fix postgres impl

dims · dims · commit 9c1f6c0614b1 · 2025-11-19T06:35:18.000-05:00
Signed-off-by: Davanum Srinivas &lt;dsrinivas@nvidia.com&gt;
diff --git a/distros/kubernetes/nvsentinel/templates/configmap.yaml b/distros/kubernetes/nvsentinel/templates/configmap.yaml
@@ -24,7 +24,8 @@ data:
       "enableK8sPlatformConnector": "{{ .Values.platformConnector.k8sConnector.enabled }}",
       "K8sConnectorQps": {{ printf "%.2f" .Values.platformConnector.k8sConnector.qps }},
       "K8sConnectorBurst": {{ .Values.platformConnector.k8sConnector.burst }},
-      "enableMongoDBStorePlatformConnector": "{{ .Values.global.mongodbStore.enabled }}"
+      "enableMongoDBStorePlatformConnector": "{{ .Values.global.mongodbStore.enabled }}",
+      "enablePostgresDBStorePlatformConnector": {{ eq .Values.global.datastore.provider "postgresql" | quote }}
       {{- if .Values.platformConnector.nodeMetadata }}
       ,"nodeMetadataAugmentationEnabled": "{{ .Values.platformConnector.nodeMetadata.enabled }}"
       ,"nodeMetadataCacheSize": {{ .Values.platformConnector.nodeMetadata.cacheSize }}
diff --git a/distros/kubernetes/nvsentinel/templates/daemonset.yaml b/distros/kubernetes/nvsentinel/templates/daemonset.yaml
@@ -41,8 +41,49 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       serviceAccountName: {{ include "nvsentinel.serviceAccountName" . }}
+      {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+      initContainers:
+        - name: fix-cert-permissions
+          image: "docker.io/bitnamilegacy/os-shell:12-debian-12-r30"
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            runAsUser: 1001
+            runAsGroup: 1001
+          command:
+            - sh
+            - -c
+            - |
+              echo "Copying PostgreSQL client certificates with correct permissions..."
+              cp /etc/ssl/client-certs-original/tls.crt /etc/ssl/client-certs-fixed/
+              cp /etc/ssl/client-certs-original/ca.crt /etc/ssl/client-certs-fixed/
+              cp /etc/ssl/client-certs-original/tls.key /etc/ssl/client-certs-fixed/
+              chmod 644 /etc/ssl/client-certs-fixed/tls.crt
+              chmod 644 /etc/ssl/client-certs-fixed/ca.crt
+              chmod 600 /etc/ssl/client-certs-fixed/tls.key
+              echo "Certificate permissions fixed:"
+              ls -la /etc/ssl/client-certs-fixed/
+          volumeMounts:
+            - name: postgresql-client-cert-original
+              mountPath: /etc/ssl/client-certs-original
+              readOnly: true
+            - name: client-certs-fixed
+              mountPath: /etc/ssl/client-certs-fixed
+      {{- end }}
       containers:
         - name: platform-connector
+          image: "{{ .Values.platformConnector.image.repository }}:{{ .Values.platformConnector.image.tag | default .Values.global.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.platformConnector.image.pullPolicy }}
+          {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+          securityContext:
+            runAsUser: 1001
+            runAsGroup: 1001
+          {{- else }}
+          securityContext:
+            runAsUser: 0
+            capabilities:
+              drop:
+              - ALL
+          {{- end }}
           ports:
             - name: metrics
               containerPort: {{ .Values.global.metricsPort }}
@@ -62,17 +103,14 @@ spec:
             periodSeconds: 10
             timeoutSeconds: 3
             failureThreshold: 3
-          securityContext:
-            runAsUser: 0
-            capabilities:
-              drop:
-              - ALL
-          image: "{{ .Values.platformConnector.image.repository }}:{{ .Values.platformConnector.image.tag | default .Values.global.image.tag | default .Chart.AppVersion }}"
-          imagePullPolicy: {{ .Values.platformConnector.image.pullPolicy }}
           args:
           - "--config=/etc/config/config.json"
           - "--metrics-port={{ .Values.global.metricsPort }}"
-          - "--mongo-client-cert-mount-path=/etc/ssl/mongo-client"
+          {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+          - "--database-client-cert-mount-path={{ .Values.platformConnector.postgresqlStore.clientCertMountPath }}"
+          {{- else }}
+          - "--mongo-client-cert-mount-path={{ .Values.platformConnector.mongodbStore.clientCertMountPath }}"
+          {{- end }}
           - "--socket={{ .Values.socketPath }}"
           resources:
             {{- toYaml .Values.platformConnector.resources | nindent 12 }}
@@ -81,9 +119,15 @@ spec:
               mountPath: /var/run
             - name: platform-connector-configmap
               mountPath: /etc/config/
+            {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+            - name: client-certs-fixed
+              mountPath: {{ .Values.platformConnector.postgresqlStore.clientCertMountPath }}
+              readOnly: true
+            {{- else }}
             - name: mongo-app-client-cert
-              mountPath: /etc/ssl/mongo-client
+              mountPath: {{ .Values.platformConnector.mongodbStore.clientCertMountPath }}
               readOnly: true
+            {{- end }}
           env:
             - name: NODE_NAME
               valueFrom:
@@ -92,8 +136,13 @@ spec:
                   fieldPath: spec.nodeName
             - name: LOG_LEVEL
               value: "{{ .Values.platformConnector.logLevel }}"
+            {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+            - name: POSTGRESQL_CLIENT_CERT_MOUNT_PATH
+              value: {{ .Values.platformConnector.postgresqlStore.clientCertMountPath }}
+            {{- else }}
             - name: MONGODB_CLIENT_CERT_MOUNT_PATH
               value: {{ .Values.platformConnector.mongodbStore.clientCertMountPath }}
+            {{- end }}
           envFrom:
             - configMapRef:
                 name: {{ if .Values.global.datastore }}{{ .Release.Name }}-datastore-config{{ else }}mongodb-config{{ end }}
@@ -106,10 +155,19 @@ spec:
         - name: platform-connector-configmap
           configMap:
             name: {{ include "nvsentinel.fullname" . }}
+        {{- if and .Values.global.datastore (eq .Values.global.datastore.provider "postgresql") }}
+        - name: postgresql-client-cert-original
+          secret:
+            secretName: postgresql-client-cert
+            optional: false
+        - name: client-certs-fixed
+          emptyDir: {}
+        {{- else }}
         - name: mongo-app-client-cert
           secret:
             secretName: mongo-app-client-cert-secret
             optional: true
+        {{- end }}
       {{- with (.Values.global.tolerations | default .Values.platformConnector.tolerations) }}
       tolerations:
         {{- toYaml . | nindent 8 }}
diff --git a/distros/kubernetes/nvsentinel/values.yaml b/distros/kubernetes/nvsentinel/values.yaml
@@ -91,6 +91,9 @@ platformConnector:
     enabled: false
     clientCertMountPath: "/etc/ssl/mongo-client"
 
