From 402769b53456fb5c94905ef30cc5a2d8ec6d03f8 Mon Sep 17 00:00:00 2001
From: Dhiraj Bokde
Date: Wed, 16 Oct 2024 17:09:31 -0700
Subject: [PATCH] feat: add support for configmap CA certs, fixes RHOAIENG-14601

Signed-off-by: Dhiraj Bokde
---
 Makefile | 7 +++-
 api/v1alpha1/modelregistry_types.go | 19 ++++++++++
 api/v1alpha1/zz_generated.deepcopy.go | 30 +++++++++++++++
 ...gistry.opendatahub.io_modelregistries.yaml | 33 +++++++++++++++++
 .../mysql/secure_mysql_modelregistry.yaml | 2 +-
 .../config/templates/deployment.yaml.tmpl | 37 ++++++++++++++-----
 6 files changed, 117 insertions(+), 11 deletions(-)

diff --git a/Makefile b/Makefile
index 4d10855..4f78b0e 100644
--- a/Makefile
+++ b/Makefile
@@ -208,7 +208,7 @@ $(GOVULNCHECK): $(LOCALBIN)
 	test -s $(LOCALBIN)/govulncheck || GOBIN=$(LOCALBIN) GO111MODULE=on go install golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION)
 
 .PHONY: certificates
-certificates:
+certificates: certificates/clean
 	# generate TLS certs
 	scripts/generate_certs.sh $(or $(DOMAIN),$(shell oc get ingresses.config/cluster -o jsonpath='{.spec.domain}'))
 	# create secrets from TLS certs
@@ -224,6 +224,9 @@ certificates:
 		--from-file=tls.key=certs/model-registry-db.key \
 		--from-file=tls.crt=certs/model-registry-db.crt \
 		--from-file=ca.crt=certs/domain.crt
+	# create CA cert configmap
+	$(KUBECTL) create configmap model-registry-db-credential \
+		--from-file=ca.crt=certs/domain.crt
 
 .PHONY: certificates/clean
 certificates/clean:
@@ -233,3 +236,5 @@ certificates/clean:
 	# delete k8s secrets
 	$(KUBECTL) delete --ignore-not-found=true -n istio-system secrets modelregistry-sample-rest-credential modelregistry-sample-grpc-credential
 	$(KUBECTL) delete --ignore-not-found=true secrets model-registry-db-credential
+	# delete k8s configmap
+	$(KUBECTL) delete --ignore-not-found=true configmaps model-registry-db-credential
diff --git a/api/v1alpha1/modelregistry_types.go b/api/v1alpha1/modelregistry_types.go
index 627e8d3..229c6db 100644
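Review bot: The new `$(KUBECTL) create configmap model-registry-db-credential` reuses the exact name of the TLS Secret created just above it, so the one object here that holds only public trust material (a CA certificate) is labelled as a credential, and the two objects are indistinguishable in listings and RBAC reviews. A name such as `model-registry-db-ca` would make the trust-anchor/credential split visible in the cluster; the sample manifest in this patch references the same name and would follow. `kubectl create` (not `apply`) also fails on a second run unless the object is gone, which is only covered because the `certificates` target now depends on `certificates/clean`; a one-line comment on that dependency, e.g. `# clean first: the create commands below are not idempotent`, would keep the next editor from dropping it.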
--- a/api/v1alpha1/modelregistry_types.go
+++ b/api/v1alpha1/modelregistry_types.go
@@ -24,10 +24,20 @@ import (
 // EDIT THIS FILE! THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required. Any new fields you add must have json tags for the fields to be serialized.
 
+type ConfigMapKeyValue struct {
+	// +kubebuilder:validation:Required
+	// Kubernetes configmap name
+	Name string `json:"name"`
+	// +kubebuilder:validation:Required
+	// Key name in configmap
+	Key string `json:"key"`
+}
+
 type SecretKeyValue struct {
 	// +kubebuilder:validation:Required
 	// Kubernetes secret name
 	Name string `json:"name"`
+	// +kubebuilder:validation:Required
 	// Key name in secret
 	Key string `json:"key"`
 }
@@ -76,6 +86,9 @@ type PostgresConfig struct {
 	// to be stored in encrypted form on disk even when interactive
 	// passphrase input is not practical.
 	SSLPasswordSecret *SecretKeyValue `json:"sslPasswordSecret,omitempty"`
+	// This parameter specifies the Kubernetes ConfigMap name and key containing SSL
+	// certificate authority (CA) certificate(s).
+	SSLRootCertificateConfigMap *ConfigMapKeyValue `json:"sslRootCertificateConfigMap,omitempty"`
 	// This parameter specifies the Kubernetes Secret name and key containing SSL
 	// certificate authority (CA) certificate(s).
 	SSLRootCertificateSecret *SecretKeyValue `json:"sslRootCertificateSecret,omitempty"`
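Review bot: `ConfigMapKeyValue` is a new exported API type with no doc comment, and it is field-for-field identical to `SecretKeyValue` directly below it; the CRD description is generated from these comments, so the type-level text is what users see. Add `// ConfigMapKeyValue references a single key within a Kubernetes ConfigMap.` above the struct, and say in it that the referenced ConfigMap must live in the same namespace as the ModelRegistry if that is what the deployment template assumes (it only emits a name, never a namespace). The `+kubebuilder:validation:Required` added to `SecretKeyValue.Key` appears to be redundant, since a field without `omitempty` is already emitted as required (the CRD hunks in this patch show `required: - key - name` as unchanged context), so it is harmless but worth confirming rather than treating as a behaviour change.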
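Review bot: `SSLRootCertificateConfigMap` and `SSLRootCertificateSecret` can both be set on `PostgresConfig`, nothing in the API rejects that, and the deployment template in this patch then silently prefers the ConfigMap, so adding a ConfigMap reference later replaces the database trust anchor without the Secret reference ever being touched. Consider a CEL rule on the struct, `// +kubebuilder:validation:XValidation:rule="!(has(self.sslRootCertificateConfigMap) && has(self.sslRootCertificateSecret))",message="sslRootCertificateConfigMap and sslRootCertificateSecret are mutually exclusive"`, or at minimum state the precedence in the field comment. The same applies to the `MySQLConfig` hunk below, for both the `SSLRootCertificateConfigMap`/`SSLRootCertificateSecret` pair and the `SSLRootCertificatesConfigMapName`/`SSLRootCertificatesSecretName` pair. The field comment is also the place to note that a CA in a ConfigMap is typically editable by a wider set of roles than a Secret, so whoever can write that ConfigMap can redirect which server certificates the registry will trust for its database connection.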
@@ -121,6 +134,12 @@ type MySQLConfig struct {
 	// This parameter specifies the Kubernetes Secret name and key used for the
 	// client private key.
 	SSLKeySecret *SecretKeyValue `json:"sslKeySecret,omitempty"`
+	// This parameter specifies the Kubernetes ConfigMap name and key containing
+	// certificate authority (CA) certificate.
+	SSLRootCertificateConfigMap *ConfigMapKeyValue `json:"sslRootCertificateConfigMap,omitempty"`
+	// This parameter specifies the Kubernetes ConfigMap name containing
+	// multiple certificate authority (CA) certificate(s) as keys.
+	SSLRootCertificatesConfigMapName *string `json:"sslRootCertificatesConfigMapName,omitempty"`
 	// This parameter specifies the Kubernetes Secret name and key containing
 	// certificate authority (CA) certificate.
 	SSLRootCertificateSecret *SecretKeyValue `json:"sslRootCertificateSecret,omitempty"`
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 573cb91..06f8059 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -26,6 +26,21 @@ import (
 	"k8s.io/apimachinery/pkg/runtime"
 )
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *ConfigMapKeyValue) DeepCopyInto(out *ConfigMapKeyValue) {
+	*out = *in
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ConfigMapKeyValue.
+func (in *ConfigMapKeyValue) DeepCopy() *ConfigMapKeyValue {
+	if in == nil {
+		return nil
+	}
+	out := new(ConfigMapKeyValue)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *GatewayConfig) DeepCopyInto(out *GatewayConfig) {
 	*out = *in
@@ -261,6 +276,16 @@ func (in *MySQLConfig) DeepCopyInto(out *MySQLConfig) {
 		*out = new(SecretKeyValue)
 		**out = **in
 	}
+	if in.SSLRootCertificateConfigMap != nil {
+		in, out := &in.SSLRootCertificateConfigMap, &out.SSLRootCertificateConfigMap
+		*out = new(ConfigMapKeyValue)
+		**out = **in
+	}
+	if in.SSLRootCertificatesConfigMapName != nil {
+		in, out := &in.SSLRootCertificatesConfigMapName, &out.SSLRootCertificatesConfigMapName
+		*out = new(string)
+		**out = **in
+	}
 	if in.SSLRootCertificateSecret != nil {
 		in, out := &in.SSLRootCertificateSecret, &out.SSLRootCertificateSecret
 		*out = new(SecretKeyValue)
@@ -321,6 +346,11 @@ func (in *PostgresConfig) DeepCopyInto(out *PostgresConfig) {
 		*out = new(SecretKeyValue)
 		**out = **in
 	}
+	if in.SSLRootCertificateConfigMap != nil {
+		in, out := &in.SSLRootCertificateConfigMap, &out.SSLRootCertificateConfigMap
+		*out = new(ConfigMapKeyValue)
+		**out = **in
+	}
 	if in.SSLRootCertificateSecret != nil {
 		in, out := &in.SSLRootCertificateSecret, &out.SSLRootCertificateSecret
 		*out = new(SecretKeyValue)
diff --git a/config/crd/bases/modelregistry.opendatahub.io_modelregistries.yaml b/config/crd/bases/modelregistry.opendatahub.io_modelregistries.yaml
index ff9f677..1b95c30 100644
--- a/config/crd/bases/modelregistry.opendatahub.io_modelregistries.yaml
+++ b/config/crd/bases/modelregistry.opendatahub.io_modelregistries.yaml
@@ -417,6 +417,20 @@ spec:
                     - key
                     - name
                     type: object
+                  sslRootCertificateConfigMap:
+                    description: This parameter specifies the Kubernetes ConfigMap
+                      name and key containing certificate authority (CA) certificate.
+                    properties:
+                      key:
+                        description: Key name in configmap
+                        type: string
+                      name:
+                        description: Kubernetes configmap name
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
                   sslRootCertificateSecret:
                     description: This parameter specifies the Kubernetes Secret
                       name and key containing certificate authority (CA) certificate.
@@ -431,6 +445,11 @@ spec:
                     - key
                     - name
                     type: object
+                  sslRootCertificatesConfigMapName:
+                    description: This parameter specifies the Kubernetes ConfigMap
+                      name containing multiple certificate authority (CA) certificate(s)
+                      as keys.
+                    type: string
                   sslRootCertificatesSecretName:
                     description: This parameter specifies the Kubernetes Secret
                       name containing multiple certificate authority (CA) certificate(s)
@@ -544,6 +563,20 @@ spec:
                     - key
                     - name
                     type: object
+                  sslRootCertificateConfigMap:
+                    description: This parameter specifies the Kubernetes ConfigMap
+                      name and key containing SSL certificate authority (CA) certificate(s).
+                    properties:
+                      key:
+                        description: Key name in configmap
+                        type: string
+                      name:
+                        description: Kubernetes configmap name
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
                   sslRootCertificateSecret:
                     description: This parameter specifies the Kubernetes Secret
                       name and key containing SSL certificate authority (CA) certificate(s).
diff --git a/config/samples/secure-db/components/mysql/secure_mysql_modelregistry.yaml b/config/samples/secure-db/components/mysql/secure_mysql_modelregistry.yaml
index 9c273b7..e1b373b 100644
--- a/config/samples/secure-db/components/mysql/secure_mysql_modelregistry.yaml
+++ b/config/samples/secure-db/components/mysql/secure_mysql_modelregistry.yaml
@@ -4,6 +4,6 @@ metadata:
   name: modelregistry-sample
 spec:
   mysql:
-    sslRootCertificateSecret:
+    sslRootCertificateConfigMap:
       name: model-registry-db-credential
       key: ca.crt
diff --git a/internal/controller/config/templates/deployment.yaml.tmpl b/internal/controller/config/templates/deployment.yaml.tmpl
index b0174f8..6377f76 100644
--- a/internal/controller/config/templates/deployment.yaml.tmpl
+++ b/internal/controller/config/templates/deployment.yaml.tmpl
@@ -62,7 +62,9 @@ spec:
           {{- if .Spec.Postgres.SSLPasswordSecret}}
           - --postgres_config_sslpassword=${POSTGRES_SSLPASSWORD}
           {{- end}}
-          {{- if .Spec.Postgres.SSLRootCertificateSecret}}
+          {{- if .Spec.Postgres.SSLRootCertificateConfigMap}}
+          - --postgres_config_sslrootcert=/etc/postgres_ssl_rootcert/{{.Spec.Postgres.SSLRootCertificateConfigMap.Key}}
+          {{- else if .Spec.Postgres.SSLRootCertificateSecret}}
           - --postgres_config_sslrootcert=/etc/postgres_ssl_rootcert/{{.Spec.Postgres.SSLRootCertificateSecret.Key}}
           {{- end}}
           {{- else if .Spec.MySQL}}
@@ -85,10 +87,12 @@ spec:
           {{- if .Spec.MySQL.SSLKeySecret}}
           - --mysql_config_sslkey=/etc/mysql_ssl_key/{{.Spec.MySQL.SSLKeySecret.Key}}
           {{- end}}
-          {{- if .Spec.MySQL.SSLRootCertificateSecret}}
+          {{- if .Spec.MySQL.SSLRootCertificateConfigMap}}
+          - --mysql_config_sslrootcert=/etc/mysql_ssl_rootcert/{{.Spec.MySQL.SSLRootCertificateConfigMap.Key}}
+          {{- else if .Spec.MySQL.SSLRootCertificateSecret}}
           - --mysql_config_sslrootcert=/etc/mysql_ssl_rootcert/{{.Spec.MySQL.SSLRootCertificateSecret.Key}}
           {{- end}}
-          {{- if .Spec.MySQL.SSLRootCertificatesSecretName}}
+          {{- if or .Spec.MySQL.SSLRootCertificatesConfigMapName .Spec.MySQL.SSLRootCertificatesSecretName}}
           - --mysql_config_sslcapath=/etc/mysql_ssl_rootcerts/
           {{- end}}
           {{- if .Spec.MySQL.SSLCipher}}
@@ -138,7 +142,7 @@ spec:
             mountPath: /etc/postgres_ssl_key
             readOnly: true
           {{- end}}
-          {{- if .Spec.Postgres.SSLRootCertificateSecret}}
+          {{- if or .Spec.Postgres.SSLRootCertificateConfigMap .Spec.Postgres.SSLRootCertificateSecret}}
           - name: postgres-ssl-rootcert
             mountPath: /etc/postgres_ssl_rootcert
             readOnly: true
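Review bot: In the new `{{- if .Spec.Postgres.SSLRootCertificateConfigMap}}` / `{{- else if .Spec.Postgres.SSLRootCertificateSecret}}` branch the ConfigMap silently wins when a user sets both references, while the matching volumeMount further down is gated on `or` and so cannot show which source was actually mounted; nothing in the template records that precedence. A template comment at the first branch, `{{/* a ConfigMap CA reference takes precedence over a Secret CA reference when both are set */}}`, would make the rule visible where it is applied; the MySQL args hunk on this line has the same shape and would take the same comment. `{{.Spec.Postgres.SSLRootCertificateConfigMap.Key}}` is also emitted unquoted into a container argument, and the CRD in this patch declares the key as a bare `type: string`, so a `+kubebuilder:validation:Pattern` on `ConfigMapKeyValue.Key` matching what Kubernetes accepts as a ConfigMap key (`^[-._a-zA-Z0-9]+$`) would reject malformed values at admission instead of at pod start.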
@@ -154,12 +158,12 @@ spec:
             mountPath: /etc/mysql_ssl_key
             readOnly: true
           {{- end}}
-          {{- if .Spec.MySQL.SSLRootCertificateSecret}}
+          {{- if or .Spec.MySQL.SSLRootCertificateConfigMap .Spec.MySQL.SSLRootCertificateSecret}}
           - name: mysql-ssl-rootcert
             mountPath: /etc/mysql_ssl_rootcert
             readOnly: true
           {{- end}}
-          {{- if .Spec.MySQL.SSLRootCertificatesSecretName}}
+          {{- if or .Spec.MySQL.SSLRootCertificatesConfigMapName .Spec.MySQL.SSLRootCertificatesSecretName}}
           - name: mysql-ssl-rootcerts
             mountPath: /etc/mysql_ssl_rootcerts
             readOnly: true
@@ -244,7 +248,12 @@ spec:
             secretName: {{.Spec.Postgres.SSLKeySecret.Name}}
             defaultMode: 0600
         {{- end}}
-        {{- if .Spec.Postgres.SSLRootCertificateSecret}}
+        {{- if .Spec.Postgres.SSLRootCertificateConfigMap}}
+        - name: postgres-ssl-rootcert
+          configMap:
+            name: {{.Spec.Postgres.SSLRootCertificateConfigMap.Name}}
+            defaultMode: 0600
+        {{- else if .Spec.Postgres.SSLRootCertificateSecret}}
         - name: postgres-ssl-rootcert
           secret:
             secretName: {{.Spec.Postgres.SSLRootCertificateSecret.Name}}
@@ -263,13 +272,23 @@ spec:
             secretName: {{.Spec.MySQL.SSLKeySecret.Name}}
             defaultMode: 0600
         {{- end}}
-        {{- if .Spec.MySQL.SSLRootCertificateSecret}}
+        {{- if .Spec.MySQL.SSLRootCertificateConfigMap}}
+        - name: mysql-ssl-rootcert
+          configMap:
+            name: {{.Spec.MySQL.SSLRootCertificateConfigMap.Name}}
+            defaultMode: 0600
+        {{- else if .Spec.MySQL.SSLRootCertificateSecret}}
         - name: mysql-ssl-rootcert
           secret:
             secretName: {{.Spec.MySQL.SSLRootCertificateSecret.Name}}
             defaultMode: 0600
         {{- end}}
-        {{- if .Spec.MySQL.SSLRootCertificatesSecretName}}
+        {{- if .Spec.MySQL.SSLRootCertificatesConfigMapName}}
+        - name: mysql-ssl-rootcerts
+          configMap:
+            name: {{.Spec.MySQL.SSLRootCertificatesConfigMapName}}
+            defaultMode: 0600
+        {{- else if .Spec.MySQL.SSLRootCertificatesSecretName}}
         - name: mysql-ssl-rootcerts
          secret:
             secretName: {{.Spec.MySQL.SSLRootCertificatesSecretName}}
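Review bot: The three new `configMap:` volumes (`postgres-ssl-rootcert`, `mysql-ssl-rootcert`, `mysql-ssl-rootcerts`) copy `defaultMode: 0600` from the Secret volumes beside them, but a CA certificate is public trust material rather than a credential, and files in a ConfigMap volume are created owned by root, so with 0600 a container running as a non-root UID can read them only when the pod gets an fsGroup (OpenShift's restricted SCC supplies one; a plain Kubernetes namespace may not). `defaultMode: 0444` on the ConfigMap volumes would keep the CA readable in both cases without loosening anything that needs protecting, while the Secret volumes stay at 0600. If 0600 is kept deliberately for parity, a short template comment such as `{{/* 0600 kept for parity with the secret volumes; the CA is not sensitive */}}` would stop the next reader from "fixing" it one way or the other.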