redhat-appstudio · jgwest · Oct 16, 2023 · Sep 21, 2023 · Sep 21, 2023 · Sep 21, 2023
diff --git a/.github/workflows/static.yml b/.github/workflows/static.yml
@@ -188,7 +188,7 @@ jobs:
       - name: "Run migration tests to add data in database"
         run: |
           cd $GITHUB_WORKSPACE/utilities/db-migration/migration_test/add_test_values
-          go test $GITHUB_WORKSPACE/utilities/db-migration/migration_test/add_test_values -run "TestInitializeValues"
+          DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true go test $GITHUB_WORKSPACE/utilities/db-migration/migration_test/add_test_values -run "TestInitializeValues"
 
       - name: "Migrate to latest version of database"
         run: |
@@ -198,7 +198,7 @@ jobs:
       - name: "Run migration tests to verify that data added is still present/valid in database"
         run: |
           cd $GITHUB_WORKSPACE/utilities/db-migration/migration_test/verify_test_values
-          go test $GITHUB_WORKSPACE/utilities/db-migration/migration_test/verify_test_values -run "TestVerifyDBValues"
+          DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true go test $GITHUB_WORKSPACE/utilities/db-migration/migration_test/verify_test_values -run "TestVerifyDBValues"
 
   validate-db-migration:
     name: Check if migration schema matches with super schema.

diff --git a/Makefile b/Makefile
@@ -280,7 +280,7 @@ db-drop:
 	cd $(MAKEFILE_ROOT)/utilities/db-migration && go run main.go drop
 
 db-drop_smtable:
-	cd $(MAKEFILE_ROOT)/utilities/db-migration && go run main.go drop_smtable
+	cd $(MAKEFILE_ROOT)/utilities/db-migration && DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true go run main.go drop_smtable
 
 db-migrate-downgrade:
 	cd $(MAKEFILE_ROOT)/utilities/db-migration && go run main.go downgrade_migration

diff --git a/backend-shared/Makefile b/backend-shared/Makefile
@@ -65,7 +65,7 @@ envtest: ## Download envtest-setup locally if necessary.
 	$(call go-get-tool,$(ENVTEST),sigs.k8s.io/controller-runtime/tools/setup-envtest@latest)
 
 test: fmt vet envtest ## Run tests.
-	ACK_GINKGO_DEPRECATIONS=1.16.4 KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -p=1 ./... -coverpkg=./... -coverprofile cover.out
+	ACK_GINKGO_DEPRECATIONS=1.16.4 KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true go test -p=1 ./... -coverpkg=./... -coverprofile cover.out
 
 
 
diff --git a/backend-shared/db/postgres-integration.go b/backend-shared/db/postgres-integration.go
@@ -1,8 +1,10 @@
 package db
 
 import (
+	"crypto/tls"
 	"fmt"
 	"os"
+	"strings"
 
 	"github.com/go-pg/pg/extra/pgdebug"
 	"github.com/go-pg/pg/v10"
@@ -52,6 +54,12 @@ func ConnectToDatabaseWithPort(verbose bool, port int) (*pg.DB, error) {
 		Database: dbName,
 	}
 
+	if value, isSet := os.LookupEnv("DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL"); !isSet || strings.ToLower(value) != "true" {
+		opts.TLSConfig = &tls.Config{
+			MinVersion: tls.VersionTLS12,
+		}
+	}
+
 	db := pg.Connect(opts)
 
 	if err := checkConn(db); err != nil {

diff --git a/backend/Makefile b/backend/Makefile
@@ -51,29 +51,29 @@ vet: ## Run go vet against code.
 	go vet ./...
 
 test: fmt vet envtest ## Run tests.
-	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -timeout=2m -p=1 ./... -coverprofile cover.out -coverpkg=./... -tags skiproutes
+	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true go test -timeout=2m -p=1 ./... -coverprofile cover.out -coverpkg=./... -tags skiproutes
 
