From 3e488fe0ad1f3fe6dc6ddbf81f2df7489aaa0a92 Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Mon, 30 Oct 2023 17:03:55 -0400
Subject: [PATCH] feat(db): inherit from scl image, enforce PG_ENCRYPT_KEY (#129)
---
db/Dockerfile | 10 ++++-
db/entrypoint.bash | 9 ++++
db/include/postgresql-cfg/pgcrypto.conf | 1 +
db/include/postgresql-init/pgcrypto.sh | 3 ++
db/pgcrypto.sql | 1 -
smoketest/compose/db.yml | 14 ++----
smoketest/k8s/cryostat-deployment.yaml | 6 ++-
smoketest/k8s/s3-deployment.yaml | 2 +-
src/main/resources/application-dev.properties | 24 +++++++++++
.../resources/application-test.properties | 24 +++++++++++
src/main/resources/application.properties | 19 --------
.../cryostat/credentials/CredentialsIT.java | 21 +++++++++
.../cryostat/credentials/CredentialsTest.java | 43 +++++++++++++++++++
13 files changed, 143 insertions(+), 34 deletions(-)
create mode 100755 db/entrypoint.bash
create mode 100644 db/include/postgresql-cfg/pgcrypto.conf
create mode 100755 db/include/postgresql-init/pgcrypto.sh
delete mode 100644 db/pgcrypto.sql
create mode 100644 src/test/java/io/cryostat/credentials/CredentialsIT.java
create mode 100644 src/test/java/io/cryostat/credentials/CredentialsTest.java
diff --git a/db/Dockerfile b/db/Dockerfile
index 6ceae02d8..d9b41142e 100644
--- a/db/Dockerfile
+++ b/db/Dockerfile
@@ -1,2 +1,8 @@
-FROM docker.io/library/postgres:15
-COPY ./pgcrypto.sql /docker-entrypoint-initdb.d/
+FROM quay.io/sclorg/postgresql-15-c8s:latest
+
+ENTRYPOINT ["/usr/local/bin/cryostat-db-entrypoint.bash"]
+
+ENV POSTGRESQL_LOG_DESTINATION=/dev/stderr
+
+COPY ./entrypoint.bash /usr/local/bin/cryostat-db-entrypoint.bash
+COPY ./include /opt/app-root/src/
diff --git a/db/entrypoint.bash b/db/entrypoint.bash
new file mode 100755
index 000000000..1806c58d2
--- /dev/null
+++ b/db/entrypoint.bash
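Review bot: The new base image line `FROM quay.io/sclorg/postgresql-15-c8s:latest` is unpinned, so every rebuild of this Dockerfile pulls whatever the externally maintained `latest` tag points at that day, and the image that ships the custom entrypoint and `pgcrypto` init is not reproducible from the commit. Pin it to a specific tag and, preferably, a digest (`FROM quay.io/sclorg/postgresql-15-c8s:<tag>@sha256:<digest>`) so that base-image changes arrive as a deliberate, reviewable bump rather than silently on the next build; the removed `docker.io/library/postgres:15` line had at least fixed the major version in the tag. A one-line comment above `FROM` noting that the `postgresql-cfg`/`postgresql-init` layout under `/opt/app-root/src/` is what this particular base image consumes would also help the next person who changes the base.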
@@ -0,0 +1,9 @@ +#!/usr/bin/env bash + +if [ "$1" = "postgres" ]; then + shift +fi + +exec /usr/bin/run-postgresql \ + -c encrypt.key="${PG_ENCRYPT_KEY?:\$PG_ENCRYPT_KEY must be set and non-empty}" \ + "$@" diff --git a/db/include/postgresql-cfg/pgcrypto.conf b/db/include/postgresql-cfg/pgcrypto.conf new file mode 100644 index 000000000..47109c0c9 --- /dev/null +++ b/db/include/postgresql-cfg/pgcrypto.conf @@ -0,0 +1 @@ +shared_preload_libraries='pgcrypto' diff --git a/db/include/postgresql-init/pgcrypto.sh b/db/include/postgresql-init/pgcrypto.sh new file mode 100755 index 000000000..b549fe51a --- /dev/null +++ b/db/include/postgresql-init/pgcrypto.sh @@ -0,0 +1,3 @@ +#!/usr/bin/env bash + +psql -d template1 -c "CREATE EXTENSION IF NOT EXISTS pgcrypto WITH SCHEMA public CASCADE;" diff --git a/db/pgcrypto.sql b/db/pgcrypto.sql deleted file mode 100644 index 9744c615d..000000000 --- a/db/pgcrypto.sql +++ /dev/null @@ -1 +0,0 @@ -CREATE EXTENSION IF NOT EXISTS pgcrypto; diff --git a/smoketest/compose/db.yml b/smoketest/compose/db.yml index b72812d61..33bd8ed58 100644 --- a/smoketest/compose/db.yml +++ b/smoketest/compose/db.yml @@ -3,28 +3,22 @@ services: cryostat: environment: QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION: drop-and-create - QUARKUS_DATASOURCE_DB_KIND: postgresql QUARKUS_DATASOURCE_USERNAME: cryostat3 QUARKUS_DATASOURCE_PASSWORD: cryostat3 QUARKUS_DATASOURCE_JDBC_URL: jdbc:postgresql://db:5432/cryostat3 db: image: quay.io/cryostat/cryostat3-db:dev build: ../../db - entrypoint: - - /usr/local/bin/docker-entrypoint.sh - command: - - postgres - - -c - - encrypt.key=REPLACEME hostname: db expose: - "5432" environment: - POSTGRES_USER: cryostat3 - POSTGRES_PASSWORD: cryostat3 + POSTGRESQL_USER: cryostat3 + POSTGRESQL_PASSWORD: cryostat3 + POSTGRESQL_DATABASE: cryostat3 PG_ENCRYPT_KEY: REPLACEME volumes: - - postgresql:/var/lib/postgresql/data + - postgresql:/var/lib/pgsql/data restart: always healthcheck: test: pg_isready -U cryostat3 -d cryostat3 || exit 1 
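Review bot: The parameter expansion `${PG_ENCRYPT_KEY?:\$PG_ENCRYPT_KEY must be set and non-empty}` on the `-c encrypt.key=` line uses the `?` form, which in bash aborts only when the variable is unset; the "unset or empty" check is `:?`, and as written the leading colon is simply the first character of the error message, so `PG_ENCRYPT_KEY=""` is accepted and PostgreSQL starts with an empty `encrypt.key` despite the message promising otherwise. The fix is to swap the two characters: `-c encrypt.key="${PG_ENCRYPT_KEY:?\$PG_ENCRYPT_KEY must be set and non-empty}" \`. Separately, passing the key as a `-c` argument puts it on the postmaster's command line, where it is readable through `ps`/`/proc/<pid>/cmdline` by any process sharing the PID namespace (assuming `run-postgresql` forwards extra arguments to `postgres` as the old compose `command:` did); writing it into a mode-0600 file under the `postgresql-cfg/` directory this commit already uses for `pgcrypto.conf`, or applying it via `ALTER SYSTEM` from a `postgresql-init` script, would keep it out of argv. A comment on the `if [ "$1" = "postgres" ]` guard saying it exists to tolerate the old `command: postgres` invocation from compose would explain the otherwise odd `shift`.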
diff --git a/smoketest/k8s/cryostat-deployment.yaml b/smoketest/k8s/cryostat-deployment.yaml index f499b43e4..381dc46d4 100644 --- a/smoketest/k8s/cryostat-deployment.yaml +++ b/smoketest/k8s/cryostat-deployment.yaml @@ -57,8 +57,12 @@ spec: value: cryostat3 - name: QUARKUS_HIBERNATE_ORM_DATABASE_GENERATION value: drop-and-create + - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID + value: minioroot + - name: QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_SECRET_ACCESS_KEY + value: minioroot - name: QUARKUS_S3_AWS_CREDENTIALS_TYPE - value: default + value: static - name: QUARKUS_S3_AWS_REGION value: us-east-1 - name: QUARKUS_S3_ENDPOINT_OVERRIDE diff --git a/smoketest/k8s/s3-deployment.yaml b/smoketest/k8s/s3-deployment.yaml index f9e2438a8..18baf2657 100644 --- a/smoketest/k8s/s3-deployment.yaml +++ b/smoketest/k8s/s3-deployment.yaml @@ -64,7 +64,7 @@ spec: name: minio-data - mountPath: /certs name: minio-certs - hostname: minio + hostname: s3 restartPolicy: Always volumes: - name: minio-data diff --git a/src/main/resources/application-dev.properties b/src/main/resources/application-dev.properties index 41b8c8d35..87642863f 100644 --- a/src/main/resources/application-dev.properties +++ b/src/main/resources/application-dev.properties 
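Review bot: The added `QUARKUS_S3_AWS_CREDENTIALS_STATIC_PROVIDER_ACCESS_KEY_ID` and `..._SECRET_ACCESS_KEY` entries in the cryostat Deployment embed a static secret (`minioroot`) as a plain `value:`, so it is readable by anyone who can `get deployments`, is retained in every ReplicaSet revision, and shows up in any manifest export or GitOps diff. Even for a smoke test, the shape people copy should be `valueFrom: {secretKeyRef: {name: <secret>, key: <key>}}` pointing at a Secret, which keeps credentials out of the manifest at no extra cost; the same applies to the database password lines just above this hunk. The change of `QUARKUS_S3_AWS_CREDENTIALS_TYPE` from `default` to `static` presumably means the SDK no longer consults the environment/IRSA chain, which is fine against minio but worth a one-line comment so nobody reuses this manifest against real S3.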
@@ -17,3 +17,27 @@ quarkus.log.category."org.jboss.resteasy.reactive.common.core.AbstractResteasyRe
 cryostat.discovery.jdp.enabled=true
 cryostat.discovery.podman.enabled=true
 cryostat.discovery.docker.enabled=true
+
+quarkus.datasource.devservices.enabled=true
+quarkus.datasource.devservices.image-name=quay.io/cryostat/cryostat3-db
+
+# !!! prod databases must set this configuration parameter some other way via a secret !!!
+quarkus.datasource.devservices.container-env.PG_ENCRYPT_KEY=examplekey
+quarkus.datasource.devservices.container-env.POSTGRESQL_USER=quarkus
+quarkus.datasource.devservices.container-env.POSTGRESQL_PASSWORD=quarkus
+quarkus.datasource.devservices.container-env.POSTGRESQL_DATABASE=quarkus
+quarkus.datasource.devservices.username=quarkus
+quarkus.datasource.devservices.password=quarkus
+quarkus.datasource.devservices.db-name=quarkus
+# !!!
+
+quarkus.s3.devservices.enabled=true
+quarkus.s3.devservices.buckets=archivedrecordings
+# FIXME the following overrides should not be required, but currently seem to help with testcontainers reliability
+quarkus.aws.devservices.localstack.image-name=localstack/localstack:2.1.0
+quarkus.aws.devservices.localstack.container-properties.START_WEB=0
+quarkus.aws.devservices.localstack.container-properties.SERVICES=s3
+quarkus.aws.devservices.localstack.container-properties.EAGER_SERVICE_LOADING=1
+quarkus.aws.devservices.localstack.container-properties.SKIP_SSL_CERT_DOWNLOAD=1
+quarkus.aws.devservices.localstack.container-properties.SKIP_INFRA_DOWNLOADS=1
+quarkus.aws.devservices.localstack.container-properties.DISABLE_EVENTS=1
diff --git a/src/main/resources/application-test.properties b/src/main/resources/application-test.properties
index b11f2edd8..d2fc74d6b 100644
--- a/src/main/resources/application-test.properties
+++ b/src/main/resources/application-test.properties
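Review bot: `quarkus.datasource.devservices.image-name=quay.io/cryostat/cryostat3-db` carries no tag, so dev services will resolve it to `:latest` from the registry, whereas `smoketest/compose/db.yml` in this same commit builds the image locally as `quay.io/cryostat/cryostat3-db:dev`; dev mode will presumably keep running a published `latest` that does not yet contain the new entrypoint and `PG_ENCRYPT_KEY` enforcement, and will later silently track whatever is pushed to that tag. Pin it to an explicit tag, e.g. `quarkus.datasource.devservices.image-name=quay.io/cryostat/cryostat3-db:dev` to match the compose file, or a released version. The `# !!!` warning around `PG_ENCRYPT_KEY=examplekey` is good; extending it with `# dev-profile only: this file is still packaged, the profile prefix is the only thing keeping this key out of prod` would make the boundary explicit.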
@@ -9,3 +9,27 @@ grafana-dashboard.url=http://grafana:3000
 grafana-datasource.url=http://jfr-datasource:8080
 quarkus.test.env.JAVA_OPTS_APPEND=-Dquarkus.http.host=0.0.0.0 -Djava.util.logging.manager=org.jboss.logmanager.LogManager -Dcom.sun.management.jmxremote.autodiscovery=true -Dcom.sun.management.jmxremote -Dcom.sun.management.jmxremote.port=9091 -Dcom.sun.management.jmxremote.rmi.port=9091 -Djava.rmi.server.hostname=127.0.0.1 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false -Dcom.sun.management.jmxremote.local.only=false
+
+quarkus.datasource.devservices.enabled=true
+quarkus.datasource.devservices.image-name=quay.io/cryostat/cryostat3-db
+
+# !!! prod databases must set this configuration parameter some other way via a secret !!!
+quarkus.datasource.devservices.container-env.PG_ENCRYPT_KEY=examplekey
+quarkus.datasource.devservices.container-env.POSTGRESQL_USER=quarkus
+quarkus.datasource.devservices.container-env.POSTGRESQL_PASSWORD=quarkus
+quarkus.datasource.devservices.container-env.POSTGRESQL_DATABASE=quarkus
+quarkus.datasource.devservices.username=quarkus
+quarkus.datasource.devservices.password=quarkus
+quarkus.datasource.devservices.db-name=quarkus
+# !!!
+
+quarkus.s3.devservices.enabled=true
+quarkus.s3.devservices.buckets=archivedrecordings
+# FIXME the following overrides should not be required, but currently seem to help with testcontainers reliability
+quarkus.aws.devservices.localstack.image-name=localstack/localstack:2.1.0
+quarkus.aws.devservices.localstack.container-properties.START_WEB=0
+quarkus.aws.devservices.localstack.container-properties.SERVICES=s3
+quarkus.aws.devservices.localstack.container-properties.EAGER_SERVICE_LOADING=1
+quarkus.aws.devservices.localstack.container-properties.SKIP_SSL_CERT_DOWNLOAD=1
+quarkus.aws.devservices.localstack.container-properties.SKIP_INFRA_DOWNLOADS=1
+quarkus.aws.devservices.localstack.container-properties.DISABLE_EVENTS=1
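Review bot: The 24 added lines here are a verbatim copy of the block added to `application-dev.properties` in this same commit, down to the `PG_ENCRYPT_KEY=examplekey` placeholder and the untagged `quay.io/cryostat/cryostat3-db` image, so the two profiles will drift the first time one of them is edited. If the Quarkus version in use supports multi-profile keys, a single block in `application.properties` with a `%dev,%test.` prefix (`%dev,%test.quarkus.datasource.devservices.enabled=true`, and likewise for the other lines) expresses the same thing once and keeps the dev-services secrets in one place to audit. Either way, a comment on the first line pointing at the sibling file (`# keep in sync with application-dev.properties`) is the minimum.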
diff --git a/src/main/resources/application.properties b/src/main/resources/application.properties
index cee3043e4..57c1358d9 100644
--- a/src/main/resources/application.properties
+++ b/src/main/resources/application.properties
@@ -51,27 +51,8 @@ quarkus.security.users.embedded.roles.user=read,write
 quarkus.security.users.embedded.users.reader=reader
 quarkus.security.users.embedded.roles.reader=read
-quarkus.datasource.db-kind=postgresql
-quarkus.datasource.db-version=13.0
-quarkus.datasource.devservices.enabled=true
-quarkus.datasource.devservices.image-name=quay.io/cryostat/cryostat3-db
-
-# !!! prod databases must set this configuration parameter some other way via a secret !!!
-quarkus.datasource.devservices.command=postgres -c encrypt.key=REPLACEME
-# !!!
-
 storage.buckets.archives.name=archivedrecordings
 storage.buckets.archives.expiration-label=expiration
-quarkus.s3.devservices.enabled=true
-quarkus.s3.devservices.buckets=archivedrecordings
-# FIXME the following overrides should not be required, but currently seem to help with testcontainers reliability
-quarkus.aws.devservices.localstack.image-name=localstack/localstack:2.1.0
-quarkus.aws.devservices.localstack.container-properties.START_WEB=0
-quarkus.aws.devservices.localstack.container-properties.SERVICES=s3
-quarkus.aws.devservices.localstack.container-properties.EAGER_SERVICE_LOADING=1
-quarkus.aws.devservices.localstack.container-properties.SKIP_SSL_CERT_DOWNLOAD=1
-quarkus.aws.devservices.localstack.container-properties.SKIP_INFRA_DOWNLOADS=1
-quarkus.aws.devservices.localstack.container-properties.DISABLE_EVENTS=1
 quarkus.quinoa.build-dir=dist
 quarkus.quinoa.enable-spa-routing=true
diff --git a/src/test/java/io/cryostat/credentials/CredentialsIT.java b/src/test/java/io/cryostat/credentials/CredentialsIT.java
new file mode 100644
index 000000000..93adca0a8
--- /dev/null
+++ b/src/test/java/io/cryostat/credentials/CredentialsIT.java
@@ -0,0 +1,21 @@
+/*
+ * Copyright The Cryostat Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.cryostat.credentials;
+
+import io.quarkus.test.junit.QuarkusIntegrationTest;
+
+@QuarkusIntegrationTest
+public class CredentialsIT extends CredentialsTest {}
diff --git a/src/test/java/io/cryostat/credentials/CredentialsTest.java b/src/test/java/io/cryostat/credentials/CredentialsTest.java
new file mode 100644
index 000000000..dfa267dc4
--- /dev/null
+++ b/src/test/java/io/cryostat/credentials/CredentialsTest.java
@@ -0,0 +1,43 @@
+/*
+ * Copyright The Cryostat Authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package io.cryostat.credentials;
+
+import static io.cryostat.TestUtils.givenBasicAuth;
+
+import java.util.List;
+
+import io.quarkus.test.common.http.TestHTTPEndpoint;
+import io.quarkus.test.junit.QuarkusTest;
+import org.hamcrest.Matchers;
+import org.junit.jupiter.api.Test;
+
+@QuarkusTest
+@TestHTTPEndpoint(Credentials.class)
+public class CredentialsTest {
+
+ @Test
+ public void testHealth() {
+ givenBasicAuth()
+ .when()
+ .get()
+ .then()
+ .statusCode(200)
+ .body(
+ "meta.type", Matchers.equalTo("application/json"),
+ "meta.status", Matchers.equalTo("OK"),
+ "data.result", Matchers.equalTo(List.of()));
+ }
+}
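Review bot: `testHealth` does not test health: it issues an authenticated `GET` against the `Credentials` endpoint and asserts an empty `data.result`, so a name such as `testListEmpty` (or `testListReturnsEmptyWhenNoCredentials`) would describe what the `statusCode(200)`/`meta.status` checks actually pin. More to the point for a commit whose purpose is to enforce `PG_ENCRYPT_KEY`, nothing here stores or reads a credential, so the pgcrypto/`encrypt.key` path that the new dev-services configuration wires up is never exercised; a test that POSTs a credential, lists it back, and asserts the response carries the username but not the plaintext password would catch a regression in exactly the code this change is meant to protect. The unauthenticated case is also uncovered — assuming the endpoint requires basic auth, a request without `givenBasicAuth()` should be asserted to return 401 so that an accidental permit-all on this resource does not go unnoticed. A one-line Javadoc on the class stating that `CredentialsIT` re-runs these cases against the packaged artifact would explain why the subclass exists.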