ingress-controller/config: remove redis (pomerium#835)

* ingress-controller/config: remove redis

* fix whitespace

apis/ingress/v1/deprecation.go

@@ -10,19 +10,13 @@ import (
 	"github.com/iancoleman/strcase"
 )
 
-var (
-	deprecatedFields = map[string]pom_cfg.FieldMsg{
-		"idp_directory_sync": {
-			DocsURL:       "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
-			FieldCheckMsg: pom_cfg.FieldCheckMsgRemoved,
-			KeyAction:     pom_cfg.KeyActionWarn,
-		},
-		"redis": {
-			FieldCheckMsg: "not recommended for new deployments, use PostgreSQL",
-			KeyAction:     pom_cfg.KeyActionWarn,
-		},
-	}
-)
+var deprecatedFields = map[string]pom_cfg.FieldMsg{
+	"idp_directory_sync": {
+		DocsURL:       "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
+		FieldCheckMsg: pom_cfg.FieldCheckMsgRemoved,
+		KeyAction:     pom_cfg.KeyActionWarn,
+	},
+}
 
 // GetDeprecations returns deprecation warnings
 func GetDeprecations(spec *PomeriumSpec) ([]pom_cfg.FieldMsg, error) {

apis/ingress/v1/deprecation_test.go

@@ -14,20 +14,17 @@ import (
 func TestDeprecations(t *testing.T) {
 	msgs, err := api.GetDeprecations(&api.PomeriumSpec{
 		Authenticate: new(api.Authenticate),
-		IdentityProvider: &api.IdentityProvider{Provider: "google", URL: proto.String("http://google.com"),
+		IdentityProvider: &api.IdentityProvider{
+			Provider: "google", URL: proto.String("http://google.com"),
 			ServiceAccountFromSecret: proto.String("secret"),
 			RefreshDirectory: &api.RefreshDirectorySettings{
 				Interval: v1.Duration{Duration: time.Minute},
 				Timeout:  v1.Duration{Duration: time.Minute},
-			}},
-		Certificates: []string{},
-		Secrets:      "",
-		Storage: &api.Storage{
-			Redis: &api.RedisStorage{
-				Secret: "redis",
 			},
 		},
+		Certificates: []string{},
+		Secrets:      "",
 	})
 	require.NoError(t, err)
-	require.Len(t, msgs, 3)
+	require.Len(t, msgs, 2)
 }

apis/ingress/v1/pomerium_types.go

@@ -79,35 +79,6 @@ type RefreshDirectorySettings struct {
 	Timeout metav1.Duration `json:"timeout"`
 }
 
-// RedisStorage defines REDIS databroker storage backend bootstrap parameters.
-// Redis is supported for legacy deployments, new deployments should use PostgreSQL.
-type RedisStorage struct {
-	// Secret specifies a name of a Secret that must contain
-	// <code>connection</code> key.
-	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:Type=string
-	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:Format="namespace/name"
-	Secret string `json:"secret"`
-	// TLSSecret should refer to a k8s secret of type <code>kubernetes.io/tls</code>
-	// that would be used to perform TLS connection to REDIS.
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:validation:Type=string
-	// +kubebuilder:validation:MinLength=1
-	// +kubebuilder:validation:Format="namespace/name"
-	TLSSecret *string `json:"tlsSecret"`
-	// CASecret should refer to a k8s secret with key <code>ca.crt</code> that must be a PEM-encoded
-	// certificate authority to use when connecting to the databroker storage engine.
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:validation:Type=string
-	// +kubebuilder:validation:Format="namespace/name"
-	CASecret *string `json:"caSecret"`
-	// TLSSkipVerify disables TLS certificate chain validation.
-	// +kubebuilder:validation:Optional
-	// +kubebuilder:validation:Type=boolean
-	TLSSkipVerify bool `json:"tlsSkipVerify"`
-}
-
 // PostgresStorage defines Postgres connection parameters.
 type PostgresStorage struct {
 	// Secret specifies a name of a Secret that must contain
@@ -144,13 +115,9 @@ type PostgresStorage struct {
 // Storage defines persistent storage option for the databroker
 // and is only applied for all-in-one pomerium bootstrap,
 // and has no effect for the split-mode deployment.
-// If Storage is specified, either `redis` or `postgresql` parameter should be set.
-// Omit setting storage to use in-memory storage implementation.
+// If Storage is specified, the `postgresql` parameter should be set.
+// Omit setting storage to use the in-memory storage implementation.
 type Storage struct {
-	// Redis defines REDIS connection parameters
-	// +kubebuilder:validation:Optional
-	Redis *RedisStorage `json:"redis" deprecated:"redis"`
-
 	// Postgres specifies PostgreSQL database connection parameters
 	// +kubebuilder:validation:Optional
 	Postgres *PostgresStorage `json:"postgres"`