 ##@ Build
 
 build: generate fmt vet ## Build manager binary.
 	CGO_ENABLED=0 GOOS=$(OS) GOARCH=$(ARCH) go build -o bin/manager main.go
 
 run: manifests generate fmt vet ## Run a controller from your host.
-	ENABLE_APPPROJECT_ISOLATION=true DISABLE_APPSTUDIO_WEBHOOK=true go run ./main.go --zap-log-level info --zap-time-encoding=rfc3339nano
+	ENABLE_APPPROJECT_ISOLATION=true DISABLE_APPSTUDIO_WEBHOOK=true DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true go run ./main.go --zap-log-level info --zap-time-encoding=rfc3339nano
 
 run-no-self-heal: manifests generate fmt vet ## Run a controller from your host.
-	ENABLE_APPPROJECT_ISOLATION=true SELF_HEAL_INTERVAL=0 DISABLE_APPSTUDIO_WEBHOOK=true go run ./main.go --zap-log-level info --zap-time-encoding=rfc3339nano
+	SELF_HEAL_INTERVAL=0 ENABLE_APPPROJECT_ISOLATION=true DISABLE_APPSTUDIO_WEBHOOK=true DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true go run ./main.go --zap-log-level info --zap-time-encoding=rfc3339nano
 
 runexec: ## Run a controller from your host using exe in current folder
 ifeq (,$(wildcard ./main))
 runexec: manifests generate fmt vet
 	@echo Building and running backend
 	CGO_ENABLED=0 GOOS=$(OS) GOARCH=$(ARCH) go build main.go
-	ENABLE_APPPROJECT_ISOLATION=true DISABLE_APPSTUDIO_WEBHOOK=true ./main --zap-log-level info --zap-time-encoding=rfc3339nano
+	ENABLE_APPPROJECT_ISOLATION=true DISABLE_APPSTUDIO_WEBHOOK=true DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true ./main --zap-log-level info --zap-time-encoding=rfc3339nano
 else
 runexec:
 	@echo Running backend using existing main executable.
-	ENABLE_APPPROJECT_ISOLATION=true DISABLE_APPSTUDIO_WEBHOOK=true ./main --zap-log-level info --zap-time-encoding=rfc3339nano
+	ENABLE_APPPROJECT_ISOLATION=true DISABLE_APPSTUDIO_WEBHOOK=true DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true ./main --zap-log-level info --zap-time-encoding=rfc3339nano
 endif
 
 # more on controller log level configuration: https://sdk.operatorframework.io/docs/building-operators/golang/references/logging/

diff --git a/cluster-agent/Makefile b/cluster-agent/Makefile
@@ -103,30 +103,30 @@ vet: ## Run go vet against code.
 	go vet ./...
 
 test: fmt vet envtest ## Run tests.
-	ACK_GINKGO_DEPRECATIONS=1.16.4 KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" go test -p=1 ./... -coverpkg=./... -coverprofile cover.out
+	ACK_GINKGO_DEPRECATIONS=1.16.4 KUBEBUILDER_ASSETS="$(shell $(ENVTEST) use $(ENVTEST_K8S_VERSION) -p path)" DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true go test -p=1 ./... -coverpkg=./... -coverprofile cover.out
 
 ##@ Build
 
 build: generate fmt vet ## Build manager binary.
 	CGO_ENABLED=0 GOOS=$(OS) GOARCH=$(ARCH) go build -o bin/manager main.go
 
 run: manifests generate fmt vet ## Run a controller from your host.
-	ENABLE_APPPROJECT_ISOLATION=true go run ./main.go --zap-log-level info --zap-time-encoding=rfc3339nano
+	ENABLE_APPPROJECT_ISOLATION=true DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true go run ./main.go --zap-log-level info --zap-time-encoding=rfc3339nano
 # more on controller log level configuration: https://sdk.operatorframework.io/docs/building-operators/golang/references/logging/
 
 run-no-self-heal: manifests generate fmt vet ## Run a controller from your host.
-	ENABLE_APPPROJECT_ISOLATION=true SELF_HEAL_INTERVAL=0 KUBECONFIG=${WORKLOAD_KUBECONFIG} go run ./main.go --zap-log-level info --zap-time-encoding=rfc3339nano
+	SELF_HEAL_INTERVAL=0 ENABLE_APPPROJECT_ISOLATION=true DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true  KUBECONFIG=${WORKLOAD_KUBECONFIG} go run ./main.go --zap-log-level info --zap-time-encoding=rfc3339nano
 
 runexec: ## Run a controller from your host using exe in current folder
 ifeq (,$(wildcard ./main))
 runexec: manifests generate fmt vet
 	@echo Building and running cluster-agent
 	CGO_ENABLED=0 GOOS=$(OS) GOARCH=$(ARCH) go build ./main.go
-	ENABLE_APPPROJECT_ISOLATION=true main --zap-log-level info --zap-time-encoding=rfc3339nano
+	ENABLE_APPPROJECT_ISOLATION=true DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true main --zap-log-level info --zap-time-encoding=rfc3339nano
 else
 runexec:
 	@echo Running cluster-agent using existing main executable.
-	 ENABLE_APPPROJECT_ISOLATION=true main --zap-log-level info --zap-time-encoding=rfc3339nano
+	 ENABLE_APPPROJECT_ISOLATION=true DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true main --zap-log-level info --zap-time-encoding=rfc3339nano
 endif
 
 chaos-run: manifests generate fmt vet ## Chaos Engineering: Simulate a controller that restarts every ~33 seconds.

