Oracle TCPS Support

Signed-off-by: SajjadSadi074 <[email protected]>

Author: souravbiswassanto

go.mod

@@ -32,12 +32,12 @@ require (
 	github.com/sijms/go-ora/v2 v2.8.24
 	go.mongodb.org/mongo-driver v1.14.0
 	go.virtual-secrets.dev/apimachinery v0.0.1
-	k8s.io/api v0.32.3
-	k8s.io/apimachinery v0.32.3
+	k8s.io/api v0.32.8
+	k8s.io/apimachinery v0.32.8
 	k8s.io/klog/v2 v2.130.1
-	kmodules.xyz/client-go v0.32.7
-	kmodules.xyz/custom-resources v0.32.0
-	kubedb.dev/apimachinery v0.58.0
+	kmodules.xyz/client-go v0.32.9
+	kmodules.xyz/custom-resources v0.32.2
+	kubedb.dev/apimachinery v0.59.1-0.20251204132717-657fbb84a6dd
 	sigs.k8s.io/controller-runtime v0.20.4
 	xorm.io/xorm v1.3.9
 )
@@ -151,15 +151,15 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.32.3 // indirect
-	k8s.io/client-go v0.32.3 // indirect
+	k8s.io/apiextensions-apiserver v0.32.8 // indirect
+	k8s.io/client-go v0.32.8 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
 	kmodules.xyz/apiversion v0.2.0 // indirect
-	kmodules.xyz/monitoring-agent-api v0.32.1 // indirect
+	kmodules.xyz/monitoring-agent-api v0.32.4 // indirect
 	kmodules.xyz/offshoot-api v0.32.0 // indirect
 	kubeops.dev/operator-shard-manager v0.0.3 // indirect
-	kubeops.dev/petset v0.0.12 // indirect
+	kubeops.dev/petset v0.0.14 // indirect
 	kubeops.dev/sidekick v0.0.11 // indirect
 	modernc.org/memory v1.5.0 // indirect
 	modernc.org/token v1.1.0 // indirect

go.sum

@@ -526,14 +526,14 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.32.3 h1:Hw7KqxRusq+6QSplE3NYG4MBxZw1BZnq4aP4cJVINls=
-k8s.io/api v0.32.3/go.mod h1:2wEDTXADtm/HA7CCMD8D8bK4yuBUptzaRhYcYEEYA3k=
-k8s.io/apiextensions-apiserver v0.32.3 h1:4D8vy+9GWerlErCwVIbcQjsWunF9SUGNu7O7hiQTyPY=
-k8s.io/apiextensions-apiserver v0.32.3/go.mod h1:8YwcvVRMVzw0r1Stc7XfGAzB/SIVLunqApySV5V7Dss=
-k8s.io/apimachinery v0.32.3 h1:JmDuDarhDmA/Li7j3aPrwhpNBA94Nvk5zLeOge9HH1U=
-k8s.io/apimachinery v0.32.3/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/client-go v0.32.3 h1:RKPVltzopkSgHS7aS98QdscAgtgah/+zmpAogooIqVU=
-k8s.io/client-go v0.32.3/go.mod h1:3v0+3k4IcT9bXTc4V2rt+d2ZPPG700Xy6Oi0Gdl2PaY=
+k8s.io/api v0.32.8 h1:PhuKPnqsaXYuwmLXRLAmdDJ9EZ2R2kEbOZTq4UE3lGc=
+k8s.io/api v0.32.8/go.mod h1:gdRZQ4zXGawr9YrJ5OjTl7aR3TD0mTowtFsqFtpCDXo=
+k8s.io/apiextensions-apiserver v0.32.8 h1:iYIIaZmn/BMTwzGYRZnYZysaKB4t2TL3O+0yhmbXE2U=
+k8s.io/apiextensions-apiserver v0.32.8/go.mod h1:GTGskWgcBo/7boX33zcS8JY6vaG4s728AdbQPxtheVk=
+k8s.io/apimachinery v0.32.8 h1:95I+2jX71Tev+C+UlhNbmKfv+A/TQII42HLskiHZpBg=
+k8s.io/apimachinery v0.32.8/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/client-go v0.32.8 h1:BkSFWUtRz/BbE3DJF98KPg7ix6lwMnIQ9DnHw3iWiSw=
+k8s.io/client-go v0.32.8/go.mod h1:vGkCzRxZ7BuRX2zdW7+kOwCdcgOkq9omDWb26wk/sE0=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
@@ -542,20 +542,20 @@ k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJ
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 kmodules.xyz/apiversion v0.2.0 h1:vAQYqZFm4xu4pbB1cAdHbFEPES6EQkcR4wc06xdTOWk=
 kmodules.xyz/apiversion v0.2.0/go.mod h1:oPX8g8LvlPdPX3Yc5YvCzJHQnw3YF/X4/jdW0b1am80=
-kmodules.xyz/client-go v0.32.7 h1:vBAbp8vs4coYRhY4wqm1Hw/eBEDiVU238AyMLSoRJ1c=
-kmodules.xyz/client-go v0.32.7/go.mod h1:ZwLnc7UqEXUNSe43n/SnER6+7YAQCu38L2te6YefoHU=
-kmodules.xyz/custom-resources v0.32.0 h1:wzmJTtswO+OmvtqYc70pVoopZyt5UJHKTom4Jh6bfhM=
-kmodules.xyz/custom-resources v0.32.0/go.mod h1:aLFrfbUKS+AkKtxFYWpPGzuLNarRtGlkHwC07APHba8=
-kmodules.xyz/monitoring-agent-api v0.32.1 h1:F0cm5NJWfgiANw3eiKkXXSXoClMBpAolMXE/N7Xts74=
-kmodules.xyz/monitoring-agent-api v0.32.1/go.mod h1:zgRKiJcuK7FOHy0Y1TsONRbJfgnPCs8t4Zh/6Afr+yU=
+kmodules.xyz/client-go v0.32.9 h1:iZVhmTuMybHR7THGqnkbQdAJEOJCtZ9Ry9cY8TBvTJI=
+kmodules.xyz/client-go v0.32.9/go.mod h1:ZwLnc7UqEXUNSe43n/SnER6+7YAQCu38L2te6YefoHU=
+kmodules.xyz/custom-resources v0.32.2 h1:NkRqL/4AWHiXdT5WKFcJlBcvRuoNdeYIrBGvQIRJRn4=
+kmodules.xyz/custom-resources v0.32.2/go.mod h1:YKFNcsFQU7Z3AcPvYVCdFtgAdWiG1Wd1HQMOxCrAoWc=
+kmodules.xyz/monitoring-agent-api v0.32.4 h1:JGm2bvHfAXHAf7EKjFrNDG3f7+QFpYV2Mvgj3RDVRhw=
+kmodules.xyz/monitoring-agent-api v0.32.4/go.mod h1:NkCiNP05EWrsjTTU2Npova/Sm27+I8vwUXqXVCmBbQ4=
 kmodules.xyz/offshoot-api v0.32.0 h1:gogc5scSZe2JoXtZof72UGRl3Tit0kFaFRMkLLT1D8o=
 kmodules.xyz/offshoot-api v0.32.0/go.mod h1:tled7OxYZ3SkUJcrVFVVYyd+zXjsRSEm1R6Q3k4gcx0=
-kubedb.dev/apimachinery v0.58.0 h1:bsDqWcYsfjbZ6Ca4PyXbKr7jj3dhzzlPBS5NfQ9CD+I=
-kubedb.dev/apimachinery v0.58.0/go.mod h1:t6BwVURkvyLKpx7teRZ20hBkjAgF8JB1CCLSjBbbPqo=
+kubedb.dev/apimachinery v0.59.1-0.20251204132717-657fbb84a6dd h1:AUYMIXpbpV3VqxKa63Wy4czifZy7VDWcUoQArZ3a11A=
+kubedb.dev/apimachinery v0.59.1-0.20251204132717-657fbb84a6dd/go.mod h1:8zu7zUBEd2PQsI0JZJFmxzglf63zxbwlAJIJlY77UqM=
 kubeops.dev/operator-shard-manager v0.0.3 h1:Z2YOAfyQIjvHMwT4O56lR0l9z25s2tCVDO22u/XuYnw=
 kubeops.dev/operator-shard-manager v0.0.3/go.mod h1:2oRq5vnCaUxzE+qIiRuzB34PlqahiynE+sYqWu6AMIY=
-kubeops.dev/petset v0.0.12 h1:NSFEeuckBVm44f3cAL4HhcQWvnfOE4qgbfug7+FEyaY=
-kubeops.dev/petset v0.0.12/go.mod h1:akG9QH1JaOZQcuQKEKWvkVWI8P3im/5O554aTRvB6Y0=
+kubeops.dev/petset v0.0.14 h1:Lk3prjtm5AgR44qr2SX8elx6sF9PK1G0GYlv8AZd9OY=
+kubeops.dev/petset v0.0.14/go.mod h1:X10jcvIjjP9HIa8ezh9PjtaXvFfk2zT+JmmO/S+7uhA=
 kubeops.dev/sidekick v0.0.11 h1:OydXdIH6cYSiWxKIWvrywk95WhhHSERkc7RNPOmTekc=
 kubeops.dev/sidekick v0.0.11/go.mod h1:90KMNmJOPoMKHbrdC1cpEsMx+1KjTea/lHDAbGRDzHc=
 lukechampine.com/uint128 v1.2.0 h1:mBi/5l91vocEN8otkC5bDLhi2KdCticRiwbdB0O+rjI=

