Implemented support for TLS and ServerCA handling for cloudmemorystore

Signed-off-by: Andrew Jakubowski <[email protected]>

apis/cache/v1beta1/cloudmemorystore_instance_types.go

@@ -38,6 +38,14 @@ type CloudMemorystoreInstanceParameters struct {
 	// +immutable
 	Tier string `json:"tier"`
 
+	// TransitEncryptionMode specifies TLS encryption mode for Redis service.
+	// For TRANSIT_ENCRYPTION_MODE_UNSPECIFIED the TLS in transit encryption is not set.
+	// If set to SERVER_AUTHENTICATION the client-to-server traffic encryption is enabled.
+	// Encription is disabled if the value is DISABLED
+	// https://cloud.google.com/memorystore/docs/redis/about-in-transit-encryption
+	// +optional
+	TransitEncryptionMode string `json:"transitEncryptionMode,omitempty"`
+
 	// Redis memory size in GiB.
 	MemorySizeGB int64 `json:"memorySizeGb"`
 
@@ -135,6 +143,28 @@ type CloudMemorystoreInstanceParameters struct {
 	AuthEnabled *bool `json:"authEnabled,omitempty"`
 }
 
+type ServerCACertsObservation struct {
+
+	// Cert is the certificate in the PEM format.
+	Cert string `json:"cert,omitempty"`
+
+	// CreateTime: Output only. The time when the certificate was created in
+	// RFC 3339 (https://tools.ietf.org/html/rfc3339) format, for example
+	// `2020-05-18T00:00:00.094Z`.
+	CreateTime string `json:"createTime,omitempty"`
+
+	// ExpireTime: Output only. The time when the certificate expires in RFC
+	// 3339 (https://tools.ietf.org/html/rfc3339) format, for example
+	// `2020-05-18T00:00:00.094Z`.
+	ExpireTime string `json:"expireTime,omitempty"`
+
+	// SerialNumber: Serial number, as extracted from the certificate.
+	SerialNumber string `json:"serialNumber,omitempty"`
+
+	// Sha1Fingerprint: Sha1 Fingerprint of the certificate.
+	Sha1Fingerprint string `json:"sha1Fingerprint,omitempty"`
+}
+
 // CloudMemorystoreInstanceObservation is used to show the observed state of the
 // CloudMemorystore resource on GCP.
 type CloudMemorystoreInstanceObservation struct {
@@ -195,6 +225,13 @@ type CloudMemorystoreInstanceObservation struct {
 	// for a given instance so should be checked before each import/export
 	// operation.
 	PersistenceIAMIdentity string `json:"persistenceIamIdentity,omitempty"`
+
+	// Status of in tranit encyption mode the redis service is configured with
+	TransitEncryptionMode string `json:"transitEncryptionMode,omitempty"`
+
+	// ServerCaCerts: Output only. List of server CA certificates for the
+	// instance.
+	ServerCaCerts []*ServerCACertsObservation `json:"serverCaCerts,omitempty"`
 }
 
