oracle tls complete after review

go.mod

@@ -34,13 +34,13 @@ require (
 	go.mongodb.org/mongo-driver v1.14.0
 	go.virtual-secrets.dev/apimachinery v0.0.1
 	gomodules.xyz/pointer v0.1.0
-	k8s.io/api v0.32.3
-	k8s.io/apimachinery v0.32.3
-	k8s.io/client-go v0.32.3
+	k8s.io/api v0.32.8
+	k8s.io/apimachinery v0.32.8
+	k8s.io/client-go v0.32.8
 	k8s.io/klog/v2 v2.130.1
-	kmodules.xyz/client-go v0.32.7
+	kmodules.xyz/client-go v0.32.9
 	kmodules.xyz/custom-resources v0.32.2
-	kubedb.dev/apimachinery v0.59.0
+	kubedb.dev/apimachinery v0.59.1-0.20251204132717-657fbb84a6dd
 	sigs.k8s.io/controller-runtime v0.20.4
 	xorm.io/xorm v1.3.9
 )
@@ -161,17 +161,17 @@ require (
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	k8s.io/apiextensions-apiserver v0.32.3 // indirect
+	k8s.io/apiextensions-apiserver v0.32.8 // indirect
 	k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff // indirect
 	k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
 	kmodules.xyz/apiversion v0.2.0 // indirect
-	kmodules.xyz/monitoring-agent-api v0.32.1 // indirect
+	kmodules.xyz/monitoring-agent-api v0.32.4 // indirect
 	kmodules.xyz/objectstore-api v0.32.0 // indirect
 	kmodules.xyz/offshoot-api v0.32.0 // indirect
 	kmodules.xyz/prober v0.32.0 // indirect
 	kmodules.xyz/resource-metadata v0.32.1 // indirect
 	kubeops.dev/operator-shard-manager v0.0.3 // indirect
-	kubeops.dev/petset v0.0.12 // indirect
+	kubeops.dev/petset v0.0.14 // indirect
 	kubeops.dev/sidekick v0.0.11 // indirect
 	kubestash.dev/apimachinery v0.21.0 // indirect
 	modernc.org/memory v1.5.0 // indirect

