This is an automated email from the ASF dual-hosted git repository.
gerlowskija pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-operator.git
The following commit(s) were added to refs/heads/main by this push:
new ee1e3f3 Support 'ca.crt'-less TLS secrets in initContainer (#685)
ee1e3f3 is described below
commit ee1e3f3d7ef848c108ada64bd52527e0d3953a2f
Author: Steffen Moldenhauer <[email protected]>
AuthorDate: Mon Dec 9 18:19:54 2024 +0100
Support 'ca.crt'-less TLS secrets in initContainer (#685)
Prior to this commit, the gen-pkcs12-keystore initContainer required a
'ca.crt' key,
despite some providers not including this. This commit tweaks the openssl
command run by this initContainer to only use 'ca.crt' if that key/file is
available.
---------
Co-authored-by: Houston Putman <[email protected]>
Co-authored-by: Jason Gerlowski <[email protected]>
---
controllers/solrcloud_controller_tls_test.go | 5 +++--
controllers/util/solr_tls_util.go | 12 ++++++++----
helm/solr-operator/Chart.yaml | 8 ++++++++
tests/e2e/prometheus_exporter_tls_test.go | 3 ++-
tests/e2e/solrcloud_tls_test.go | 29 +++++++++++++++++++++-------
tests/e2e/test_utils_test.go | 11 ++++++-----
tests/e2e/utils_tls_test.go | 9 +++++----
7 files changed, 54 insertions(+), 23 deletions(-)
diff --git a/controllers/solrcloud_controller_tls_test.go
b/controllers/solrcloud_controller_tls_test.go
index 6dff3d7..374f28f 100644
--- a/controllers/solrcloud_controller_tls_test.go
+++ b/controllers/solrcloud_controller_tls_test.go
@@ -22,6 +22,8 @@ import (
"crypto/md5"
b64 "encoding/base64"
"fmt"
+ "strings"
+
solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
"github.com/apache/solr-operator/controllers/util"
. "github.com/onsi/ginkgo/v2"
@@ -31,7 +33,6 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"sigs.k8s.io/controller-runtime/pkg/client"
- "strings"
)
var _ = FDescribe("SolrCloud controller - TLS", func() {
@@ -522,7 +523,7 @@ func expectTLSConfigOnPodTemplateWithGomega(g Gomega,
solrCloud *solrv1beta1.Sol
break
}
}
- expCmd := "openssl pkcs12 -export -in /var/solr/tls/tls.crt -in
/var/solr/tls/ca.crt -inkey /var/solr/tls/tls.key -out
/var/solr/tls/pkcs12/keystore.p12 -passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}"
+ expCmd := "OPTIONAL_CACRT=\"$(test -e /var/solr/tls/ca.crt &&
echo ' -certfile /var/solr/tls/ca.crt')\"; openssl pkcs12 -export -in
/var/solr/tls/tls.crt $OPTIONAL_CACRT -inkey /var/solr/tls/tls.key -out
/var/solr/tls/pkcs12/keystore.p12 -passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}"
g.Expect(expInitContainer).To(Not(BeNil()), "Didn't find the
gen-pkcs12-keystore InitContainer in the sts!")
g.Expect(expInitContainer.Command[2]).To(Equal(expCmd), "Wrong
TLS initContainer command")
}
diff --git a/controllers/util/solr_tls_util.go
b/controllers/util/solr_tls_util.go
index 676311b..8528757 100644
--- a/controllers/util/solr_tls_util.go
+++ b/controllers/util/solr_tls_util.go
@@ -21,13 +21,14 @@ import (
"context"
"crypto/md5"
"fmt"
+ "strconv"
+ "strings"
+
solr "github.com/apache/solr-operator/api/v1beta1"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
- "strconv"
- "strings"
)
const (
@@ -707,8 +708,11 @@ func (tls *TLSConfig)
generatePkcs12InitContainer(imageName string, imagePullPol
},
}
- cmd := "openssl pkcs12 -export -in " + DefaultKeyStorePath + "/" +
TLSCertKey + " -in " + DefaultKeyStorePath +
- "/ca.crt -inkey " + DefaultKeyStorePath + "/tls.key -out " +
DefaultKeyStorePath +
+ caCrtFileName := DefaultKeyStorePath + "/ca.crt"
+
+ cmd := "OPTIONAL_CACRT=\"$(test -e " + caCrtFileName + " && echo '
-certfile " + caCrtFileName + "')\"; " +
+ "openssl pkcs12 -export -in " + DefaultKeyStorePath + "/" +
TLSCertKey + " $OPTIONAL_CACRT " +
+ "-inkey " + DefaultKeyStorePath + "/tls.key -out " +
DefaultKeyStorePath +
"/pkcs12/" + DefaultPkcs12KeystoreFile + " -passout
pass:${SOLR_SSL_KEY_STORE_PASSWORD}"
return corev1.Container{
diff --git a/helm/solr-operator/Chart.yaml b/helm/solr-operator/Chart.yaml
index 5a954c2..af4b173 100644
--- a/helm/solr-operator/Chart.yaml
+++ b/helm/solr-operator/Chart.yaml
@@ -54,6 +54,13 @@ annotations:
# Add change log for a single release here.
# Allowed syntax is described at:
https://artifacthub.io/docs/topics/annotations/helm/#example
artifacthub.io/changes: |
+ - kind: fixed
+ description: gen-pkcs12-keystore initContainer now supports
'ca.crt'-less TLS secrets
+ links:
+ - name: Github Issue
+ url: https://github.com/apache/solr-operator/issues/684
+ - name: Github PR
+ url: https://github.com/apache/solr-operator/pull/685
- kind: changed
description: SolrClouds now support auto-readOnlyRootFilesystem setting.
links:
@@ -61,6 +68,7 @@ annotations:
url: https://github.com/apache/solr-operator/issues/624
- name: Github PR
url: https://github.com/apache/solr-operator/pull/648
+ - kind: fixed
description: Avoid reset of security.json if get request fails
links:
- name: Github Issue
diff --git a/tests/e2e/prometheus_exporter_tls_test.go
b/tests/e2e/prometheus_exporter_tls_test.go
index a027ffb..f6fa229 100644
--- a/tests/e2e/prometheus_exporter_tls_test.go
+++ b/tests/e2e/prometheus_exporter_tls_test.go
@@ -19,6 +19,7 @@ package e2e
import (
"context"
+
solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
@@ -44,7 +45,7 @@ var _ = FDescribe("E2E - Prometheus Exporter - TLS ",
Ordered, func() {
*/
BeforeAll(func(ctx context.Context) {
installSolrIssuer(ctx, testNamespace())
- solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true)
+ solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true,
true)
solrCloud.Spec.SolrTLS.CheckPeerName = true
diff --git a/tests/e2e/solrcloud_tls_test.go b/tests/e2e/solrcloud_tls_test.go
index 30b05f2..d162225 100644
--- a/tests/e2e/solrcloud_tls_test.go
+++ b/tests/e2e/solrcloud_tls_test.go
@@ -19,6 +19,7 @@ package e2e
import (
"context"
+
solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
@@ -59,7 +60,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
FContext("No Client TLS", func() {
BeforeEach(func(ctx context.Context) {
- solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
false)
+ solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
false, true)
//solrCloud.Spec.SolrOpts =
"-Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake"
})
@@ -70,7 +71,21 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
FContext("No Client TLS - Just a Keystore", func() {
BeforeEach(func(ctx context.Context) {
- solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
false)
+ solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
false, true)
+
+ solrCloud.Spec.SolrTLS.TrustStoreSecret = nil
+ solrCloud.Spec.SolrTLS.TrustStorePasswordSecret = nil
+
+ //solrCloud.Spec.SolrOpts =
"-Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake"
+ })
+
+ FIt("Can run", func() {})
+ })
+
+ FContext("No Client TLS - gen-pkcs12-keystore", func() {
+
+ BeforeEach(func(ctx context.Context) {
+ solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
false, false)
solrCloud.Spec.SolrTLS.TrustStoreSecret = nil
solrCloud.Spec.SolrTLS.TrustStorePasswordSecret = nil
@@ -84,7 +99,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
FContext("No Client TLS - CheckPeerName", func() {
BeforeEach(func(ctx context.Context) {
- solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
false)
+ solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
false, true)
solrCloud.Spec.SolrTLS.CheckPeerName = true
@@ -115,7 +130,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func()
{
FContext("With Client TLS - VerifyClientHostname", func() {
BeforeEach(func(ctx context.Context) {
- solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
true)
+ solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
true, true)
solrCloud.Spec.SolrTLS.VerifyClientHostname = true
@@ -139,7 +154,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func()
{
FContext("With Client TLS - CheckPeerName", func() {
BeforeEach(func(ctx context.Context) {
- solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
true)
+ solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
true, true)