+  postgresqlStore:
+    clientCertMountPath: "/etc/ssl/client-certs"
+
   k8sConnector:
     enabled: true
     qps: 5.0
diff --git a/platform-connectors/main.go b/platform-connectors/main.go
@@ -212,7 +212,7 @@ func initializeConnectors(
 	}
 
 	// Keep the legacy config key name for backward compatibility with existing ConfigMaps
-	if config["enableMongoDBStorePlatformConnector"] == True {
+	if config["enableMongoDBStorePlatformConnector"] == True || config["enablePostgresDBStorePlatformConnector"] == True {
 		storeConnector, err = initializeDatabaseStoreConnector(ctx, databaseClientCertMountPath)
 		if err != nil {
 			return nil, nil, nil, fmt.Errorf("failed to initialize database store connector: %w", err)
diff --git a/store-client/pkg/datastore/providers/postgresql/database_client.go b/store-client/pkg/datastore/providers/postgresql/database_client.go
@@ -254,7 +254,7 @@ func (c *PostgreSQLDatabaseClient) FindOne(
 	}
 
 	//nolint:gosec // G201: table name is controlled internally, not from user input
-	query := fmt.Sprintf("SELECT data FROM %s WHERE %s LIMIT 1", c.tableName, whereClause)
+	query := fmt.Sprintf("SELECT document FROM %s WHERE %s LIMIT 1", c.tableName, whereClause)
 
 	var jsonData []byte
 
@@ -293,7 +293,7 @@ func (c *PostgreSQLDatabaseClient) Find(
 	}
 
 	//nolint:gosec // G201: table name is controlled internally, not from user input
-	query := fmt.Sprintf("SELECT data FROM %s WHERE %s", c.tableName, whereClause)
+	query := fmt.Sprintf("SELECT document FROM %s WHERE %s", c.tableName, whereClause)
 
