Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support TLS connections for galera #119

Merged

Conversation

dciabrin
Copy link
Contributor

No description provided.

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jun 28, 2023

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@dciabrin dciabrin force-pushed the galera-tls branch 2 times, most recently from 59dacf0 to 68e9f09 Compare July 3, 2023 10:48
@dciabrin dciabrin marked this pull request as ready for review July 3, 2023 12:12
@openshift-ci openshift-ci bot requested review from abays and olliewalsh July 3, 2023 12:13
@dciabrin
Copy link
Contributor Author

dciabrin commented Jul 4, 2023

/retest

@dciabrin
Copy link
Contributor Author

/retest

controllers/galera_controller.go Outdated Show resolved Hide resolved
controllers/galera_controller.go Outdated Show resolved Hide resolved
pkg/mariadb/database.go Outdated Show resolved Hide resolved
@dciabrin
Copy link
Contributor Author

/retest

Copy link
Contributor

@gibizer gibizer left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

overall looks good to me

Comment on lines 154 to 155
// useTLS = (dbGalera.Spec.TLS.SecretName != "")
useTLS = false
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to switch to the commented out code to be able to test this?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I updated it slightly to enforce TLS for users based on TLS property "TLS.Service.DisableNonTLSListeners". I also added a kuttl test for that feature

@dciabrin dciabrin force-pushed the galera-tls branch 4 times, most recently from 09009ce to d2b38a3 Compare October 23, 2023 15:10
Comment on lines 740 to 756
Watches(&source.Kind{Type: &corev1.Secret{}}, handler.EnqueueRequestsFromMapFunc(
func(o client.Object) []reconcile.Request {
labels := o.GetLabels()

reconcileCR, hasLabel := labels[mariaDBReconcileLabel]
if !hasLabel {
return []reconcile.Request{}
}

return []reconcile.Request{
{NamespacedName: types.NamespacedName{
Name: reconcileCR,
Namespace: o.GetNamespace(),
}},
}
},
)).
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is the label being set somewhere ? you consider using it to watch the tls cert secrets? for this case we intend that the service operators add themselves as an additional owner (not controller) of the secret. then is should only be required to add Owns(&corev1.Secret{}).

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my remark below


mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1"
mariadb "github.com/openstack-k8s-operators/mariadb-operator/pkg/mariadb"
)

// Label used in a k8s secret to reference its corresponding galera CR
const mariaDBReconcileLabel = "mariadb-ref"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is it added somewhere to an object?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No the idea was to rely on the templating ability of cert-manager, as e.g. https://github.com/openstack-k8s-operators/mariadb-operator/pull/119/files#diff-c73cb33ebf19bd8e12d56f29679841e5abcd55b1fb58b07ec416749e8ca2d30bR47-R49
The drawback is that any Secret won't work if it's not labeled.
I'm good with adding the label automatically if this is a pattern that we're going to follow everywhere in the project.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lets wait with this. I should have an example hopefully tomorrow or on thu to show what I mean

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just implemented the 2nd pattern in this PR, that uses cache indexing. This approach allows us to reconcile and restart galera when a secret is manually deleted to forcibly regenerate a certificate in cert-monger.

controllers/galera_controller.go Outdated Show resolved Hide resolved
@dciabrin
Copy link
Contributor Author

dciabrin commented Nov 9, 2023

/retest

@dciabrin
Copy link
Contributor Author

Fixed unit tests in the last push

@Deydra71 Deydra71 self-requested a review January 10, 2024 08:04
@olliewalsh olliewalsh mentioned this pull request Jan 12, 2024
@dciabrin dciabrin force-pushed the galera-tls branch 3 times, most recently from 33334b4 to a7c9d70 Compare January 23, 2024 21:39
err.Error()))
return ctrl.Result{}, fmt.Errorf("error calculating input hash: %w", err)
}
instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

in the other operators we use TLSInputReady condition for TLS cert secrets. maybe want to also have this here to be in sync

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack I'll update that

pkg/mariadb/volumes.go Show resolved Hide resolved
pkg/mariadb/volumes.go Show resolved Hide resolved
// TLS settings for MySQL service and internal Galera replication
TLS tls.SimpleService `json:"tls,omitempty"`
// +kubebuilder:validation:Optional
// When TLS is used, only allow connections to the DB over TLS
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: maybe s/used/configured/

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@@ -97,7 +120,8 @@ func buildGcommURI(instance *mariadbv1.Galera) string {
res := []string{}

for i := 0; i < replicas; i++ {
res = append(res, basename+"-"+strconv.Itoa(i)+"."+basename)
// Generate Gcomm with FQDN for TLS validation
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: it not the FQDN, that would have .cluster.local on the end (logic looks fine, just the comment)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

done

@dciabrin
Copy link
Contributor Author

PR rebased to add TLS support on the new MariaDBAccount CR as well

Ability to specify a certificate and a CA to be used for galera
cluster communication (GCOMM, SST).

Updates to the certificate used for galera automatically triggers
a rolling restart of the galera pods, without service disruption.

The original volume mount names is changed to accomodate the
TLS subpath mounts. They now follow the naming convention found
in other Openstack services.

When the Galera CR is configured to use TLS, the mariadbdatabase
CR creates DB users that still allow connection to the DB without
using TLS. This is because Openstack clients currently cannot be
configured to connect via TLS or via plain TCP. This specific
part will be addressed in a subsequent commit.
Copy link
Contributor

@stuggi stuggi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

Copy link
Contributor

openshift-ci bot commented Jan 31, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dciabrin, stuggi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 7c0df7d into openstack-k8s-operators:main Jan 31, 2024
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants