feat: add support for configmap CA certs, fixes RHOAIENG-14601

Signed-off-by: Dhiraj Bokde <[email protected]>
opendatahub-io · Oct 17, 2024 · 76d61b0 · 76d61b0
1 parent 1f25328
commit 76d61b0
Show file tree

Hide file tree

Showing 6 changed files with 117 additions and 11 deletions.
diff --git a/Makefile b/Makefile
@@ -208,7 +208,7 @@ $(GOVULNCHECK): $(LOCALBIN)
 	test -s $(LOCALBIN)/govulncheck || GOBIN=$(LOCALBIN) GO111MODULE=on go install golang.org/x/vuln/cmd/govulncheck@$(GOVULNCHECK_VERSION)
 
 .PHONY: certificates
-certificates:
+certificates: certificates/clean
 	# generate TLS certs
 	scripts/generate_certs.sh $(or $(DOMAIN),$(shell oc get ingresses.config/cluster -o jsonpath='{.spec.domain}'))
 	# create secrets from TLS certs
@@ -224,6 +224,9 @@ certificates:
       --from-file=tls.key=certs/model-registry-db.key \
       --from-file=tls.crt=certs/model-registry-db.crt \
       --from-file=ca.crt=certs/domain.crt
+    # create CA cert configmap
+	$(KUBECTL) create configmap model-registry-db-credential \
+      --from-file=ca.crt=certs/domain.crt
 
 .PHONY: certificates/clean
 certificates/clean:
@@ -233,3 +236,5 @@ certificates/clean:
 	# delete k8s secrets
 	$(KUBECTL) delete --ignore-not-found=true -n istio-system secrets modelregistry-sample-rest-credential modelregistry-sample-grpc-credential
 	$(KUBECTL) delete --ignore-not-found=true secrets model-registry-db-credential
+	# delete k8s configmap
+	$(KUBECTL) delete --ignore-not-found=true configmaps model-registry-db-credential
diff --git a/api/v1alpha1/modelregistry_types.go b/api/v1alpha1/modelregistry_types.go
@@ -24,10 +24,20 @@ import (
 // EDIT THIS FILE!  THIS IS SCAFFOLDING FOR YOU TO OWN!
 // NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
 
+type ConfigMapKeyValue struct {
+	// +kubebuilder:validation:Required
+	// Kubernetes configmap name
+	Name string `json:"name"`
+	// +kubebuilder:validation:Required
+	// Key name in configmap
+	Key string `json:"key"`
+}
+
 type SecretKeyValue struct {
 	// +kubebuilder:validation:Required
 	// Kubernetes secret name
 	Name string `json:"name"`
+	// +kubebuilder:validation:Required
 	// Key name in secret
 	Key string `json:"key"`
 }
@@ -76,6 +86,9 @@ type PostgresConfig struct {
 	// to be stored in encrypted form on disk even when interactive
 	// passphrase input is not practical.
 	SSLPasswordSecret *SecretKeyValue `json:"sslPasswordSecret,omitempty"`
+	// This parameter specifies the Kubernetes ConfigMap name and key containing SSL
+	// certificate authority (CA) certificate(s).
+	SSLRootCertificateConfigMap *ConfigMapKeyValue `json:"sslRootCertificateConfigMap,omitempty"`
 	// This parameter specifies the Kubernetes Secret name and key containing SSL
 	// certificate authority (CA) certificate(s).
 	SSLRootCertificateSecret *SecretKeyValue `json:"sslRootCertificateSecret,omitempty"`
@@ -121,6 +134,12 @@ type MySQLConfig struct {
 	// This parameter specifies the Kubernetes Secret name and key used for the
 	// client private key.
 	SSLKeySecret *SecretKeyValue `json:"sslKeySecret,omitempty"`
+	// This parameter specifies the Kubernetes ConfigMap name and key containing
+	// certificate authority (CA) certificate.
+	SSLRootCertificateConfigMap *ConfigMapKeyValue `json:"sslRootCertificateConfigMap,omitempty"`
+	// This parameter specifies the Kubernetes ConfigMap name containing
+	// multiple certificate authority (CA) certificate(s) as keys.
+	SSLRootCertificatesConfigMapName *string `json:"sslRootCertificatesConfigMapName,omitempty"`
 	// This parameter specifies the Kubernetes Secret name and key containing
 	// certificate authority (CA) certificate.
 	SSLRootCertificateSecret *SecretKeyValue `json:"sslRootCertificateSecret,omitempty"`

