tjmoore4
diff --git a/‎cmd/postgres-operator/main.go
Lines changed: 20 additions & 20 deletions b/‎cmd/postgres-operator/main.go
Lines changed: 20 additions & 20 deletions
diff --git a/‎config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml
Lines changed: 0 additions & 4 deletions b/‎config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml
Lines changed: 0 additions & 4 deletions
diff --git a/‎go.mod
Lines changed: 1 addition & 2 deletions b/‎go.mod
Lines changed: 1 addition & 2 deletions
diff --git a/‎go.sum
Lines changed: 2 additions & 4 deletions b/‎go.sum
Lines changed: 2 additions & 4 deletions
diff --git a/‎internal/config/config.go
Lines changed: 0 additions & 12 deletions b/‎internal/config/config.go
Lines changed: 0 additions & 12 deletions
diff --git a/‎internal/controller/pgupgrade/pgupgrade_controller.go
Lines changed: 13 additions & 11 deletions b/‎internal/controller/pgupgrade/pgupgrade_controller.go
Lines changed: 13 additions & 11 deletions
diff --git a/‎internal/controller/pgupgrade/registration.go
Lines changed: 37 additions & 0 deletions b/‎internal/controller/pgupgrade/registration.go
Lines changed: 37 additions & 0 deletions
diff --git a/‎internal/controller/pgupgrade/registration_test.go
Lines changed: 108 additions & 0 deletions b/‎internal/controller/pgupgrade/registration_test.go
Lines changed: 108 additions & 0 deletions
@@ -16,6 +16,7 @@ limitations under the License.
 */
 
 import (
+	"context"
 	"net/http"
 	"os"
 	"strings"
@@ -35,6 +36,7 @@ import (
 	"github.com/crunchydata/postgres-operator/internal/controller/standalone_pgadmin"
 	"github.com/crunchydata/postgres-operator/internal/logging"
 	"github.com/crunchydata/postgres-operator/internal/naming"
+	"github.com/crunchydata/postgres-operator/internal/registration"
 	"github.com/crunchydata/postgres-operator/internal/upgradecheck"
 	"github.com/crunchydata/postgres-operator/internal/util"
 )
@@ -70,6 +72,7 @@ func main() {
 
 	// create a context that will be used to stop all controllers on a SIGTERM or SIGINT
 	ctx := cruntime.SetupSignalHandler()
+	ctx, shutdown := context.WithCancel(ctx)
 	log := logging.FromContext(ctx)
 	log.V(1).Info("debug flag set to true")
 
@@ -96,8 +99,13 @@ func main() {
 		log.Info("detected OpenShift environment")
 	}
 
+	registrar, err := registration.NewRunner(os.Getenv("RSA_KEY"), os.Getenv("TOKEN_PATH"), shutdown)
+	assertNoError(err)
+	assertNoError(mgr.Add(registrar))
+	_ = registrar.CheckToken()
+
 	// add all PostgreSQL Operator controllers to the runtime manager
-	addControllersToManager(mgr, openshift, log)
+	addControllersToManager(mgr, openshift, log, registrar)
 
 	if util.DefaultMutableFeatureGate.Enabled(util.BridgeIdentifiers) {
 		constructor := func() *bridge.Client {
@@ -128,23 +136,14 @@ func main() {
 
 // addControllersToManager adds all PostgreSQL Operator controllers to the provided controller
 // runtime manager.
-func addControllersToManager(mgr manager.Manager, openshift bool, log logr.Logger) {
-	semanticVersionString := util.SemanticMajorMinorPatch(versionString)
-	if semanticVersionString == "" {
-		os.Setenv("REGISTRATION_REQUIRED", "false")
-	}
-
+func addControllersToManager(mgr manager.Manager, openshift bool, log logr.Logger, reg registration.Registration) {
 	pgReconciler := &postgrescluster.Reconciler{
-		Client:      mgr.GetClient(),
-		IsOpenShift: openshift,
-		Owner:       postgrescluster.ControllerName,
-		PGOVersion:  semanticVersionString,
-		Recorder:    mgr.GetEventRecorderFor(postgrescluster.ControllerName),
-		// TODO(tlandreth) Replace the contents of cpk_rsa_key.pub with a key from a
-		// Crunchy authorization server.
-		Registration:    util.GetRegistration(os.Getenv("RSA_KEY"), os.Getenv("TOKEN_PATH"), log),
-		RegistrationURL: os.Getenv("REGISTRATION_URL"),
-		Tracer:          otel.Tracer(postgrescluster.ControllerName),
+		Client:       mgr.GetClient(),
+		IsOpenShift:  openshift,
+		Owner:        postgrescluster.ControllerName,
+		Recorder:     mgr.GetEventRecorderFor(postgrescluster.ControllerName),
+		Registration: reg,
+		Tracer:       otel.Tracer(postgrescluster.ControllerName),
 	}
 