solrCloud.Spec.SolrTLS.CheckPeerName = true
@@ -164,7 +179,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func()
{
FContext("With Client TLS - Client Auth Need", func() {
BeforeEach(func(ctx context.Context) {
- solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
true)
+ solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
true, true)
solrCloud.Spec.SolrTLS.ClientAuth = solrv1beta1.Need
@@ -177,7 +192,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func()
{
FContext("With Client TLS - Client Auth Want", func() {
BeforeEach(func(ctx context.Context) {
- solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
true)
+ solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2,
true, true)
solrCloud.Spec.SolrTLS.ClientAuth = solrv1beta1.Want
diff --git a/tests/e2e/test_utils_test.go b/tests/e2e/test_utils_test.go
index 486499d..95677d3 100644
--- a/tests/e2e/test_utils_test.go
+++ b/tests/e2e/test_utils_test.go
@@ -23,6 +23,12 @@ import (
"encoding/json"
"errors"
"fmt"
+ "io"
+ "os"
+ "strconv"
+ "strings"
+ "time"
+
solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
"github.com/apache/solr-operator/controllers/util"
"github.com/apache/solr-operator/controllers/util/solr_api"
@@ -34,7 +40,6 @@ import (
"helm.sh/helm/v3/pkg/cli"
"helm.sh/helm/v3/pkg/release"
"helm.sh/helm/v3/pkg/storage/driver"
- "io"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -43,11 +48,7 @@ import (
"k8s.io/apimachinery/pkg/util/rand"
"k8s.io/client-go/tools/remotecommand"
"k8s.io/utils/pointer"
- "os"
"sigs.k8s.io/controller-runtime/pkg/client"
- "strconv"
- "strings"
- "time"
)
const (
diff --git a/tests/e2e/utils_tls_test.go b/tests/e2e/utils_tls_test.go
index b8efcfa..5089bdf 100644
--- a/tests/e2e/utils_tls_test.go
+++ b/tests/e2e/utils_tls_test.go
@@ -19,6 +19,7 @@ package e2e
import (
"context"
+
solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
certmanagerv1
"github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
certmanagermetav1
"github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
@@ -39,10 +40,10 @@ const (
clientAuthSecret = "client-auth"
)
-func generateBaseSolrCloudWithSecretTLS(ctx context.Context, replicas int,
includeClientTLS bool) (solrCloud *solrv1beta1.SolrCloud) {
+func generateBaseSolrCloudWithSecretTLS(ctx context.Context, replicas int,
includeClientTLS bool, createKeyStore bool) (solrCloud *solrv1beta1.SolrCloud) {
solrCloud = generateBaseSolrCloud(replicas)
- solrCertSecret, tlsPasswordSecret, clientCertSecret,
clientTlsPasswordSecret := generateSolrCert(ctx, solrCloud, includeClientTLS)
+ solrCertSecret, tlsPasswordSecret, clientCertSecret,
clientTlsPasswordSecret := generateSolrCert(ctx, solrCloud, includeClientTLS,
createKeyStore)
solrCloud.Spec.SolrTLS = &solrv1beta1.SolrTLSOptions{
PKCS12Secret: &corev1.SecretKeySelector{
@@ -303,7 +304,7 @@ func installSolrIssuer(ctx context.Context, namespace
string) {
expectSecret(ctx, clusterCA, secretName)
}
-func generateSolrCert(ctx context.Context, solrCloud *solrv1beta1.SolrCloud,
includeClientTLS bool) (certSecretName string, tlsPasswordSecretName string,
clientTLSCertSecretName string, clientTLSPasswordSecretName string) {
+func generateSolrCert(ctx context.Context, solrCloud *solrv1beta1.SolrCloud,
includeClientTLS bool, createKeyStore bool) (certSecretName string,
tlsPasswordSecretName string, clientTLSCertSecretName string,
clientTLSPasswordSecretName string) {
// First create a secret to use as a password for the
keystore/truststore
tlsPasswordSecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
@@ -338,7 +339,7 @@ func generateSolrCert(ctx context.Context, solrCloud
*solrv1beta1.SolrCloud, inc
SecretName: certSecretName,
Keystores: &certmanagerv1.CertificateKeystores{
PKCS12: &certmanagerv1.PKCS12Keystore{
- Create: true,
+ Create: createKeyStore,
PasswordSecretRef:
certmanagermetav1.SecretKeySelector{
LocalObjectReference:
certmanagermetav1.LocalObjectReference{
Name:
tlsPasswordSecret.Name,
