diff --git a/internal/controller/factory/statefulset.go b/internal/controller/factory/statefulset.go index f9447901..cf4002e3 100644 --- a/internal/controller/factory/statefulset.go +++ b/internal/controller/factory/statefulset.go @@ -19,6 +19,7 @@ package factory import ( "context" "fmt" + "path/filepath" "slices" appsv1 "k8s.io/api/apps/v1" @@ -32,8 +33,47 @@ import ( etcdaenixiov1alpha1 "github.com/aenix-io/etcd-operator/api/v1alpha1" ) +type certConfigurator interface { + Name() string + MountPath() string + CrtFilePath() string + KeyFilePath() string +} + +type certificate struct { + certName string + mountPath string + crtFile string + keyFile string +} + +type certificates map[string]certConfigurator + const ( etcdContainerName = "etcd" + etcdVolumeName = "data" + etcdDataMountPath = "/var/run/etcd" + ectdDataDirName = "default.etcd" +) + +var ( + etcdCertificates = certificates{ + "peer-trusted-ca-certificate": getCertificateConfig("peer-trusted-ca-certificate", + "/etc/etcd/pki/peer/ca", "ca.crt", ""), + "peer-certificate": getCertificateConfig("peer-certificate", + "/etc/etcd/pki/peer/cert", "tls.crt", "tls.key"), + "server-certificate": getCertificateConfig("server-certificate", + "/etc/etcd/pki/server/cert", "tls.crt", "tls.key"), + "client-trusted-ca-certificate": getCertificateConfig("client-trusted-ca-certificate", + "/etc/etcd/pki/client/ca", "ca.crt", ""), + } + + peerTrustedCACertificate = etcdCertificates["peer-trusted-ca-certificate"] + peerCertificate = etcdCertificates["peer-certificate"] + serverCertificate = etcdCertificates["server-certificate"] + clientTrustedCACertificate = etcdCertificates["client-trusted-ca-certificate"] + + etcdDataFullPath = filepath.Join(etcdDataMountPath, ectdDataDirName) ) func CreateOrUpdateStatefulSet( @@ -69,6 +109,7 @@ func CreateOrUpdateStatefulSet( } volumes := generateVolumes(cluster) + containers := generateContainers(cluster) statefulSet := &appsv1.StatefulSet{ ObjectMeta: metav1.ObjectMeta{ @@ -86,7 +127,7 @@ func CreateOrUpdateStatefulSet( Template: corev1.PodTemplateSpec{ ObjectMeta: podMetadata, Spec: corev1.PodSpec{ - Containers: generateContainers(cluster), + Containers: containers, ImagePullSecrets: cluster.Spec.PodTemplate.Spec.ImagePullSecrets, Affinity: cluster.Spec.PodTemplate.Spec.Affinity, NodeSelector: cluster.Spec.PodTemplate.Spec.NodeSelector, @@ -116,149 +157,24 @@ func CreateOrUpdateStatefulSet( func generateVolumes(cluster *etcdaenixiov1alpha1.EtcdCluster) []corev1.Volume { volumes := []corev1.Volume{} - var dataVolumeSource corev1.VolumeSource - - if cluster.Spec.Storage.EmptyDir != nil { - dataVolumeSource = corev1.VolumeSource{EmptyDir: cluster.Spec.Storage.EmptyDir} - } else { - dataVolumeSource = corev1.VolumeSource{ - PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ - ClaimName: GetPVCName(cluster), - }, - } - } - - dataVolumeIdx := slices.IndexFunc(cluster.Spec.PodTemplate.Spec.Volumes, func(volume corev1.Volume) bool { - return volume.Name == "data" - }) - if dataVolumeIdx == -1 { - dataVolumeIdx = len(cluster.Spec.PodTemplate.Spec.Volumes) - volumes = append( - volumes, - corev1.Volume{}, - ) - } - - volumes[dataVolumeIdx] = corev1.Volume{ - Name: "data", - VolumeSource: dataVolumeSource, - } - - if cluster.Spec.Security != nil && cluster.Spec.Security.TLS.PeerSecret != "" { - volumes = append(volumes, - []corev1.Volume{ - { - Name: "peer-trusted-ca-certificate", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: cluster.Spec.Security.TLS.PeerTrustedCASecret, - }, - }, - }, - { - Name: "peer-certificate", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: cluster.Spec.Security.TLS.PeerSecret, - }, - }, - }, - }...) - } - - if cluster.Spec.Security != nil && cluster.Spec.Security.TLS.ServerSecret != "" { - volumes = append(volumes, - []corev1.Volume{ - { - Name: "server-certificate", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: cluster.Spec.Security.TLS.ServerSecret, - }, - }, - }, - }...) - } + dataVolume := generateDataVolume(cluster) + volumes = append(volumes, dataVolume) - if cluster.Spec.Security != nil && cluster.Spec.Security.TLS.ClientSecret != "" { - volumes = append(volumes, - []corev1.Volume{ - { - Name: "client-trusted-ca-certificate", - VolumeSource: corev1.VolumeSource{ - Secret: &corev1.SecretVolumeSource{ - SecretName: cluster.Spec.Security.TLS.ClientTrustedCASecret, - }, - }, - }, - }...) + secretVolumes := generateSecretVolumes(cluster) + for _, volume := range secretVolumes { + volumes = append(volumes, volume) } return volumes - } -func generateVolumeMounts(cluster *etcdaenixiov1alpha1.EtcdCluster) []corev1.VolumeMount { - - volumeMounts := []corev1.VolumeMount{} - - for _, c := range cluster.Spec.PodTemplate.Spec.Containers { - if c.Name == etcdContainerName { - - volumeMounts = c.VolumeMounts - - mountIdx := slices.IndexFunc(volumeMounts, func(mount corev1.VolumeMount) bool { - return mount.Name == "data" - }) - if mountIdx == -1 { - volumeMounts = append(volumeMounts, corev1.VolumeMount{ - Name: "data", - ReadOnly: false, - MountPath: "/var/run/etcd", - }) - } else { - volumeMounts[mountIdx].ReadOnly = false - volumeMounts[mountIdx].MountPath = "/var/run/etcd" - } - } - - } - - if cluster.Spec.Security != nil && cluster.Spec.Security.TLS.PeerSecret != "" { - volumeMounts = append(volumeMounts, []corev1.VolumeMount{ - { - Name: "peer-trusted-ca-certificate", - ReadOnly: true, - MountPath: "/etc/etcd/pki/peer/ca", - }, - { - Name: "peer-certificate", - ReadOnly: true, - MountPath: "/etc/etcd/pki/peer/cert", - }, - }...) - } - - if cluster.Spec.Security != nil && cluster.Spec.Security.TLS.ServerSecret != "" { - volumeMounts = append(volumeMounts, []corev1.VolumeMount{ - { - Name: "server-certificate", - ReadOnly: true, - MountPath: "/etc/etcd/pki/server/cert", - }, - }...) - } - - if cluster.Spec.Security != nil && cluster.Spec.Security.TLS.ClientSecret != "" { - - volumeMounts = append(volumeMounts, []corev1.VolumeMount{ - { - Name: "client-trusted-ca-certificate", - ReadOnly: true, - MountPath: "/etc/etcd/pki/client/ca", - }, - }...) - } +func generateVolumeMounts( + cluster *etcdaenixiov1alpha1.EtcdCluster, + containerVolumeMounts []corev1.VolumeMount, +) []corev1.VolumeMount { + dataVolumeMount := updateOrAddEtcdDataVolumeMount(containerVolumeMounts) + tlsVolumeMounts := generateTLSSecretVolumeMounts(cluster) + volumeMounts := mergeVolumeMounts(tlsVolumeMounts, dataVolumeMount) return volumeMounts } @@ -270,64 +186,17 @@ func generateEtcdCommand() []string { } func generateEtcdArgs(cluster *etcdaenixiov1alpha1.EtcdCluster) []string { - args := []string{} + args := baseEtcdFlags() - for name, value := range cluster.Spec.Options { - flag := "--" + name - if len(value) == 0 { - args = append(args, flag) - - continue - } - - args = append(args, fmt.Sprintf("%s=%s", flag, value)) - } - - peerTlsSettings := []string{"--peer-auto-tls"} - - if cluster.Spec.Security != nil && cluster.Spec.Security.TLS.PeerSecret != "" { - peerTlsSettings = []string{ - "--peer-trusted-ca-file=/etc/etcd/pki/peer/ca/ca.crt", - "--peer-cert-file=/etc/etcd/pki/peer/cert/tls.crt", - "--peer-key-file=/etc/etcd/pki/peer/cert/tls.key", - "--peer-client-cert-auth", - } - } - - serverTlsSettings := []string{} - serverProtocol := "http" - - if cluster.Spec.Security != nil && cluster.Spec.Security.TLS.ServerSecret != "" { - serverTlsSettings = []string{ - "--cert-file=/etc/etcd/pki/server/cert/tls.crt", - "--key-file=/etc/etcd/pki/server/cert/tls.key", - } - serverProtocol = "https" - } - - clientTlsSettings := []string{} - - if cluster.Spec.Security != nil && cluster.Spec.Security.TLS.ClientSecret != "" { - clientTlsSettings = []string{ - "--trusted-ca-file=/etc/etcd/pki/client/ca/ca.crt", - "--client-cert-auth", - } + // Append TLS flags + args = append(args, etcdTLSFlags(cluster)...) + // Append URLs flags + args = append(args, etcdURLsFlags(cluster)...) + // Append extra flags + if cluster.Spec.Options != nil { + args = append(args, etcdExtraFlags(cluster.Spec.Options)...) } - args = append(args, []string{ - "--name=$(POD_NAME)", - "--listen-metrics-urls=http://0.0.0.0:2381", - "--listen-peer-urls=https://0.0.0.0:2380", - fmt.Sprintf("--listen-client-urls=%s://0.0.0.0:2379", serverProtocol), - fmt.Sprintf("--initial-advertise-peer-urls=https://$(POD_NAME).%s.$(POD_NAMESPACE).svc:2380", cluster.Name), - "--data-dir=/var/run/etcd/default.etcd", - fmt.Sprintf("--advertise-client-urls=%s://$(POD_NAME).%s.$(POD_NAMESPACE).svc:2379", serverProtocol, cluster.Name), - }...) - - args = append(args, peerTlsSettings...) - args = append(args, serverTlsSettings...) - args = append(args, clientTlsSettings...) - return args } @@ -362,7 +231,8 @@ func generateContainers(cluster *etcdaenixiov1alpha1.EtcdCluster) []corev1.Conta }) clusterStateConfigMapName := GetClusterStateConfigMapName(cluster) envIdx := slices.IndexFunc(c.EnvFrom, func(env corev1.EnvFromSource) bool { - return env.ConfigMapRef != nil && env.ConfigMapRef.LocalObjectReference.Name == clusterStateConfigMapName + return env.ConfigMapRef != nil && + env.ConfigMapRef.LocalObjectReference.Name == clusterStateConfigMapName }) if envIdx == -1 { c.EnvFrom = append(c.EnvFrom, corev1.EnvFromSource{ @@ -377,7 +247,7 @@ func generateContainers(cluster *etcdaenixiov1alpha1.EtcdCluster) []corev1.Conta c.LivenessProbe = getLivenessProbe(c.LivenessProbe) c.ReadinessProbe = getReadinessProbe(c.ReadinessProbe) c.Env = mergeEnvs(c.Env, podEnv) - c.VolumeMounts = generateVolumeMounts(cluster) + c.VolumeMounts = generateVolumeMounts(cluster, c.VolumeMounts) } containers = append(containers, c) @@ -482,3 +352,271 @@ func mergeWithDefaultProbe(probe *corev1.Probe, defaultProbe corev1.Probe) *core func hasProbeHandlerAction(probe corev1.Probe) bool { return probe.HTTPGet != nil || probe.TCPSocket != nil || probe.Exec != nil || probe.GRPC != nil } + +// Name returns the name of the certificate. +func (c certificate) Name() string { + return c.certName +} + +// MountPath returns the mount path associated with the certificate. +func (c certificate) MountPath() string { + return c.mountPath +} + +// CrtFilePath returns the file path of the certificate's CRT