 	if err := pgReconciler.SetupWithManager(mgr); err != nil {
@@ -153,9 +152,10 @@ func addControllersToManager(mgr manager.Manager, openshift bool, log logr.Logge
 	}
 
 	upgradeReconciler := &pgupgrade.PGUpgradeReconciler{
-		Client: mgr.GetClient(),
-		Owner:  "pgupgrade-controller",
-		Scheme: mgr.GetScheme(),
+		Client:       mgr.GetClient(),
+		Owner:        "pgupgrade-controller",
+		Recorder:     mgr.GetEventRecorderFor("pgupgrade-controller"),
+		Registration: reg,
 	}
 
 	if err := upgradeReconciler.SetupWithManager(mgr); err != nil {
 
@@ -15457,8 +15457,6 @@ spec:
                     type: object
                 type: object
               registrationRequired:
-                description: Version information for installations with a registration
-                  requirement.
                 properties:
                   pgoVersion:
                     type: string
@@ -15471,8 +15469,6 @@ spec:
                 description: The instance set associated with the startupInstance
                 type: string
               tokenRequired:
-                description: Signals the need for a token to be applied when registration
-                  is required.
                 type: string
               userInterface:
                 description: Current state of the PostgreSQL user interface.
 
@@ -5,7 +5,7 @@ go 1.19
 require (
 	github.com/evanphx/json-patch/v5 v5.6.0
 	github.com/go-logr/logr v1.3.0
-	github.com/golang-jwt/jwt/v5 v5.0.0
+	github.com/golang-jwt/jwt/v5 v5.2.1
 	github.com/google/go-cmp v0.5.9
 	github.com/google/uuid v1.3.1
 	github.com/onsi/ginkgo/v2 v2.0.0
@@ -21,7 +21,6 @@ require (
 	go.opentelemetry.io/otel/sdk v1.2.0
 	go.opentelemetry.io/otel/trace v1.19.0
 	golang.org/x/crypto v0.19.0
-	golang.org/x/mod v0.8.0
 	gotest.tools/v3 v3.1.0
 	k8s.io/api v0.24.2
 	k8s.io/apimachinery v0.24.2
 
@@ -192,8 +192,8 @@ github.com/gogo/protobuf v1.2.1/go.mod h1:hp+jE20tsWTFYpLwKvXlhS1hjn+gTNwPg2I6zV
 github.com/gogo/protobuf v1.3.1/go.mod h1:SlYgWuQ5SjCEi6WLHjHCa1yvBfUnHcTbrrZtXPKa29o=
 github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
 github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
-github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
-github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.2.1 h1:OuVbFODueb089Lh128TAcimifWaLhJwVflnrgM17wHk=
+github.com/golang-jwt/jwt/v5 v5.2.1/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/glog v1.0.0/go.mod h1:EWib/APOK0SL3dFbYqvxE3UYd8E6s1ouQ7iEp/0LWV4=
 github.com/golang/groupcache v0.0.0-20190129154638-5b532d6fd5ef/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
@@ -602,8 +602,6 @@ golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
-golang.org/x/mod v0.8.0 h1:LUYupSeNrTNCGzR/hVBk2NHZO4hXcVaW1k4Qx7rjPx8=
-golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 
@@ -50,18 +50,6 @@ func FetchKeyCommand(spec *v1beta1.PostgresClusterSpec) string {
 	return ""
 }
 
