
tmp without tls
mwangggg committed Aug 29, 2024
1 parent eb57ec8 commit f13ca56
Showing 7 changed files with 66 additions and 60 deletions.
Original file line number Diff line number Diff line change
@@ -35,7 +35,7 @@ metadata:
capabilities: Seamless Upgrades
categories: Monitoring, Developer Tools
containerImage: quay.io/cryostat/cryostat-operator:4.0.0-dev
createdAt: "2024-07-29T20:27:49Z"
createdAt: "2024-07-29T20:48:29Z"
description: JVM monitoring and profiling tool
operatorframework.io/initialization-resource: |-
{
8 changes: 4 additions & 4 deletions internal/controllers/certmanager.go
Original file line number Diff line number Diff line change
@@ -90,6 +90,7 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
return nil, err
}

/**
// Create a certificate for the Cryostat database signed by the Cryostat CA
databaseCert := resources.NewDatabaseCert(cr)
err = r.createOrUpdateCertificate(ctx, databaseCert, cr.Object)
@@ -102,15 +103,14 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
err = r.createOrUpdateCertificate(ctx, storageCert, cr.Object)
if err != nil {
return nil, err
}
}**/

tlsConfig := &resources.TLSConfig{
CryostatSecret: cryostatCert.Spec.SecretName,
ReportsSecret: reportsCert.Spec.SecretName,
DatabaseSecret: databaseCert.Spec.SecretName,
StorageSecret: storageCert.Spec.SecretName,
KeystorePassSecret: cryostatCert.Spec.Keystores.PKCS12.PasswordSecretRef.Name,
}
certificates := []*certv1.Certificate{caCert, cryostatCert, reportsCert, databaseCert, storageCert}
certificates := []*certv1.Certificate{caCert, cryostatCert, reportsCert}

// Update owner references of TLS secrets created by cert-manager to ensure proper cleanup
err = r.setCertSecretOwner(ctx, cr.Object, certificates...)
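Review bot: Disabling the database and storage certificate requests with a `/** … **/` block leaves `setupTLS` returning a `TLSConfig` with no database/storage secrets and an owner-reference list reduced to `caCert, cryostatCert, reportsCert`, yet nothing in the code records that this is a temporary downgrade. A marker such as `// TODO(tls): re-enable database/storage certificates before release` above the opening `/**` makes the gap visible to the next reader; deleting the code (git keeps it) or gating it on a flag is preferable to commenting it out, since Go block comments do not nest and any `/* … */` inside the disabled region would terminate the comment early. Whether the `DatabaseSecret: databaseCert.Spec.SecretName` / `StorageSecret: storageCert.Spec.SecretName` entries survive on the new side cannot be read off this rendering; the 4-deletion count suggests they were dropped, but if they remain they reference variables that are now inside the comment and the file will not build. `setupTLS` begins and ends outside these hunks.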
Original file line number Diff line number Diff line change
@@ -132,6 +132,7 @@ func NewReportsCert(cr *model.CryostatInstance) *certv1.Certificate {
}
}

/**
func NewDatabaseCert(cr *model.CryostatInstance) *certv1.Certificate {
return &certv1.Certificate{
ObjectMeta: metav1.ObjectMeta{
@@ -179,3 +180,4 @@ func NewStorageCert(cr *model.CryostatInstance) *certv1.Certificate {
},
}
}
**/
Original file line number Diff line number Diff line change
@@ -62,9 +62,9 @@ type TLSConfig struct {
// Name of the TLS secret for Reports Generator
ReportsSecret string
// Name of the TLS secret for Database
DatabaseSecret string
// DatabaseSecret string
// Name of the TLS secret for Storage
StorageSecret string
// StorageSecret string
// Name of the secret containing the password for the keystore in CryostatSecret
KeystorePassSecret string
// PEM-encoded X.509 certificate for the Cryostat CA
@@ -618,6 +618,7 @@ func NewPodForDatabase(cr *model.CryostatInstance, imageTags *ImageTags, tls *TL
container := []corev1.Container{NewDatabaseContainer(cr, imageTags.DatabaseImageTag, tls)}

volumes := newVolumeForDatabse(cr)
/**
if tls != nil {
secretVolume := corev1.Volume{
Name: "database-tls-secret",
@@ -628,7 +629,7 @@ func NewPodForDatabase(cr *model.CryostatInstance, imageTags *ImageTags, tls *TL
},
}
volumes = append(volumes, secretVolume)
}
}**/

var podSc *corev1.PodSecurityContext
if cr.Spec.SecurityOptions != nil && cr.Spec.SecurityOptions.PodSecurityContext != nil {
@@ -674,6 +675,7 @@ func NewPodForStorage(cr *model.CryostatInstance, imageTags *ImageTags, tls *TLS
container := []corev1.Container{NewStorageContainer(cr, imageTags.StorageImageTag, tls)}

volumes := newVolumeForStorage(cr)
/**
if tls != nil {
secretVolume := corev1.Volume{
Name: "storage-tls-secret",
@@ -684,7 +686,7 @@ func NewPodForStorage(cr *model.CryostatInstance, imageTags *ImageTags, tls *TLS
},
}
volumes = append(volumes, secretVolume)
}
}**/

var podSc *corev1.PodSecurityContext
if cr.Spec.SecurityOptions != nil && cr.Spec.SecurityOptions.PodSecurityContext != nil {
@@ -1213,15 +1215,15 @@ func NewCoreContainer(cr *model.CryostatInstance, specs *ServiceSpecs, imageTag
},
{
Name: "QUARKUS_DATASOURCE_JDBC_URL",
Value: "jdbc:postgresql://localhost:5432/cryostat",
Value: fmt.Sprintf("jdbc:postgresql://%s-database:5432/cryostat", cr.Name),
},
{
Name: "STORAGE_BUCKETS_ARCHIVE_NAME",
Value: "archivedrecordings",
},
{
Name: "QUARKUS_S3_ENDPOINT_OVERRIDE",
Value: "http://localhost:8333",
Value: fmt.Sprintf("http://%s-storage:8333", cr.Name),
},
{
Name: "QUARKUS_S3_PATH_STYLE_ACCESS",
@@ -1607,24 +1609,21 @@ func NewStorageContainer(cr *model.CryostatInstance, imageTag string, tls *TLSCo
})

livenessProbeScheme := corev1.URISchemeHTTP
/**
if tls != nil {
tlsEnvs := []corev1.EnvVar{
{
Name: "QUARKUS_HTTP_SSL_PORT",
Name: "S3_PORT_HTTPS",
Value: strconv.Itoa(int(constants.StorageContainerPort)),
},
{
Name: "QUARKUS_HTTP_SSL_CERTIFICATE_KEY_FILES",
Name: "S3_KEY_FILE",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s/%s", tls.StorageSecret, corev1.TLSPrivateKeyKey),
},
{
Name: "QUARKUS_HTTP_SSL_CERTIFICATE_FILES",
Name: "S3_CERT_FILE",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s/%s", tls.StorageSecret, corev1.TLSCertKey),
},
{
Name: "QUARKUS_HTTP_INSECURE_REQUESTS",
Value: "disabled",
},
}
tlsSecretMount := corev1.VolumeMount{
@@ -1641,7 +1640,7 @@ func NewStorageContainer(cr *model.CryostatInstance, imageTag string, tls *TLSCo
Name: "QUARKUS_HTTP_PORT",
Value: strconv.Itoa(int(constants.StorageContainerPort)),
})
}
}**/

if cr.Spec.SecurityOptions != nil && cr.Spec.SecurityOptions.StorageSecurityContext != nil {
containerSc = cr.Spec.SecurityOptions.StorageSecurityContext
@@ -1757,26 +1756,26 @@ func NewDatabaseContainer(cr *model.CryostatInstance, imageTag string, tls *TLSC
},
}

/**
if tls != nil {
tlsEnvs := []corev1.EnvVar{
{
Name: "QUARKUS_HTTP_SSL_PORT",
Value: strconv.Itoa(int(constants.DatabaseContainerPort)),
Name: "QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL",
Value: "true",
},
{
Name: "QUARKUS_HTTP_SSL_CERTIFICATE_KEY_FILES",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s/%s", tls.DatabaseSecret, corev1.TLSPrivateKeyKey),
Name: "QUARKUS_DATASOURCE_REACTIVE_KEY_CERTIFICATE_PEM_KEYS",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls/tls.key", cr.Name),
},
{
Name: "QUARKUS_HTTP_SSL_CERTIFICATE_FILES",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s/%s", tls.DatabaseSecret, corev1.TLSCertKey),
Name: "QUARKUS_DATASOURCE_REACTIVE_KEY_CERTIFICATE_PEM_CERTS",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls/tls.crt", cr.Name),
},
{
Name: "QUARKUS_HTTP_INSECURE_REQUESTS",
Value: "disabled",
Name: "QUARKUS_DATASOURCE_REACTIVE_URL",
Value: fmt.Sprintf("https://%s-database:5432", cr.Name),
},
}

tlsSecretMount := corev1.VolumeMount{
Name: "database-tls-secret",
MountPath: "/var/run/secrets/operator.cryostat.io/" + tls.DatabaseSecret,
@@ -1787,10 +1786,10 @@ func NewDatabaseContainer(cr *model.CryostatInstance, imageTag string, tls *TLSC
mounts = append(mounts, tlsSecretMount)
} else {
envs = append(envs, corev1.EnvVar{
Name: "QUARKUS_HTTP_PORT",
Value: strconv.Itoa(int(constants.DatabaseContainerPort)),
Name: "QUARKUS_DATASOURCE_REACTIVE_URL",
Value: fmt.Sprintf("http://%s-database:5432", cr.Name),
})
}
}**/

return corev1.Container{
Name: cr.Name + "-db",
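Review bot: `NewCoreContainer` now points the core at `jdbc:postgresql://<name>-database:5432/cryostat` and `http://<name>-storage:8333` instead of `localhost`, so database credentials, query traffic and the archived recordings leave the pod and cross the cluster network, and with the TLS volumes and env blocks commented out neither hop has transport protection (the JDBC URL also carries no `sslmode`, so the driver is not required to use or verify TLS even if the database offered it). That is tolerable for a commit titled "tmp without tls" only if it cannot reach a release; a `// TODO(tls): plaintext cross-pod hop, restore TLS before release` beside both URLs keeps the exposure visible. When the database block is re-enabled, note that it sets `QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL=true`, which disables certificate verification and would defeat the CA-signed certificates cert-manager issues; point the trust store at the Cryostat CA instead. The `QUARKUS_DATASOURCE_REACTIVE_*` variables are client-side datasource settings, so placing them in `NewDatabaseContainer` (the PostgreSQL pod) looks misplaced — confirm which component is meant to consume them. The enclosing functions begin and end outside these hunks.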
2 changes: 1 addition & 1 deletion internal/controllers/reconciler_test.go
Original file line number Diff line number Diff line change
@@ -2289,7 +2289,7 @@ func (t *cryostatTestInput) expectWaitingForCertificate() {

func (t *cryostatTestInput) expectCertificates() {
// Check certificates
certs := []*certv1.Certificate{t.NewCryostatCert(), t.NewCACert(), t.NewReportsCert(), t.NewDatabaseCert(), t.NewStorageCert()}
certs := []*certv1.Certificate{t.NewCryostatCert(), t.NewCACert(), t.NewReportsCert()}
for _, expected := range certs {
actual := &certv1.Certificate{}
err := t.Client.Get(context.Background(), types.NamespacedName{Name: expected.Name, Namespace: expected.Namespace}, actual)
2 changes: 1 addition & 1 deletion internal/test/clients.go
Original file line number Diff line number Diff line change
@@ -70,7 +70,7 @@ func (c *testClient) makeCertificatesReady(ctx context.Context, obj runtime.Obje
// If this object is one of the operator-managed certificates, mock the behaviour
// of cert-manager processing those certificates
cert, ok := obj.(*certv1.Certificate)
if ok && c.matchesName(cert, c.NewCryostatCert(), c.NewCACert(), c.NewReportsCert(), c.NewDatabaseCert(), c.NewStorageCert()) &&
if ok && c.matchesName(cert, c.NewCryostatCert(), c.NewCACert(), c.NewReportsCert()) &&
len(cert.Status.Conditions) == 0 {
// Create certificate secret
c.createCertSecret(ctx, cert)
59 changes: 32 additions & 27 deletions internal/test/resources.go
Original file line number Diff line number Diff line change
@@ -1066,6 +1066,7 @@ func (r *TestResources) NewReportsCert() *certv1.Certificate {
}
}

/**
func (r *TestResources) NewDatabaseCert() *certv1.Certificate {
return &certv1.Certificate{
ObjectMeta: metav1.ObjectMeta{
@@ -1116,7 +1117,7 @@ func (r *TestResources) NewStorageCert() *certv1.Certificate {
},
},
}
}
}**/

func (r *TestResources) NewCACert() *certv1.Certificate {
return &certv1.Certificate{
@@ -1388,15 +1389,15 @@ func (r *TestResources) NewCoreEnvironmentVariables(reportsUrl string, databaseU
},
{
Name: "QUARKUS_DATASOURCE_JDBC_URL",
Value: "jdbc:postgresql://localhost:5432/cryostat",
Value: fmt.Sprintf("jdbc:postgresql://%s-database:5432/cryostat", r.Name),
},
{
Name: "STORAGE_BUCKETS_ARCHIVE_NAME",
Value: "archivedrecordings",
},
{
Name: "QUARKUS_S3_ENDPOINT_OVERRIDE",
Value: "http://localhost:8333",
Value: fmt.Sprintf("http://%s-storage:8333", r.Name),
},
{
Name: "QUARKUS_S3_PATH_STYLE_ACCESS",
@@ -1654,26 +1655,24 @@ func (r *TestResources) NewStorageEnvironmentVariables() []corev1.EnvVar {
},
},
}
/**
if r.TLS {
envs = append(envs, corev1.EnvVar{
Name: "QUARKUS_HTTP_SSL_PORT",
Name: "S3_PORT_HTTPS",
Value: "8333",
}, corev1.EnvVar{
Name: "QUARKUS_HTTP_SSL_CERTIFICATE_KEY_FILES",
Name: "S3_KEY_FILE",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-storage-tls/tls.key", r.Name),
}, corev1.EnvVar{
Name: "QUARKUS_HTTP_SSL_CERTIFICATE_FILES",
Name: "S3_CERT_FILE",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-storage-tls/tls.crt", r.Name),
}, corev1.EnvVar{
Name: "QUARKUS_HTTP_INSECURE_REQUESTS",
Value: "disabled",
})
} else {
envs = append(envs, corev1.EnvVar{
Name: "QUARKUS_HTTP_PORT",
Value: "8333",
})
}
}**/
return envs
}

@@ -1717,26 +1716,27 @@ func (r *TestResources) NewDatabaseEnvironmentVariables(dbSecretProvided bool) [
},
},
}
/**
if r.TLS {
envs = append(envs, corev1.EnvVar{
Name: "QUARKUS_HTTP_SSL_PORT",
Value: "5432",
Name: "QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL",
Value: "true",
}, corev1.EnvVar{
Name: "QUARKUS_HTTP_SSL_CERTIFICATE_KEY_FILES",
Name: "QUARKUS_DATASOURCE_REACTIVE_KEY_CERTIFICATE_PEM_KEYS",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls/tls.key", r.Name),
}, corev1.EnvVar{
Name: "QUARKUS_HTTP_SSL_CERTIFICATE_FILES",
Name: "QUARKUS_DATASOURCE_REACTIVE_KEY_CERTIFICATE_PEM_CERTS",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls/tls.crt", r.Name),
}, corev1.EnvVar{
Name: "QUARKUS_HTTP_INSECURE_REQUESTS",
Value: "disabled",
Name: "QUARKUS_DATASOURCE_REACTIVE_URL",
Value: fmt.Sprintf("https://%s-database:5432", r.Name),
})
} else {
envs = append(envs, corev1.EnvVar{
Name: "QUARKUS_HTTP_PORT",
Value: "5432",
Name: "QUARKUS_DATASOURCE_REACTIVE_URL",
Value: fmt.Sprintf("http://%s-database:5432", r.Name),
})
}
}**/
return envs
}

@@ -1976,14 +1976,15 @@ func (r *TestResources) NewStorageVolumeMounts() []corev1.VolumeMount {
MountPath: "/data",
SubPath: "seaweed",
})
/**
if r.TLS {
mounts = append(mounts,
corev1.VolumeMount{
Name: "storage-tls-secret",
MountPath: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-storage-tls", r.Name),
ReadOnly: true,
})
}
}**/
return mounts
}

@@ -1995,14 +1996,15 @@ func (r *TestResources) NewDatabaseVolumeMounts() []corev1.VolumeMount {
MountPath: "/data",
SubPath: "postgres",
})
/**
if r.TLS {
mounts = append(mounts,
corev1.VolumeMount{
Name: "database-tls-secret",
MountPath: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls", r.Name),
ReadOnly: true,
})
}
}**/
return mounts
}

@@ -2127,10 +2129,11 @@ func (r *TestResources) NewDatasourceLivenessProbe() *corev1.Probe {
}

func (r *TestResources) NewStorageLivenessProbe() *corev1.Probe {
protocol := corev1.URISchemeHTTPS
if !r.TLS {
protocol = corev1.URISchemeHTTP
}
protocol := corev1.URISchemeHTTP
/**
if r.TLS {
protocol = corev1.URISchemeHTTPS
}**/
return &corev1.Probe{
ProbeHandler: corev1.ProbeHandler{
HTTPGet: &corev1.HTTPGetAction{
@@ -2496,6 +2499,7 @@ func (r *TestResources) NewDatabaseVolumes() []corev1.Volume {
},
}

/**
if r.TLS {
volumes = append(volumes, corev1.Volume{
Name: "database-tls-secret",
@@ -2505,7 +2509,7 @@ func (r *TestResources) NewDatabaseVolumes() []corev1.Volume {
},
},
})
}
} **/
return volumes
}

@@ -2522,6 +2526,7 @@ func (r *TestResources) NewStorageVolumes() []corev1.Volume {
},
}

/**
if r.TLS {
volumes = append(volumes, corev1.Volume{
Name: "storage-tls-secret",
@@ -2531,7 +2536,7 @@ func (r *TestResources) NewStorageVolumes() []corev1.Volume {
},
},
})
}
}**/
return volumes
}
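Review bot: With both the `if r.TLS` and `else` branches commented out in `NewStorageEnvironmentVariables`, `NewDatabaseEnvironmentVariables`, the volume and mount builders and `NewStorageLivenessProbe`, the `TLS` flag on `TestResources` no longer changes the expected database or storage pod specs, so the TLS-enabled test variants pass without asserting anything about those containers' transport configuration. That mirrors the controller change, but it also means a faulty re-enablement would not be caught here; a `// TODO(tls): restore database/storage TLS expectations with the controller change` at each disabled block keeps the gap tracked, and deleting rather than commenting out avoids the non-nesting `/* … */` hazard. The enclosing functions start outside the hunks.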