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/modelregistry.opendatahub.io_modelregistries.yaml b/config/crd/bases/modelregistry.opendatahub.io_modelregistries.yaml
@@ -417,6 +417,20 @@ spec:
                     - key
                     - name
                     type: object
+                  sslRootCertificateConfigMap:
+                    description: This parameter specifies the Kubernetes ConfigMap
+                      name and key containing certificate authority (CA) certificate.
+                    properties:
+                      key:
+                        description: Key name in configmap
+                        type: string
+                      name:
+                        description: Kubernetes configmap name
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
                   sslRootCertificateSecret:
                     description: This parameter specifies the Kubernetes Secret name
                       and key containing certificate authority (CA) certificate.
@@ -431,6 +445,11 @@ spec:
                     - key
                     - name
                     type: object
+                  sslRootCertificatesConfigMapName:
+                    description: This parameter specifies the Kubernetes ConfigMap
+                      name containing multiple certificate authority (CA) certificate(s)
+                      as keys.
+                    type: string
                   sslRootCertificatesSecretName:
                     description: This parameter specifies the Kubernetes Secret name
                       containing multiple certificate authority (CA) certificate(s)
@@ -544,6 +563,20 @@ spec:
                     - key
                     - name
                     type: object
+                  sslRootCertificateConfigMap:
+                    description: This parameter specifies the Kubernetes ConfigMap
+                      name and key containing SSL certificate authority (CA) certificate(s).
+                    properties:
+                      key:
+                        description: Key name in configmap
+                        type: string
+                      name:
+                        description: Kubernetes configmap name
+                        type: string
+                    required:
+                    - key
+                    - name
+                    type: object
                   sslRootCertificateSecret:
                     description: This parameter specifies the Kubernetes Secret name
                       and key containing SSL certificate authority (CA) certificate(s).

