cyberark / secretless-broker

Secure your apps by making them Secretless
Apache License 2.0

Support for postgres `address` configuration option is broken on master #818

Closed izgeri closed 5 years ago

izgeri commented 5 years ago

Summary

Some recent changes post-1.0 have revised PostgreSQL configuration to enable `host`/`port` (to be consistent with MySQL) and deprecated `address`. But though `address` is still meant to be supported, you can't connect to a pg database via Secretless when using `address`-based config.

Steps to Reproduce

Deploy an app with Secretless as a sidecar to OC 3.9. Use config of the form:

version: "2"
services:
  test-app-pg:
    protocol: pg
    listenOn: tcp://0.0.0.0:5432
    credentials:
      address:
        from: conjur
        get: test-secretless-app-db/url
      username:
        from: conjur
        get: test-secretless-app-db/username
      password:
        from: conjur
        get: test-secretless-app-db/password
      sslmode: require

You will see the app is unable to start up. I reproduced this using LOCAL_AUTHENTICATOR=true with a local build of secretless / the kubernetes authenticator sidecar and running kubernetes-conjur-demo in OC 3.9.

If you change the config to use host / port-based config, the app deploys as expected.

Expected Results

The app is deployed as usual, and can connect to pg via Secretless

Actual Results (including error logs, if applicable)

The app fails to start. The app logs show an error:

org.postgresql.util.PSQLException: FATAL: dial tcp: address tcp/5432/test_app: unknown port

The Secretless logs show:

2019/08/09 13:37:02 Secretless v1.1.0-a0c70ea starting up...
2019/08/09 13:37:02 WARN: Config file and config manager specified - forcing 'configfile' configuration manager!
2019/08/09 13:37:02 Loading internal plugins...
2019/08/09 13:37:02 - ConfigurationManagers: [configfile k8s/crd]
2019/08/09 13:37:02 - ConnectionManagers: []
2019/08/09 13:37:02 - Providers: [kubernetes literal vault aws conjur env file keychain]
2019/08/09 13:37:02 - Handlers: [mysql pg ssh sshagent http/aws http/basic_auth http/conjur]
2019/08/09 13:37:02 - Listeners: [ssh ssh-agent http mysql pg]
2019/08/09 13:37:02 Completed loading internal plugins.
2019/08/09 13:37:02 Loading external library plugins...
2019/08/09 13:37:02 Registering shutdown signal listeners...
2019/08/09 13:37:02 Initializing configuration manager 'configfile'...
2019/08/09 13:37:02 Trying to load configuration file: /etc/secretless/secretless.yml
2019/08/09 13:37:02 Configuration manager 'configfile' initialized (configSpec: '/etc/secretless/secretless.yml').
2019/08/09 13:37:02 Configuration manager 'configfile' provided new configuration...
2019/08/09 13:37:02 Initializing connection managers...
2019/08/09 13:37:02 Reloading...
2019/08/09 13:37:02 Initialization of plugins done.
2019/08/09 13:37:02 Initializing the proxy...
2019/08/09 13:37:02 ----------------------------
2019/08/09 13:37:02 Initializing health check on :5335...
2019/08/09 13:37:02 Initialization of health check done. You can access the endpoint at `/live` and `/ready`.
2019/08/09 13:37:02 Starting all listeners and handlers...
2019/08/09 13:37:02 Registering reload signal listeners...
2019/08/09 13:37:02 mysql listener 'test-app-mysql' listening at: [::]:3306
2019/08/09 13:37:02 pg listener 'test-app-pg' listening at: [::]:5432
2019/08/09 13:37:02 Shutting down 'mysql' listener...
2019/08/09 13:37:02 Shutting down 'pg' listener...
2019/08/09 13:37:02 Shutting down listener's handlers...
2019/08/09 13:37:02 Shutting down listener's handlers...
2019/08/09 13:37:02 Starting all listeners and handlers...
2019/08/09 13:37:02 mysql listener 'test-app-mysql' listening at: [::]:3306
2019/08/09 13:37:02 pg listener 'test-app-pg' listening at: [::]:5432
2019/08/09 13:37:10 Instantiating provider 'conjur'
2019/08/09 13:37:10 Info: Conjur provider using Kubernetes authenticator-based authentication
2019/08/09 13:37:10 Info: Conjur provider is authenticating as host/conjur/authn-k8s/madeup-id/apps/geri-app-test/service_account/oc-test-app-secretless ...
INFO: 2019/08/09 13:37:10 authenticator.go:174: Not logged in. Trying to log in...
INFO: 2019/08/09 13:37:10 authenticator.go:107: Logging in as host/conjur/authn-k8s/madeup-id/apps/geri-app-test/service_account/oc-test-app-secretless.
INFO: 2019/08/09 13:37:10 requests.go:21: Login request to: https://conjur-follower.geri-conjur-test.svc.cluster.local/api/authn-k8s/madeup-id/inject_client_cert
ERROR: 2019/08/09 13:37:10 authenticator.go:177: Login failed: client certificate not found at /etc/conjur/ssl/client.pem
2019/08/09 13:37:10 Info: Conjur provider received an error on authenticate: client certificate not found at /etc/conjur/ssl/client.pem
2019/08/09 13:37:13 Info: Conjur provider is authenticating as host/conjur/authn-k8s/madeup-id/apps/geri-app-test/service_account/oc-test-app-secretless ...
INFO: 2019/08/09 13:37:13 authenticator.go:174: Not logged in. Trying to log in...
INFO: 2019/08/09 13:37:13 authenticator.go:107: Logging in as host/conjur/authn-k8s/madeup-id/apps/geri-app-test/service_account/oc-test-app-secretless.
INFO: 2019/08/09 13:37:13 requests.go:21: Login request to: https://conjur-follower.geri-conjur-test.svc.cluster.local/api/authn-k8s/madeup-id/inject_client_cert
INFO: 2019/08/09 13:37:14 authenticator.go:181: Logged in
INFO: 2019/08/09 13:37:14 authenticator.go:163: Cert expires: 2019-08-12 13:37:13 +0000 UTC
INFO: 2019/08/09 13:37:14 authenticator.go:164: Current date: 2019-08-09 13:37:14.073150829 +0000 UTC
INFO: 2019/08/09 13:37:14 authenticator.go:165: Buffer time:  30s
INFO: 2019/08/09 13:37:14 requests.go:44: Authn request to: https://conjur-follower.geri-conjur-test.svc.cluster.local/api/authn-k8s/madeup-id/example/host%2Fconjur%2Fauthn-k8s%2Fmadeup-id%2Fapps%2Fgeri-app-test%2Fservice_account%2Foc-test-app-secretless/authenticate
INFO: 2019/08/09 13:37:14 authenticator.go:245: Successfully authenticated!
2019/08/09 13:37:14 Instantiating provider 'literal'
2019/08/09 13:37:14 WARN: 'address' has been deprecated for PG connector. Please use 'host' and 'port' instead.'
2019/08/09 13:37:14 WARN: 'address' has been deprecated for PG connector. Please use 'host' and 'port' instead.'
2019/08/09 13:37:34 WARN: 'address' has been deprecated for PG connector. Please use 'host' and 'port' instead.'
2019/08/09 13:37:34 WARN: 'address' has been deprecated for PG connector. Please use 'host' and 'port' instead.'
2019/08/09 13:38:08 WARN: 'address' has been deprecated for PG connector. Please use 'host' and 'port' instead.'
2019/08/09 13:38:08 WARN: 'address' has been deprecated for PG connector. Please use 'host' and 'port' instead.'
2019/08/09 13:39:06 WARN: 'address' has been deprecated for PG connector. Please use 'host' and 'port' instead.'
2019/08/09 13:39:06 WARN: 'address' has been deprecated for PG connector. Please use 'host' and 'port' instead.'
2019/08/09 13:40:32 WARN: 'address' has been deprecated for PG connector. Please use 'host' and 'port' instead.'
2019/08/09 13:40:33 WARN: 'address' has been deprecated for PG connector. Please use 'host' and 'port' instead.'

izgeri commented 5 years ago

Note: I tried to (but couldn't) reproduce this locally by running pg in a Docker container

docker run --name pg-reg -p 5433:5432 -e POSTGRES_PASSWORD=mypassword -e POSTGRES_USER=myuser -e POSTGRES_DB=mydb -d postgres

and then running ./bin/build_darwin to have a local OSX secretless binary. I started Secretless by running

./dist/darwin/amd64/secretless-broker -f secretless-pg.yml

where secretless-pg.yml includes:

listeners:
- address: 0.0.0.0:5432
  #  caCertFiles: []
  debug: true
  name: pg_listener
  protocol: pg

handlers:
- name: pg_handler
  listener: pg_listener
  debug: true
  credentials:
  - name: username
    provider: literal
    id: myuser
  - name: password
    provider: literal
    id: mypassword
  - name: sslmode
    provider: literal
    id: disable
  - name: address
    provider: literal
    id: localhost:5433

Then, when I try to connect to pg via Secretless (psql -h localhost -p 5432 -d postgres) it's able to proxy the connection appropriately.

izgeri commented 5 years ago

@yserota I created a docs issue to make a minor correction to the docs for this - please see https://github.com/cyberark/secretless-docs/issues/183

izgeri commented 5 years ago

Note that the only thing broken was my expectation that I can pass /dbname in the address field for the pg config. This is no longer the case, and that assumption was fixed in https://github.com/conjurdemos/kubernetes-conjur-demo/pull/74 and will be updated in the documentation as part of https://github.com/cyberark/secretless-docs/issues/183. In light of this, I'm closing the bug now.
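A small validation check for the pg `address` value this thread is about, written here as an added example (not secretless-broker's own code): it accepts the host:port form the PG connector now expects and rejects the old host:port/dbname form with an explicit message, instead of letting it reach the dialer where it surfaces as the "unknown port" error in the logs above. The PgTarget type and the host db.example.internal are assumptions for the example; the database name test_app is the one from the error log.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// PgTarget is a hypothetical parsed form of the pg `address` credential
// (an assumption for this example, not a Secretless type).
type PgTarget struct {
	Host string
	Port int
}

// ParsePgAddress validates an `address` of the form host:port. The legacy
// host:port/dbname form leaves "/dbname" glued to the port string, which is
// exactly what produced "address tcp/5432/test_app: unknown port" in the issue.
func ParsePgAddress(address string) (PgTarget, error) {
	host, portStr, err := net.SplitHostPort(address)
	if err != nil {
		return PgTarget{}, fmt.Errorf("address %q is not host:port: %w", address, err)
	}
	// Catch the deprecated /dbname suffix before it is handed to a dialer.
	if i := strings.Index(portStr, "/"); i >= 0 {
		return PgTarget{}, fmt.Errorf("address %q carries database name %q after the port; "+
			"the PG connector no longer accepts /dbname in address, put it in the client connection string", address, portStr[i+1:])
	}
	port, err := strconv.Atoi(portStr)
	if err != nil || port < 1 || port > 65535 {
		return PgTarget{}, fmt.Errorf("address %q has invalid port %q", address, portStr)
	}
	return PgTarget{Host: host, Port: port}, nil
}

func main() {
	// Constructed inputs: the working local address from the thread and a
	// legacy-style address using the dbname seen in the error log.
	for _, a := range []string{"localhost:5433", "db.example.internal:5432/test_app"} {
		t, err := ParsePgAddress(a)
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Printf("ok: host=%s port=%d\n", t.Host, t.Port)
	}
}
```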