-func RegistrationRequired() bool {
-	return os.Getenv("REGISTRATION_REQUIRED") == "true"
-}
-
-// Get the version of CPK that applied the first RegistrationRequired status to this cluster.
-func RegistrationRequiredBy(cluster *v1beta1.PostgresCluster) string {
-	if cluster.Status.RegistrationRequired == nil {
-		return ""
-	}
-	return cluster.Status.RegistrationRequired.PGOVersion
-}
-
 // Red Hat Marketplace requires operators to use environment variables be used
 // for any image other than the operator itself. Those variables must start with
 // "RELATED_IMAGE_" so that OSBS can transform their tag values into digests
 
@@ -23,7 +23,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/client-go/tools/record"
 	"k8s.io/client-go/util/workqueue"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -32,6 +32,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	"github.com/crunchydata/postgres-operator/internal/config"
+	"github.com/crunchydata/postgres-operator/internal/registration"
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
 )
 
@@ -41,14 +42,11 @@ const (
 
 // PGUpgradeReconciler reconciles a PGUpgrade object
 type PGUpgradeReconciler struct {
-	client.Client
+	Client client.Client
 	Owner  client.FieldOwner
-	Scheme *runtime.Scheme
 
-	// For this iteration, we will only be setting conditions rather than
-	// setting conditions and emitting events. That may change in the future,
-	// so we're leaving this EventRecorder here for now.
-	// record.EventRecorder
+	Recorder     record.EventRecorder
+	Registration registration.Registration
 }
 
 //+kubebuilder:rbac:groups="batch",resources="jobs",verbs={list,watch}
@@ -80,7 +78,7 @@ func (r *PGUpgradeReconciler) findUpgradesForPostgresCluster(
 	// namespace, we can configure the [ctrl.Manager] field indexer and pass a
 	// [fields.Selector] here.
 	// - https://book.kubebuilder.io/reference/watching-resources/externally-managed.html
-	if r.List(ctx, &upgrades, &client.ListOptions{
+	if r.Client.List(ctx, &upgrades, &client.ListOptions{
 		Namespace: cluster.Namespace,
 	}) == nil {
 		for i := range upgrades.Items {
@@ -140,14 +138,14 @@ func (r *PGUpgradeReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 	// copy before returning from its cache.
 	// - https://github.com/kubernetes-sigs/controller-runtime/issues/1235
 	upgrade := &v1beta1.PGUpgrade{}
-	err = r.Get(ctx, req.NamespacedName, upgrade)
+	err = r.Client.Get(ctx, req.NamespacedName, upgrade)
 
 	if err == nil {
 		// Write any changes to the upgrade status on the way out.
 		before := upgrade.DeepCopy()
 		defer func() {
 			if !equality.Semantic.DeepEqual(before.Status, upgrade.Status) {
-				status := r.Status().Patch(ctx, upgrade, client.MergeFrom(before), r.Owner)
+				status := r.Client.Status().Patch(ctx, upgrade, client.MergeFrom(before), r.Owner)
 
 				if err == nil && status != nil {
 					err = status
@@ -178,6 +176,10 @@ func (r *PGUpgradeReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 		return
 	}
 
+	if !r.UpgradeAuthorized(upgrade) {
+		return ctrl.Result{}, nil
+	}
+
 	// Set progressing condition to true if it doesn't exist already
 	setStatusToProgressingIfReasonWas("", upgrade)
 
@@ -452,7 +454,7 @@ func (r *PGUpgradeReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 			// Set the pgBackRest status for bootstrapping
 			patch.Status.PGBackRest.Repos = []v1beta1.RepoStatus{}
 
-			err = r.Status().Patch(ctx, patch, client.MergeFrom(world.Cluster), r.Owner)
+			err = r.Client.Status().Patch(ctx, patch, client.MergeFrom(world.Cluster), r.Owner)
 		}
 
