From e10983c095df413b9f34d96e2b7b8d3d79506001 Mon Sep 17 00:00:00 2001
From: Neaj Morshad
Date: Fri, 31 May 2024 15:15:11 +0600
Subject: [PATCH 1/4] Set TLS Defaults
Signed-off-by: Neaj Morshad
---
 apis/kubedb/v1alpha2/mssqlserver_helpers.go | 67 ++++++++++++++++++---
 1 file changed, 59 insertions(+), 8 deletions(-)
diff --git a/apis/kubedb/v1alpha2/mssqlserver_helpers.go b/apis/kubedb/v1alpha2/mssqlserver_helpers.go
index 1d4a6eb61d..6758d83a02 100644
--- a/apis/kubedb/v1alpha2/mssqlserver_helpers.go
+++ b/apis/kubedb/v1alpha2/mssqlserver_helpers.go
@@ -247,24 +247,24 @@ func (m *MSSQLServer) EndpointCertSecretName() string {
 }
 
 // CertificateName returns the default certificate name and/or certificate secret name for a certificate alias
-func (s *MSSQLServer) CertificateName(alias MSSQLServerCertificateAlias) string {
-	return metautil.NameWithSuffix(s.Name, fmt.Sprintf("%s-cert", string(alias)))
+func (m *MSSQLServer) CertificateName(alias MSSQLServerCertificateAlias) string {
+	return metautil.NameWithSuffix(m.Name, fmt.Sprintf("%s-cert", string(alias)))
 }
 
-func (s *MSSQLServer) SecretName(alias MSSQLServerCertificateAlias) string {
-	return metautil.NameWithSuffix(s.Name, string(alias))
+func (m *MSSQLServer) SecretName(alias MSSQLServerCertificateAlias) string {
+	return metautil.NameWithSuffix(m.Name, string(alias))
 }
 
 // GetCertSecretName returns the secret name for a certificate alias if any
 // otherwise returns default certificate secret name for the given alias.
-func (s *MSSQLServer) GetCertSecretName(alias MSSQLServerCertificateAlias) string {
-	if s.Spec.TLS != nil {
-		name, ok := kmapi.GetCertificateSecretName(s.Spec.TLS.Certificates, string(alias))
+func (m *MSSQLServer) GetCertSecretName(alias MSSQLServerCertificateAlias) string {
+	if m.Spec.TLS != nil {
+		name, ok := kmapi.GetCertificateSecretName(m.Spec.TLS.Certificates, string(alias))
 		if ok {
 			return name
 		}
 	}
-	return s.CertificateName(alias)
+	return m.CertificateName(alias)
 }
 
 func (m *MSSQLServer) GetNameSpacedName() string {
@@ -330,6 +330,8 @@ func (m *MSSQLServer) SetDefaults() {
 
 	m.setDefaultContainerSecurityContext(&mssqlVersion, m.Spec.PodTemplate)
 
+	m.SetTLSDefaults()
+
 	m.SetHealthCheckerDefaults()
 
 	m.setDefaultContainerResourceLimits(m.Spec.PodTemplate)
@@ -436,6 +438,55 @@ func (m *MSSQLServer) setDefaultContainerResourceLimits(podTemplate *ofst.PodTem
 	}
 }
 
+func (m *MSSQLServer) SetTLSDefaults() {
+	if m.Spec.TLS == nil || m.Spec.TLS.IssuerRef == nil {
+		return
+	}
+
+	// Server-cert
+	defaultServerOrg := []string{KubeDBOrganization}
+	defaultServerOrgUnit := []string{string(MSSQLServerServerCert)}
+	_, cert := kmapi.GetCertificate(m.Spec.TLS.Certificates, string(MSSQLServerServerCert))
+	if cert != nil && cert.Subject != nil {
+		if cert.Subject.Organizations != nil {
+			defaultServerOrg = cert.Subject.Organizations
+		}
+		if cert.Subject.OrganizationalUnits != nil {
+			defaultServerOrgUnit = cert.Subject.OrganizationalUnits
+		}
+	}
+
+	m.Spec.TLS.Certificates = kmapi.SetMissingSpecForCertificate(m.Spec.TLS.Certificates, kmapi.CertificateSpec{
+		Alias:      string(MSSQLServerServerCert),
+		SecretName: m.GetCertSecretName(MSSQLServerServerCert),
+		Subject: &kmapi.X509Subject{
+			Organizations:       defaultServerOrg,
+			OrganizationalUnits: defaultServerOrgUnit,
+		},
+	})
+
+	// Client-cert
+	defaultClientOrg := []string{KubeDBOrganization}
+	defaultClientOrgUnit := []string{string(MSSQLServerClientCert)}
+	_, cert = kmapi.GetCertificate(m.Spec.TLS.Certificates, string(MSSQLServerClientCert))
+	if cert != nil && cert.Subject != nil {
+		if cert.Subject.Organizations != nil {
+			defaultClientOrg = cert.Subject.Organizations
+		}
+		if cert.Subject.OrganizationalUnits != nil {
+			defaultClientOrgUnit = cert.Subject.OrganizationalUnits
+		}
+	}
+	m.Spec.TLS.Certificates = kmapi.SetMissingSpecForCertificate(m.Spec.TLS.Certificates, kmapi.CertificateSpec{
+		Alias:      string(MSSQLServerClientCert),
+		SecretName: m.GetCertSecretName(MSSQLServerClientCert),
+		Subject: &kmapi.X509Subject{
+			Organizations:       defaultClientOrg,
+			OrganizationalUnits: defaultClientOrgUnit,
+		},
+	})
+}
+
 func (m *MSSQLServer) ReplicasAreReady(lister pslister.PetSetLister) (bool, string, error) {
 	// Desire number of petSets
 	expectedItems := 1
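Review bot: The server-cert and client-cert blocks of the new SetTLSDefaults are the same fourteen lines with the alias swapped, and the exported method has no doc comment; extracting the per-alias defaulting into a helper keyed by MSSQLServerCertificateAlias removes the duplication and would also serve the endpoint certificate that PATCH 2/4 (the hunk at @@ -487,6 +489,34 @@) defaults with a third copy of the same code. One behavioural detail worth deciding explicitly: the `cert.Subject.Organizations != nil` test treats an explicitly empty `organizations: []` as user-supplied, so such a certificate is issued with no O at all instead of the KubeDB default — if that is not intended, `len(cert.Subject.Organizations) > 0` restores the default. The helper below keeps the current nil-based semantics and the same SetMissingSpecForCertificate calls; only the doc comment and structure change.
```go
// SetTLSDefaults fills in the default subject and secret name for the
// server and client certificates when spec.tls has an issuerRef; values the
// user already set for an alias are kept.
func (m *MSSQLServer) SetTLSDefaults() {
	if m.Spec.TLS == nil || m.Spec.TLS.IssuerRef == nil {
		return
	}
	for _, alias := range []MSSQLServerCertificateAlias{MSSQLServerServerCert, MSSQLServerClientCert} {
		m.Spec.TLS.Certificates = kmapi.SetMissingSpecForCertificate(m.Spec.TLS.Certificates,
			m.defaultCertificateSpec(m.Spec.TLS.Certificates, alias))
	}
}

// defaultCertificateSpec builds the CertificateSpec for alias, keeping any
// Organizations / OrganizationalUnits already present on that alias in certs.
func (m *MSSQLServer) defaultCertificateSpec(certs []kmapi.CertificateSpec, alias MSSQLServerCertificateAlias) kmapi.CertificateSpec {
	org := []string{KubeDBOrganization}
	orgUnit := []string{string(alias)}
	if _, cert := kmapi.GetCertificate(certs, string(alias)); cert != nil && cert.Subject != nil {
		if cert.Subject.Organizations != nil {
			org = cert.Subject.Organizations
		}
		if cert.Subject.OrganizationalUnits != nil {
			orgUnit = cert.Subject.OrganizationalUnits
		}
	}
	return kmapi.CertificateSpec{
		Alias:      string(alias),
		SecretName: m.GetCertSecretName(alias),
		Subject: &kmapi.X509Subject{
			Organizations:       org,
			OrganizationalUnits: orgUnit,
		},
	}
}
```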
From fe8b60751be677102e91f58dda140e38d02a9afc Mon Sep 17 00:00:00 2001
From: Neaj Morshad
Date: Fri, 31 May 2024 15:53:32 +0600
Subject: [PATCH 2/4] Set TLS Defaults for Internal Auth
Signed-off-by: Neaj Morshad
---
 apis/kubedb/v1alpha2/mssqlserver_helpers.go | 30 +++++++++++++++++++++
 apis/kubedb/v1alpha2/mssqlserver_types.go | 6 ++---
 2 files changed, 33 insertions(+), 3 deletions(-)
diff --git a/apis/kubedb/v1alpha2/mssqlserver_helpers.go b/apis/kubedb/v1alpha2/mssqlserver_helpers.go
index 6758d83a02..a1050b901e 100644
--- a/apis/kubedb/v1alpha2/mssqlserver_helpers.go
+++ b/apis/kubedb/v1alpha2/mssqlserver_helpers.go
@@ -439,6 +439,8 @@ func (m *MSSQLServer) setDefaultContainerResourceLimits(podTemplate *ofst.PodTem
 }
 
 func (m *MSSQLServer) SetTLSDefaults() {
+	m.SetTLSDefaultsForInternalAuth()
+
 	if m.Spec.TLS == nil || m.Spec.TLS.IssuerRef == nil {
 		return
 	}
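Review bot: `m.SetTLSDefaultsForInternalAuth()` is placed inside SetTLSDefaults, ahead of the `m.Spec.TLS == nil` guard, which makes a method named for spec.tls responsible for defaulting the separate spec.internalAuth.endpointCert configuration. Calling it from SetDefaults, directly after the `m.SetTLSDefaults()` line added in PATCH 1/4 (hunk @@ -330,6 +330,8 @@), keeps each method scoped to one TLS block and lists the call where the other defaults are visible: `m.SetTLSDefaults()` followed by `m.SetTLSDefaultsForInternalAuth()`. The body of SetTLSDefaults continues outside this hunk.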
@@ -487,6 +489,34 @@ func (m *MSSQLServer) SetTLSDefaults() {
 	})
 }
 
+func (m *MSSQLServer) SetTLSDefaultsForInternalAuth() {
+	if m.Spec.InternalAuth == nil || m.Spec.InternalAuth.EndpointCert == nil || m.Spec.InternalAuth.EndpointCert.IssuerRef == nil {
+		return
+	}
+
+	// Endpoint-cert
+	defaultServerOrg := []string{KubeDBOrganization}
+	defaultServerOrgUnit := []string{string(MSSQLServerEndpointCert)}
+	_, cert := kmapi.GetCertificate(m.Spec.TLS.Certificates, string(MSSQLServerEndpointCert))
+	if cert != nil && cert.Subject != nil {
+		if cert.Subject.Organizations != nil {
+			defaultServerOrg = cert.Subject.Organizations
+		}
+		if cert.Subject.OrganizationalUnits != nil {
+			defaultServerOrgUnit = cert.Subject.OrganizationalUnits
+		}
+	}
+
+	m.Spec.TLS.Certificates = kmapi.SetMissingSpecForCertificate(m.Spec.TLS.Certificates, kmapi.CertificateSpec{
+		Alias:      string(MSSQLServerEndpointCert),
+		SecretName: m.GetCertSecretName(MSSQLServerEndpointCert),
+		Subject: &kmapi.X509Subject{
+			Organizations:       defaultServerOrg,
+			OrganizationalUnits: defaultServerOrgUnit,
+		},
+	})
+}
+
 func (m *MSSQLServer) ReplicasAreReady(lister pslister.PetSetLister) (bool, string, error) {
 	// Desire number of petSets
 	expectedItems := 1
diff --git a/apis/kubedb/v1alpha2/mssqlserver_types.go b/apis/kubedb/v1alpha2/mssqlserver_types.go
index 6829f21730..794b8524da 100644
--- a/apis/kubedb/v1alpha2/mssqlserver_types.go
+++ b/apis/kubedb/v1alpha2/mssqlserver_types.go
@@ -42,9 +42,9 @@ const (
 type MSSQLServerCertificateAlias string
 
 const (
-	MSSQLServerServerCert MSSQLServerCertificateAlias = "server"
-	MSSQLServerClientCert MSSQLServerCertificateAlias = "client"
-	MSSQLServerEndpoint   MSSQLServerCertificateAlias = "endpoint"
+	MSSQLServerServerCert   MSSQLServerCertificateAlias = "server"
+	MSSQLServerClientCert   MSSQLServerCertificateAlias = "client"
+	MSSQLServerEndpointCert MSSQLServerCertificateAlias = "endpoint"
 )
 
 // MSSQLServer defines a MSSQLServer database.
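Review bot: `SecretName: m.GetCertSecretName(MSSQLServerEndpointCert)` in the new SetTLSDefaultsForInternalAuth resolves the secret name from `m.Spec.TLS.Certificates` (GetCertSecretName, PATCH 1/4), not from the spec.internalAuth.endpointCert.certificates list this method is meant to default, so a secretName declared under internalAuth does not influence the computed default while an "endpoint" entry under spec.tls.certificates would. The `EndpointCertSecretName()` accessor whose signature appears in the first hunk header of PATCH 1/4 looks like the intended lookup — confirm and use it, or look the alias up in the internalAuth list. This line survives unchanged in PATCH 3/4 (hunk @@ -507,7 +507,7 @@), which only redirects the `GetCertificate` and `SetMissingSpecForCertificate` calls away from `m.Spec.TLS` — the reads of `m.Spec.TLS.Certificates` here would dereference a nil spec.tls, since the guard above only checks spec.internalAuth. The exported method also lacks a doc comment; suggest `// SetTLSDefaultsForInternalAuth fills in the default subject and secret name for the internal-auth endpoint certificate when spec.internalAuth.endpointCert has an issuerRef.`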
From 78ad8b8475ff19a5909fd9ac5c5e9e91a4857e2d Mon Sep 17 00:00:00 2001
From: Neaj Morshad
Date: Fri, 31 May 2024 16:18:51 +0600
Subject: [PATCH 3/4] Fix
Signed-off-by: Neaj Morshad
---
 apis/kubedb/v1alpha2/mssqlserver_helpers.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/apis/kubedb/v1alpha2/mssqlserver_helpers.go b/apis/kubedb/v1alpha2/mssqlserver_helpers.go
index a1050b901e..2a1a6cd222 100644
--- a/apis/kubedb/v1alpha2/mssqlserver_helpers.go
+++ b/apis/kubedb/v1alpha2/mssqlserver_helpers.go
@@ -497,7 +497,7 @@ func (m *MSSQLServer) SetTLSDefaultsForInternalAuth() {
 	// Endpoint-cert
 	defaultServerOrg := []string{KubeDBOrganization}
 	defaultServerOrgUnit := []string{string(MSSQLServerEndpointCert)}
-	_, cert := kmapi.GetCertificate(m.Spec.TLS.Certificates, string(MSSQLServerEndpointCert))
+	_, cert := kmapi.GetCertificate(m.Spec.InternalAuth.EndpointCert.Certificates, string(MSSQLServerEndpointCert))
 	if cert != nil && cert.Subject != nil {
 		if cert.Subject.Organizations != nil {
 			defaultServerOrg = cert.Subject.Organizations
@@ -507,7 +507,7 @@ func (m *MSSQLServer) SetTLSDefaultsForInternalAuth() {
 		}
 	}
 
-	m.Spec.TLS.Certificates = kmapi.SetMissingSpecForCertificate(m.Spec.TLS.Certificates, kmapi.CertificateSpec{
+	m.Spec.InternalAuth.EndpointCert.Certificates = kmapi.SetMissingSpecForCertificate(m.Spec.InternalAuth.EndpointCert.Certificates, kmapi.CertificateSpec{
 		Alias:      string(MSSQLServerEndpointCert),
 		SecretName: m.GetCertSecretName(MSSQLServerEndpointCert),
 		Subject: &kmapi.X509Subject{
From 0a980aa42d5d00e8a5fe89eaccdc581f3d268ad3 Mon Sep 17 00:00:00 2001
From: Neaj Morshad
Date: Fri, 31 May 2024 18:39:03 +0600
Subject: [PATCH 4/4] Remove
Signed-off-by: Neaj Morshad
---
 apis/kubedb/v1alpha2/mssqlserver_webhook.go | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/apis/kubedb/v1alpha2/mssqlserver_webhook.go b/apis/kubedb/v1alpha2/mssqlserver_webhook.go
index cf225afa4d..e535b62223 100644
--- a/apis/kubedb/v1alpha2/mssqlserver_webhook.go
+++ b/apis/kubedb/v1alpha2/mssqlserver_webhook.go
@@ -132,11 +132,11 @@ func (m *MSSQLServer) ValidateCreateOrUpdate() field.ErrorList {
 
 	if m.Spec.InternalAuth == nil {
 		allErr = append(allErr, field.Invalid(field.NewPath("spec").Child("internalAuth"),
-			m.Name, "spec.internalAuth, spec.internalAuth.endpointCert, spec.internalAuth.endpointCert.issuerRef' is missing"))
+			m.Name, "spec.internalAuth is missing"))
 	} else if m.Spec.InternalAuth.EndpointCert == nil {
 		allErr = append(allErr, field.Invalid(field.NewPath("spec").Child("internalAuth").Child("endpointCert"),
-			m.Name, "spec.internalAuth.endpointCert, spec.internalAuth.endpointCert.issuerRef' is missing"))
-	} else if m.Spec.InternalAuth.EndpointCert != nil {
+			m.Name, "spec.internalAuth.endpointCert is missing"))
+	} else {
 		if m.Spec.InternalAuth.EndpointCert.IssuerRef == nil {
 			allErr = append(allErr, field.Invalid(field.NewPath("spec").Child("internalAuth").Child("endpointCert").Child("issuerRef"),
 				m.Name, "spec.internalAuth.endpointCert.issuerRef' is missing"))
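Review bot: The third message, on the unchanged last context line, still carries the stray `'` (`"spec.internalAuth.endpointCert.issuerRef' is missing"`) that this commit removes from the other two; suggest `m.Name, "spec.internalAuth.endpointCert.issuerRef is missing"))` so the three branches read alike. All three branches report a required field that is absent, for which `field.Required(path, detail)` is the conventional constructor — `field.Invalid` presents `m.Name` as the offending value in the returned status, which misleads whoever reads the admission error, e.g. `field.Required(field.NewPath("spec").Child("internalAuth"), "spec.internalAuth is missing")`. ValidateCreateOrUpdate starts before and ends after this hunk.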