diff --git a/config/samples/secure-db/components/mysql/secure_mysql_modelregistry.yaml b/config/samples/secure-db/components/mysql/secure_mysql_modelregistry.yaml
@@ -4,6 +4,6 @@ metadata:
   name: modelregistry-sample
 spec:
   mysql:
-    sslRootCertificateSecret:
+    sslRootCertificateConfigMap:
       name: model-registry-db-credential
       key: ca.crt
diff --git a/internal/controller/config/templates/deployment.yaml.tmpl b/internal/controller/config/templates/deployment.yaml.tmpl
@@ -62,7 +62,9 @@ spec:
                 {{- if .Spec.Postgres.SSLPasswordSecret}}
             - --postgres_config_sslpassword=${POSTGRES_SSLPASSWORD}
                 {{- end}}
-                {{- if .Spec.Postgres.SSLRootCertificateSecret}}
+                {{- if .Spec.Postgres.SSLRootCertificateConfigMap}}
+            - --postgres_config_sslrootcert=/etc/postgres_ssl_rootcert/{{.Spec.Postgres.SSLRootCertificateConfigMap.Key}}
+                {{- else if .Spec.Postgres.SSLRootCertificateSecret}}
             - --postgres_config_sslrootcert=/etc/postgres_ssl_rootcert/{{.Spec.Postgres.SSLRootCertificateSecret.Key}}
                 {{- end}}
             {{- else if .Spec.MySQL}}
@@ -85,10 +87,12 @@ spec:
                 {{- if .Spec.MySQL.SSLKeySecret}}
             - --mysql_config_sslkey=/etc/mysql_ssl_key/{{.Spec.MySQL.SSLKeySecret.Key}}
                 {{- end}}
-                {{- if .Spec.MySQL.SSLRootCertificateSecret}}
+                {{- if .Spec.MySQL.SSLRootCertificateConfigMap}}
+            - --mysql_config_sslrootcert=/etc/mysql_ssl_rootcert/{{.Spec.MySQL.SSLRootCertificateConfigMap.Key}}
+                {{- else if .Spec.MySQL.SSLRootCertificateSecret}}
             - --mysql_config_sslrootcert=/etc/mysql_ssl_rootcert/{{.Spec.MySQL.SSLRootCertificateSecret.Key}}
                 {{- end}}
-                {{- if .Spec.MySQL.SSLRootCertificatesSecretName}}
+                {{- if or .Spec.MySQL.SSLRootCertificatesConfigMapName .Spec.MySQL.SSLRootCertificatesSecretName}}
             - --mysql_config_sslcapath=/etc/mysql_ssl_rootcerts/
                 {{- end}}
                 {{- if .Spec.MySQL.SSLCipher}}
@@ -138,7 +142,7 @@ spec:
               mountPath: /etc/postgres_ssl_key
               readOnly: true
                 {{- end}}
-                {{- if .Spec.Postgres.SSLRootCertificateSecret}}
+                {{- if or .Spec.Postgres.SSLRootCertificateConfigMap .Spec.Postgres.SSLRootCertificateSecret}}
             - name: postgres-ssl-rootcert
               mountPath: /etc/postgres_ssl_rootcert
               readOnly: true
@@ -154,12 +158,12 @@ spec:
               mountPath: /etc/mysql_ssl_key
               readOnly: true
                 {{- end}}
-                {{- if .Spec.MySQL.SSLRootCertificateSecret}}
+                {{- if or .Spec.MySQL.SSLRootCertificateConfigMap .Spec.MySQL.SSLRootCertificateSecret}}
             - name: mysql-ssl-rootcert
               mountPath: /etc/mysql_ssl_rootcert
               readOnly: true
                 {{- end}}
-                {{- if .Spec.MySQL.SSLRootCertificatesSecretName}}
+                {{- if or .Spec.MySQL.SSLRootCertificatesConfigMapName .Spec.MySQL.SSLRootCertificatesSecretName}}
             - name: mysql-ssl-rootcerts
               mountPath: /etc/mysql_ssl_rootcerts
               readOnly: true
@@ -244,7 +248,12 @@ spec:
             secretName: {{.Spec.Postgres.SSLKeySecret.Name}}
             defaultMode: 0600
             {{- end}}
-            {{- if .Spec.Postgres.SSLRootCertificateSecret}}
+            {{- if .Spec.Postgres.SSLRootCertificateConfigMap}}
+        - name: postgres-ssl-rootcert
+          configMap:
+            name: {{.Spec.Postgres.SSLRootCertificateConfigMap.Name}}
+            defaultMode: 0600
+            {{- else if .Spec.Postgres.SSLRootCertificateSecret}}
         - name: postgres-ssl-rootcert
           secret:
             secretName: {{.Spec.Postgres.SSLRootCertificateSecret.Name}}
@@ -263,13 +272,23 @@ spec:
             secretName: {{.Spec.MySQL.SSLKeySecret.Name}}
             defaultMode: 0600
             {{- end}}
-            {{- if .Spec.MySQL.SSLRootCertificateSecret}}
+            {{- if .Spec.MySQL.SSLRootCertificateConfigMap}}
+        - name: mysql-ssl-rootcert
+          configMap:
+            name: {{.Spec.MySQL.SSLRootCertificateConfigMap.Name}}
+            defaultMode: 0600
+            {{- else if .Spec.MySQL.SSLRootCertificateSecret}}
         - name: mysql-ssl-rootcert
           secret:
             secretName: {{.Spec.MySQL.SSLRootCertificateSecret.Name}}
             defaultMode: 0600
             {{- end}}
-            {{- if .Spec.MySQL.SSLRootCertificatesSecretName}}
+            {{- if .Spec.MySQL.SSLRootCertificatesConfigMapName}}
+        - name: mysql-ssl-rootcerts
+          configMap:
+            name: {{.Spec.MySQL.SSLRootCertificatesConfigMapName}}
+            defaultMode: 0600
+            {{- else if .Spec.MySQL.SSLRootCertificatesSecretName}}
         - name: mysql-ssl-rootcerts
           secret:
             secretName: {{.Spec.MySQL.SSLRootCertificatesSecretName}}