This is an automated email from the ASF dual-hosted git repository.

gerlowskija pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-operator.git


The following commit(s) were added to refs/heads/main by this push:
     new ee1e3f3  Support 'ca.crt'-less TLS secrets in initContainer (#685)
ee1e3f3 is described below

commit ee1e3f3d7ef848c108ada64bd52527e0d3953a2f
Author: Steffen Moldenhauer <54577793+smoldenhauer-...@users.noreply.github.com>
AuthorDate: Mon Dec 9 18:19:54 2024 +0100

    Support 'ca.crt'-less TLS secrets in initContainer (#685)
    
    Prior to this commit, the gen-pkcs12-keystore initContainer required a 
'ca.crt' key,
    despite some providers not including this.  This commit tweaks the openssl
    command run by this initContainer to only use 'ca.crt' if that key/file is 
available.
    ---------
    
    Co-authored-by: Houston Putman <houstonput...@gmail.com>
    Co-authored-by: Jason Gerlowski <gerlowsk...@apache.org>
---
 controllers/solrcloud_controller_tls_test.go |  5 +++--
 controllers/util/solr_tls_util.go            | 12 ++++++++----
 helm/solr-operator/Chart.yaml                |  8 ++++++++
 tests/e2e/prometheus_exporter_tls_test.go    |  3 ++-
 tests/e2e/solrcloud_tls_test.go              | 29 +++++++++++++++++++++-------
 tests/e2e/test_utils_test.go                 | 11 ++++++-----
 tests/e2e/utils_tls_test.go                  |  9 +++++----
 7 files changed, 54 insertions(+), 23 deletions(-)

diff --git a/controllers/solrcloud_controller_tls_test.go 
b/controllers/solrcloud_controller_tls_test.go
index 6dff3d7..374f28f 100644
--- a/controllers/solrcloud_controller_tls_test.go
+++ b/controllers/solrcloud_controller_tls_test.go
@@ -22,6 +22,8 @@ import (
        "crypto/md5"
        b64 "encoding/base64"
        "fmt"
+       "strings"
+
        solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
        "github.com/apache/solr-operator/controllers/util"
        . "github.com/onsi/ginkgo/v2"
@@ -31,7 +33,6 @@ import (
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
        "k8s.io/apimachinery/pkg/util/intstr"
        "sigs.k8s.io/controller-runtime/pkg/client"
-       "strings"
 )
 
 var _ = FDescribe("SolrCloud controller - TLS", func() {
@@ -522,7 +523,7 @@ func expectTLSConfigOnPodTemplateWithGomega(g Gomega, 
solrCloud *solrv1beta1.Sol
                                break
                        }
                }
-               expCmd := "openssl pkcs12 -export -in /var/solr/tls/tls.crt -in 
/var/solr/tls/ca.crt -inkey /var/solr/tls/tls.key -out 
/var/solr/tls/pkcs12/keystore.p12 -passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}"
+               expCmd := "OPTIONAL_CACRT=\"$(test -e /var/solr/tls/ca.crt && 
echo ' -certfile /var/solr/tls/ca.crt')\"; openssl pkcs12 -export -in 
/var/solr/tls/tls.crt $OPTIONAL_CACRT -inkey /var/solr/tls/tls.key -out 
/var/solr/tls/pkcs12/keystore.p12 -passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}"
                g.Expect(expInitContainer).To(Not(BeNil()), "Didn't find the 
gen-pkcs12-keystore InitContainer in the sts!")
                g.Expect(expInitContainer.Command[2]).To(Equal(expCmd), "Wrong 
TLS initContainer command")
        }
diff --git a/controllers/util/solr_tls_util.go 
b/controllers/util/solr_tls_util.go
index 676311b..8528757 100644
--- a/controllers/util/solr_tls_util.go
+++ b/controllers/util/solr_tls_util.go
@@ -21,13 +21,14 @@ import (
        "context"
        "crypto/md5"
        "fmt"
+       "strconv"
+       "strings"
+
        solr "github.com/apache/solr-operator/api/v1beta1"
        appsv1 "k8s.io/api/apps/v1"
        corev1 "k8s.io/api/core/v1"
        "k8s.io/apimachinery/pkg/types"
        "sigs.k8s.io/controller-runtime/pkg/client"
-       "strconv"
-       "strings"
 )
 
 const (
@@ -707,8 +708,11 @@ func (tls *TLSConfig) 
generatePkcs12InitContainer(imageName string, imagePullPol
                },
        }
 
