Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Set TLS Defaults for Microsoft SQL Server #1226

Merged
merged 4 commits into from
May 31, 2024
Merged

Set TLS Defaults for Microsoft SQL Server #1226

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
e10983c
Set TLS Defaults
Neaj-Morshad-101 May 31, 2024
fe8b607
Set TLS Defaults for Internal Auth
Neaj-Morshad-101 May 31, 2024
78ad8b8
Fix
Neaj-Morshad-101 May 31, 2024
0a980aa
Remove
Neaj-Morshad-101 May 31, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
97 changes: 89 additions & 8 deletions apis/kubedb/v1alpha2/mssqlserver_helpers.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -247,24 +247,24 @@ func (m *MSSQLServer) EndpointCertSecretName() string {
}

// CertificateName returns the default certificate name and/or certificate secret name for a certificate alias
func (s *MSSQLServer) CertificateName(alias MSSQLServerCertificateAlias) string {
return metautil.NameWithSuffix(s.Name, fmt.Sprintf("%s-cert", string(alias)))
func (m *MSSQLServer) CertificateName(alias MSSQLServerCertificateAlias) string {
return metautil.NameWithSuffix(m.Name, fmt.Sprintf("%s-cert", string(alias)))
}

func (s *MSSQLServer) SecretName(alias MSSQLServerCertificateAlias) string {
return metautil.NameWithSuffix(s.Name, string(alias))
func (m *MSSQLServer) SecretName(alias MSSQLServerCertificateAlias) string {
return metautil.NameWithSuffix(m.Name, string(alias))
}

// GetCertSecretName returns the secret name for a certificate alias if any
// otherwise returns default certificate secret name for the given alias.
func (s *MSSQLServer) GetCertSecretName(alias MSSQLServerCertificateAlias) string {
if s.Spec.TLS != nil {
name, ok := kmapi.GetCertificateSecretName(s.Spec.TLS.Certificates, string(alias))
func (m *MSSQLServer) GetCertSecretName(alias MSSQLServerCertificateAlias) string {
if m.Spec.TLS != nil {
name, ok := kmapi.GetCertificateSecretName(m.Spec.TLS.Certificates, string(alias))
if ok {
return name
}
}
return s.CertificateName(alias)
return m.CertificateName(alias)
}

func (m *MSSQLServer) GetNameSpacedName() string {
Expand Down Expand Up @@ -330,6 +330,8 @@ func (m *MSSQLServer) SetDefaults() {

m.setDefaultContainerSecurityContext(&mssqlVersion, m.Spec.PodTemplate)

m.SetTLSDefaults()

m.SetHealthCheckerDefaults()

m.setDefaultContainerResourceLimits(m.Spec.PodTemplate)
Expand Down Expand Up @@ -436,6 +438,85 @@ func (m *MSSQLServer) setDefaultContainerResourceLimits(podTemplate *ofst.PodTem
}
}

func (m *MSSQLServer) SetTLSDefaults() {
m.SetTLSDefaultsForInternalAuth()

if m.Spec.TLS == nil || m.Spec.TLS.IssuerRef == nil {
return
}

// Server-cert
defaultServerOrg := []string{KubeDBOrganization}
defaultServerOrgUnit := []string{string(MSSQLServerServerCert)}
_, cert := kmapi.GetCertificate(m.Spec.TLS.Certificates, string(MSSQLServerServerCert))
if cert != nil && cert.Subject != nil {
if cert.Subject.Organizations != nil {
defaultServerOrg = cert.Subject.Organizations
}
if cert.Subject.OrganizationalUnits != nil {
defaultServerOrgUnit = cert.Subject.OrganizationalUnits
}
}

m.Spec.TLS.Certificates = kmapi.SetMissingSpecForCertificate(m.Spec.TLS.Certificates, kmapi.CertificateSpec{
Alias: string(MSSQLServerServerCert),
SecretName: m.GetCertSecretName(MSSQLServerServerCert),
Subject: &kmapi.X509Subject{
Organizations: defaultServerOrg,
OrganizationalUnits: defaultServerOrgUnit,
},
})