file. +func (c certificate) CrtFilePath() string { + return c.buildFilePath(c.crtFile) +} + +// KeyFilePath returns the file path of the certificate's key file, if available. +func (c certificate) KeyFilePath() string { + if c.keyFile == "" { + return "" + } + return c.buildFilePath(c.keyFile) +} + +// buildFilePath constructs the full file path using the certificate's mount path. +func (c certificate) buildFilePath(fileName string) string { + return filepath.Join(c.mountPath, fileName) +} + +// getCertificateConfig returns a certificate configuration object with the provided details. +func getCertificateConfig(name, mountPath, crtFile, keyFile string) certificate { + return certificate{ + certName: name, + mountPath: mountPath, + crtFile: crtFile, + keyFile: keyFile, + } +} + +// hasTLSConfigInSpec checks if a specific type of TLS secret is configured in the cluster specification. +func hasTLSConfigInSpec(cluster *etcdaenixiov1alpha1.EtcdCluster, secretType string) bool { + if cluster.Spec.Security == nil { + return false + } + + switch secretType { + case "PeerSecret": + return cluster.Spec.Security.TLS.PeerSecret != "" + case "ServerSecret": + return cluster.Spec.Security.TLS.ServerSecret != "" + case "ClientSecret": + return cluster.Spec.Security.TLS.ClientSecret != "" + default: + return false + } +} + +// baseEtcdFlags returns a list of base flags for configuring etcd. +func baseEtcdFlags() []string { + return []string{ + "--name=$(POD_NAME)", + "--listen-metrics-urls=http://0.0.0.0:2381", + "--listen-peer-urls=https://0.0.0.0:2380", + "--data-dir=" + etcdDataFullPath, + } +} + +// etcdTLSFlags generates TLS-related flags for etcd based on the cluster's TLS configuration. +func etcdTLSFlags(cluster *etcdaenixiov1alpha1.EtcdCluster) []string { + args := []string{} + + if hasTLSConfigInSpec(cluster, "PeerSecret") { + args = append(args, + "--peer-trusted-ca-file="+peerTrustedCACertificate.CrtFilePath(), + "--peer-cert-file="+peerCertificate.CrtFilePath(), + "--peer-key-file="+peerCertificate.KeyFilePath(), + "--peer-client-cert-auth", + ) + } else { + args = append(args, + "--peer-auto-tls", + ) + } + if hasTLSConfigInSpec(cluster, "ServerSecret") { + args = append(args, + "--cert-file="+serverCertificate.CrtFilePath(), + "--key-file="+serverCertificate.KeyFilePath(), + ) + } + if hasTLSConfigInSpec(cluster, "ClientSecret") { + args = append(args, + "--trusted-ca-file="+clientTrustedCACertificate.CrtFilePath(), + "--client-cert-auth", + ) + } + + return args +} + +// etcdURLsFlags generates URL-related flags for etcd depending on the TLS cluster configuration. +func etcdURLsFlags(cluster *etcdaenixiov1alpha1.EtcdCluster) []string { + args := []string{} + + clientProtocol := "http" + if hasTLSConfigInSpec(cluster, "ServerSecret") { + clientProtocol = "https" + } + + listenClientURL := fmt.Sprintf("%s://0.0.0.0:2379", clientProtocol) + advertiseClientURL := fmt.Sprintf("%s://$(POD_NAME).%s.$(POD_NAMESPACE).svc:2379", + clientProtocol, cluster.Name) + initialAdvertisePeerURL := fmt.Sprintf("https://$(POD_NAME).%s.