-       cmd := "openssl pkcs12 -export -in " + DefaultKeyStorePath + "/" + 
TLSCertKey + " -in " + DefaultKeyStorePath +
-               "/ca.crt -inkey " + DefaultKeyStorePath + "/tls.key -out " + 
DefaultKeyStorePath +
+       caCrtFileName := DefaultKeyStorePath + "/ca.crt"
+
+       cmd := "OPTIONAL_CACRT=\"$(test -e " + caCrtFileName + " && echo ' 
-certfile " + caCrtFileName + "')\"; " +
+               "openssl pkcs12 -export -in " + DefaultKeyStorePath + "/" + 
TLSCertKey + " $OPTIONAL_CACRT " +
+               "-inkey " + DefaultKeyStorePath + "/tls.key -out " + 
DefaultKeyStorePath +
                "/pkcs12/" + DefaultPkcs12KeystoreFile + " -passout 
pass:${SOLR_SSL_KEY_STORE_PASSWORD}"
 
        return corev1.Container{
diff --git a/helm/solr-operator/Chart.yaml b/helm/solr-operator/Chart.yaml
index 5a954c2..af4b173 100644
--- a/helm/solr-operator/Chart.yaml
+++ b/helm/solr-operator/Chart.yaml
@@ -54,6 +54,13 @@ annotations:
   # Add change log for a single release here.
   # Allowed syntax is described at: 
https://artifacthub.io/docs/topics/annotations/helm/#example
   artifacthub.io/changes: |
+    - kind: fixed
+      description: gen-pkcs12-keystore initContainer now supports 
'ca.crt'-less TLS secrets
+      links:
+        - name: Github Issue
+          url: https://github.com/apache/solr-operator/issues/684
+        - name: Github PR
+          url: https://github.com/apache/solr-operator/pull/685
     - kind: changed
       description: SolrClouds now support auto-readOnlyRootFilesystem setting.
       links:
@@ -61,6 +68,7 @@ annotations:
           url: https://github.com/apache/solr-operator/issues/624
         - name: Github PR
           url: https://github.com/apache/solr-operator/pull/648
+    - kind: fixed
       description: Avoid reset of security.json if get request fails  
       links:
         - name: Github Issue
diff --git a/tests/e2e/prometheus_exporter_tls_test.go 
b/tests/e2e/prometheus_exporter_tls_test.go
index a027ffb..f6fa229 100644
--- a/tests/e2e/prometheus_exporter_tls_test.go
+++ b/tests/e2e/prometheus_exporter_tls_test.go
@@ -19,6 +19,7 @@ package e2e
 
 import (
        "context"
+
        solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
        . "github.com/onsi/ginkgo/v2"
        . "github.com/onsi/gomega"
@@ -44,7 +45,7 @@ var _ = FDescribe("E2E - Prometheus Exporter - TLS ", 
Ordered, func() {
        */
        BeforeAll(func(ctx context.Context) {
                installSolrIssuer(ctx, testNamespace())
-               solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true)
+               solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true, 
true)
 
                solrCloud.Spec.SolrTLS.CheckPeerName = true
 
diff --git a/tests/e2e/solrcloud_tls_test.go b/tests/e2e/solrcloud_tls_test.go
index 30b05f2..d162225 100644
--- a/tests/e2e/solrcloud_tls_test.go
+++ b/tests/e2e/solrcloud_tls_test.go
@@ -19,6 +19,7 @@ package e2e
 
 import (
        "context"
+
        solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
        . "github.com/onsi/ginkgo/v2"
        . "github.com/onsi/gomega"
@@ -59,7 +60,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
        FContext("No Client TLS", func() {
 
                BeforeEach(func(ctx context.Context) {
-                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
false)
+                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
false, true)
 
                        //solrCloud.Spec.SolrOpts = 
"-Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake"
                })
@@ -70,7 +71,21 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
        FContext("No Client TLS - Just a Keystore", func() {
 
                BeforeEach(func(ctx context.Context) {
-                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
false)
+                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
false, true)
+
+                       solrCloud.Spec.SolrTLS.TrustStoreSecret = nil
+                       solrCloud.Spec.SolrTLS.TrustStorePasswordSecret = nil
+
+                       //solrCloud.Spec.SolrOpts = 
"-Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake"
+               })
+
+               FIt("Can run", func() {})
+       })
+
+       FContext("No Client TLS - gen-pkcs12-keystore", func() {
+
+               BeforeEach(func(ctx context.Context) {
+                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
false, false)
 
                        solrCloud.Spec.SolrTLS.TrustStoreSecret = nil
                        solrCloud.Spec.SolrTLS.TrustStorePasswordSecret = nil
@@ -84,7 +99,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
        FContext("No Client TLS - CheckPeerName", func() {
 
                BeforeEach(func(ctx context.Context) {
-                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
false)
+                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
false, true)
 
                        solrCloud.Spec.SolrTLS.CheckPeerName = true
 
@@ -115,7 +130,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() 
{
        FContext("With Client TLS - VerifyClientHostname", func() {
 
                BeforeEach(func(ctx context.Context) {
-                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
true)
+                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
true, true)
 
                        solrCloud.Spec.SolrTLS.VerifyClientHostname = true
 
@@ -139,7 +154,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() 
{
        FContext("With Client TLS - CheckPeerName", func() {
 
                BeforeEach(func(ctx context.Context) {
-                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
true)
+                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
true, true)
 
