-
Notifications
You must be signed in to change notification settings - Fork 31
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support TLS connections for galera #119
Support TLS connections for galera #119
Conversation
Skipping CI for Draft Pull Request. |
59dacf0
to
68e9f09
Compare
/retest |
8b7c1d4
to
e5aad20
Compare
/retest |
65753bc
to
fa266f5
Compare
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
overall looks good to me
// useTLS = (dbGalera.Spec.TLS.SecretName != "") | ||
useTLS = false |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to switch to the commented out code to be able to test this?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I updated it slightly to enforce TLS for users based on TLS property "TLS.Service.DisableNonTLSListeners". I also added a kuttl test for that feature
09009ce
to
d2b38a3
Compare
controllers/galera_controller.go
Outdated
Watches(&source.Kind{Type: &corev1.Secret{}}, handler.EnqueueRequestsFromMapFunc( | ||
func(o client.Object) []reconcile.Request { | ||
labels := o.GetLabels() | ||
|
||
reconcileCR, hasLabel := labels[mariaDBReconcileLabel] | ||
if !hasLabel { | ||
return []reconcile.Request{} | ||
} | ||
|
||
return []reconcile.Request{ | ||
{NamespacedName: types.NamespacedName{ | ||
Name: reconcileCR, | ||
Namespace: o.GetNamespace(), | ||
}}, | ||
} | ||
}, | ||
)). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is the label being set somewhere ? you consider using it to watch the tls cert secrets? for this case we intend that the service operators add themselves as an additional owner (not controller) of the secret. then is should only be required to add Owns(&corev1.Secret{}).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
See my remark below
controllers/galera_controller.go
Outdated
|
||
mariadbv1 "github.com/openstack-k8s-operators/mariadb-operator/api/v1beta1" | ||
mariadb "github.com/openstack-k8s-operators/mariadb-operator/pkg/mariadb" | ||
) | ||
|
||
// Label used in a k8s secret to reference its corresponding galera CR | ||
const mariaDBReconcileLabel = "mariadb-ref" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is it added somewhere to an object?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No the idea was to rely on the templating ability of cert-manager, as e.g. https://github.com/openstack-k8s-operators/mariadb-operator/pull/119/files#diff-c73cb33ebf19bd8e12d56f29679841e5abcd55b1fb58b07ec416749e8ca2d30bR47-R49
The drawback is that any Secret won't work if it's not labeled.
I'm good with adding the label automatically if this is a pattern that we're going to follow everywhere in the project.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lets wait with this. I should have an example hopefully tomorrow or on thu to show what I mean
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just implemented the 2nd pattern in this PR, that uses cache indexing. This approach allows us to reconcile and restart galera when a secret is manually deleted to forcibly regenerate a certificate in cert-monger.
/retest |
Fixed unit tests in the last push |
33334b4
to
a7c9d70
Compare
controllers/galera_controller.go
Outdated
err.Error())) | ||
return ctrl.Result{}, fmt.Errorf("error calculating input hash: %w", err) | ||
} | ||
instance.Status.Conditions.MarkTrue(condition.InputReadyCondition, condition.InputReadyMessage) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
in the other operators we use TLSInputReady condition for TLS cert secrets. maybe want to also have this here to be in sync
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ack I'll update that
api/v1beta1/galera_types.go
Outdated
// TLS settings for MySQL service and internal Galera replication | ||
TLS tls.SimpleService `json:"tls,omitempty"` | ||
// +kubebuilder:validation:Optional | ||
// When TLS is used, only allow connections to the DB over TLS |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: maybe s/used/configured/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
controllers/galera_controller.go
Outdated
@@ -97,7 +120,8 @@ func buildGcommURI(instance *mariadbv1.Galera) string { | |||
res := []string{} | |||
|
|||
for i := 0; i < replicas; i++ { | |||
res = append(res, basename+"-"+strconv.Itoa(i)+"."+basename) | |||
// Generate Gcomm with FQDN for TLS validation |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: it not the FQDN, that would have .cluster.local on the end (logic looks fine, just the comment)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
PR rebased to add TLS support on the new MariaDBAccount CR as well |
Ability to specify a certificate and a CA to be used for galera cluster communication (GCOMM, SST). Updates to the certificate used for galera automatically triggers a rolling restart of the galera pods, without service disruption. The original volume mount names is changed to accomodate the TLS subpath mounts. They now follow the naming convention found in other Openstack services. When the Galera CR is configured to use TLS, the mariadbdatabase CR creates DB users that still allow connection to the DB without using TLS. This is because Openstack clients currently cannot be configured to connect via TLS or via plain TCP. This specific part will be addressed in a subsequent commit.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dciabrin, stuggi The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
7c0df7d
into
openstack-k8s-operators:main
No description provided.