Merge pull request #357 from dciabrin/db-tls

Helper function for TLS support in database access
openstack-k8s-operators · Oct 11, 2023 · 7fd4e4c · 7fd4e4c
2 parents 3bdf9ff + f21280c
commit 7fd4e4c
Show file tree

Hide file tree

Showing 2 changed files with 89 additions and 0 deletions.
diff --git a/modules/common/tls/tls.go b/modules/common/tls/tls.go
@@ -21,6 +21,7 @@ package tls
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"github.com/openstack-k8s-operators/lib-common/modules/common/helper"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/secret"
@@ -132,3 +133,27 @@ func (t *TLS) CreateVolumes() []corev1.Volume {
 
 	return volumes
 }
+
+// CreateDatabaseClientConfig - connection flags for the MySQL client
+// Configures TLS connections for clients that use TLS certificates
+// returns a string of mysql config statements
+func (t *TLS) CreateDatabaseClientConfig() string {
+	conn := []string{}
+	// This assumes certificates are always injected in
+	// a common directory for all services
+	if t.Service.SecretName != "" {
+		conn = append(conn,
+			"ssl-cert=/etc/pki/tls/certs/tls.crt",
+			"ssl-key=/etc/pki/tls/private/tls.key")
+	}
+	// Client uses a CA certificate that gets merged
+	// into the pod's CA bundle by kolla_start
+	if t.Ca.CaSecretName != "" {
+		conn = append(conn,
+			"ssl-ca=/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem")
+	}
+	if len(conn) > 0 {
+		conn = append([]string{"ssl=1"}, conn...)
+	}
+	return strings.Join(conn, "\n")
+}
diff --git a/modules/common/tls/tls_test.go b/modules/common/tls/tls_test.go
@@ -17,6 +17,7 @@ limitations under the License.
 package tls
 
 import (
+	"strings"
 	"testing"
 )
 
@@ -107,3 +108,66 @@ func TestCreateVolumes(t *testing.T) {
 		})
 	}
 }
+
+func TestGenerateTLSConnectionConfig(t *testing.T) {
+	tests := []struct {
+		name         string
+		service      *Service
+		ca           *Ca
+		wantStmts    []string
+		excludeStmts []string
+	}{
+		{
+			name:         "No Secrets",
+			service:      &Service{},
+			ca:           &Ca{},
+			wantStmts:    []string{},
+			excludeStmts: []string{"ssl=1", "ssl-cert=", "ssl-key=", "ssl-ca="},
+		},
+		{
+			name:         "Only TLS Secret",
+			service:      &Service{SecretName: "test-tls-secret"},
+			ca:           &Ca{},
+			wantStmts:    []string{"ssl=1", "ssl-cert=", "ssl-key="},
+			excludeStmts: []string{"ssl-ca="},
+		},
+		{
+			name:         "Only CA Secret",
+			service:      &Service{},
+			ca:           &Ca{CaSecretName: "test-ca1"},
+			wantStmts:    []string{"ssl=1", "ssl-ca="},
+			excludeStmts: []string{"ssl-cert=", "ssl-key="},
+		},
+		{
+			name:         "TLS and CA Secrets",
+			service:      &Service{SecretName: "test-tls-secret"},
+			ca:           &Ca{CaSecretName: "test-ca1"},
+			wantStmts:    []string{"ssl=1", "ssl-cert=", "ssl-key=", "ssl-ca="},
+			excludeStmts: []string{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			tlsInstance := &TLS{Service: tt.service, Ca: tt.ca}
+			configStr := tlsInstance.CreateDatabaseClientConfig()
+			var missingStmts []string
+			for _, stmt := range tt.wantStmts {
+				if !strings.Contains(configStr, stmt) {
+					missingStmts = append(missingStmts, stmt)
+				}
+			}
+			var unexpectedStmts []string
+			for _, stmt := range tt.excludeStmts {
+				if strings.Contains(configStr, stmt) {
+					unexpectedStmts = append(unexpectedStmts, stmt)
+				}
+			}
+			if len(missingStmts) != 0 || len(unexpectedStmts) != 0 {
+				t.Errorf("CreateDatabaseClientConfig() "+
+					"missing statements: %v, unexpected statements: %v",
+					missingStmts, unexpectedStmts)
+			}
+		})
+	}
+}