Add mssql ops apis for reconfigure tls (#1341)

* Add mssql ops apis for reconfigure tls Signed-off-by: Neaj Morshad <[email protected]> * Add cacerts schema Signed-off-by: Neaj Morshad <[email protected]> * Make clientTLS optional and ensure MSSQL_PID is set Signed-off-by: Neaj Morshad <[email protected]> * Add review changes Signed-off-by: Neaj Morshad <[email protected]> --------- Signed-off-by: Neaj Morshad <[email protected]>
kubedb · Nov 19, 2024 · 8cc8608 · 8cc8608
1 parent 2fa3548
commit 8cc8608
Show file tree

Hide file tree

Showing 32 changed files with 20,821 additions and 105 deletions.
diff --git a/apis/kubedb/constants.go b/apis/kubedb/constants.go
@@ -417,6 +417,7 @@ const (
 
 	// environment variables
 	EnvAcceptEula        = "ACCEPT_EULA"
+	EnvMSSQLPid          = "MSSQL_PID"
 	EnvMSSQLEnableHADR   = "MSSQL_ENABLE_HADR"
 	EnvMSSQLAgentEnabled = "MSSQL_AGENT_ENABLED"
 	EnvMSSQLSAUsername   = "MSSQL_SA_USERNAME"

diff --git a/apis/kubedb/v1alpha2/mssqlserver_helpers.go b/apis/kubedb/v1alpha2/mssqlserver_helpers.go
@@ -502,6 +502,11 @@ func (m *MSSQLServer) SetTLSDefaults() {
 		return
 	}
 
+	if m.Spec.TLS.ClientTLS == nil {
+		defaultValue := false
+		m.Spec.TLS.ClientTLS = &defaultValue
+	}
+
 	// Server-cert
 	defaultServerOrg := []string{kubedb.KubeDBOrganization}
 	defaultServerOrgUnit := []string{string(MSSQLServerServerCert)}

diff --git a/apis/kubedb/v1alpha2/mssqlserver_types.go b/apis/kubedb/v1alpha2/mssqlserver_types.go
@@ -104,7 +104,7 @@ type MSSQLServerSpec struct {
 	PodTemplate *ofst.PodTemplateSpec `json:"podTemplate,omitempty"`
 
 	// TLS contains tls configurations for client and server.
-	TLS *SQLServerTLSConfig `json:"tls,omitempty"`
+	TLS *MSSQLServerTLSConfig `json:"tls,omitempty"`
 
 	// ServiceTemplates is an optional configuration for services used to expose database
 	// +optional
@@ -132,9 +132,11 @@ type MSSQLServerSpec struct {
 	Archiver *Archiver `json:"archiver,omitempty"`
 }
 
-type SQLServerTLSConfig struct {
+type MSSQLServerTLSConfig struct {
 	kmapi.TLSConfig `json:",inline"`
-	ClientTLS       bool `json:"clientTLS"`
+
+	// +optional
+	ClientTLS *bool `json:"clientTLS"`
 }
 
 type MSSQLServerTopology struct {

diff --git a/apis/kubedb/v1alpha2/mssqlserver_webhook.go b/apis/kubedb/v1alpha2/mssqlserver_webhook.go
@@ -137,9 +137,11 @@ func (m *MSSQLServer) ValidateCreateOrUpdate() field.ErrorList {
 	if m.Spec.TLS == nil {
 		allErr = append(allErr, field.Invalid(field.NewPath("spec").Child("tls"),
 			m.Name, "spec.tls is missing"))
-	} else if m.Spec.TLS.IssuerRef == nil {
-		allErr = append(allErr, field.Invalid(field.NewPath("spec").Child("tls").Child("issuerRef"),
-			m.Name, "spec.tls.issuerRef' is missing"))
+	} else {
+		if m.Spec.TLS.IssuerRef == nil {
+			allErr = append(allErr, field.Invalid(field.NewPath("spec").Child("tls").Child("issuerRef"),
+				m.Name, "spec.tls.issuerRef' is missing"))
+		}
 	}
 
 	if m.Spec.PodTemplate != nil {
@@ -289,11 +291,18 @@ func getMSSQLServerContainerEnvs(m *MSSQLServer) []core.EnvVar {
 }
 
 func ValidateMSSQLServerEnvVar(envs []core.EnvVar, forbiddenEnvs []string, resourceType string) error {
+	presentMSSQL_PID := false
 	for _, env := range envs {
 		present, _ := arrays.Contains(forbiddenEnvs, env.Name)
 		if present {
 			return fmt.Errorf("environment variable %s is forbidden to use in %s spec", env.Name, resourceType)
 		}
+		if env.Name == "MSSQL_PID" {
+			presentMSSQL_PID = true
+		}
+	}
+	if !presentMSSQL_PID {
+		return fmt.Errorf("environment variable %s must be provided in %s spec", kubedb.EnvMSSQLPid, resourceType)
 	}
 	return nil
 }
diff --git a/apis/kubedb/v1alpha2/openapi_generated.go b/apis/kubedb/v1alpha2/openapi_generated.go
diff --git a/apis/kubedb/v1alpha2/zz_generated.deepcopy.go b/apis/kubedb/v1alpha2/zz_generated.deepcopy.go
diff --git a/apis/ops/v1alpha1/mssqlserver_ops_types.go b/apis/ops/v1alpha1/mssqlserver_ops_types.go
@@ -18,6 +18,8 @@ limitations under the License.
 package v1alpha1
 
 import (
+	dbapi "kubedb.dev/apimachinery/apis/kubedb/v1alpha2"
+
 	core "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -66,7 +68,7 @@ type MSSQLServerOpsRequestSpec struct {
 	// Specifies information necessary for custom configuration of MSSQLServer
 	Configuration *MSSQLServerCustomConfigurationSpec `json:"configuration,omitempty"`
 	// Specifies information necessary for configuring TLS
-	TLS *TLSSpec `json:"tls,omitempty"`
+	TLS *MSSQLServerTLSSpec `json:"tls,omitempty"`
 	// Specifies information necessary for configuring authSecret of the database
 	Authentication *AuthSpec `json:"authentication,omitempty"`
 	// Specifies information necessary for restarting database
@@ -119,6 +121,20 @@ type MSSQLServerCustomConfigurationSpec struct {
 	RemoveCustomConfig bool                       `json:"removeCustomConfig,omitempty"`
 }
 
+type MSSQLServerTLSSpec struct {
+	// SQLServerTLSSpec contains updated tls configurations for client and server.
+	// +optional
+	dbapi.MSSQLServerTLSConfig `json:",inline,omitempty"`
+
+	// RotateCertificates tells operator to initiate certificate rotation
+	// +optional
+	RotateCertificates bool `json:"rotateCertificates,omitempty"`
+
+	// Remove tells operator to remove TLS configuration
+	// +optional
+	Remove bool `json:"remove,omitempty"`
+}
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 // MSSQLServerOpsRequestList is a list of MSSQLServerOpsRequests

diff --git a/apis/ops/v1alpha1/openapi_generated.go b/apis/ops/v1alpha1/openapi_generated.go