Release v2.0.0 - Enterprise-Grade Database Proxy

.github/workflows/deploy.yaml

@@ -9,13 +9,49 @@ on:
       - "v*"
   release:
     types: [created]
+  pull_request:
+    branches:
+      - main
+      - development
 
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
 
 jobs:
+  test:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, macos-latest]
+        go-version: ["1.23.4"]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Go
+        uses: actions/setup-go@v4
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: Cache Go modules
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cache/go-build
+            ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ matrix.go-version }}-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-${{ matrix.go-version }}-
+
+      - name: Run tests
+        run: go test -v ./...
+
+      - name: Build binary for ${{ matrix.os }}
+        run: CGO_ENABLED=0 go build -o xdatabase-proxy cmd/proxy/main.go
+
   build-and-push:
+    needs: test
     runs-on: ubuntu-latest
     if: github.ref == 'refs/heads/main' || startsWith(github.ref, 'refs/tags/v')
     permissions:
@@ -31,9 +67,6 @@ jobs:
         with:
           go-version: "1.23.4"
 
-      - name: Run tests
-        run: go test -v ./...
-
       - name: Log in to the Container registry
         uses: docker/login-action@v3
         with:
@@ -64,9 +97,10 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64,linux/386
 
   build-and-push-development:
+    needs: test
     runs-on: ubuntu-latest
     if: github.ref == 'refs/heads/development'
     permissions:
@@ -82,9 +116,6 @@ jobs:
         with:
           go-version: "1.23.4"
 
-      - name: Run tests
-        run: go test -v ./...
-
       - name: Log in to the Container registry
         uses: docker/login-action@v3
         with:
@@ -115,7 +146,7 @@ jobs:
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}
-          platforms: linux/amd64
+          platforms: linux/amd64,linux/arm64,linux/386
 
   create-release:
     needs: build-and-push

.gitignore

@@ -9,3 +9,6 @@ build/
 
 # Ignore all files in the dist directory
 dist/
+
+./development_data
+development_data

CHANGELOG.md

@@ -11,13 +11,135 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
-### Deprecated
+### Fixed
 