$(POD_NAMESPACE).svc:2380", cluster.Name) + + args = append(args, "--listen-client-urls="+listenClientURL) + args = append(args, "--advertise-client-urls="+advertiseClientURL) + args = append(args, "--initial-advertise-peer-urls="+initialAdvertisePeerURL) + + return args +} + +// etcdExtraFlags generates additional flags for etcd based on the provided in spec options. +func etcdExtraFlags(options map[string]string) []string { + args := []string{} + + for name, value := range options { + flag := "--" + name + if len(value) == 0 { + args = append(args, flag) + } else { + args = append(args, fmt.Sprintf("%s=%s", flag, value)) + } + } + return args +} + +// generateSecretVolumes generates secret volumes based on TLS configuration in the etcd cluster spec. +func generateSecretVolumes(cluster *etcdaenixiov1alpha1.EtcdCluster) map[string]corev1.Volume { + volumesMap := make(map[string]corev1.Volume) + + addSecretVolume := func(name, secretName string) { + volumesMap[name] = createSecretVolume(name, secretName) + } + + if cluster.Spec.Security != nil { + if cluster.Spec.Security.TLS.PeerSecret != "" { + addSecretVolume(peerTrustedCACertificate.Name(), cluster.Spec.Security.TLS.PeerTrustedCASecret) + addSecretVolume(peerCertificate.Name(), cluster.Spec.Security.TLS.PeerSecret) + } + if cluster.Spec.Security.TLS.ServerSecret != "" { + addSecretVolume(serverCertificate.Name(), cluster.Spec.Security.TLS.ServerSecret) + } + if cluster.Spec.Security.TLS.ClientSecret != "" { + addSecretVolume(clientTrustedCACertificate.Name(), cluster.Spec.Security.TLS.ClientTrustedCASecret) + } + } + + return volumesMap +} + +// createSecretVolume return a volume object for a given secret. +func createSecretVolume(name, secretName string) corev1.Volume { + return corev1.Volume{ + Name: name, + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: secretName, + }, + }, + } +} + +// generateDataVolume generates the etcd data volume. +func generateDataVolume(cluster *etcdaenixiov1alpha1.EtcdCluster) corev1.Volume { + var dataVolumeSource corev1.VolumeSource + + if cluster.Spec.Storage.EmptyDir != nil { + dataVolumeSource = corev1.VolumeSource{EmptyDir: cluster.Spec.Storage.EmptyDir} + } else { + dataVolumeSource = corev1.VolumeSource{ + PersistentVolumeClaim: &corev1.PersistentVolumeClaimVolumeSource{ + ClaimName: GetPVCName(cluster), + }, + } + } + + return corev1.Volume{ + Name: etcdVolumeName, + VolumeSource: dataVolumeSource, + } +} + +// updateOrAddEtcdDataVolumeMount updates or adds the volume mount for etcd data volume. +func updateOrAddEtcdDataVolumeMount(volumeMounts []corev1.VolumeMount) []corev1.VolumeMount { + readOnly := false + + // Check if the volume mount with etcdVolumeName already exists + idx := slices.IndexFunc(volumeMounts, func(vm corev1.VolumeMount) bool { + return vm.Name == etcdVolumeName + }) + + if idx >= 0 { + // Volume mount with etcdVolumeName found, update it + volumeMounts[idx].ReadOnly = readOnly + volumeMounts[idx].MountPath = etcdDataMountPath + } else { + // Volume mount with etcdVolumeName not found, append new volume mount + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: etcdVolumeName, + ReadOnly: readOnly, + MountPath: etcdDataMountPath, + }) + } + + return volumeMounts +} + +// generateTLSSecretVolumeMounts generates volume mounts for TLS secrets. +func generateTLSSecretVolumeMounts(cluster *etcdaenixiov1alpha1.EtcdCluster) []corev1.VolumeMount { + volumeMounts := []corev1.VolumeMount{} + + if hasTLSConfigInSpec(cluster, "") { + return volumeMounts + } + + if hasTLSConfigInSpec(cluster, "PeerSecret") { + volumeMounts = append(volumeMounts, []corev1.VolumeMount{ + { + Name: peerTrustedCACertificate.Name(), + ReadOnly: true, + MountPath: peerTrustedCACertificate.MountPath(), + }, + { + Name: peerCertificate.Name(), + ReadOnly: true, + MountPath: peerCertificate.MountPath(), + }, + }...) + } + + if hasTLSConfigInSpec(cluster, "ServerSecret") { + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: serverCertificate.Name(), + ReadOnly: true, + MountPath: serverCertificate.MountPath(), + }) + } + + if hasTLSConfigInSpec(cluster, "ClientSecret") { + volumeMounts = append(volumeMounts, corev1.VolumeMount{ + Name: clientTrustedCACertificate.Name(), + ReadOnly: true, + MountPath: clientTrustedCACertificate.MountPath(), + }) + } + + return volumeMounts +} + +// mergeVolumeMounts merges multiple lists of volume mounts into a single list. +func mergeVolumeMounts(lists ...[]corev1.VolumeMount) []corev1.VolumeMount { + var volumeMounts []corev1.VolumeMount + + for _, list := range lists { + volumeMounts = append(volumeMounts, list...) + } + + return volumeMounts +} diff --git a/internal/controller/factory/statefulset_test.go b/internal/controller/factory/statefulset_test.go index 724692a8..ce28fa5d 100644 --- a/internal/controller/factory/statefulset_test.go +++ b/internal/controller/factory/statefulset_test.go @@ -687,7 +687,7 @@ var _ = Describe("CreateOrUpdateStatefulSet handler", func() { } } }) - It("should generate security volumes mounts", func() { + It("should generate security volumes mounts and cert args", func() { localCluster := etcdCluster.DeepCopy() localCluster.Spec.Security = &etcdaenixiov1alpha1.SecuritySpec{ TLS: etcdaenixiov1alpha1.TLSSpec{ @@ -700,6 +700,7 @@ var _ = Describe("CreateOrUpdateStatefulSet handler", func() { } containers := generateContainers(localCluster) + args := generateEtcdArgs(localCluster) Expect(containers[0].VolumeMounts).To(ContainElement(corev1.VolumeMount{ Name: "peer-trusted-ca-certificate", @@ -721,6 +722,39 @@ var _ = Describe("CreateOrUpdateStatefulSet handler", func() { MountPath: "/etc/etcd/pki/client/ca", ReadOnly: true, })) + + Expect(args).To(ContainElements([]string{ + "--name=$(POD_NAME)", + "--listen-metrics-urls=http://0.0.0.0:2381", + "--listen-peer-urls=https://0.0.0.0:2380", + "--data-dir=/var/run/etcd/default.etcd", + "--listen-client-urls=https://0.0.0.0:2379", + "--advertise-client-urls=https://$(POD_NAME).test-resource.$(POD_NAMESPACE).svc:2379", + "--initial-advertise-peer-urls=https://$(POD_NAME).test-resource.$(POD_NAMESPACE).svc:2380", + "--peer-trusted-ca-file=/etc/etcd/pki/peer/ca/ca.crt", + "--peer-cert-file=/etc/etcd/pki/peer/cert/tls.crt", + "--peer-key-file=/etc/etcd/pki/peer/cert/tls.key", + "--peer-client-cert-auth", + "--cert-file=/etc/etcd/pki/server/cert/tls.crt", + "--key-file=/etc/etcd/pki/server/cert/tls.key", + "--trusted-ca-file=/etc/etcd/pki/client/ca/ca.crt", + "--client-cert-auth", + })) + }) + It("should generate correct default args", func() { + localCluster := etcdCluster.DeepCopy() + args := generateEtcdArgs(localCluster) + + Expect(args).To(ContainElements([]string{ + "--name=$(POD_NAME)", + "--listen-metrics-urls=http://0.0.0.0:2381", + "--listen-peer-urls=https://0.0.0.0:2380", + "--data-dir=/var/run/etcd/default.etcd", + "--peer-auto-tls", + "--listen-client-urls=http://0.0.0.0:2379", + "--advertise-client-urls=http://$(POD_NAME).test-resource.$(POD_NAMESPACE).svc:2379", + "--initial-advertise-peer-urls=https://$(POD_NAME).test-resource.$(POD_NAMESPACE).svc:2380", + })) }) })