go.sum

@@ -546,14 +546,14 @@ gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C
 gopkg.in/yaml.v3 v3.0.0/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
-k8s.io/api v0.32.3 h1:Hw7KqxRusq+6QSplE3NYG4MBxZw1BZnq4aP4cJVINls=
-k8s.io/api v0.32.3/go.mod h1:2wEDTXADtm/HA7CCMD8D8bK4yuBUptzaRhYcYEEYA3k=
-k8s.io/apiextensions-apiserver v0.32.3 h1:4D8vy+9GWerlErCwVIbcQjsWunF9SUGNu7O7hiQTyPY=
-k8s.io/apiextensions-apiserver v0.32.3/go.mod h1:8YwcvVRMVzw0r1Stc7XfGAzB/SIVLunqApySV5V7Dss=
-k8s.io/apimachinery v0.32.3 h1:JmDuDarhDmA/Li7j3aPrwhpNBA94Nvk5zLeOge9HH1U=
-k8s.io/apimachinery v0.32.3/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
-k8s.io/client-go v0.32.3 h1:RKPVltzopkSgHS7aS98QdscAgtgah/+zmpAogooIqVU=
-k8s.io/client-go v0.32.3/go.mod h1:3v0+3k4IcT9bXTc4V2rt+d2ZPPG700Xy6Oi0Gdl2PaY=
+k8s.io/api v0.32.8 h1:PhuKPnqsaXYuwmLXRLAmdDJ9EZ2R2kEbOZTq4UE3lGc=
+k8s.io/api v0.32.8/go.mod h1:gdRZQ4zXGawr9YrJ5OjTl7aR3TD0mTowtFsqFtpCDXo=
+k8s.io/apiextensions-apiserver v0.32.8 h1:iYIIaZmn/BMTwzGYRZnYZysaKB4t2TL3O+0yhmbXE2U=
+k8s.io/apiextensions-apiserver v0.32.8/go.mod h1:GTGskWgcBo/7boX33zcS8JY6vaG4s728AdbQPxtheVk=
+k8s.io/apimachinery v0.32.8 h1:95I+2jX71Tev+C+UlhNbmKfv+A/TQII42HLskiHZpBg=
+k8s.io/apimachinery v0.32.8/go.mod h1:GpHVgxoKlTxClKcteaeuF1Ul/lDVb74KpZcxcmLDElE=
+k8s.io/client-go v0.32.8 h1:BkSFWUtRz/BbE3DJF98KPg7ix6lwMnIQ9DnHw3iWiSw=
+k8s.io/client-go v0.32.8/go.mod h1:vGkCzRxZ7BuRX2zdW7+kOwCdcgOkq9omDWb26wk/sE0=
 k8s.io/klog/v2 v2.130.1 h1:n9Xl7H1Xvksem4KFG4PYbdQCQxqc/tTUyrgXaOhHSzk=
 k8s.io/klog/v2 v2.130.1/go.mod h1:3Jpz1GvMt720eyJH1ckRHK1EDfpxISzJ7I9OYgaDtPE=
 k8s.io/kube-openapi v0.0.0-20250318190949-c8a335a9a2ff h1:/usPimJzUKKu+m+TE36gUyGcf03XZEP0ZIKgKj35LS4=
@@ -562,12 +562,12 @@ k8s.io/utils v0.0.0-20241210054802-24370beab758 h1:sdbE21q2nlQtFh65saZY+rRM6x6aJ
 k8s.io/utils v0.0.0-20241210054802-24370beab758/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0=
 kmodules.xyz/apiversion v0.2.0 h1:vAQYqZFm4xu4pbB1cAdHbFEPES6EQkcR4wc06xdTOWk=
 kmodules.xyz/apiversion v0.2.0/go.mod h1:oPX8g8LvlPdPX3Yc5YvCzJHQnw3YF/X4/jdW0b1am80=
-kmodules.xyz/client-go v0.32.7 h1:vBAbp8vs4coYRhY4wqm1Hw/eBEDiVU238AyMLSoRJ1c=
-kmodules.xyz/client-go v0.32.7/go.mod h1:ZwLnc7UqEXUNSe43n/SnER6+7YAQCu38L2te6YefoHU=
+kmodules.xyz/client-go v0.32.9 h1:iZVhmTuMybHR7THGqnkbQdAJEOJCtZ9Ry9cY8TBvTJI=
+kmodules.xyz/client-go v0.32.9/go.mod h1:ZwLnc7UqEXUNSe43n/SnER6+7YAQCu38L2te6YefoHU=
 kmodules.xyz/custom-resources v0.32.2 h1:NkRqL/4AWHiXdT5WKFcJlBcvRuoNdeYIrBGvQIRJRn4=
 kmodules.xyz/custom-resources v0.32.2/go.mod h1:YKFNcsFQU7Z3AcPvYVCdFtgAdWiG1Wd1HQMOxCrAoWc=
-kmodules.xyz/monitoring-agent-api v0.32.1 h1:F0cm5NJWfgiANw3eiKkXXSXoClMBpAolMXE/N7Xts74=
-kmodules.xyz/monitoring-agent-api v0.32.1/go.mod h1:zgRKiJcuK7FOHy0Y1TsONRbJfgnPCs8t4Zh/6Afr+yU=
+kmodules.xyz/monitoring-agent-api v0.32.4 h1:JGm2bvHfAXHAf7EKjFrNDG3f7+QFpYV2Mvgj3RDVRhw=
+kmodules.xyz/monitoring-agent-api v0.32.4/go.mod h1:NkCiNP05EWrsjTTU2Npova/Sm27+I8vwUXqXVCmBbQ4=
 kmodules.xyz/objectstore-api v0.32.0 h1:A45lWKNb+02fJV1Mo4IDIpC1hWvLh/wuHKErovxKmQw=
 kmodules.xyz/objectstore-api v0.32.0/go.mod h1:N2SXdUU+YjXwG64UATYg+OoFYQ+p2MhX8B5TTKBeTf8=
 kmodules.xyz/offshoot-api v0.32.0 h1:gogc5scSZe2JoXtZof72UGRl3Tit0kFaFRMkLLT1D8o=
@@ -576,12 +576,12 @@ kmodules.xyz/prober v0.32.0 h1:8Z6pFRAu8kP0wwX2BooPCRy2SE6ZkUMHQmZDH5VUEGY=
 kmodules.xyz/prober v0.32.0/go.mod h1:h0fH4m9DaIwuNZq85zOlWUvBycyy4LvCPMUUhpS3iSE=
 kmodules.xyz/resource-metadata v0.32.1 h1:hWQbL0Xb+GaF7qn+rY0CNh7FUfKZw29VBUKTxjHFGYI=
 kmodules.xyz/resource-metadata v0.32.1/go.mod h1:wHC24BVzKb1gzkDCSI5l9CXK4AKD5gMamxEqVys50lI=
-kubedb.dev/apimachinery v0.59.0 h1:6daQ4dS6xayoyaZ67N5NXxOD1wH4H7v5JKPSwjPDbAk=
-kubedb.dev/apimachinery v0.59.0/go.mod h1:cdAy0z4ED/iunIQprmaB4yCSxgBkFaT5fcOT/ogxl0Q=
+kubedb.dev/apimachinery v0.59.1-0.20251204132717-657fbb84a6dd h1:AUYMIXpbpV3VqxKa63Wy4czifZy7VDWcUoQArZ3a11A=
+kubedb.dev/apimachinery v0.59.1-0.20251204132717-657fbb84a6dd/go.mod h1:8zu7zUBEd2PQsI0JZJFmxzglf63zxbwlAJIJlY77UqM=
 kubeops.dev/operator-shard-manager v0.0.3 h1:Z2YOAfyQIjvHMwT4O56lR0l9z25s2tCVDO22u/XuYnw=
 kubeops.dev/operator-shard-manager v0.0.3/go.mod h1:2oRq5vnCaUxzE+qIiRuzB34PlqahiynE+sYqWu6AMIY=
-kubeops.dev/petset v0.0.12 h1:NSFEeuckBVm44f3cAL4HhcQWvnfOE4qgbfug7+FEyaY=
-kubeops.dev/petset v0.0.12/go.mod h1:akG9QH1JaOZQcuQKEKWvkVWI8P3im/5O554aTRvB6Y0=
+kubeops.dev/petset v0.0.14 h1:Lk3prjtm5AgR44qr2SX8elx6sF9PK1G0GYlv8AZd9OY=
+kubeops.dev/petset v0.0.14/go.mod h1:X10jcvIjjP9HIa8ezh9PjtaXvFfk2zT+JmmO/S+7uhA=
 kubeops.dev/sidekick v0.0.11 h1:OydXdIH6cYSiWxKIWvrywk95WhhHSERkc7RNPOmTekc=
 kubeops.dev/sidekick v0.0.11/go.mod h1:90KMNmJOPoMKHbrdC1cpEsMx+1KjTea/lHDAbGRDzHc=
 kubestash.dev/apimachinery v0.21.0 h1:2qHROfY6RdxNjoEPm2yzQOuaqKlIeEMEn7bP+a/xezQ=

oracle/kubedb_client_builder.go

@@ -20,12 +20,15 @@ import (
 	"context"
 	"database/sql"
 	"fmt"
+	"net/url"
+	"os"
+	"path/filepath"
 
 	olddbapi "kubedb.dev/apimachinery/apis/kubedb/v1alpha2"
 	apiutils "kubedb.dev/apimachinery/pkg/utils"
 
 	"github.com/pkg/errors"
-	_ "github.com/sijms/go-ora/v2" // Oracle driver
+	go_ora "github.com/sijms/go-ora/v2"
 	core "k8s.io/api/core/v1"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 )
@@ -37,6 +40,7 @@ type OracleClientBuilder struct {
 	port    int32
 	service string
 	ctx     context.Context
+	wallet  string
 }
 
 func NewOracleClientBuilder(kc client.Client, db *olddbapi.Oracle) *OracleClientBuilder {
@@ -66,6 +70,11 @@ func (o *OracleClientBuilder) WithContext(ctx context.Context) *OracleClientBuil
 	return o
 }
 
+func (o *OracleClientBuilder) WithWallet(wallet string) *OracleClientBuilder {
+	o.wallet = wallet
+	return o
+}
+
 func (o *OracleClientBuilder) GetOracleClient() (*sql.DB, error) {
 	if o.ctx == nil {
 		o.ctx = context.Background()
@@ -76,6 +85,7 @@ func (o *OracleClientBuilder) GetOracleClient() (*sql.DB, error) {
 		return nil, err
 	}
 
+	// Fallback to standard connection (with wallet if configured)
 	db, err := sql.Open("oracle", connStr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to open Oracle connection: %v", err)
@@ -99,16 +109,69 @@ func (o *OracleClientBuilder) getConnectionString() (string, error) {
 		return "", fmt.Errorf("failed to get auth credentials for Oracle %s/%s: %v", o.db.Namespace, o.db.Name, err)
 	}
 
-	url := o.url
-	if url == "" {
-		url = PrimaryServiceDNS(o.db)
+	serverURL := o.url
+	if serverURL == "" {
+		serverURL = PrimaryServiceDNS(o.db)
 	}
 	// Use the provided URL (e.g., service DNS)
-	host := fmt.Sprintf("%v:%v/%v", url, o.port, o.service)
+	host := fmt.Sprintf("%v:%v/%v", serverURL, o.port, o.service)
 
 	// Construct basic connection string
-	connStr := fmt.Sprintf("oracle://%s:%s@%s", user, pass, host)
+	connStr := ""
+
+	if o.db.Spec.TCPSConfig != nil && o.db.Spec.TCPSConfig.TLS != nil {
+		// Constract connection string with wallet
+		dbname := o.db.Name
+		dstDir := o.wallet
+		if dstDir == "" {
+			dstDir = fmt.Sprintf("/tmp/%s/.tls-wallet", dbname)
+
+			if err := os.MkdirAll(dstDir, 0o755); err != nil {
+				fmt.Printf("[ERROR] Failed to create wallet directory: %v\n", err)
+			}
+
+			// Read the TLS secret from Kubernetes
+			var tlsSecret core.Secret
+			secretName := o.db.Name + "-tls-wallet"
+			if err := o.kc.Get(o.ctx, client.ObjectKey{Namespace: o.db.Namespace, Name: secretName}, &tlsSecret); err != nil {
+				return "", fmt.Errorf("failed to get TLS secret %s: %v", secretName, err)
+			}
+
+			// Extract and save all files in the secret data
+			for filename, data := range tlsSecret.Data {
+				filePath := filepath.Join(dstDir, filename)
+				if err := os.WriteFile(filePath, data, 0o600); err != nil {
+					return "", fmt.Errorf("failed to write wallet file %s: %v", filename, err)
+				}
+			}
 
+		}
+
+		// Get service name from database spec
+		service := "ORCL"
+		if o.db.Spec.Listener != nil && o.db.Spec.Listener.Service != nil {
+			service = *o.db.Spec.Listener.Service
+		}
+
+		// Build connection string with SSL enabled
+		baseURL := go_ora.BuildUrl(serverURL, int(o.port), service, user, pass, nil)
+
+		// Add SSL parameters with proper URL encoding
+		params := url.Values{}
+		params.Add("SSL", "true")
+		params.Add("SSL VERIFY", "false")
+		params.Add("WALLET", dstDir)
+		params.Add("WALLET PASSWORD", pass)
+
+		// Build final connection string with parameters
+		connStr = baseURL + "?" + params.Encode()
+		for _, fname := range []string{"cwallet.sso", "ewallet.p12", "server.p12"} {
+			filepath.Join(dstDir, fname)
+		}
+	} else {
+		// Construct basic connection string without wallet
+		connStr = fmt.Sprintf("oracle://%s:%s@%s", user, pass, host)
+	}
 	return connStr, nil
 }
 

vendor/kmodules.xyz/client-go/Makefile

@@ -58,7 +58,7 @@ ARCH := $(if $(GOARCH),$(GOARCH),$(shell go env GOARCH))
 BASEIMAGE_PROD   ?= gcr.io/distroless/static-debian12
 BASEIMAGE_DBG    ?= debian:12
 
-GO_VERSION       ?= 1.24
+GO_VERSION       ?= 1.25
 BUILD_IMAGE      ?= ghcr.io/appscode/golang-dev:$(GO_VERSION)
 
 OUTBIN = bin/$(OS)_$(ARCH)/$(BIN)

vendor/kmodules.xyz/monitoring-agent-api/api/v1/appbinding.go

@@ -16,6 +16,10 @@ limitations under the License.
 
