diff --git a/pkg/controller/compliance/compliance_controller.go b/pkg/controller/compliance/compliance_controller.go index 29b0f2bd4a..7bc0fb5d38 100644 --- a/pkg/controller/compliance/compliance_controller.go +++ b/pkg/controller/compliance/compliance_controller.go @@ -33,7 +33,6 @@ import ( "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/tls/certificatemanagement" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" @@ -133,7 +132,6 @@ func add(mgr manager.Manager, c controller.Controller) error { render.ElasticsearchComplianceControllerUserSecret, render.ElasticsearchComplianceReporterUserSecret, render.ElasticsearchComplianceSnapshotterUserSecret, render.ElasticsearchComplianceServerUserSecret, render.ComplianceServerCertSecret, render.ManagerInternalTLSSecretName, certificatemanagement.CASecretName, - relasticsearch.PublicCertSecret, render.TigeraLinseedSecret, render.VoltronLinseedTLS, render.VoltronLinseedPublicCert, } { @@ -143,10 +141,6 @@ func add(mgr manager.Manager, c controller.Controller) error { } } - if err = utils.AddConfigMapWatch(c, relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil { - return fmt.Errorf("compliance-controller failed to watch the ConfigMap resource: %w", err) - } - // Watch for changes to primary resource ManagementCluster err = c.Watch(&source.Kind{Type: &operatorv1.ManagementCluster{}}, &handler.EnqueueRequestForObject{}) if err != nil { 
@@ -296,16 +290,6 @@ func (r *ReconcileCompliance) Reconcile(ctx context.Context, request reconcile.R return reconcile.Result{}, err } - esClusterConfig, err := utils.GetElasticsearchClusterConfig(ctx, r.client) - if err != nil { - if errors.IsNotFound(err) { - r.status.SetDegraded(operatorv1.ResourceNotReady, "Elasticsearch cluster configuration is not available, waiting for it to become available", err, reqLogger) - return reconcile.Result{}, nil - } - r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get the elasticsearch cluster configuration", err, reqLogger) - return reconcile.Result{}, err - } - secretsToWatch := []string{ render.ElasticsearchComplianceBenchmarkerUserSecret, render.ElasticsearchComplianceControllerUserSecret, render.ElasticsearchComplianceReporterUserSecret, render.ElasticsearchComplianceSnapshotterUserSecret, @@ -357,15 +341,6 @@ func (r *ReconcileCompliance) Reconcile(ctx context.Context, request reconcile.R return reconcile.Result{}, err } } - esgwCertificate, err := certificateManager.GetCertificate(r.client, relasticsearch.PublicCertSecret, common.OperatorNamespace()) - if err != nil { - r.status.SetDegraded(operatorv1.ResourceValidationError, fmt.Sprintf("Failed to retrieve / validate %s", relasticsearch.PublicCertSecret), err, reqLogger) - return reconcile.Result{}, err - } else if esgwCertificate == nil { - log.Info("Elasticsearch gateway certificates are not available yet, waiting until they become available") - r.status.SetDegraded(operatorv1.ResourceNotReady, "Elasticsearch gateway certificates are not available yet, waiting until they become available", nil, reqLogger) - return reconcile.Result{}, nil - } // The location of the Linseed certificate varies based on if this is a managed cluster or not. // For standalone and management clusters, we just use Linseed's actual certificate. 
@@ -384,7 +359,7 @@ func (r *ReconcileCompliance) Reconcile(ctx context.Context, request reconcile.R r.status.SetDegraded(operatorv1.ResourceNotReady, "Linseed certificate is not available yet, waiting until it becomes available", nil, reqLogger) return reconcile.Result{}, nil } - trustedBundle := certificateManager.CreateTrustedBundle(managerInternalTLSSecret, esgwCertificate, linseedCertificate) + trustedBundle := certificateManager.CreateTrustedBundle(managerInternalTLSSecret, linseedCertificate) // Get the key pairs for each component, generating them as needed. type complianceKeyPair struct { @@ -455,7 +430,6 @@ func (r *ReconcileCompliance) Reconcile(ctx context.Context, request reconcile.R BenchmarkerKeyPair: benchmarkerKeyPair.Interface, SnapshotterKeyPair: snapshotterKeyPair.Interface, ReporterKeyPair: reporterKeyPair.Interface, - ESClusterConfig: esClusterConfig, PullSecrets: pullSecrets, Openshift: openshift, ManagementCluster: managementCluster, diff --git a/pkg/controller/compliance/compliance_controller_test.go b/pkg/controller/compliance/compliance_controller_test.go index 2aa31dac01..32f20293fb 100644 --- a/pkg/controller/compliance/compliance_controller_test.go +++ b/pkg/controller/compliance/compliance_controller_test.go @@ -20,7 +20,6 @@ import ( "time" "github.com/tigera/operator/pkg/controller/certificatemanager" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/secret" "github.com/tigera/operator/pkg/tls" 
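Review bot: The narrowed trusted bundle in the `@@ -384` hunk drops the ES gateway certificate without recording the assumption that makes this safe, namely that the compliance components now reach Elasticsearch only through Linseed; a reader hitting an x509 verification failure later has nothing to go on. Trusting fewer certificates is the right least-privilege direction, but nothing in the hunk shows that no compliance component still dials the gateway, so the assumption should be stated above the call: `// Compliance reaches Elasticsearch only via Linseed, so the ES gateway certificate is deliberately not trusted here.` Reconcile starts and ends outside this hunk.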
@@ -127,15 +126,6 @@ var _ = Describe("Compliance controller tests", func() { Expect(c.Create(ctx, &operatorv1.APIServer{ObjectMeta: metav1.ObjectMeta{Name: "tigera-secure"}, Status: operatorv1.APIServerStatus{State: operatorv1.TigeraStatusReady}})).NotTo(HaveOccurred()) Expect(c.Create(ctx, &v3.Tier{ObjectMeta: metav1.ObjectMeta{Name: "allow-tigera"}})).NotTo(HaveOccurred()) Expect(c.Create(ctx, &v3.LicenseKey{ObjectMeta: metav1.ObjectMeta{Name: "default"}, Status: v3.LicenseKeyStatus{Features: []string{common.ComplianceFeature}}})).NotTo(HaveOccurred()) - Expect(c.Create(ctx, &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.ClusterConfigConfigMapName, Namespace: common.OperatorNamespace()}, - Data: map[string]string{ - "clusterName": "cluster", - "shards": "2", - "replicas": "1", - "flowShards": "2", - }, - })).NotTo(HaveOccurred()) // Create a bunch of empty secrets, such that the reconcile loop will make it to the render functionality. Expect(c.Create(ctx, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: render.ElasticsearchComplianceBenchmarkerUserSecret, Namespace: "tigera-operator"}})).NotTo(HaveOccurred()) @@ -149,8 +139,6 @@ var _ = Describe("Compliance controller tests", func() { Expect(c.Create(context.Background(), certificateManager.KeyPair().Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) esDNSNames := dns.GetServiceDNSNames(render.TigeraElasticsearchGatewaySecret, render.ElasticsearchNamespace, dns.DefaultClusterDomain) - gwKeyPair, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, render.ElasticsearchNamespace, esDNSNames) - Expect(err).NotTo(HaveOccurred()) linseedKeyPair, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, render.ElasticsearchNamespace, esDNSNames) Expect(err).NotTo(HaveOccurred()) 
@@ -158,7 +146,6 @@ var _ = Describe("Compliance controller tests", func() { linseedPublicCert, err := certificateManager.GetOrCreateKeyPair(c, render.VoltronLinseedPublicCert, common.OperatorNamespace(), esDNSNames) Expect(err).NotTo(HaveOccurred()) - Expect(c.Create(ctx, gwKeyPair.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) Expect(c.Create(ctx, linseedKeyPair.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) Expect(c.Create(ctx, linseedPublicCert.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) diff --git a/pkg/controller/installation/core_controller.go b/pkg/controller/installation/core_controller.go index 162070f10d..fe150ca867 100644 --- a/pkg/controller/installation/core_controller.go +++ b/pkg/controller/installation/core_controller.go @@ -26,11 +26,11 @@ import ( "strconv" "strings" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/elastic/cloud-on-k8s/v2/pkg/utils/stringsutil" "github.com/go-logr/logr" configv1 "github.com/openshift/api/config/v1" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" - appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" 
@@ -1193,7 +1193,8 @@ func (r *ReconcileInstallation) Reconcile(ctx context.Context, request reconcile // es-kube-controllers needs to trust the ESGW certificate. We'll fetch it here and add it to the trusted bundle. // Note that although we're adding this to the typhaNodeTLS trusted bundle, it will be used by es-kube-controllers. This is because - // all components within this namespace share a trusted CA bundle. + // all components within this namespace share a trusted CA bundle. This is necessary because prior to v3.13 secrets were not signed by + // a single CA so we need to include each individually. esgwCertificate, err := certificateManager.GetCertificate(r.client, relasticsearch.PublicCertSecret, common.OperatorNamespace()) if err != nil { r.status.SetDegraded(operator.CertificateError, fmt.Sprintf("Failed to retrieve / validate %s", relasticsearch.PublicCertSecret), err, reqLogger) diff --git a/pkg/controller/intrusiondetection/intrusiondetection_controller.go b/pkg/controller/intrusiondetection/intrusiondetection_controller.go index 4fe9146c4f..43cfb46292 100644 --- a/pkg/controller/intrusiondetection/intrusiondetection_controller.go +++ b/pkg/controller/intrusiondetection/intrusiondetection_controller.go @@ -18,6 +18,8 @@ import ( "context" "fmt" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + esv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/elasticsearch/v1" "github.com/tigera/operator/pkg/render/common/networkpolicy" @@ -36,7 +38,6 @@ import ( "github.com/tigera/operator/pkg/controller/utils/imageset" "github.com/tigera/operator/pkg/render" rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/render/intrusiondetection/dpi" "github.com/tigera/operator/pkg/tls/certificatemanagement" batchv1 "k8s.io/api/batch/v1" 
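Review bot: The rewritten comment in the `@@ -1193` hunk explains why the ESGW certificate is still added to the typha/node bundle (pre-v3.13 installs had no single signing CA) but gives no sign that this is an upgrade-compatibility shim, so the extra trust anchor will outlive the releases that need it. Suggest a removal marker right after it: `// TODO: drop the ESGW certificate from this bundle once upgrades from releases older than v3.13 are no longer supported.` Also "secrets were not signed by a single CA" reads oddly, since it is the certificates held in those secrets that are signed; `certificates were not issued by a single CA` is clearer. The enclosing Reconcile begins and ends outside the hunk.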
@@ -172,7 +173,6 @@ func add(mgr manager.Manager, c controller.Controller) error {
 }
 for _, secretName := range []string{
- relasticsearch.PublicCertSecret,
 render.ElasticsearchIntrusionDetectionUserSecret,
 render.ElasticsearchIntrusionDetectionJobUserSecret,
 render.ElasticsearchPerformanceHotspotsUserSecret,
@@ -192,11 +192,6 @@ func add(mgr manager.Manager, c controller.Controller) error {
 return fmt.Errorf("intrusiondetection-controller failed to watch the Secret resource: %v", err)
 }
- // These watches are here to catch a modification to the resources we create in reconcile so the changes would be corrected.
- if err = utils.AddSecretsWatch(c, relasticsearch.PublicCertSecret, render.IntrusionDetectionNamespace); err != nil {
- return fmt.Errorf("intrusiondetection-controller failed to watch the Secret resource: %v", err)
- }
-
 if err = utils.AddSecretsWatch(c, render.TigeraLinseedSecret, render.IntrusionDetectionNamespace); err != nil {
 return fmt.Errorf("intrusiondetection-controller failed to watch the Secret resource: %v", err)
 }
@@ -393,6 +388,15 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec
 return reconcile.Result{}, err
 }
+ if isManagedCluster {
+ if esClusterConfig.ClusterName() == render.DefaultElasticsearchClusterName {
+ msg := fmt.Sprintf("%s/%s ConfigMap must contain a 'clusterName' field that is not '%s'", common.OperatorNamespace(), relasticsearch.ClusterConfigConfigMapName, render.DefaultElasticsearchClusterName)
+ err = fmt.Errorf("Elasticsearch cluster name must be non-default value in managed clusters")
+ r.status.SetDegraded(operatorv1.InvalidConfigurationError, msg, err, reqLogger)
+ return reconcile.Result{}, err
+ }
+ }
+
 secrets := []string{
 render.ElasticsearchIntrusionDetectionUserSecret,
 render.ElasticsearchPerformanceHotspotsUserSecret,
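Review bot: In the `@@ -393` hunk the new error string starts with a capital letter, `fmt.Errorf("Elasticsearch cluster name must be non-default value in managed clusters")`, which Go convention rejects and which is inconsistent with the lowercase error strings elsewhere in this file; `fmt.Errorf("elasticsearch cluster name must be a non-default value in managed clusters")` fixes both. More importantly the check carries no explanation of why the default name is unsafe in a managed cluster; presumably the name identifies this cluster's data in the management cluster's store, so a default value would be indistinguishable from another managed cluster's, and that belongs in a comment such as `// In a managed cluster the cluster name identifies this cluster's data in the management cluster, so the shared default must not be used — TODO confirm`. `esClusterConfig` is obtained above the hunk, so whether it can be nil here is not visible and the dereference assumes the earlier lookup already returned on error. In the `@@ -192` hunk the comment explaining the in-namespace watches was removed together with the ES gateway watch, leaving the remaining TigeraLinseedSecret watch undocumented; keep that comment above it.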
@@ -549,7 +553,6 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec ManagementCluster: isManagementCluster, HasNoLicense: hasNoLicense, HasNoDPIResource: hasNoDPIResource, - ESClusterConfig: esClusterConfig, ClusterDomain: r.clusterDomain, DPICertSecret: dpiKeyPair, }) diff --git a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go index 051a7e5098..7c029c6124 100644 --- a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go +++ b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go @@ -19,6 +19,8 @@ import ( "fmt" "time" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + esv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/elasticsearch/v1" "github.com/tigera/operator/pkg/apis" @@ -42,8 +44,6 @@ import ( "github.com/tigera/operator/pkg/controller/status" "github.com/tigera/operator/pkg/controller/utils" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" - appsv1 "k8s.io/api/apps/v1" batchv1 "k8s.io/api/batch/v1" corev1 "k8s.io/api/core/v1" @@ -348,6 +348,8 @@ var _ = Describe("IntrusionDetection controller tests", func() { }, })).ToNot(HaveOccurred()) + Expect(c.Update(ctx, relasticsearch.NewClusterConfig("non-default-cluster-name", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) + _, err := r.Reconcile(ctx, reconcile.Request{}) Expect(err).ShouldNot(HaveOccurred()) @@ -428,6 +430,8 @@ var _ = Describe("IntrusionDetection controller tests", func() { }, })).ToNot(HaveOccurred()) + Expect(c.Update(ctx, relasticsearch.NewClusterConfig("non-default-cluster-name", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) + _, err := r.Reconcile(ctx, reconcile.Request{}) Expect(err).ShouldNot(HaveOccurred()) mockStatus.AssertNumberOfCalls(GinkgoT(), "SetDegraded", 0) 
@@ -560,6 +564,23 @@ var _ = Describe("IntrusionDetection controller tests", func() {
 Expect(*ids.Spec.ComponentResources[0].ResourceRequirements.Requests.Memory()).Should(Equal(resource.MustParse(memoryRequest)))
 Expect(*ids.Spec.ComponentResources[0].ResourceRequirements.Limits.Memory()).Should(Equal(resource.MustParse(memoryLimit)))
 })
+
+ It("should error if Elasticsearch configuration ConfigMap contains default cluster-name field in managed cluster", func() {
+ Expect(c.Create(ctx, &operatorv1.ManagementClusterConnection{
+ ObjectMeta: metav1.ObjectMeta{Name: "tigera-secure"},
+ Spec: operatorv1.ManagementClusterConnectionSpec{
+ ManagementClusterAddr: "127.0.0.1:12345",
+ },
+ })).ToNot(HaveOccurred())
+
+ _, err := r.Reconcile(ctx, reconcile.Request{})
+ Expect(err).Should(HaveOccurred())
+
+ Expect(c.Update(ctx, relasticsearch.NewClusterConfig("managed-cluster-name", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred())
+
+ _, err = r.Reconcile(ctx, reconcile.Request{})
+ Expect(err).ShouldNot(HaveOccurred())
+ })
 })
 Context("Reconcile for Condition status", func() {
diff --git a/pkg/controller/logcollector/logcollector_controller.go b/pkg/controller/logcollector/logcollector_controller.go
index 1f62e072a9..c5dba8dcaf 100644
--- a/pkg/controller/logcollector/logcollector_controller.go
+++ b/pkg/controller/logcollector/logcollector_controller.go
@@ -19,6 +19,8 @@ import (
 "fmt"
 "strings"
+ relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
+
 "github.com/tigera/operator/pkg/render/common/networkpolicy"
 v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"
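Review bot: The new `It` in the `@@ -560` hunk only asserts that Reconcile returned some error for the default cluster name, so a failure in an unrelated step (a missing secret, for instance) would also pass it. If `mockStatus` in this suite is set up to accept `SetDegraded`, pin the reason: `mockStatus.AssertCalled(GinkgoT(), "SetDegraded", operatorv1.InvalidConfigurationError, mock.Anything, mock.Anything, mock.Anything)`; the mock's configuration lives outside this hunk, so adjust to match it. The test also relies on a ConfigMap with the default cluster name having been created earlier in the suite, which the hunk does not show.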
@@ -46,7 +48,6 @@ import ( "github.com/tigera/operator/pkg/controller/utils/imageset" "github.com/tigera/operator/pkg/render" rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/monitor" "github.com/tigera/operator/pkg/tls/certificatemanagement" @@ -141,7 +142,7 @@ func add(mgr manager.Manager, c controller.Controller) error { for _, secretName := range []string{ render.ElasticsearchEksLogForwarderUserSecret, - relasticsearch.PublicCertSecret, render.S3FluentdSecretName, render.EksLogForwarderSecret, + render.S3FluentdSecretName, render.EksLogForwarderSecret, render.SplunkFluentdTokenSecretName, render.SplunkFluentdCertificateSecretName, monitor.PrometheusTLSSecretName, render.FluentdPrometheusTLSSecretName, render.TigeraLinseedSecret, render.VoltronLinseedPublicCert, render.EKSLogForwarderTLSSecretName, } { @@ -546,7 +547,6 @@ func (r *ReconcileLogCollector) Reconcile(ctx context.Context, request reconcile r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get the elasticsearch cluster configuration", err, reqLogger) return reconcile.Result{}, err } - eksConfig, err = getEksCloudwatchLogConfig(r.client, instance.Spec.AdditionalSources.EksCloudwatchLog.FetchInterval, instance.Spec.AdditionalSources.EksCloudwatchLog.Region, diff --git a/pkg/controller/logcollector/logcollector_controller_test.go b/pkg/controller/logcollector/logcollector_controller_test.go index 4e36d41de0..22b1e84d1b 100644 --- a/pkg/controller/logcollector/logcollector_controller_test.go +++ b/pkg/controller/logcollector/logcollector_controller_test.go 
@@ -43,7 +43,6 @@ import ( "github.com/tigera/operator/pkg/controller/status" "github.com/tigera/operator/pkg/controller/utils" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/render/monitor" "github.com/tigera/operator/test" ) @@ -127,15 +126,10 @@ var _ = Describe("LogCollector controller tests", func() { ObjectMeta: metav1.ObjectMeta{Name: "default"}, })).NotTo(HaveOccurred()) - Expect(c.Create(ctx, relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) - certificateManager, err := certificatemanager.Create(c, nil, "", common.OperatorNamespace(), certificatemanager.AllowCACreation()) Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, certificateManager.KeyPair().Secret(common.OperatorNamespace()))) // Persist the root-ca in the operator namespace. - kibanaTLS, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret}) - Expect(err).NotTo(HaveOccurred()) - Expect(c.Create(ctx, kibanaTLS.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) Expect(c.Create(ctx, &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: render.ElasticsearchEksLogForwarderUserSecret, diff --git a/pkg/controller/logstorage/elastic/elastic_controller.go b/pkg/controller/logstorage/elastic/elastic_controller.go index 279c4160ee..7dd4708964 100644 --- a/pkg/controller/logstorage/elastic/elastic_controller.go +++ b/pkg/controller/logstorage/elastic/elastic_controller.go @@ -193,7 +193,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { esmetrics.ElasticsearchMetricsServerTLSSecret, render.TigeraLinseedSecret, certificatemanagement.CASecretName, - relasticsearch.PublicCertSecret, monitor.PrometheusClientTLSSecretName, render.ElasticsearchAdminUserSecret, render.ElasticsearchCuratorUserSecret, 
@@ -206,7 +205,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error {
 // Establish watches for secrets in the tigera-elasticsearch namespace.
 for _, secretName := range []string{
- relasticsearch.PublicCertSecret,
 render.ElasticsearchAdminUserSecret,
 render.TigeraElasticsearchInternalCertSecret,
 render.OIDCUsersESSecretName,
diff --git a/pkg/controller/logstorage/elastic/elastic_controller_test.go b/pkg/controller/logstorage/elastic/elastic_controller_test.go
index 3e15abeec2..40634b0cbf 100644
--- a/pkg/controller/logstorage/elastic/elastic_controller_test.go
+++ b/pkg/controller/logstorage/elastic/elastic_controller_test.go
@@ -351,10 +351,23 @@ var _ = Describe("LogStorage controller", func() {
 r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag)
 Expect(err).ShouldNot(HaveOccurred())
+ esConfigMapKey := client.ObjectKey{
+ Name: relasticsearch.ClusterConfigConfigMapName,
+ Namespace: common.OperatorNamespace(),
+ }
+
+ esConfigMap := corev1.ConfigMap{}
+
+ // Verify that the ConfigMap doesn't exist prior to calling Reconcile
+ Expect(cli.Get(ctx, esConfigMapKey, &esConfigMap)).To(HaveOccurred())
+
 mockStatus.On("SetDegraded", operatorv1.ResourceNotReady, "Waiting for Elasticsearch cluster to be operational", mock.Anything, mock.Anything).Return()
 result, err := r.Reconcile(ctx, reconcile.Request{})
 Expect(err).ShouldNot(HaveOccurred())
+ // Check that the ConfigMap was created by the call to Reconcile
+ Expect(cli.Get(ctx, esConfigMapKey, &esConfigMap)).NotTo(HaveOccurred())
+
 // Expect to be waiting for Elasticsearch and Kibana to be functional
 Expect(result).Should(Equal(reconcile.Result{}))
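Review bot: `Expect(cli.Get(ctx, esConfigMapKey, &esConfigMap)).To(HaveOccurred())` in the `@@ -351` hunk passes on any error, not just NotFound, so a scheme or client problem would be read as "ConfigMap absent" and the later creation check would then mask it. Capture the error and assert its kind, e.g. `err = cli.Get(ctx, esConfigMapKey, &esConfigMap)` followed by `Expect(errors.IsNotFound(err)).To(BeTrue())`, using whatever alias this test file imports for k8s.io/apimachinery/pkg/api/errors (not visible here).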
@@ -394,10 +407,24 @@ var _ = Describe("LogStorage controller", func() { } Expect(cli.Create(ctx, esAdminUserSecret)).ShouldNot(HaveOccurred()) + // Modify ConfigMap we expect to be reverted by a call to Reconcile + _, ok := esConfigMap.Data["test-field"] + Expect(ok).To(BeFalse()) + + esConfigMap.Data = map[string]string{ + "test-field": "test-data", + } + Expect(cli.Update(ctx, &esConfigMap)).NotTo(HaveOccurred()) + mockStatus.On("SetDegraded", operatorv1.ResourceNotReady, "Waiting for curator secrets to become available", mock.Anything, mock.Anything).Return() result, err = r.Reconcile(ctx, reconcile.Request{}) Expect(err).ShouldNot(HaveOccurred()) + // Verify that the ConfigMap was reverted to the original state + Expect(cli.Get(ctx, esConfigMapKey, &esConfigMap)).NotTo(HaveOccurred()) + _, ok = esConfigMap.Data["test-field"] + Expect(ok).To(BeFalse()) + // Expect to be waiting for curator secret Expect(result).Should(Equal(reconcile.Result{})) Expect(cli.Create(ctx, &corev1.Secret{ObjectMeta: curatorUsrSecretObjMeta})).ShouldNot(HaveOccurred()) @@ -554,9 +581,7 @@ var _ = Describe("LogStorage controller", func() { ) Expect(err).ShouldNot(HaveOccurred()) - esPublicSecret := createPubSecret(relasticsearch.PublicCertSecret, render.ElasticsearchNamespace, esSecret.Data["tls.crt"], "tls.crt") Expect(cli.Create(ctx, esSecret)).ShouldNot(HaveOccurred()) - Expect(cli.Create(ctx, esPublicSecret)).ShouldNot(HaveOccurred()) kbDNSNames = []string{"kb.example.com", "192.168.10.11"} kbSecret, err := secret.CreateTLSSecret(testCA, @@ -812,7 +837,6 @@ var _ = Describe("LogStorage controller", func() { AssociationStatus: cmnv1.AssociationEstablished, }, }, - relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap(), &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "tigera-pull-secret"}}, &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{Namespace: render.ECKOperatorNamespace, Name: render.ECKLicenseConfigMapName}, 
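Review bot: The revert check in the `@@ -394` hunk only verifies that the injected `test-field` key is gone after Reconcile; because the test replaced the whole `Data` map, the original keys (cluster name, shard and replica counts) could come back wrong or missing and the assertion would still pass. Keep a reference to the original map before overwriting it and compare against it: `want := esConfigMap.Data` before the reassignment, then `Expect(esConfigMap.Data).To(Equal(want))` after the second Get. Since the reassignment swaps in a new map rather than mutating the old one, `want` still holds the original contents.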
@@ -1242,9 +1266,6 @@ func setUpLogStorageComponents(cli client.Client, ctx context.Context, storageCl trustedBundle := certificateManager.CreateTrustedBundle() esKeyPair, err := certificateManager.GetOrCreateKeyPair(cli, render.TigeraElasticsearchInternalCertSecret, common.OperatorNamespace(), []string{render.TigeraElasticsearchInternalCertSecret}) Expect(err).NotTo(HaveOccurred()) - esPublic, err := certificateManager.GetOrCreateKeyPair(cli, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{render.TigeraElasticsearchInternalCertSecret}) - Expect(err).NotTo(HaveOccurred()) - Expect(cli.Create(context.Background(), esPublic.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) var replicas int32 = 2 cfg := &render.ElasticsearchConfiguration{ @@ -1293,17 +1314,6 @@ func setUpLogStorageComponents(cli client.Client, ctx context.Context, storageCl Expect(cli.Create(ctx, &corev1.Secret{ObjectMeta: curatorUsrSecretObjMeta})).ShouldNot(HaveOccurred()) } -func createPubSecret(name string, ns string, bytes []byte, certName string) client.Object { - return &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, Namespace: ns, - }, - Data: map[string][]byte{ - certName: bytes, - }, - } -} - // CreateLogStorage creates a LogStorage object with the given parameters after filling in defaults, // and asserts that the creation succeeds. func CreateLogStorage(client client.Client, ls *operatorv1.LogStorage) { diff --git a/pkg/controller/logstorage/elastic/external_elastic_controller_test.go b/pkg/controller/logstorage/elastic/external_elastic_controller_test.go index b8896900b8..f960a6bee4 100644 --- a/pkg/controller/logstorage/elastic/external_elastic_controller_test.go +++ b/pkg/controller/logstorage/elastic/external_elastic_controller_test.go 
@@ -155,7 +155,15 @@ var _ = Describe("External ES Controller", func() { Expect(cli.Create(ctx, esAdminUserSecret)).ShouldNot(HaveOccurred()) // Create the ExternalCertsSecret which contains the client certificate for connecting to the external ES cluster. - externalCertsSecret := createPubSecret(logstorage.ExternalCertsSecret, common.OperatorNamespace(), []byte{}, "tls.crt") + externalCertsSecret := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: logstorage.ExternalCertsSecret, + Namespace: common.OperatorNamespace(), + }, + Data: map[string][]byte{ + "tls.crt": {}, + }, + } Expect(cli.Create(ctx, externalCertsSecret)).ShouldNot(HaveOccurred()) Expect(cli.Create( diff --git a/pkg/controller/logstorage/managedcluster/managed_cluster_controller.go b/pkg/controller/logstorage/managedcluster/managed_cluster_controller.go index 9a931b516c..f6221ba702 100644 --- a/pkg/controller/logstorage/managedcluster/managed_cluster_controller.go +++ b/pkg/controller/logstorage/managedcluster/managed_cluster_controller.go @@ -30,11 +30,9 @@ import ( "sigs.k8s.io/controller-runtime/pkg/reconcile" "sigs.k8s.io/controller-runtime/pkg/source" - "github.com/tigera/operator/pkg/common" "github.com/tigera/operator/pkg/controller/options" "github.com/tigera/operator/pkg/controller/utils" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" ) var log = logf.Log.WithName("controller_logstorage_managed") 
@@ -82,13 +80,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { return fmt.Errorf("log-storage-managedcluster-controller failed to watch ManagementClusterConnection resource: %w", err) } - if err = utils.AddSecretsWatch(c, relasticsearch.PublicCertSecret, common.OperatorNamespace()); err != nil { - return fmt.Errorf("log-storage-managedcluster-controller failed to watch Secret resource: %w", err) - } - if err = utils.AddSecretsWatch(c, relasticsearch.PublicCertSecret, render.ElasticsearchNamespace); err != nil { - return fmt.Errorf("log-storage-managedcluster-controller failed to watch Secret resource: %w", err) - } - // Perform periodic reconciliation. This acts as a backstop to catch reconcile issues, // and also makes sure we spot when things change that might not trigger a reconciliation. err = utils.AddPeriodicReconcile(c, utils.PeriodicReconcileTime, &handler.EnqueueRequestForObject{}) diff --git a/pkg/controller/logstorage/secrets/secret_controller.go b/pkg/controller/logstorage/secrets/secret_controller.go index 76edf9c48b..a8e3b24b1c 100644 --- a/pkg/controller/logstorage/secrets/secret_controller.go +++ b/pkg/controller/logstorage/secrets/secret_controller.go @@ -29,7 +29,6 @@ import ( "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/render/logstorage" "github.com/tigera/operator/pkg/render/logstorage/esgateway" "github.com/tigera/operator/pkg/render/logstorage/esmetrics" 
@@ -131,12 +130,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { if err = utils.AddSecretsWatchWithHandler(c, certificatemanagement.TenantCASecretName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil { return fmt.Errorf("log-storage-secrets-controller failed to watch Secret: %w", err) } - if err = utils.AddSecretsWatchWithHandler(c, relasticsearch.PublicCertSecret, helper.TruthNamespace(), eventHandler); err != nil { - return fmt.Errorf("log-storage-secrets-controller failed to watch Secret: %w", err) - } - if err = utils.AddSecretsWatchWithHandler(c, relasticsearch.PublicCertSecret, render.ElasticsearchNamespace, eventHandler); err != nil { - return fmt.Errorf("log-storage-secrets-controller failed to watch Secret: %w", err) - } if err = utils.AddSecretsWatchWithHandler(c, render.TigeraElasticsearchGatewaySecret, helper.TruthNamespace(), &handler.EnqueueRequestForObject{}); err != nil { return fmt.Errorf("log-storage-secrets-controller failed to watch Secret: %w", err) } diff --git a/pkg/controller/logstorage/secrets/secret_controller_test.go b/pkg/controller/logstorage/secrets/secret_controller_test.go index 8cc9641822..d7e6463d79 100644 --- a/pkg/controller/logstorage/secrets/secret_controller_test.go +++ b/pkg/controller/logstorage/secrets/secret_controller_test.go @@ -46,7 +46,6 @@ import ( "github.com/tigera/operator/pkg/controller/utils" "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/secret" "github.com/tigera/operator/pkg/render/logstorage/esgateway" 
@@ -221,9 +220,7 @@ var _ = Describe("LogStorage Secrets controller", func() { ) Expect(err).ShouldNot(HaveOccurred()) - esPublicSecret := createPubSecret(relasticsearch.PublicCertSecret, render.ElasticsearchNamespace, esSecret.Data["tls.crt"], "tls.crt") Expect(cli.Create(ctx, esSecret)).ShouldNot(HaveOccurred()) - Expect(cli.Create(ctx, esPublicSecret)).ShouldNot(HaveOccurred()) kbDNSNames = []string{"kb.example.com", "192.168.10.11"} kbSecret, err := secret.CreateTLSSecret( @@ -505,17 +502,6 @@ func CreateLogStorage(client client.Client, ls *operatorv1.LogStorage) { ExpectWithOffset(1, client.Create(context.Background(), ls)).ShouldNot(HaveOccurred()) } -func createPubSecret(name string, ns string, bytes []byte, certName string) client.Object { - return &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, Namespace: ns, - }, - Data: map[string][]byte{ - certName: bytes, - }, - } -} - // ExpectSecrets asserts that all of the given secrets exist in the cluster, and that no other secrets exist. func ExpectSecrets(ctx context.Context, cli client.Client, expected []types.NamespacedName) { for _, expected := range expected { diff --git a/pkg/controller/manager/manager_controller.go b/pkg/controller/manager/manager_controller.go index dc99226783..1a47d38b77 100644 --- a/pkg/controller/manager/manager_controller.go +++ b/pkg/controller/manager/manager_controller.go @@ -18,6 +18,8 @@ import ( "context" "fmt" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" 
@@ -44,7 +46,6 @@ import ( "github.com/tigera/operator/pkg/render" rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement" tigerakvc "github.com/tigera/operator/pkg/render/common/authentication/tigera/key_validator_config" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/render/common/networkpolicy" "github.com/tigera/operator/pkg/render/monitor" "github.com/tigera/operator/pkg/tls/certificatemanagement" @@ -145,7 +146,7 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { } for _, namespace := range namespacesToWatch { for _, secretName := range []string{ - render.ManagerTLSSecretName, relasticsearch.PublicCertSecret, render.ElasticsearchManagerUserSecret, + render.ManagerTLSSecretName, render.ElasticsearchManagerUserSecret, render.VoltronTunnelSecretName, render.ComplianceServerCertSecret, render.PacketCaptureServerCert, render.ManagerInternalTLSSecretName, monitor.PrometheusTLSSecretName, certificatemanagement.CASecretName, } { @@ -395,7 +396,6 @@ func (r *ReconcileManager) Reconcile(ctx context.Context, request reconcile.Requ trustedSecretNames = []string{ render.PacketCaptureServerCert, monitor.PrometheusTLSSecretName, - relasticsearch.PublicCertSecret, render.ProjectCalicoAPIServerTLSSecretName(installation.Variant), render.TigeraLinseedSecret, } 
@@ -460,14 +460,18 @@ func (r *ReconcileManager) Reconcile(ctx context.Context, request reconcile.Requ return reconcile.Result{}, err } - clusterConfig, err := utils.GetElasticsearchClusterConfig(context.Background(), r.client) - if err != nil { - if errors.IsNotFound(err) { - r.status.SetDegraded(operatorv1.ResourceNotFound, "Elasticsearch cluster configuration is not available, waiting for it to become available", err, logc) - return reconcile.Result{}, nil + var clusterConfig *relasticsearch.ClusterConfig + // We only require Elastic cluster configuration when Kibana is enabled. + if render.KibanaEnabled(tenant, installation) { + clusterConfig, err = utils.GetElasticsearchClusterConfig(context.Background(), r.client) + if err != nil { + if errors.IsNotFound(err) { + r.status.SetDegraded(operatorv1.ResourceNotFound, "Elasticsearch cluster configuration is not available, waiting for it to become available", err, logc) + return reconcile.Result{}, nil + } + r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get the elasticsearch cluster configuration", err, logc) + return reconcile.Result{}, err } - r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get the elasticsearch cluster configuration", err, logc) - return reconcile.Result{}, err } var esSecrets []*corev1.Secret diff --git a/pkg/controller/manager/manager_controller_test.go b/pkg/controller/manager/manager_controller_test.go index 1a307e7121..7b1b76c503 100644 --- a/pkg/controller/manager/manager_controller_test.go +++ b/pkg/controller/manager/manager_controller_test.go @@ -21,6 +21,7 @@ import ( "encoding/pem" "fmt" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" kerror "k8s.io/apimachinery/pkg/api/errors" . "github.com/onsi/ginkgo" 
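Review bot: The new `GetElasticsearchClusterConfig` call still passes `context.Background()` although `Reconcile` receives `ctx`, so the API read ignores controller-runtime cancellation; prefer `clusterConfig, err = utils.GetElasticsearchClusterConfig(ctx, r.client)`. `clusterConfig` is also nil whenever `render.KibanaEnabled` returns false, and the hunk does not show the code that consumes it, so every downstream use later in `Reconcile` must tolerate nil. A one-line comment at the declaration would make that contract explicit: `// clusterConfig stays nil when Kibana is disabled; consumers must nil-check it.` The `Reconcile` body continues outside the hunk.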
@@ -50,7 +51,6 @@ import ( "github.com/tigera/operator/pkg/controller/utils" "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/secret" rsecret "github.com/tigera/operator/pkg/render/common/secret" @@ -218,10 +218,7 @@ var _ = Describe("Manager controller tests", func() { promKp, err := certificateManager.GetOrCreateKeyPair(c, monitor.PrometheusTLSSecretName, common.OperatorNamespace(), []string{monitor.PrometheusTLSSecretName}) Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, promKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) - gwKp, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret}) - Expect(err).NotTo(HaveOccurred()) - Expect(c.Create(ctx, gwKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) - linseedKp, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret}) + linseedKp, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, common.OperatorNamespace(), []string{render.TigeraLinseedSecret}) Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, linseedKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) queryServerKp, err := certificateManager.GetOrCreateKeyPair(c, render.ProjectCalicoAPIServerTLSSecretName(operatorv1.TigeraSecureEnterprise), common.OperatorNamespace(), []string{render.ProjectCalicoAPIServerTLSSecretName(operatorv1.TigeraSecureEnterprise)}) 
@@ -432,6 +429,7 @@ var _ = Describe("Manager controller tests", func() { var licenseKey *v3.LicenseKey var compliance *operatorv1.Compliance var certificateManager certificatemanager.CertificateManager + var installation *operatorv1.Installation BeforeEach(func() { // Create an object we can use throughout the test to do the compliance reconcile loops. @@ -479,25 +477,25 @@ var _ = Describe("Manager controller tests", func() { }, } Expect(c.Create(ctx, licenseKey)).NotTo(HaveOccurred()) - Expect(c.Create( - ctx, - &operatorv1.Installation{ - ObjectMeta: metav1.ObjectMeta{Name: "default"}, - Spec: operatorv1.InstallationSpec{ - ControlPlaneReplicas: &replicas, - Variant: operatorv1.TigeraSecureEnterprise, - Registry: "some.registry.org/", - }, - Status: operatorv1.InstallationStatus{ - Variant: operatorv1.TigeraSecureEnterprise, - Computed: &operatorv1.InstallationSpec{ - Registry: "some.registry.org/", - // The test is provider agnostic. - KubernetesProvider: operatorv1.ProviderNone, - }, + + installation = &operatorv1.Installation{ + ObjectMeta: metav1.ObjectMeta{Name: "default"}, + Spec: operatorv1.InstallationSpec{ + ControlPlaneReplicas: &replicas, + Variant: operatorv1.TigeraSecureEnterprise, + Registry: "some.registry.org/", + }, + Status: operatorv1.InstallationStatus{ + Variant: operatorv1.TigeraSecureEnterprise, + Computed: &operatorv1.InstallationSpec{ + Registry: "some.registry.org/", + // The test is provider agnostic. + KubernetesProvider: operatorv1.ProviderNone, }, }, - )).NotTo(HaveOccurred()) + } + Expect(c.Create(ctx, installation)).NotTo(HaveOccurred()) + compliance = &operatorv1.Compliance{ ObjectMeta: metav1.ObjectMeta{Name: "tigera-secure"}, Status: operatorv1.ComplianceStatus{ 
@@ -524,10 +522,7 @@ var _ = Describe("Manager controller tests", func() { promKp, err := certificateManager.GetOrCreateKeyPair(c, monitor.PrometheusTLSSecretName, common.OperatorNamespace(), []string{monitor.PrometheusTLSSecretName}) Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, promKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) - gwKp, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret}) - Expect(err).NotTo(HaveOccurred()) - Expect(c.Create(ctx, gwKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) - linseedKp, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret}) + linseedKp, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, common.OperatorNamespace(), []string{render.TigeraLinseedSecret}) Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, linseedKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) queryServerKp, err := certificateManager.GetOrCreateKeyPair(c, render.ProjectCalicoAPIServerTLSSecretName(operatorv1.TigeraSecureEnterprise), common.OperatorNamespace(), []string{render.ProjectCalicoAPIServerTLSSecretName(operatorv1.TigeraSecureEnterprise)}) 
@@ -1185,6 +1180,29 @@ var _ = Describe("Manager controller tests", func() { Expect(kerror.IsNotFound(err)).Should(BeFalse()) }) }) + + Context("FIPS reconciliation", func() { + BeforeEach(func() { + fipsEnabled := operatorv1.FIPSModeEnabled + installation.Spec.FIPSMode = &fipsEnabled + Expect(c.Update( + ctx, + installation, + )).NotTo(HaveOccurred()) + }) + It("should not require presence of ElasticSearch ConfigMap", func() { + Expect(c.Delete(ctx, relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) + elasticConfigMapKey := client.ObjectKey{ + Name: relasticsearch.ClusterConfigConfigMapName, + Namespace: common.OperatorNamespace(), + } + elasticConfigMap := corev1.ConfigMap{} + Expect(c.Get(ctx, elasticConfigMapKey, &elasticConfigMap)).To(HaveOccurred()) + + _, err := r.Reconcile(ctx, reconcile.Request{}) + Expect(err).ShouldNot(HaveOccurred()) + }) + }) }) }) diff --git a/pkg/controller/policyrecommendation/policyrecommendation_controller.go b/pkg/controller/policyrecommendation/policyrecommendation_controller.go index e65c11c320..823c9c9a1a 100644 --- a/pkg/controller/policyrecommendation/policyrecommendation_controller.go +++ b/pkg/controller/policyrecommendation/policyrecommendation_controller.go @@ -35,7 +35,6 @@ import ( "github.com/tigera/operator/pkg/controller/utils/imageset" "github.com/tigera/operator/pkg/render" rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/tls/certificatemanagement" "k8s.io/apimachinery/pkg/api/errors" 
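Review bot: `Expect(c.Get(ctx, elasticConfigMapKey, &elasticConfigMap)).To(HaveOccurred())` accepts any error, so the precondition the test depends on (the ConfigMap is gone) is not actually pinned; use the not-found check this file already imports: `err := c.Get(ctx, elasticConfigMapKey, &elasticConfigMap)` followed by `Expect(kerror.IsNotFound(err)).To(BeTrue())`. The test then asserts only that `Reconcile` returns no error, but the code removed by this change also returned `nil` after calling `SetDegraded`, so a nil error alone does not prove the ConfigMap is no longer required; asserting that the status mock saw no degraded call would close that gap, assuming the mock used elsewhere in this file records it. The `Context` name "FIPS reconciliation" also hides that the property under test is FIPS mode implying Kibana is disabled; a one-line comment stating that link would help.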
@@ -114,7 +113,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { // Watch the given secrets in each both the policy-recommendation and operator namespaces for _, namespace := range watchNamespaces { for _, secretName := range []string{ - relasticsearch.PublicCertSecret, render.ElasticsearchPolicyRecommendationUserSecret, certificatemanagement.CASecretName, render.ManagerInternalTLSSecretName, diff --git a/pkg/controller/policyrecommendation/policyrecommendation_controller_test.go b/pkg/controller/policyrecommendation/policyrecommendation_controller_test.go index 4fdb262730..db4948cebe 100644 --- a/pkg/controller/policyrecommendation/policyrecommendation_controller_test.go +++ b/pkg/controller/policyrecommendation/policyrecommendation_controller_test.go @@ -46,7 +46,6 @@ import ( "github.com/tigera/operator/pkg/controller/status" "github.com/tigera/operator/pkg/controller/utils" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/test" ) 
@@ -140,9 +139,6 @@ var _ = Describe("PolicyRecommendation controller tests", func() { certificateManager, err := certificatemanager.Create(c, nil, "", common.OperatorNamespace(), certificatemanager.AllowCACreation()) Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, certificateManager.KeyPair().Secret(common.OperatorNamespace()))) // Persist the root-ca in the operator namespace. - kiibanaTLS, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret}) - Expect(err).NotTo(HaveOccurred()) - Expect(c.Create(ctx, kiibanaTLS.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) linseedTLS, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, common.OperatorNamespace(), []string{render.TigeraLinseedSecret}) Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, linseedTLS.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) diff --git a/pkg/controller/utils/elasticsearch.go b/pkg/controller/utils/elasticsearch.go index 74440840ac..7df235da1f 100644 --- a/pkg/controller/utils/elasticsearch.go +++ b/pkg/controller/utils/elasticsearch.go @@ -24,14 +24,14 @@ import ( "net/http" "time" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/olivere/elastic/v7" operator "github.com/tigera/operator/api/v1" operatorv1 "github.com/tigera/operator/api/v1" "github.com/tigera/operator/pkg/common" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" - corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/api/resource" "k8s.io/apimachinery/pkg/types" diff --git a/pkg/render/common/elasticsearch/clusterconfig.go b/pkg/render/common/elasticsearch/clusterconfig.go index dc442b3eed..d5c7b55aa4 100644 --- a/pkg/render/common/elasticsearch/clusterconfig.go +++ b/pkg/render/common/elasticsearch/clusterconfig.go 
@@ -1,4 +1,4 @@ -// Copyright (c) 2020 Tigera, Inc. All rights reserved. +// Copyright (c) 2020, 2023 Tigera, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -19,11 +19,9 @@ import ( "strconv" "github.com/pkg/errors" + "github.com/tigera/operator/pkg/common" corev1 "k8s.io/api/core/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" - - "github.com/tigera/operator/pkg/common" - rmeta "github.com/tigera/operator/pkg/render/common/meta" ) const ( @@ -97,10 +95,6 @@ func (c ClusterConfig) FlowShards() int { return c.flowShards } -func (c ClusterConfig) Annotation() string { - return rmeta.AnnotationHash(c) -} - func (c ClusterConfig) ConfigMap() *corev1.ConfigMap { return &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{ diff --git a/pkg/render/common/elasticsearch/decorator.go b/pkg/render/common/elasticsearch/decorator.go index fec99b6a8a..dc2187f4ec 100644 --- a/pkg/render/common/elasticsearch/decorator.go +++ b/pkg/render/common/elasticsearch/decorator.go @@ -15,8 +15,6 @@ package elasticsearch import ( - "strconv" - rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/secret" "github.com/tigera/operator/pkg/tls/certificatemanagement" @@ -26,8 +24,7 @@ import ( ) const ( - elasticsearchSecretsAnnotation = "hash.operator.tigera.io/elasticsearch-secrets" - elasticsearchConfigMapAnnotation = "hash.operator.tigera.io/elasticsearch-configmap" + elasticsearchSecretsAnnotation = "hash.operator.tigera.io/elasticsearch-secrets" ) type Annotatable interface { 
@@ -49,34 +46,17 @@ func elasticCertPath(osType rmeta.OSType) string { return certificatemanagement.TrustedCertBundleMountPath } -func DecorateAnnotations(obj Annotatable, config *ClusterConfig, secrets []*corev1.Secret) Annotatable { +func DecorateAnnotations(obj Annotatable, secrets []*corev1.Secret) Annotatable { annots := obj.GetAnnotations() if annots == nil { annots = map[string]string{} } - annots[elasticsearchConfigMapAnnotation] = config.Annotation() annots[elasticsearchSecretsAnnotation] = rmeta.SecretsAnnotationHash(secrets...) obj.SetAnnotations(annots) return obj } -// ContainerDecorate is the legacy implementation, which does not support multi-tenancy. -// Use DecorateEnvironment instead. -func ContainerDecorate(c corev1.Container, cluster, secret, clusterDomain string, osType rmeta.OSType) corev1.Container { - return DecorateEnvironment(c, "tigera-elasticsearch", cluster, secret, clusterDomain, osType) -} - -func ContainerDecorateIndexCreator(c corev1.Container, replicas, shards int) corev1.Container { - envVars := []corev1.EnvVar{ - {Name: "ELASTIC_REPLICAS", Value: strconv.Itoa(replicas)}, - {Name: "ELASTIC_SHARDS", Value: strconv.Itoa(shards)}, - } - c.Env = append(c.Env, envVars...) - - return c -} - func DecorateEnvironment(c corev1.Container, namespace string, cluster, esUserSecretName, clusterDomain string, osType rmeta.OSType) corev1.Container { certPath := elasticCertPath(osType) esScheme, esHost, esPort, _ := url.ParseEndpoint(GatewayEndpoint(osType, clusterDomain, namespace)) 
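Review bot: `DecorateAnnotations` is exported and its signature has changed, but it still has no doc comment, and the reason a hash of the secrets is stamped onto the object is not stated anywhere in the hunk. If, as the annotation key suggests, the purpose is to roll the workload when the Elasticsearch user secrets change, say so: `// DecorateAnnotations sets hash.operator.tigera.io/elasticsearch-secrets on obj to a hash of the given Elasticsearch user secrets so that a change to them (e.g. rotation) changes the pod template.` Since the configmap hash is dropped here, the comment should also note that cluster-config changes are no longer reflected in the annotations. `DecorateEnvironment` at the end of the hunk continues outside it.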
@@ -108,6 +88,69 @@ func DecorateEnvironment(c corev1.Container, namespace string, cluster, esUserSe return c } +func ElasticCuratorBackendCertEnvVar(osType rmeta.OSType) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ES_CURATOR_BACKEND_CERT", + Value: elasticCertPath(osType), + } +} + +func ElasticCAEnvVar(osType rmeta.OSType) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_CA", + Value: elasticCertPath(osType), + } +} + +func ElasticSchemeEnvVar(esScheme string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_SCHEME", + Value: esScheme, + } +} + +func ElasticHostEnvVar(esHost string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_HOST", + Value: esHost, + } +} + +func ElasticPortEnvVar(esPort string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_PORT", + Value: esPort, + } +} + +func ElasticIndexSuffixEnvVar(esIdxSuffix string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_INDEX_SUFFIX", + Value: esIdxSuffix, + } +} + +func ElasticUserEnvVar(esUserSecretName string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_USER", + ValueFrom: secret.GetEnvVarSource(esUserSecretName, "username", false), + } +} + +func ElasticUsernameEnvVar(esUsernameSecret string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_USERNAME", + ValueFrom: secret.GetEnvVarSource(esUsernameSecret, "username", false), + } +} + +func ElasticPasswordEnvVar(esUserSecretName string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_PASSWORD", + ValueFrom: secret.GetEnvVarSource(esUserSecretName, "password", false), + } +} + func DefaultVolumeMount(osType rmeta.OSType) corev1.VolumeMount { certPath := elasticCertDir(osType) return corev1.VolumeMount{ diff --git a/pkg/render/common/elasticsearch/decorator_test.go b/pkg/render/common/elasticsearch/decorator_test.go index acb475e21f..97d0451ef0 100644 --- a/pkg/render/common/elasticsearch/decorator_test.go +++ b/pkg/render/common/elasticsearch/decorator_test.go 
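Review bot: The nine new exported `Elastic*EnvVar` helpers carry no doc comments, and `ElasticUserEnvVar` and `ElasticUsernameEnvVar` both read the `username` key of a secret but emit different variable names (`ELASTIC_USER` vs `ELASTIC_USERNAME`), which a reader cannot tell apart without knowing which consumer expects which. A one-line comment per function naming the variable and its consumer, e.g. `// ElasticUsernameEnvVar returns ELASTIC_USERNAME sourced from the username key of esUsernameSecret; used by <component> rather than the ELASTIC_USER form.`, would stop the two being mixed up. The bare `false` passed to `secret.GetEnvVarSource` presumably marks the secret reference as required; if so, naming that in the comment is better than leaving an unexplained boolean.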
@@ -1,4 +1,4 @@ -// Copyright (c) 2019 Tigera, Inc. All rights reserved. +// Copyright (c) 2019, 2023 Tigera, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. @@ -43,9 +43,9 @@ var _ = Describe("Elasticsearch decorator tests", func() { }}, } }) - Context("relasticsearch.ContainerDecorate", func() { + Context("relasticsearch.DecorateEnvironment", func() { DescribeTable("should decorate a container with the ES host and port", func(clusterDomain, expectedESHost string, os rmeta.OSType) { - c := ContainerDecorate(container, "test-cluster", "secret", clusterDomain, os) + c := DecorateEnvironment(container, "test-ns", "test-cluster", "secret", clusterDomain, os) expectedEnvs := []corev1.EnvVar{ {Name: "ELASTIC_HOST", Value: expectedESHost}, diff --git a/pkg/render/common/elasticsearch/tls.go b/pkg/render/common/elasticsearch/tls.go index 47d960392b..780fd330b1 100644 --- a/pkg/render/common/elasticsearch/tls.go +++ b/pkg/render/common/elasticsearch/tls.go @@ -1,4 +1,4 @@ -// Copyright (c) 2022 Tigera, Inc. All rights reserved. +// Copyright (c) 2022 - 2023 Tigera, Inc. All rights reserved. // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. diff --git a/pkg/render/compliance.go b/pkg/render/compliance.go index ccebf98771..7e28635a5c 100644 --- a/pkg/render/compliance.go +++ b/pkg/render/compliance.go @@ -34,7 +34,6 @@ import ( "github.com/tigera/operator/pkg/components" "github.com/tigera/operator/pkg/render/common/authentication" "github.com/tigera/operator/pkg/render/common/configmap" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/networkpolicy" "github.com/tigera/operator/pkg/render/common/podsecuritypolicy" 
@@ -105,7 +104,6 @@ func Compliance(cfg *ComplianceConfiguration) (Component, error) { type ComplianceConfiguration struct { ESSecrets []*corev1.Secret Installation *operatorv1.InstallationSpec - ESClusterConfig *relasticsearch.ClusterConfig PullSecrets []*corev1.Secret Openshift bool ManagementCluster *operatorv1.ManagementCluster diff --git a/pkg/render/compliance_test.go b/pkg/render/compliance_test.go index 42f808c42e..fd95244974 100644 --- a/pkg/render/compliance_test.go +++ b/pkg/render/compliance_test.go @@ -36,7 +36,6 @@ import ( "github.com/tigera/operator/pkg/controller/certificatemanager" "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" rtest "github.com/tigera/operator/pkg/render/common/test" "github.com/tigera/operator/pkg/render/testutils" @@ -87,7 +86,6 @@ var _ = Describe("compliance rendering tests", func() { ReporterKeyPair: reporterKP, BenchmarkerKeyPair: benchmarkerKP, SnapshotterKeyPair: snapshotterKP, - ESClusterConfig: relasticsearch.NewClusterConfig("cluster", 1, 1, 1), Openshift: notOpenshift, ClusterDomain: clusterDomain, TrustedBundle: bundle, diff --git a/pkg/render/fluentd_test.go b/pkg/render/fluentd_test.go index d5d6c13374..2c634ae7a5 100644 --- a/pkg/render/fluentd_test.go +++ b/pkg/render/fluentd_test.go @@ -18,6 +18,8 @@ import ( . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/tigera/operator/pkg/render/common/secret" "github.com/tigera/operator/pkg/tls/certificatemanagement" "k8s.io/api/policy/v1beta1" policyv1beta1 "k8s.io/api/policy/v1beta1" 
@@ -38,7 +40,6 @@ import ( "github.com/tigera/operator/pkg/controller/certificatemanager" "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" rtest "github.com/tigera/operator/pkg/render/common/test" "github.com/tigera/operator/pkg/render/testutils" @@ -167,6 +168,16 @@ var _ = Describe("Tigera Secure Fluentd rendering tests", func() { corev1.EnvVar{Name: "LINSEED_TOKEN", Value: "/var/run/secrets/kubernetes.io/serviceaccount/token"}, )) + Expect(envs).ShouldNot(ContainElements( + corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, + corev1.EnvVar{Name: "ELASTIC_SCHEME", Value: "https"}, + corev1.EnvVar{Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + corev1.EnvVar{Name: "ELASTIC_PORT", Value: "9200"}, + corev1.EnvVar{Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource("tigera-eks-log-forwarder-elasticsearch-access", "username", false)}, + corev1.EnvVar{Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource("tigera-eks-log-forwarder-elasticsearch-access", "password", false)}, + corev1.EnvVar{Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, + )) + container := ds.Spec.Template.Spec.Containers[0] Expect(container.ReadinessProbe.Exec.Command).To(ConsistOf([]string{"sh", "-c", "/bin/readiness.sh"})) 
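Review bot: `Expect(envs).ShouldNot(ContainElements(...))` is a weak negative: `ContainElements` succeeds only when every listed element is present, so its negation passes as soon as any one of the seven variables is absent, and the test would still pass if fluentd were rendered with `ELASTIC_HOST`, `ELASTIC_USER` and `ELASTIC_PASSWORD` but without `ELASTIC_CA`. Assert each absence individually, e.g. `for _, e := range legacyESEnvs { Expect(envs).ShouldNot(ContainElement(e)) }`, and since the goal appears to be that no Elasticsearch credentials reach fluentd at all, match on the variable name rather than the full `EnvVar` so a changed value or secret name cannot mask the presence of the variable. The enclosing `It` starts outside the hunk.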
@@ -982,15 +993,44 @@ var _ = Describe("Tigera Secure Fluentd rendering tests", func() { Type: corev1.SeccompProfileTypeRuntimeDefault, })) - Expect(envs).To(ContainElement(corev1.EnvVar{Name: "EKS_CLOUDWATCH_LOG_FETCH_INTERVAL", Value: "900"})) - - Expect(envs).To(ContainElement(corev1.EnvVar{Name: "LINSEED_ENABLED", Value: "true"})) - Expect(envs).To(ContainElement(corev1.EnvVar{Name: "LINSEED_CA_PATH", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"})) - Expect(envs).To(ContainElement(corev1.EnvVar{Name: "TLS_CRT_PATH", Value: "/tigera-eks-log-forwarder-tls/tls.crt"})) - Expect(envs).To(ContainElement(corev1.EnvVar{Name: "TLS_KEY_PATH", Value: "/tigera-eks-log-forwarder-tls/tls.key"})) + expectedEnvVars := []corev1.EnvVar{ + {Name: "LOG_LEVEL", Value: "info", ValueFrom: nil}, + {Name: "FLUENT_UID", Value: "0", ValueFrom: nil}, + {Name: "MANAGED_K8S", Value: "true", ValueFrom: nil}, + {Name: "K8S_PLATFORM", Value: "eks", ValueFrom: nil}, + {Name: "FLUENTD_ES_SECURE", Value: "true"}, + {Name: "EKS_CLOUDWATCH_LOG_GROUP", Value: "dummy-eks-cluster-cloudwatch-log-group"}, + {Name: "EKS_CLOUDWATCH_LOG_STREAM_PREFIX", Value: ""}, + {Name: "EKS_CLOUDWATCH_LOG_FETCH_INTERVAL", Value: "900"}, + {Name: "AWS_REGION", Value: "us-west-1", ValueFrom: nil}, + {Name: "AWS_ACCESS_KEY_ID", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "tigera-eks-log-forwarder-secret", + }, + Key: "aws-id", + }}, + }, + {Name: "AWS_SECRET_ACCESS_KEY", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "tigera-eks-log-forwarder-secret", + }, + Key: "aws-key", + Optional: nil, + }}, + }, + {Name: "LINSEED_ENABLED", Value: "true"}, + {Name: "LINSEED_ENDPOINT", Value: "https://tigera-linseed.tigera-elasticsearch.svc"}, + {Name: "LINSEED_CA_PATH", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, + {Name: "TLS_CRT_PATH", 
Value: "/tigera-eks-log-forwarder-tls/tls.crt"}, + {Name: "TLS_KEY_PATH", Value: "/tigera-eks-log-forwarder-tls/tls.key"}, + {Name: "LINSEED_TOKEN", Value: "/var/run/secrets/kubernetes.io/serviceaccount/token"}, + } - Expect(envs).To(ContainElement(corev1.EnvVar{Name: "LINSEED_ENDPOINT", Value: "https://tigera-linseed.tigera-elasticsearch.svc"})) - Expect(envs).To(ContainElement(corev1.EnvVar{Name: "LINSEED_TOKEN", Value: "/var/run/secrets/kubernetes.io/serviceaccount/token"})) + Expect(envs).To(Equal(expectedEnvVars)) }) It("should render with EKS Cloudwatch Log with multi tenant envvars", func() { diff --git a/pkg/render/intrusion_detection.go b/pkg/render/intrusion_detection.go index a8e4d75e36..57ccdb23a3 100644 --- a/pkg/render/intrusion_detection.go +++ b/pkg/render/intrusion_detection.go @@ -328,13 +328,12 @@ func (c *intrusionDetectionComponent) intrusionDetectionElasticsearchJob() *batc RestartPolicy: corev1.RestartPolicyNever, ImagePullSecrets: secret.GetReferenceList(c.cfg.PullSecrets), Containers: []corev1.Container{ - relasticsearch.ContainerDecorate(c.intrusionDetectionJobContainer(), c.cfg.ESClusterConfig.ClusterName(), - ElasticsearchIntrusionDetectionJobUserSecret, c.cfg.ClusterDomain, rmeta.OSTypeLinux), + c.intrusionDetectionJobContainer(), }, Volumes: []corev1.Volume{c.cfg.TrustedCertBundle.Volume()}, ServiceAccountName: IntrusionDetectionInstallerJobName, }, - }, c.cfg.ESClusterConfig, c.cfg.ESSecrets).(*corev1.PodTemplateSpec) + }, c.cfg.ESSecrets).(*corev1.PodTemplateSpec) return &batchv1.Job{ TypeMeta: metav1.TypeMeta{Kind: "Job", APIVersion: "batch/v1"}, 
@@ -410,6 +409,9 @@ func (c *intrusionDetectionComponent) intrusionDetectionJobContainer() corev1.Co Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(c.cfg.Installation.FIPSMode), }, + relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ESClusterConfig.ClusterName()), + relasticsearch.ElasticUserEnvVar(ElasticsearchIntrusionDetectionJobUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchIntrusionDetectionJobUserSecret), }, SecurityContext: securitycontext.NewNonRootContext(), VolumeMounts: c.cfg.TrustedCertBundle.VolumeMounts(c.SupportedOSType()), @@ -723,10 +725,7 @@ func (c *intrusionDetectionComponent) deploymentPodTemplate() *corev1.PodTemplat }) } - intrusionDetectionContainer := relasticsearch.ContainerDecorateIndexCreator( - relasticsearch.ContainerDecorate(c.intrusionDetectionControllerContainer(), c.cfg.ESClusterConfig.ClusterName(), - ElasticsearchIntrusionDetectionUserSecret, c.cfg.ClusterDomain, rmeta.OSTypeLinux), - c.cfg.ESClusterConfig.Replicas(), c.cfg.ESClusterConfig.Shards()) + intrusionDetectionContainer := c.intrusionDetectionControllerContainer() if c.cfg.ManagedCluster { envVars := []corev1.EnvVar{ @@ -759,7 +758,7 @@ func (c *intrusionDetectionComponent) deploymentPodTemplate() *corev1.PodTemplat Containers: containers, Volumes: volumes, }, - }, c.cfg.ESClusterConfig, c.cfg.ESSecrets).(*corev1.PodTemplateSpec) + }, c.cfg.ESSecrets).(*corev1.PodTemplateSpec) } func (c *intrusionDetectionComponent) deployWebhooksController() bool { @@ -812,6 +811,7 @@ func (c *intrusionDetectionComponent) webhooksControllerContainer() corev1.Conta } func (c *intrusionDetectionComponent) intrusionDetectionControllerContainer() corev1.Container { + esScheme, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(c.SupportedOSType(), c.cfg.ClusterDomain, ElasticsearchNamespace)) envs := []corev1.EnvVar{ { Name: "MULTI_CLUSTER_FORWARDING_CA", 
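Review bot: The installer job container now receives `ELASTIC_INDEX_SUFFIX`, `ELASTIC_USER` and `ELASTIC_PASSWORD`, but not the `ELASTIC_HOST`/`ELASTIC_PORT`/`ELASTIC_SCHEME`/`ELASTIC_CA` that `ContainerDecorate` used to add alongside them, while the controller container in the following hunk keeps all of them. If the installer still talks to Elasticsearch directly, which being handed ES credentials suggests, it now depends on client defaults for endpoint and TLS, so those credentials could travel over an unverified or plaintext connection; if it only talks to Kibana through `KIBANA_*`, the credentials are unnecessary and should be dropped instead. Either way, a comment at these three lines saying which consumer they serve would make the intent reviewable, and the exact-match test elsewhere in the change currently pins this shape.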
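Review bot: `esScheme, esHost, esPort, _ := url.ParseEndpoint(...)` in the `-812` hunk discards the parse error, so a malformed gateway endpoint would silently produce empty `ELASTIC_HOST`/`ELASTIC_PORT`/`ELASTIC_SCHEME` values in the controller's environment. `GatewayEndpoint` builds the URL from operator-controlled inputs, so a failure is a programming error rather than a runtime condition, but that justification should be written down next to the blank identifier: `// GatewayEndpoint is operator-generated; a parse failure here is a bug, not a runtime condition.` Otherwise surface the error instead of dropping it. `intrusionDetectionControllerContainer` continues outside the hunk.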
@@ -841,6 +841,13 @@ func (c *intrusionDetectionComponent) intrusionDetectionControllerContainer() co Name: "LINSEED_TOKEN", Value: GetLinseedTokenPath(c.cfg.ManagedCluster), }, + relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ESClusterConfig.ClusterName()), + relasticsearch.ElasticUserEnvVar(ElasticsearchIntrusionDetectionUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchIntrusionDetectionUserSecret), + relasticsearch.ElasticHostEnvVar(esHost), + relasticsearch.ElasticPortEnvVar(esPort), + relasticsearch.ElasticSchemeEnvVar(esScheme), + relasticsearch.ElasticCAEnvVar(c.SupportedOSType()), } sc := securitycontext.NewNonRootContext() diff --git a/pkg/render/intrusion_detection_test.go b/pkg/render/intrusion_detection_test.go index 49a3530745..906757fc73 100644 --- a/pkg/render/intrusion_detection_test.go +++ b/pkg/render/intrusion_detection_test.go @@ -17,6 +17,9 @@ package render_test import ( "fmt" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/tigera/operator/pkg/render/common/secret" + "github.com/tigera/operator/pkg/common" . "github.com/onsi/ginkgo" @@ -38,7 +41,6 @@ import ( "github.com/tigera/operator/pkg/controller/certificatemanager" "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" rtest "github.com/tigera/operator/pkg/render/common/test" "github.com/tigera/operator/pkg/render/testutils" 
@@ -155,18 +157,53 @@ var _ = Describe("Intrusion Detection rendering tests", func() { idc := rtest.GetResource(resources, "intrusion-detection-controller", render.IntrusionDetectionNamespace, "apps", "v1", "Deployment").(*appsv1.Deployment) idji := rtest.GetResource(resources, "intrusion-detection-es-job-installer", render.IntrusionDetectionNamespace, "batch", "v1", "Job").(*batchv1.Job) Expect(idc.Spec.Template.Spec.Containers).To(HaveLen(2)) - Expect(idc.Spec.Template.Spec.Containers[0].Env).Should(ContainElements( - corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, - corev1.EnvVar{Name: "LINSEED_URL", Value: "https://tigera-linseed.tigera-elasticsearch.svc"}, - corev1.EnvVar{Name: "LINSEED_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, - corev1.EnvVar{Name: "LINSEED_CLIENT_CERT", Value: "/intrusion-detection-tls/tls.crt"}, - corev1.EnvVar{Name: "LINSEED_CLIENT_KEY", Value: "/intrusion-detection-tls/tls.key"}, - corev1.EnvVar{Name: "FIPS_MODE_ENABLED", Value: "false"}, - )) + idcExpectedEnvVars := []corev1.EnvVar{ + {Name: "MULTI_CLUSTER_FORWARDING_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, + {Name: "FIPS_MODE_ENABLED", Value: "false"}, + {Name: "LINSEED_URL", Value: "https://tigera-linseed.tigera-elasticsearch.svc"}, + {Name: "LINSEED_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, + {Name: "LINSEED_CLIENT_CERT", Value: "/intrusion-detection-tls/tls.crt"}, + {Name: "LINSEED_CLIENT_KEY", Value: "/intrusion-detection-tls/tls.key"}, + {Name: "LINSEED_TOKEN", Value: "/var/run/secrets/kubernetes.io/serviceaccount/token"}, + {Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, + {Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "username", false)}, + {Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "password", false)}, + {Name: "ELASTIC_HOST", Value: 
"tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + {Name: "ELASTIC_PORT", Value: "9200"}, + {Name: "ELASTIC_SCHEME", Value: "https"}, + {Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, + } + Expect(idc.Spec.Template.Spec.Containers[0].Env).To(Equal(idcExpectedEnvVars)) + Expect(idji.Spec.Template.Spec.Containers).To(HaveLen(1)) - Expect(idji.Spec.Template.Spec.Containers[0].Env).Should(ContainElements( - corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, - )) + idjiExpectedEnvVars := []corev1.EnvVar{ + {Name: "KIBANA_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + {Name: "KIBANA_PORT", Value: "5601", ValueFrom: nil}, + {Name: "KIBANA_SCHEME", Value: "https"}, + {Name: "START_XPACK_TRIAL", Value: "false"}, + {Name: "USER", ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "tigera-ee-installer-elasticsearch-access", + }, + Key: "username", + }}, + }, + {Name: "PASSWORD", ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "tigera-ee-installer-elasticsearch-access", + }, + Key: "password", + }}, + }, + {Name: "KB_CA_CERT", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, + {Name: "FIPS_MODE_ENABLED", Value: "false"}, + {Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, + {Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionJobUserSecret, "username", false)}, + {Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionJobUserSecret, "password", false)}, + } + Expect(idji.Spec.Template.Spec.Containers[0].Env).To(Equal(idjiExpectedEnvVars)) Expect(*idji.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(BeFalse()) Expect(*idji.Spec.Template.Spec.Containers[0].SecurityContext.Privileged).To(BeFalse()) 
@@ -600,7 +637,6 @@ var _ = Describe("Intrusion Detection rendering tests", func() { cfg.Installation = &operatorv1.InstallationSpec{ ControlPlaneNodeSelector: map[string]string{"foo": "bar"}, } - cfg.ESClusterConfig = &relasticsearch.ClusterConfig{} component := render.IntrusionDetection(cfg) resources, _ := component.Objects() idc := rtest.GetResource(resources, "intrusion-detection-controller", render.IntrusionDetectionNamespace, "apps", "v1", "Deployment").(*appsv1.Deployment) @@ -618,7 +654,6 @@ var _ = Describe("Intrusion Detection rendering tests", func() { cfg.Installation = &operatorv1.InstallationSpec{ ControlPlaneTolerations: []corev1.Toleration{t}, } - cfg.ESClusterConfig = &relasticsearch.ClusterConfig{} component := render.IntrusionDetection(cfg) resources, _ := component.Objects() idc := rtest.GetResource(resources, "intrusion-detection-controller", render.IntrusionDetectionNamespace, "apps", "v1", "Deployment").(*appsv1.Deployment) diff --git a/pkg/render/intrusiondetection/dpi/dpi.go b/pkg/render/intrusiondetection/dpi/dpi.go index e63eec0037..de206872bf 100644 --- a/pkg/render/intrusiondetection/dpi/dpi.go +++ b/pkg/render/intrusiondetection/dpi/dpi.go @@ -17,6 +17,7 @@ package dpi import ( "fmt" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/tls/certificatemanagement" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" @@ -30,7 +31,6 @@ import ( "github.com/tigera/operator/pkg/common" "github.com/tigera/operator/pkg/components" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/networkpolicy" "github.com/tigera/operator/pkg/render/common/secret" 
@@ -58,7 +58,6 @@ type DPIConfig struct { ManagementCluster bool HasNoLicense bool HasNoDPIResource bool - ESClusterConfig *relasticsearch.ClusterConfig ClusterDomain string DPICertSecret certificatemanagement.KeyPairInterface } @@ -93,12 +92,15 @@ func (d *dpiComponent) Objects() (objsToCreate, objsToDelete []client.Object) { } else { toCreate = append(toCreate, render.CreateNamespace(DeepPacketInspectionNamespace, d.cfg.Installation.KubernetesProvider, render.PSSPrivileged)) } + + // This secret is deprecated in this namespace and should be removed in upgrade scenarios + toDelete = append(toDelete, &corev1.Secret{ + TypeMeta: metav1.TypeMeta{Kind: "Secret", APIVersion: "v1"}, + ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: DeepPacketInspectionNamespace}, + }) + if d.cfg.HasNoDPIResource || d.cfg.HasNoLicense { toDelete = append(toDelete, d.dpiAllowTigeraPolicy()) - toDelete = append(toDelete, &corev1.Secret{ - TypeMeta: metav1.TypeMeta{Kind: "Secret", APIVersion: "v1"}, - ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: DeepPacketInspectionNamespace}, - }) toDelete = append(toDelete, secret.ToRuntimeObjects(secret.CopyToNamespace(DeepPacketInspectionNamespace, d.cfg.PullSecrets...)...)...) toDelete = append(toDelete, d.dpiServiceAccount(), diff --git a/pkg/render/intrusiondetection/dpi/dpi_test.go b/pkg/render/intrusiondetection/dpi/dpi_test.go index 7a712d340f..04cbc18dbe 100644 --- a/pkg/render/intrusiondetection/dpi/dpi_test.go +++ b/pkg/render/intrusiondetection/dpi/dpi_test.go @@ -18,6 +18,7 @@ import ( . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/tls/certificatemanagement" appsv1 "k8s.io/api/apps/v1" 
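Review bot: The comment added above the now-unconditional delete says the secret is "deprecated" but not what replaced it or why it is safe to issue the delete on every reconcile, including fresh installs where the secret never existed; that is what a maintainer debugging an upgrade will want to know. Given that the hunk above drops `ESClusterConfig` from DPIConfig, it looks like DPI no longer consumes the ES gateway public cert at all, but that is inferred here, so the comment should say it outright, e.g. `// DPI no longer uses the ES gateway public cert; delete any copy an earlier release left in this namespace.` Worth confirming that the deletion path tolerates NotFound, since this now runs on every reconcile. Objects() starts above this hunk and continues below it.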
@@ -37,7 +38,6 @@ import ( "github.com/tigera/operator/pkg/controller/certificatemanager" "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rtest "github.com/tigera/operator/pkg/render/common/test" "github.com/tigera/operator/pkg/render/intrusiondetection/dpi" "github.com/tigera/operator/pkg/render/testutils" @@ -164,8 +164,6 @@ var ( }, } - esConfigMap = relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1) - pullSecrets = []*corev1.Secret{{ TypeMeta: metav1.TypeMeta{Kind: "Secret", APIVersion: "v1"}, ObjectMeta: metav1.ObjectMeta{Name: "pull-secret", Namespace: common.OperatorNamespace()}, @@ -224,7 +222,6 @@ var _ = Describe("DPI rendering tests", func() { Openshift: false, HasNoLicense: false, HasNoDPIResource: false, - ESClusterConfig: esConfigMap, ClusterDomain: dns.DefaultClusterDomain, DPICertSecret: dpiCertSecret, } @@ -278,7 +275,6 @@ var _ = Describe("DPI rendering tests", func() { Openshift: false, HasNoLicense: false, HasNoDPIResource: false, - ESClusterConfig: esConfigMap, ClusterDomain: dns.DefaultClusterDomain, DPICertSecret: dpiCertSecret, ManagementCluster: true, @@ -325,7 +321,6 @@ var _ = Describe("DPI rendering tests", func() { Openshift: false, HasNoLicense: false, HasNoDPIResource: false, - ESClusterConfig: esConfigMap, ClusterDomain: dns.DefaultClusterDomain, DPICertSecret: dpiCertSecret, ManagedCluster: true, @@ -372,7 +367,6 @@ var _ = Describe("DPI rendering tests", func() { HasNoLicense: false, HasNoDPIResource: true, ManagementCluster: true, - ESClusterConfig: esConfigMap, ClusterDomain: dns.DefaultClusterDomain, DPICertSecret: dpiCertSecret, } 
@@ -455,8 +449,8 @@ var _ = Describe("DPI rendering tests", func() { createResources, deleteResource := component.Objects() expectedResources := []resourceTestObj{ {name: dpi.DeepPacketInspectionNamespace, ns: "", group: "", version: "v1", kind: "Namespace"}, - {name: dpi.DeepPacketInspectionPolicyName, ns: dpi.DeepPacketInspectionNamespace, group: "projectcalico.org", version: "v3", kind: "NetworkPolicy"}, {name: relasticsearch.PublicCertSecret, ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "Secret"}, + {name: dpi.DeepPacketInspectionPolicyName, ns: dpi.DeepPacketInspectionNamespace, group: "projectcalico.org", version: "v3", kind: "NetworkPolicy"}, {name: "pull-secret", ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "Secret"}, {name: dpi.DeepPacketInspectionName, ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: dpi.DeepPacketInspectionName, ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, @@ -485,7 +479,6 @@ var _ = Describe("DPI rendering tests", func() { HasNoLicense: false, HasNoDPIResource: true, ManagedCluster: true, - ESClusterConfig: esConfigMap, ClusterDomain: dns.DefaultClusterDomain, DPICertSecret: dpiCertSecret, } @@ -522,7 +515,6 @@ var _ = Describe("DPI rendering tests", func() { HasNoLicense: false, HasNoDPIResource: true, ManagementCluster: true, - ESClusterConfig: esConfigMap, ClusterDomain: dns.DefaultClusterDomain, DPICertSecret: dpiCertSecret, } 
@@ -554,8 +546,8 @@ var _ = Describe("DPI rendering tests", func() { component := dpi.DPI(cfg) createResources, deleteResource := component.Objects() expectedResources := []resourceTestObj{ - {name: dpi.DeepPacketInspectionPolicyName, ns: dpi.DeepPacketInspectionNamespace, group: "projectcalico.org", version: "v3", kind: "NetworkPolicy"}, {name: relasticsearch.PublicCertSecret, ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "Secret"}, + {name: dpi.DeepPacketInspectionPolicyName, ns: dpi.DeepPacketInspectionNamespace, group: "projectcalico.org", version: "v3", kind: "NetworkPolicy"}, {name: "pull-secret", ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "Secret"}, {name: dpi.DeepPacketInspectionName, ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: dpi.DeepPacketInspectionName, ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, diff --git a/pkg/render/kubecontrollers/kube-controllers.go b/pkg/render/kubecontrollers/kube-controllers.go index 12ef8ef5ce..7edf93dee8 100644 --- a/pkg/render/kubecontrollers/kube-controllers.go +++ b/pkg/render/kubecontrollers/kube-controllers.go @@ -18,6 +18,9 @@ import ( "fmt" "strings" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/tigera/operator/pkg/url" + appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" policyv1beta1 "k8s.io/api/policy/v1beta1" @@ -33,7 +36,6 @@ import ( "github.com/tigera/operator/pkg/ptr" "github.com/tigera/operator/pkg/render" rcomp "github.com/tigera/operator/pkg/render/common/components" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/networkpolicy" "github.com/tigera/operator/pkg/render/common/podsecuritypolicy" 
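Review bot: In the kube-controllers.go import hunk the two new imports, `relasticsearch` and `"github.com/tigera/operator/pkg/url"`, are appended to the stdlib group after `"strings"` with a blank line before the k8s imports, even though the file already has a `github.com/tigera/operator/...` group (the following `@@ -33,7 +36,6 @@` hunk removes relasticsearch from exactly that group). goimports preserves whatever grouping it finds, so this leaves a mixed stdlib/project group; move both lines back into the existing tigera group in alphabetical order. The same placement recurs in logstorage.go, esgateway.go, elasticsearch_metrics.go and manager.go in this change.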
@@ -529,15 +531,16 @@ func (c *kubeControllersComponent) controllersDeployment() *appsv1.Deployment { } if c.kubeControllerName == EsKubeController { - container = relasticsearch.DecorateEnvironment( - container, - render.ElasticsearchNamespace, - render.DefaultElasticsearchClusterName, - ElasticsearchKubeControllersUserSecret, - c.cfg.ClusterDomain, - rmeta.OSTypeLinux, - ) + _, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(c.SupportedOSType(), c.cfg.ClusterDomain, render.ElasticsearchNamespace)) + container.Env = append(container.Env, []corev1.EnvVar{ + relasticsearch.ElasticHostEnvVar(esHost), + relasticsearch.ElasticPortEnvVar(esPort), + relasticsearch.ElasticUsernameEnvVar(ElasticsearchKubeControllersUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchKubeControllersUserSecret), + relasticsearch.ElasticCAEnvVar(c.SupportedOSType()), + }...) } + var initContainers []corev1.Container if c.cfg.MetricsServerTLS != nil && c.cfg.MetricsServerTLS.UseCertificateManagement() { initContainers = append(initContainers, c.cfg.MetricsServerTLS.InitContainer(c.cfg.Namespace)) diff --git a/pkg/render/kubecontrollers/kube-controllers_test.go b/pkg/render/kubecontrollers/kube-controllers_test.go index 7877ce6303..6b06053b6a 100644 --- a/pkg/render/kubecontrollers/kube-controllers_test.go +++ b/pkg/render/kubecontrollers/kube-controllers_test.go 
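Review bot: `_, esHost, esPort, _ := url.ParseEndpoint(...)` discards the parse error, so a malformed endpoint would render the Deployment with empty `ELASTIC_HOST`/`ELASTIC_PORT` and kube-controllers would fail at runtime with nothing in operator status to explain it. The input is a string the operator assembles itself, so a failure is a programming error, but that reasoning belongs next to the blank identifier, e.g. `// GatewayEndpoint is built from constants and the cluster domain, so it always parses.`, or the error should be surfaced. Also worth confirming: the replaced DecorateEnvironment call set `ELASTIC_SCHEME=https` and `ELASTIC_SSL_VERIFY=true` (see the deletions in kube-controllers_test.go below), and the new list sets neither, so unless kube-controllers defaults to https with verification when only `ELASTIC_CA` is present this could quietly downgrade the ES connection. controllersDeployment begins and ends outside this hunk.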
@@ -55,23 +55,8 @@ var _ = Describe("kube-controllers rendering tests", func() { ) esEnvs := []corev1.EnvVar{ - {Name: "ELASTIC_INDEX_SUFFIX", Value: "cluster"}, - {Name: "ELASTIC_SCHEME", Value: "https"}, {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, {Name: "ELASTIC_PORT", Value: "9200", ValueFrom: nil}, - {Name: "ELASTIC_ACCESS_MODE", Value: "serviceuser"}, - {Name: "ELASTIC_SSL_VERIFY", Value: "true"}, - { - Name: "ELASTIC_USER", Value: "", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "tigera-ee-kube-controllers-elasticsearch-access", - }, - Key: "username", - }, - }, - }, { Name: "ELASTIC_USERNAME", Value: "", ValueFrom: &corev1.EnvVarSource{ @@ -95,9 +80,8 @@ var _ = Describe("kube-controllers rendering tests", func() { }, }, {Name: "ELASTIC_CA", Value: certificatemanagement.TrustedCertBundleMountPath}, - {Name: "ES_CA_CERT", Value: certificatemanagement.TrustedCertBundleMountPath}, - {Name: "ES_CURATOR_BACKEND_CERT", Value: certificatemanagement.TrustedCertBundleMountPath}, } + expectedPolicyForUnmanaged := testutils.GetExpectedPolicyFromFile("../testutils/expected_policies/kubecontrollers.json") expectedPolicyForUnmanagedOCP := testutils.GetExpectedPolicyFromFile("../testutils/expected_policies/kubecontrollers_ocp.json") expectedPolicyForManaged := testutils.GetExpectedPolicyFromFile("../testutils/expected_policies/kubecontrollers_managed.json") diff --git a/pkg/render/logstorage.go b/pkg/render/logstorage.go index b4bee15b30..0caa1e3222 100644 --- a/pkg/render/logstorage.go +++ b/pkg/render/logstorage.go @@ -22,6 +22,8 @@ import ( "net/url" "strings" + tigeraurl "github.com/tigera/operator/pkg/url" + cmnv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/common/v1" esv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/elasticsearch/v1" kbv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/kibana/v1" 
@@ -1480,7 +1482,7 @@ func (es elasticsearchComponent) curatorCronJob() *batchv1.CronJob { NodeSelector: es.cfg.Installation.ControlPlaneNodeSelector, Tolerations: es.cfg.Installation.ControlPlaneTolerations, Containers: []corev1.Container{ - relasticsearch.ContainerDecorate(corev1.Container{ + { Name: ESCuratorName, Image: es.curatorImage, ImagePullPolicy: ImagePullPolicy(), @@ -1488,7 +1490,7 @@ func (es elasticsearchComponent) curatorCronJob() *batchv1.CronJob { LivenessProbe: elasticCuratorLivenessProbe, SecurityContext: securitycontext.NewNonRootContext(), VolumeMounts: es.cfg.TrustedBundle.VolumeMounts(es.SupportedOSType()), - }, DefaultElasticsearchClusterName, ElasticsearchCuratorUserSecret, es.cfg.ClusterDomain, es.SupportedOSType()), + }, }, ImagePullSecrets: secret.GetReferenceList(es.cfg.PullSecrets), RestartPolicy: corev1.RestartPolicyOnFailure, @@ -1512,6 +1514,9 @@ func (es elasticsearchComponent) curatorEnvVars() []corev1.EnvVar { } return fmt.Sprint(*i) } + + _, esHost, esPort, _ := tigeraurl.ParseEndpoint(relasticsearch.GatewayEndpoint(es.SupportedOSType(), es.cfg.ClusterDomain, ElasticsearchNamespace)) + return []corev1.EnvVar{ {Name: "EE_FLOWS_INDEX_RETENTION_PERIOD", Value: safeAccess(es.cfg.LogStorage.Spec.Retention.Flows)}, {Name: "EE_AUDIT_INDEX_RETENTION_PERIOD", Value: safeAccess(es.cfg.LogStorage.Spec.Retention.AuditReports)}, 
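Review bot: The added `_, esHost, esPort, _ := tigeraurl.ParseEndpoint(...)` in curatorEnvVars silently drops the error, so a parse failure would give the curator CronJob empty `ELASTIC_HOST`/`ELASTIC_PORT` values that only surface as connection errors in the job pods. Either justify the discard inline, e.g. `// Endpoint is operator-built; a parse failure here is a programming error.`, or fail loudly rather than rendering a broken CronJob. curatorEnvVars begins above this hunk and its return list continues in the next hunk.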
@@ -1521,6 +1526,11 @@ func (es elasticsearchComponent) curatorEnvVars() []corev1.EnvVar { {Name: "EE_BGP_INDEX_RETENTION_PERIOD", Value: safeAccess(es.cfg.LogStorage.Spec.Retention.BGPLogs)}, {Name: "EE_MAX_TOTAL_STORAGE_PCT", Value: fmt.Sprint(maxTotalStoragePercent)}, {Name: "EE_MAX_LOGS_STORAGE_PCT", Value: fmt.Sprint(maxLogsStoragePercent)}, + relasticsearch.ElasticUserEnvVar(ElasticsearchCuratorUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchCuratorUserSecret), + relasticsearch.ElasticHostEnvVar(esHost), + relasticsearch.ElasticPortEnvVar(esPort), + relasticsearch.ElasticCuratorBackendCertEnvVar(es.SupportedOSType()), } } diff --git a/pkg/render/logstorage/esgateway/esgateway.go b/pkg/render/logstorage/esgateway/esgateway.go index 7c12ea0d85..3dfee3c1a6 100644 --- a/pkg/render/logstorage/esgateway/esgateway.go +++ b/pkg/render/logstorage/esgateway/esgateway.go @@ -18,6 +18,8 @@ import ( "fmt" "strings" + "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/tigera/operator/pkg/ptr" appsv1 "k8s.io/api/apps/v1" @@ -32,7 +34,6 @@ import ( operatorv1 "github.com/tigera/operator/api/v1" "github.com/tigera/operator/pkg/components" "github.com/tigera/operator/pkg/render" - "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/networkpolicy" "github.com/tigera/operator/pkg/render/common/podaffinity" diff --git a/pkg/render/logstorage/esgateway/esgateway_test.go b/pkg/render/logstorage/esgateway/esgateway_test.go index 89f060c62e..7516ae3b9b 100644 --- a/pkg/render/logstorage/esgateway/esgateway_test.go +++ b/pkg/render/logstorage/esgateway/esgateway_test.go @@ -17,6 +17,8 @@ package esgateway import ( "context" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" 
@@ -38,7 +40,6 @@ import ( "github.com/tigera/operator/pkg/controller/certificatemanager" "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/render/common/podaffinity" rtest "github.com/tigera/operator/pkg/render/common/test" "github.com/tigera/operator/pkg/render/kubecontrollers" diff --git a/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go b/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go index dfe8877a9d..2d488a868e 100644 --- a/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go +++ b/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go @@ -17,6 +17,8 @@ package esmetrics import ( "fmt" + "github.com/tigera/operator/pkg/url" + appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" policyv1beta1 "k8s.io/api/policy/v1beta1" @@ -209,6 +211,8 @@ func (e elasticsearchMetrics) metricsDeployment() *appsv1.Deployment { annotations[e.cfg.ServerTLS.HashAnnotationKey()] = e.cfg.ServerTLS.HashAnnotationValue() } + _, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(e.SupportedOSType(), e.cfg.ClusterDomain, render.ElasticsearchNamespace)) + return &appsv1.Deployment{ TypeMeta: metav1.TypeMeta{Kind: "Deployment", APIVersion: "apps/v1"}, ObjectMeta: metav1.ObjectMeta{ 
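Review bot: In the elasticsearch_metrics.go `@@ -209,6 +211,8 @@` hunk the error from `url.ParseEndpoint` is discarded, and here an empty host is particularly confusing because it is spliced into the exporter's `--es.uri=https://$(ELASTIC_USERNAME):$(ELASTIC_PASSWORD)@$(ELASTIC_HOST):$(ELASTIC_PORT)` argument in the following hunk, yielding a malformed URL at container start. Add `// GatewayEndpoint is operator-built and always parses.` beside the blank identifier or surface the error. As a point of style, importing the project package unaliased as `url` takes the name normally reserved for `net/url`; logstorage.go in this same change aliases it `tigeraurl`, which reads better and avoids a clash if `net/url` is ever needed here. metricsDeployment continues below the hunk.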
@@ -228,36 +232,38 @@ func (e elasticsearchMetrics) metricsDeployment() *appsv1.Deployment { ServiceAccountName: ElasticsearchMetricsName, InitContainers: initContainers, Containers: []corev1.Container{ - relasticsearch.ContainerDecorate( - corev1.Container{ - Name: ElasticsearchMetricsName, - Image: e.esMetricsImage, - ImagePullPolicy: render.ImagePullPolicy(), - SecurityContext: securitycontext.NewNonRootContext(), - Command: []string{"/bin/elasticsearch_exporter"}, - Args: []string{ - "--es.uri=https://$(ELASTIC_USERNAME):$(ELASTIC_PASSWORD)@$(ELASTIC_HOST):$(ELASTIC_PORT)", - "--es.all", "--es.indices", "--es.indices_settings", "--es.shards", "--es.cluster_settings", - "--es.timeout=30s", "--es.ca=$(ELASTIC_CA)", "--web.listen-address=:9081", - "--web.telemetry-path=/metrics", "--tls.key=/tigera-ee-elasticsearch-metrics-tls/tls.key", "--tls.crt=/tigera-ee-elasticsearch-metrics-tls/tls.crt", fmt.Sprintf("--ca.crt=%s", certificatemanagement.TrustedCertBundleMountPath), - }, - VolumeMounts: append( - e.cfg.TrustedBundle.VolumeMounts(e.SupportedOSType()), - e.cfg.ServerTLS.VolumeMount(e.SupportedOSType()), - ), - Env: []corev1.EnvVar{ - {Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(e.cfg.Installation.FIPSMode)}, - }, - }, render.DefaultElasticsearchClusterName, ElasticsearchMetricsSecret, - e.cfg.ClusterDomain, e.SupportedOSType(), - ), + { + Name: ElasticsearchMetricsName, + Image: e.esMetricsImage, + ImagePullPolicy: render.ImagePullPolicy(), + SecurityContext: securitycontext.NewNonRootContext(), + Command: []string{"/bin/elasticsearch_exporter"}, + Args: []string{ + "--es.uri=https://$(ELASTIC_USERNAME):$(ELASTIC_PASSWORD)@$(ELASTIC_HOST):$(ELASTIC_PORT)", + "--es.all", "--es.indices", "--es.indices_settings", "--es.shards", "--es.cluster_settings", + "--es.timeout=30s", "--es.ca=$(ELASTIC_CA)", "--web.listen-address=:9081", + "--web.telemetry-path=/metrics", "--tls.key=/tigera-ee-elasticsearch-metrics-tls/tls.key", 
"--tls.crt=/tigera-ee-elasticsearch-metrics-tls/tls.crt", fmt.Sprintf("--ca.crt=%s", certificatemanagement.TrustedCertBundleMountPath), + }, + VolumeMounts: append( + e.cfg.TrustedBundle.VolumeMounts(e.SupportedOSType()), + e.cfg.ServerTLS.VolumeMount(e.SupportedOSType()), + ), + Env: []corev1.EnvVar{ + {Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(e.cfg.Installation.FIPSMode)}, + relasticsearch.ElasticUsernameEnvVar(ElasticsearchMetricsSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchMetricsSecret), + relasticsearch.ElasticHostEnvVar(esHost), + relasticsearch.ElasticPortEnvVar(esPort), + relasticsearch.ElasticCAEnvVar(e.SupportedOSType()), + }, + }, }, Volumes: []corev1.Volume{ e.cfg.ServerTLS.Volume(), e.cfg.TrustedBundle.Volume(), }, }, - }, e.cfg.ESConfig, []*corev1.Secret{e.cfg.ESMetricsCredsSecret}).(*corev1.PodTemplateSpec), + }, []*corev1.Secret{e.cfg.ESMetricsCredsSecret}).(*corev1.PodTemplateSpec), }, } } diff --git a/pkg/render/logstorage/esmetrics/elasticsearch_metrics_test.go b/pkg/render/logstorage/esmetrics/elasticsearch_metrics_test.go index 3d66162ea5..e4cb92679b 100644 --- a/pkg/render/logstorage/esmetrics/elasticsearch_metrics_test.go +++ b/pkg/render/logstorage/esmetrics/elasticsearch_metrics_test.go 
@@ -169,23 +169,6 @@ var _ = Describe("Elasticsearch metrics", func() { }, Env: []corev1.EnvVar{ {Name: "FIPS_MODE_ENABLED", Value: "false"}, - {Name: "ELASTIC_INDEX_SUFFIX", Value: "cluster"}, - {Name: "ELASTIC_SCHEME", Value: "https"}, - {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, - {Name: "ELASTIC_PORT", Value: "9200"}, - {Name: "ELASTIC_ACCESS_MODE", Value: "serviceuser"}, - {Name: "ELASTIC_SSL_VERIFY", Value: "true"}, - { - Name: "ELASTIC_USER", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "tigera-ee-elasticsearch-metrics-elasticsearch-access", - }, - Key: "username", - }, - }, - }, { Name: "ELASTIC_USERNAME", ValueFrom: &corev1.EnvVarSource{ @@ -208,9 +191,9 @@ var _ = Describe("Elasticsearch metrics", func() { }, }, }, + {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + {Name: "ELASTIC_PORT", Value: "9200"}, {Name: "ELASTIC_CA", Value: certificatemanagement.TrustedCertBundleMountPath}, - {Name: "ES_CA_CERT", Value: certificatemanagement.TrustedCertBundleMountPath}, - {Name: "ES_CURATOR_BACKEND_CERT", Value: certificatemanagement.TrustedCertBundleMountPath}, }, VolumeMounts: append( cfg.TrustedBundle.VolumeMounts(meta.OSTypeLinux), diff --git a/pkg/render/logstorage_test.go b/pkg/render/logstorage_test.go index 7a444bd688..61833a4099 100644 --- a/pkg/render/logstorage_test.go +++ b/pkg/render/logstorage_test.go @@ -19,6 +19,8 @@ import ( "fmt" "reflect" + "github.com/tigera/operator/pkg/render/common/secret" + . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" 
@@ -603,7 +605,6 @@ var _ = Describe("Elasticsearch rendering tests", func() { BeforeEach(func() { cfg.CuratorSecrets = []*corev1.Secret{ {ObjectMeta: metav1.ObjectMeta{Name: render.ElasticsearchCuratorUserSecret, Namespace: common.OperatorNamespace()}}, - {ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: common.OperatorNamespace()}}, } cfg.ClusterDomain = dns.DefaultClusterDomain }) @@ -640,7 +641,6 @@ var _ = Describe("Elasticsearch rendering tests", func() { {render.KibanaName, render.KibanaNamespace, &kbv1.Kibana{}, nil}, {render.EsCuratorPolicyName, render.ElasticsearchNamespace, &v3.NetworkPolicy{}, nil}, {render.ElasticsearchCuratorUserSecret, render.ElasticsearchNamespace, &corev1.Secret{}, nil}, - {relasticsearch.PublicCertSecret, render.ElasticsearchNamespace, &corev1.Secret{}, nil}, {render.EsCuratorServiceAccount, render.ElasticsearchNamespace, &corev1.ServiceAccount{}, nil}, {render.ESCuratorName, "", &rbacv1.ClusterRole{}, nil}, {render.ESCuratorName, "", &rbacv1.ClusterRoleBinding{}, nil}, @@ -658,7 +658,7 @@ var _ = Describe("Elasticsearch rendering tests", func() { Expect(ok).To(BeTrue()) Expect(cronjob.Spec.JobTemplate.Spec.Template.Spec.Containers).To(HaveLen(1)) - Expect(cronjob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env).To(ContainElements([]corev1.EnvVar{ + cronjobExpectedEnvVars := []corev1.EnvVar{ {Name: "EE_FLOWS_INDEX_RETENTION_PERIOD", Value: fmt.Sprint(1)}, {Name: "EE_AUDIT_INDEX_RETENTION_PERIOD", Value: fmt.Sprint(1)}, {Name: "EE_SNAPSHOT_INDEX_RETENTION_PERIOD", Value: fmt.Sprint(1)}, 
@@ -667,7 +667,13 @@ var _ = Describe("Elasticsearch rendering tests", func() { {Name: "EE_BGP_INDEX_RETENTION_PERIOD", Value: fmt.Sprint(1)}, {Name: "EE_MAX_TOTAL_STORAGE_PCT", Value: fmt.Sprint(80)}, {Name: "EE_MAX_LOGS_STORAGE_PCT", Value: fmt.Sprint(70)}, - })) + {Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchCuratorUserSecret, "username", false)}, + {Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchCuratorUserSecret, "password", false)}, + {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + {Name: "ELASTIC_PORT", Value: "9200"}, + {Name: "ES_CURATOR_BACKEND_CERT", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, + } + Expect(cronjob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env).To(Equal(cronjobExpectedEnvVars)) Expect(*cronjob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(BeFalse()) Expect(*cronjob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].SecurityContext.Privileged).To(BeFalse()) @@ -1720,7 +1726,6 @@ var deleteLogStorageTests = func(managementCluster *operatorv1.ManagementCluster }, CuratorSecrets: []*corev1.Secret{ {ObjectMeta: metav1.ObjectMeta{Name: render.ElasticsearchCuratorUserSecret, Namespace: common.OperatorNamespace()}}, - {ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: common.OperatorNamespace()}}, }, Provider: operatorv1.ProviderNone, ClusterDomain: "cluster.local", diff --git a/pkg/render/manager.go b/pkg/render/manager.go index ac37d6135a..a45c39098e 100644 --- a/pkg/render/manager.go +++ b/pkg/render/manager.go @@ -20,6 +20,8 @@ import ( "strconv" "strings" + "github.com/tigera/operator/pkg/url" + ocsv1 "github.com/openshift/api/security/v1" appsv1 "k8s.io/api/apps/v1" 
@@ -273,13 +275,6 @@ func (c *managerComponent) managerDeployment() *appsv1.Deployment { } // Containers for the manager pod. - managerContainer := c.managerContainer() - esProxyContainer := c.managerEsProxyContainer() - if c.cfg.Tenant == nil { - // If we're running in multi-tenant mode, we don't need ES credentials as these are used for Kibana login. Otherwise, add them. - managerContainer = relasticsearch.ContainerDecorate(managerContainer, c.cfg.ClusterConfig.ClusterName(), ElasticsearchManagerUserSecret, c.cfg.ClusterDomain, c.SupportedOSType()) - esProxyContainer = relasticsearch.ContainerDecorate(esProxyContainer, c.cfg.ClusterConfig.ClusterName(), ElasticsearchManagerUserSecret, c.cfg.ClusterDomain, c.SupportedOSType()) - } if c.cfg.InternalTLSKeyPair != nil && c.cfg.InternalTLSKeyPair.UseCertificateManagement() { initContainers = append(initContainers, c.cfg.InternalTLSKeyPair.InitContainer(ManagerNamespace)) } @@ -299,10 +294,10 @@ func (c *managerComponent) managerDeployment() *appsv1.Deployment { Tolerations: c.managerTolerations(), ImagePullSecrets: secret.GetReferenceList(c.cfg.PullSecrets), InitContainers: initContainers, - Containers: []corev1.Container{managerContainer, esProxyContainer, c.voltronContainer()}, + Containers: []corev1.Container{c.managerContainer(), c.managerEsProxyContainer(), c.voltronContainer()}, Volumes: c.managerVolumes(), }, - }, c.cfg.ClusterConfig, c.cfg.ESSecrets).(*corev1.PodTemplateSpec) + }, c.cfg.ESSecrets).(*corev1.PodTemplateSpec) if c.cfg.Replicas != nil && *c.cfg.Replicas > 1 { podTemplate.Spec.Affinity = podaffinity.NewPodAntiAffinity("tigera-manager", c.cfg.Namespace) 
@@ -395,9 +390,9 @@ func (c *managerComponent) managerProxyProbe() *corev1.Probe { } } -func (c *managerComponent) kibanaEnabled() bool { - enableKibana := !operatorv1.IsFIPSModeEnabled(c.cfg.Installation.FIPSMode) - if c.cfg.Tenant.MultiTenant() { +func KibanaEnabled(tenant *operatorv1.Tenant, installation *operatorv1.InstallationSpec) bool { + enableKibana := !operatorv1.IsFIPSModeEnabled(installation.FIPSMode) + if tenant.MultiTenant() { enableKibana = false } return enableKibana @@ -417,7 +412,7 @@ func (c *managerComponent) managerEnvVars() []corev1.EnvVar { {Name: "CNX_CLUSTER_NAME", Value: "cluster"}, {Name: "CNX_POLICY_RECOMMENDATION_SUPPORT", Value: "true"}, {Name: "ENABLE_MULTI_CLUSTER_MANAGEMENT", Value: strconv.FormatBool(c.cfg.ManagementCluster != nil)}, - {Name: "ENABLE_KIBANA", Value: strconv.FormatBool(c.kibanaEnabled())}, + {Name: "ENABLE_KIBANA", Value: strconv.FormatBool(KibanaEnabled(c.cfg.Tenant, c.cfg.Installation))}, // The manager supports two states of a product feature being unavailable: the product feature being feature-flagged off, // and the current license not enabling the feature. The compliance flag that we set on the manager container is a feature // flag, which we should set purely based on whether the compliance CR is present, ignoring the license status. 
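Review bot: `KibanaEnabled` becomes an exported function without a doc comment, which revive/golint flag, and documentation matters here because manager_test.go now calls it with a nil tenant (`render.KibanaEnabled(nil, i)`), making nil-safety of `tenant.MultiTenant()` part of its contract. Suggest `// KibanaEnabled reports whether Kibana, and therefore the Elasticsearch credentials the manager uses to log in to it, should be configured. Kibana is disabled in FIPS mode and in multi-tenant mode; tenant may be nil.` The function's closing brace is outside the hunk.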
@@ -569,10 +564,22 @@ func (c *managerComponent) managerEsProxyContainer() corev1.Container { {Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(c.cfg.Installation.FIPSMode)}, {Name: "LINSEED_CLIENT_CERT", Value: certPath}, {Name: "LINSEED_CLIENT_KEY", Value: keyPath}, - {Name: "ELASTIC_KIBANA_DISABLED", Value: strconv.FormatBool(!c.kibanaEnabled())}, + {Name: "ELASTIC_KIBANA_DISABLED", Value: strconv.FormatBool(!KibanaEnabled(c.cfg.Tenant, c.cfg.Installation))}, {Name: "VOLTRON_URL", Value: fmt.Sprintf("https://tigera-manager.%s.svc:9443", c.cfg.Namespace)}, } + if KibanaEnabled(c.cfg.Tenant, c.cfg.Installation) { + esScheme, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(c.SupportedOSType(), c.cfg.ClusterDomain, ElasticsearchNamespace)) + env = append(env, + relasticsearch.ElasticCAEnvVar(c.SupportedOSType()), + relasticsearch.ElasticSchemeEnvVar(esScheme), + relasticsearch.ElasticHostEnvVar(esHost), + relasticsearch.ElasticPortEnvVar(esPort), + relasticsearch.ElasticUserEnvVar(ElasticsearchManagerUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchManagerUserSecret), + relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ClusterConfig.ClusterName())) + } + // Determine the Linseed location. Use code default unless in multi-tenant mode, // in which case use the Linseed in the current namespace. if c.cfg.Tenant != nil { diff --git a/pkg/render/manager_test.go b/pkg/render/manager_test.go index 808c2c49e5..cd1b9aa1dc 100644 --- a/pkg/render/manager_test.go +++ b/pkg/render/manager_test.go @@ -18,6 +18,9 @@ import ( "fmt" "strconv" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/tigera/operator/pkg/render/common/secret" + . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" 
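Review bot: `c.cfg.ClusterConfig.ClusterName()` is now only reached when KibanaEnabled is true, and the tests in manager_test.go deliberately leave `ClusterConfig` nil otherwise, so there is an unstated invariant that whoever builds ManagerConfiguration must supply ClusterConfig whenever Kibana is enabled or rendering panics on a nil pointer. State it on the field (`// ClusterConfig is required when KibanaEnabled(Tenant, Installation) is true.`) or guard the dereference here. There is also a behaviour change worth confirming: the block removed in the `@@ -273,13 +275,6 @@` hunk added ES credentials whenever `Tenant == nil`, including in FIPS mode and on the manager container too, whereas the new condition skips FIPS clusters and decorates only es-proxy. The `_` on `url.ParseEndpoint` discards the error as in the other render files in this change. managerEsProxyContainer continues below the hunk.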
@@ -43,7 +46,6 @@ import ( "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" "github.com/tigera/operator/pkg/render/common/authentication" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/podaffinity" rtest "github.com/tigera/operator/pkg/render/common/test" 
@@ -129,12 +131,23 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { )) // es-proxy container - Expect(esProxy.Env).Should(ContainElements( - corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, - corev1.EnvVar{Name: "LINSEED_CLIENT_CERT", Value: "/internal-manager-tls/tls.crt"}, - corev1.EnvVar{Name: "LINSEED_CLIENT_KEY", Value: "/internal-manager-tls/tls.key"}, - corev1.EnvVar{Name: "VOLTRON_URL", Value: "https://tigera-manager.tigera-manager.svc:9443"}, - )) + esProxyExpectedEnvVars := []corev1.EnvVar{ + {Name: "ELASTIC_LICENSE_TYPE", Value: "enterprise_trial"}, + {Name: "ELASTIC_KIBANA_ENDPOINT", Value: "https://tigera-secure-es-gateway-http.tigera-elasticsearch.svc:5601"}, + {Name: "FIPS_MODE_ENABLED", Value: "false"}, + {Name: "LINSEED_CLIENT_CERT", Value: "/internal-manager-tls/tls.crt"}, + {Name: "LINSEED_CLIENT_KEY", Value: "/internal-manager-tls/tls.key"}, + {Name: "ELASTIC_KIBANA_DISABLED", Value: "false"}, + {Name: "VOLTRON_URL", Value: "https://tigera-manager.tigera-manager.svc:9443"}, + {Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, + {Name: "ELASTIC_SCHEME", Value: "https"}, + {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + {Name: "ELASTIC_PORT", Value: "9200"}, + {Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "username", false)}, + {Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "password", false)}, + {Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, + } + Expect(esProxy.Env).To(Equal(esProxyExpectedEnvVars)) Expect(esProxy.VolumeMounts).To(HaveLen(2)) Expect(esProxy.VolumeMounts[0].Name).To(Equal("tigera-ca-bundle")) 
@@ -695,9 +708,14 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { // renderManager passes in as few parameters as possible to render.Manager without it // panicing. It accepts variations on the installspec for testing purposes. renderManager := func(i *operatorv1.InstallationSpec) *appsv1.Deployment { + var esConfigMap *relasticsearch.ClusterConfig + // We only require Elastic cluster configuration when Kibana is enabled. + if render.KibanaEnabled(nil, i) { + esConfigMap = relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1) + } cfg := &render.ManagerConfiguration{ TrustedCertBundle: bundle, - ClusterConfig: &relasticsearch.ClusterConfig{}, + ClusterConfig: esConfigMap, TLSKeyPair: kp, VoltronLinseedKeyPair: voltronLinseedKP, Installation: i, @@ -1085,7 +1103,11 @@ func renderObjects(roc renderConfig) []client.Object { roc.bindingNamespaces = []string{roc.ns} } - esConfigMap := relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1) + var esConfigMap *relasticsearch.ClusterConfig + // We only require Elastic cluster configuration when Kibana is enabled. + if render.KibanaEnabled(roc.tenant, roc.installation) { + esConfigMap = relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1) + } cfg := &render.ManagerConfiguration{ KeyValidatorConfig: dexCfg, TrustedCertBundle: bundle,