                        solrCloud.Spec.SolrTLS.CheckPeerName = true
 
@@ -164,7 +179,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() 
{
        FContext("With Client TLS - Client Auth Need", func() {
 
                BeforeEach(func(ctx context.Context) {
-                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
true)
+                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
true, true)
 
                        solrCloud.Spec.SolrTLS.ClientAuth = solrv1beta1.Need
 
@@ -177,7 +192,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() 
{
        FContext("With Client TLS - Client Auth Want", func() {
 
                BeforeEach(func(ctx context.Context) {
-                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
true)
+                       solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, 
true, true)
 
                        solrCloud.Spec.SolrTLS.ClientAuth = solrv1beta1.Want
 
diff --git a/tests/e2e/test_utils_test.go b/tests/e2e/test_utils_test.go
index 486499d..95677d3 100644
--- a/tests/e2e/test_utils_test.go
+++ b/tests/e2e/test_utils_test.go
@@ -23,6 +23,12 @@ import (
        "encoding/json"
        "errors"
        "fmt"
+       "io"
+       "os"
+       "strconv"
+       "strings"
+       "time"
+
        solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
        "github.com/apache/solr-operator/controllers/util"
        "github.com/apache/solr-operator/controllers/util/solr_api"
@@ -34,7 +40,6 @@ import (
        "helm.sh/helm/v3/pkg/cli"
        "helm.sh/helm/v3/pkg/release"
        "helm.sh/helm/v3/pkg/storage/driver"
-       "io"
        corev1 "k8s.io/api/core/v1"
        "k8s.io/apimachinery/pkg/api/resource"
        metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -43,11 +48,7 @@ import (
        "k8s.io/apimachinery/pkg/util/rand"
        "k8s.io/client-go/tools/remotecommand"
        "k8s.io/utils/pointer"
-       "os"
        "sigs.k8s.io/controller-runtime/pkg/client"
-       "strconv"
-       "strings"
-       "time"
 )
 
 const (
diff --git a/tests/e2e/utils_tls_test.go b/tests/e2e/utils_tls_test.go
index b8efcfa..5089bdf 100644
--- a/tests/e2e/utils_tls_test.go
+++ b/tests/e2e/utils_tls_test.go
@@ -19,6 +19,7 @@ package e2e
 
 import (
        "context"
+
        solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
        certmanagerv1 
"github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
        certmanagermetav1 
"github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
@@ -39,10 +40,10 @@ const (
        clientAuthSecret         = "client-auth"
 )
 
-func generateBaseSolrCloudWithSecretTLS(ctx context.Context, replicas int, 
includeClientTLS bool) (solrCloud *solrv1beta1.SolrCloud) {
+func generateBaseSolrCloudWithSecretTLS(ctx context.Context, replicas int, 
includeClientTLS bool, createKeyStore bool) (solrCloud *solrv1beta1.SolrCloud) {
        solrCloud = generateBaseSolrCloud(replicas)
 
-       solrCertSecret, tlsPasswordSecret, clientCertSecret, 
clientTlsPasswordSecret := generateSolrCert(ctx, solrCloud, includeClientTLS)
+       solrCertSecret, tlsPasswordSecret, clientCertSecret, 
clientTlsPasswordSecret := generateSolrCert(ctx, solrCloud, includeClientTLS, 
createKeyStore)
 
        solrCloud.Spec.SolrTLS = &solrv1beta1.SolrTLSOptions{
                PKCS12Secret: &corev1.SecretKeySelector{
@@ -303,7 +304,7 @@ func installSolrIssuer(ctx context.Context, namespace 
string) {
        expectSecret(ctx, clusterCA, secretName)
 }
 
-func generateSolrCert(ctx context.Context, solrCloud *solrv1beta1.SolrCloud, 
includeClientTLS bool) (certSecretName string, tlsPasswordSecretName string, 
clientTLSCertSecretName string, clientTLSPasswordSecretName string) {
+func generateSolrCert(ctx context.Context, solrCloud *solrv1beta1.SolrCloud, 
includeClientTLS bool, createKeyStore bool) (certSecretName string, 
tlsPasswordSecretName string, clientTLSCertSecretName string, 
clientTLSPasswordSecretName string) {
        // First create a secret to use as a password for the 
keystore/truststore
        tlsPasswordSecret := &corev1.Secret{
                ObjectMeta: metav1.ObjectMeta{
@@ -338,7 +339,7 @@ func generateSolrCert(ctx context.Context, solrCloud 
*solrv1beta1.SolrCloud, inc
                        SecretName: certSecretName,
                        Keystores: &certmanagerv1.CertificateKeystores{
                                PKCS12: &certmanagerv1.PKCS12Keystore{
-                                       Create: true,
+                                       Create: createKeyStore,
                                        PasswordSecretRef: 
certmanagermetav1.SecretKeySelector{
                                                LocalObjectReference: 
certmanagermetav1.LocalObjectReference{
                                                        Name: 
tlsPasswordSecret.Name,

Reply via email to