config/crd/bases/ingress.pomerium.io_pomerium.yaml

@@ -289,36 +289,6 @@ spec:
                     required:
                     - secret
                     type: object
-                  redis:
-                    description: Redis defines REDIS connection parameters
-                    properties:
-                      caSecret:
-                        description: CASecret should refer to a k8s secret with key
-                          <code>ca.crt</code> that must be a PEM-encoded certificate
-                          authority to use when connecting to the databroker storage
-                          engine.
-                        format: namespace/name
-                        type: string
-                      secret:
-                        description: Secret specifies a name of a Secret that must
-                          contain <code>connection</code> key.
-                        format: namespace/name
-                        minLength: 1
-                        type: string
-                      tlsSecret:
-                        description: TLSSecret should refer to a k8s secret of type
-                          <code>kubernetes.io/tls</code> that would be used to perform
-                          TLS connection to REDIS.
-                        format: namespace/name
-                        minLength: 1
-                        type: string
-                      tlsSkipVerify:
-                        description: TLSSkipVerify disables TLS certificate chain
-                          validation.
-                        type: boolean
-                    required:
-                    - secret
-                    type: object
                 type: object
               timeouts:
                 description: Timeout specifies the <a href="https://www.pomerium.com/docs/reference/global-timeouts">global

controllers/settings/fetch.go

@@ -126,15 +126,7 @@ func fetchConfigSecrets(ctx context.Context, client client.Client, cfg *model.Co
 				return nil
 			}
 
-			if r := s.Storage.Redis; r != nil {
-				if err := applyAll(
-					apply("connection", required(&r.Secret), &cfg.StorageSecrets.Secret),
-					apply("tls", optional(r.TLSSecret), &cfg.StorageSecrets.TLS),
-					apply("ca", optional(r.CASecret), &cfg.StorageSecrets.CA),
-				); err != nil {
-					return fmt.Errorf("redis: %w", err)
-				}
-			} else if p := s.Storage.Postgres; p != nil {
+			if p := s.Storage.Postgres; p != nil {
 				if err := applyAll(
 					apply("connection", required(&p.Secret), &cfg.StorageSecrets.Secret),
 					apply("tls", optional(p.TLSSecret), &cfg.StorageSecrets.TLS),
@@ -143,7 +135,7 @@ func fetchConfigSecrets(ctx context.Context, client client.Client, cfg *model.Co
 					return fmt.Errorf("postgresql: %w", err)
 				}
 			} else {
-				return fmt.Errorf("if storage is specified, either redis or postgres storage should be provided")
+				return fmt.Errorf("if storage is specified, postgres storage should be provided")
 			}
 
 			return cfg.StorageSecrets.Validate()

controllers/settings/fetch_test.go

@@ -42,25 +42,6 @@ func TestFetchConstraints(t *testing.T) {
 	}{
 		"idp-secrets":       {},
 		"bootstrap-secrets": {},
-		"redis": {
-			corev1.SecretTypeOpaque,
-			map[string][]byte{
-				model.StorageConnectionStringKey: []byte("redis://"),
-			},
-		},
-		"redis-ca": {
-			corev1.SecretTypeOpaque,
-			map[string][]byte{
-				model.CAKey: []byte("ca-data"),
-			},
-		},
-		"redis-tls": {
-			corev1.SecretTypeTLS,
-			map[string][]byte{
-				corev1.TLSCertKey:       []byte("cert-data"),
-				corev1.TLSPrivateKeyKey: []byte("key-data"),
-			},
-		},
 		"postgres": {
 			corev1.SecretTypeOpaque,
 			map[string][]byte{
@@ -119,31 +100,6 @@ func TestFetchConstraints(t *testing.T) {
 			Secrets:          "pomerium/bootstrap-secrets",
 			Storage:          &icsv1.Storage{},
 		}, assert.Error},
-		{"redis: secret missing", icsv1.PomeriumSpec{
-			Authenticate:     new(icsv1.Authenticate),
-			IdentityProvider: &icsv1.IdentityProvider{Secret: "pomerium/idp-secrets"},
-			Certificates:     []string{},
-			Secrets:          "pomerium/bootstrap-secrets",
-			Storage:          &icsv1.Storage{Redis: &icsv1.RedisStorage{}},
-		}, assert.Error},
-		{"redis: secret present", icsv1.PomeriumSpec{
-			Authenticate:     new(icsv1.Authenticate),
-			IdentityProvider: &icsv1.IdentityProvider{Secret: "pomerium/idp-secrets"},
-			Certificates:     []string{},
-			Secrets:          "pomerium/bootstrap-secrets",
-			Storage:          &icsv1.Storage{Redis: &icsv1.RedisStorage{Secret: "pomerium/redis"}},
-		}, assert.NoError},
-		{"redis: ca + tls", icsv1.PomeriumSpec{
-			Authenticate:     new(icsv1.Authenticate),
-			IdentityProvider: &icsv1.IdentityProvider{Secret: "pomerium/idp-secrets"},
-			Certificates:     []string{},
-			Secrets:          "pomerium/bootstrap-secrets",
-			Storage: &icsv1.Storage{Redis: &icsv1.RedisStorage{
-				Secret:    "pomerium/redis",
-				CASecret:  proto.String("pomerium/redis-ca"),
-				TLSSecret: proto.String("pomerium/redis-tls"),
-			}},
-		}, assert.NoError},
 		{"postgres: secret missing", icsv1.PomeriumSpec{
 			Authenticate:     new(icsv1.Authenticate),
 			IdentityProvider: &icsv1.IdentityProvider{Secret: "pomerium/idp-secrets"},

