tls provider updated, added self signed cert generation. updated new providers. And old database instance id system will be implemented soon

Author: hasirciogluhq

.DS_Store

@@ -1,9 +1,9 @@
 package core
 
 import (
-"context"
-"crypto/tls"
-"net"
+	"context"
+	"crypto/tls"
+	"net"
 )
 
 // RoutingMetadata contains information extracted from the protocol handshake
@@ -31,4 +31,5 @@ type ProtocolHandler interface {
 // It abstracts away the storage mechanism (K8s Secret, File, Vault, etc.).
 type TLSProvider interface {
 	GetCertificate(ctx context.Context) (*tls.Certificate, error)
+	Store(ctx context.Context, certPEM, keyPEM []byte) error
 }

cmd/proxy/internal/core/types.go

@@ -1,15 +1,15 @@
 package kubernetes
 
 import (
-"context"
-"fmt"
-"time"
-
-"github.com/hasirciogluhq/xdatabase-proxy/cmd/proxy/internal/core"
-corev1 "k8s.io/api/core/v1"
-"k8s.io/client-go/informers"
-"k8s.io/client-go/kubernetes"
-"k8s.io/client-go/tools/cache"
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/hasirciogluhq/xdatabase-proxy/cmd/proxy/internal/core"
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/informers"
+	"k8s.io/client-go/kubernetes"
+	"k8s.io/client-go/tools/cache"
 )
 
 type K8sResolver struct {

cmd/proxy/internal/discovery/kubernetes/resolver.go

@@ -1,18 +1,18 @@
 package kubernetes
 
 import (
-"context"
-"crypto/tls"
-"fmt"
+	"context"
+	"crypto/tls"
+	"fmt"
 
-corev1 "k8s.io/api/core/v1"
-metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-"k8s.io/client-go/kubernetes"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/kubernetes"
 )
 
 type K8sTLSProvider struct {
-	clientset *kubernetes.Clientset
-	namespace string
+	clientset  *kubernetes.Clientset
+	namespace  string
 	secretName string
 }
 
@@ -46,3 +46,26 @@ func (p *K8sTLSProvider) GetCertificate(ctx context.Context) (*tls.Certificate,
 
 	return &cert, nil
 }
+
+func (p *K8sTLSProvider) Store(ctx context.Context, certPEM, keyPEM []byte) error {
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      p.secretName,
+			Namespace: p.namespace,
+		},
+		Type: corev1.SecretTypeTLS,
+		Data: map[string][]byte{
+			corev1.TLSCertKey:       certPEM,
+			corev1.TLSPrivateKeyKey: keyPEM,
+		},
+	}
+
+	_, err := p.clientset.CoreV1().Secrets(p.namespace).Create(ctx, secret, metav1.CreateOptions{})
+	if err != nil {
+		// If it already exists, update it
+		if _, updateErr := p.clientset.CoreV1().Secrets(p.namespace).Update(ctx, secret, metav1.UpdateOptions{}); updateErr != nil {
+			return fmt.Errorf("failed to create or update secret %s/%s: %v (create err: %v)", p.namespace, p.secretName, updateErr, err)
+		}
+	}
+	return nil
+}

cmd/proxy/internal/discovery/kubernetes/tls.go

@@ -0,0 +1,38 @@
+package memory
+
+import (
+	"context"
+	"crypto/tls"
+	"os"
+	"sync"
+)
+
+// MemoryTLSProvider is a simple in-memory implementation for development
+type MemoryTLSProvider struct {
+	cert *tls.Certificate
+	mu   sync.RWMutex
+}
+
+func NewMemoryTLSProvider() *MemoryTLSProvider {
+	return &MemoryTLSProvider{}
+}
+
+func (p *MemoryTLSProvider) GetCertificate(ctx context.Context) (*tls.Certificate, error) {
+	p.mu.RLock()
+	defer p.mu.RUnlock()
+	if p.cert == nil {
+		return nil, os.ErrNotExist
+	}
+	return p.cert, nil
+}
+
+func (p *MemoryTLSProvider) Store(ctx context.Context, certPEM, keyPEM []byte) error {
+	p.mu.Lock()
+	defer p.mu.Unlock()
+	cert, err := tls.X509KeyPair(certPEM, keyPEM)
+	if err != nil {
+		return err
+	}
+	p.cert = &cert
+	return nil
+}

cmd/proxy/internal/discovery/memory/tls.go

@@ -1,9 +1,10 @@
 package filesystem
 
 import (
-"context"
-"crypto/tls"
-"fmt"
+	"context"
+	"crypto/tls"
+	"fmt"
+	"os"
 )
 
 type FileTLSProvider struct {
@@ -25,3 +26,13 @@ func (p *FileTLSProvider) GetCertificate(ctx context.Context) (*tls.Certificate,
 	}
 	return &cert, nil
 }
+
+func (p *FileTLSProvider) Store(ctx context.Context, certPEM, keyPEM []byte) error {
+	if err := os.WriteFile(p.CertFile, certPEM, 0644); err != nil {
+		return fmt.Errorf("failed to write cert file: %w", err)
+	}
+	if err := os.WriteFile(p.KeyFile, keyPEM, 0600); err != nil {
+		return fmt.Errorf("failed to write key file: %w", err)
+	}
+	return nil
+}