// Client-cert
defaultClientOrg := []string{KubeDBOrganization}
defaultClientOrgUnit := []string{string(MSSQLServerClientCert)}
_, cert = kmapi.GetCertificate(m.Spec.TLS.Certificates, string(MSSQLServerClientCert))
if cert != nil && cert.Subject != nil {
if cert.Subject.Organizations != nil {
defaultClientOrg = cert.Subject.Organizations
}
if cert.Subject.OrganizationalUnits != nil {
defaultClientOrgUnit = cert.Subject.OrganizationalUnits
}
}
m.Spec.TLS.Certificates = kmapi.SetMissingSpecForCertificate(m.Spec.TLS.Certificates, kmapi.CertificateSpec{
Alias: string(MSSQLServerClientCert),
SecretName: m.GetCertSecretName(MSSQLServerClientCert),
Subject: &kmapi.X509Subject{
Organizations: defaultClientOrg,
OrganizationalUnits: defaultClientOrgUnit,
},
})
}

func (m *MSSQLServer) SetTLSDefaultsForInternalAuth() {
if m.Spec.InternalAuth == nil || m.Spec.InternalAuth.EndpointCert == nil || m.Spec.InternalAuth.EndpointCert.IssuerRef == nil {
return
}

// Endpoint-cert
defaultServerOrg := []string{KubeDBOrganization}
defaultServerOrgUnit := []string{string(MSSQLServerEndpointCert)}
_, cert := kmapi.GetCertificate(m.Spec.InternalAuth.EndpointCert.Certificates, string(MSSQLServerEndpointCert))
if cert != nil && cert.Subject != nil {
if cert.Subject.Organizations != nil {
defaultServerOrg = cert.Subject.Organizations
}
if cert.Subject.OrganizationalUnits != nil {
defaultServerOrgUnit = cert.Subject.OrganizationalUnits
}
}

m.Spec.InternalAuth.EndpointCert.Certificates = kmapi.SetMissingSpecForCertificate(m.Spec.InternalAuth.EndpointCert.Certificates, kmapi.CertificateSpec{
Alias: string(MSSQLServerEndpointCert),
SecretName: m.GetCertSecretName(MSSQLServerEndpointCert),
Subject: &kmapi.X509Subject{
Organizations: defaultServerOrg,
OrganizationalUnits: defaultServerOrgUnit,
},
})
}

func (m *MSSQLServer) ReplicasAreReady(lister pslister.PetSetLister) (bool, string, error) {
// Desire number of petSets
expectedItems := 1
Expand Down
6 changes: 3 additions & 3 deletions apis/kubedb/v1alpha2/mssqlserver_types.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,9 +42,9 @@ const (
type MSSQLServerCertificateAlias string

const (
MSSQLServerServerCert MSSQLServerCertificateAlias = "server"
MSSQLServerClientCert MSSQLServerCertificateAlias = "client"
MSSQLServerEndpoint MSSQLServerCertificateAlias = "endpoint"
MSSQLServerServerCert MSSQLServerCertificateAlias = "server"
MSSQLServerClientCert MSSQLServerCertificateAlias = "client"
MSSQLServerEndpointCert MSSQLServerCertificateAlias = "endpoint"
)

// MSSQLServer defines a MSSQLServer database.
Expand Down
6 changes: 3 additions & 3 deletions apis/kubedb/v1alpha2/mssqlserver_webhook.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -132,11 +132,11 @@ func (m *MSSQLServer) ValidateCreateOrUpdate() field.ErrorList {

if m.Spec.InternalAuth == nil {
allErr = append(allErr, field.Invalid(field.NewPath("spec").Child("internalAuth"),
m.Name, "spec.internalAuth, spec.internalAuth.endpointCert, spec.internalAuth.endpointCert.issuerRef' is missing"))
m.Name, "spec.internalAuth is missing"))
} else if m.Spec.InternalAuth.EndpointCert == nil {
allErr = append(allErr, field.Invalid(field.NewPath("spec").Child("internalAuth").Child("endpointCert"),
m.Name, "spec.internalAuth.endpointCert, spec.internalAuth.endpointCert.issuerRef' is missing"))
} else if m.Spec.InternalAuth.EndpointCert != nil {
m.Name, "spec.internalAuth.endpointCert is missing"))
} else {
if m.Spec.InternalAuth.EndpointCert.IssuerRef == nil {
allErr = append(allErr, field.Invalid(field.NewPath("spec").Child("internalAuth").Child("endpointCert").Child("issuerRef"),
m.Name, "spec.internalAuth.endpointCert.issuerRef' is missing"))
Expand Down
Loading