diff --git a/api/v1/helpers.go b/api/v1/helpers.go index 15404ac8b..e0a553d44 100644 --- a/api/v1/helpers.go +++ b/api/v1/helpers.go @@ -27,6 +27,7 @@ import ( vmeta "github.com/vertica/vertica-kubernetes/pkg/meta" "github.com/vertica/vertica-kubernetes/pkg/paths" corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/api/meta" "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" @@ -1169,3 +1170,19 @@ func (v *VerticaDB) GetSubclustersInSandbox(sbName string) []string { } return scNames } + +func IsK8sSecretFound(ctx context.Context, vdb *VerticaDB, k8sClient client.Client, secretName *string, + secret *corev1.Secret) (bool, error) { + nm := types.NamespacedName{ + Name: *secretName, + Namespace: vdb.GetNamespace(), + } + err := k8sClient.Get(ctx, nm, secret) + if errors.IsNotFound(err) { + return false, nil + } else if err != nil { + return false, err + } else { + return true, nil + } +} diff --git a/api/v1/verticadb_types.go b/api/v1/verticadb_types.go index afdcee132..bf92a642e 100644 --- a/api/v1/verticadb_types.go +++ b/api/v1/verticadb_types.go 
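Review bot: IsK8sSecretFound dereferences `*secretName` with no nil check, so a nil pointer from a caller panics the operator instead of surfacing an error; the function only reads the name, so taking it by value (`secretName string`) removes the hazard and simplifies the single call site in nmacertconfigmapgen_reconciler.go. The `else if` / `else` after `return` can be flattened to `if errors.IsNotFound(err) { return false, nil }`, `if err != nil { return false, err }`, `return true, nil`. The function is exported but has no doc comment; suggest `// IsK8sSecretFound reports whether the named secret exists in the vdb's namespace, loading it into secret when it does.` Note that the full Secret, key material included, is read into the caller's struct even when the caller only needs existence, which is worth stating in that comment.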
@@ -284,6 +284,32 @@ type VerticaDBSpec struct { // prefix is the name of the secret in the service you are storing. NMATLSSecret string `json:"nmaTLSSecret,omitempty"` + // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors="urn:alm:descriptor:com.tectonic.ui:hidden" + // +kubebuilder:default:="" + // +kubebuilder:validation:Optional + // A secret that contains the TLS credentials to be used to authenticate Vertica clients' certificates. + // If this is empty, the operator will create a secret to use and addthe name of the generate secret to this field. + // When set, the secret must have the following keys defined: tls.key, + // tls.crt and ca.crt. To store this secret outside of Kubernetes, you can + // use a secret path reference prefix, such as gsm://. Everything after the + // prefix is the name of the secret in the service you are storing. + ClientServerTLSSecret string `json:"clientServerTLSSecret,omitempty"` + + // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors="urn:alm:descriptor:com.tectonic.ui:hidden" + // +kubebuilder:default:=TRY_VERIFY + // +kubebuilder:validation:Optional + // This field configures the Vertica's connection mode for client-server TLS. + // Choose one of the following TLSMODEs, listed in ascending security: + // - DISABLE: Disables TLS. All other options for this parameter enable TLS. + // - ENABLE: Enables TLS. Vertica does not verify client certificates. + // - TRY_VERIFY: Establishes a TLS connection if one of the following is true: + // - The client presents a valid certificate. + // - The client doesn't present a certificate + // If the client presents an invalid certificate, the connection is rejected. + // - VERIFY_CA: Connection succeeds if Vertica verifies that the client certificate is from a trusted CA. + // If the client does not present a client certificate, the connection is rejected. 
+ ClientServerTLSMode string `json:"clientServerTLSMode,omitempty"` + // +operator-sdk:csv:customresourcedefinitions:type=spec,xDescriptors="urn:alm:descriptor:com.tectonic.ui:hidden" // +kubebuilder:validation:Optional // Allows tuning of the Vertica pods readiness probe. Each of the values diff --git a/api/v1/verticadb_webhook.go b/api/v1/verticadb_webhook.go index 6b1482d87..d666b13a7 100644 --- a/api/v1/verticadb_webhook.go +++ b/api/v1/verticadb_webhook.go @@ -51,7 +51,7 @@ const ( HadoopConfigMountName = "hadoop-conf" Krb5SecretMountName = "krb5" SSHMountName = "ssh" - NMACertsMountName = "nma-certs" + NMATLSConfigMapName = "nma-tls-config" DepotMountName = "depot" S3Prefix = "s3://" GCloudPrefix = "gs://" @@ -228,6 +228,7 @@ func (v *VerticaDB) validateVerticaDBSpec() field.ErrorList { allErrs = v.isServiceTypeValid(allErrs) allErrs = v.hasDuplicateScName(allErrs) allErrs = v.hasValidVolumeName(allErrs) + allErrs = v.hasValidClientServerTLSMode(allErrs) allErrs = v.hasValidVolumeMountName(allErrs) allErrs = v.hasValidKerberosSetup(allErrs) allErrs = v.hasValidTemporarySubclusterRouting(allErrs) 
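Review bot: The ClientServerTLSSecret doc comment contains a typo and a grammatical slip, `addthe name of the generate secret`, which should read `add the name of the generated secret`. The ClientServerTLSMode doc lists DISABLE, ENABLE, TRY_VERIFY and VERIFY_CA, but hasValidClientServerTLSMode in verticadb_webhook.go (same change) also accepts `verify_full`; either document VERIFY_FULL here or drop it from the validator so the API doc and validation agree. The kubebuilder default is `TRY_VERIFY` while the webhook fills in `try_verify` when the field is empty; one casing should be chosen so users see a consistent stored value. It is also worth saying explicitly that TRY_VERIFY accepts clients that present no certificate at all, so it does not by itself enforce client authentication — VERIFY_CA is the first mode that does.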
@@ -670,6 +671,26 @@ func (v *VerticaDB) hasDuplicateScName(allErrs field.ErrorList) field.ErrorList return allErrs } +func (v *VerticaDB) hasValidClientServerTLSMode(allErrs field.ErrorList) field.ErrorList { + tlsModes := []string{"enable", "disable", "try_verify", "verify_ca", "verify_full"} + if v.Spec.ClientServerTLSMode != "" { + TLSMode := strings.ToLower(v.Spec.ClientServerTLSMode) + validMode := false + for _, mode := range tlsModes { + if mode == TLSMode { + validMode = true + } + } + if !validMode { + err := field.Invalid(field.NewPath("spec").Child("clientSeverTLSSecret"), v.Spec.ClientServerTLSMode, "invalid tls mode") + allErrs = append(allErrs, err) + } + } else { + v.Spec.ClientServerTLSMode = "try_verify" + } + return allErrs +} + func (v *VerticaDB) hasValidVolumeName(allErrs field.ErrorList) field.ErrorList { for i := range v.Spec.Volumes { vol := v.Spec.Volumes[i] diff --git a/changes/unreleased/Added-20250204-161432.yaml b/changes/unreleased/Added-20250204-161432.yaml new file mode 100644 index 000000000..caa4fdf8e --- /dev/null +++ b/changes/unreleased/Added-20250204-161432.yaml @@ -0,0 +1,5 @@ +kind: Added +body: ClientServerTLSSecret has been added to Vertica DB definition. It contains the TLS credentials to authenticate Vertica clients' certificates +time: 2025-02-04T16:14:32.906578043-05:00 +custom: + Issue: "1041" diff --git a/changes/unreleased/Removed-20250204-162421.yaml b/changes/unreleased/Removed-20250204-162421.yaml new file mode 100644 index 000000000..739d2688d --- /dev/null +++ b/changes/unreleased/Removed-20250204-162421.yaml @@ -0,0 +1,5 @@ +kind: Removed +body: NMATLSSecret used to be mounted at /certs/nma in nma container. Now it is not mounted any more. NMA will read certs from the kuberntes secrets. +time: 2025-02-04T16:24:21.090008412-05:00 +custom: + Issue: "1041" diff --git a/pkg/builder/builder.go b/pkg/builder/builder.go index 50ee8f250..87ab42b41 100644 --- a/pkg/builder/builder.go +++ b/pkg/builder/builder.go 
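Review bot: The `field.Invalid` path names `clientSeverTLSSecret`, a misspelling of Server and the wrong field; the error concerns the mode, so it should be `field.NewPath("spec").Child("clientServerTLSMode")`. The function also writes to the spec (`v.Spec.ClientServerTLSMode = "try_verify"`) from inside a `hasValid*` validation check that the other validators treat as read-only; defaulting belongs in the defaulting webhook or the `+kubebuilder:default` marker added in verticadb_types.go, and that marker uses `TRY_VERIFY`, a different casing than this assignment. The membership loop never breaks and can be `validMode := slices.Contains(tlsModes, tlsMode)` if the module's Go version allows, with the local renamed from `TLSMode` to `tlsMode`. `verify_full` is accepted here but is not in the documented list of modes on the API type.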
@@ -355,16 +355,10 @@ func buildStartupConfVolumeMount() corev1.VolumeMount { } } -func buildScrutinizeVolumeMounts(vscr *v1beta1.VerticaScrutinize, vdb *vapi.VerticaDB) []corev1.VolumeMount { +func buildScrutinizeVolumeMounts(vscr *v1beta1.VerticaScrutinize) []corev1.VolumeMount { volMnts := []corev1.VolumeMount{ buildScrutinizeSharedVolumeMount(vscr), } - - if vmeta.UseNMACertsMount(vdb.Annotations) && - vdb.Spec.NMATLSSecret != "" && - secrets.IsK8sSecret(vdb.Spec.NMATLSSecret) { - volMnts = append(volMnts, buildNMACertsVolumeMount()...) - } return volMnts } @@ -425,11 +419,6 @@ func buildSSHVolumeMounts() []corev1.VolumeMount { // used with NMA func buildCommonNMAVolumeMounts(vdb *vapi.VerticaDB) []corev1.VolumeMount { volMnts := buildScrutinizeVolumeMountForVerticaPod(vdb) - if vmeta.UseNMACertsMount(vdb.Annotations) && - vdb.Spec.NMATLSSecret != "" && - secrets.IsK8sSecret(vdb.Spec.NMATLSSecret) { - volMnts = append(volMnts, buildNMACertsVolumeMount()...) - } return volMnts } @@ -450,15 +439,6 @@ func buildScrutinizeVolumeMountForVerticaPod(vdb *vapi.VerticaDB) []corev1.Volum } } -func buildNMACertsVolumeMount() []corev1.VolumeMount { - return []corev1.VolumeMount{ - { - Name: vapi.NMACertsMountName, - MountPath: paths.NMACertsRoot, - }, - } -} - // buildCertSecretVolumeMounts returns the volume mounts for any cert secrets that are in the vdb func buildCertSecretVolumeMounts(vdb *vapi.VerticaDB) []corev1.VolumeMount { mnts := []corev1.VolumeMount{} @@ -487,12 +467,6 @@ func buildVolumes(vdb *vapi.VerticaDB) []corev1.Volume { if vdb.GetSSHSecretName() != "" { vols = append(vols, buildSSHVolume(vdb)) } - if vmeta.UseVClusterOps(vdb.Annotations) && - vmeta.UseNMACertsMount(vdb.Annotations) && - vdb.Spec.NMATLSSecret != "" && - secrets.IsK8sSecret(vdb.Spec.NMATLSSecret) { - vols = append(vols, buildNMACertsSecretVolume(vdb)) - } if vdb.IsDepotVolumeEmptyDir() { vols = append(vols, buildDepotVolume()) } 
@@ -507,12 +481,6 @@ func buildVolumes(vdb *vapi.VerticaDB) []corev1.Volume { // buildScrutinizeVolumes returns volumes that will be used by the scrutinize pod func buildScrutinizeVolumes(vscr *v1beta1.VerticaScrutinize, vdb *vapi.VerticaDB) []corev1.Volume { vols := []corev1.Volume{} - if vmeta.UseVClusterOps(vdb.Annotations) && - vmeta.UseNMACertsMount(vdb.Annotations) && - vdb.Spec.NMATLSSecret != "" && - secrets.IsK8sSecret(vdb.Spec.NMATLSSecret) { - vols = append(vols, buildNMACertsSecretVolume(vdb)) - } // we add a volume for the password when the password secret // is on k8s if vdb.Spec.PasswordSecret != "" && @@ -774,17 +742,6 @@ func buildSSHVolume(vdb *vapi.VerticaDB) corev1.Volume { } } -func buildNMACertsSecretVolume(vdb *vapi.VerticaDB) corev1.Volume { - return corev1.Volume{ - Name: vapi.NMACertsMountName, - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: vdb.Spec.NMATLSSecret, - }, - }, - } -} - // buildEmptyDirVolume returns a generic 'emptyDir' volume func buildEmptyDirVolume(volName string) corev1.Volume { return corev1.Volume{ @@ -1112,7 +1069,7 @@ func makeScrutinizeInitContainer(vscr *v1beta1.VerticaScrutinize, vdb *vapi.Vert Image: vdb.Spec.Image, Name: names.ScrutinizeInitContainer, Command: buildScrutinizeCmd(args), - VolumeMounts: buildScrutinizeVolumeMounts(vscr, vdb), + VolumeMounts: buildScrutinizeVolumeMounts(vscr), Resources: vscr.Spec.Resources, Env: buildCommonEnvVars(vdb), } 
@@ -1790,19 +1747,34 @@ func buildScrutinizeDBPasswordEnvVars(nm types.NamespacedName) []corev1.EnvVar { // buildNMATLSCertsEnvVars returns environment variables about NMA certs, // that are needed by NMA and vcluster scrutinize func buildNMATLSCertsEnvVars(vdb *vapi.VerticaDB) []corev1.EnvVar { - if vmeta.UseNMACertsMount(vdb.Annotations) && secrets.IsK8sSecret(vdb.Spec.NMATLSSecret) { - return []corev1.EnvVar{ - // Provide the path to each of the certs that are mounted in the container. - {Name: NMARootCAEnv, Value: fmt.Sprintf("%s/%s", paths.NMACertsRoot, paths.HTTPServerCACrtName)}, - {Name: NMACertEnv, Value: fmt.Sprintf("%s/%s", paths.NMACertsRoot, corev1.TLSCertKey)}, - {Name: NMAKeyEnv, Value: fmt.Sprintf("%s/%s", paths.NMACertsRoot, corev1.TLSPrivateKeyKey)}, - } - } + notTrue := false + configMapName := fmt.Sprintf("%s-%s", vdb.Name, vapi.NMATLSConfigMapName) return []corev1.EnvVar{ // The NMA will read the secrets directly from the secret store. // We provide the secret namespace and name for this reason. - {Name: NMASecretNamespaceEnv, Value: vdb.ObjectMeta.Namespace}, - {Name: NMASecretNameEnv, Value: vdb.Spec.NMATLSSecret}, + // {Name: NMASecretNamespaceEnv, Value: vdb.ObjectMeta.Namespace}, + // {Name: NMASecretNameEnv, Value: vdb.Spec.NMATLSSecret}, + + {Name: NMASecretNamespaceEnv, + ValueFrom: &corev1.EnvVarSource{ + ConfigMapKeyRef: &corev1.ConfigMapKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: configMapName, + }, + Key: NMASecretNamespaceEnv, + Optional: ¬True, + }, + }}, + {Name: NMASecretNameEnv, + ValueFrom: &corev1.EnvVarSource{ + ConfigMapKeyRef: &corev1.ConfigMapKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: configMapName, + }, + Key: NMASecretNameEnv, + Optional: ¬True, + }, + }}, } } 
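Review bot: The two commented-out entries `// {Name: NMASecretNamespaceEnv, Value: vdb.ObjectMeta.Namespace},` and `// {Name: NMASecretNameEnv, Value: vdb.Spec.NMATLSSecret},` are dead code inside the returned slice literal and should be removed; the `// The NMA will read the secrets directly from the secret store.` comment above them should instead say that the name and namespace now come from the `<vdb name>-nma-tls-config` ConfigMap. That ConfigMap name is computed with `fmt.Sprintf("%s-%s", vdb.Name, vapi.NMATLSConfigMapName)` both here and again in NMACertConfigMapGenReconciler.Reconcile; one shared helper keeps the two from drifting. `notTrue := false` reads oddly for the `Optional` pointer; `optional := false` with `Optional: &optional` says what it means (the `¬True` in the hunk looks like an HTML-entity artifact of `&notTrue`). Because `Optional` is false, a pod whose spec is built before the ConfigMap exists cannot start its containers; the actor order in verticadb_controller.go presumably guarantees the ConfigMap is created first, and a comment here stating that dependency would help the next reader.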
@@ -1891,3 +1863,25 @@ func GetTarballName(cmd []string) string { } return "" } + +// BuildNMATLSConfigMap builds a configmap with tls secret name in it. +// The configmap will be mapped to two environmental variables in NMA pod +func BuildNMATLSConfigMap(configMapName string, vdb *vapi.VerticaDB) *corev1.ConfigMap { + secretMap := map[string]string{ + NMASecretNamespaceEnv: vdb.ObjectMeta.Namespace, + NMASecretNameEnv: vdb.Spec.NMATLSSecret, + } + tlsConfigMap := &corev1.ConfigMap{ + TypeMeta: metav1.TypeMeta{ + Kind: "ConfigMap", + APIVersion: "v1", + }, + ObjectMeta: metav1.ObjectMeta{ + Name: configMapName, + Namespace: vdb.Namespace, + OwnerReferences: []metav1.OwnerReference{vdb.GenerateOwnerReference()}, + }, + Data: secretMap, + } + return tlsConfigMap +} diff --git a/pkg/builder/builder_test.go b/pkg/builder/builder_test.go index 4271e558f..311b3dd8a 100644 --- a/pkg/builder/builder_test.go +++ b/pkg/builder/builder_test.go 
@@ -555,65 +555,6 @@ var _ = Describe("builder", func() { } }) - It("should mount or not mount NMA certs volume based on NMA container", func() { - vdb := vapi.MakeVDBForHTTP("v-nma-tls-abcde") - // monolithic container - vdb.Annotations[vmeta.VClusterOpsAnnotation] = vmeta.VClusterOpsAnnotationTrue - vdb.Annotations[vmeta.MountNMACertsAnnotation] = vmeta.MountNMACertsAnnotationFalse - ps := buildPodSpec(vdb, &vdb.Spec.Subclusters[0]) - c := makeServerContainer(vdb, &vdb.Spec.Subclusters[0]) - Ω(NMACertsVolumeExists(vdb, ps.Volumes)).Should(BeFalse()) - Ω(NMACertsVolumeMountExists(&c)).Should(BeFalse()) - Ω(NMACertsEnvVarsExist(vdb, &c)).Should(BeTrue()) - vdb.Annotations[vmeta.MountNMACertsAnnotation] = vmeta.MountNMACertsAnnotationTrue - ps = buildPodSpec(vdb, &vdb.Spec.Subclusters[0]) - c = makeServerContainer(vdb, &vdb.Spec.Subclusters[0]) - Ω(NMACertsVolumeExists(vdb, ps.Volumes)).Should(BeTrue()) - Ω(NMACertsVolumeMountExists(&c)).Should(BeTrue()) - Ω(NMACertsEnvVarsExist(vdb, &c)).Should(BeTrue()) - // test default value (which should be true) - delete(vdb.Annotations, vmeta.MountNMACertsAnnotation) - ps = buildPodSpec(vdb, &vdb.Spec.Subclusters[0]) - c = makeServerContainer(vdb, &vdb.Spec.Subclusters[0]) - Ω(NMACertsVolumeExists(vdb, ps.Volumes)).Should(BeTrue()) - Ω(NMACertsVolumeMountExists(&c)).Should(BeTrue()) - Ω(NMACertsEnvVarsExist(vdb, &c)).Should(BeTrue()) - }) - - It("should mount or not mount NMA certs volume according to annotation(sidecar)", func() { - vdb := vapi.MakeVDBForHTTP("v-nma-tls-abcde") - - // server container - vdb.Annotations[vmeta.VClusterOpsAnnotation] = vmeta.VClusterOpsAnnotationTrue - vdb.Annotations[vmeta.VersionAnnotation] = vapi.NMAInSideCarDeploymentMinVersion - vdb.Annotations[vmeta.MountNMACertsAnnotation] = vmeta.MountNMACertsAnnotationFalse - ps := buildPodSpec(vdb, &vdb.Spec.Subclusters[0]) - c := makeServerContainer(vdb, &vdb.Spec.Subclusters[0]) - Ω(NMACertsVolumeExists(vdb, ps.Volumes)).Should(BeFalse()) - 
Ω(NMACertsVolumeMountExists(&c)).Should(BeFalse()) - Ω(NMACertsEnvVarsExist(vdb, &c)).Should(BeFalse()) - vdb.Annotations[vmeta.MountNMACertsAnnotation] = vmeta.MountNMACertsAnnotationTrue - ps = buildPodSpec(vdb, &vdb.Spec.Subclusters[0]) - c = makeServerContainer(vdb, &vdb.Spec.Subclusters[0]) - Ω(NMACertsVolumeExists(vdb, ps.Volumes)).Should(BeTrue()) - Ω(NMACertsVolumeMountExists(&c)).Should(BeFalse()) - Ω(NMACertsEnvVarsExist(vdb, &c)).Should(BeFalse()) - - // nma container - vdb.Annotations[vmeta.MountNMACertsAnnotation] = vmeta.MountNMACertsAnnotationFalse - ps = buildPodSpec(vdb, &vdb.Spec.Subclusters[0]) - c = makeNMAContainer(vdb, &vdb.Spec.Subclusters[0]) - Ω(NMACertsVolumeExists(vdb, ps.Volumes)).Should(BeFalse()) - Ω(NMACertsVolumeMountExists(&c)).Should(BeFalse()) - Ω(NMACertsEnvVarsExist(vdb, &c)).Should(BeTrue()) - vdb.Annotations[vmeta.MountNMACertsAnnotation] = vmeta.MountNMACertsAnnotationTrue - ps = buildPodSpec(vdb, &vdb.Spec.Subclusters[0]) - c = makeNMAContainer(vdb, &vdb.Spec.Subclusters[0]) - Ω(NMACertsVolumeExists(vdb, ps.Volumes)).Should(BeTrue()) - Ω(NMACertsVolumeMountExists(&c)).Should(BeTrue()) - Ω(NMACertsEnvVarsExist(vdb, &c)).Should(BeTrue()) - }) - It("should not set any NMA resources if none are set for the subcluster", func() { vdb := vapi.MakeVDBForHTTP("v-nma-tls-abcde") sc := &vdb.Spec.Subclusters[0] 
@@ -713,6 +654,17 @@ var _ = Describe("builder", func() { Ω(sts.Annotations).Should(HaveKeyWithValue("ann1", "v1")) Ω(sts.Annotations).Should(HaveKeyWithValue("ann2", "another-value")) }) + + It("configmap should have nma cert secret name and namespace", func() { + vdb := vapi.MakeVDBForHTTP("v-nma-tls-abcde") + // server container + vdb.Annotations[vmeta.VClusterOpsAnnotation] = vmeta.VClusterOpsAnnotationTrue + vdb.Annotations[vmeta.VersionAnnotation] = vapi.NMAInSideCarDeploymentMinVersion + configMap := BuildNMATLSConfigMap("nma-configmap", vdb) + Ω(configMap.Data[NMASecretNameEnv]).Should(Equal(vdb.Spec.NMATLSSecret)) + Ω(configMap.Data[NMASecretNamespaceEnv]).Should(Equal(vdb.Namespace)) + }) + }) func getFirstSSHSecretVolumeMountIndex(c *v1.Container) (int, bool) { @@ -767,24 +719,6 @@ func getVolume(vols []v1.Volume, mountName string) *v1.Volume { return nil } -func NMACertsVolumeExists(vdb *vapi.VerticaDB, vols []v1.Volume) bool { - for i := range vols { - if vols[i].Name == vapi.NMACertsMountName && vols[i].Secret.SecretName == vdb.Spec.NMATLSSecret { - return true - } - } - return false -} - -func NMACertsVolumeMountExists(c *v1.Container) bool { - for _, vol := range c.VolumeMounts { - if vol.Name == vapi.NMACertsMountName && vol.MountPath == paths.NMACertsRoot { - return true - } - } - return false -} - func NMACertsEnvVarsExist(vdb *vapi.VerticaDB, c *v1.Container) bool { envMap := make(map[string]v1.EnvVar) for _, envVar := range c.Env { 
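Review bot: The two annotation assignments in the new test (`vdb.Annotations[vmeta.VClusterOpsAnnotation]` and `vdb.Annotations[vmeta.VersionAnnotation]`) have no effect on BuildNMATLSConfigMap, which reads only `vdb.Namespace`, `vdb.Spec.NMATLSSecret` and the owner reference, so they read as copied setup and can be dropped. The test could instead assert the parts that matter to consumers: `Ω(configMap.Name).Should(Equal("nma-configmap"))`, `Ω(configMap.Namespace).Should(Equal(vdb.Namespace))` and that `configMap.OwnerReferences` has one entry pointing at the vdb, since an owner reference is what makes the ConfigMap go away with the VerticaDB.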
@@ -795,14 +729,8 @@ func NMACertsEnvVarsExist(vdb *vapi.VerticaDB, c *v1.Container) bool { _, keyOk := envMap[NMAKeyEnv] _, secretNamespaceOk := envMap[NMASecretNamespaceEnv] _, secretNameOk := envMap[NMASecretNameEnv] - if vmeta.UseNMACertsMount(vdb.Annotations) { - if rootCAOk && certOk && keyOk && !secretNamespaceOk && !secretNameOk { - return true - } - } else { - if !rootCAOk && !certOk && !keyOk && secretNamespaceOk && secretNameOk { - return true - } + if !rootCAOk && !certOk && !keyOk && secretNamespaceOk && secretNameOk { + return true } return false } diff --git a/pkg/controllers/vdb/nmacertconfigmapgen_reconciler.go b/pkg/controllers/vdb/nmacertconfigmapgen_reconciler.go new file mode 100644 index 000000000..ca39b1b66 --- /dev/null +++ b/pkg/controllers/vdb/nmacertconfigmapgen_reconciler.go 
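Review bot: After this simplification the `vdb` parameter of NMACertsEnvVarsExist is no longer read — its only use was the removed `vmeta.UseNMACertsMount(vdb.Annotations)` branch — so the signature should drop it (or name it `_`) before unused-parameter linters flag it; the signature and the start of the function are outside this hunk. The remaining body can also collapse to a single expression, `return !rootCAOk && !certOk && !keyOk && secretNamespaceOk && secretNameOk`.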
@@ -0,0 +1,99 @@ +/* + (c) Copyright [2021-2024] Open Text. + Licensed under the Apache License, Version 2.0 (the "License"); + You may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +*/ + +package vdb + +import ( + "context" + "fmt" + + "github.com/go-logr/logr" + vapi "github.com/vertica/vertica-kubernetes/api/v1" + "github.com/vertica/vertica-kubernetes/pkg/builder" + "github.com/vertica/vertica-kubernetes/pkg/controllers" + corev1 "k8s.io/api/core/v1" + "k8s.io/apimachinery/pkg/api/errors" + "k8s.io/apimachinery/pkg/types" + ctrl "sigs.k8s.io/controller-runtime" +) + +// NMACertConfigMapGenReconciler will create a configmap that has the nma secret's name +// and namespace in it. They will be mapped to two environmental variables in NMA container +type NMACertConfigMapGenReconciler struct { + VRec *VerticaDBReconciler + Vdb *vapi.VerticaDB // Vdb is the CRD we are acting on. + Log logr.Logger +} + +func MakeNMACertConfigMapGenReconciler(vdbrecon *VerticaDBReconciler, log logr.Logger, vdb *vapi.VerticaDB) controllers.ReconcileActor { + return &NMACertConfigMapGenReconciler{ + VRec: vdbrecon, + Vdb: vdb, + Log: log.WithName("TLSCertConfigMapGenReconciler"), + } +} + +// Reconcile will create a TLS secret for the https server if one is missing +func (h *NMACertConfigMapGenReconciler) Reconcile(ctx context.Context, _ *ctrl.Request) (ctrl.Result, error) { + nmaSecret := corev1.Secret{} + if !h.tlsSecretsReady(ctx, &nmaSecret) { + h.Log.Info("nma secret is not ready yet to create configmap. 
will retry") + return ctrl.Result{Requeue: true}, nil + } + name := fmt.Sprintf("%s-%s", h.Vdb.Name, vapi.NMATLSConfigMapName) + configMapName := types.NamespacedName{ + Name: name, + Namespace: h.Vdb.GetNamespace(), + } + configMap := &corev1.ConfigMap{} + err := h.VRec.Client.Get(ctx, configMapName, configMap) + if err != nil { + if errors.IsNotFound(err) { + configMap = builder.BuildNMATLSConfigMap(name, h.Vdb) + err = h.VRec.Client.Create(ctx, configMap) + h.Log.Info("created TLS cert secret configmap", "nm", configMapName.Name) + return ctrl.Result{}, err + } + h.Log.Info("failed to retrieve TLS cert secret configmap", "nm", configMapName.Name) + return ctrl.Result{}, err + } + if configMap.Data[builder.NMASecretNamespaceEnv] != h.Vdb.GetObjectMeta().GetNamespace() || + configMap.Data[builder.NMASecretNameEnv] != h.Vdb.Spec.NMATLSSecret { + configMap = builder.BuildNMATLSConfigMap(name, h.Vdb) + err = h.VRec.Client.Update(ctx, configMap) + h.Log.Info("config map " + name + " is updated for new nma secret " + h.Vdb.Spec.NMATLSSecret) + return ctrl.Result{}, err + } + return ctrl.Result{}, err +} + +// tlsSecretsReady returns true when all TLS secrets are found in k8s env +func (h *NMACertConfigMapGenReconciler) tlsSecretsReady(ctx context.Context, secret *corev1.Secret) bool { + if h.Vdb.Spec.NMATLSSecret == "" { + h.Log.Info("nma secret name is not ready. wait for it to be created") + return false + } + found, err := vapi.IsK8sSecretFound(ctx, h.Vdb, h.VRec.Client, &h.Vdb.Spec.NMATLSSecret, secret) + if !found || err != nil { + if err == nil { + h.Log.Info("did not find nma tls secret " + h.Vdb.Spec.NMATLSSecret) + } else { + h.Log.Info("failed to find nma tls secret " + h.Vdb.Spec.NMATLSSecret + " because of err: " + err.Error()) + } + + return false + } + return true +} 
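Review bot: The doc comment `// Reconcile will create a TLS secret for the https server if one is missing` was carried over from the cert-gen reconciler and is wrong for this type; it should read `// Reconcile creates or refreshes the ConfigMap holding the NMA TLS secret's name and namespace, requeueing until that secret exists.` In the not-found branch `h.Log.Info("created TLS cert secret configmap", ...)` runs before the `err` returned by `Create` is examined, so a failed create is logged as a success; check `err` first. The logger is named `TLSCertConfigMapGenReconciler` while the type is NMACertConfigMapGenReconciler, and tlsSecretsReady builds its log lines by string concatenation where key/value pairs, e.g. `h.Log.Info("did not find nma tls secret", "name", h.Vdb.Spec.NMATLSSecret)`, match the rest of the file. tlsSecretsReady also loads the full Secret, private key included, into a local that is never read afterwards only to establish existence; a metadata-only get would avoid holding key material in the reconciler. The Update path sends a freshly built ConfigMap without the fetched object's ResourceVersion, which presumably relies on unconditional-update semantics — confirm that is intended.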
diff --git a/pkg/controllers/vdb/httpservercertgen_reconciler_test.go b/pkg/controllers/vdb/nmaservercertgen_reconciler_test.go similarity index 94% rename from pkg/controllers/vdb/httpservercertgen_reconciler_test.go rename to pkg/controllers/vdb/nmaservercertgen_reconciler_test.go index e552cafdc..7becf4ee5 100644 --- a/pkg/controllers/vdb/httpservercertgen_reconciler_test.go +++ b/pkg/controllers/vdb/nmaservercertgen_reconciler_test.go @@ -40,7 +40,7 @@ var _ = Describe("httpservercertgen_reconcile", func() { test.CreateVDB(ctx, k8sClient, vdb) defer test.DeleteVDB(ctx, k8sClient, vdb) - r := MakeHTTPServerCertGenReconciler(vdbRec, logger, vdb) + r := MakeTLSServerCertGenReconciler(vdbRec, logger, vdb) Expect(r.Reconcile(ctx, &ctrl.Request{})).Should(Equal(ctrl.Result{})) Expect(vdb.Spec.NMATLSSecret).ShouldNot(Equal("")) }) @@ -53,7 +53,7 @@ var _ = Describe("httpservercertgen_reconcile", func() { test.CreateVDB(ctx, k8sClient, vdb) defer test.DeleteVDB(ctx, k8sClient, vdb) - r := MakeHTTPServerCertGenReconciler(vdbRec, logger, vdb) + r := MakeTLSServerCertGenReconciler(vdbRec, logger, vdb) Expect(r.Reconcile(ctx, &ctrl.Request{})).Should(Equal(ctrl.Result{})) Expect(vdb.Spec.NMATLSSecret).Should(Equal(DummySecretName)) }) @@ -65,7 +65,7 @@ var _ = Describe("httpservercertgen_reconcile", func() { test.CreateVDB(ctx, k8sClient, vdb) defer test.DeleteVDB(ctx, k8sClient, vdb) - r := MakeHTTPServerCertGenReconciler(vdbRec, logger, vdb) + r := MakeTLSServerCertGenReconciler(vdbRec, logger, vdb) Expect(r.Reconcile(ctx, &ctrl.Request{})).Should(Equal(ctrl.Result{})) Expect(vdb.Spec.NMATLSSecret).ShouldNot(Equal("")) nm := types.NamespacedName{Namespace: vdb.Namespace, Name: vdb.Spec.NMATLSSecret} 
@@ -89,7 +89,7 @@ var _ = Describe("httpservercertgen_reconcile", func() { err := k8sClient.Get(ctx, nm, secret) Expect(errors.IsNotFound(err)).Should(BeTrue()) - r := MakeHTTPServerCertGenReconciler(vdbRec, logger, vdb) + r := MakeTLSServerCertGenReconciler(vdbRec, logger, vdb) Expect(r.Reconcile(ctx, &ctrl.Request{})).Should(Equal(ctrl.Result{})) Expect(vdb.Spec.NMATLSSecret).Should(Equal(TLSSecretName)) Expect(k8sClient.Get(ctx, nm, secret)).Should(Succeed()) diff --git a/pkg/controllers/vdb/serviceaccount_reconciler.go b/pkg/controllers/vdb/serviceaccount_reconciler.go index cbf83dfa4..2228d348b 100644 --- a/pkg/controllers/vdb/serviceaccount_reconciler.go +++ b/pkg/controllers/vdb/serviceaccount_reconciler.go @@ -76,7 +76,7 @@ func (s *ServiceAccountReconciler) Reconcile(ctx context.Context, _ *ctrl.Reques // There is no need to create the role and rolebinding when the following condition is met: // - NMA reads certs from mounted volume or non-k8s secret store if vmeta.UseVClusterOps(s.Vdb.Annotations) && - (vmeta.UseNMACertsMount(s.Vdb.Annotations) || !secrets.IsK8sSecret(s.Vdb.Spec.NMATLSSecret)) { + !secrets.IsK8sSecret(s.Vdb.Spec.NMATLSSecret) { return ctrl.Result{}, s.saveServiceAccountNameInVDB(ctx, sa.Name) } diff --git a/pkg/controllers/vdb/httpservercertgen_reconciler.go b/pkg/controllers/vdb/tlsservercertgen_reconciler.go similarity index 55% rename from pkg/controllers/vdb/httpservercertgen_reconciler.go rename to pkg/controllers/vdb/tlsservercertgen_reconciler.go index 4dce5ac4b..74a8fb30c 100644 --- a/pkg/controllers/vdb/httpservercertgen_reconciler.go +++ b/pkg/controllers/vdb/tlsservercertgen_reconciler.go 
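Review bot: The context comment above the changed condition, `// - NMA reads certs from mounted volume or non-k8s secret store`, is now stale because this same change removes the mounted-volume path; only the non-k8s secret store case skips Role/RoleBinding creation, so it should read `// - NMA reads certs from a non-k8s secret store`. With the mount option gone, every VerticaDB whose NMATLSSecret is a k8s secret now receives the Role that lets the pod read secrets via the API; if that Role is not already restricted with `resourceNames` to the NMA secret (the role builder is outside this hunk), this widens what a compromised pod can read and is worth confirming.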
@@ -34,70 +34,94 @@ import ( ctrl "sigs.k8s.io/controller-runtime" ) -// HTTPServerCertGenReconciler will create a secret that has TLS credentials. This -// secret will be used to authenticate with the http server. -type HTTPServerCertGenReconciler struct { +const ( + ClientServerTLSSecret = "ClientServerTLSSecret" + NMATLSSecret = "NMATLSSecret" +) + +// TLSServerCertGenReconciler will create a secret that has TLS credentials. This +// secret will be used to authenticate with the https server. +type TLSServerCertGenReconciler struct { VRec *VerticaDBReconciler Vdb *vapi.VerticaDB // Vdb is the CRD we are acting on. Log logr.Logger } -func MakeHTTPServerCertGenReconciler(vdbrecon *VerticaDBReconciler, log logr.Logger, vdb *vapi.VerticaDB) controllers.ReconcileActor { - return &HTTPServerCertGenReconciler{ +func MakeTLSServerCertGenReconciler(vdbrecon *VerticaDBReconciler, log logr.Logger, vdb *vapi.VerticaDB) controllers.ReconcileActor { + return &TLSServerCertGenReconciler{ VRec: vdbrecon, Vdb: vdb, - Log: log.WithName("HTTPServerCertGenReconciler"), + Log: log.WithName("TLSServerCertGenReconciler"), } } // Reconcile will create a TLS secret for the http server if one is missing -func (h *HTTPServerCertGenReconciler) Reconcile(ctx context.Context, _ *ctrl.Request) (ctrl.Result, error) { +func (h *TLSServerCertGenReconciler) Reconcile(ctx context.Context, _ *ctrl.Request) (ctrl.Result, error) { + secretFieldNameMap := map[string]string{ + ClientServerTLSSecret: h.Vdb.Spec.ClientServerTLSSecret, + NMATLSSecret: h.Vdb.Spec.NMATLSSecret, + } + err := error(nil) + for secretFieldName, secretName := range secretFieldNameMap { + err = h.reconcileOneSecret(secretFieldName, secretName, ctx) + if err != nil { + break + } + } + return ctrl.Result{}, err +} + +// reconcileOneSecret will create a TLS secret for the http server if one is missing +func (h *TLSServerCertGenReconciler) reconcileOneSecret(secretFieldName, secretName string, + ctx context.Context) error { // If the 
secret name is set, check that it exists. - if h.Vdb.Spec.NMATLSSecret != "" { + if secretName != "" { // As a convenience we will regenerate the secret using the same name. But // only do this if it is a k8s secret. We skip if there is a path reference // for a different secret store. - if !secrets.IsK8sSecret(h.Vdb.Spec.NMATLSSecret) { - h.Log.Info("nmaTLSSecret is set but uses a path reference that isn't for k8s.") - return ctrl.Result{}, nil + if !secrets.IsK8sSecret(secretName) { + h.Log.Info(secretName + " is set but uses a path reference that isn't for k8s.") + return nil } - nm := names.GenNamespacedName(h.Vdb, h.Vdb.Spec.NMATLSSecret) + nm := names.GenNamespacedName(h.Vdb, secretName) secret := corev1.Secret{} err := h.VRec.Client.Get(ctx, nm, &secret) if errors.IsNotFound(err) { - h.Log.Info("nmaTLSSecret is set but doesn't exist. Will recreate the secret.", "name", nm) + h.Log.Info(secretName+" is set but doesn't exist. Will recreate the secret.", "name", nm) } else if err != nil { - return ctrl.Result{}, - fmt.Errorf("failed while attempting to read the tls secret %s: %w", h.Vdb.Spec.NMATLSSecret, err) + return fmt.Errorf("failed while attempting to read the tls secret %s: %w", secretName, err) } else { // Secret is filled in and exists. We can exit. 
- return ctrl.Result{}, nil + return err } } caCert, err := security.NewSelfSignedCACertificate() if err != nil { - return ctrl.Result{}, err + return err } cert, err := security.NewCertificate(caCert, "dbadmin", h.getDNSNames()) if err != nil { - return ctrl.Result{}, err + return err } - secret, err := h.createSecret(ctx, cert, caCert) + secret, err := h.createSecret(secretFieldName, secretName, ctx, cert, caCert) if err != nil { - return ctrl.Result{}, err + return err } - return ctrl.Result{}, h.setSecretNameInVDB(ctx, secret.ObjectMeta.Name) + h.Log.Info("created certificate and secret for " + secret.Name) + return h.setSecretNameInVDB(ctx, secretFieldName, secret.ObjectMeta.Name) } // getDNSNames returns the DNS names to include in the certificate that we generate -func (h *HTTPServerCertGenReconciler) getDNSNames() []string { +func (h *TLSServerCertGenReconciler) getDNSNames() []string { return []string{ fmt.Sprintf("*.%s.svc", h.Vdb.Namespace), fmt.Sprintf("*.%s.svc.cluster.local", h.Vdb.Namespace), } } -func (h *HTTPServerCertGenReconciler) createSecret(ctx context.Context, cert, caCert security.Certificate) (*corev1.Secret, error) { +// createSecret returns a secret that store TLS certificate information +func (h *TLSServerCertGenReconciler) createSecret(secretFieldName, secretName string, ctx context.Context, cert, + caCert security.Certificate) (*corev1.Secret, error) { secret := corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Namespace: h.Vdb.Namespace, 
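Review bot: `reconcileOneSecret` and `createSecret` take `ctx context.Context` after other parameters, whereas Go convention and the rest of this file (`Reconcile(ctx, ...)`, `setSecretNameInVDB(ctx, ...)`) put ctx first: `func (h *TLSServerCertGenReconciler) reconcileOneSecret(ctx context.Context, secretFieldName, secretName string) error`. Ranging over `secretFieldNameMap` makes the order in which the two secrets are generated random on each reconcile; a fixed slice of (field, name) pairs gives deterministic logs and behaviour. `err := error(nil)` is idiomatically `var err error`, and the "Secret is filled in and exists" branch should `return nil` rather than `return err`, since `err` is known to be nil there. The log line now interpolates the secret name (`secretName + " is set but uses a path reference..."`) where it previously named the field; passing `"field", secretFieldName, "name", secretName` as key/value pairs keeps both without string concatenation.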
@@ -115,24 +139,32 @@ func (h *HTTPServerCertGenReconciler) createSecret(ctx context.Context, cert, ca // Either generate a name or use the one already present in the vdb. Using // the name already present is the case where the name was filled in but the // secret didn't exist. - if h.Vdb.Spec.NMATLSSecret == "" { - secret.GenerateName = fmt.Sprintf("%s-nma-tls-", h.Vdb.Name) + if secretName == "" { + if secretFieldName == NMATLSSecret { + secret.GenerateName = fmt.Sprintf("%s-nma-tls-", h.Vdb.Name) + } else { + secret.GenerateName = fmt.Sprintf("%s-clientserver-tls-", h.Vdb.Name) + } } else { - secret.Name = h.Vdb.Spec.NMATLSSecret + secret.Name = secretName } err := h.VRec.Client.Create(ctx, &secret) return &secret, err } // setSecretNameInVDB will set the secretName in the vdb to indicate we have created that secret -func (h *HTTPServerCertGenReconciler) setSecretNameInVDB(ctx context.Context, secretName string) error { +func (h *TLSServerCertGenReconciler) setSecretNameInVDB(ctx context.Context, secretFieldName, secretName string) error { nm := h.Vdb.ExtractNamespacedName() return retry.RetryOnConflict(retry.DefaultBackoff, func() error { // Always fetch the latest in case we are in the retry loop if err := h.VRec.Client.Get(ctx, nm, h.Vdb); err != nil { return err } - h.Vdb.Spec.NMATLSSecret = secretName + if secretFieldName == ClientServerTLSSecret { + h.Vdb.Spec.ClientServerTLSSecret = secretName + } else if secretFieldName == NMATLSSecret { + h.Vdb.Spec.NMATLSSecret = secretName + } return h.VRec.Client.Update(ctx, h.Vdb) }) } diff --git a/pkg/controllers/vdb/verticadb_controller.go b/pkg/controllers/vdb/verticadb_controller.go index cdb126b50..352e1dca1 100644 --- a/pkg/controllers/vdb/verticadb_controller.go +++ b/pkg/controllers/vdb/verticadb_controller.go 
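Review bot: setSecretNameInVDB silently ignores an unrecognised `secretFieldName` and still issues `Client.Update`, so a wrong constant in a caller would spin the conflict-retry loop writing nothing; the chain should be a `switch secretFieldName` with `case ClientServerTLSSecret:` and `case NMATLSSecret:` plus `default: return fmt.Errorf("unknown tls secret field %q", secretFieldName)`. The `GenerateName` branch in createSecret has the mirror-image assumption — anything that is not NMATLSSecret is treated as client-server — which is fine with two fields today but deserves a one-line comment so a third field is not silently misnamed.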
@@ -186,8 +186,10 @@ func (r *VerticaDBReconciler) constructActors(log logr.Logger, vdb *vapi.Vertica // Handle upgrade actions for any k8s objects created in prior versions // of the operator. MakeUpgradeOperatorReconciler(r, log, vdb), - // Create a TLS secret for the NMA service - MakeHTTPServerCertGenReconciler(r, log, vdb), + // use the TLS secrets used by the NMA service, https service and clientserver + MakeTLSServerCertGenReconciler(r, log, vdb), + // Create a ConfigMap to store secret names for all tls certs + MakeNMACertConfigMapGenReconciler(r, log, vdb), // Create ServiceAcount, Role and RoleBindings needed for vertica pods MakeServiceAccountReconciler(r, log, vdb), // Handle setting up the pod security context. This picks the diff --git a/pkg/meta/annotations.go b/pkg/meta/annotations.go index 188b99bfd..e22c9dd5c 100644 --- a/pkg/meta/annotations.go +++ b/pkg/meta/annotations.go @@ -70,13 +70,6 @@ const ( MountVProxyCertsAnnotationTrue = "true" MountVProxyCertsAnnotationFalse = "false" - // This is a feature flag for mounting NMA certs as a secret volume in server containers - // if deployment method is vclusterops. When set to true the NMA reads certs from this mounted - // volume, when set to false it reads certs directly from k8s secret store. - MountNMACertsAnnotation = "vertica.com/mount-nma-certs" - MountNMACertsAnnotationTrue = "true" - MountNMACertsAnnotationFalse = "false" - // Two annotations that are set by the operator when creating objects. OperatorDeploymentMethodAnnotation = "vertica.com/operator-deployment-method" OperatorVersionAnnotation = "vertica.com/operator-version" 
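Review bot: The new actor comments do not describe the actors: `// use the TLS secrets used by the NMA service, https service and clientserver` sits above MakeTLSServerCertGenReconciler, which creates the NMA and client-server TLS secrets when they are missing, and `// Create a ConfigMap to store secret names for all tls certs` sits above MakeNMACertConfigMapGenReconciler, whose ConfigMap (BuildNMATLSConfigMap) holds only the NMA secret's name and namespace. Suggest `// Create the NMA and client-server TLS secrets if they are missing` and `// Create a ConfigMap that tells the NMA which secret holds its TLS certs`. The ordering — cert-gen before the ConfigMap reconciler — is what lets the ConfigMap reconciler find the secret on the first pass, and a short comment noting that dependency would help.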
@@ -404,12 +397,6 @@ func UseVProxyCertsMount(annotations map[string]string) bool {
 return lookupBoolAnnotation(annotations, MountVProxyCertsAnnotation, true /* default value */)
 }
 
-// UseNMACertsMount returns true if the NMA reads certs from the mounted secret
-// volume rather than directly from k8s secret store.
-func UseNMACertsMount(annotations map[string]string) bool {
- return lookupBoolAnnotation(annotations, MountNMACertsAnnotation, true /* default value */)
-}
-
 // IgnoreClusterLease returns true if revive/start should ignore the cluster lease
 func IgnoreClusterLease(annotations map[string]string) bool {
 return lookupBoolAnnotation(annotations, IgnoreClusterLeaseAnnotation, false /* default value */)
diff --git a/pkg/meta/annotations_test.go b/pkg/meta/annotations_test.go
index 139d4c120..f649d372e 100644
--- a/pkg/meta/annotations_test.go
+++ b/pkg/meta/annotations_test.go
@@ -50,11 +50,6 @@ var _ = Describe("annotations", func() {
 Ω(UseVClusterOps(ann)).Should(BeTrue())
 })
 
- It("should treat mountNMACerts annotation as a bool", func() {
- ann := map[string]string{MountNMACertsAnnotation: MountNMACertsAnnotationTrue}
- Ω(UseNMACertsMount(ann)).Should(BeTrue())
- })
-
 It("should return default NMA sidecar resources", func() {
 ann := map[string]string{}
 Ω(GetNMAResource(ann, corev1.ResourceLimitsMemory)).Should(Equal(DefaultNMAResources[corev1.ResourceLimitsMemory]))
diff --git a/pkg/paths/paths.go b/pkg/paths/paths.go
index 8e43e20ae..63f59a84b 100644
--- a/pkg/paths/paths.go
+++ b/pkg/paths/paths.go
@@ -51,6 +51,7 @@ const (
 EulaAcceptanceFile = "/opt/vertica/config/d5415f948449e9d4c421b568f2411140.dat"
 EulaAcceptanceScript = "/opt/vertica/config/accept_eula.py"
 CertsRoot = "/certs"
+ TLSCertsConfigPath = "/certs/config"
 NMACertsRoot = "/certs/nma"
 Krb5Conf = "/etc/krb5.conf"
 Krb5Keytab = "/etc/krb5/krb5.keytab"
diff --git a/tests/e2e-leg-6/nma-certs-mount/00-create-creds.yaml b/tests/e2e-leg-9/nma-generated-cert-config/00-create-creds.yaml similarity index 88% rename from tests/e2e-leg-6/nma-certs-mount/00-create-creds.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/00-create-creds.yaml index 626bea17d..ecced2c12 100644 --- a/tests/e2e-leg-6/nma-certs-mount/00-create-creds.yaml +++ b/tests/e2e-leg-9/nma-generated-cert-config/00-create-creds.yaml @@ -16,3 +16,4 @@ kind: TestStep commands: - script: kustomize build ../../manifests/communal-creds/overlay | kubectl apply -f - --namespace $NAMESPACE - script: kustomize build ../../manifests/priv-container-creds/overlay | kubectl apply -f - --namespace $NAMESPACE + - script: kustomize build ../../manifests/vertica-license/overlay | kubectl apply -f - --namespace $NAMESPACE diff --git a/tests/e2e-leg-6/nma-certs-mount/05-assert.yaml b/tests/e2e-leg-9/nma-generated-cert-config/05-assert.yaml similarity index 100% rename from tests/e2e-leg-6/nma-certs-mount/05-assert.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/05-assert.yaml diff --git a/tests/e2e-leg-6/nma-certs-mount/05-deploy-operator.yaml b/tests/e2e-leg-9/nma-generated-cert-config/05-deploy-operator.yaml similarity index 100% rename from tests/e2e-leg-6/nma-certs-mount/05-deploy-operator.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/05-deploy-operator.yaml diff --git a/tests/e2e-leg-9/nma-generated-cert-config/10-assert.yaml b/tests/e2e-leg-9/nma-generated-cert-config/10-assert.yaml new file mode 100644 index 000000000..43dec0cfe --- /dev/null +++ b/tests/e2e-leg-9/nma-generated-cert-config/10-assert.yaml 
@@ -0,0 +1,17 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: custom-cert diff --git a/tests/e2e-leg-6/nma-certs-mount/27-run-scrutinize.yaml b/tests/e2e-leg-9/nma-generated-cert-config/10-create-cert.yaml similarity index 86% rename from tests/e2e-leg-6/nma-certs-mount/27-run-scrutinize.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/10-create-cert.yaml index 0dcd04f56..8bf91d6e8 100644 --- a/tests/e2e-leg-6/nma-certs-mount/27-run-scrutinize.yaml +++ b/tests/e2e-leg-9/nma-generated-cert-config/10-create-cert.yaml @@ -14,4 +14,4 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - - script: cd ../../.. && scripts/capture-scrutinize.sh -o /tmp/scrutinize-op -x -n $NAMESPACE + - command: sh -c "envsubst < cert.yaml | kubectl apply -n $NAMESPACE -f -" diff --git a/tests/e2e-leg-6/nma-certs-mount/15-assert.yaml b/tests/e2e-leg-9/nma-generated-cert-config/15-assert.yaml similarity index 94% rename from tests/e2e-leg-6/nma-certs-mount/15-assert.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/15-assert.yaml index d70cb14eb..080053489 100644 --- a/tests/e2e-leg-6/nma-certs-mount/15-assert.yaml +++ b/tests/e2e-leg-9/nma-generated-cert-config/15-assert.yaml 
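Review bot: The 10-assert step only checks that a Secret named custom-cert exists; it does not check that cert-manager actually issued a TLS secret, so a stray empty Secret of that name would satisfy the step and the later NMA checks would fail with a less obvious error. The data values cannot be predicted, but the type can: add `type: kubernetes.io/tls` under the metadata block, which is the type cert-manager sets on issued secrets. The identical file under nma-user-cert-config (same blob index) would take the same line.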
@@ -14,14 +14,14 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: v-nma-certs-sc1 + name: v-tls-certs-sc1 status: replicas: 1 --- apiVersion: vertica.com/v1beta1 kind: VerticaDB metadata: - name: v-nma-certs + name: v-tls-certs status: subclusters: - installCount: 1 diff --git a/tests/e2e-leg-6/nma-certs-mount/15-setup-vdb.yaml b/tests/e2e-leg-9/nma-generated-cert-config/15-setup-vdb.yaml similarity index 100% rename from tests/e2e-leg-6/nma-certs-mount/15-setup-vdb.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/15-setup-vdb.yaml diff --git a/tests/e2e-leg-6/nma-certs-mount/17-assert.yaml b/tests/e2e-leg-9/nma-generated-cert-config/17-assert.yaml similarity index 77% rename from tests/e2e-leg-6/nma-certs-mount/17-assert.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/17-assert.yaml index 6ffb1026c..74447f512 100644 --- a/tests/e2e-leg-6/nma-certs-mount/17-assert.yaml +++ b/tests/e2e-leg-9/nma-generated-cert-config/17-assert.yaml @@ -14,20 +14,16 @@ apiVersion: apps/v1 kind: StatefulSet metadata: - name: v-nma-certs-sc1 + name: v-tls-certs-sc1 status: replicas: 1 readyReplicas: 1 --- -apiVersion: vertica.com/v1beta1 +apiVersion: vertica.com/v1 kind: VerticaDB metadata: - name: v-nma-certs - annotations: - vertica.com/vcluster-ops: "true" - vertica.com/mount-nma-certs: "false" + name: v-tls-certs status: subclusters: - - installCount: 1 - addedToDBCount: 1 + - addedToDBCount: 1 upNodeCount: 1 diff --git a/tests/e2e-leg-6/nma-certs-mount/17-wait-for-createdb.yaml b/tests/e2e-leg-9/nma-generated-cert-config/17-wait-for-createdb.yaml similarity index 100% rename from tests/e2e-leg-6/nma-certs-mount/17-wait-for-createdb.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/17-wait-for-createdb.yaml diff --git a/tests/e2e-leg-9/nma-generated-cert-config/25-verify-nma-tls-certs-env.yaml b/tests/e2e-leg-9/nma-generated-cert-config/25-verify-nma-tls-certs-env.yaml new file mode 100644 index 000000000..501130409 --- /dev/null 
+++ b/tests/e2e-leg-9/nma-generated-cert-config/25-verify-nma-tls-certs-env.yaml @@ -0,0 +1,19 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: kuttl.dev/v1beta2 +kind: TestStep +commands: + # nma env variable should exist. + - command: kubectl exec -n $NAMESPACE v-tls-certs-sc1-0 -c nma -- bash -c "env | grep NMA_SECRET_NAME=v-tls-certs-nma-tls" + - command: kubectl exec -n $NAMESPACE v-tls-certs-sc1-0 -c nma -- bash -c "env | grep NMA_SECRET_NAMESPACE=$NAMESPACE" diff --git a/tests/e2e-leg-6/nma-certs-mount/50-verify-nma-certs-mount.yaml b/tests/e2e-leg-9/nma-generated-cert-config/35-restart-nma.yaml similarity index 78% rename from tests/e2e-leg-6/nma-certs-mount/50-verify-nma-certs-mount.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/35-restart-nma.yaml index 85af65528..f4d817743 100644 --- a/tests/e2e-leg-6/nma-certs-mount/50-verify-nma-certs-mount.yaml +++ b/tests/e2e-leg-9/nma-generated-cert-config/35-restart-nma.yaml @@ -11,8 +11,8 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: kuttl.dev/v1beta2 +apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - # nma certs volume mount path should exist. - - command: kubectl exec -n $NAMESPACE v-nma-certs-sc1-0 -- bash -c "test -d /certs/nma" + - command: kubectl exec v-tls-certs-sc1-0 -c nma -n $NAMESPACE -- bash -c "kill 1" + namespaced: true 
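Review bot: The grep pattern `NMA_SECRET_NAME=v-tls-certs-nma-tls` is a prefix match by necessity — the operator creates the secret with GenerateName `<vdb>-nma-tls-`, so the actual value carries a random suffix — but nothing in the step says so, and a reader may "fix" it to an exact match. Replace the generic comment with `# The generated secret name ends in a random suffix, so grep deliberately matches the prefix only.`. The same pattern appears in the 45-verify step further down.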
diff --git a/tests/e2e-leg-9/nma-generated-cert-config/40-assert.yaml b/tests/e2e-leg-9/nma-generated-cert-config/40-assert.yaml new file mode 100644 index 000000000..dcb3c1494 --- /dev/null +++ b/tests/e2e-leg-9/nma-generated-cert-config/40-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: vertica.com/v1beta1 +kind: VerticaDB +metadata: + name: v-tls-certs +status: + subclusters: + - addedToDBCount: 1 + upNodeCount: 1 + name: sc1 + detail: + - upNode: true diff --git a/tests/e2e-leg-6/nma-certs-mount/40-wait-for-restart.yaml b/tests/e2e-leg-9/nma-generated-cert-config/40-wait-for-restart.yaml similarity index 100% rename from tests/e2e-leg-6/nma-certs-mount/40-wait-for-restart.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/40-wait-for-restart.yaml diff --git a/tests/e2e-leg-9/nma-generated-cert-config/45-verify-nma-tls-certs-env.yaml b/tests/e2e-leg-9/nma-generated-cert-config/45-verify-nma-tls-certs-env.yaml new file mode 100644 index 000000000..2fe1a789f --- /dev/null +++ b/tests/e2e-leg-9/nma-generated-cert-config/45-verify-nma-tls-certs-env.yaml 
@@ -0,0 +1,20 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: kuttl.dev/v1beta2 +kind: TestStep +commands: + # nma env variable should exist. + - command: sleep 60 + - command: kubectl exec -n $NAMESPACE v-tls-certs-sc1-0 -c nma -- bash -c "env | grep NMA_SECRET_NAME=v-tls-certs-nma-tls" + - command: kubectl exec -n $NAMESPACE v-tls-certs-sc1-0 -c nma -- bash -c "env | grep NMA_SECRET_NAMESPACE=$NAMESPACE" diff --git a/tests/e2e-leg-9/nma-generated-cert-config/50-change-nma-tls-secret.yaml b/tests/e2e-leg-9/nma-generated-cert-config/50-change-nma-tls-secret.yaml new file mode 100644 index 000000000..b2bb73ce2 --- /dev/null +++ b/tests/e2e-leg-9/nma-generated-cert-config/50-change-nma-tls-secret.yaml @@ -0,0 +1,6 @@ +apiVersion: vertica.com/v1 +kind: VerticaDB +metadata: + name: v-tls-certs +spec: + nmaTLSSecret: custom-cert diff --git a/tests/e2e-leg-9/nma-generated-cert-config/55-restart-nma.yaml b/tests/e2e-leg-9/nma-generated-cert-config/55-restart-nma.yaml new file mode 100644 index 000000000..f4d817743 --- /dev/null +++ b/tests/e2e-leg-9/nma-generated-cert-config/55-restart-nma.yaml 
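Review bot: The new 45-verify step relies on `- command: sleep 60` before checking the NMA env after the `kill 1` restart, which is a fixed wait that is both slow and not guaranteed to be long enough under load. The preceding 40-assert already waits for the VerticaDB to report upNode, so either drop the sleep or replace it with a bounded poll of the same grep command so the step passes as soon as the container is back. The same sleep is in the 65-verify step of this test and in the 45-verify step of nma-user-cert-config.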
@@ -0,0 +1,18 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl exec v-tls-certs-sc1-0 -c nma -n $NAMESPACE -- bash -c "kill 1" + namespaced: true diff --git a/tests/e2e-leg-9/nma-generated-cert-config/60-assert.yaml b/tests/e2e-leg-9/nma-generated-cert-config/60-assert.yaml new file mode 100644 index 000000000..dcb3c1494 --- /dev/null +++ b/tests/e2e-leg-9/nma-generated-cert-config/60-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: vertica.com/v1beta1 +kind: VerticaDB +metadata: + name: v-tls-certs +status: + subclusters: + - addedToDBCount: 1 + upNodeCount: 1 + name: sc1 + detail: + - upNode: true diff --git a/tests/e2e-leg-9/nma-generated-cert-config/60-wait-for-restart.yaml b/tests/e2e-leg-9/nma-generated-cert-config/60-wait-for-restart.yaml new file mode 100644 index 000000000..8bcd1e149 --- /dev/null +++ b/tests/e2e-leg-9/nma-generated-cert-config/60-wait-for-restart.yaml @@ -0,0 +1 @@ +# Intentionally empty to give this step a name in kuttl diff --git a/tests/e2e-leg-9/nma-generated-cert-config/65-verify-nma-tls-certs-env.yaml b/tests/e2e-leg-9/nma-generated-cert-config/65-verify-nma-tls-certs-env.yaml new file mode 100644 index 000000000..6e531089c --- /dev/null +++ b/tests/e2e-leg-9/nma-generated-cert-config/65-verify-nma-tls-certs-env.yaml 
@@ -0,0 +1,20 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: kuttl.dev/v1beta2 +kind: TestStep +commands: + # nma env variable should exist. + - command: sleep 60 + - command: kubectl exec -n $NAMESPACE v-tls-certs-sc1-0 -c nma -- bash -c "env | grep NMA_SECRET_NAME=custom-cert" + - command: kubectl exec -n $NAMESPACE v-tls-certs-sc1-0 -c nma -- bash -c "env | grep NMA_SECRET_NAMESPACE=$NAMESPACE" diff --git a/tests/e2e-leg-6/nma-certs-mount/65-delete-cr.yaml b/tests/e2e-leg-9/nma-generated-cert-config/85-delete-cr.yaml similarity index 100% rename from tests/e2e-leg-6/nma-certs-mount/65-delete-cr.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/85-delete-cr.yaml diff --git a/tests/e2e-leg-6/nma-certs-mount/65-errors.yaml b/tests/e2e-leg-9/nma-generated-cert-config/85-errors.yaml similarity index 100% rename from tests/e2e-leg-6/nma-certs-mount/65-errors.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/85-errors.yaml diff --git a/tests/e2e-leg-6/nma-certs-mount/66-assert.yaml b/tests/e2e-leg-9/nma-generated-cert-config/86-assert.yaml similarity index 100% rename from tests/e2e-leg-6/nma-certs-mount/66-assert.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/86-assert.yaml 
diff --git a/tests/e2e-leg-6/nma-certs-mount/66-cleanup-storage.yaml b/tests/e2e-leg-9/nma-generated-cert-config/86-cleanup-storage.yaml similarity index 100% rename from tests/e2e-leg-6/nma-certs-mount/66-cleanup-storage.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/86-cleanup-storage.yaml diff --git a/tests/e2e-leg-6/nma-certs-mount/66-errors.yaml b/tests/e2e-leg-9/nma-generated-cert-config/86-errors.yaml similarity index 100% rename from tests/e2e-leg-6/nma-certs-mount/66-errors.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/86-errors.yaml diff --git a/tests/e2e-leg-6/nma-certs-mount/99-delete-ns.yaml b/tests/e2e-leg-9/nma-generated-cert-config/99-delete-ns.yaml similarity index 100% rename from tests/e2e-leg-6/nma-certs-mount/99-delete-ns.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/99-delete-ns.yaml diff --git a/tests/e2e-leg-6/nma-certs-mount/30-flip-mount-nma-certs-flag.yaml b/tests/e2e-leg-9/nma-generated-cert-config/cert.yaml similarity index 61% rename from tests/e2e-leg-6/nma-certs-mount/30-flip-mount-nma-certs-flag.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/cert.yaml index e01e04dac..3da5aff88 100644 --- a/tests/e2e-leg-6/nma-certs-mount/30-flip-mount-nma-certs-flag.yaml +++ b/tests/e2e-leg-9/nma-generated-cert-config/cert.yaml @@ -11,11 +11,23 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: vertica.com/v1beta1 -kind: VerticaDB -metadata: - name: v-nma-certs - annotations: - vertica.com/vcluster-ops: "true" - vertica.com/mount-nma-certs: "true" +# This is applied through envsubst so that the $NAMESPACE gets filled in +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: serving-cert +spec: + commonName: default + isCA: true + issuerRef: + kind: Issuer + name: selfsigned-issuer + secretName: custom-cert +--- +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: selfsigned-issuer +spec: + selfSigned: {} 
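Review bot: The header comment in cert.yaml, `# This is applied through envsubst so that the $NAMESPACE gets filled in`, is not true of the manifest below it — it contains no `$NAMESPACE` (or any other variable); the namespace comes from `kubectl apply -n $NAMESPACE` in the 10-create-cert steps. Either drop the envsubst pipe from those steps and this comment, or reword it to `# Applied with kubectl -n $NAMESPACE; envsubst is kept so variables can be added later`. The Certificate also declares no dnsNames or usages and is marked `isCA: true`, so the resulting secret is only usable where the peer does not verify the server name — fine for this test, but a one-line comment saying so would stop it being copied into a non-test manifest.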
diff --git a/tests/e2e-leg-6/nma-certs-mount/setup-vdb/base/kustomization.yaml b/tests/e2e-leg-9/nma-generated-cert-config/setup-vdb/base/kustomization.yaml similarity index 100% rename from tests/e2e-leg-6/nma-certs-mount/setup-vdb/base/kustomization.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/setup-vdb/base/kustomization.yaml diff --git a/tests/e2e-leg-6/nma-certs-mount/setup-vdb/base/setup-vdb.yaml b/tests/e2e-leg-9/nma-generated-cert-config/setup-vdb/base/setup-vdb.yaml similarity index 84% rename from tests/e2e-leg-6/nma-certs-mount/setup-vdb/base/setup-vdb.yaml rename to tests/e2e-leg-9/nma-generated-cert-config/setup-vdb/base/setup-vdb.yaml index 812d2397a..65abd4b22 100644 --- a/tests/e2e-leg-6/nma-certs-mount/setup-vdb/base/setup-vdb.yaml +++ b/tests/e2e-leg-9/nma-generated-cert-config/setup-vdb/base/setup-vdb.yaml @@ -11,18 +11,17 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: vertica.com/v1beta1 +apiVersion: vertica.com/v1 kind: VerticaDB metadata: - name: v-nma-certs + name: v-tls-certs annotations: - vertica.com/vcluster-ops: "true" - vertica.com/mount-nma-certs: "false" + vertica.com/k-safety: "0" + vertica.com/include-uid-in-path: true spec: initPolicy: CreateSkipPackageInstall image: kustomize-vertica-image - communal: - includeUIDInPath: true + communal: {} local: requestSize: 100Mi catalogPath: /catalog @@ -31,7 +30,6 @@ spec: subclusters: - name: sc1 size: 1 - kSafety: "0" securityContext: capabilities: add: ["SYS_PTRACE"] diff --git a/tests/e2e-leg-9/nma-user-cert-config/00-create-creds.yaml b/tests/e2e-leg-9/nma-user-cert-config/00-create-creds.yaml new file mode 100644 index 000000000..ecced2c12 --- /dev/null +++ b/tests/e2e-leg-9/nma-user-cert-config/00-create-creds.yaml 
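Review bot: The added annotation `vertica.com/include-uid-in-path: true` in setup-vdb.yaml is an unquoted YAML boolean, but metadata.annotations is a string map, so the API server rejects the object on decode and the 15-setup-vdb step fails before the test reaches the TLS checks. Quote it like the sibling annotation: `vertica.com/include-uid-in-path: "true"`. The overlay this base feeds is outside the visible diff, so I cannot tell whether a patch there masks the problem.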
@@ -0,0 +1,19 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - script: kustomize build ../../manifests/communal-creds/overlay | kubectl apply -f - --namespace $NAMESPACE + - script: kustomize build ../../manifests/priv-container-creds/overlay | kubectl apply -f - --namespace $NAMESPACE + - script: kustomize build ../../manifests/vertica-license/overlay | kubectl apply -f - --namespace $NAMESPACE diff --git a/tests/e2e-leg-6/nma-certs-mount/40-assert.yaml b/tests/e2e-leg-9/nma-user-cert-config/05-assert.yaml similarity index 79% rename from tests/e2e-leg-6/nma-certs-mount/40-assert.yaml rename to tests/e2e-leg-9/nma-user-cert-config/05-assert.yaml index 3975efefc..9faca75c9 100644 --- a/tests/e2e-leg-6/nma-certs-mount/40-assert.yaml +++ b/tests/e2e-leg-9/nma-user-cert-config/05-assert.yaml @@ -11,12 +11,11 @@ # See the License for the specific language governing permissions and # limitations under the License. -apiVersion: vertica.com/v1beta1 -kind: VerticaDB +apiVersion: v1 +kind: Pod metadata: - name: v-nma-certs + namespace: verticadb-operator + labels: + control-plane: verticadb-operator status: - subclusters: - - installCount: 1 - addedToDBCount: 1 - upNodeCount: 1 + phase: Running diff --git a/tests/e2e-leg-9/nma-user-cert-config/05-deploy-operator.yaml b/tests/e2e-leg-9/nma-user-cert-config/05-deploy-operator.yaml new file mode 100644 index 000000000..0cd372046 
--- /dev/null +++ b/tests/e2e-leg-9/nma-user-cert-config/05-deploy-operator.yaml @@ -0,0 +1,12 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. diff --git a/tests/e2e-leg-9/nma-user-cert-config/10-assert.yaml b/tests/e2e-leg-9/nma-user-cert-config/10-assert.yaml new file mode 100644 index 000000000..43dec0cfe --- /dev/null +++ b/tests/e2e-leg-9/nma-user-cert-config/10-assert.yaml @@ -0,0 +1,17 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: v1 +kind: Secret +metadata: + name: custom-cert diff --git a/tests/e2e-leg-6/nma-certs-mount/55-run-scrutinize.yaml b/tests/e2e-leg-9/nma-user-cert-config/10-create-cert.yaml similarity index 86% rename from tests/e2e-leg-6/nma-certs-mount/55-run-scrutinize.yaml rename to tests/e2e-leg-9/nma-user-cert-config/10-create-cert.yaml index 0dcd04f56..8bf91d6e8 100644 --- a/tests/e2e-leg-6/nma-certs-mount/55-run-scrutinize.yaml 
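Review bot: The new 05-deploy-operator.yaml in nma-user-cert-config holds only the license header and no TestStep, so the step name exists purely to pair with 05-assert; the other intentionally empty steps in this change carry `# Intentionally empty to give this step a name in kuttl`, and this file should carry the same line so the next reader does not assume the operator deployment was lost. If the intent was to actually deploy the operator here, the commands are missing.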
+++ b/tests/e2e-leg-9/nma-user-cert-config/10-create-cert.yaml @@ -14,4 +14,4 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep commands: - - script: cd ../../.. && scripts/capture-scrutinize.sh -o /tmp/scrutinize-op -x -n $NAMESPACE + - command: sh -c "envsubst < cert.yaml | kubectl apply -n $NAMESPACE -f -" diff --git a/tests/e2e-leg-6/nma-certs-mount/35-assert.yaml b/tests/e2e-leg-9/nma-user-cert-config/15-assert.yaml similarity index 85% rename from tests/e2e-leg-6/nma-certs-mount/35-assert.yaml rename to tests/e2e-leg-9/nma-user-cert-config/15-assert.yaml index 7075d275f..080053489 100644 --- a/tests/e2e-leg-6/nma-certs-mount/35-assert.yaml +++ b/tests/e2e-leg-9/nma-user-cert-config/15-assert.yaml @@ -11,12 +11,17 @@ # See the License for the specific language governing permissions and # limitations under the License. +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: v-tls-certs-sc1 +status: + replicas: 1 +--- apiVersion: vertica.com/v1beta1 kind: VerticaDB metadata: - name: v-nma-certs + name: v-tls-certs status: subclusters: - installCount: 1 - addedToDBCount: 1 - upNodeCount: 0 diff --git a/tests/e2e-leg-9/nma-user-cert-config/15-setup-vdb.yaml b/tests/e2e-leg-9/nma-user-cert-config/15-setup-vdb.yaml new file mode 100644 index 000000000..c9ed69089 --- /dev/null +++ b/tests/e2e-leg-9/nma-user-cert-config/15-setup-vdb.yaml 
@@ -0,0 +1,17 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: bash -c "kustomize build setup-vdb/overlay | kubectl -n $NAMESPACE apply -f - " diff --git a/tests/e2e-leg-9/nma-user-cert-config/17-assert.yaml b/tests/e2e-leg-9/nma-user-cert-config/17-assert.yaml new file mode 100644 index 000000000..e1ee859ca --- /dev/null +++ b/tests/e2e-leg-9/nma-user-cert-config/17-assert.yaml 
@@ -0,0 +1,38 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: v-tls-certs-sc1 +status: + replicas: 1 + readyReplicas: 1 +--- +apiVersion: vertica.com/v1 +kind: VerticaDB +metadata: + name: v-tls-certs +spec: + nmaTLSSecret: custom-cert +status: + subclusters: + - addedToDBCount: 1 + upNodeCount: 1 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: v-tls-certs-nma-tls-config +data: + NMA_SECRET_NAME: custom-cert diff --git a/tests/e2e-leg-9/nma-user-cert-config/17-wait-for-createdb.yaml b/tests/e2e-leg-9/nma-user-cert-config/17-wait-for-createdb.yaml new file mode 100644 index 000000000..bf3726035 --- /dev/null +++ b/tests/e2e-leg-9/nma-user-cert-config/17-wait-for-createdb.yaml @@ -0,0 +1 @@ +# Intentionally empty to give this step a name in kuttl \ No newline at end of file diff --git a/tests/e2e-leg-6/nma-certs-mount/25-verify-no-nma-certs-mount.yaml b/tests/e2e-leg-9/nma-user-cert-config/25-verify-nma-tls-certs-env.yaml similarity index 69% rename from tests/e2e-leg-6/nma-certs-mount/25-verify-no-nma-certs-mount.yaml rename to tests/e2e-leg-9/nma-user-cert-config/25-verify-nma-tls-certs-env.yaml index 62e2fed9e..3df9dbd3c 100644 --- a/tests/e2e-leg-6/nma-certs-mount/25-verify-no-nma-certs-mount.yaml +++ b/tests/e2e-leg-9/nma-user-cert-config/25-verify-nma-tls-certs-env.yaml 
@@ -14,5 +14,6 @@ apiVersion: kuttl.dev/v1beta2 kind: TestStep commands: - # nma certs volume mount path should not exist. - - command: kubectl exec -n $NAMESPACE v-nma-certs-sc1-0 -- bash -c "! test -d /certs/nma" + # nma env variable should exist. + - command: kubectl exec -n $NAMESPACE v-tls-certs-sc1-0 -c nma -- bash -c "env | grep NMA_SECRET_NAME=custom-cert" + - command: kubectl exec -n $NAMESPACE v-tls-certs-sc1-0 -c nma -- bash -c "env | grep NMA_SECRET_NAMESPACE=$NAMESPACE" diff --git a/tests/e2e-leg-9/nma-user-cert-config/35-restart-nma.yaml b/tests/e2e-leg-9/nma-user-cert-config/35-restart-nma.yaml new file mode 100644 index 000000000..f4d817743 --- /dev/null +++ b/tests/e2e-leg-9/nma-user-cert-config/35-restart-nma.yaml @@ -0,0 +1,18 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +commands: + - command: kubectl exec v-tls-certs-sc1-0 -c nma -n $NAMESPACE -- bash -c "kill 1" + namespaced: true diff --git a/tests/e2e-leg-9/nma-user-cert-config/40-assert.yaml b/tests/e2e-leg-9/nma-user-cert-config/40-assert.yaml new file mode 100644 index 000000000..dcb3c1494 --- /dev/null +++ b/tests/e2e-leg-9/nma-user-cert-config/40-assert.yaml @@ -0,0 +1,11 @@ +apiVersion: vertica.com/v1beta1 +kind: VerticaDB +metadata: + name: v-tls-certs +status: + subclusters: + - addedToDBCount: 1 + upNodeCount: 1 + name: sc1 + detail: + - upNode: true 
diff --git a/tests/e2e-leg-9/nma-user-cert-config/40-wait-for-restart.yaml b/tests/e2e-leg-9/nma-user-cert-config/40-wait-for-restart.yaml new file mode 100644 index 000000000..8bcd1e149 --- /dev/null +++ b/tests/e2e-leg-9/nma-user-cert-config/40-wait-for-restart.yaml @@ -0,0 +1 @@ +# Intentionally empty to give this step a name in kuttl diff --git a/tests/e2e-leg-9/nma-user-cert-config/45-verify-nma-tls-certs-env.yaml b/tests/e2e-leg-9/nma-user-cert-config/45-verify-nma-tls-certs-env.yaml new file mode 100644 index 000000000..6e531089c --- /dev/null +++ b/tests/e2e-leg-9/nma-user-cert-config/45-verify-nma-tls-certs-env.yaml @@ -0,0 +1,20 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: kuttl.dev/v1beta2 +kind: TestStep +commands: + # nma env variable should exist. + - command: sleep 60 + - command: kubectl exec -n $NAMESPACE v-tls-certs-sc1-0 -c nma -- bash -c "env | grep NMA_SECRET_NAME=custom-cert" + - command: kubectl exec -n $NAMESPACE v-tls-certs-sc1-0 -c nma -- bash -c "env | grep NMA_SECRET_NAMESPACE=$NAMESPACE" diff --git a/tests/e2e-leg-9/nma-user-cert-config/65-delete-cr.yaml b/tests/e2e-leg-9/nma-user-cert-config/65-delete-cr.yaml new file mode 100644 index 000000000..9d6b01a58 --- /dev/null +++ b/tests/e2e-leg-9/nma-user-cert-config/65-delete-cr.yaml 
@@ -0,0 +1,18 @@ +# (c) Copyright [2021-2024] Open Text. +# Licensed under the Apache License, Version 2.0 (the "License"); +# You may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +apiVersion: kuttl.dev/v1beta1 +kind: TestStep +delete: + - apiVersion: vertica.com/v1beta1 + kind: VerticaDB diff --git a/tests/e2e-leg-6/nma-certs-mount/30-assert.yaml b/tests/e2e-leg-9/nma-user-cert-config/65-errors.yaml similarity index 82% rename from tests/e2e-leg-6/nma-certs-mount/30-assert.yaml rename to tests/e2e-leg-9/nma-user-cert-config/65-errors.yaml index e01e04dac..7ae9512ca 100644 --- a/tests/e2e-leg-6/nma-certs-mount/30-assert.yaml +++ b/tests/e2e-leg-9/nma-user-cert-config/65-errors.yaml @@ -11,11 +11,14 @@ # See the License for the specific language governing permissions and # limitations under the License. +apiVersion: apps/v1 +kind: StatefulSet +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app.kubernetes.io/managed-by: verticadb-operator +--- apiVersion: vertica.com/v1beta1 kind: VerticaDB -metadata: - name: v-nma-certs - annotations: - vertica.com/vcluster-ops: "true" - vertica.com/mount-nma-certs: "true" - diff --git a/tests/e2e-leg-9/nma-user-cert-config/66-assert.yaml b/tests/e2e-leg-9/nma-user-cert-config/66-assert.yaml new file mode 100644 index 000000000..861c7dc8f --- /dev/null +++ b/tests/e2e-leg-9/nma-user-cert-config/66-assert.yaml 
@@ -0,0 +1,19 @@
+# (c) Copyright [2021-2024] Open Text.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Pod
+metadata:
+ name: clean-communal
+status:
+ phase: Succeeded
diff --git a/tests/e2e-leg-9/nma-user-cert-config/66-cleanup-storage.yaml b/tests/e2e-leg-9/nma-user-cert-config/66-cleanup-storage.yaml
new file mode 100644
index 000000000..dcc6306f3
--- /dev/null
+++ b/tests/e2e-leg-9/nma-user-cert-config/66-cleanup-storage.yaml
@@ -0,0 +1,17 @@
+# (c) Copyright [2021-2024] Open Text.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+ - command: bash -c "kustomize build clean-communal/overlay | kubectl -n $NAMESPACE apply -f - "
diff --git a/tests/e2e-leg-9/nma-user-cert-config/66-errors.yaml b/tests/e2e-leg-9/nma-user-cert-config/66-errors.yaml
new file mode 100644
index 000000000..671be36cf
--- /dev/null
+++ b/tests/e2e-leg-9/nma-user-cert-config/66-errors.yaml
@@ -0,0 +1,15 @@
+# (c) Copyright [2021-2024] Open Text.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: PersistentVolumeClaim
diff --git a/tests/e2e-leg-6/nma-certs-mount/35-kill-sts.yaml b/tests/e2e-leg-9/nma-user-cert-config/99-delete-ns.yaml
similarity index 90%
rename from tests/e2e-leg-6/nma-certs-mount/35-kill-sts.yaml
rename to tests/e2e-leg-9/nma-user-cert-config/99-delete-ns.yaml
index b51562280..1674b3e8f 100644
--- a/tests/e2e-leg-6/nma-certs-mount/35-kill-sts.yaml
+++ b/tests/e2e-leg-9/nma-user-cert-config/99-delete-ns.yaml
@@ -14,5 +14,4 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestStep
 commands:
- - command: kubectl delete sts v-nma-certs-sc1
- namespaced: true
\ No newline at end of file
+ - command: kubectl delete ns $NAMESPACE
diff --git a/tests/e2e-leg-9/nma-user-cert-config/cert.yaml b/tests/e2e-leg-9/nma-user-cert-config/cert.yaml
new file mode 100644
index 000000000..3da5aff88
--- /dev/null
+++ b/tests/e2e-leg-9/nma-user-cert-config/cert.yaml
@@ -0,0 +1,33 @@
+# (c) Copyright [2021-2024] Open Text.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This is applied through envsubst so that the $NAMESPACE gets filled in
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: serving-cert
+spec:
+ commonName: default
+ isCA: true
+ issuerRef:
+ kind: Issuer
+ name: selfsigned-issuer
+ secretName: custom-cert
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-issuer
+spec:
+ selfSigned: {}
diff --git a/tests/e2e-leg-9/nma-user-cert-config/setup-vdb/base/kustomization.yaml b/tests/e2e-leg-9/nma-user-cert-config/setup-vdb/base/kustomization.yaml
new file mode 100644
index 000000000..681396735
--- /dev/null
+++ b/tests/e2e-leg-9/nma-user-cert-config/setup-vdb/base/kustomization.yaml
@@ -0,0 +1,15 @@
+# (c) Copyright [2021-2024] Open Text.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+resources:
+ - setup-vdb.yaml
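Review bot: The comment `# This is applied through envsubst so that the $NAMESPACE gets filled in` in cert.yaml no longer describes the file: neither the Certificate nor the Issuer below it references `$NAMESPACE`, so either drop the comment or restore the namespace reference it talks about. The Certificate is also issued with `isCA: true`, `commonName: default` and no `usages` or `dnsNames`, yet setup-vdb.yaml hands the resulting `custom-cert` secret to the NMA as its TLS secret; a self-signed CA certificate with no server-auth usage and no SAN for the pod hostname is presumably enough for a test that only checks environment variables, but a comment stating that this certificate is deliberately minimal and not a model for a real `nmaTLSSecret` would stop it being copied into a setup where clients verify the NMA's certificate.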
diff --git a/tests/e2e-leg-9/nma-user-cert-config/setup-vdb/base/setup-vdb.yaml b/tests/e2e-leg-9/nma-user-cert-config/setup-vdb/base/setup-vdb.yaml
new file mode 100644
index 000000000..f1a578b4c
--- /dev/null
+++ b/tests/e2e-leg-9/nma-user-cert-config/setup-vdb/base/setup-vdb.yaml
@@ -0,0 +1,40 @@
+# (c) Copyright [2021-2024] Open Text.
+# Licensed under the Apache License, Version 2.0 (the "License");
+# You may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: vertica.com/v1
+kind: VerticaDB
+metadata:
+ name: v-tls-certs
+ annotations:
+ vertica.com/k-safety: "0"
+ vertica.com/include-uid-in-path: true
+spec:
+ initPolicy: CreateSkipPackageInstall
+ image: kustomize-vertica-image
+ communal: {}
+ local:
+ requestSize: 100Mi
+ catalogPath: /catalog
+ dbName: vertdb
+ encryptSpreadComm: vertica
+ subclusters:
+ - name: sc1
+ size: 1
+ nmaTLSSecret: custom-cert
+ securityContext:
+ capabilities:
+ add: ["SYS_PTRACE"]
+ certSecrets: []
+ imagePullSecrets: []
+ volumes: []
+ volumeMounts: []
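Review bot: `vertica.com/include-uid-in-path: true` in setup-vdb.yaml is an unquoted YAML boolean, but annotation values are strings; the line above already quotes `"0"` for `k-safety` for that reason, so write `vertica.com/include-uid-in-path: "true"` so the manifest is not rejected by type validation when it is applied. The `SYS_PTRACE` capability added under `securityContext.capabilities` widens the Vertica container's privileges beyond anything a TLS-secret test visibly needs; if it is required (for example by a debugging tool in the image), a one-line comment on the `capabilities` block saying why would keep it from being copied into other tests unquestioned, and if it is not, drop it.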