 	// Apply options
 	if options != nil {
diff --git a/store-client/pkg/datastore/providers/postgresql/health_events.go b/store-client/pkg/datastore/providers/postgresql/health_events.go
@@ -21,7 +21,6 @@ import (
 	"fmt"
 	"log/slog"
 	"strings"
-	"time"
 
 	"github.com/nvidia/nvsentinel/store-client/pkg/datastore"
 )
@@ -268,6 +267,14 @@ func (p *PostgreSQLHealthEventStore) FindHealthEventsByNode(
 			return nil, fmt.Errorf("failed to unmarshal health event: %w", err)
 		}
 
+		// Populate RawEvent for cold-start support
+		var rawEvent map[string]interface{}
+		if err := json.Unmarshal(documentJSON, &rawEvent); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal raw event: %w", err)
+		}
+
+		event.RawEvent = rawEvent
+
 		events = append(events, event)
 	}
 
@@ -368,6 +375,14 @@ func (p *PostgreSQLHealthEventStore) executeFilterQuery(
 			return nil, fmt.Errorf("failed to unmarshal health event: %w", err)
 		}
 
+		// Populate RawEvent for cold-start support
+		var rawEvent map[string]interface{}
+		if err := json.Unmarshal(documentJSON, &rawEvent); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal raw event: %w", err)
+		}
+
+		event.RawEvent = rawEvent
+
 		events = append(events, event)
 	}
 
@@ -407,6 +422,14 @@ func (p *PostgreSQLHealthEventStore) FindHealthEventsByStatus(
 			return nil, fmt.Errorf("failed to unmarshal health event: %w", err)
 		}
 
+		// Populate RawEvent for cold-start support
+		var rawEvent map[string]interface{}
+		if err := json.Unmarshal(documentJSON, &rawEvent); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal raw event: %w", err)
+		}
+
+		event.RawEvent = rawEvent
+
 		events = append(events, event)
 	}
 
@@ -563,6 +586,14 @@ func (p *PostgreSQLHealthEventStore) FindLatestEventForNode(
 		return nil, fmt.Errorf("failed to unmarshal health event: %w", err)
 	}
 
+	// Populate RawEvent for cold-start support
+	var rawEvent map[string]interface{}
+	if err := json.Unmarshal(documentJSON, &rawEvent); err != nil {
+		return nil, fmt.Errorf("failed to unmarshal raw event: %w", err)
+	}
+
+	event.RawEvent = rawEvent
+
 	return &event, nil
 }
 
@@ -576,10 +607,9 @@ func (p *PostgreSQLHealthEventStore) FindHealthEventsByQuery(ctx context.Context
 	// Build the full query
 	//nolint:gosec // G202 false positive - using parameterized query with placeholders
 	query := `
-		SELECT id, data, createdAt, updatedAt
+		SELECT document
 		FROM health_events
 		WHERE ` + whereClause + `
-		ORDER BY createdAt DESC
 	`
 
 	rows, err := p.db.QueryContext(ctx, query, args...)
@@ -591,13 +621,9 @@ func (p *PostgreSQLHealthEventStore) FindHealthEventsByQuery(ctx context.Context
 	var events []datastore.HealthEventWithStatus
 
 	for rows.Next() {
-		var id string
-
 		var documentJSON []byte
 
-		var createdAt, updatedAt time.Time
-
-		if err := rows.Scan(&id, &documentJSON, &createdAt, &updatedAt); err != nil {
+		if err := rows.Scan(&documentJSON); err != nil {
 			return nil, fmt.Errorf("failed to scan health event row: %w", err)
 		}
 
@@ -606,7 +632,13 @@ func (p *PostgreSQLHealthEventStore) FindHealthEventsByQuery(ctx context.Context
 			return nil, fmt.Errorf("failed to unmarshal health event: %w", err)
 		}
 
