Add options for ZK ACLs. (#144)

Signed-off-by: Houston Putman <[email protected]>
apache · Nov 12, 2020 · 30fa35b · 30fa35b
1 parent 4312384
commit 30fa35b
Show file tree

Hide file tree

Showing 19 changed files with 1,241 additions and 125 deletions.
diff --git a/api/v1beta1/common_types.go b/api/v1beta1/common_types.go
@@ -187,3 +187,60 @@ func ImageVersion(image string) (version string) {
 		return split[1]
 	}
 }
+
+// SolrNodeStatus is the status of a solrNode in the cloud, with readiness status
+// and internal and external addresses
+type ZookeeperConnectionInfo struct {
+	// The connection string to connect to the ensemble from within the Kubernetes cluster
+	// +optional
+	InternalConnectionString string `json:"internalConnectionString,omitempty"`
+
+	// The connection string to connect to the ensemble from outside of the Kubernetes cluster
+	// If external and no internal connection string is provided, the external cnx string will be used as the internal cnx string
+	// +optional
+	ExternalConnectionString *string `json:"externalConnectionString,omitempty"`
+
+	// The ChRoot to connect solr at
+	// +optional
+	ChRoot string `json:"chroot,omitempty"`
+
+	// ZooKeeper ACL to use when connecting with ZK.
+	// This ACL should have ALL permission in the given chRoot.
+	// +optional
+	AllACL *ZookeeperACL `json:"acl,omitempty"`
+
+	// ZooKeeper ACL to use when connecting with ZK for reading operations.
+	// This ACL should have READ permission in the given chRoot.
+	// +optional
+	ReadOnlyACL *ZookeeperACL `json:"readOnlyAcl,omitempty"`
+}
+
+func (ci *ZookeeperConnectionInfo) withDefaults() (changed bool) {
+	if ci.InternalConnectionString == "" {
+		if ci.ExternalConnectionString != nil {
+			changed = true
+			ci.InternalConnectionString = *ci.ExternalConnectionString
+		}
+	}
+	if ci.ChRoot == "" {
+		changed = true
+		ci.ChRoot = "/"
+	} else if !strings.HasPrefix(ci.ChRoot, "/") {
+		changed = true
+		ci.ChRoot = "/" + ci.ChRoot
+	}
+	return changed
+}
+
+// ZookeeperSpec defines the internal zookeeper ensemble to run for solr
+type ZookeeperACL struct {
+	// The name of the Kubernetes Secret that stores the username and password for the ACL.
+	// This secret must be in the same namespace as the solrCloud or prometheusExporter is running in.
+	SecretRef string `json:"secret"`
+
+	// The name of the key in the given secret that contains the ACL username
+	UsernameKey string `json:"usernameKey"`
+
+	// The name of the key in the given secret that contains the ACL password
+	PasswordKey string `json:"passwordKey"`
+}
diff --git a/api/v1beta1/solrcloud_types.go b/api/v1beta1/solrcloud_types.go
@@ -403,23 +403,6 @@ func (ref *ZookeeperRef) withDefaults() (changed bool) {
 	return changed
 }
 
-func (ci *ZookeeperConnectionInfo) withDefaults() (changed bool) {
-	if ci.InternalConnectionString == "" {
-		if ci.ExternalConnectionString != nil {
-			changed = true
-			ci.InternalConnectionString = *ci.ExternalConnectionString
-		}
-	}
-	if ci.ChRoot == "" {
-		changed = true
-		ci.ChRoot = "/"
-	} else if !strings.HasPrefix(ci.ChRoot, "/") {
-		changed = true
-		ci.ChRoot = "/" + ci.ChRoot
-	}
-	return changed
-}
-
 // ZookeeperSpec defines the internal zookeeper ensemble to run with the given spec
 type ZookeeperSpec struct {
 	// DEPRECATED: Will be removed in v0.3.0
@@ -654,23 +637,6 @@ type SolrNodeStatus struct {
 	Version string `json:"version"`
 }
 