cmd/proxy/internal/storage/filesystem/tls.go

@@ -0,0 +1,43 @@
+package utils
+
+import (
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"math/big"
+	"time"
+)
+
+// GenerateSelfSignedCert generates a self-signed certificate and private key.
+// It returns the PEM-encoded certificate and private key bytes.
+func GenerateSelfSignedCert() ([]byte, []byte, error) {
+	priv, err := rsa.GenerateKey(rand.Reader, 2048)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	template := x509.Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject: pkix.Name{
+			Organization: []string{"xdatabase-proxy"},
+		},
+		NotBefore: time.Now(),
+		NotAfter:  time.Now().Add(time.Hour * 24 * 365),
+
+		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+		BasicConstraintsValid: true,
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+	if err != nil {
+		return nil, nil, err
+	}
+
+	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
+	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
+
+	return certPEM, keyPEM, nil
+}

cmd/proxy/internal/utils/cert.go

@@ -2,24 +2,18 @@ package main
 
 import (
 	"context"
-	"crypto/rand"
-	"crypto/rsa"
 	"crypto/tls"
-	"crypto/x509"
-	"crypto/x509/pkix"
-	"encoding/pem"
 	"log"
-	"math/big"
 	"net"
 	"os"
-	"time"
 
 	"github.com/hasirciogluhq/xdatabase-proxy/cmd/proxy/internal/api"
 	"github.com/hasirciogluhq/xdatabase-proxy/cmd/proxy/internal/core"
 	"github.com/hasirciogluhq/xdatabase-proxy/cmd/proxy/internal/discovery/kubernetes"
 	"github.com/hasirciogluhq/xdatabase-proxy/cmd/proxy/internal/discovery/memory"
 	"github.com/hasirciogluhq/xdatabase-proxy/cmd/proxy/internal/protocol/postgresql"
 	"github.com/hasirciogluhq/xdatabase-proxy/cmd/proxy/internal/storage/filesystem"
+	"github.com/hasirciogluhq/xdatabase-proxy/cmd/proxy/internal/utils"
 
 	k8s "k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/tools/clientcmd"
@@ -115,13 +109,21 @@ func main() {
 		log.Printf("Using Kubernetes TLS provider (secret: %s/%s)", namespace, secretName)
 		tlsProvider = kubernetes.NewK8sTLSProvider(clientset, namespace, secretName)
 	} else {
-		// Priority 3: Self-Signed (Development/Default)
-		log.Println("Using Self-Signed Memory TLS provider (Development Mode)")
-		cert, err := generateSelfSignedCert()
+		log.Println("Using Memory TLS provider (Default)")
+		tlsProvider = memory.NewMemoryTLSProvider()
+	}
+
+	// Check if we should generate and store a self-signed certificate
+	if os.Getenv("TLS_ENABLE_SELF_SIGNED") == "true" {
+		log.Println("TLS_ENABLE_SELF_SIGNED is true. Generating and storing self-signed certificate...")
+		certPEM, keyPEM, err := utils.GenerateSelfSignedCert()
 		if err != nil {
 			log.Fatalf("Failed to generate self-signed cert: %v", err)
 		}
-		tlsProvider = &memoryTLSProvider{cert: &cert}
+
+		if err := tlsProvider.Store(context.Background(), certPEM, keyPEM); err != nil {
+			log.Fatalf("Failed to store self-signed cert: %v", err)
+		}
 	}
 
 	// Load initial certificate
@@ -162,42 +164,3 @@ func main() {
 		log.Fatalf("Server error: %v", err)
 	}
 }
-
-// memoryTLSProvider is a simple in-memory implementation for development
-type memoryTLSProvider struct {
-	cert *tls.Certificate
-}
-
-func (p *memoryTLSProvider) GetCertificate(ctx context.Context) (*tls.Certificate, error) {
-	return p.cert, nil
-}
-
-func generateSelfSignedCert() (tls.Certificate, error) {
-	priv, err := rsa.GenerateKey(rand.Reader, 2048)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-
-	template := x509.Certificate{
-		SerialNumber: big.NewInt(1),
-		Subject: pkix.Name{
-			Organization: []string{"xdatabase-proxy"},
-		},
-		NotBefore: time.Now(),
-		NotAfter:  time.Now().Add(time.Hour * 24 * 365),
-
-		KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
-		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
-		BasicConstraintsValid: true,
-	}
-
-	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
-	if err != nil {
-		return tls.Certificate{}, err
-	}
-
-	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
-	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
-
-	return tls.X509KeyPair(certPEM, keyPEM)
-}

cmd/proxy/main.go

@@ -1 +1 @@
-POSTGRESQL_PROXY_ENABLED=true STATIC_BACKENDS=dblocal=localhost:5432 TLS_CERT_FILE=./tls.cert TLS_KEY_FILE=./tls.key POSTGRESQL_PROXY_START_PORT=7878 go run ./cmd/proxy/main.go
+POSTGRESQL_PROXY_ENABLED=true STATIC_BACKENDS=dblocal=localhost:5432 TLS_CERT_FILE=./tls.cert TLS_KEY_FILE=./tls.key POSTGRESQL_PROXY_START_PORT=7878 TLS_ENABLE_SELF_SIGNED=true go run ./cmd/proxy/main.go