oracle/kubedb_client_builder.go

@@ -2,14 +2,18 @@ package postgres
 
 import (
 	"context"
+	"crypto/tls"
 	"database/sql"
 	"fmt"
+	"net/url"
+	"os"
+	"path/filepath"
 
 	olddbapi "kubedb.dev/apimachinery/apis/kubedb/v1alpha2"
 	apiutils "kubedb.dev/apimachinery/pkg/utils"
 
 	"github.com/pkg/errors"
-	_ "github.com/sijms/go-ora/v2" // Oracle driver
+	go_ora "github.com/sijms/go-ora/v2"
 	core "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -21,6 +25,7 @@ type OracleClientBuilder struct {
 	port    int32
 	service string
 	ctx     context.Context
+	wallet  string
 }
 
 func NewOracleClientBuilder(kc client.Client, db *olddbapi.Oracle) *OracleClientBuilder {
@@ -50,6 +55,11 @@ func (o *OracleClientBuilder) WithContext(ctx context.Context) *OracleClientBuil
 	return o
 }
 
+func (o *OracleClientBuilder) WithWallet(wallet string) *OracleClientBuilder {
+	o.wallet = wallet
+	return o
+}
+
 func (o *OracleClientBuilder) GetOracleClient() (*sql.DB, error) {
 	if o.ctx == nil {
 		o.ctx = context.Background()
@@ -60,6 +70,7 @@ func (o *OracleClientBuilder) GetOracleClient() (*sql.DB, error) {
 		return nil, err
 	}
 
+	// Fallback to standard connection (with wallet if configured)
 	db, err := sql.Open("oracle", connStr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open Oracle connection: %v", err)
@@ -83,16 +94,69 @@ func (o *OracleClientBuilder) getConnectionString() (string, error) {
 		return "", fmt.Errorf("failed to get auth credentials for Oracle %s/%s: %v", o.db.Namespace, o.db.Name, err)
 	}
 
-	url := o.url
-	if url == "" {
-		url = PrimaryServiceDNS(o.db)
+	serverURL := o.url
+	if serverURL == "" {
+		serverURL = PrimaryServiceDNS(o.db)
 	}
 	// Use the provided URL (e.g., service DNS)
-	host := fmt.Sprintf("%v:%v/%v", url, o.port, o.service)
+	host := fmt.Sprintf("%v:%v/%v", serverURL, o.port, o.service)
 
 	// Construct basic connection string
-	connStr := fmt.Sprintf("oracle://%s:%s@%s", user, pass, host)
+	connStr := ""
+
+	if o.db.Spec.TCPSConfig != nil && o.db.Spec.TCPSConfig.TLS != nil {
+		// Constract connection string with wallet
+		dbname := o.db.Name
+		dstDir := o.wallet
+		if dstDir == "" {
+			dstDir = fmt.Sprintf("/tmp/%s/.tls-wallet", dbname)
+
+			if err := os.MkdirAll(dstDir, 0o755); err != nil {
+				fmt.Printf("[ERROR] Failed to create wallet directory: %v\n", err)
+			}
+
+			// Read the TLS secret from Kubernetes
+			var tlsSecret core.Secret
+			secretName := o.db.Name + "-tls-wallet"
+			if err := o.kc.Get(o.ctx, client.ObjectKey{Namespace: o.db.Namespace, Name: secretName}, &tlsSecret); err != nil {
+				return "", fmt.Errorf("failed to get TLS secret %s: %v", secretName, err)
+			}
+
+			// Extract and save all files in the secret data
+			for filename, data := range tlsSecret.Data {
+				filePath := filepath.Join(dstDir, filename)
+				if err := os.WriteFile(filePath, data, 0o600); err != nil {
+					return "", fmt.Errorf("failed to write wallet file %s: %v", filename, err)
+				}
+			}
+
+		}
+
+		// Get service name from database spec
+		service := "ORCL"
+		if o.db.Spec.Listener != nil && o.db.Spec.Listener.Service != nil {
+			service = *o.db.Spec.Listener.Service
+		}
+
+		// Build connection string with SSL enabled
+		baseURL := go_ora.BuildUrl(serverURL, int(o.port), service, user, pass, nil)
 