-// SolrNodeStatus is the status of a solrNode in the cloud, with readiness status
-// and internal and external addresses
-type ZookeeperConnectionInfo struct {
-	// The connection string to connect to the ensemble from within the Kubernetes cluster
-	// +optional
-	InternalConnectionString string `json:"internalConnectionString,omitempty"`
-
-	// The connection string to connect to the ensemble from outside of the Kubernetes cluster
-	// If external and no internal connection string is provided, the external cnx string will be used as the internal cnx string
-	// +optional
-	ExternalConnectionString *string `json:"externalConnectionString,omitempty"`
-
-	// The ChRoot to connect solr at
-	// +optional
-	ChRoot string `json:"chroot,omitempty"`
-}
-
 // +kubebuilder:object:root=true
 // +kubebuilder:resource:scope=Namespaced
 

diff --git a/api/v1beta1/solrprometheusexporter_types.go b/api/v1beta1/solrprometheusexporter_types.go
@@ -111,7 +111,7 @@ type SolrCloudReference struct {
 	// +optional
 	Namespace string `json:"namespace,omitempty"`
 
-	// The ZK Connection information for a cloud, could be used for solr's outside of the kube cluster
+	// The ZK Connection information for a cloud, could be used for solr's running outside of the kube cluster
 	// +optional
 	ZookeeperConnectionInfo *ZookeeperConnectionInfo `json:"zkConnectionInfo,omitempty"`
 }

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/solr.bloomberg.com_solrclouds.yaml b/config/crd/bases/solr.bloomberg.com_solrclouds.yaml
@@ -3354,6 +3354,23 @@ spec:
                 connectionInfo:
                   description: A zookeeper ensemble that is run independently of the solr operator If an externalConnectionString is provided, but no internalConnectionString is, the external will be used as the internal
                   properties:
+                    acl:
+                      description: ZooKeeper ACL to use when connecting with ZK. This ACL should have ALL permission in the given chRoot.
+                      properties:
+                        passwordKey:
+                          description: The name of the key in the given secret that contains the ACL password
+                          type: string
+                        secret:
+                          description: The name of the Kubernetes Secret that stores the username and password for the ACL. This secret must be in the same namespace as the solrCloud or prometheusExporter is running in.
+                          type: string
+                        usernameKey:
+                          description: The name of the key in the given secret that contains the ACL username
+                          type: string
+                      required:
+                      - passwordKey
+                      - secret
+                      - usernameKey
+                      type: object
                     chroot:
                       description: The ChRoot to connect solr at
                       type: string
@@ -3363,6 +3380,23 @@ spec:
                     internalConnectionString:
                       description: The connection string to connect to the ensemble from within the Kubernetes cluster
                       type: string
+                    readOnlyAcl:
+                      description: ZooKeeper ACL to use when connecting with ZK for reading operations. This ACL should have READ permission in the given chRoot.
+                      properties:
+                        passwordKey:
+                          description: The name of the key in the given secret that contains the ACL password
+                          type: string
+                        secret:
+                          description: The name of the Kubernetes Secret that stores the username and password for the ACL. This secret must be in the same namespace as the solrCloud or prometheusExporter is running in.
+                          type: string
+                        usernameKey:
+                          description: The name of the key in the given secret that contains the ACL username
+                          type: string
+                      required:
+                      - passwordKey
+                      - secret
+                      - usernameKey
+                      type: object
                   type: object
                 provided:
                   description: 'Create a new Zookeeper Ensemble with the following spec Note: This option will not allow the SolrCloud to run across kube-clusters. Note: Requires   - The zookeeperOperator flag to be provided to the Solr Operator   - A zookeeper operator to be running'
@@ -4533,6 +4567,23 @@ spec:
             zookeeperConnectionInfo:
               description: ZookeeperConnectionInfo is the information on how to connect to the used Zookeeper
               properties:
+                acl:
+                  description: ZooKeeper ACL to use when connecting with ZK. This ACL should have ALL permission in the given chRoot.
+                  properties:
+                    passwordKey:
+                      description: The name of the key in the given secret that contains the ACL password
+                      type: string
+                    secret:
+                      description: The name of the Kubernetes Secret that stores the username and password for the ACL. This secret must be in the same namespace as the solrCloud or prometheusExporter is running in.
+                      type: string
+                    usernameKey:
+                      description: The name of the key in the given secret that contains the ACL username
+                      type: string
+                  required:
+                  - passwordKey
+                  - secret
+                  - usernameKey
+                  type: object
                 chroot:
                   description: The ChRoot to connect solr at
                   type: string
@@ -4542,6 +4593,23 @@ spec:
                 internalConnectionString:
                   description: The connection string to connect to the ensemble from within the Kubernetes cluster
                   type: string
+                readOnlyAcl:
+                  description: ZooKeeper ACL to use when connecting with ZK for reading operations. This ACL should have READ permission in the given chRoot.
+                  properties:
+                    passwordKey:
+                      description: The name of the key in the given secret that contains the ACL password
+                      type: string
+                    secret:
+                      description: The name of the Kubernetes Secret that stores the username and password for the ACL. This secret must be in the same namespace as the solrCloud or prometheusExporter is running in.
+                      type: string
+                    usernameKey:
+                      description: The name of the key in the given secret that contains the ACL username
+                      type: string
+                  required:
+                  - passwordKey
+                  - secret
+                  - usernameKey
+                  type: object
               type: object
           required:
           - backupRestoreReady