deployment.yaml

@@ -297,36 +297,6 @@ spec:
                     required:
                     - secret
                     type: object
-                  redis:
-                    description: Redis defines REDIS connection parameters
-                    properties:
-                      caSecret:
-                        description: CASecret should refer to a k8s secret with key
-                          <code>ca.crt</code> that must be a PEM-encoded certificate
-                          authority to use when connecting to the databroker storage
-                          engine.
-                        format: namespace/name
-                        type: string
-                      secret:
-                        description: Secret specifies a name of a Secret that must
-                          contain <code>connection</code> key.
-                        format: namespace/name
-                        minLength: 1
-                        type: string
-                      tlsSecret:
-                        description: TLSSecret should refer to a k8s secret of type
-                          <code>kubernetes.io/tls</code> that would be used to perform
-                          TLS connection to REDIS.
-                        format: namespace/name
-                        minLength: 1
-                        type: string
-                      tlsSkipVerify:
-                        description: TLSSkipVerify disables TLS certificate chain
-                          validation.
-                        type: boolean
-                    required:
-                    - secret
-                    type: object
                 type: object
               timeouts:
                 description: Timeout specifies the <a href="https://www.pomerium.com/docs/reference/global-timeouts">global

pomerium/config.go

@@ -61,7 +61,7 @@ func applyConfig(ctx context.Context, p *pb.Config, c *model.Config) error {
 }
 
 func checkForWarnings(ctx context.Context, _ *pb.Config, c *model.Config) error {
-	if c.Spec.Storage == nil || (c.Spec.Storage.Redis == nil && c.Spec.Storage.Postgres == nil) {
+	if c.Spec.Storage == nil || c.Spec.Storage.Postgres == nil {
 		util.Add(ctx, config.FieldMsg{
 			Key:           "storage",
 			DocsURL:       "https://www.pomerium.com/docs/topics/data-storage#persistence",

pomerium/ctrl/bootstrap.go

@@ -82,42 +82,8 @@ func applyStorage(ctx context.Context, dst *config.Options, src *model.Config) e
 	if src.Spec.Storage.Postgres != nil {
 		return applyStoragePostgres(dst, src)
 	}
-	if src.Spec.Storage.Redis != nil {
-		return applyStorageRedis(dst, src)
-	}
-
-	return fmt.Errorf("if storage is specified, it must contain either redis or postgresql config. omit storage key for in-memory")
-}
-
-func applyStorageRedis(dst *config.Options, src *model.Config) error {
-	conn, ok := src.StorageSecrets.Secret.Data[model.StorageConnectionStringKey]
-	if !ok {
-		return fmt.Errorf("storage secret must have %s key", model.StorageConnectionStringKey)
-	}
-
-	dst.DataBrokerStorageConnectionString = string(conn)
-	dst.DataBrokerStorageCertSkipVerify = src.Spec.Storage.Redis.TLSSkipVerify
 
-	if src.StorageSecrets.CA != nil {
-		ca, err := storageFiles.CreateFile("ca.pem", src.StorageSecrets.Secret.Data[model.CAKey])
-		if err != nil {
-			return fmt.Errorf("ca: %w", err)
-		}
-		dst.DataBrokerStorageCAFile = ca
-	}
-	if src.StorageSecrets.TLS != nil {
-		cert, err := storageFiles.CreateFile("cert.pem", src.StorageSecrets.TLS.Data[corev1.TLSCertKey])
-		if err != nil {
-			return fmt.Errorf("tls cert: %w", err)
-		}
-		key, err := storageFiles.CreateFile("key.pem", src.StorageSecrets.TLS.Data[corev1.TLSPrivateKeyKey])
-		if err != nil {
-			return fmt.Errorf("tls key: %w", err)
-		}
-		dst.DataBrokerStorageCertFile = cert
-		dst.DataBrokerStorageCertKeyFile = key
-	}
-	return nil
+	return fmt.Errorf("if storage is specified, it must contain postgresql config. omit storage key for in-memory")
 }
 
 func applyStoragePostgres(dst *config.Options, src *model.Config) error {