+		// Add SSL parameters with proper URL encoding
+		params := url.Values{}
+		params.Add("SSL", "true")
+		params.Add("SSL VERIFY", "false")
+		params.Add("WALLET", dstDir)
+		params.Add("WALLET PASSWORD", pass)
+
+		// Build final connection string with parameters
+		connStr = baseURL + "?" + params.Encode()
+		for _, fname := range []string{"cwallet.sso", "ewallet.p12", "server.p12"} {
+			filepath.Join(dstDir, fname)
+		}
+	} else {
+		// Construct basic connection string without wallet
+		connStr = fmt.Sprintf("oracle://%s:%s@%s", user, pass, host)
+	}
 	return connStr, nil
 }
 
@@ -115,6 +179,23 @@ func (o *OracleClientBuilder) getOracleAuthCredentials() (string, string, error)
 	return username, password, nil
 }
 
+// getTLSConfig creates a TLS configuration without client certificates
+// Since SSL_CLIENT_AUTHENTICATION = FALSE on the server, we don't need client certs
+func (o *OracleClientBuilder) getTLSConfig() (*tls.Config, error) {
+	// Create a basic TLS config that accepts any server certificate
+	// Match Oracle server's configuration:
+	// - SSL_VERSION = 1.2
+	// - SSL_CLIENT_AUTHENTICATION = FALSE
+	tlsConfig := &tls.Config{
+		InsecureSkipVerify: true, // Accept server's self-signed certificate
+		MinVersion:         tls.VersionTLS12,
+		MaxVersion:         tls.VersionTLS12,
+		// Let Go negotiate cipher suites - it will use compatible RSA+AES ciphers
+	}
+
+	return tlsConfig, nil
+}
+
 // PrimaryServiceDNS make primary host dns with require template
 func PrimaryServiceDNS(db *olddbapi.Oracle) string {
 	return fmt.Sprintf("%v.%v.svc.%s", db.ServiceName(), db.Namespace, apiutils.FindDomain())

vendor/kmodules.xyz/client-go/Makefile

@@ -58,7 +58,7 @@ ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
 BASEIMAGE_PROD   ?= gcr.io/distroless/static-debian12
 BASEIMAGE_DBG    ?= debian:12
 
-GO_VERSION       ?= 1.24
+GO_VERSION       ?= 1.25
 BUILD_IMAGE      ?= ghcr.io/appscode/golang-dev:$(GO_VERSION)
 
 OUTBIN = bin/$(OS)_$(ARCH)/$(BIN)

vendor/kmodules.xyz/client-go/api/v1/cluster_enum.go

@@ -68,7 +68,7 @@ type AppBindingSpec struct {
 
 	// Secret is the name of the secret to create in the AppBinding's
 	// namespace that will hold the credentials associated with the AppBinding.
-	Secret *core.LocalObjectReference `json:"secret,omitempty"`
+	Secret *TypedLocalObjectReference `json:"secret,omitempty"`
 
 	// List of transformations that should be applied to the credentials
 	// associated with the ServiceBinding before they are inserted into the Secret.
@@ -90,7 +90,7 @@ type AppBindingSpec struct {
 
 	// TLSSecret is the name of the secret that will hold
 	// the client certificate and private key associated with the AppBinding.
-	TLSSecret *core.LocalObjectReference `json:"tlsSecret,omitempty"`
+	TLSSecret *TypedLocalObjectReference `json:"tlsSecret,omitempty"`
 }
 
 type AppType string
@@ -175,6 +175,21 @@ type ServiceReference struct {
 	Query string `json:"query,omitempty"`
 }
 
+// +structType=atomic
+type TypedLocalObjectReference struct {
+	// APIGroup is the group for the resource being referenced.
+	// If APIGroup is not specified, the specified Kind must be in the core API group.
+	// For any other third-party types, APIGroup is required.
+	// +optional
+	// +kubebuilder:default=""
+	APIGroup string `json:"apiGroup"`
+	// Kind is the type of resource being referenced
+	// +kubebuilder:default="Secret"
+	Kind string `json:"kind"`
+	// Name is the name of resource being referenced
+	Name string `json:"name"`
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // AppBindingList is a list of Apps