 		return ctrl.Result{}, err
 
@@ -0,0 +1,37 @@
+// Copyright 2021 - 2024 Crunchy Data Solutions, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pgupgrade
+
+import (
+	"k8s.io/apimachinery/pkg/api/meta"
+
+	"github.com/crunchydata/postgres-operator/internal/registration"
+	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
+)
+
+func (r *PGUpgradeReconciler) UpgradeAuthorized(upgrade *v1beta1.PGUpgrade) bool {
+	// Allow an upgrade in progress to complete, when the registration requirement is introduced.
+	// But don't allow new upgrades to be started until a valid token is applied.
+	progressing := meta.FindStatusCondition(upgrade.Status.Conditions, ConditionPGUpgradeProgressing) != nil
+	required := r.Registration.Required(r.Recorder, upgrade, &upgrade.Status.Conditions)
+
+	// If a valid token has not been applied, warn the user.
+	if required && !progressing {
+		registration.SetRequiredWarning(r.Recorder, upgrade, &upgrade.Status.Conditions)
+		return false
+	}
+
+	return true
+}
@@ -0,0 +1,108 @@
+// Copyright 2021 - 2024 Crunchy Data Solutions, Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package pgupgrade
+
+import (
+	"testing"
+
+	"gotest.tools/v3/assert"
+	"k8s.io/apimachinery/pkg/api/meta"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/client-go/tools/record"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/crunchydata/postgres-operator/internal/controller/runtime"
+	"github.com/crunchydata/postgres-operator/internal/registration"
+	"github.com/crunchydata/postgres-operator/internal/testing/cmp"
+	"github.com/crunchydata/postgres-operator/internal/testing/events"
+	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
+)
+
+func TestUpgradeAuthorized(t *testing.T) {
+	t.Run("UpgradeAlreadyInProgress", func(t *testing.T) {
+		reconciler := new(PGUpgradeReconciler)
+		upgrade := new(v1beta1.PGUpgrade)
+
+		for _, required := range []bool{false, true} {
+			reconciler.Registration = registration.RegistrationFunc(
+				func(record.EventRecorder, client.Object, *[]metav1.Condition) bool {
+					return required
+				})
+
+			meta.SetStatusCondition(&upgrade.Status.Conditions, metav1.Condition{
+				Type:   ConditionPGUpgradeProgressing,
+				Status: metav1.ConditionTrue,
+			})
+
+			result := reconciler.UpgradeAuthorized(upgrade)
+			assert.Assert(t, result, "expected signal to proceed")
+
+			progressing := meta.FindStatusCondition(upgrade.Status.Conditions, ConditionPGUpgradeProgressing)
+			assert.Equal(t, progressing.Status, metav1.ConditionTrue)
+		}
+	})
+
+	t.Run("RegistrationRequired", func(t *testing.T) {
+		scheme, err := runtime.CreatePostgresOperatorScheme()
+		assert.NilError(t, err)
+
+		recorder := events.NewRecorder(t, scheme)
+		upgrade := new(v1beta1.PGUpgrade)
+		upgrade.Name = "some-upgrade"
+
+		reconciler := PGUpgradeReconciler{
+			Recorder: recorder,
+			Registration: registration.RegistrationFunc(
+				func(record.EventRecorder, client.Object, *[]metav1.Condition) bool {
+					return true
+				}),
+		}
+
+		meta.RemoveStatusCondition(&upgrade.Status.Conditions, ConditionPGUpgradeProgressing)
+
+		result := reconciler.UpgradeAuthorized(upgrade)
+		assert.Assert(t, !result, "expected signal to not proceed")
+
+		condition := meta.FindStatusCondition(upgrade.Status.Conditions, v1beta1.Registered)
+		if assert.Check(t, condition != nil) {
+			assert.Equal(t, condition.Status, metav1.ConditionFalse)
+		}
+
+		if assert.Check(t, len(recorder.Events) > 0) {
+			assert.Equal(t, recorder.Events[0].Type, "Warning")
+			assert.Equal(t, recorder.Events[0].Regarding.Kind, "PGUpgrade")
+			assert.Equal(t, recorder.Events[0].Regarding.Name, "some-upgrade")
+			assert.Assert(t, cmp.Contains(recorder.Events[0].Note, "requires"))
+		}
+	})
+
+	t.Run("RegistrationCompleted", func(t *testing.T) {
+		reconciler := new(PGUpgradeReconciler)
+		upgrade := new(v1beta1.PGUpgrade)
+
+		called := false
+		reconciler.Registration = registration.RegistrationFunc(
+			func(record.EventRecorder, client.Object, *[]metav1.Condition) bool {
+				called = true
+				return false
+			})
+
+		meta.RemoveStatusCondition(&upgrade.Status.Conditions, ConditionPGUpgradeProgressing)
+
+		result := reconciler.UpgradeAuthorized(upgrade)
+		assert.Assert(t, result, "expected signal to proceed")
+		assert.Assert(t, called, "expected registration package to clear conditions")
+	})
+}