Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add test case for SQLInstance SSL configuration #2653

Merged
merged 2 commits into from
Sep 10, 2024
Merged

Add test case for SQLInstance SSL configuration #2653

merged 2 commits into from
Sep 10, 2024

Conversation

jasonvigil
Copy link
Collaborator

No description provided.

@jasonvigil jasonvigil requested a review from yuwenma September 9, 2024 18:27
yuwenma
yuwenma reviewed Sep 9, 2024
View reviewed changes
pkg/test/resourcefixture/testdata/basic/sql/v1beta1/sqlinstance/sqlinstance-ssl/update.yaml
ipConfiguration:
sslMode: ENCRYPTED_ONLY
# When `sslMode=ENCRYPTED_ONLY`, the legacy `requireSsl` flag must be false or cleared.
requireSsl: false
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if

  • ssLmode: ENCRYPTED_ONLY and requireSsl: true, will the SQL server returns a reasonable error?
  • ssLmode: ENCRYPTED_ONLY and requireSsl unset (not configured in spec), will KCC or the SQL server returns any message? I think we shall allow this case, that better aligns with the "cleared" concept and shall be covered by this test.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens if

  • ssLmode: ENCRYPTED_ONLY and requireSsl: true, will the SQL server returns a reasonable error?

Yeah, the server returns this error:
"""
failed to create instance sqlinstance-ssl-test: googleapi: Error 400: Invalid request: For a Postgres instance, sslMode value ENCRYPTED_ONLY and requireSsl value true are conflicting. When sslMode=ENCRYPTED_ONLY, requireSsl must be false. When requireSsl=true, sslMode must be TRUSTED_CLIENT_CERTIFICATE_REQUIRED. It's recommended that you only set sslMode.
"""

  • ssLmode: ENCRYPTED_ONLY and requireSsl unset (not configured in spec), will KCC or the SQL server returns any message? I think we shall allow this case, that better aligns with the "cleared" concept and shall be covered by this test.

We do allow this case; it works as expected. The limitation is from the GCP API, not from direct controller / KCC validation. The reason I added this test case (with legacy field requireSsl: false) was to highlight this potential mistake a user could make. The API quirks are documented here: https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1/instances#ipconfiguration

Also just updated the test case to remove sslMode from create.yaml, and remove requireSsl from update.yaml.

Copy link
Collaborator

@yuwenma yuwenma Sep 9, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cool.
For unset, I think what we want to verify is that create.yaml has requireSsl: true and ssLmode: <valid value> , the then update.yaml unset the requireSsl, this should pass because the update "unset" the requireSsl rather than "unchange" it. Does it make sense?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, updated!

yuwenma
yuwenma reviewed Sep 9, 2024
View reviewed changes
Copy link
Collaborator

@yuwenma yuwenma left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have some questions for clarification, otherwise looks good!

@jasonvigil jasonvigil mentioned this pull request Sep 9, 2024
Merged
@yuwenma
Copy link
Collaborator

yuwenma commented Sep 10, 2024

/lgtm
/approve

@google-oss-prow google-oss-prow bot added the lgtm label Sep 10, 2024
@google-oss-prow Google OSS Prow
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yuwenma

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@google-oss-prow google-oss-prow bot merged commit 8266a1c into GoogleCloudPlatform:master Sep 10, 2024
15 checks passed
@jasonvigil jasonvigil deleted the sqlinstance-ssl branch September 10, 2024 21:22
@yuwenma yuwenma added this to the 1.123 milestone Oct 25, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yuwenma yuwenma yuwenma left review comments

Assignees

@yuwenma yuwenma

Labels
approved lgtm service:sql
Projects
None yet
Milestone
1.123
Development

Successfully merging this pull request may close these issues.
2 participants
@jasonvigil @yuwenma