificate.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      BEFORE=$(date -u +%FT%TZ)
+
+      # Wipe out the stored PgBouncer certificate.
+      kubectl patch --namespace "${NAMESPACE}" secret/proxied-pgbouncer \
+        --patch '{"data":{"pgbouncer-frontend.crt":""}}'
+
+      # Wait for the certificate to be regenerated then loaded.
+      until
+        kubectl logs --namespace "${NAMESPACE}" deployment.apps/proxied-pgbouncer \
+          --container pgbouncer-config --since-time "${BEFORE}" | grep 'Loaded'
+      do
+        sleep 1
+      done

testing/kuttl/e2e/pgbouncer/13--read-certificate.yaml

@@ -0,0 +1,28 @@
+---
+# Print the certificate presented by PgBouncer.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: read-cert-after
+  labels: { postgres-operator-test: kuttl }
+spec:
+  backoffLimit: 1
+  template:
+    metadata:
+      labels: { postgres-operator-test: kuttl }
+    spec:
+      restartPolicy: Never
+      containers:
+        - name: openssl
+          image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:centos8-14.1-0
+          env:
+            - name: PGHOST
+              valueFrom: { secretKeyRef: { name: proxied-pguser-proxied, key: pgbouncer-host } }
+            - name: PGPORT
+              valueFrom: { secretKeyRef: { name: proxied-pguser-proxied, key: pgbouncer-port } }
+          command:
+            - bash
+            - -ceu
+            - |
+              openssl s_client --connect '$(PGHOST):$(PGPORT)' --starttls postgres < /dev/null 2> /dev/null |
+              openssl x509 --noout --text

testing/kuttl/e2e/pgbouncer/13-assert.yaml

@@ -0,0 +1,8 @@
+---
+# Wait for the job to complete.
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: read-cert-after
+status:
+  succeeded: 1