 // A CloudMemorystoreInstanceSpec defines the desired state of a

package/crds/cache.gcp.crossplane.io_cloudmemorystoreinstances.yaml

@@ -157,6 +157,13 @@ spec:
                     - BASIC
                     - STANDARD_HA
                     type: string
+                  transitEncryptionMode:
+                    description: TransitEncryptionMode specifies tls encription mode
+                      for redis service. For TRANSIT_ENCRYPTION_MODE_UNSPECIFIED the
+                      tls in transit encription is not set. If set to SERVER_AUTHENTICATION
+                      the client to server traffic encription is enabled. Encription
+                      is disabled if the value is DISABLED https://cloud.google.com/memorystore/docs/redis/about-in-transit-encryption
+                    type: string
                 required:
                 - memorySizeGb
                 - region
@@ -375,6 +382,33 @@ spec:
                     description: The port number of the exposed Redis endpoint.
                     format: int64
                     type: integer
+                  serverCaCerts:
+                    description: 'ServerCaCerts: Output only. List of server CA certificates
+                      for the instance.'
+                    items:
+                      properties:
+                        cert:
+                          description: 'Cert: PEM representation.'
+                          type: string
+                        createTime:
+                          description: 'CreateTime: Output only. The time when the
+                            certificate was created in RFC 3339 (https://tools.ietf.org/html/rfc3339)
+                            format, for example `2020-05-18T00:00:00.094Z`.'
+                          type: string
+                        expireTime:
+                          description: 'ExpireTime: Output only. The time when the
+                            certificate expires in RFC 3339 (https://tools.ietf.org/html/rfc3339)
+                            format, for example `2020-05-18T00:00:00.094Z`.'
+                          type: string
+                        serialNumber:
+                          description: 'SerialNumber: Serial number, as extracted
+                            from the certificate.'
+                          type: string
+                        sha1Fingerprint:
+                          description: 'Sha1Fingerprint: Sha1 Fingerprint of the certificate.'
+                          type: string
+                      type: object
+                    type: array
                   state:
                     description: "State: Output only. The current state of this instance.
                       \n Possible values: \"STATE_UNSPECIFIED\" - Not set. \"CREATING\"
@@ -393,6 +427,10 @@ spec:
                     description: Additional information about the current status of
                       this instance, if available.
                     type: string
+                  transitEncryptionMode:
+                    description: Status of in tranit encyption mode the redis service
+                      is configured with
+                    type: string
                 type: object
               conditions:
                 description: Conditions of the resource.

pkg/clients/cloudmemorystore/cloudmemorystore.go

@@ -78,6 +78,7 @@ func GenerateRedisInstance(name string, s v1beta1.CloudMemorystoreInstanceParame
 	r.AuthorizedNetwork = gcp.StringValue(s.AuthorizedNetwork)
 	r.ConnectMode = gcp.StringValue(s.ConnectMode)
 	r.AuthEnabled = gcp.BoolValue(s.AuthEnabled)
+	r.TransitEncryptionMode = s.TransitEncryptionMode
 }
 
 // GenerateObservation is used to produce an observation object from GCP's Redis
@@ -91,6 +92,16 @@ func GenerateObservation(r redis.Instance) v1beta1.CloudMemorystoreInstanceObser
 		State:                  r.State,
 		StatusMessage:          r.StatusMessage,
 		PersistenceIAMIdentity: r.PersistenceIamIdentity,
+		TransitEncryptionMode:  r.TransitEncryptionMode,
+	}
+	for _, val := range r.ServerCaCerts {
+		o.ServerCaCerts = append(o.ServerCaCerts, &v1beta1.ServerCACertsObservation{
+			Cert:            val.Cert,
+			CreateTime:      val.CreateTime,
+			ExpireTime:      val.ExpireTime,
+			SerialNumber:    val.SerialNumber,
+			Sha1Fingerprint: val.Sha1Fingerprint,
+		})
 	}
 	t, err := time.Parse(time.RFC3339, r.CreateTime)
 	if err != nil {

pkg/clients/cloudmemorystore/cloudmemorystore_test.go

@@ -31,8 +31,10 @@ const (
 
 var (
 	authorizedNetwork = "default"
-
-	redisConfigs = map[string]string{"cool": "socool"}
+	redisVersion      = "REDIS_6_X"
+	redisConfigs      = map[string]string{"cool": "socool"}
+	tlsMode           = "SERVER_AUTHENTICATION"
+	tlsModeDefault    = "DEFAULT"
 )
 
 func TestIsUpToDate(t *testing.T) {
@@ -139,6 +141,27 @@ func TestIsUpToDate(t *testing.T) {
 			},
 			want: want{upToDate: true, isErr: false},
 		},
+		{
+			name: "TlsEnabled",
+			id:   fullName,
+			kube: &v1beta1.CloudMemorystoreInstance{
+				Spec: v1beta1.CloudMemorystoreInstanceSpec{
+					ForProvider: v1beta1.CloudMemorystoreInstanceParameters{
+						RedisVersion:          &redisVersion,
+						MemorySizeGB:          memorySizeGB,
+						TransitEncryptionMode: tlsMode,
+					},
+				},
+			},
+			gcp: &redis.Instance{
+				Name:                  fullName,
+				RedisVersion:          redisVersion,
+				MemorySizeGb:          memorySizeGB,
+				AuthorizedNetwork:     authorizedNetwork,
+				TransitEncryptionMode: tlsMode,
+			},
+			want: want{upToDate: true, isErr: false},
+		},
 	}
 
 	for _, tc := range cases {