diff --git a/config/crd/bases/solr.bloomberg.com_solrprometheusexporters.yaml b/config/crd/bases/solr.bloomberg.com_solrprometheusexporters.yaml
@@ -2262,8 +2262,25 @@ spec:
                       description: The namespace of a solr cloud running within the kubernetes cluster
                       type: string
                     zkConnectionInfo:
-                      description: The ZK Connection information for a cloud, could be used for solr's outside of the kube cluster
+                      description: The ZK Connection information for a cloud, could be used for solr's running outside of the kube cluster
                       properties:
+                        acl:
+                          description: ZooKeeper ACL to use when connecting with ZK. This ACL should have ALL permission in the given chRoot.
+                          properties:
+                            passwordKey:
+                              description: The name of the key in the given secret that contains the ACL password
+                              type: string
+                            secret:
+                              description: The name of the Kubernetes Secret that stores the username and password for the ACL. This secret must be in the same namespace as the solrCloud or prometheusExporter is running in.
+                              type: string
+                            usernameKey:
+                              description: The name of the key in the given secret that contains the ACL username
+                              type: string
+                          required:
+                          - passwordKey
+                          - secret
+                          - usernameKey
+                          type: object
                         chroot:
                           description: The ChRoot to connect solr at
                           type: string
@@ -2273,6 +2290,23 @@ spec:
                         internalConnectionString:
                           description: The connection string to connect to the ensemble from within the Kubernetes cluster
                           type: string
+                        readOnlyAcl:
+                          description: ZooKeeper ACL to use when connecting with ZK for reading operations. This ACL should have READ permission in the given chRoot.
+                          properties:
+                            passwordKey:
+                              description: The name of the key in the given secret that contains the ACL password
+                              type: string
+                            secret:
+                              description: The name of the Kubernetes Secret that stores the username and password for the ACL. This secret must be in the same namespace as the solrCloud or prometheusExporter is running in.
+                              type: string
+                            usernameKey:
+                              description: The name of the key in the given secret that contains the ACL username
+                              type: string
+                          required:
+                          - passwordKey
+                          - secret
+                          - usernameKey
+                          type: object
                       type: object
                   type: object
                 standalone:

diff --git a/controllers/controller_utils_test.go b/controllers/controller_utils_test.go
@@ -178,6 +178,14 @@ func expectDeployment(t *testing.T, g *gomega.GomegaWithT, requests chan reconci
 }
 
 func testPodEnvVariables(t *testing.T, expectedEnvVars map[string]string, foundEnvVars []corev1.EnvVar) {
+	testGenericPodEnvVariables(t, expectedEnvVars, foundEnvVars, "SOLR_OPTS")
+}
+
+func testMetricsPodEnvVariables(t *testing.T, expectedEnvVars map[string]string, foundEnvVars []corev1.EnvVar) {
+	testGenericPodEnvVariables(t, expectedEnvVars, foundEnvVars, "JAVA_OPTS")
+}
+
+func testGenericPodEnvVariables(t *testing.T, expectedEnvVars map[string]string, foundEnvVars []corev1.EnvVar, lastVarName string) {
 	matchCount := 0
 	for _, envVar := range foundEnvVars {
 		if expectedVal, match := expectedEnvVars[envVar.Name]; match {
@@ -186,6 +194,7 @@ func testPodEnvVariables(t *testing.T, expectedEnvVars map[string]string, foundE
 		}
 	}
 	assert.Equal(t, len(expectedEnvVars), matchCount, "Not all expected env variables found in podSpec")
+	assert.Equal(t, lastVarName, foundEnvVars[len(foundEnvVars)-1].Name, lastVarName+" must be the last envVar set, as it uses other envVars.")
 }
 
 func testPodTolerations(t *testing.T, expectedTolerations []corev1.Toleration, foundTolerations []corev1.Toleration) {