OLS-2459 enforce TLS security profile on Postgres connections

[onmete]

Description

Enforce the cluster's TLS security profile on all Postgres connections
(cache, quota limiters, token usage history, quota scheduler).

This is the service-side half of OLS-2459. The operator-side changes
(APIServer CR propagation) will follow in a separate PR.

Changes

• Default sslmode hardened — change POSTGRES_CACHE_SSL_MODE from
  "prefer" to "require" so the service never silently downgrades to
  cleartext, even when the operator config is absent (dev, test, or
  misconfiguration scenarios)
• build_ssl_context helper — new factory in ols/utils/ssl.py that
  builds an ssl.SSLContext with minimum_version and cipher restrictions
  from the configured TLS security profile. Returns None when no profile
  is set (preserves current behaviour)
• PostgresBase TLS threading — PostgresBase.__init__ accepts an
  optional tls_security_profile and passes the resulting SSLContext as
  sslcontext= to psycopg2.connect. Threaded through:
  PostgresCache, RevokableQuotaLimiter, UserQuotaLimiter,
  ClusterQuotaLimiter, QuotaLimiterFactory, TokenUsageHistory,
  CacheFactory, and AppConfig
• Quota scheduler TLS — the standalone connect() function also builds
  and passes an SSLContext when a profile is configured
• sslrootcert bug fix — un-commented sslrootcert=config.ca_cert_path
  in the quota scheduler's connect(), which was accidentally commented out,
  leaving it without CA verification

Type of change

• Bug fix
• New feature

Related Tickets & Documents

• Related Issue: OLS-2459

Checklist before requesting a review

• I have performed a self-review of my code.
• PR has passed all pre-merge test jobs.
• If it is a core feature, I have added thorough tests.

Testing

• All 1048 unit tests pass (make test-unit)
• MyPy type checking passes (make check-types)
• Ruff + Black formatting passes (make format)
• New tests cover:
  • build_ssl_context with IntermediateType, ModernType, None profile,
    None profile_type, CA cert path forwarding
  • PostgresBase with and without TLS profile (sslcontext presence)
  • Quota scheduler connect() with sslrootcert and sslcontext assertions
  • Default POSTGRES_CACHE_SSL_MODE == "require" assertion

Made with Cursor

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign onmete for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[onmete]

Self-review: Round 1 findings and fixes

Critical finding: sslcontext is not a valid libpq keyword

The initial implementation used sslcontext= as a kwarg to psycopg2.connect(),
which would raise ProgrammingError: invalid dsn: invalid connection option "sslcontext"
at runtime whenever a TLS profile was active. psycopg2 forwards all kwargs through
extensions.make_dsn() which only accepts libpq connection parameters.

Fix applied: Replaced build_ssl_context() / sslcontext= with libpq_tls_params()
which returns {"ssl_min_protocol_version": "TLSv1.2"} (or "TLSv1.3" for ModernType),
using libpq's native ssl_min_protocol_version parameter. This is validated to produce
correct DSN strings via extensions.make_dsn().

Cipher enforcement is not possible on the libpq client side — cipher negotiation is
controlled by the PostgreSQL server's ssl_ciphers setting. The minimum_version
enforcement is the security-critical part (prevents TLS downgrade).

Minor finding: inline import in test

Moved from psycopg2 import extensions from inside a test method to module level.

Integration test

Added test_result_can_be_merged_into_connect_kwargs which calls extensions.make_dsn()
with the output of libpq_tls_params() and asserts the DSN contains
ssl_min_protocol_version=TLSv1.2, proving the kwargs are valid for psycopg2.

All 1047 unit tests pass. MyPy, ruff, and black clean.

AI-generated via lightspeed-team-harness: https://github.com/openshift/lightspeed-team-harness

[openshift-ci]

@onmete: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.