feat: add custom tls config support to mysql

[silphid]

Description of your changes

This PR adds support for custom TLS configuration to mysql implementation. In provider config file, if tls is set to custom, it reads custom TLS configuration from tlsConfig property, reading CA cert and client key/pair from K8s secret(s), and registering that config in mysql driver under the custom key.

Even though the mysql driver allows for multiple tls config key/value pairs, in the context of the provider it didn't appear to make sense to allow user to configure multiple TLS configurations and select only one of them, therefore the tlsConfig property is not a map, but rather a single config entry.

I have:

• Read and followed Crossplane's [contribution process].
• Run make reviewable to ensure this PR is ready for review.

How has this code been tested

Because e2e tests require a totally different setup with a TLS-enabled mariaDB instance (but with same test cases), the current test script was duplicated and modified to add TLS, making sure that make test-integration runs both the no-tls and tls test scripts. It would be possible to refactor both scripts to combine them together and reduce duplication of setup and test code, however to the cost of readability. Let me know if that is a blocker and I will address it, I just didn't want to introduce more complexity in e2e test script until you confirm that's really what you prefer.

[silphid]

(left a few comments in-line here to explain some of the decisions)

[silphid]

This was broken down onto two lines instead of && because that silenced all errors in up alpha xpkg command and continued with rest of script in case of failures.

[silphid]

This is probably a better way to generate a random password, because the previous approach was generating errors:

tr: write error: Broken pipe
tr: write error

because head had to truncate its input stream and close its pipe, which tr complained about. It was still working OK, even with the error message, probably because set -o pipefail is not set.

[silphid]

On macOS, the wc -l command is outputting the count with leading/trailing whitespace, which made that check wait infinitely.

[chlunde]

probably also depending on PATH and brew packages, because I didn't notice anything on my mac :) But since this works on linux and in CI here I totally approve on the change 👍

[silphid]

This was also not ever timing out (only on macOS?), because doing integer operations/comparisons requires this special syntax.

[silphid]

A dedicated test user is required in order to specifically require X509 on it, but not for admin user, which is also used for health probes without TLS.

[silphid]

Note that --require-secure-transport=ON is not sufficient to require client to also provide its cert, we must also turn on REQUIRE X509 on specific users (see below).

[silphid]

insecureSkipVerify is to be used only here in e2e tests, because certs are self-signed, otherwise server would reject its own cert.

[silphid]

Used an error constant for consistency here, even though Crossplane contribution guidelines no longer recommend using them.

[silphid]

@Duologic @chlunde @iainlane sorry for pinging you directly, I saw you seem to have been active here recently. Would just appreciate your cue on whether you think such a PR is likely to be reviewed on the short term, or if we should rather assume that we'll need to build and use our own fork for the next few months? Thanks! 🙏

[chlunde]

you may consider enforcing this
https://kubernetes.io/docs/reference/using-api/cel/

[silphid]

That would be an interesting exercise, but I have never used CEL, would need to read up on it and learn it, so I'd maybe hope to get away with it! 😅

[chlunde]

Looks like "custom" is a global key here. I think this must have a unique name per DB if you connect to two databases?

[silphid]

Good catch! 👍 I have now fixed it by making the key suffixed with provider config name, in order to support multiple configs.

[chlunde]

Question: can and should this be called in newDB instead? It's something you always have to call before newDB? 🤔

[silphid]

We could merge the two, but I see newDB as a non-failing function with no external calls, no error result, etc, and I also perceive those two functions as conceptually different. We would need to refactor newDB considerably, along with corresponding unit tests, as it would slightly affect its scope/role. I tried to be as little intrusive as possible with my changes, but if we commonly decide that they should be merged together, I will tackle that refactoring.

[chlunde]

@silphid not sure if we should duplicate the full integration test, because there's also talk about adding PG integration tests.

Two ideas:

• Create a common library script with at least functions for "setup cluster + install provider" and "teardown cluster", and reuse that code by importing it as a library using source
• Have a main driver script to run integration tests, calls smaller "integration_test_mysql_tls.sh", integration_test_mysql_no_tls.sh, integration_test_postgresql.sh, before cleanup. Each script can assume a working and "fairly clean" cluster. Each script must cleanup the cluster (but keep the provider installed).

@Duologic @Bastichou what do you think?

[Duologic]

Thanks for this, I don't have any objections on either proposals, I gladly follow what ya'll think is a good path forward.

Thanks @chlunde for the review, I'm lacking bandwidth to review this but don't mind rubberstamping your approval and get this merged.

@silphid don't forget to sign the DCO ;)

[silphid]

@silphid not sure if we should duplicate the full integration test, because there's also talk about adding PG integration tests.

All right, I went ahead and refactored all integration tests into more modular shell functions. I kept them inline for now, as we only have mysql tests, but eventually if we add tests for PG, they would be easy to extract into other files that could be sourced. I'm pretty satisfied with the result, which is IMO much cleaner and readable. Let me know what you think! :)

[silphid]

@chlunde @Duologic I just rebased on latest master, resolved conflicts and signed all commits (also see my above comments/improvements). Anything else I should do before you can run the workflow again?

[silphid]

@chlunde I appreciate everyone is busy with their own projects, with little spare time left, but if it was possible to get a quick review on this one, I would be extremely grateful! 🙏☀️ We're hoping to start using those changes via the official release channel, but otherwise the plan is to setup the CI/CD for our fork internally, which I would sincerely prefer to avoid, if possible! 😅

[chlunde]

Cool, as far as I can see this looks good. I'm not a MySQL user so I can't fully vet this (and not a maintainer of provider-sql).

FYI @Duologic

@silphid when merged to main, there will be a image built even if there is no release, so it is possible to install it in a cluster without duplicating the pipeline.

[silphid]

@chlunde @Duologic still says it needs approval from a reviewer with write access.

[silphid]

Bump @chlunde @Duologic.

Would so much appreciate your review and ideally unblocking the execution of the checks/workflows! 🙏

[silphid]

Last bump @chlunde @Duologic 🤞 before we move on to setting up the build and publishing of our own fork, as a last resort.