Adds registration to unencumber PGO-431

Author: Anthony Landreth

cmd/postgres-operator/main.go

@@ -130,10 +130,15 @@ func main() {
 func addControllersToManager(mgr manager.Manager, openshift bool, log logr.Logger) {
 	pgReconciler := &postgrescluster.Reconciler{
 		Client:      mgr.GetClient(),
+		IsOpenShift: openshift,
 		Owner:       postgrescluster.ControllerName,
+		PGOVersion:  versionString,
 		Recorder:    mgr.GetEventRecorderFor(postgrescluster.ControllerName),
-		Tracer:      otel.Tracer(postgrescluster.ControllerName),
-		IsOpenShift: openshift,
+		// TODO(tlandreth) Replace the contents of cpk_rsa_key.pub with a key from a
+		// Crunchy authorization server.
+		Registration:    util.GetRegistration(os.Getenv("RSA_KEY"), os.Getenv("TOKEN_PATH"), log),
+		RegistrationURL: os.Getenv("REGISTRATION_URL"),
+		Tracer:          otel.Tracer(postgrescluster.ControllerName),
 	}
 
 	if err := pgReconciler.SetupWithManager(mgr); err != nil {

cpk_rsa_key.pub

@@ -0,0 +1,9 @@
+-----BEGIN PUBLIC KEY-----
+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1SU1LfVLPHCozMxH2Mo
+4lgOEePzNm0tRgeLezV6ffAt0gunVTLw7onLRnrq0/IzW7yWR7QkrmBL7jTKEn5u
++qKhbwKfBstIs+bMY2Zkp18gnTxKLxoS2tFczGkPLPgizskuemMghRniWaoLcyeh
+kd3qqGElvW/VDL5AaWTg0nLVkjRo9z+40RQzuVaE8AkAFmxZzow3x+VJYKdjykkJ
+0iT9wCS0DRTXu269V264Vf/3jvredZiKRkgwlL9xNAwxXFg0x/XFw005UWVRIkdg
+cKWTjpBP2dPwVZ4WWC+9aGVd+Gyn1o0CLelf4rEjGoXbAAEgAqeGUxrcIlbjXfbc
+mwIDAQAB
+-----END PUBLIC KEY-----

go.mod

@@ -5,6 +5,7 @@ go 1.19
 require (
 	github.com/evanphx/json-patch/v5 v5.6.0
 	github.com/go-logr/logr v1.2.2
+	github.com/golang-jwt/jwt/v5 v5.0.0
 	github.com/google/go-cmp v0.5.9
 	github.com/google/uuid v1.3.0
 	github.com/onsi/ginkgo/v2 v2.0.0

go.sum

@@ -189,6 +189,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
+github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
+github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=

internal/config/config.go

@@ -36,6 +36,9 @@ func RegistrationRequired() bool {
 
 // Get the version of CPK that applied the first RegistrationRequired status to this cluster.
 func RegistrationRequiredBy(cluster *v1beta1.PostgresCluster) string {
+	if cluster.Status.RegistrationRequired == nil {
+		return ""
+	}
 	return cluster.Status.RegistrationRequired.PGOVersion
 }
 

internal/controller/postgrescluster/controller.go

@@ -21,6 +21,7 @@ import (
 	"io"
 	"os"
 	"strconv"
+	"time"
 
 	"github.com/pkg/errors"
 	"go.opentelemetry.io/otel/trace"
@@ -50,6 +51,7 @@ import (
 	"github.com/crunchydata/postgres-operator/internal/pgmonitor"
 	"github.com/crunchydata/postgres-operator/internal/pki"
 	"github.com/crunchydata/postgres-operator/internal/postgres"
+	"github.com/crunchydata/postgres-operator/internal/util"
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
 )
 
@@ -61,15 +63,17 @@ const (
 // Reconciler holds resources for the PostgresCluster reconciler
 type Reconciler struct {
 	Client      client.Client
-	Owner       client.FieldOwner
-	Recorder    record.EventRecorder
-	Tracer      trace.Tracer
 	IsOpenShift bool
-
-	PodExec func(
+	Owner       client.FieldOwner
+	PGOVersion  string
+	PodExec     func(
 		namespace, pod, container string,
 		stdin io.Reader, stdout, stderr io.Writer, command ...string,
 	) error
+	Recorder        record.EventRecorder
+	Registration    util.Registration
+	RegistrationURL string
+	Tracer          trace.Tracer
 }
 
 // +kubebuilder:rbac:groups="",resources="events",verbs={create,patch}
@@ -209,13 +213,17 @@ func (r *Reconciler) Reconcile(
 		return result, err
 	}
 
-	if config.RegistrationRequired() {
+	if config.RegistrationRequired() && !r.registrationValid() {
 		if !registrationRequiredStatusFound(cluster) {
-			addRegistrationRequiredStatus(cluster)
+			addRegistrationRequiredStatus(cluster, r.PGOVersion)
 			return patchClusterStatus()
 		}
 
-		if shouldEncumberReconciliation(cluster) {
+		if r.tokenAuthenticationFailed() {
+			r.Recorder.Event(cluster, corev1.EventTypeWarning, "Token Authentication Failed", "See "+r.RegistrationURL+" for details.")
+		}
+
+		if shouldEncumberReconciliation(r.Registration.Authenticated, cluster, r.PGOVersion) {
 			emitEncumbranceWarning(cluster, r)
 			// Encumbrance is just an early return from the reconciliation loop.
 			return patchClusterStatus()
@@ -224,6 +232,17 @@ func (r *Reconciler) Reconcile(
 		}
 	}
 
+	if config.RegistrationRequired() && r.registrationValid() {
+		if tokenRequiredConditionFound(cluster) {
+			meta.RemoveStatusCondition(&cluster.Status.Conditions, v1beta1.TokenRequired)
+		}
+
+		if registrationRequiredStatusFound(cluster) {
+			cluster.Status.RegistrationRequired = nil
+			r.Recorder.Event(cluster, corev1.EventTypeNormal, "Token Verified", "Thank you for registering your installation of Crunchy Postgres for Kubernetes.")
+		}
+	}
+
 	// if the cluster is paused, set a condition and return
 	if cluster.Spec.Paused != nil && *cluster.Spec.Paused {
 		meta.SetStatusCondition(&cluster.Status.Conditions, metav1.Condition{
@@ -390,6 +409,20 @@ func (r *Reconciler) Reconcile(
 	return patchClusterStatus()
 }
 
+func (r *Reconciler) tokenAuthenticationFailed() bool {
+	return r.Registration.TokenFileFound && r.Registration.Authenticated
+}
+
+func (r *Reconciler) registrationValid() bool {
+	expiry := r.Registration.Exp
+	authenticated := r.Registration.Authenticated
+	// Use epoch time in seconds, consistent with RFC 7519.
+	now := time.Now().Unix()
+	expired := expiry < now
+
+	return authenticated && !expired
+}
+
 // deleteControlled safely deletes object when it is controlled by cluster.
 func (r *Reconciler) deleteControlled(
 	ctx context.Context, cluster *v1beta1.PostgresCluster, object client.Object,