 ### Removed
 
+### Security
+
+## [2.0.0] - 2026-01-12
+
+### Added
+- **Runtime Environment Detection**: Auto-detect execution environment (Kubernetes/Container/VM)
+- **Flexible Discovery Modes**: 
+  - Kubernetes discovery from any runtime (in-cluster or remote with kubeconfig)
+  - Static backend configuration for non-Kubernetes deployments
+- **Enterprise TLS Management**:
+  - `TLS_AUTO_GENERATE`: Automatic self-signed certificate generation
+  - `TLS_AUTO_RENEW`: Automatic certificate renewal for expired/invalid certs
+  - `TLS_RENEWAL_THRESHOLD_DAYS`: Configurable renewal threshold
+  - Certificate expiration validation
+  - **Optional TLS**: `TLS_ENABLED` flag to make TLS completely optional
+- **Professional Configuration System**:
+  - Runtime-aware configuration (kubernetes/container/vm)
+  - Type-safe configuration with validation
+  - Smart auto-detection for all modes (runtime, discovery, TLS)
+- **Enhanced Environment Variables**:
+  - `DATABASE_TYPE`: Database type (postgresql)
+  - `RUNTIME`: Explicit runtime environment setting
+  - `DISCOVERY_MODE`: Explicit discovery mode
+  - `TLS_MODE`: Explicit TLS provider mode
+  - `TLS_ENABLED`: Enable/disable TLS
+  - `NAMESPACE`: Professional naming (replaces POD_NAMESPACE)
+- **Multi-Runtime Kubernetes Access**:
+  - Access Kubernetes from VM/Container using KUBECONFIG
+  - Support for multiple Kubernetes contexts
+  - Remote cluster discovery from non-Kubernetes environments
+- **Configuration Validation**: Comprehensive validation with helpful error messages
+- **Backward Compatibility**: Full support for legacy environment variables
+- New proxy manager component for advanced proxy infrastructure management
+- Comprehensive structured logger with improved console output formatting
+- Self-signed certificate generation capability for TLS
+- Database type support in resolver configurations (Kubernetes and Memory resolvers)
+- Test client script (`scripts/test-client.sh`) for connection testing
+- Certificate utility functions for certificate management (`cmd/proxy/internal/utils/cert.go`)
+- Memory-based TLS provider implementation
+- API server component for proxy management
+- Core server architecture with improved request handling
+- Protocol handler for PostgreSQL connections
+- Filesystem-based TLS storage provider
+
+### Changed
+- **Removed `PROXY_ENABLED`**: Proxy always runs when started (fail-fast on misconfiguration)
+- **Professional Configuration Architecture**:
+  - Type-safe enums for modes (RuntimeEnvironment, DiscoveryMode, TLSMode)
+  - Validation-first approach with clear error messages
+  - Smart defaults for all settings
+- **Improved Factory Pattern**:
+  - Runtime-aware resolver factory
+  - TLS factory with certificate lifecycle management
+  - Better error handling and logging
+- **Enhanced README**:
+  - Complete rewrite with enterprise focus
+  - Clear runtime scenarios and examples
+  - Professional documentation structure
+  - Architecture diagram
+- **Better Logging**:
+  - Runtime information in startup logs
+  - TLS mode and certificate status
+  - Discovery mode details
+- Merged main branch into development branch for latest stable features
+- Updated Docker CMD path to reflect new folder structure (`cmd/proxy`)
+- Refactored connection handler to improve error handling and lifecycle management for production environments
+- Moved PostgreSQL handler from protocol package to proxy package
+- Reorganized project structure: moved from `apps/proxy` to `cmd/proxy` and `pkg/*` to `cmd/proxy/internal/*`
+- Updated TLS provider implementation with enhanced self-signed certificate support
+- Improved discovery system for both Kubernetes and memory-based resolvers
+- Enhanced PostgreSQL protocol parser implementation
+- Restructured folder hierarchy for better organization
+- Updated GitHub usernames and repository references across all configuration files
+- Modified platform support in deployment workflow (amd64, arm64, 386)
+- **TLS Now Optional**: Proxy can run without TLS if `TLS_ENABLED=false`
+- Updated all Kubernetes deployment YAMLs to use new environment variable scheme
+- Updated test and development scripts to use new configuration format
+
 ### Fixed
+- **PostgreSQL Database Parameter Handling**: Complete fix for database defaulting logic
+  - Defaults to "postgres" when client omits database name
+  - Detects when client auto-fills database with username (common psql behavior)
+  - Prevents "database does not exist" errors when username contains deployment_id suffix
+  - Example: `database=postgres.team-1992252154561` now correctly becomes `database=postgres`
+- **PostgreSQL Resolver**: Uses correct database type (postgresql) instead of mysql for routing
+- **StartupMessage Rebuild**: Simplified logic - now rebuilds on every handshake for consistency
+  - Every TCP connection gets a fresh StartupMessage
+  - Eliminates unnecessary optimization that caused edge cases
+  - Ensures username parsing and database defaulting always work correctly
+- **Enhanced Logging**: Added comprehensive logging for connection parameters and username parsing
+- Multi-instance TLS certificate creation race conditions
+- Kubernetes discovery from non-Kubernetes runtimes
+- Certificate lifecycle management issues
+- Configuration validation edge cases
+- Connection lifecycle issues in production environments
+- Error response handling in connection handler
+- Binary file cleanup (removed `proxy` binary from tracking)
+- Certificate file management in repository
+
+### Removed
+- `PROXY_ENABLED` environment variable (proxy always runs)
+- `POD_NAMESPACE` in favor of generic `NAMESPACE`
+- `POSTGRESQL_PROXY_ENABLED` in favor of `DATABASE_TYPE`
+- `TLS_ENABLE_SELF_SIGNED` in favor of `TLS_AUTO_GENERATE`
+- Unnecessary configuration complexity
+- Deleted old HTTP health check implementation (`cmd/proxy/internal/http/health.go`)
+- Removed legacy Kubernetes client implementation
+- Cleaned up old proxy server implementations and tests
+- Removed temporary binary and certificate files from repository root
 
 ### Security
+- Enhanced certificate validation
+- Automatic certificate renewal prevents expired certs
+- Multi-instance safe certificate generation
+- Better TLS configuration validation
+- Enhanced TLS configuration with improved certificate management
+- Added self-signed certificate generation for development environments
+- Improved certificate storage security with filesystem provider
+
+### Architecture
+- **Configuration-Driven Design**: All behavior controlled by environment variables
+- **Runtime Awareness**: Detects and adapts to execution environment
+- **Fail-Fast Philosophy**: Clear errors on misconfiguration
+- **Production-Grade**: Enterprise-ready with proper validation and error handling
+- **Optional TLS**: Full support for non-TLS deployments
 
 ## [1.0.8] - 2025-07-07
 

Dockerfile

@@ -1,16 +1,25 @@
+# Build stage
 FROM golang:1.23.4-alpine as builder
 
 WORKDIR /app
 
 COPY . .
 
 RUN go mod download
-RUN CGO_ENABLED=0 go build -o main apps/proxy/main.go
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -o main cmd/proxy/main.go
 
+# Runtime stage
 FROM alpine:latest as runner
 
 WORKDIR /app
 
+RUN apk add --no-cache ca-certificates tzdata
+
 COPY --from=builder /app/main /app/main
 
+EXPOSE 5432
+
+HEALTHCHECK --interval=30s --timeout=3s --start-period=5s --retries=3 \
+  CMD test -f /app/main || exit 1
+
 CMD ["./main"]