diff --git a/manifests/overlays/appstudio-staging-cluster/backend-deployment-patch.yaml b/manifests/overlays/appstudio-staging-cluster/backend-deployment-patch.yaml
@@ -39,6 +39,8 @@ spec:
             secretKeyRef:
               key: postgresql-password
               name: gitops-postgresql-staging
+        - name: DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL
+          value: "true"
         image: ${COMMON_IMAGE}
         livenessProbe:
           httpGet:

diff --git a/manifests/overlays/appstudio-staging-cluster/cluster-agent-deployment-patch.yaml b/manifests/overlays/appstudio-staging-cluster/cluster-agent-deployment-patch.yaml
@@ -26,6 +26,8 @@ spec:
             secretKeyRef:
               key: postgresql-password
               name: gitops-postgresql-staging
+        - name: DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL
+          value: "true"
         image: ${COMMON_IMAGE}
         livenessProbe:
           httpGet:

diff --git a/manifests/overlays/k8s-env-e2e/backend-deployment-patch.yaml b/manifests/overlays/k8s-env-e2e/backend-deployment-patch.yaml
@@ -8,6 +8,8 @@ spec:
     spec:
       containers:
       - env:
+        - name: DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL
+          value: "true"
         - name: SELF_HEAL_INTERVAL
           value: "0"
         name: manager
diff --git a/manifests/overlays/k8s-env-e2e/cluster-agent-deployment-patch.yaml b/manifests/overlays/k8s-env-e2e/cluster-agent-deployment-patch.yaml
@@ -8,6 +8,8 @@ spec:
     spec:
       containers:
       - env:
+        - name: DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL
+          value: "true"
         - name: SELF_HEAL_INTERVAL
           value: "0"
         name: manager
diff --git a/manifests/overlays/k8s-env/backend-deployment-patch.yaml b/manifests/overlays/k8s-env/backend-deployment-patch.yaml
@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitops-core-service-controller-manager
+  namespace: gitops
+spec:
+  template:
+    spec:
+      containers:
+      - env:
+        - name: DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL
+          value: "true"
+        name: manager
diff --git a/manifests/overlays/k8s-env/cluster-agent-deployment-patch.yaml b/manifests/overlays/k8s-env/cluster-agent-deployment-patch.yaml
@@ -0,0 +1,13 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitops-service-agent-controller-manager
+  namespace: gitops
+spec:
+  template:
+    spec:
+      containers:
+      - env:
+        - name: DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL
+          value: "true"
+        name: manager
diff --git a/manifests/overlays/k8s-env/kustomization.yaml b/manifests/overlays/k8s-env/kustomization.yaml
@@ -11,6 +11,10 @@ resources:
 - ../../base/postgresql-staging
 # - ../../base/gitops-service-argocd
 
+patchesStrategicMerge:
+- backend-deployment-patch.yaml
+- cluster-agent-deployment-patch.yaml
+
 # Uncomment to use a custom image:
 
 # images:

diff --git a/tests-e2e/Makefile b/tests-e2e/Makefile
@@ -33,7 +33,7 @@ help: ## Display this help.
 
 .PHONY: test
 test: ## Run E2E tests.
-	ENABLE_APPPROJECT_ISOLATION="true" go test -v -p=1 -timeout=100m -race -count=1 -coverprofile=coverage.out ./...	
+	ENABLE_APPPROJECT_ISOLATION="true" DEV_ONLY_ALLOW_NON_TLS_CONNECTION_TO_POSTGRESQL=true go test -v -p=1 -timeout=100m -race -count=1 -coverprofile=coverage.out ./...
 
 # go-get-tool will 'go install' any package $2 and install it to $1.
 PROJECT_DIR := $(shell dirname $(abspath $(lastword $(MAKEFILE_LIST))))