 package v1
 
+import (
+	kmapi "kmodules.xyz/client-go/api/v1"
+)
+
 type GrafanaConfig struct {
 	URL         string        `json:"url"`
 	Service     ServiceSpec   `json:"service"`
@@ -73,3 +77,46 @@ type GrafanaContext struct {
 	FolderID   *int64 `json:"folderID,omitempty"`
 	Datasource string `json:"datasource,omitempty"`
 }
+
+type Prometheus struct {
+	AppBindingRef   *kmapi.ObjectReference `json:"appBindingRef,omitempty"`
+	*ConnectionSpec `json:",inline,omitempty"`
+}
+
+// ConnectionSpec is the spec for app
+type ConnectionSpec struct {
+	// ClientConfig defines how to communicate with the app.
+	// Required
+	ClientConfig `json:",inline"`
+
+	// Secret is the name of the secret to create in the AppBinding's
+	// namespace that will hold the credentials associated with the AppBinding.
+	AuthSecret *kmapi.ObjectReference `json:"authSecret,omitempty"`
+
+	// TLSSecret is the name of the secret that will hold
+	// the client certificate and private key associated with the AppBinding.
+	TLSSecret *kmapi.ObjectReference `json:"tlsSecret,omitempty"`
+}
+
+// ClientConfig contains the information to make a connection with an app
+type ClientConfig struct {
+	// `url` gives the location of the app, in standard URL form
+	// (`[scheme://]host:port/path`). Exactly one of `url` or `service`
+	// must be specified.
+	// +optional
+	URL string `json:"url"`
+
+	// InsecureSkipTLSVerify disables TLS certificate verification when communicating with this app.
+	// This is strongly discouraged.  You should use the CABundle instead.
+	InsecureSkipTLSVerify bool `json:"insecureSkipTLSVerify,omitempty"`
+
+	// CABundle is a PEM encoded CA bundle which will be used to validate the serving certificate of this app.
+	// +optional
+	CABundle []byte `json:"caBundle,omitempty"`
+
+	// ServerName is used to verify the hostname on the returned
+	// certificates unless InsecureSkipVerify is given. It is also included
+	// in the client's handshake to support virtual hosting unless it is
+	// an IP address.
+	ServerName string `json:"serverName,omitempty"`
+}

vendor/kmodules.xyz/monitoring-agent-api/api/v1/helpers.go

@@ -17,12 +17,17 @@ limitations under the License.
 package v1
 
 import (
+	"errors"
 	"fmt"
 
 	"kmodules.xyz/client-go/policy/secomp"
+	app_api "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
+	appcatalog "kmodules.xyz/custom-resources/apis/appcatalog/v1alpha1"
 
 	"gomodules.xyz/pointer"
 	core "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 func (agent *AgentSpec) SetDefaults() {
@@ -86,3 +91,50 @@ func GrafanaDatasource(isDefault bool, clusterName, projectId string) string {
 	}
 	return fmt.Sprintf("%s-%s", clusterName, projectId)
 }
+
+func (c *ConnectionSpec) ToAppBinding() (*appcatalog.AppBinding, error) {
+	var ns string
+	if c.AuthSecret != nil {
+		if c.AuthSecret.Namespace == "" {
+			return nil, errors.New("auth secret namespace not set")
+		}
+		ns = c.AuthSecret.Namespace
+	}
+	if c.TLSSecret != nil {
+		if c.TLSSecret.Namespace == "" {
+			return nil, errors.New("tls secret namespace not set")
+		}
+		if ns != "" && ns != c.TLSSecret.Namespace {
+			return nil, errors.New("tls secret namespace does not match auth secret namespace")
+		}
+	}
+
+	app := appcatalog.AppBinding{
+		TypeMeta: metav1.TypeMeta{},
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "<generated>",
+			Namespace: ns,
+		},
+		Spec: appcatalog.AppBindingSpec{
+			ClientConfig: appcatalog.ClientConfig{
+				URL:                   ptr.To(c.URL),
+				InsecureSkipTLSVerify: c.InsecureSkipTLSVerify,
+				CABundle:              c.CABundle,
+				ServerName:            c.ServerName,
+			},
+		},
+	}
+	if c.AuthSecret != nil {
+		app.Spec.Secret = &app_api.TypedLocalObjectReference{
+			Kind: "Secret", // It will create circular dependency, If we use Kubedb Constant .
+			Name: c.AuthSecret.Name,
+		}
+	}
+	if c.TLSSecret != nil {
+		app.Spec.TLSSecret = &app_api.TypedLocalObjectReference{
+			Kind: "Secret",
+			Name: c.TLSSecret.Name,
+		}
+	}
+	return &app, nil
+}