Enhance SSL Testing Support for OpenGauss in Python GaussDB Driver #18

Merged: liubao68 merged 41 commits into HuaweiCloudDeveloper:master from pangpang20:master on Sep 2, 2025
@pangpang20
Collaborator

Description

This pull request introduces comprehensive SSL testing support for the Python GaussDB driver, focusing on OpenGauss database integration. It adds a new SSL-enabled test workflow, updates configuration files, and enhances documentation for SSL setup. The changes ensure robust testing of SSL connections with require and verify-ca modes, improve certificate management, and skip timing-sensitive tests under SSL to maintain test reliability.

Changes Made

  • Added SSL Test Workflow:
    • Created .github/workflows/tests-ssl.yml to define a new GitHub Actions workflow for SSL-enabled tests on ubuntu-22.04.
    • Configured OpenGauss container with SSL settings, including certificate generation and permission management.
    • Updated GAUSSDB_TEST_DSN to include sslmode=verify-ca, client certificates, and keys.
    • Added steps for installing OpenSSL, GaussDB driver, and dependencies, and verifying SSL configuration.
  • Updated Existing Workflow:
    • Renamed .github/workflows/tests.yml to Tests without SSL to distinguish it from the new SSL workflow.
  • Enhanced SSL Testing:
    • Added tests/test_sslmode.py to test database connections and operations under require and verify-ca SSL modes.
    • Modified tests/conftest.py to skip timing-sensitive tests (marked with timing or slow) when SSL is enabled.
    • Updated tests/fix_proxy.py to ensure sslmode=disable is set if not specified, maintaining compatibility.
    • Skipped password usage checks in tests/pq/test_pgconn.py for SSL modes to avoid irrelevant failures.
  • Certificate Management:
    • Added certificate files (certs/ca.crt, certs/ca.key, certs/client.crt, certs/client.key, certs/server.crt, certs/server.key, certs/san.cnf, certs/ca.srl) for SSL testing.
    • Included certs/readme.txt with instructions for generating CA, server, and client certificates.
    • Ensured proper permissions for certificates and configuration files in the workflow.
  • Documentation Improvements:
    • Updated README.rst with detailed instructions for running OpenGauss with SSL, including certificate generation, configuration, and Docker setup.
    • Improved formatting with blank lines for better readability in README.rst and test_sslmode.py.
  • Configuration Enhancements:
    • Configured postgresql.conf and pg_hba.conf for SSL support with hostssl and cert authentication.
    • Adjusted permissions and ownership for configuration and certificate directories to align with OpenGauss requirements.
  • Workflow Optimizations:
    • Switched to ubuntu-22.04 for better compatibility and removed redundant OpenSSL 1.1.1f installation.
    • Simplified certificate generation by moving it to the certs directory and removed unnecessary volume mounts.
    • Added explicit directory creation and file copying for configuration files.

Why

These changes are necessary to ensure the Python GaussDB driver supports secure SSL connections with OpenGauss, which is critical for production environments requiring encrypted communication. The new SSL test workflow validates the driver's behavior under different SSL modes, ensuring reliability and compatibility. Documentation updates provide clear guidance for developers, and workflow optimizations improve test efficiency and maintainability. Skipping timing-sensitive tests under SSL prevents flaky test results due to SSL handshake overhead.

Testing

  • Local Testing:
    • Ran pytest -s -v with GAUSSDB_TEST_DSN configured for sslmode=require and sslmode=verify-ca to verify connection and table operations.
    • Validated certificate generation and permissions using the provided scripts in certs/readme.txt.
    • Confirmed OpenGauss container startup with SSL-enabled configuration using Docker.
  • CI Testing:
    • Executed the tests-ssl.yml workflow in GitHub Actions to ensure all steps (certificate setup, configuration, test execution) complete successfully.
    • Verified the Tests without SSL workflow remains unaffected for non-SSL test cases.
  • Manual Verification:
    • Checked SSL configuration in the OpenGauss container using gsql commands to confirm ssl=on and correct certificate paths.
    • Tested database operations (create, insert, update, select) under SSL modes to ensure functionality.
  • Edge Cases:
    • Validated behavior when GAUSSDB_TEST_DSN lacks SSL parameters, ensuring tests are skipped appropriately.
    • Tested with incorrect certificate permissions to confirm error handling in the workflow.
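
As an added example (not code from this pull request or the driver), a pre-flight check for a test DSN such as GAUSSDB_TEST_DSN that reports what the require and verify-ca modes described above do and do not guarantee, and flags a loosely permissioned client key. It assumes libpq-style key=value DSNs and sslmode semantics; parse_dsn, audit_ssl_dsn and the sample DSNs are hypothetical and constructed.

```python
import os
import shlex
import stat

# sslmode values of libpq-style clients, weakest to strongest (assumed to apply here).
SSL_MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")


def parse_dsn(dsn):
    """Split a key=value DSN (quoted values allowed) into a dict."""
    return dict(tok.split("=", 1) for tok in shlex.split(dsn) if "=" in tok)


def audit_ssl_dsn(dsn):
    """Return a list of findings about the SSL settings in a test DSN."""
    params = parse_dsn(dsn)
    # Assumption: an unset sslmode is treated as disable, as the PR says fix_proxy.py does.
    mode = params.get("sslmode", "disable")
    if mode not in SSL_MODES:
        return [f"unknown sslmode {mode!r}"]
    findings = []
    if mode in ("disable", "allow", "prefer"):
        findings.append(f"sslmode={mode}: encryption is not guaranteed")
    elif mode == "require":
        findings.append("sslmode=require: encrypted, but server certificate checking is not enforced")
    elif "sslrootcert" not in params:
        findings.append(f"sslmode={mode}: no sslrootcert, client falls back to its default CA file")
    if mode == "verify-ca":
        findings.append("sslmode=verify-ca: CA chain is checked, host name is not")
    key = params.get("sslkey")
    if key and os.path.exists(key):
        perms = stat.S_IMODE(os.stat(key).st_mode)
        if perms & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"sslkey {key}: mode {perms:o} is group/world accessible")
    return findings


if __name__ == "__main__":
    # Constructed sample DSNs; the paths mirror the certs/ files named in the PR.
    for sample in (
        "host=localhost dbname=test",
        "host=localhost dbname=test sslmode=require",
        "host=localhost sslmode=verify-ca sslrootcert=certs/ca.crt "
        "sslcert=certs/client.crt sslkey=certs/client.key",
    ):
        print(sample, "->", audit_ssl_dsn(sample))
```

The permission check is stricter than what a client may enforce: it flags any group or world bit on the key file.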

chenyunliang520 added 30 commits August 31, 2025 17:45
…undant chown commands in SSL tests workflow
@liubao68 liubao68 merged commit 1d847dc into HuaweiCloudDeveloper:master Sep 2, 2025
4 checks passed