-		event.CreatedAt = createdAt
+		// Populate RawEvent for cold-start support
+		var rawEvent map[string]interface{}
+		if err := json.Unmarshal(documentJSON, &rawEvent); err != nil {
+			return nil, fmt.Errorf("failed to unmarshal raw event: %w", err)
+		}
+
+		event.RawEvent = rawEvent
 		events = append(events, event)
 	}
 
diff --git a/store-client/pkg/query/builder.go b/store-client/pkg/query/builder.go
@@ -407,7 +407,7 @@ func mongoFieldToJSONB(fieldPath string) string {
 			return fieldPath
 		}
 
-		return fmt.Sprintf("data->>'%s'", fieldPath)
+		return fmt.Sprintf("document->>'%s'", fieldPath)
 	}
 
 	// Split the path into parts
@@ -417,7 +417,7 @@ func mongoFieldToJSONB(fieldPath string) string {
 	// All intermediate parts use -> operator
 	// Final part uses ->> operator to extract as text
 	var jsonbPath strings.Builder
-	jsonbPath.WriteString("data")
+	jsonbPath.WriteString("document")
 
 	for i, part := range parts {
 		if i < len(parts)-1 {
diff --git a/store-client/pkg/query/builder_test.go b/store-client/pkg/query/builder_test.go

Original file line number	Diff line number	Diff line change
`@@ -212,7 +212,7 @@ func initializeConnectors(`
`212`	`212`	`}`
`213`	`213`
`214`	`214`	`// Keep the legacy config key name for backward compatibility with existing ConfigMaps`
`215`		`- if config["enableMongoDBStorePlatformConnector"] == True {`
	`215`	`+ if config["enableMongoDBStorePlatformConnector"] == True \|\| config["enablePostgresDBStorePlatformConnector"] == True {`
`216`	`216`	`storeConnector, err = initializeDatabaseStoreConnector(ctx, databaseClientCertMountPath)`
`217`	`217`	`if err != nil {`
`218`	`218`	`return nil, nil, nil, fmt.Errorf("failed to initialize database store connector: %w", err)`
Original file line number	Diff line number	Diff line change
`@@ -254,7 +254,7 @@ func (c *PostgreSQLDatabaseClient) FindOne(`
`254`	`254`	`}`
`255`	`255`
`256`	`256`	`//nolint:gosec // G201: table name is controlled internally, not from user input`
`257`		`- query := fmt.Sprintf("SELECT data FROM %s WHERE %s LIMIT 1", c.tableName, whereClause)`
	`257`	`+ query := fmt.Sprintf("SELECT document FROM %s WHERE %s LIMIT 1", c.tableName, whereClause)`
`258`	`258`
`259`	`259`	`var jsonData []byte`
`260`	`260`
`@@ -293,7 +293,7 @@ func (c *PostgreSQLDatabaseClient) Find(`
`293`	`293`	`}`
`294`	`294`
`295`	`295`	`//nolint:gosec // G201: table name is controlled internally, not from user input`
`296`		`- query := fmt.Sprintf("SELECT data FROM %s WHERE %s", c.tableName, whereClause)`
	`296`	`+ query := fmt.Sprintf("SELECT document FROM %s WHERE %s", c.tableName, whereClause)`
`297`	`297`
`298`	`298`	`// Apply options`
`299`	`299`	`if options != nil {`
Original file line number	Diff line number	Diff line change
`@@ -407,7 +407,7 @@ func mongoFieldToJSONB(fieldPath string) string {`
`407`	`407`	`return fieldPath`
`408`	`408`	`}`
`409`	`409`
`410`		`- return fmt.Sprintf("data->>'%s'", fieldPath)`
	`410`	`+ return fmt.Sprintf("document->>'%s'", fieldPath)`
`411`	`411`	`}`
`412`	`412`
`413`	`413`	`// Split the path into parts`
`@@ -417,7 +417,7 @@ func mongoFieldToJSONB(fieldPath string) string {`
`417`	`417`	`// All intermediate parts use -> operator`
`418`	`418`	`// Final part uses ->> operator to extract as text`
`419`	`419`	`var jsonbPath strings.Builder`
`420`		`- jsonbPath.WriteString("data")`
	`420`	`+ jsonbPath.WriteString("document")`
`421`	`421`
`422`	`422`	`for i, part := range parts {`
`423`	`423`	`if i < len(parts)-1 {`