From df5ebdc1631bff4cbad9e5af52ea0bc8fe090e9b Mon Sep 17 00:00:00 2001
From: Josh Lucas
Date: Tue, 24 Oct 2023 13:08:23 -0400
Subject: [PATCH 1/9] Remove usage of ES ConfigMap and PublicCertSecret
---
 .../compliance/compliance_controller.go | 28 +-------
 .../compliance/compliance_controller_test.go | 13 ----
 .../installation/core_controller.go | 14 ----
 .../intrusiondetection_controller.go | 35 +---------
 .../intrusiondetection_controller_test.go | 6 --
 .../logcollector/logcollector_controller.go | 22 +------
 .../logcollector_controller_test.go | 6 --
 .../logstorage/elastic/elastic_controller.go | 6 --
 .../elastic/elastic_controller_test.go | 17 -----
 .../managed_cluster_controller.go | 9 ---
 .../logstorage/secrets/secret_controller.go | 7 --
 .../secrets/secret_controller_test.go | 14 ----
 pkg/controller/manager/manager_controller.go | 19 +-----
 .../manager/manager_controller_test.go | 15 +----
 .../policyrecommendation_controller.go | 2 -
 .../policyrecommendation_controller_test.go | 4 --
 pkg/controller/utils/elasticsearch.go | 13 ----
 .../common/elasticsearch/clusterconfig.go | 64 +------------------
 pkg/render/common/elasticsearch/decorator.go | 21 +-----
 .../common/elasticsearch/decorator_test.go | 6 +-
 pkg/render/common/elasticsearch/tls.go | 3 +-
 pkg/render/compliance.go | 2 -
 pkg/render/compliance_test.go | 2 -
 pkg/render/fluentd.go | 27 ++++----
 pkg/render/fluentd_test.go | 2 -
 pkg/render/intrusion_detection.go | 13 ++--
 pkg/render/intrusion_detection_test.go | 8 ---
 pkg/render/intrusiondetection/dpi/dpi.go | 6 --
 pkg/render/intrusiondetection/dpi/dpi_test.go | 13 ----
 pkg/render/logstorage.go | 5 +-
 pkg/render/logstorage/esgateway/esgateway.go | 7 --
 .../logstorage/esgateway/esgateway_test.go | 3 -
 .../esmetrics/elasticsearch_metrics.go | 6 +-
 pkg/render/logstorage_test.go | 8 ---
 pkg/render/manager.go | 7 +-
 pkg/render/manager_test.go | 6 --
 36 files changed, 39 insertions(+), 400 deletions(-)
diff --git a/pkg/controller/compliance/compliance_controller.go b/pkg/controller/compliance/compliance_controller.go index 29b0f2bd4a..7bc0fb5d38 100644 --- a/pkg/controller/compliance/compliance_controller.go +++ b/pkg/controller/compliance/compliance_controller.go @@ -33,7 +33,6 @@ import ( "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/tls/certificatemanagement" "k8s.io/apimachinery/pkg/api/errors" "k8s.io/apimachinery/pkg/runtime" @@ -133,7 +132,6 @@ func add(mgr manager.Manager, c controller.Controller) error { render.ElasticsearchComplianceControllerUserSecret, render.ElasticsearchComplianceReporterUserSecret, render.ElasticsearchComplianceSnapshotterUserSecret, render.ElasticsearchComplianceServerUserSecret, render.ComplianceServerCertSecret, render.ManagerInternalTLSSecretName, certificatemanagement.CASecretName, - relasticsearch.PublicCertSecret, render.TigeraLinseedSecret, render.VoltronLinseedTLS, render.VoltronLinseedPublicCert, } { @@ -143,10 +141,6 @@ func add(mgr manager.Manager, c controller.Controller) error { } } - if err = utils.AddConfigMapWatch(c, relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil { - return fmt.Errorf("compliance-controller failed to watch the ConfigMap resource: %w", err) - } - // Watch for changes to primary resource ManagementCluster err = c.Watch(&source.Kind{Type: &operatorv1.ManagementCluster{}}, &handler.EnqueueRequestForObject{}) if err != nil { 
@@ -296,16 +290,6 @@ func (r *ReconcileCompliance) Reconcile(ctx context.Context, request reconcile.R return reconcile.Result{}, err } - esClusterConfig, err := utils.GetElasticsearchClusterConfig(ctx, r.client) - if err != nil { - if errors.IsNotFound(err) { - r.status.SetDegraded(operatorv1.ResourceNotReady, "Elasticsearch cluster configuration is not available, waiting for it to become available", err, reqLogger) - return reconcile.Result{}, nil - } - r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get the elasticsearch cluster configuration", err, reqLogger) - return reconcile.Result{}, err - } - secretsToWatch := []string{ render.ElasticsearchComplianceBenchmarkerUserSecret, render.ElasticsearchComplianceControllerUserSecret, render.ElasticsearchComplianceReporterUserSecret, render.ElasticsearchComplianceSnapshotterUserSecret, @@ -357,15 +341,6 @@ func (r *ReconcileCompliance) Reconcile(ctx context.Context, request reconcile.R return reconcile.Result{}, err } } - esgwCertificate, err := certificateManager.GetCertificate(r.client, relasticsearch.PublicCertSecret, common.OperatorNamespace()) - if err != nil { - r.status.SetDegraded(operatorv1.ResourceValidationError, fmt.Sprintf("Failed to retrieve / validate %s", relasticsearch.PublicCertSecret), err, reqLogger) - return reconcile.Result{}, err - } else if esgwCertificate == nil { - log.Info("Elasticsearch gateway certificates are not available yet, waiting until they become available") - r.status.SetDegraded(operatorv1.ResourceNotReady, "Elasticsearch gateway certificates are not available yet, waiting until they become available", nil, reqLogger) - return reconcile.Result{}, nil - } // The location of the Linseed certificate varies based on if this is a managed cluster or not. // For standalone and management clusters, we just use Linseed's actual certificate. 
@@ -384,7 +359,7 @@ func (r *ReconcileCompliance) Reconcile(ctx context.Context, request reconcile.R r.status.SetDegraded(operatorv1.ResourceNotReady, "Linseed certificate is not available yet, waiting until it becomes available", nil, reqLogger) return reconcile.Result{}, nil } - trustedBundle := certificateManager.CreateTrustedBundle(managerInternalTLSSecret, esgwCertificate, linseedCertificate) + trustedBundle := certificateManager.CreateTrustedBundle(managerInternalTLSSecret, linseedCertificate) // Get the key pairs for each component, generating them as needed. type complianceKeyPair struct { @@ -455,7 +430,6 @@ func (r *ReconcileCompliance) Reconcile(ctx context.Context, request reconcile.R BenchmarkerKeyPair: benchmarkerKeyPair.Interface, SnapshotterKeyPair: snapshotterKeyPair.Interface, ReporterKeyPair: reporterKeyPair.Interface, - ESClusterConfig: esClusterConfig, PullSecrets: pullSecrets, Openshift: openshift, ManagementCluster: managementCluster, diff --git a/pkg/controller/compliance/compliance_controller_test.go b/pkg/controller/compliance/compliance_controller_test.go index 2aa31dac01..32f20293fb 100644 --- a/pkg/controller/compliance/compliance_controller_test.go +++ b/pkg/controller/compliance/compliance_controller_test.go @@ -20,7 +20,6 @@ import ( "time" "github.com/tigera/operator/pkg/controller/certificatemanager" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/secret" "github.com/tigera/operator/pkg/tls" 
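Review bot: The bundle built at `trustedBundle := certificateManager.CreateTrustedBundle(managerInternalTLSSecret, linseedCertificate)` no longer carries the es-gateway certificate, yet the compliance Elasticsearch user secrets (render.ElasticsearchComplianceBenchmarkerUserSecret, render.ElasticsearchComplianceControllerUserSecret, render.ElasticsearchComplianceReporterUserSecret, render.ElasticsearchComplianceSnapshotterUserSecret, render.ElasticsearchComplianceServerUserSecret) are still watched in add() at @@ -133 and still listed in secretsToWatch at @@ -296. If any compliance component still presents those credentials to es-gateway it now has no CA with which to verify that endpoint, so the bundle change should land together with the removal of those secrets or with a comment stating they are no longer used to reach es-gateway. The same pairing appears in intrusiondetection_controller.go, where `ESSecrets: esSecrets` is still passed on the new side of @@ -493 after the bundle at @@ -460 drops the gateway certificate, and in manager_controller.go, where render.ElasticsearchManagerUserSecret stays in the watch list at @@ -145 while trustedSecretNames at @@ -391 loses relasticsearch.PublicCertSecret. logcollector_controller.go likewise keeps render.ElasticsearchEksLogForwarderUserSecret in its watch list at @@ -141. Reconcile's body continues outside these hunks.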
@@ -127,15 +126,6 @@ var _ = Describe("Compliance controller tests", func() { Expect(c.Create(ctx, &operatorv1.APIServer{ObjectMeta: metav1.ObjectMeta{Name: "tigera-secure"}, Status: operatorv1.APIServerStatus{State: operatorv1.TigeraStatusReady}})).NotTo(HaveOccurred()) Expect(c.Create(ctx, &v3.Tier{ObjectMeta: metav1.ObjectMeta{Name: "allow-tigera"}})).NotTo(HaveOccurred()) Expect(c.Create(ctx, &v3.LicenseKey{ObjectMeta: metav1.ObjectMeta{Name: "default"}, Status: v3.LicenseKeyStatus{Features: []string{common.ComplianceFeature}}})).NotTo(HaveOccurred()) - Expect(c.Create(ctx, &corev1.ConfigMap{ - ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.ClusterConfigConfigMapName, Namespace: common.OperatorNamespace()}, - Data: map[string]string{ - "clusterName": "cluster", - "shards": "2", - "replicas": "1", - "flowShards": "2", - }, - })).NotTo(HaveOccurred()) // Create a bunch of empty secrets, such that the reconcile loop will make it to the render functionality. Expect(c.Create(ctx, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: render.ElasticsearchComplianceBenchmarkerUserSecret, Namespace: "tigera-operator"}})).NotTo(HaveOccurred()) @@ -149,8 +139,6 @@ var _ = Describe("Compliance controller tests", func() { Expect(c.Create(context.Background(), certificateManager.KeyPair().Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) esDNSNames := dns.GetServiceDNSNames(render.TigeraElasticsearchGatewaySecret, render.ElasticsearchNamespace, dns.DefaultClusterDomain) - gwKeyPair, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, render.ElasticsearchNamespace, esDNSNames) - Expect(err).NotTo(HaveOccurred()) linseedKeyPair, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, render.ElasticsearchNamespace, esDNSNames) Expect(err).NotTo(HaveOccurred()) 
@@ -158,7 +146,6 @@ var _ = Describe("Compliance controller tests", func() { linseedPublicCert, err := certificateManager.GetOrCreateKeyPair(c, render.VoltronLinseedPublicCert, common.OperatorNamespace(), esDNSNames) Expect(err).NotTo(HaveOccurred()) - Expect(c.Create(ctx, gwKeyPair.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) Expect(c.Create(ctx, linseedKeyPair.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) Expect(c.Create(ctx, linseedPublicCert.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) diff --git a/pkg/controller/installation/core_controller.go b/pkg/controller/installation/core_controller.go index 1f9309361d..dfb485dcdd 100644 --- a/pkg/controller/installation/core_controller.go +++ b/pkg/controller/installation/core_controller.go @@ -29,8 +29,6 @@ import ( "github.com/elastic/cloud-on-k8s/v2/pkg/utils/stringsutil" "github.com/go-logr/logr" configv1 "github.com/openshift/api/config/v1" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" - appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" 
@@ -1198,18 +1196,6 @@ func (r *ReconcileInstallation) Reconcile(ctx context.Context, request reconcile typhaNodeTLS.TrustedBundle.AddCertificates(prometheusClientCert) } - // es-kube-controllers needs to trust the ESGW certificate. We'll fetch it here and add it to the trusted bundle. - // Note that although we're adding this to the typhaNodeTLS trusted bundle, it will be used by es-kube-controllers. This is because - // all components within this namespace share a trusted CA bundle. - esgwCertificate, err := certificateManager.GetCertificate(r.client, relasticsearch.PublicCertSecret, common.OperatorNamespace()) - if err != nil { - r.status.SetDegraded(operator.CertificateError, fmt.Sprintf("Failed to retrieve / validate %s", relasticsearch.PublicCertSecret), err, reqLogger) - return reconcile.Result{}, err - } - if esgwCertificate != nil { - typhaNodeTLS.TrustedBundle.AddCertificates(esgwCertificate) - } - calicoVersion = components.EnterpriseRelease } diff --git a/pkg/controller/intrusiondetection/intrusiondetection_controller.go b/pkg/controller/intrusiondetection/intrusiondetection_controller.go index 20b7689423..20fa4ae0b6 100644 --- a/pkg/controller/intrusiondetection/intrusiondetection_controller.go +++ b/pkg/controller/intrusiondetection/intrusiondetection_controller.go @@ -36,7 +36,6 @@ import ( "github.com/tigera/operator/pkg/controller/utils/imageset" "github.com/tigera/operator/pkg/render" rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/render/intrusiondetection/dpi" "github.com/tigera/operator/pkg/tls/certificatemanagement" batchv1 "k8s.io/api/batch/v1" 
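Review bot: With the es-gateway certificate gone from typhaNodeTLS.TrustedBundle, the comment that explained why a certificate consumed by es-kube-controllers lived in the typha/node bundle goes with it, and nothing on the new side records that the omission is deliberate. A one-line comment before `calicoVersion = components.EnterpriseRelease` such as `// The es-gateway certificate is intentionally not added to this shared bundle; es-kube-controllers should not need to trust es-gateway after this change.` would stop a later reader from re-adding it. Whether es-kube-controllers still opens a TLS connection to es-gateway cannot be confirmed from this hunk; if it does, its handshake will now fail against the bundle shared by every component in the namespace. Reconcile continues outside the hunk.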
@@ -171,7 +170,6 @@ func add(mgr manager.Manager, c controller.Controller) error { } for _, secretName := range []string{ - relasticsearch.PublicCertSecret, render.ElasticsearchIntrusionDetectionUserSecret, render.ElasticsearchIntrusionDetectionJobUserSecret, render.ElasticsearchPerformanceHotspotsUserSecret, @@ -191,19 +189,10 @@ func add(mgr manager.Manager, c controller.Controller) error { return fmt.Errorf("intrusiondetection-controller failed to watch the Secret resource: %v", err) } - // These watches are here to catch a modification to the resources we create in reconcile so the changes would be corrected. - if err = utils.AddSecretsWatch(c, relasticsearch.PublicCertSecret, render.IntrusionDetectionNamespace); err != nil { - return fmt.Errorf("intrusiondetection-controller failed to watch the Secret resource: %v", err) - } - if err = utils.AddSecretsWatch(c, render.TigeraLinseedSecret, render.IntrusionDetectionNamespace); err != nil { return fmt.Errorf("intrusiondetection-controller failed to watch the Secret resource: %v", err) } - if err = utils.AddConfigMapWatch(c, relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil { - return fmt.Errorf("intrusiondetection-controller failed to watch the ConfigMap resource: %v", err) - } - if err = utils.AddConfigMapWatch(c, render.ECKLicenseConfigMapName, render.ECKOperatorNamespace, &handler.EnqueueRequestForObject{}); err != nil { return fmt.Errorf("intrusiondetection-controller failed to watch the ConfigMap resource: %v", err) } 
@@ -381,16 +370,6 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec } } - esClusterConfig, err := utils.GetElasticsearchClusterConfig(context.Background(), r.client) - if err != nil { - if errors.IsNotFound(err) { - r.status.SetDegraded(operatorv1.ResourceNotFound, "Elasticsearch cluster configuration is not available, waiting for it to become available", err, reqLogger) - return reconcile.Result{}, nil - } - r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get the elasticsearch cluster configuration", err, reqLogger) - return reconcile.Result{}, err - } - secrets := []string{ render.ElasticsearchIntrusionDetectionUserSecret, render.ElasticsearchPerformanceHotspotsUserSecret, @@ -420,16 +399,6 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec return reconcile.Result{}, err } - esgwCertificate, err := certificateManager.GetCertificate(r.client, relasticsearch.PublicCertSecret, common.OperatorNamespace()) - if err != nil { - r.status.SetDegraded(operatorv1.ResourceReadError, fmt.Sprintf("Failed to retrieve / validate %s", relasticsearch.PublicCertSecret), err, reqLogger) - return reconcile.Result{}, err - } else if esgwCertificate == nil { - log.Info("Elasticsearch gateway certificate is not available yet, waiting until they become available") - r.status.SetDegraded(operatorv1.ResourceNotReady, "Elasticsearch gateway certificate are not available yet, waiting until they become available", nil, reqLogger) - return reconcile.Result{}, nil - } - // The location of the Linseed certificate varies based on if this is a managed cluster or not. linseedCertLocation := render.TigeraLinseedSecret if isManagedCluster { 
@@ -460,7 +429,7 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec // Intrusion detection controller sometimes needs to make requests to outside sources. Therefore, we include // the system root certificate bundle. - trustedBundle, err := certificateManager.CreateTrustedBundleWithSystemRootCertificates(esgwCertificate, linseedCertificate) + trustedBundle, err := certificateManager.CreateTrustedBundleWithSystemRootCertificates(linseedCertificate) if err != nil { r.status.SetDegraded(operatorv1.ResourceCreateError, "Unable to create tigera-ca-bundle configmap", err, reqLogger) return reconcile.Result{}, err @@ -493,7 +462,6 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec LogCollector: lc, ESSecrets: esSecrets, Installation: network, - ESClusterConfig: esClusterConfig, PullSecrets: pullSecrets, Openshift: r.provider == operatorv1.ProviderOpenShift, ClusterDomain: r.clusterDomain, @@ -546,7 +514,6 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec ManagementCluster: isManagementCluster, HasNoLicense: hasNoLicense, HasNoDPIResource: hasNoDPIResource, - ESClusterConfig: esClusterConfig, ClusterDomain: r.clusterDomain, DPICertSecret: dpiKeyPair, }) diff --git a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go index 41b4e1fc32..89cd2cc97d 100644 --- a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go +++ b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go @@ -42,8 +42,6 @@ import ( "github.com/tigera/operator/pkg/controller/status" "github.com/tigera/operator/pkg/controller/utils" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" - appsv1 "k8s.io/api/apps/v1" batchv1 "k8s.io/api/batch/v1" corev1 "k8s.io/api/core/v1" 
@@ -156,9 +154,6 @@ var _ = Describe("IntrusionDetection controller tests", func() { certificateManager, err := certificatemanager.Create(c, nil, "", common.OperatorNamespace(), certificatemanager.AllowCACreation()) Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, certificateManager.KeyPair().Secret(common.OperatorNamespace()))) // Persist the root-ca in the operator namespace. - kiibanaTLS, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret}) - Expect(err).NotTo(HaveOccurred()) - Expect(c.Create(ctx, kiibanaTLS.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) linseedTLS, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, common.OperatorNamespace(), []string{render.TigeraLinseedSecret}) Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, linseedTLS.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) @@ -168,7 +163,6 @@ var _ = Describe("IntrusionDetection controller tests", func() { Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, linseedPublicCert.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) - Expect(c.Create(ctx, relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) Expect(c.Create(ctx, rtest.CreateCertSecret(render.ElasticsearchIntrusionDetectionUserSecret, common.OperatorNamespace(), render.GuardianSecretName))) Expect(c.Create(ctx, rtest.CreateCertSecret(render.ElasticsearchPerformanceHotspotsUserSecret, common.OperatorNamespace(), render.GuardianSecretName))) Expect(c.Create(ctx, &corev1.ConfigMap{ diff --git a/pkg/controller/logcollector/logcollector_controller.go b/pkg/controller/logcollector/logcollector_controller.go index 93761f7c7e..7280556138 100644 --- a/pkg/controller/logcollector/logcollector_controller.go +++ b/pkg/controller/logcollector/logcollector_controller.go 
@@ -46,7 +46,6 @@ import ( "github.com/tigera/operator/pkg/controller/utils/imageset" "github.com/tigera/operator/pkg/render" rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/monitor" "github.com/tigera/operator/pkg/tls/certificatemanagement" @@ -141,7 +140,7 @@ func add(mgr manager.Manager, c controller.Controller) error { for _, secretName := range []string{ render.ElasticsearchEksLogForwarderUserSecret, - relasticsearch.PublicCertSecret, render.S3FluentdSecretName, render.EksLogForwarderSecret, + render.S3FluentdSecretName, render.EksLogForwarderSecret, render.SplunkFluentdTokenSecretName, render.SplunkFluentdCertificateSecretName, monitor.PrometheusTLSSecretName, render.FluentdPrometheusTLSSecretName, render.TigeraLinseedSecret, render.VoltronLinseedPublicCert, } { @@ -150,10 +149,8 @@ func add(mgr manager.Manager, c controller.Controller) error { } } - for _, configMapName := range []string{render.FluentdFilterConfigMapName, relasticsearch.ClusterConfigConfigMapName} { - if err = utils.AddConfigMapWatch(c, configMapName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil { - return fmt.Errorf("logcollector-controller failed to watch ConfigMap %s: %v", configMapName, err) - } + if err = utils.AddConfigMapWatch(c, render.FluentdFilterConfigMapName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil { + return fmt.Errorf("logcollector-controller failed to watch ConfigMap %s: %v", render.FluentdFilterConfigMapName, err) } err = c.Watch(&source.Kind{Type: &corev1.Node{}}, &handler.EnqueueRequestForObject{}) 
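Review bot: The rewritten error return in add() at @@ -150 keeps `%v` for the wrapped error, `return fmt.Errorf("logcollector-controller failed to watch ConfigMap %s: %v", render.FluentdFilterConfigMapName, err)`; since the line is already being rewritten, `%w` would let callers use errors.Is/errors.As on it and would match the `%w` form the compliance and logstorage controllers use elsewhere in this same patch. Collapsing the two-name loop into a single AddConfigMapWatch call is otherwise the right simplification. add() continues outside the hunk.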
@@ -531,21 +528,10 @@ func (r *ReconcileLogCollector) Reconcile(ctx context.Context, request reconcile } var eksConfig *render.EksCloudwatchLogConfig - var esClusterConfig *relasticsearch.ClusterConfig if installation.KubernetesProvider == operatorv1.ProviderEKS { log.Info("Managed kubernetes EKS found, getting necessary credentials and config") if instance.Spec.AdditionalSources != nil { if instance.Spec.AdditionalSources.EksCloudwatchLog != nil { - esClusterConfig, err = utils.GetElasticsearchClusterConfig(ctx, r.client) - if err != nil { - if errors.IsNotFound(err) { - r.status.SetDegraded(operatorv1.ResourceNotReady, "Elasticsearch cluster configuration is not available, waiting for it to become available", err, reqLogger) - return reconcile.Result{}, nil - } - r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get the elasticsearch cluster configuration", err, reqLogger) - return reconcile.Result{}, err - } - eksConfig, err = getEksCloudwatchLogConfig(r.client, instance.Spec.AdditionalSources.EksCloudwatchLog.FetchInterval, instance.Spec.AdditionalSources.EksCloudwatchLog.Region, @@ -564,7 +550,6 @@ func (r *ReconcileLogCollector) Reconcile(ctx context.Context, request reconcile fluentdCfg := &render.FluentdConfiguration{ LogCollector: instance, - ESClusterConfig: esClusterConfig, S3Credential: s3Credential, SplkCredential: splunkCredential, Filters: filters, @@ -615,7 +600,6 @@ func (r *ReconcileLogCollector) Reconcile(ctx context.Context, request reconcile if hasWindowsNodes { fluentdCfg = &render.FluentdConfiguration{ LogCollector: instance, - ESClusterConfig: esClusterConfig, S3Credential: s3Credential, SplkCredential: splunkCredential, Filters: filters, diff --git a/pkg/controller/logcollector/logcollector_controller_test.go b/pkg/controller/logcollector/logcollector_controller_test.go index 4e36d41de0..22b1e84d1b 100644 --- a/pkg/controller/logcollector/logcollector_controller_test.go 
+++ b/pkg/controller/logcollector/logcollector_controller_test.go @@ -43,7 +43,6 @@ import ( "github.com/tigera/operator/pkg/controller/status" "github.com/tigera/operator/pkg/controller/utils" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/render/monitor" "github.com/tigera/operator/test" ) @@ -127,15 +126,10 @@ var _ = Describe("LogCollector controller tests", func() { ObjectMeta: metav1.ObjectMeta{Name: "default"}, })).NotTo(HaveOccurred()) - Expect(c.Create(ctx, relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) - certificateManager, err := certificatemanager.Create(c, nil, "", common.OperatorNamespace(), certificatemanager.AllowCACreation()) Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, certificateManager.KeyPair().Secret(common.OperatorNamespace()))) // Persist the root-ca in the operator namespace. - kibanaTLS, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret}) - Expect(err).NotTo(HaveOccurred()) - Expect(c.Create(ctx, kibanaTLS.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) Expect(c.Create(ctx, &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: render.ElasticsearchEksLogForwarderUserSecret, diff --git a/pkg/controller/logstorage/elastic/elastic_controller.go b/pkg/controller/logstorage/elastic/elastic_controller.go index d299ddd5c5..e1aa8d9d99 100644 --- a/pkg/controller/logstorage/elastic/elastic_controller.go +++ b/pkg/controller/logstorage/elastic/elastic_controller.go 
@@ -188,7 +188,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { esmetrics.ElasticsearchMetricsServerTLSSecret, render.TigeraLinseedSecret, certificatemanagement.CASecretName, - relasticsearch.PublicCertSecret, monitor.PrometheusClientTLSSecretName, render.ElasticsearchAdminUserSecret, render.ElasticsearchCuratorUserSecret, @@ -201,7 +200,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { // Establish watches for secrets in the tigera-elasticsearch namespace. for _, secretName := range []string{ - relasticsearch.PublicCertSecret, render.ElasticsearchAdminUserSecret, render.TigeraElasticsearchInternalCertSecret, render.OIDCUsersESSecretName, @@ -227,10 +225,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { } } - if err = utils.AddConfigMapWatch(c, relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil { - return fmt.Errorf("log-storage-elastic-controller failed to watch ConfigMap resource: %w", err) - } - if err = utils.AddConfigMapWatch(c, render.ECKLicenseConfigMapName, render.ECKOperatorNamespace, &handler.EnqueueRequestForObject{}); err != nil { return fmt.Errorf("log-storage-elastic-controller failed to watch ConfigMap resource: %w", err) } diff --git a/pkg/controller/logstorage/elastic/elastic_controller_test.go b/pkg/controller/logstorage/elastic/elastic_controller_test.go index 3e15abeec2..2e8b5c1f31 100644 --- a/pkg/controller/logstorage/elastic/elastic_controller_test.go +++ b/pkg/controller/logstorage/elastic/elastic_controller_test.go 
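Review bot: Dropping the relasticsearch.ClusterConfigConfigMapName watch at @@ -227 leaves this controller blind to edits of that ConfigMap, while the relasticsearch import is not removed in this file (the three hunks shown account for all six deleted lines in the diffstat), so something here presumably still reads or renders the cluster config. If this controller still writes that ConfigMap, out-of-band changes to it will no longer be reverted until some other event triggers a reconcile; if nothing reads it any more, the remaining relasticsearch references in this file are worth a follow-up. Add() continues outside the hunk.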
@@ -554,9 +554,7 @@ var _ = Describe("LogStorage controller", func() { ) Expect(err).ShouldNot(HaveOccurred()) - esPublicSecret := createPubSecret(relasticsearch.PublicCertSecret, render.ElasticsearchNamespace, esSecret.Data["tls.crt"], "tls.crt") Expect(cli.Create(ctx, esSecret)).ShouldNot(HaveOccurred()) - Expect(cli.Create(ctx, esPublicSecret)).ShouldNot(HaveOccurred()) kbDNSNames = []string{"kb.example.com", "192.168.10.11"} kbSecret, err := secret.CreateTLSSecret(testCA, @@ -812,7 +810,6 @@ var _ = Describe("LogStorage controller", func() { AssociationStatus: cmnv1.AssociationEstablished, }, }, - relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap(), &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "tigera-pull-secret"}}, &corev1.ConfigMap{ ObjectMeta: metav1.ObjectMeta{Namespace: render.ECKOperatorNamespace, Name: render.ECKLicenseConfigMapName}, @@ -1242,9 +1239,6 @@ func setUpLogStorageComponents(cli client.Client, ctx context.Context, storageCl trustedBundle := certificateManager.CreateTrustedBundle() esKeyPair, err := certificateManager.GetOrCreateKeyPair(cli, render.TigeraElasticsearchInternalCertSecret, common.OperatorNamespace(), []string{render.TigeraElasticsearchInternalCertSecret}) Expect(err).NotTo(HaveOccurred()) - esPublic, err := certificateManager.GetOrCreateKeyPair(cli, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{render.TigeraElasticsearchInternalCertSecret}) - Expect(err).NotTo(HaveOccurred()) - Expect(cli.Create(context.Background(), esPublic.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) var replicas int32 = 2 cfg := &render.ElasticsearchConfiguration{ 
@@ -1293,17 +1287,6 @@ func setUpLogStorageComponents(cli client.Client, ctx context.Context, storageCl Expect(cli.Create(ctx, &corev1.Secret{ObjectMeta: curatorUsrSecretObjMeta})).ShouldNot(HaveOccurred()) } -func createPubSecret(name string, ns string, bytes []byte, certName string) client.Object { - return &corev1.Secret{ - ObjectMeta: metav1.ObjectMeta{ - Name: name, Namespace: ns, - }, - Data: map[string][]byte{ - certName: bytes, - }, - } -} - // CreateLogStorage creates a LogStorage object with the given parameters after filling in defaults, // and asserts that the creation succeeds. func CreateLogStorage(client client.Client, ls *operatorv1.LogStorage) { diff --git a/pkg/controller/logstorage/managedcluster/managed_cluster_controller.go b/pkg/controller/logstorage/managedcluster/managed_cluster_controller.go index 9a931b516c..f6221ba702 100644 --- a/pkg/controller/logstorage/managedcluster/managed_cluster_controller.go +++ b/pkg/controller/logstorage/managedcluster/managed_cluster_controller.go @@ -30,11 +30,9 @@ import ( "sigs.k8s.io/controller-runtime/pkg/reconcile" "sigs.k8s.io/controller-runtime/pkg/source" - "github.com/tigera/operator/pkg/common" "github.com/tigera/operator/pkg/controller/options" "github.com/tigera/operator/pkg/controller/utils" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" ) var log = logf.Log.WithName("controller_logstorage_managed") 
@@ -82,13 +80,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { return fmt.Errorf("log-storage-managedcluster-controller failed to watch ManagementClusterConnection resource: %w", err) } - if err = utils.AddSecretsWatch(c, relasticsearch.PublicCertSecret, common.OperatorNamespace()); err != nil { - return fmt.Errorf("log-storage-managedcluster-controller failed to watch Secret resource: %w", err) - } - if err = utils.AddSecretsWatch(c, relasticsearch.PublicCertSecret, render.ElasticsearchNamespace); err != nil { - return fmt.Errorf("log-storage-managedcluster-controller failed to watch Secret resource: %w", err) - } - // Perform periodic reconciliation. This acts as a backstop to catch reconcile issues, // and also makes sure we spot when things change that might not trigger a reconciliation. err = utils.AddPeriodicReconcile(c, utils.PeriodicReconcileTime, &handler.EnqueueRequestForObject{}) diff --git a/pkg/controller/logstorage/secrets/secret_controller.go b/pkg/controller/logstorage/secrets/secret_controller.go index 50a9f95954..064b5c83af 100644 --- a/pkg/controller/logstorage/secrets/secret_controller.go +++ b/pkg/controller/logstorage/secrets/secret_controller.go @@ -29,7 +29,6 @@ import ( "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/render/logstorage/esgateway" "github.com/tigera/operator/pkg/render/logstorage/esmetrics" "github.com/tigera/operator/pkg/render/logstorage/linseed" 
@@ -128,12 +127,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { if err = utils.AddSecretsWatchWithHandler(c, certificatemanagement.TenantCASecretName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil { return fmt.Errorf("log-storage-secrets-controller failed to watch Secret: %w", err) } - if err = utils.AddSecretsWatchWithHandler(c, relasticsearch.PublicCertSecret, helper.TruthNamespace(), eventHandler); err != nil { - return fmt.Errorf("log-storage-secrets-controller failed to watch Secret: %w", err) - } - if err = utils.AddSecretsWatchWithHandler(c, relasticsearch.PublicCertSecret, render.ElasticsearchNamespace, eventHandler); err != nil { - return fmt.Errorf("log-storage-secrets-controller failed to watch Secret: %w", err) - } if err = utils.AddSecretsWatchWithHandler(c, render.TigeraElasticsearchGatewaySecret, helper.TruthNamespace(), &handler.EnqueueRequestForObject{}); err != nil { return fmt.Errorf("log-storage-secrets-controller failed to watch Secret: %w", err) } diff --git a/pkg/controller/logstorage/secrets/secret_controller_test.go b/pkg/controller/logstorage/secrets/secret_controller_test.go index 8cc9641822..d7e6463d79 100644 --- a/pkg/controller/logstorage/secrets/secret_controller_test.go +++ b/pkg/controller/logstorage/secrets/secret_controller_test.go @@ -46,7 +46,6 @@ import ( "github.com/tigera/operator/pkg/controller/utils" "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/secret" "github.com/tigera/operator/pkg/render/logstorage/esgateway" 
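Review bot: Removing the two relasticsearch.PublicCertSecret watches at @@ -128 stops this controller from noticing that secret in helper.TruthNamespace() and render.ElasticsearchNamespace, but nothing in this patch deletes copies of it that already exist in clusters being upgraded. If the operator was the component distributing that public certificate into workload namespaces, a one-time cleanup, or a comment stating that stale copies are harmless and left in place, would keep outdated public-cert copies from lingering indefinitely. The same applies to the watches removed from managed_cluster_controller.go at @@ -82. Add() continues outside the hunk.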
@@ -221,9 +220,7 @@ var _ = Describe("LogStorage Secrets controller", func() {
 )
 Expect(err).ShouldNot(HaveOccurred())
 
- esPublicSecret := createPubSecret(relasticsearch.PublicCertSecret, render.ElasticsearchNamespace, esSecret.Data["tls.crt"], "tls.crt")
 Expect(cli.Create(ctx, esSecret)).ShouldNot(HaveOccurred())
- Expect(cli.Create(ctx, esPublicSecret)).ShouldNot(HaveOccurred())
 
 kbDNSNames = []string{"kb.example.com", "192.168.10.11"}
 kbSecret, err := secret.CreateTLSSecret(
@@ -505,17 +502,6 @@ func CreateLogStorage(client client.Client, ls *operatorv1.LogStorage) {
 ExpectWithOffset(1, client.Create(context.Background(), ls)).ShouldNot(HaveOccurred())
 }
 
-func createPubSecret(name string, ns string, bytes []byte, certName string) client.Object {
- return &corev1.Secret{
- ObjectMeta: metav1.ObjectMeta{
- Name: name, Namespace: ns,
- },
- Data: map[string][]byte{
- certName: bytes,
- },
- }
-}
-
 // ExpectSecrets asserts that all of the given secrets exist in the cluster, and that no other secrets exist.
 func ExpectSecrets(ctx context.Context, cli client.Client, expected []types.NamespacedName) {
 for _, expected := range expected {
diff --git a/pkg/controller/manager/manager_controller.go b/pkg/controller/manager/manager_controller.go
index 33b406e310..b91c4f19d6 100644
--- a/pkg/controller/manager/manager_controller.go
+++ b/pkg/controller/manager/manager_controller.go
@@ -44,7 +44,6 @@ import (
 "github.com/tigera/operator/pkg/render"
 rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement"
 tigerakvc "github.com/tigera/operator/pkg/render/common/authentication/tigera/key_validator_config"
- relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 "github.com/tigera/operator/pkg/render/common/networkpolicy"
 "github.com/tigera/operator/pkg/render/monitor"
 "github.com/tigera/operator/pkg/tls/certificatemanagement"
@@ -145,7 +144,7 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { } for _, namespace := range namespacesToWatch { for _, secretName := range []string{ - render.ManagerTLSSecretName, relasticsearch.PublicCertSecret, render.ElasticsearchManagerUserSecret, + render.ManagerTLSSecretName, render.ElasticsearchManagerUserSecret, render.VoltronTunnelSecretName, render.ComplianceServerCertSecret, render.PacketCaptureServerCert, render.ManagerInternalTLSSecretName, monitor.PrometheusTLSSecretName, certificatemanagement.CASecretName, } { @@ -159,10 +158,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error { return fmt.Errorf("manager-controller failed to watch ConfigMap resource %s: %w", tigerakvc.StaticWellKnownJWKSConfigMapName, err) } - if err = utils.AddConfigMapWatch(managerController, relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), eventHandler); err != nil { - return fmt.Errorf("compliance-controller failed to watch the ConfigMap resource: %w", err) - } - if err = utils.AddNamespaceWatch(managerController, common.TigeraPrometheusNamespace); err != nil { return fmt.Errorf("manager-controller failed to watch the '%s' namespace: %w", common.TigeraPrometheusNamespace, err) } @@ -391,7 +386,6 @@ func (r *ReconcileManager) Reconcile(ctx context.Context, request reconcile.Requ trustedSecretNames = []string{ render.PacketCaptureServerCert, monitor.PrometheusTLSSecretName, - relasticsearch.PublicCertSecret, render.ProjectCalicoAPIServerTLSSecretName(installation.Variant), render.TigeraLinseedSecret, } 
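Review bot: Dropping `relasticsearch.PublicCertSecret` from `trustedSecretNames` in the third hunk means the bundle the manager mounts no longer carries the ES gateway's serving certificate, which is only safe if no manager component still verifies a TLS connection to the gateway; the Linseed secret remains in the list, so presumably Linseed is now the only backend, but nothing in this diff shows that. If that is the reason, a one-line comment on the list, `// ES gateway cert intentionally omitted; the manager no longer connects to the gateway directly`, would record the decision for the next reader. The removed ConfigMap watch in the second hunk also carried a copy-pasted "compliance-controller" prefix in its error string, so its deletion removes a misleading log line as well. Reconcile's body continues outside the hunk.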
@@ -454,16 +448,6 @@ func (r *ReconcileManager) Reconcile(ctx context.Context, request reconcile.Requ
 return reconcile.Result{}, err
 }
 
- clusterConfig, err := utils.GetElasticsearchClusterConfig(context.Background(), r.client)
- if err != nil {
- if errors.IsNotFound(err) {
- r.status.SetDegraded(operatorv1.ResourceNotFound, "Elasticsearch cluster configuration is not available, waiting for it to become available", err, logc)
- return reconcile.Result{}, nil
- }
- r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get the elasticsearch cluster configuration", err, logc)
- return reconcile.Result{}, err
- }
-
 var esSecrets []*corev1.Secret
 if !r.multiTenant {
 // Get secrets used by the manager to authenticate with Elasticsearch. This is used for Kibana login, and isn't
@@ -607,7 +591,6 @@ func (r *ReconcileManager) Reconcile(ctx context.Context, request reconcile.Requ
 KeyValidatorConfig: keyValidatorConfig,
 ESSecrets: esSecrets,
 TrustedCertBundle: trustedBundle,
- ClusterConfig: clusterConfig,
 TLSKeyPair: tlsSecret,
 VoltronLinseedKeyPair: linseedVoltronServerCert,
 PullSecrets: pullSecrets,
diff --git a/pkg/controller/manager/manager_controller_test.go b/pkg/controller/manager/manager_controller_test.go
index 89ab6add35..cce1363487 100644
--- a/pkg/controller/manager/manager_controller_test.go
+++ b/pkg/controller/manager/manager_controller_test.go
@@ -49,7 +49,6 @@ import (
 "github.com/tigera/operator/pkg/controller/utils"
 "github.com/tigera/operator/pkg/dns"
 "github.com/tigera/operator/pkg/render"
- relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 rmeta "github.com/tigera/operator/pkg/render/common/meta"
 "github.com/tigera/operator/pkg/render/common/secret"
 rsecret "github.com/tigera/operator/pkg/render/common/secret"
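Review bot: With the `utils.GetElasticsearchClusterConfig` block gone, `errors.IsNotFound` no longer appears in this part of Reconcile; if that was the file's only use of `k8s.io/apimachinery/pkg/api/errors`, the import has to be removed as well or the package will not compile, and the import block of manager_controller.go is not part of this diff. A `go vet ./pkg/controller/manager/...` before merging settles it either way. Reconcile continues on both sides of both hunks.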
@@ -200,8 +199,6 @@ var _ = Describe("Manager controller tests", func() {
 ObjectMeta: metav1.ObjectMeta{Name: common.TigeraPrometheusNamespace},
 })).NotTo(HaveOccurred())
 
- Expect(c.Create(ctx, relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred())
-
 // Provision certificates that the controller will query as part of the test.
 var err error
 certificateManager, err = certificatemanager.Create(c, nil, "", common.OperatorNamespace(), certificatemanager.AllowCACreation())
@@ -217,10 +214,7 @@ var _ = Describe("Manager controller tests", func() {
 promKp, err := certificateManager.GetOrCreateKeyPair(c, monitor.PrometheusTLSSecretName, common.OperatorNamespace(), []string{monitor.PrometheusTLSSecretName})
 Expect(err).NotTo(HaveOccurred())
 Expect(c.Create(ctx, promKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred())
- gwKp, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret})
- Expect(err).NotTo(HaveOccurred())
- Expect(c.Create(ctx, gwKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred())
- linseedKp, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret})
+ linseedKp, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, common.OperatorNamespace(), []string{render.TigeraLinseedSecret})
 Expect(err).NotTo(HaveOccurred())
 Expect(c.Create(ctx, linseedKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred())
 queryServerKp, err := certificateManager.GetOrCreateKeyPair(c, render.ProjectCalicoAPIServerTLSSecretName(operatorv1.TigeraSecureEnterprise), common.OperatorNamespace(), []string{render.ProjectCalicoAPIServerTLSSecretName(operatorv1.TigeraSecureEnterprise)})
@@ -523,10 +517,7 @@ var _ = Describe("Manager controller tests", func() {
 promKp, err := certificateManager.GetOrCreateKeyPair(c, monitor.PrometheusTLSSecretName, common.OperatorNamespace(), []string{monitor.PrometheusTLSSecretName})
 Expect(err).NotTo(HaveOccurred())
 Expect(c.Create(ctx, promKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred())
- gwKp, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret})
- Expect(err).NotTo(HaveOccurred())
- Expect(c.Create(ctx, gwKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred())
- linseedKp, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret})
+ linseedKp, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, common.OperatorNamespace(), []string{render.TigeraLinseedSecret})
 Expect(err).NotTo(HaveOccurred())
 Expect(c.Create(ctx, linseedKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred())
 queryServerKp, err := certificateManager.GetOrCreateKeyPair(c, render.ProjectCalicoAPIServerTLSSecretName(operatorv1.TigeraSecureEnterprise), common.OperatorNamespace(), []string{render.ProjectCalicoAPIServerTLSSecretName(operatorv1.TigeraSecureEnterprise)})
@@ -536,8 +527,6 @@ var _ = Describe("Manager controller tests", func() {
 Expect(err).NotTo(HaveOccurred())
 Expect(c.Create(ctx, internalCertKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred())
 
- Expect(c.Create(ctx, relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred())
-
 Expect(c.Create(ctx, &corev1.Secret{
 ObjectMeta: metav1.ObjectMeta{
 Name: render.ElasticsearchManagerUserSecret,
diff --git a/pkg/controller/policyrecommendation/policyrecommendation_controller.go b/pkg/controller/policyrecommendation/policyrecommendation_controller.go
index 8095ff6b1d..6a26fe16d1 100644
--- a/pkg/controller/policyrecommendation/policyrecommendation_controller.go
+++ b/pkg/controller/policyrecommendation/policyrecommendation_controller.go
@@ -35,7 +35,6 @@ import (
 "github.com/tigera/operator/pkg/controller/utils/imageset"
 "github.com/tigera/operator/pkg/render"
 rcertificatemanagement "github.com/tigera/operator/pkg/render/certificatemanagement"
- relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 "github.com/tigera/operator/pkg/tls/certificatemanagement"
 
 "k8s.io/apimachinery/pkg/api/errors"
@@ -114,7 +113,6 @@ func Add(mgr manager.Manager, opts options.AddOptions) error {
 // Watch the given secrets in each both the policy-recommendation and operator namespaces
 for _, namespace := range watchNamespaces {
 for _, secretName := range []string{
- relasticsearch.PublicCertSecret,
 render.ElasticsearchPolicyRecommendationUserSecret,
 certificatemanagement.CASecretName,
 render.ManagerInternalTLSSecretName,
diff --git a/pkg/controller/policyrecommendation/policyrecommendation_controller_test.go b/pkg/controller/policyrecommendation/policyrecommendation_controller_test.go
index 4fdb262730..db4948cebe 100644
--- a/pkg/controller/policyrecommendation/policyrecommendation_controller_test.go
+++ b/pkg/controller/policyrecommendation/policyrecommendation_controller_test.go
@@ -46,7 +46,6 @@ import (
 "github.com/tigera/operator/pkg/controller/status"
 "github.com/tigera/operator/pkg/controller/utils"
 "github.com/tigera/operator/pkg/render"
- relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 "github.com/tigera/operator/test"
 )
 
@@ -140,9 +139,6 @@ var _ = Describe("PolicyRecommendation controller tests", func() {
 certificateManager, err := certificatemanager.Create(c, nil, "", common.OperatorNamespace(), certificatemanager.AllowCACreation())
 Expect(err).NotTo(HaveOccurred())
 Expect(c.Create(ctx, certificateManager.KeyPair().Secret(common.OperatorNamespace()))) // Persist the root-ca in the operator namespace.
- kiibanaTLS, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret})
- Expect(err).NotTo(HaveOccurred())
- Expect(c.Create(ctx, kiibanaTLS.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred())
 linseedTLS, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, common.OperatorNamespace(), []string{render.TigeraLinseedSecret})
 Expect(err).NotTo(HaveOccurred())
 Expect(c.Create(ctx, linseedTLS.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred())
diff --git a/pkg/controller/utils/elasticsearch.go b/pkg/controller/utils/elasticsearch.go
index 74440840ac..eb84f149ae 100644
--- a/pkg/controller/utils/elasticsearch.go
+++ b/pkg/controller/utils/elasticsearch.go
@@ -30,8 +30,6 @@ import (
 operatorv1 "github.com/tigera/operator/api/v1"
 "github.com/tigera/operator/pkg/common"
 "github.com/tigera/operator/pkg/render"
- relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
- corev1 "k8s.io/api/core/v1"
 
 "k8s.io/apimachinery/pkg/api/resource"
 "k8s.io/apimachinery/pkg/types"
@@ -92,17 +90,6 @@ func ElasticsearchSecrets(ctx context.Context, userSecretNames []string, cli cli
 return esUserSecrets, nil
 }
 
-// GetElasticsearchClusterConfig retrieves the config map containing the elasticsearch configuration values, such as the
-// the cluster name and replica count.
-func GetElasticsearchClusterConfig(ctx context.Context, cli client.Client) (*relasticsearch.ClusterConfig, error) {
- configMap := &corev1.ConfigMap{}
- if err := cli.Get(ctx, client.ObjectKey{Name: relasticsearch.ClusterConfigConfigMapName, Namespace: common.OperatorNamespace()}, configMap); err != nil {
- return nil, err
- }
-
- return relasticsearch.NewClusterConfigFromConfigMap(configMap)
-}
-
 type ElasticsearchClientCreator func(client client.Client, ctx context.Context, elasticHTTPSEndpoint string) (ElasticClient, error)
 
 type ElasticClient interface {
diff --git a/pkg/render/common/elasticsearch/clusterconfig.go b/pkg/render/common/elasticsearch/clusterconfig.go
index dc442b3eed..63cdffbcd4 100644
--- a/pkg/render/common/elasticsearch/clusterconfig.go
+++ b/pkg/render/common/elasticsearch/clusterconfig.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2020 Tigera, Inc. All rights reserved.
+// Copyright (c) 2020, 2023 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -15,21 +15,9 @@
 package elasticsearch
 
 import (
- "fmt"
- "strconv"
-
- "github.com/pkg/errors"
- corev1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-
- "github.com/tigera/operator/pkg/common"
 rmeta "github.com/tigera/operator/pkg/render/common/meta"
 )
 
-const (
- ClusterConfigConfigMapName = "tigera-secure-elasticsearch"
-)
-
 func NewClusterConfig(clusterName string, replicas int, shards int, flowShards int) *ClusterConfig {
 return &ClusterConfig{
 clusterName: clusterName,
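Review bot: `NewClusterConfig` in the clusterconfig.go hunk is exported but has no doc comment, and now that `NewClusterConfigFromConfigMap` and `ConfigMap()` are gone it is the only way to build a `ClusterConfig`, so a reader has nothing telling them what the four arguments mean or where the values come from. Suggest `// NewClusterConfig returns a ClusterConfig holding the Elasticsearch cluster name and the replica, shard and flow-log shard counts.` above the signature; the `ClusterConfig` struct in the following hunk deserves a similar one-liner. NewClusterConfig's body ends outside the hunk.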
@@ -39,41 +27,6 @@ func NewClusterConfig(clusterName string, replicas int, shards int, flowShards i
 }
 }
 
-func NewClusterConfigFromConfigMap(configMap *corev1.ConfigMap) (*ClusterConfig, error) {
- var replicas, shards, flowShards int
- var err error
-
- if configMap.Data["clusterName"] == "" {
- return nil, fmt.Errorf("'clusterName' is not set")
- }
-
- if configMap.Data["replicas"] == "" {
- return nil, fmt.Errorf("'replicas' is not set")
- } else {
- if replicas, err = strconv.Atoi(configMap.Data["replicas"]); err != nil {
- return nil, errors.Wrap(err, "'replicas' must be an integer")
- }
- }
-
- if configMap.Data["shards"] == "" {
- return nil, fmt.Errorf("'shards' is not set")
- } else {
- if shards, err = strconv.Atoi(configMap.Data["shards"]); err != nil {
- return nil, errors.Wrap(err, "'shards' must be an integer")
- }
- }
-
- if configMap.Data["flowShards"] == "" {
- return nil, fmt.Errorf("'flowShards' is not set")
- } else {
- if flowShards, err = strconv.Atoi(configMap.Data["flowShards"]); err != nil {
- return nil, errors.Wrap(err, "'flowShards' must be an integer")
- }
- }
-
- return NewClusterConfig(configMap.Data["clusterName"], replicas, shards, flowShards), nil
-}
-
 type ClusterConfig struct {
 clusterName string
 replicas int
@@ -100,18 +53,3 @@ func (c ClusterConfig) FlowShards() int {
 func (c ClusterConfig) Annotation() string {
 return rmeta.AnnotationHash(c)
 }
-
-func (c ClusterConfig) ConfigMap() *corev1.ConfigMap {
- return &corev1.ConfigMap{
- ObjectMeta: metav1.ObjectMeta{
- Name: ClusterConfigConfigMapName,
- Namespace: common.OperatorNamespace(),
- },
- Data: map[string]string{
- "clusterName": c.clusterName,
- "replicas": strconv.Itoa(c.replicas),
- "shards": strconv.Itoa(c.shards),
- "flowShards": strconv.Itoa(c.flowShards),
- },
- }
-}
diff --git a/pkg/render/common/elasticsearch/decorator.go b/pkg/render/common/elasticsearch/decorator.go
index fec99b6a8a..edf67633e2 100644
--- a/pkg/render/common/elasticsearch/decorator.go
+++ b/pkg/render/common/elasticsearch/decorator.go @@ -15,8 +15,6 @@ package elasticsearch import ( - "strconv" - rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/secret" "github.com/tigera/operator/pkg/tls/certificatemanagement" @@ -49,34 +47,17 @@ func elasticCertPath(osType rmeta.OSType) string { return certificatemanagement.TrustedCertBundleMountPath } -func DecorateAnnotations(obj Annotatable, config *ClusterConfig, secrets []*corev1.Secret) Annotatable { +func DecorateAnnotations(obj Annotatable, secrets []*corev1.Secret) Annotatable { annots := obj.GetAnnotations() if annots == nil { annots = map[string]string{} } - annots[elasticsearchConfigMapAnnotation] = config.Annotation() annots[elasticsearchSecretsAnnotation] = rmeta.SecretsAnnotationHash(secrets...) obj.SetAnnotations(annots) return obj } -// ContainerDecorate is the legacy implementation, which does not support multi-tenancy. -// Use DecorateEnvironment instead. -func ContainerDecorate(c corev1.Container, cluster, secret, clusterDomain string, osType rmeta.OSType) corev1.Container { - return DecorateEnvironment(c, "tigera-elasticsearch", cluster, secret, clusterDomain, osType) -} - -func ContainerDecorateIndexCreator(c corev1.Container, replicas, shards int) corev1.Container { - envVars := []corev1.EnvVar{ - {Name: "ELASTIC_REPLICAS", Value: strconv.Itoa(replicas)}, - {Name: "ELASTIC_SHARDS", Value: strconv.Itoa(shards)}, - } - c.Env = append(c.Env, envVars...) - - return c -} - func DecorateEnvironment(c corev1.Container, namespace string, cluster, esUserSecretName, clusterDomain string, osType rmeta.OSType) corev1.Container { certPath := elasticCertPath(osType) esScheme, esHost, esPort, _ := url.ParseEndpoint(GatewayEndpoint(osType, clusterDomain, namespace)) diff --git a/pkg/render/common/elasticsearch/decorator_test.go b/pkg/render/common/elasticsearch/decorator_test.go index acb475e21f..97d0451ef0 100644 
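Review bot: The line `annots[elasticsearchConfigMapAnnotation] = config.Annotation()` is deleted but the `elasticsearchConfigMapAnnotation` key itself is not touched anywhere in this diff; if it is declared in this file it is now dead and should go with the parameter, otherwise the dangling annotation key invites someone to wire it back in. `DecorateAnnotations` is also exported without a doc comment even though its signature just changed; `// DecorateAnnotations stamps obj with a hash of the given Elasticsearch secrets so the annotation changes whenever the secrets do.` would cover it. DecorateEnvironment's body continues outside the hunk.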
--- a/pkg/render/common/elasticsearch/decorator_test.go
+++ b/pkg/render/common/elasticsearch/decorator_test.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2019 Tigera, Inc. All rights reserved.
+// Copyright (c) 2019, 2023 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -43,9 +43,9 @@ var _ = Describe("Elasticsearch decorator tests", func() {
 }},
 }
 })
- Context("relasticsearch.ContainerDecorate", func() {
+ Context("relasticsearch.DecorateEnvironment", func() {
 DescribeTable("should decorate a container with the ES host and port", func(clusterDomain, expectedESHost string, os rmeta.OSType) {
- c := ContainerDecorate(container, "test-cluster", "secret", clusterDomain, os)
+ c := DecorateEnvironment(container, "test-ns", "test-cluster", "secret", clusterDomain, os)
 
 expectedEnvs := []corev1.EnvVar{
 {Name: "ELASTIC_HOST", Value: expectedESHost},
diff --git a/pkg/render/common/elasticsearch/tls.go b/pkg/render/common/elasticsearch/tls.go
index 47d960392b..ffe829ff47 100644
--- a/pkg/render/common/elasticsearch/tls.go
+++ b/pkg/render/common/elasticsearch/tls.go
@@ -1,4 +1,4 @@
-// Copyright (c) 2022 Tigera, Inc. All rights reserved.
+// Copyright (c) 2022 - 2023 Tigera, Inc. All rights reserved.
 
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -15,6 +15,5 @@
 package elasticsearch
 
 const (
- PublicCertSecret = "tigera-secure-es-gateway-http-certs-public"
 UnusedCertSecret = "tigera-secure-es-http-certs-unused"
 )
diff --git a/pkg/render/compliance.go b/pkg/render/compliance.go
index ccebf98771..7e28635a5c 100644
--- a/pkg/render/compliance.go
+++ b/pkg/render/compliance.go
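Review bot: The rewritten call passes `"test-ns"` as the namespace to `DecorateEnvironment`, whereas the removed `ContainerDecorate` hard-wired `"tigera-elasticsearch"`; since `DecorateEnvironment` derives the ES host from `GatewayEndpoint(osType, clusterDomain, namespace)` (visible in the decorator.go hunk), the `expectedESHost` values in the table entries below this hunk now have to contain `test-ns` or the `ELASTIC_HOST` assertion fails. Those entries are outside the diff, so please confirm they were updated, or pass `"tigera-elasticsearch"` here to keep the expectations unchanged. The `Context` label change is cosmetic.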
@@ -34,7 +34,6 @@ import (
 "github.com/tigera/operator/pkg/components"
 "github.com/tigera/operator/pkg/render/common/authentication"
 "github.com/tigera/operator/pkg/render/common/configmap"
- relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 rmeta "github.com/tigera/operator/pkg/render/common/meta"
 "github.com/tigera/operator/pkg/render/common/networkpolicy"
 "github.com/tigera/operator/pkg/render/common/podsecuritypolicy"
@@ -105,7 +104,6 @@ func Compliance(cfg *ComplianceConfiguration) (Component, error) {
 type ComplianceConfiguration struct {
 ESSecrets []*corev1.Secret
 Installation *operatorv1.InstallationSpec
- ESClusterConfig *relasticsearch.ClusterConfig
 PullSecrets []*corev1.Secret
 Openshift bool
 ManagementCluster *operatorv1.ManagementCluster
diff --git a/pkg/render/compliance_test.go b/pkg/render/compliance_test.go
index 42f808c42e..fd95244974 100644
--- a/pkg/render/compliance_test.go
+++ b/pkg/render/compliance_test.go
@@ -36,7 +36,6 @@ import (
 "github.com/tigera/operator/pkg/controller/certificatemanager"
 "github.com/tigera/operator/pkg/dns"
 "github.com/tigera/operator/pkg/render"
- relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 rmeta "github.com/tigera/operator/pkg/render/common/meta"
 rtest "github.com/tigera/operator/pkg/render/common/test"
 "github.com/tigera/operator/pkg/render/testutils"
@@ -87,7 +86,6 @@ var _ = Describe("compliance rendering tests", func() {
 ReporterKeyPair: reporterKP,
 BenchmarkerKeyPair: benchmarkerKP,
 SnapshotterKeyPair: snapshotterKP,
- ESClusterConfig: relasticsearch.NewClusterConfig("cluster", 1, 1, 1),
 Openshift: notOpenshift,
 ClusterDomain: clusterDomain,
 TrustedBundle: bundle,
diff --git a/pkg/render/fluentd.go b/pkg/render/fluentd.go
index 3d2b19abb0..c9a26c74dc 100644
--- a/pkg/render/fluentd.go
+++ b/pkg/render/fluentd.go
@@ -150,17 +150,14 @@ type FluentdConfiguration struct {
 S3Credential *S3Credential
 SplkCredential *SplunkCredential
 Filters *FluentdFilters
- // ESClusterConfig is only populated for when EKSConfig
- // is also defined
- ESClusterConfig *relasticsearch.ClusterConfig
- EKSConfig *EksCloudwatchLogConfig
- PullSecrets []*corev1.Secret
- Installation *operatorv1.InstallationSpec
- ClusterDomain string
- OSType rmeta.OSType
- FluentdKeyPair certificatemanagement.KeyPairInterface
- TrustedBundle certificatemanagement.TrustedBundle
- ManagedCluster bool
+ EKSConfig *EksCloudwatchLogConfig
+ PullSecrets []*corev1.Secret
+ Installation *operatorv1.InstallationSpec
+ ClusterDomain string
+ OSType rmeta.OSType
+ FluentdKeyPair certificatemanagement.KeyPairInterface
+ TrustedBundle certificatemanagement.TrustedBundle
+ ManagedCluster bool
 
 // Set if running as a multi-tenant management cluster. Configures the management cluster's
 // own fluentd daemonset.
@@ -1076,7 +1073,7 @@ func (c *fluentdComponent) eksLogForwarderDeployment() *appsv1.Deployment {
 Tolerations: c.cfg.Installation.ControlPlaneTolerations,
 ServiceAccountName: eksLogForwarderName,
 ImagePullSecrets: secret.GetReferenceList(c.cfg.PullSecrets),
- InitContainers: []corev1.Container{relasticsearch.ContainerDecorate(corev1.Container{
+ InitContainers: []corev1.Container{relasticsearch.DecorateEnvironment(corev1.Container{
 Name: eksLogForwarderName + "-startup",
 Image: c.image,
 ImagePullPolicy: ImagePullPolicy(),
@@ -1084,15 +1081,15 @@ func (c *fluentdComponent) eksLogForwarderDeployment() *appsv1.Deployment {
 Env: envVars,
 SecurityContext: c.securityContext(false),
 VolumeMounts: c.eksLogForwarderVolumeMounts(),
- }, c.cfg.ESClusterConfig.ClusterName(), ElasticsearchEksLogForwarderUserSecret, c.cfg.ClusterDomain, c.cfg.OSType)},
- Containers: []corev1.Container{relasticsearch.ContainerDecorate(corev1.Container{
+ }, ElasticsearchNamespace, DefaultElasticsearchClusterName, ElasticsearchEksLogForwarderUserSecret, c.cfg.ClusterDomain, c.cfg.OSType)},
+ Containers: []corev1.Container{relasticsearch.DecorateEnvironment(corev1.Container{
 Name: eksLogForwarderName,
 Image: c.image,
 ImagePullPolicy: ImagePullPolicy(),
 Env: envVars,
 SecurityContext: c.securityContext(false),
 VolumeMounts: c.eksLogForwarderVolumeMounts(),
- }, c.cfg.ESClusterConfig.ClusterName(), ElasticsearchEksLogForwarderUserSecret, c.cfg.ClusterDomain, c.cfg.OSType)},
+ }, ElasticsearchNamespace, DefaultElasticsearchClusterName, ElasticsearchEksLogForwarderUserSecret, c.cfg.ClusterDomain, c.cfg.OSType)},
 Volumes: c.eksLogForwarderVolumes(),
 },
 },
diff --git a/pkg/render/fluentd_test.go b/pkg/render/fluentd_test.go
index c83d8908f0..d0842d4db0 100644
--- a/pkg/render/fluentd_test.go
+++ b/pkg/render/fluentd_test.go
@@ -34,7 +34,6 @@ import (
 "github.com/tigera/operator/pkg/controller/certificatemanager"
 "github.com/tigera/operator/pkg/dns"
 "github.com/tigera/operator/pkg/render"
- relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 rmeta "github.com/tigera/operator/pkg/render/common/meta"
 rtest "github.com/tigera/operator/pkg/render/common/test"
 "github.com/tigera/operator/pkg/render/testutils"
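Review bot: Both container decorations now pass the constant `DefaultElasticsearchClusterName` where the removed code passed `c.cfg.ESClusterConfig.ClusterName()`, so an installation whose ES cluster name was not the default will have its EKS log forwarder pointed at a different `ELASTIC_INDEX_SUFFIX` after upgrade (the intrusion_detection_test.go hunks show that value is what the cluster name feeds); the same substitution appears in the preceding fluentd.go hunk and in the two `intrusion_detection.go` hunks. If a non-default cluster name is simply no longer supported, a comment at the first call site, `// The ES cluster name is fixed to DefaultElasticsearchClusterName; the per-cluster ConfigMap is no longer consulted.`, would make that explicit instead of leaving it to be rediscovered. eksLogForwarderDeployment continues on both sides of the hunk.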
@@ -820,7 +819,6 @@ var _ = Describe("Tigera Secure Fluentd rendering tests", func() {
 GroupName: "dummy-eks-cluster-cloudwatch-log-group",
 FetchInterval: fetchInterval,
 }
- cfg.ESClusterConfig = relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1)
 t := corev1.Toleration{
 Key: "foo",
 Operator: corev1.TolerationOpEqual,
diff --git a/pkg/render/intrusion_detection.go b/pkg/render/intrusion_detection.go
index 85fdbc358f..1769839e75 100644
--- a/pkg/render/intrusion_detection.go
+++ b/pkg/render/intrusion_detection.go
@@ -122,7 +122,6 @@ type IntrusionDetectionConfiguration struct {
 LogCollector *operatorv1.LogCollector
 ESSecrets []*corev1.Secret
 Installation *operatorv1.InstallationSpec
- ESClusterConfig *relasticsearch.ClusterConfig
 PullSecrets []*corev1.Secret
 Openshift bool
 ClusterDomain string
@@ -321,13 +320,13 @@ func (c *intrusionDetectionComponent) intrusionDetectionElasticsearchJob() *batc
 RestartPolicy: corev1.RestartPolicyNever,
 ImagePullSecrets: secret.GetReferenceList(c.cfg.PullSecrets),
 Containers: []corev1.Container{
- relasticsearch.ContainerDecorate(c.intrusionDetectionJobContainer(), c.cfg.ESClusterConfig.ClusterName(),
+ relasticsearch.DecorateEnvironment(c.intrusionDetectionJobContainer(), ElasticsearchNamespace, DefaultElasticsearchClusterName,
 ElasticsearchIntrusionDetectionJobUserSecret, c.cfg.ClusterDomain, rmeta.OSTypeLinux),
 },
 Volumes: []corev1.Volume{c.cfg.TrustedCertBundle.Volume()},
 ServiceAccountName: IntrusionDetectionInstallerJobName,
 },
- }, c.cfg.ESClusterConfig, c.cfg.ESSecrets).(*corev1.PodTemplateSpec)
+ }, c.cfg.ESSecrets).(*corev1.PodTemplateSpec)
 
 return &batchv1.Job{
 TypeMeta: metav1.TypeMeta{Kind: "Job", APIVersion: "batch/v1"},
@@ -701,10 +700,8 @@ func (c *intrusionDetectionComponent) deploymentPodTemplate() *corev1.PodTemplat
 })
 }
 
- container := relasticsearch.ContainerDecorateIndexCreator(
- relasticsearch.ContainerDecorate(c.intrusionDetectionControllerContainer(), c.cfg.ESClusterConfig.ClusterName(),
- ElasticsearchIntrusionDetectionUserSecret, c.cfg.ClusterDomain, rmeta.OSTypeLinux),
- c.cfg.ESClusterConfig.Replicas(), c.cfg.ESClusterConfig.Shards())
+ container := relasticsearch.DecorateEnvironment(c.intrusionDetectionControllerContainer(), ElasticsearchNamespace, DefaultElasticsearchClusterName,
+ ElasticsearchIntrusionDetectionUserSecret, c.cfg.ClusterDomain, rmeta.OSTypeLinux)
 
 if c.cfg.ManagedCluster {
 envVars := []corev1.EnvVar{
@@ -734,7 +731,7 @@ func (c *intrusionDetectionComponent) deploymentPodTemplate() *corev1.PodTemplat
 },
 Volumes: volumes,
 },
- }, c.cfg.ESClusterConfig, c.cfg.ESSecrets).(*corev1.PodTemplateSpec)
+ }, c.cfg.ESSecrets).(*corev1.PodTemplateSpec)
 }
 
 func (c *intrusionDetectionComponent) intrusionDetectionControllerContainer() corev1.Container {
diff --git a/pkg/render/intrusion_detection_test.go b/pkg/render/intrusion_detection_test.go
index d62ff04b4c..6a7ab4de46 100644
--- a/pkg/render/intrusion_detection_test.go
+++ b/pkg/render/intrusion_detection_test.go
@@ -38,7 +38,6 @@ import (
 "github.com/tigera/operator/pkg/controller/certificatemanager"
 "github.com/tigera/operator/pkg/dns"
 "github.com/tigera/operator/pkg/render"
- relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 rmeta "github.com/tigera/operator/pkg/render/common/meta"
 rtest "github.com/tigera/operator/pkg/render/common/test"
 "github.com/tigera/operator/pkg/render/testutils"
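Review bot: Dropping the `ContainerDecorateIndexCreator` wrapper means the intrusion-detection controller container no longer receives `ELASTIC_REPLICAS` and `ELASTIC_SHARDS` (the removed helper in the decorator.go hunk is what set them), so if that controller still creates indices it will fall back to whatever defaults are built into the image; nothing in this diff shows the consumer side, so please confirm the controller no longer reads those variables. If it does not, a short comment where `container` is built, `// Replica/shard env vars intentionally dropped: index settings are no longer managed through the operator.`, would stop someone re-adding them. deploymentPodTemplate continues on both sides of the hunk.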
@@ -93,7 +92,6 @@ var _ = Describe("Intrusion Detection rendering tests", func() { TrustedCertBundle: bundle, IntrusionDetectionCertSecret: keyPair, Installation: &operatorv1.InstallationSpec{Registry: "testregistry.com/"}, - ESClusterConfig: relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1), ClusterDomain: dns.DefaultClusterDomain, ESLicenseType: render.ElasticsearchLicenseTypeUnknown, ManagedCluster: notManagedCluster, @@ -156,7 +154,6 @@ var _ = Describe("Intrusion Detection rendering tests", func() { idji := rtest.GetResource(resources, "intrusion-detection-es-job-installer", render.IntrusionDetectionNamespace, "batch", "v1", "Job").(*batchv1.Job) Expect(idc.Spec.Template.Spec.Containers).To(HaveLen(1)) Expect(idc.Spec.Template.Spec.Containers[0].Env).Should(ContainElements( - corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, corev1.EnvVar{Name: "LINSEED_URL", Value: "https://tigera-linseed.tigera-elasticsearch.svc"}, corev1.EnvVar{Name: "LINSEED_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, corev1.EnvVar{Name: "LINSEED_CLIENT_CERT", Value: "/intrusion-detection-tls/tls.crt"}, @@ -164,9 +161,6 @@ var _ = Describe("Intrusion Detection rendering tests", func() { corev1.EnvVar{Name: "FIPS_MODE_ENABLED", Value: "false"}, )) Expect(idji.Spec.Template.Spec.Containers).To(HaveLen(1)) - Expect(idji.Spec.Template.Spec.Containers[0].Env).Should(ContainElements( - corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, - )) Expect(*idji.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(BeFalse()) Expect(*idji.Spec.Template.Spec.Containers[0].SecurityContext.Privileged).To(BeFalse()) 
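Review bot: In the `-156` and `-164` hunks the assertions on `ELASTIC_INDEX_SUFFIX` are deleted rather than updated, so the test no longer checks that `DecorateEnvironment` sets the suffix at all; since the rendering code now passes `DefaultElasticsearchClusterName`, the expectation should become `corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: render.DefaultElasticsearchClusterName}` for both the deployment and the job, assuming that constant is exported from `render` (this diff references it only unqualified, from inside the package). As written, a regression that drops the variable entirely would still pass.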
@@ -437,7 +431,6 @@ var _ = Describe("Intrusion Detection rendering tests", func() {
 cfg.Installation = &operatorv1.InstallationSpec{
 ControlPlaneNodeSelector: map[string]string{"foo": "bar"},
 }
- cfg.ESClusterConfig = &relasticsearch.ClusterConfig{}
 component := render.IntrusionDetection(cfg)
 resources, _ := component.Objects()
 idc := rtest.GetResource(resources, "intrusion-detection-controller", render.IntrusionDetectionNamespace, "apps", "v1", "Deployment").(*appsv1.Deployment)
@@ -455,7 +448,6 @@ var _ = Describe("Intrusion Detection rendering tests", func() {
 cfg.Installation = &operatorv1.InstallationSpec{
 ControlPlaneTolerations: []corev1.Toleration{t},
 }
- cfg.ESClusterConfig = &relasticsearch.ClusterConfig{}
 component := render.IntrusionDetection(cfg)
 resources, _ := component.Objects()
 idc := rtest.GetResource(resources, "intrusion-detection-controller", render.IntrusionDetectionNamespace, "apps", "v1", "Deployment").(*appsv1.Deployment)
diff --git a/pkg/render/intrusiondetection/dpi/dpi.go b/pkg/render/intrusiondetection/dpi/dpi.go
index e63eec0037..c3208be623 100644
--- a/pkg/render/intrusiondetection/dpi/dpi.go
+++ b/pkg/render/intrusiondetection/dpi/dpi.go
@@ -30,7 +30,6 @@ import (
 "github.com/tigera/operator/pkg/common"
 "github.com/tigera/operator/pkg/components"
 "github.com/tigera/operator/pkg/render"
- relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 "github.com/tigera/operator/pkg/render/common/meta"
 "github.com/tigera/operator/pkg/render/common/networkpolicy"
 "github.com/tigera/operator/pkg/render/common/secret"
@@ -58,7 +57,6 @@ type DPIConfig struct {
 ManagementCluster bool
 HasNoLicense bool
 HasNoDPIResource bool
- ESClusterConfig *relasticsearch.ClusterConfig
 ClusterDomain string
 DPICertSecret certificatemanagement.KeyPairInterface
 }
@@ -95,10 +93,6 @@ func (d *dpiComponent) Objects() (objsToCreate, objsToDelete []client.Object) {
 }
 if d.cfg.HasNoDPIResource || d.cfg.HasNoLicense {
 toDelete = append(toDelete, d.dpiAllowTigeraPolicy())
- toDelete = append(toDelete, &corev1.Secret{
- TypeMeta: metav1.TypeMeta{Kind: "Secret", APIVersion: "v1"},
- ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: DeepPacketInspectionNamespace},
- })
 
 toDelete = append(toDelete, secret.ToRuntimeObjects(secret.CopyToNamespace(DeepPacketInspectionNamespace, d.cfg.PullSecrets...)...)...)
 toDelete = append(toDelete, d.dpiServiceAccount(),
diff --git a/pkg/render/intrusiondetection/dpi/dpi_test.go b/pkg/render/intrusiondetection/dpi/dpi_test.go
index 7a712d340f..6a2760440e 100644
--- a/pkg/render/intrusiondetection/dpi/dpi_test.go
+++ b/pkg/render/intrusiondetection/dpi/dpi_test.go
@@ -37,7 +37,6 @@ import (
 "github.com/tigera/operator/pkg/controller/certificatemanager"
 "github.com/tigera/operator/pkg/dns"
 "github.com/tigera/operator/pkg/render"
- relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
 rtest "github.com/tigera/operator/pkg/render/common/test"
 "github.com/tigera/operator/pkg/render/intrusiondetection/dpi"
 "github.com/tigera/operator/pkg/render/testutils"
@@ -164,8 +163,6 @@ var (
 },
 }
 
- esConfigMap = relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1)
-
 pullSecrets = []*corev1.Secret{{
 TypeMeta: metav1.TypeMeta{Kind: "Secret", APIVersion: "v1"},
 ObjectMeta: metav1.ObjectMeta{Name: "pull-secret", Namespace: common.OperatorNamespace()},
@@ -224,7 +221,6 @@ var _ = Describe("DPI rendering tests", func() {
 Openshift: false,
 HasNoLicense: false,
 HasNoDPIResource: false,
- ESClusterConfig: esConfigMap,
 ClusterDomain: dns.DefaultClusterDomain,
 DPICertSecret: dpiCertSecret,
 }
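Review bot: Removing the `toDelete` entry for the gateway cert copy means a `tigera-secure-es-gateway-http-certs-public` Secret that an earlier operator version copied into `DeepPacketInspectionNamespace` is never cleaned up on upgrade; judging by the name it holds the public half of the cert, so what lingers is stale trust material rather than a key, but it is still an object the operator created and now silently stops owning. Consider keeping the deletion for at least one release, with the name spelled as a literal now that `relasticsearch.PublicCertSecret` is gone, under a comment such as `// Clean up the ES gateway cert copy left behind by releases that still rendered it.` Objects() continues outside the hunk.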
@@ -278,7 +274,6 @@ var _ = Describe("DPI rendering tests", func() { Openshift: false, HasNoLicense: false, HasNoDPIResource: false, - ESClusterConfig: esConfigMap, ClusterDomain: dns.DefaultClusterDomain, DPICertSecret: dpiCertSecret, ManagementCluster: true, @@ -325,7 +320,6 @@ var _ = Describe("DPI rendering tests", func() { Openshift: false, HasNoLicense: false, HasNoDPIResource: false, - ESClusterConfig: esConfigMap, ClusterDomain: dns.DefaultClusterDomain, DPICertSecret: dpiCertSecret, ManagedCluster: true, @@ -372,7 +366,6 @@ var _ = Describe("DPI rendering tests", func() { HasNoLicense: false, HasNoDPIResource: true, ManagementCluster: true, - ESClusterConfig: esConfigMap, ClusterDomain: dns.DefaultClusterDomain, DPICertSecret: dpiCertSecret, } @@ -456,7 +449,6 @@ var _ = Describe("DPI rendering tests", func() { expectedResources := []resourceTestObj{ {name: dpi.DeepPacketInspectionNamespace, ns: "", group: "", version: "v1", kind: "Namespace"}, {name: dpi.DeepPacketInspectionPolicyName, ns: dpi.DeepPacketInspectionNamespace, group: "projectcalico.org", version: "v3", kind: "NetworkPolicy"}, - {name: relasticsearch.PublicCertSecret, ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "Secret"}, {name: "pull-secret", ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "Secret"}, {name: dpi.DeepPacketInspectionName, ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: dpi.DeepPacketInspectionName, ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, @@ -485,7 +477,6 @@ var _ = Describe("DPI rendering tests", func() { HasNoLicense: false, HasNoDPIResource: true, ManagedCluster: true, - ESClusterConfig: esConfigMap, ClusterDomain: dns.DefaultClusterDomain, DPICertSecret: dpiCertSecret, } 
@@ -494,7 +485,6 @@ var _ = Describe("DPI rendering tests", func() { expectedDeleteResources := []client.Object{ &v3.NetworkPolicy{ObjectMeta: metav1.ObjectMeta{Name: dpi.DeepPacketInspectionPolicyName, Namespace: dpi.DeepPacketInspectionNamespace}}, - &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: dpi.DeepPacketInspectionNamespace}}, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "pull-secret", Namespace: dpi.DeepPacketInspectionNamespace}}, &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: dpi.DeepPacketInspectionNamespace, Namespace: dpi.DeepPacketInspectionNamespace}}, &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: dpi.DeepPacketInspectionName}}, @@ -522,7 +512,6 @@ var _ = Describe("DPI rendering tests", func() { HasNoLicense: false, HasNoDPIResource: true, ManagementCluster: true, - ESClusterConfig: esConfigMap, ClusterDomain: dns.DefaultClusterDomain, DPICertSecret: dpiCertSecret, } @@ -531,7 +520,6 @@ var _ = Describe("DPI rendering tests", func() { expectedDeleteResources := []client.Object{ &v3.NetworkPolicy{ObjectMeta: metav1.ObjectMeta{Name: dpi.DeepPacketInspectionPolicyName, Namespace: dpi.DeepPacketInspectionNamespace}}, - &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: dpi.DeepPacketInspectionNamespace}}, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "pull-secret", Namespace: dpi.DeepPacketInspectionNamespace}}, &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: dpi.DeepPacketInspectionNamespace, Namespace: dpi.DeepPacketInspectionNamespace}}, &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: dpi.DeepPacketInspectionName}}, 
@@ -555,7 +543,6 @@ var _ = Describe("DPI rendering tests", func() { createResources, deleteResource := component.Objects() expectedResources := []resourceTestObj{ {name: dpi.DeepPacketInspectionPolicyName, ns: dpi.DeepPacketInspectionNamespace, group: "projectcalico.org", version: "v3", kind: "NetworkPolicy"}, - {name: relasticsearch.PublicCertSecret, ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "Secret"}, {name: "pull-secret", ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "Secret"}, {name: dpi.DeepPacketInspectionName, ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "ServiceAccount"}, {name: dpi.DeepPacketInspectionName, ns: "", group: "rbac.authorization.k8s.io", version: "v1", kind: "ClusterRole"}, diff --git a/pkg/render/logstorage.go b/pkg/render/logstorage.go index 3551dee550..803cda7906 100644 --- a/pkg/render/logstorage.go +++ b/pkg/render/logstorage.go @@ -371,7 +371,6 @@ func (es *elasticsearchComponent) Objects() ([]client.Object, []client.Object) { } toCreate = append(toCreate, es.elasticsearchServiceAccount()) - toCreate = append(toCreate, es.cfg.ClusterConfig.ConfigMap()) toCreate = append(toCreate, es.elasticsearchCluster()) @@ -1479,7 +1478,7 @@ func (es elasticsearchComponent) curatorCronJob() *batchv1.CronJob { NodeSelector: es.cfg.Installation.ControlPlaneNodeSelector, Tolerations: es.cfg.Installation.ControlPlaneTolerations, Containers: []corev1.Container{ - relasticsearch.ContainerDecorate(corev1.Container{ + relasticsearch.DecorateEnvironment(corev1.Container{ Name: ESCuratorName, Image: es.curatorImage, ImagePullPolicy: ImagePullPolicy(), 
@@ -1487,7 +1486,7 @@ func (es elasticsearchComponent) curatorCronJob() *batchv1.CronJob { LivenessProbe: elasticCuratorLivenessProbe, SecurityContext: securitycontext.NewNonRootContext(), VolumeMounts: es.cfg.TrustedBundle.VolumeMounts(es.SupportedOSType()), - }, DefaultElasticsearchClusterName, ElasticsearchCuratorUserSecret, es.cfg.ClusterDomain, es.SupportedOSType()), + }, ElasticsearchNamespace, DefaultElasticsearchClusterName, ElasticsearchCuratorUserSecret, es.cfg.ClusterDomain, es.SupportedOSType()), }, ImagePullSecrets: secret.GetReferenceList(es.cfg.PullSecrets), RestartPolicy: corev1.RestartPolicyOnFailure, diff --git a/pkg/render/logstorage/esgateway/esgateway.go b/pkg/render/logstorage/esgateway/esgateway.go index 7c12ea0d85..ba2257538f 100644 --- a/pkg/render/logstorage/esgateway/esgateway.go +++ b/pkg/render/logstorage/esgateway/esgateway.go @@ -32,7 +32,6 @@ import ( operatorv1 "github.com/tigera/operator/api/v1" "github.com/tigera/operator/pkg/components" "github.com/tigera/operator/pkg/render" - "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/networkpolicy" "github.com/tigera/operator/pkg/render/common/podaffinity" 
@@ -119,12 +118,6 @@ func (e *esGateway) Objects() (toCreate, toDelete []client.Object) { toCreate = append(toCreate, e.esGatewayServiceAccount()) toCreate = append(toCreate, e.esGatewayDeployment()) - // The following secret is used by kube controllers and sent to managed clusters. It is also used by manifests in our docs. - if e.cfg.ESGatewayKeyPair.UseCertificateManagement() { - toCreate = append(toCreate, render.CreateCertificateSecret(e.cfg.Installation.CertificateManagement.CACert, elasticsearch.PublicCertSecret, e.cfg.TruthNamespace)) - } else { - toCreate = append(toCreate, render.CreateCertificateSecret(e.cfg.ESGatewayKeyPair.GetCertificatePEM(), elasticsearch.PublicCertSecret, e.cfg.TruthNamespace)) - } if e.cfg.UsePSP { toCreate = append(toCreate, e.esGatewayPodSecurityPolicy()) } diff --git a/pkg/render/logstorage/esgateway/esgateway_test.go b/pkg/render/logstorage/esgateway/esgateway_test.go index 89f060c62e..e0af90f831 100644 --- a/pkg/render/logstorage/esgateway/esgateway_test.go +++ b/pkg/render/logstorage/esgateway/esgateway_test.go @@ -38,7 +38,6 @@ import ( "github.com/tigera/operator/pkg/controller/certificatemanager" "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/render/common/podaffinity" rtest "github.com/tigera/operator/pkg/render/common/test" "github.com/tigera/operator/pkg/render/kubecontrollers" 
@@ -94,7 +93,6 @@ var _ = Describe("ES Gateway rendering tests", func() { &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: RoleName, Namespace: render.ElasticsearchNamespace}}, &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: ServiceAccountName, Namespace: render.ElasticsearchNamespace}}, &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: DeploymentName, Namespace: render.ElasticsearchNamespace}}, - &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: common.OperatorNamespace()}}, &policyv1beta1.PodSecurityPolicy{ObjectMeta: metav1.ObjectMeta{Name: "tigera-esgateway"}}, } createResources, _ := EsGateway(cfg).Objects() @@ -134,7 +132,6 @@ var _ = Describe("ES Gateway rendering tests", func() { &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: RoleName, Namespace: render.ElasticsearchNamespace}}, &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: ServiceAccountName, Namespace: render.ElasticsearchNamespace}}, &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: DeploymentName, Namespace: render.ElasticsearchNamespace}}, - &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: common.OperatorNamespace()}}, &policyv1beta1.PodSecurityPolicy{ObjectMeta: metav1.ObjectMeta{Name: "tigera-esgateway"}}, } createResources, _ := EsGateway(cfg).Objects() diff --git a/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go b/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go index dfe8877a9d..b68f1c4214 100644 --- a/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go +++ b/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go 
@@ -228,7 +228,7 @@ func (e elasticsearchMetrics) metricsDeployment() *appsv1.Deployment { ServiceAccountName: ElasticsearchMetricsName, InitContainers: initContainers, Containers: []corev1.Container{ - relasticsearch.ContainerDecorate( + relasticsearch.DecorateEnvironment( corev1.Container{ Name: ElasticsearchMetricsName, Image: e.esMetricsImage, @@ -248,7 +248,7 @@ func (e elasticsearchMetrics) metricsDeployment() *appsv1.Deployment { Env: []corev1.EnvVar{ {Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(e.cfg.Installation.FIPSMode)}, }, - }, render.DefaultElasticsearchClusterName, ElasticsearchMetricsSecret, + }, render.ElasticsearchNamespace, render.DefaultElasticsearchClusterName, ElasticsearchMetricsSecret, e.cfg.ClusterDomain, e.SupportedOSType(), ), }, @@ -257,7 +257,7 @@ func (e elasticsearchMetrics) metricsDeployment() *appsv1.Deployment { e.cfg.TrustedBundle.Volume(), }, }, - }, e.cfg.ESConfig, []*corev1.Secret{e.cfg.ESMetricsCredsSecret}).(*corev1.PodTemplateSpec), + }, []*corev1.Secret{e.cfg.ESMetricsCredsSecret}).(*corev1.PodTemplateSpec), }, } } diff --git a/pkg/render/logstorage_test.go b/pkg/render/logstorage_test.go index 2e2673b8cd..3865538a2e 100644 --- a/pkg/render/logstorage_test.go +++ b/pkg/render/logstorage_test.go 
@@ -219,7 +219,6 @@ var _ = Describe("Elasticsearch rendering tests", func() { &v3.NetworkPolicy{ObjectMeta: metav1.ObjectMeta{Name: networkpolicy.TigeraComponentDefaultDenyPolicyName, Namespace: render.ElasticsearchNamespace}}, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "tigera-pull-secret", Namespace: render.ElasticsearchNamespace}}, &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "tigera-elasticsearch", Namespace: render.ElasticsearchNamespace}}, - &corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.ClusterConfigConfigMapName, Namespace: common.OperatorNamespace()}}, &esv1.Elasticsearch{ObjectMeta: metav1.ObjectMeta{Name: render.ElasticsearchName, Namespace: render.ElasticsearchNamespace}}, &rbacv1.Role{ObjectMeta: metav1.ObjectMeta{Name: render.EsManagerRole, Namespace: render.ElasticsearchNamespace}}, &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: render.EsManagerRoleBinding, Namespace: render.ElasticsearchNamespace}}, @@ -481,7 +480,6 @@ var _ = Describe("Elasticsearch rendering tests", func() { {networkpolicy.TigeraComponentDefaultDenyPolicyName, render.ElasticsearchNamespace, &v3.NetworkPolicy{}, nil}, {"tigera-pull-secret", render.ElasticsearchNamespace, &corev1.Secret{}, nil}, {"tigera-elasticsearch", render.ElasticsearchNamespace, &corev1.ServiceAccount{}, nil}, - {relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &corev1.ConfigMap{}, nil}, {render.ElasticsearchName, render.ElasticsearchNamespace, &esv1.Elasticsearch{}, nil}, {render.KibanaNamespace, "", &corev1.Namespace{}, nil}, {render.KibanaPolicyName, render.KibanaNamespace, &v3.NetworkPolicy{}, nil}, 
@@ -547,7 +545,6 @@ var _ = Describe("Elasticsearch rendering tests", func() { {networkpolicy.TigeraComponentDefaultDenyPolicyName, render.ElasticsearchNamespace, &v3.NetworkPolicy{}, nil}, {"tigera-pull-secret", render.ElasticsearchNamespace, &corev1.Secret{}, nil}, {"tigera-elasticsearch", render.ElasticsearchNamespace, &corev1.ServiceAccount{}, nil}, - {relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &corev1.ConfigMap{}, nil}, {render.ElasticsearchName, render.ElasticsearchNamespace, &esv1.Elasticsearch{}, nil}, {render.KibanaNamespace, "", &corev1.Namespace{}, nil}, {render.KibanaPolicyName, render.KibanaNamespace, &v3.NetworkPolicy{}, nil}, @@ -603,7 +600,6 @@ var _ = Describe("Elasticsearch rendering tests", func() { BeforeEach(func() { cfg.CuratorSecrets = []*corev1.Secret{ {ObjectMeta: metav1.ObjectMeta{Name: render.ElasticsearchCuratorUserSecret, Namespace: common.OperatorNamespace()}}, - {ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: common.OperatorNamespace()}}, } cfg.ClusterDomain = dns.DefaultClusterDomain }) @@ -630,7 +626,6 @@ var _ = Describe("Elasticsearch rendering tests", func() { {networkpolicy.TigeraComponentDefaultDenyPolicyName, render.ElasticsearchNamespace, &v3.NetworkPolicy{}, nil}, {"tigera-pull-secret", render.ElasticsearchNamespace, &corev1.Secret{}, nil}, {"tigera-elasticsearch", render.ElasticsearchNamespace, &corev1.ServiceAccount{}, nil}, - {relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &corev1.ConfigMap{}, nil}, {render.ElasticsearchName, render.ElasticsearchNamespace, &esv1.Elasticsearch{}, nil}, {render.KibanaNamespace, "", &corev1.Namespace{}, nil}, {render.KibanaPolicyName, render.KibanaNamespace, &v3.NetworkPolicy{}, nil}, 
@@ -640,7 +635,6 @@ var _ = Describe("Elasticsearch rendering tests", func() { {render.KibanaName, render.KibanaNamespace, &kbv1.Kibana{}, nil}, {render.EsCuratorPolicyName, render.ElasticsearchNamespace, &v3.NetworkPolicy{}, nil}, {render.ElasticsearchCuratorUserSecret, render.ElasticsearchNamespace, &corev1.Secret{}, nil}, - {relasticsearch.PublicCertSecret, render.ElasticsearchNamespace, &corev1.Secret{}, nil}, {render.EsCuratorServiceAccount, render.ElasticsearchNamespace, &corev1.ServiceAccount{}, nil}, {render.ESCuratorName, "", &rbacv1.ClusterRole{}, nil}, {render.ESCuratorName, "", &rbacv1.ClusterRoleBinding{}, nil}, @@ -883,7 +877,6 @@ var _ = Describe("Elasticsearch rendering tests", func() { {networkpolicy.TigeraComponentDefaultDenyPolicyName, render.ElasticsearchNamespace, &v3.NetworkPolicy{}, nil}, {"tigera-pull-secret", render.ElasticsearchNamespace, &corev1.Secret{}, nil}, {"tigera-elasticsearch", render.ElasticsearchNamespace, &corev1.ServiceAccount{}, nil}, - {relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &corev1.ConfigMap{}, nil}, {render.ElasticsearchName, render.ElasticsearchNamespace, &esv1.Elasticsearch{}, nil}, {render.ElasticsearchKeystoreSecret, common.OperatorNamespace(), &corev1.Secret{}, nil}, {render.ElasticsearchKeystoreSecret, render.ElasticsearchNamespace, &corev1.Secret{}, nil}, @@ -1720,7 +1713,6 @@ var deleteLogStorageTests = func(managementCluster *operatorv1.ManagementCluster }, CuratorSecrets: []*corev1.Secret{ {ObjectMeta: metav1.ObjectMeta{Name: render.ElasticsearchCuratorUserSecret, Namespace: common.OperatorNamespace()}}, - {ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: common.OperatorNamespace()}}, }, Provider: operatorv1.ProviderNone, ClusterDomain: "cluster.local", diff --git a/pkg/render/manager.go b/pkg/render/manager.go index 72b262ddb7..2d412df6af 100644 --- a/pkg/render/manager.go +++ b/pkg/render/manager.go 
@@ -126,7 +126,6 @@ func Manager(cfg *ManagerConfiguration) (Component, error) { type ManagerConfiguration struct { KeyValidatorConfig authentication.KeyValidatorConfig ESSecrets []*corev1.Secret - ClusterConfig *relasticsearch.ClusterConfig PullSecrets []*corev1.Secret Openshift bool Installation *operatorv1.InstallationSpec @@ -277,8 +276,8 @@ func (c *managerComponent) managerDeployment() *appsv1.Deployment { esProxyContainer := c.managerEsProxyContainer() if c.cfg.Tenant == nil { // If we're running in multi-tenant mode, we don't need ES credentials as these are used for Kibana login. Otherwise, add them. - managerContainer = relasticsearch.ContainerDecorate(managerContainer, c.cfg.ClusterConfig.ClusterName(), ElasticsearchManagerUserSecret, c.cfg.ClusterDomain, c.SupportedOSType()) - esProxyContainer = relasticsearch.ContainerDecorate(esProxyContainer, c.cfg.ClusterConfig.ClusterName(), ElasticsearchManagerUserSecret, c.cfg.ClusterDomain, c.SupportedOSType()) + managerContainer = relasticsearch.DecorateEnvironment(managerContainer, ElasticsearchNamespace, DefaultElasticsearchClusterName, ElasticsearchManagerUserSecret, c.cfg.ClusterDomain, c.SupportedOSType()) + esProxyContainer = relasticsearch.DecorateEnvironment(esProxyContainer, ElasticsearchNamespace, DefaultElasticsearchClusterName, ElasticsearchManagerUserSecret, c.cfg.ClusterDomain, c.SupportedOSType()) } if c.cfg.InternalTLSKeyPair != nil && c.cfg.InternalTLSKeyPair.UseCertificateManagement() { initContainers = append(initContainers, c.cfg.InternalTLSKeyPair.InitContainer(ManagerNamespace)) 
@@ -302,7 +301,7 @@ func (c *managerComponent) managerDeployment() *appsv1.Deployment { Containers: []corev1.Container{managerContainer, esProxyContainer, c.voltronContainer()}, Volumes: c.managerVolumes(), }, - }, c.cfg.ClusterConfig, c.cfg.ESSecrets).(*corev1.PodTemplateSpec) + }, c.cfg.ESSecrets).(*corev1.PodTemplateSpec) if c.cfg.Replicas != nil && *c.cfg.Replicas > 1 { podTemplate.Spec.Affinity = podaffinity.NewPodAntiAffinity("tigera-manager", c.cfg.Namespace) diff --git a/pkg/render/manager_test.go b/pkg/render/manager_test.go index 7a889baaf7..f214b6b8b4 100644 --- a/pkg/render/manager_test.go +++ b/pkg/render/manager_test.go @@ -43,7 +43,6 @@ import ( "github.com/tigera/operator/pkg/dns" "github.com/tigera/operator/pkg/render" "github.com/tigera/operator/pkg/render/common/authentication" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/podaffinity" rtest "github.com/tigera/operator/pkg/render/common/test" @@ -130,7 +129,6 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { // es-proxy container Expect(esProxy.Env).Should(ContainElements( - corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, corev1.EnvVar{Name: "LINSEED_CLIENT_CERT", Value: "/internal-manager-tls/tls.crt"}, corev1.EnvVar{Name: "LINSEED_CLIENT_KEY", Value: "/internal-manager-tls/tls.key"}, )) @@ -428,7 +426,6 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { VoltronLinseedKeyPair: voltronLinseedCert, InternalTLSKeyPair: internalTraffic, Installation: installation, - ClusterConfig: &relasticsearch.ClusterConfig{}, Namespace: render.ManagerNamespace, TruthNamespace: common.OperatorNamespace(), } 
@@ -696,7 +693,6 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { renderManager := func(i *operatorv1.InstallationSpec) *appsv1.Deployment { cfg := &render.ManagerConfiguration{ TrustedCertBundle: bundle, - ClusterConfig: &relasticsearch.ClusterConfig{}, TLSKeyPair: kp, VoltronLinseedKeyPair: voltronLinseedKP, Installation: i, @@ -1047,11 +1043,9 @@ func renderObjects(roc renderConfig) []client.Object { roc.bindingNamespaces = []string{roc.ns} } - esConfigMap := relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1) cfg := &render.ManagerConfiguration{ KeyValidatorConfig: dexCfg, TrustedCertBundle: bundle, - ClusterConfig: esConfigMap, TLSKeyPair: managerTLS, Installation: roc.installation, ManagementCluster: roc.managementCluster, From 2dd03468f1fc9c535eeb52fc09e29951d02e1573 Mon Sep 17 00:00:00 2001 
From: Josh Lucas Date: Fri, 3 Nov 2023 09:53:45 -0400 Subject: [PATCH 2/9] Reinstating ConfigMap for components that actually consume it and adding UTs along the way to protect its usage --- .../intrusiondetection_controller.go | 25 +++++ .../intrusiondetection_controller_test.go | 26 ++++- .../logcollector/logcollector_controller.go | 20 +++- pkg/controller/manager/manager_controller.go | 22 +++++ .../manager/manager_controller_test.go | 97 +++++++++++++++---- pkg/controller/utils/elasticsearch.go | 13 +++ .../common/elasticsearch/clusterconfig.go | 62 +++++++++++- pkg/render/common/elasticsearch/decorator.go | 66 ++++++++++++- pkg/render/fluentd.go | 74 +++++++++----- pkg/render/fluentd_test.go | 12 +++ pkg/render/intrusion_detection.go | 22 ++++- pkg/render/intrusion_detection_test.go | 12 +++ .../kubecontrollers/kube-controllers.go | 11 --- .../kubecontrollers/kube-controllers_test.go | 45 --------- pkg/render/logstorage.go | 35 +++++-- .../esmetrics/elasticsearch_metrics.go | 59 ++++++----- .../esmetrics/elasticsearch_metrics_test.go | 21 +--- pkg/render/logstorage_test.go | 12 +++ pkg/render/manager.go | 27 ++++-- pkg/render/manager_test.go | 21 ++++ 20 files changed, 513 insertions(+), 169 deletions(-) diff --git a/pkg/controller/intrusiondetection/intrusiondetection_controller.go b/pkg/controller/intrusiondetection/intrusiondetection_controller.go index 20fa4ae0b6..c5633847ba 100644 --- a/pkg/controller/intrusiondetection/intrusiondetection_controller.go +++ b/pkg/controller/intrusiondetection/intrusiondetection_controller.go @@ -18,6 +18,8 @@ import ( "context" "fmt" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + esv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/elasticsearch/v1" "github.com/tigera/operator/pkg/render/common/networkpolicy" 
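Review bot: The added `relasticsearch` import in the intrusiondetection controller sits in a group of its own between the standard library and the `esv1` third-party import instead of alongside the other `github.com/tigera/operator/...` imports. The same placement appears in the logcollector and manager controller import hunks later in this patch. goimports-style grouping would put it in the project block, which keeps the import blocks formatter-clean and avoids churn the next time the file is formatted.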
@@ -193,6 +195,10 @@ func add(mgr manager.Manager, c controller.Controller) error {
 		return fmt.Errorf("intrusiondetection-controller failed to watch the Secret resource: %v", err)
 	}
 
+	if err = utils.AddConfigMapWatch(c, relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil {
+		return fmt.Errorf("intrusiondetection-controller failed to watch the ConfigMap resource: %v", err)
+	}
+
 	if err = utils.AddConfigMapWatch(c, render.ECKLicenseConfigMapName, render.ECKOperatorNamespace, &handler.EnqueueRequestForObject{}); err != nil {
 		return fmt.Errorf("intrusiondetection-controller failed to watch the ConfigMap resource: %v", err)
 	}
@@ -370,6 +376,24 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec
 		}
 	}
 
+	esClusterConfig, err := utils.GetElasticsearchClusterConfig(context.Background(), r.client)
+	if err != nil {
+		if errors.IsNotFound(err) {
+			r.status.SetDegraded(operatorv1.ResourceNotFound, "Elasticsearch cluster configuration is not available, waiting for it to become available", err, reqLogger)
+			return reconcile.Result{}, nil
+		}
+		r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get the elasticsearch cluster configuration", err, reqLogger)
+		return reconcile.Result{}, err
+	}
+
+	if isManagedCluster {
+		if esClusterConfig.ClusterName() == render.DefaultElasticsearchClusterName {
+			err = fmt.Errorf("Elasticsearch cluster name must be non-default value in managed clusters")
+			r.status.SetDegraded(operatorv1.InvalidConfigurationError, "", err, reqLogger)
+			return reconcile.Result{}, err
+		}
+	}
+
 	secrets := []string{
 		render.ElasticsearchIntrusionDetectionUserSecret,
 		render.ElasticsearchPerformanceHotspotsUserSecret,
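Review bot: The new lookup in Reconcile passes `context.Background()` to `utils.GetElasticsearchClusterConfig` even though the method receives `ctx`, so the read is detached from the reconcile's cancellation and deadline; use `esClusterConfig, err := utils.GetElasticsearchClusterConfig(ctx, r.client)` (the manager controller's lookup later in this patch has the same issue). The rejection of the default cluster name in managed clusters carries no comment; if the intent is that the name is what keeps this cluster's data distinct from other clusters writing to the same Elasticsearch, a comment such as `// In a managed cluster the cluster name distinguishes this cluster's data from the management cluster's, so the default name is not allowed.` would record that — please confirm the rationale. The error text `"Elasticsearch cluster name must be non-default value in managed clusters"` is capitalized unlike the other error strings in the file, and it is passed to `SetDegraded` with an empty message, so the status condition shows only the raw error.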
@@ -462,6 +486,7 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec LogCollector: lc, ESSecrets: esSecrets, Installation: network, + ESClusterConfig: esClusterConfig, PullSecrets: pullSecrets, Openshift: r.provider == operatorv1.ProviderOpenShift, ClusterDomain: r.clusterDomain, diff --git a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go index 89cd2cc97d..ebefd8f914 100644 --- a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go +++ b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go @@ -19,6 +19,8 @@ import ( "fmt" "time" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + esv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/elasticsearch/v1" "github.com/tigera/operator/pkg/apis" @@ -161,8 +163,9 @@ var _ = Describe("IntrusionDetection controller tests", func() { // Managed clusters need the public cert for Linseed as well. linseedPublicCert, err := certificateManager.GetOrCreateKeyPair(c, render.VoltronLinseedPublicCert, common.OperatorNamespace(), []string{render.VoltronLinseedPublicCert}) Expect(err).NotTo(HaveOccurred()) - Expect(c.Create(ctx, linseedPublicCert.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) + Expect(c.Create(ctx, linseedPublicCert.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) + Expect(c.Create(ctx, relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) Expect(c.Create(ctx, rtest.CreateCertSecret(render.ElasticsearchIntrusionDetectionUserSecret, common.OperatorNamespace(), render.GuardianSecretName))) Expect(c.Create(ctx, rtest.CreateCertSecret(render.ElasticsearchPerformanceHotspotsUserSecret, common.OperatorNamespace(), render.GuardianSecretName))) Expect(c.Create(ctx, &corev1.ConfigMap{ 
@@ -342,6 +345,8 @@ var _ = Describe("IntrusionDetection controller tests", func() { }, })).ToNot(HaveOccurred()) + Expect(c.Update(ctx, relasticsearch.NewClusterConfig("non-default-cluster-name", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) + _, err := r.Reconcile(ctx, reconcile.Request{}) Expect(err).ShouldNot(HaveOccurred()) @@ -422,6 +427,8 @@ var _ = Describe("IntrusionDetection controller tests", func() { }, })).ToNot(HaveOccurred()) + Expect(c.Update(ctx, relasticsearch.NewClusterConfig("non-default-cluster-name", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) + _, err := r.Reconcile(ctx, reconcile.Request{}) Expect(err).ShouldNot(HaveOccurred()) Expect(mockStatus.AssertNumberOfCalls(nil, "SetDegraded", 0)).To(BeTrue()) @@ -554,6 +561,23 @@ var _ = Describe("IntrusionDetection controller tests", func() { Expect(*ids.Spec.ComponentResources[0].ResourceRequirements.Requests.Memory()).Should(Equal(resource.MustParse(memoryRequest))) Expect(*ids.Spec.ComponentResources[0].ResourceRequirements.Limits.Memory()).Should(Equal(resource.MustParse(memoryLimit))) }) + + It("should error if Elasticsearch configuration ConfigMap contains default cluster-name field in managed cluster", func() { + Expect(c.Create(ctx, &operatorv1.ManagementClusterConnection{ + ObjectMeta: metav1.ObjectMeta{Name: "tigera-secure"}, + Spec: operatorv1.ManagementClusterConnectionSpec{ + ManagementClusterAddr: "127.0.0.1:12345", + }, + })).ToNot(HaveOccurred()) + + _, err := r.Reconcile(ctx, reconcile.Request{}) + Expect(err).Should(HaveOccurred()) + + Expect(c.Update(ctx, relasticsearch.NewClusterConfig("managed-cluster-name", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) + + _, err = r.Reconcile(ctx, reconcile.Request{}) + Expect(err).ShouldNot(HaveOccurred()) + }) }) Context("Reconcile for Condition status", func() { diff --git a/pkg/controller/logcollector/logcollector_controller.go b/pkg/controller/logcollector/logcollector_controller.go index 7280556138..205943c6de 100644 
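Review bot: The new test "should error if Elasticsearch configuration ConfigMap contains default cluster-name field in managed cluster" asserts only that `Reconcile` returned an error, so any other failure in a managed-cluster reconcile would also satisfy it; the file already inspects `mockStatus` calls with `AssertNumberOfCalls`, and checking that `SetDegraded` was invoked with `operatorv1.InvalidConfigurationError` would pin the failure to the cluster-name check. The test also depends on the ConfigMap created in BeforeEach with the literal `"cluster"` being equal to `render.DefaultElasticsearchClusterName`; creating it with the constant instead makes that dependency explicit.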
--- a/pkg/controller/logcollector/logcollector_controller.go
+++ b/pkg/controller/logcollector/logcollector_controller.go
@@ -19,6 +19,8 @@ import (
 	"fmt"
 	"strings"
 
+	relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
+
 	"github.com/tigera/operator/pkg/render/common/networkpolicy"
 
 	v3 "github.com/tigera/api/pkg/apis/projectcalico/v3"
@@ -149,8 +151,10 @@ func add(mgr manager.Manager, c controller.Controller) error {
 		}
 	}
 
-	if err = utils.AddConfigMapWatch(c, render.FluentdFilterConfigMapName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil {
-		return fmt.Errorf("logcollector-controller failed to watch ConfigMap %s: %v", render.FluentdFilterConfigMapName, err)
+	for _, configMapName := range []string{render.FluentdFilterConfigMapName, relasticsearch.ClusterConfigConfigMapName} {
+		if err = utils.AddConfigMapWatch(c, configMapName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil {
+			return fmt.Errorf("logcollector-controller failed to watch ConfigMap %s: %v", configMapName, err)
+		}
 	}
 
 	err = c.Watch(&source.Kind{Type: &corev1.Node{}}, &handler.EnqueueRequestForObject{})
@@ -528,10 +532,20 @@ func (r *ReconcileLogCollector) Reconcile(ctx context.Context, request reconcile } var eksConfig *render.EksCloudwatchLogConfig + var esClusterConfig *relasticsearch.ClusterConfig if installation.KubernetesProvider == operatorv1.ProviderEKS { log.Info("Managed kubernetes EKS found, getting necessary credentials and config") if instance.Spec.AdditionalSources != nil { if instance.Spec.AdditionalSources.EksCloudwatchLog != nil { + esClusterConfig, err = utils.GetElasticsearchClusterConfig(ctx, r.client) + if err != nil { + if errors.IsNotFound(err) { + r.status.SetDegraded(operatorv1.ResourceNotReady, "Elasticsearch cluster configuration is not available, waiting for it to become available", err, reqLogger) + return reconcile.Result{}, nil + } + r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get the elasticsearch cluster configuration", err, reqLogger) + return reconcile.Result{}, err + } eksConfig, err = getEksCloudwatchLogConfig(r.client, instance.Spec.AdditionalSources.EksCloudwatchLog.FetchInterval, instance.Spec.AdditionalSources.EksCloudwatchLog.Region, @@ -553,6 +567,7 @@ func (r *ReconcileLogCollector) Reconcile(ctx context.Context, request reconcile S3Credential: s3Credential, SplkCredential: splunkCredential, Filters: filters, + ESClusterConfig: esClusterConfig, EKSConfig: eksConfig, PullSecrets: pullSecrets, Installation: installation, @@ -603,6 +618,7 @@ func (r *ReconcileLogCollector) Reconcile(ctx context.Context, request reconcile S3Credential: s3Credential, SplkCredential: splunkCredential, Filters: filters, + ESClusterConfig: esClusterConfig, EKSConfig: eksConfig, PullSecrets: pullSecrets, Installation: installation, diff --git a/pkg/controller/manager/manager_controller.go b/pkg/controller/manager/manager_controller.go index b91c4f19d6..005950a87d 100644 --- a/pkg/controller/manager/manager_controller.go +++ b/pkg/controller/manager/manager_controller.go 
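Review bot: The degraded reason for a missing cluster configuration here is `operatorv1.ResourceNotReady`, while the intrusiondetection and manager controllers in this patch use `operatorv1.ResourceNotFound` for the same `errors.IsNotFound(err)` case; pick one so status consumers see a consistent reason for the same condition. The lookup only runs inside the EKS CloudWatch branch, so `ESClusterConfig` is nil for every other deployment and the fluentd render code must tolerate that, which this hunk does not show. A short comment above the new `var esClusterConfig` line, e.g. `// Only the EKS CloudWatch log source consumes the Elasticsearch cluster configuration.`, would make the narrow scope read as deliberate.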
@@ -18,6 +18,8 @@ import (
 	"context"
 	"fmt"
 
+	relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch"
+
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -158,6 +160,10 @@ func Add(mgr manager.Manager, opts options.AddOptions) error {
 		return fmt.Errorf("manager-controller failed to watch ConfigMap resource %s: %w", tigerakvc.StaticWellKnownJWKSConfigMapName, err)
 	}
 
+	if err = utils.AddConfigMapWatch(managerController, relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), eventHandler); err != nil {
+		return fmt.Errorf("compliance-controller failed to watch the ConfigMap resource: %w", err)
+	}
+
 	if err = utils.AddNamespaceWatch(managerController, common.TigeraPrometheusNamespace); err != nil {
 		return fmt.Errorf("manager-controller failed to watch the '%s' namespace: %w", common.TigeraPrometheusNamespace, err)
 	}
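Review bot: The error on the new ConfigMap watch reads `"compliance-controller failed to watch the ConfigMap resource: %w"`, but this is the manager controller and the neighbouring errors in the hunk are prefixed `manager-controller`. A misattributed prefix sends whoever is triaging the operator log to the wrong controller. Change it to `return fmt.Errorf("manager-controller failed to watch ConfigMap resource %s: %w", relasticsearch.ClusterConfigConfigMapName, err)` to match the message just above it.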
@@ -448,6 +454,21 @@ func (r *ReconcileManager) Reconcile(ctx context.Context, request reconcile.Requ return reconcile.Result{}, err } + var clusterConfig *relasticsearch.ClusterConfig + // We only require Elastic cluster configuration when Kibana is enabled. We infer whether Kibana is enabled by checking + // FIPS configuration mode and multi-tenancy mode. See manager.go function kibanaEnabled for more details. + if !r.multiTenant && !operatorv1.IsFIPSModeEnabled(installation.FIPSMode) { + clusterConfig, err = utils.GetElasticsearchClusterConfig(context.Background(), r.client) + if err != nil { + if errors.IsNotFound(err) { + r.status.SetDegraded(operatorv1.ResourceNotFound, "Elasticsearch cluster configuration is not available, waiting for it to become available", err, logc) + return reconcile.Result{}, nil + } + r.status.SetDegraded(operatorv1.ResourceReadError, "Failed to get the elasticsearch cluster configuration", err, logc) + return reconcile.Result{}, err + } + } + var esSecrets []*corev1.Secret if !r.multiTenant { // Get secrets used by the manager to authenticate with Elasticsearch. This is used for Kibana login, and isn't @@ -591,6 +612,7 @@ func (r *ReconcileManager) Reconcile(ctx context.Context, request reconcile.Requ KeyValidatorConfig: keyValidatorConfig, ESSecrets: esSecrets, TrustedCertBundle: trustedBundle, + ClusterConfig: clusterConfig, TLSKeyPair: tlsSecret, VoltronLinseedKeyPair: linseedVoltronServerCert, PullSecrets: pullSecrets, diff --git a/pkg/controller/manager/manager_controller_test.go b/pkg/controller/manager/manager_controller_test.go index cce1363487..04e0a583c7 100644 --- a/pkg/controller/manager/manager_controller_test.go +++ b/pkg/controller/manager/manager_controller_test.go @@ -21,6 +21,7 @@ import ( "encoding/pem" "fmt" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" kerror "k8s.io/apimachinery/pkg/api/errors" . "github.com/onsi/ginkgo" 
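Review bot: `utils.GetElasticsearchClusterConfig(context.Background(), r.client)` ignores the `ctx` that Reconcile receives; pass `ctx` so the read honours the reconcile's cancellation and deadline. The guard `!r.multiTenant && !operatorv1.IsFIPSModeEnabled(installation.FIPSMode)` re-derives the predicate that the comment says lives in manager.go's `kibanaEnabled`; if that helper can be exported or shared, calling it here avoids the two conditions drifting apart. When the guard is false, `clusterConfig` stays nil and is passed as `ClusterConfig` in the second hunk; the render side presumably tolerates nil in that mode, but that is not visible here.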
@@ -199,6 +200,8 @@ var _ = Describe("Manager controller tests", func() { ObjectMeta: metav1.ObjectMeta{Name: common.TigeraPrometheusNamespace}, })).NotTo(HaveOccurred()) + Expect(c.Create(ctx, relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) + // Provision certificates that the controller will query as part of the test. var err error certificateManager, err = certificatemanager.Create(c, nil, "", common.OperatorNamespace(), certificatemanager.AllowCACreation()) @@ -425,6 +428,7 @@ var _ = Describe("Manager controller tests", func() { var licenseKey *v3.LicenseKey var compliance *operatorv1.Compliance var certificateManager certificatemanager.CertificateManager + var installation *operatorv1.Installation BeforeEach(func() { // Create an object we can use throughout the test to do the compliance reconcile loops. 
@@ -472,25 +476,24 @@ var _ = Describe("Manager controller tests", func() { }, } Expect(c.Create(ctx, licenseKey)).NotTo(HaveOccurred()) - Expect(c.Create( - ctx, - &operatorv1.Installation{ - ObjectMeta: metav1.ObjectMeta{Name: "default"}, - Spec: operatorv1.InstallationSpec{ - ControlPlaneReplicas: &replicas, - Variant: operatorv1.TigeraSecureEnterprise, - Registry: "some.registry.org/", - }, - Status: operatorv1.InstallationStatus{ - Variant: operatorv1.TigeraSecureEnterprise, - Computed: &operatorv1.InstallationSpec{ - Registry: "some.registry.org/", - // The test is provider agnostic. - KubernetesProvider: operatorv1.ProviderNone, - }, + + installation = &operatorv1.Installation{ + ObjectMeta: metav1.ObjectMeta{Name: "default"}, + Spec: operatorv1.InstallationSpec{ + ControlPlaneReplicas: &replicas, + Variant: operatorv1.TigeraSecureEnterprise, + Registry: "some.registry.org/", + }, + Status: operatorv1.InstallationStatus{ + Variant: operatorv1.TigeraSecureEnterprise, + Computed: &operatorv1.InstallationSpec{ + Registry: "some.registry.org/", + // The test is provider agnostic. + KubernetesProvider: operatorv1.ProviderNone, }, }, - )).NotTo(HaveOccurred()) + } + compliance = &operatorv1.Compliance{ ObjectMeta: metav1.ObjectMeta{Name: "tigera-secure"}, Status: operatorv1.ComplianceStatus{ @@ -527,6 +530,8 @@ var _ = Describe("Manager controller tests", func() { Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, internalCertKp.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) + Expect(c.Create(ctx, relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) + Expect(c.Create(ctx, &corev1.Secret{ ObjectMeta: metav1.ObjectMeta{ Name: render.ElasticsearchManagerUserSecret, 
@@ -554,6 +559,12 @@ var _ = Describe("Manager controller tests", func() { }) Context("image reconciliation", func() { + BeforeEach(func() { + Expect(c.Create( + ctx, + installation, + )).NotTo(HaveOccurred()) + }) It("should use builtin images", func() { mockStatus.On("RemoveCertificateSigningRequests", mock.Anything).Return() _, err := r.Reconcile(ctx, reconcile.Request{}) @@ -635,6 +646,12 @@ var _ = Describe("Manager controller tests", func() { Context("allow-tigera reconciliation", func() { var readyFlag *utils.ReadyFlag BeforeEach(func() { + + Expect(c.Create( + ctx, + installation, + )).NotTo(HaveOccurred()) + mockStatus = &status.MockStatus{} mockStatus.On("OnCRFound").Return() mockStatus.On("SetMetaData", mock.Anything).Return() @@ -662,6 +679,13 @@ var _ = Describe("Manager controller tests", func() { }) Context("compliance reconciliation", func() { + BeforeEach(func() { + Expect(c.Create( + ctx, + installation, + )).NotTo(HaveOccurred()) + }) + It("should degrade if license is not present", func() { Expect(c.Delete(ctx, licenseKey)).NotTo(HaveOccurred()) mockStatus = &status.MockStatus{} @@ -724,6 +748,12 @@ var _ = Describe("Manager controller tests", func() { }) Context("Reconcile for Condition status", func() { + BeforeEach(func() { + Expect(c.Create( + ctx, + installation, + )).NotTo(HaveOccurred()) + }) generation := int64(2) It("should reconcile with creating new status condition with one item", func() { mockStatus.On("RemoveCertificateSigningRequests", mock.Anything).Return() @@ -904,6 +934,12 @@ var _ = Describe("Manager controller tests", func() { }) Context("Multi-cluster reconciliation", func() { + BeforeEach(func() { + Expect(c.Create( + ctx, + installation, + )).NotTo(HaveOccurred()) + }) It("Should reconcile multi-cluster setup for a management cluster for a single tenant", func() { // Create the ManagementCluster CR needed to configure // a management cluster for a multi-cluster setup 
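Review bot: The same `BeforeEach(func() { Expect(c.Create(ctx, installation)).NotTo(HaveOccurred()) })` is pasted into six Contexts here and two more in the next hunk, apparently so that the FIPS Context can mutate `installation.Spec.FIPSMode` before the object is created. Ginkgo's `JustBeforeEach` runs after every nested `BeforeEach`, so a single `JustBeforeEach(func() { Expect(c.Create(ctx, installation)).NotTo(HaveOccurred()) })` in the enclosing Describe would let each Context adjust `installation` and drop the eight copies. The enclosing Describe starts and ends outside the hunk.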
@@ -971,6 +1007,10 @@ var _ = Describe("Manager controller tests", func() { tenantANamespace := "tenant-a" tenantBNamespace := "tenant-b" BeforeEach(func() { + Expect(c.Create( + ctx, + installation, + )).NotTo(HaveOccurred()) r.multiTenant = true }) @@ -1108,6 +1148,29 @@ var _ = Describe("Manager controller tests", func() { Expect(kerror.IsNotFound(err)).Should(BeFalse()) }) }) + + Context("FIPS reconciliation", func() { + fipsEnabled := operatorv1.FIPSModeEnabled + BeforeEach(func() { + installation.Spec.FIPSMode = &fipsEnabled + Expect(c.Create( + ctx, + installation, + )).NotTo(HaveOccurred()) + }) + It("should not require presence of ElasticSearch ConfigMap", func() { + Expect(c.Delete(ctx, relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) + elasticConfigMapKey := client.ObjectKey{ + Name: relasticsearch.ClusterConfigConfigMapName, + Namespace: common.OperatorNamespace(), + } + elasticConfigMap := corev1.ConfigMap{} + Expect(c.Get(ctx, elasticConfigMapKey, &elasticConfigMap)).To(HaveOccurred()) + + _, err := r.Reconcile(ctx, reconcile.Request{}) + Expect(err).ShouldNot(HaveOccurred()) + }) + }) }) }) diff --git a/pkg/controller/utils/elasticsearch.go b/pkg/controller/utils/elasticsearch.go index eb84f149ae..7df235da1f 100644 --- a/pkg/controller/utils/elasticsearch.go +++ b/pkg/controller/utils/elasticsearch.go @@ -24,6 +24,8 @@ import ( "net/http" "time" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/olivere/elastic/v7" operator "github.com/tigera/operator/api/v1" 
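Review bot: The FIPS test's `Expect(c.Get(ctx, elasticConfigMapKey, &elasticConfigMap)).To(HaveOccurred())` accepts any error, and the final `Expect(err).ShouldNot(HaveOccurred())` cannot fail for the case the test names, because the Reconcile hunk returns a nil error and calls `SetDegraded` when the ConfigMap is missing. Assert the precondition precisely with `err := c.Get(ctx, elasticConfigMapKey, &elasticConfigMap); Expect(kerror.IsNotFound(err)).To(BeTrue())`, and make the mock prove the outcome: unless `mockStatus` in this Context has no `SetDegraded` expectation (in which case an unexpected call panics), add `mockStatus.AssertNotCalled(GinkgoT(), "SetDegraded", mock.Anything, mock.Anything, mock.Anything, mock.Anything)` after Reconcile. Without that, removing the FIPS guard from the controller would leave this test green. The enclosing Describe starts and ends outside the hunk.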
@@ -90,6 +92,17 @@ func ElasticsearchSecrets(ctx context.Context, userSecretNames []string, cli cli return esUserSecrets, nil } +// GetElasticsearchClusterConfig retrieves the config map containing the elasticsearch configuration values, such as the +// the cluster name and replica count. +func GetElasticsearchClusterConfig(ctx context.Context, cli client.Client) (*relasticsearch.ClusterConfig, error) { + configMap := &corev1.ConfigMap{} + if err := cli.Get(ctx, client.ObjectKey{Name: relasticsearch.ClusterConfigConfigMapName, Namespace: common.OperatorNamespace()}, configMap); err != nil { + return nil, err + } + + return relasticsearch.NewClusterConfigFromConfigMap(configMap) +} + type ElasticsearchClientCreator func(client client.Client, ctx context.Context, elasticHTTPSEndpoint string) (ElasticClient, error) type ElasticClient interface { diff --git a/pkg/render/common/elasticsearch/clusterconfig.go b/pkg/render/common/elasticsearch/clusterconfig.go index 63cdffbcd4..d5c7b55aa4 100644 --- a/pkg/render/common/elasticsearch/clusterconfig.go +++ b/pkg/render/common/elasticsearch/clusterconfig.go @@ -15,7 +15,17 @@ package elasticsearch import ( - rmeta "github.com/tigera/operator/pkg/render/common/meta" + "fmt" + "strconv" + + "github.com/pkg/errors" + "github.com/tigera/operator/pkg/common" + corev1 "k8s.io/api/core/v1" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" +) + +const ( + ClusterConfigConfigMapName = "tigera-secure-elasticsearch" ) func NewClusterConfig(clusterName string, replicas int, shards int, flowShards int) *ClusterConfig { 
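Review bot: The doc comment on `GetElasticsearchClusterConfig` has a doubled article (`such as the the cluster name`) and does not say what a caller most needs: which object is read, and that the client error is returned unwrapped so `errors.IsNotFound` works, which the manager controller hunk relies on. Suggest: `// GetElasticsearchClusterConfig reads the tigera-secure-elasticsearch ConfigMap from the operator namespace and decodes it with NewClusterConfigFromConfigMap. Client errors are returned unwrapped so callers can test errors.IsNotFound.` The function body itself looks fine.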
@@ -27,6 +37,41 @@ func NewClusterConfig(clusterName string, replicas int, shards int, flowShards i } } +func NewClusterConfigFromConfigMap(configMap *corev1.ConfigMap) (*ClusterConfig, error) { + var replicas, shards, flowShards int + var err error + + if configMap.Data["clusterName"] == "" { + return nil, fmt.Errorf("'clusterName' is not set") + } + + if configMap.Data["replicas"] == "" { + return nil, fmt.Errorf("'replicas' is not set") + } else { + if replicas, err = strconv.Atoi(configMap.Data["replicas"]); err != nil { + return nil, errors.Wrap(err, "'replicas' must be an integer") + } + } + + if configMap.Data["shards"] == "" { + return nil, fmt.Errorf("'shards' is not set") + } else { + if shards, err = strconv.Atoi(configMap.Data["shards"]); err != nil { + return nil, errors.Wrap(err, "'shards' must be an integer") + } + } + + if configMap.Data["flowShards"] == "" { + return nil, fmt.Errorf("'flowShards' is not set") + } else { + if flowShards, err = strconv.Atoi(configMap.Data["flowShards"]); err != nil { + return nil, errors.Wrap(err, "'flowShards' must be an integer") + } + } + + return NewClusterConfig(configMap.Data["clusterName"], replicas, shards, flowShards), nil +} + type ClusterConfig struct { clusterName string replicas int @@ -50,6 +95,17 @@ func (c ClusterConfig) FlowShards() int { return c.flowShards } -func (c ClusterConfig) Annotation() string { - return rmeta.AnnotationHash(c) +func (c ClusterConfig) ConfigMap() *corev1.ConfigMap { + return &corev1.ConfigMap{ + ObjectMeta: metav1.ObjectMeta{ + Name: ClusterConfigConfigMapName, + Namespace: common.OperatorNamespace(), + }, + Data: map[string]string{ + "clusterName": c.clusterName, + "replicas": strconv.Itoa(c.replicas), + "shards": strconv.Itoa(c.shards), + "flowShards": strconv.Itoa(c.flowShards), + }, + } } diff --git a/pkg/render/common/elasticsearch/decorator.go b/pkg/render/common/elasticsearch/decorator.go index edf67633e2..dc2187f4ec 100644 
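Review bot: The three `replicas`/`shards`/`flowShards` branches in `NewClusterConfigFromConfigMap` repeat the same parse, wrap the error with `github.com/pkg/errors` although `fmt.Errorf` with `%w` is already used two lines earlier, and accept negative values from a ConfigMap that anyone with write access to the operator namespace can edit; a small `intField` helper with a non-negative check removes the duplication, the extra dependency and the `else` after `return` in one go (below). `NewClusterConfigFromConfigMap`, `ClusterConfigConfigMapName` and the new `ConfigMap` method are exported without doc comments; one sentence each, e.g. `// ConfigMap renders the config as the tigera-secure-elasticsearch ConfigMap in the operator namespace; NewClusterConfigFromConfigMap is its inverse.` `ConfigMap()` also omits `TypeMeta`, unlike the other objects this series renders (`metav1.TypeMeta{Kind: "Deployment", APIVersion: "apps/v1"}` in fluentd.go); add `TypeMeta: metav1.TypeMeta{Kind: "ConfigMap", APIVersion: "v1"}` for consistency.
```go
// intField parses data[key] as a non-negative integer, naming the key in every error.
func intField(data map[string]string, key string) (int, error) {
	raw := data[key]
	if raw == "" {
		return 0, fmt.Errorf("'%s' is not set", key)
	}
	v, err := strconv.Atoi(raw)
	if err != nil {
		return 0, fmt.Errorf("'%s' must be an integer: %w", key, err)
	}
	if v < 0 {
		return 0, fmt.Errorf("'%s' must not be negative", key)
	}
	return v, nil
}

// NewClusterConfigFromConfigMap decodes a ConfigMap produced by ClusterConfig.ConfigMap.
func NewClusterConfigFromConfigMap(configMap *corev1.ConfigMap) (*ClusterConfig, error) {
	clusterName := configMap.Data["clusterName"]
	if clusterName == "" {
		return nil, fmt.Errorf("'clusterName' is not set")
	}
	replicas, err := intField(configMap.Data, "replicas")
	if err != nil {
		return nil, err
	}
	shards, err := intField(configMap.Data, "shards")
	if err != nil {
		return nil, err
	}
	flowShards, err := intField(configMap.Data, "flowShards")
	if err != nil {
		return nil, err
	}
	return NewClusterConfig(clusterName, replicas, shards, flowShards), nil
}
// … unchanged: ClusterConfig struct, accessors, ConfigMap() …
```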
--- a/pkg/render/common/elasticsearch/decorator.go +++ b/pkg/render/common/elasticsearch/decorator.go @@ -24,8 +24,7 @@ import ( ) const ( - elasticsearchSecretsAnnotation = "hash.operator.tigera.io/elasticsearch-secrets" - elasticsearchConfigMapAnnotation = "hash.operator.tigera.io/elasticsearch-configmap" + elasticsearchSecretsAnnotation = "hash.operator.tigera.io/elasticsearch-secrets" ) type Annotatable interface { 
@@ -89,6 +88,69 @@ func DecorateEnvironment(c corev1.Container, namespace string, cluster, esUserSe return c } +func ElasticCuratorBackendCertEnvVar(osType rmeta.OSType) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ES_CURATOR_BACKEND_CERT", + Value: elasticCertPath(osType), + } +} + +func ElasticCAEnvVar(osType rmeta.OSType) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_CA", + Value: elasticCertPath(osType), + } +} + +func ElasticSchemeEnvVar(esScheme string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_SCHEME", + Value: esScheme, + } +} + +func ElasticHostEnvVar(esHost string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_HOST", + Value: esHost, + } +} + +func ElasticPortEnvVar(esPort string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_PORT", + Value: esPort, + } +} + +func ElasticIndexSuffixEnvVar(esIdxSuffix string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_INDEX_SUFFIX", + Value: esIdxSuffix, + } +} + +func ElasticUserEnvVar(esUserSecretName string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_USER", + ValueFrom: secret.GetEnvVarSource(esUserSecretName, "username", false), + } +} + +func ElasticUsernameEnvVar(esUsernameSecret string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_USERNAME", + ValueFrom: secret.GetEnvVarSource(esUsernameSecret, "username", false), + } +} + +func ElasticPasswordEnvVar(esUserSecretName string) corev1.EnvVar { + return corev1.EnvVar{ + Name: "ELASTIC_PASSWORD", + ValueFrom: secret.GetEnvVarSource(esUserSecretName, "password", false), + } +} + func DefaultVolumeMount(osType rmeta.OSType) corev1.VolumeMount { certPath := elasticCertDir(osType) return corev1.VolumeMount{ diff --git a/pkg/render/fluentd.go b/pkg/render/fluentd.go index c9a26c74dc..212afc6aa3 100644 --- a/pkg/render/fluentd.go +++ b/pkg/render/fluentd.go 
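Review bot: Nine exported helpers are added to decorator.go without doc comments, and two pairs are easy to confuse: `ElasticCAEnvVar` and `ElasticCuratorBackendCertEnvVar` both resolve to `elasticCertPath(osType)`, and `ElasticUserEnvVar` and `ElasticUsernameEnvVar` both read the `username` key and differ only in the variable name they publish. Each should say which consumer expects that name, e.g. `// ElasticUsernameEnvVar is ElasticUserEnvVar published as ELASTIC_USERNAME, for consumers that expand $(ELASTIC_USERNAME) (the esmetrics exporter args do).` and `// ElasticCuratorBackendCertEnvVar exposes the same trusted-bundle path as ElasticCAEnvVar under the name curator reads.` `ElasticCAEnvVar` is also the only helper that ties the value to the OS type, which is worth stating in its comment.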
@@ -150,14 +150,17 @@ type FluentdConfiguration struct { S3Credential *S3Credential SplkCredential *SplunkCredential Filters *FluentdFilters - EKSConfig *EksCloudwatchLogConfig - PullSecrets []*corev1.Secret - Installation *operatorv1.InstallationSpec - ClusterDomain string - OSType rmeta.OSType - FluentdKeyPair certificatemanagement.KeyPairInterface - TrustedBundle certificatemanagement.TrustedBundle - ManagedCluster bool + // ESClusterConfig is only populated for when EKSConfig + // is also defined + ESClusterConfig *relasticsearch.ClusterConfig + EKSConfig *EksCloudwatchLogConfig + PullSecrets []*corev1.Secret + Installation *operatorv1.InstallationSpec + ClusterDomain string + OSType rmeta.OSType + FluentdKeyPair certificatemanagement.KeyPairInterface + TrustedBundle certificatemanagement.TrustedBundle + ManagedCluster bool // Set if running as a multi-tenant management cluster. Configures the management cluster's // own fluentd daemonset. @@ -1022,6 +1025,8 @@ func (c *fluentdComponent) eksLogForwarderDeployment() *appsv1.Deployment { eksCloudwatchLogCredentialHashAnnotation: rmeta.AnnotationHash(c.cfg.EKSConfig), } + esScheme, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(c.cfg.OSType, c.cfg.ClusterDomain, ElasticsearchNamespace)) + envVars := []corev1.EnvVar{ // Meta flags. {Name: "LOG_LEVEL", Value: "info"}, 
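Review bot: `esScheme, esHost, esPort, _ := url.ParseEndpoint(...)` discards the parse error with no explanation, and the curator hunk in logstorage.go and the esmetrics hunk do the same; since the endpoint is assembled by `GatewayEndpoint` from fixed parts, say so where the error is dropped, `// GatewayEndpoint is built from fixed parts; a parse failure here is a programming error.`, or fail loudly rather than render an empty host and port into the pod. The new field comment `ESClusterConfig is only populated for when EKSConfig is also defined` is awkward and understates the contract, because the next hunk dereferences it unconditionally; suggest `// ESClusterConfig must be set whenever EKSConfig is set; eksLogForwarderDeployment dereferences it.` eksLogForwarderDeployment starts before and ends after the second hunk.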
@@ -1037,10 +1042,40 @@ func (c *fluentdComponent) eksLogForwarderDeployment() *appsv1.Deployment { {Name: "AWS_REGION", Value: c.cfg.EKSConfig.AwsRegion}, {Name: "AWS_ACCESS_KEY_ID", ValueFrom: secret.GetEnvVarSource(EksLogForwarderSecret, EksLogForwarderAwsId, false)}, {Name: "AWS_SECRET_ACCESS_KEY", ValueFrom: secret.GetEnvVarSource(EksLogForwarderSecret, EksLogForwarderAwsKey, false)}, + relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ESClusterConfig.ClusterName()), + relasticsearch.ElasticUserEnvVar(ElasticsearchEksLogForwarderUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchEksLogForwarderUserSecret), + relasticsearch.ElasticSchemeEnvVar(esScheme), + relasticsearch.ElasticHostEnvVar(esHost), + relasticsearch.ElasticPortEnvVar(esPort), + relasticsearch.ElasticCAEnvVar(c.cfg.OSType), } var eksLogForwarderReplicas int32 = 1 + initContainer := corev1.Container{ + Name: eksLogForwarderName + "-startup", + Image: c.image, + ImagePullPolicy: ImagePullPolicy(), + Command: []string{c.path("/bin/eks-log-forwarder-startup")}, + Env: envVars, + SecurityContext: c.securityContext(false), + VolumeMounts: c.eksLogForwarderVolumeMounts(), + } + + initContainer.Env = append(initContainer.Env, envVars...) + + container := corev1.Container{ + Name: eksLogForwarderName, + Image: c.image, + ImagePullPolicy: ImagePullPolicy(), + Env: envVars, + SecurityContext: c.securityContext(false), + VolumeMounts: c.eksLogForwarderVolumeMounts(), + } + + container.Env = append(container.Env, envVars...) + return &appsv1.Deployment{ TypeMeta: metav1.TypeMeta{Kind: "Deployment", APIVersion: "apps/v1"}, ObjectMeta: metav1.ObjectMeta{ 
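Review bot: Every environment variable is emitted twice in both eks-log-forwarder containers: `Env: envVars` already seeds each container literal, and `initContainer.Env = append(initContainer.Env, envVars...)` plus the matching `container.Env = append(container.Env, envVars...)` append the same slice again. The kubelet resolves duplicate names by position, so this works by accident and doubles the size of the pod spec; delete the two `append` lines, or drop `Env` from the literals and keep the appends, but not both. The fluentd_test.go hunk uses `ContainElements`, so it cannot notice the duplicates; a `HaveLen` on the env list or a uniqueness check on names would. eksLogForwarderDeployment starts before and ends after this hunk.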
@@ -1073,23 +1108,12 @@ func (c *fluentdComponent) eksLogForwarderDeployment() *appsv1.Deployment { Tolerations: c.cfg.Installation.ControlPlaneTolerations, ServiceAccountName: eksLogForwarderName, ImagePullSecrets: secret.GetReferenceList(c.cfg.PullSecrets), - InitContainers: []corev1.Container{relasticsearch.DecorateEnvironment(corev1.Container{ - Name: eksLogForwarderName + "-startup", - Image: c.image, - ImagePullPolicy: ImagePullPolicy(), - Command: []string{c.path("/bin/eks-log-forwarder-startup")}, - Env: envVars, - SecurityContext: c.securityContext(false), - VolumeMounts: c.eksLogForwarderVolumeMounts(), - }, ElasticsearchNamespace, DefaultElasticsearchClusterName, ElasticsearchEksLogForwarderUserSecret, c.cfg.ClusterDomain, c.cfg.OSType)}, - Containers: []corev1.Container{relasticsearch.DecorateEnvironment(corev1.Container{ - Name: eksLogForwarderName, - Image: c.image, - ImagePullPolicy: ImagePullPolicy(), - Env: envVars, - SecurityContext: c.securityContext(false), - VolumeMounts: c.eksLogForwarderVolumeMounts(), - }, ElasticsearchNamespace, DefaultElasticsearchClusterName, ElasticsearchEksLogForwarderUserSecret, c.cfg.ClusterDomain, c.cfg.OSType)}, + InitContainers: []corev1.Container{ + initContainer, + }, + Containers: []corev1.Container{ + container, + }, Volumes: c.eksLogForwarderVolumes(), }, }, diff --git a/pkg/render/fluentd_test.go b/pkg/render/fluentd_test.go index d0842d4db0..bf3e86b4ff 100644 --- a/pkg/render/fluentd_test.go +++ b/pkg/render/fluentd_test.go @@ -18,6 +18,8 @@ import ( . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/tigera/operator/pkg/render/common/secret" "github.com/tigera/operator/pkg/tls/certificatemanagement" appsv1 "k8s.io/api/apps/v1" 
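Review bot: The replacement env set for the forwarder omits `ELASTIC_SSL_VERIFY` (previously `true`), `ELASTIC_ACCESS_MODE` and `ES_CA_CERT`, which the deleted expectations in kube-controllers_test.go show `DecorateEnvironment` used to inject; the curator and esmetrics hunks drop them the same way. If eks-log-forwarder reads `ELASTIC_SSL_VERIFY` and defaults it to off, TLS verification of the ES gateway silently disappears with this commit. Check the forwarder's defaults and either add helpers for the dropped variables alongside `ElasticCAEnvVar` or note at the call site why they are no longer needed, e.g. `// ELASTIC_SSL_VERIFY is not set: the forwarder always verifies against ELASTIC_CA.` if that is the case. eksLogForwarderDeployment starts before this hunk.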
@@ -819,6 +821,7 @@ var _ = Describe("Tigera Secure Fluentd rendering tests", func() { GroupName: "dummy-eks-cluster-cloudwatch-log-group", FetchInterval: fetchInterval, } + cfg.ESClusterConfig = relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1) t := corev1.Toleration{ Key: "foo", Operator: corev1.TolerationOpEqual, @@ -882,6 +885,15 @@ var _ = Describe("Tigera Secure Fluentd rendering tests", func() { })) Expect(envs).To(ContainElement(corev1.EnvVar{Name: "EKS_CLOUDWATCH_LOG_FETCH_INTERVAL", Value: "900"})) + Expect(envs).To(ContainElements([]corev1.EnvVar{ + {Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, + {Name: "ELASTIC_SCHEME", Value: "https"}, + {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + {Name: "ELASTIC_PORT", Value: "9200"}, + {Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource("tigera-eks-log-forwarder-elasticsearch-access", "username", false)}, + {Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource("tigera-eks-log-forwarder-elasticsearch-access", "password", false)}, + {Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, + })) }) Context("allow-tigera rendering", func() { diff --git a/pkg/render/intrusion_detection.go b/pkg/render/intrusion_detection.go index 1769839e75..1a4a53c537 100644 --- a/pkg/render/intrusion_detection.go +++ b/pkg/render/intrusion_detection.go @@ -122,6 +122,7 @@ type IntrusionDetectionConfiguration struct { LogCollector *operatorv1.LogCollector ESSecrets []*corev1.Secret Installation *operatorv1.InstallationSpec + ESClusterConfig *relasticsearch.ClusterConfig PullSecrets []*corev1.Secret Openshift bool ClusterDomain string 
@@ -309,6 +310,13 @@ func (c *intrusionDetectionComponent) Ready() bool { } func (c *intrusionDetectionComponent) intrusionDetectionElasticsearchJob() *batchv1.Job { + container := c.intrusionDetectionJobContainer() + envVars := []corev1.EnvVar{ + relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ESClusterConfig.ClusterName()), + relasticsearch.ElasticUserEnvVar(ElasticsearchIntrusionDetectionUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchIntrusionDetectionUserSecret), + } + container.Env = append(container.Env, envVars...) podTemplate := relasticsearch.DecorateAnnotations(&corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ Labels: map[string]string{"job-name": IntrusionDetectionInstallerJobName}, @@ -320,8 +328,7 @@ func (c *intrusionDetectionComponent) intrusionDetectionElasticsearchJob() *batc RestartPolicy: corev1.RestartPolicyNever, ImagePullSecrets: secret.GetReferenceList(c.cfg.PullSecrets), Containers: []corev1.Container{ - relasticsearch.DecorateEnvironment(c.intrusionDetectionJobContainer(), ElasticsearchNamespace, DefaultElasticsearchClusterName, - ElasticsearchIntrusionDetectionJobUserSecret, c.cfg.ClusterDomain, rmeta.OSTypeLinux), + container, }, Volumes: []corev1.Volume{c.cfg.TrustedCertBundle.Volume()}, ServiceAccountName: IntrusionDetectionInstallerJobName, 
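Review bot: The installer Job now mounts `ElasticsearchIntrusionDetectionUserSecret`, whereas the removed `DecorateEnvironment` call used `ElasticsearchIntrusionDetectionJobUserSecret`; a job-specific user presumably carries only the privileges the installer needs, so switching it to the controller's credentials widens what a compromised or misbehaving job can do in Elasticsearch. If the change is deliberate, say so in a comment and retire the unused constant; otherwise restore `ElasticsearchIntrusionDetectionJobUserSecret` in the two helper calls (the intrusion_detection_test.go hunk codifies the new name and needs the same fix). Unlike the eks-log-forwarder and curator hunks, neither this Job nor the controller in the next hunk receives `ELASTIC_SCHEME`/`HOST`/`PORT`/`CA`, so confirm the installer can still locate Elasticsearch without them. intrusionDetectionElasticsearchJob continues after the hunk.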
@@ -700,8 +707,15 @@ func (c *intrusionDetectionComponent) deploymentPodTemplate() *corev1.PodTemplat }) } - container := relasticsearch.DecorateEnvironment(c.intrusionDetectionControllerContainer(), ElasticsearchNamespace, DefaultElasticsearchClusterName, - ElasticsearchIntrusionDetectionUserSecret, c.cfg.ClusterDomain, rmeta.OSTypeLinux) + container := c.intrusionDetectionControllerContainer() + + envVars := []corev1.EnvVar{ + relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ESClusterConfig.ClusterName()), + relasticsearch.ElasticUserEnvVar(ElasticsearchIntrusionDetectionUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchIntrusionDetectionUserSecret), + } + + container.Env = append(container.Env, envVars...) if c.cfg.ManagedCluster { envVars := []corev1.EnvVar{ diff --git a/pkg/render/intrusion_detection_test.go b/pkg/render/intrusion_detection_test.go index 6a7ab4de46..e2e9c1d8f1 100644 --- a/pkg/render/intrusion_detection_test.go +++ b/pkg/render/intrusion_detection_test.go @@ -17,6 +17,9 @@ package render_test import ( "fmt" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/tigera/operator/pkg/render/common/secret" + "github.com/tigera/operator/pkg/common" . "github.com/onsi/ginkgo" @@ -92,6 +95,7 @@ var _ = Describe("Intrusion Detection rendering tests", func() { TrustedCertBundle: bundle, IntrusionDetectionCertSecret: keyPair, Installation: &operatorv1.InstallationSpec{Registry: "testregistry.com/"}, + ESClusterConfig: relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1), ClusterDomain: dns.DefaultClusterDomain, ESLicenseType: render.ElasticsearchLicenseTypeUnknown, ManagedCluster: notManagedCluster, 
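Review bot: The `envVars` declared here is shadowed by the `envVars := []corev1.EnvVar{` inside `if c.cfg.ManagedCluster` on the hunk's last line; it compiles, but two unrelated slices now share a name, the shadow analyzer will flag it, and a later edit that appends to the wrong one would silently misconfigure the container. Rename the new one, e.g. `esEnvVars`, or skip the temporary and append directly: `container.Env = append(container.Env, relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ESClusterConfig.ClusterName()), relasticsearch.ElasticUserEnvVar(ElasticsearchIntrusionDetectionUserSecret), relasticsearch.ElasticPasswordEnvVar(ElasticsearchIntrusionDetectionUserSecret))`. deploymentPodTemplate starts and ends outside the hunk.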
@@ -154,6 +158,9 @@ var _ = Describe("Intrusion Detection rendering tests", func() { idji := rtest.GetResource(resources, "intrusion-detection-es-job-installer", render.IntrusionDetectionNamespace, "batch", "v1", "Job").(*batchv1.Job) Expect(idc.Spec.Template.Spec.Containers).To(HaveLen(1)) Expect(idc.Spec.Template.Spec.Containers[0].Env).Should(ContainElements( + corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, + corev1.EnvVar{Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "username", false)}, + corev1.EnvVar{Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "password", false)}, corev1.EnvVar{Name: "LINSEED_URL", Value: "https://tigera-linseed.tigera-elasticsearch.svc"}, corev1.EnvVar{Name: "LINSEED_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, corev1.EnvVar{Name: "LINSEED_CLIENT_CERT", Value: "/intrusion-detection-tls/tls.crt"}, @@ -161,6 +168,11 @@ var _ = Describe("Intrusion Detection rendering tests", func() { corev1.EnvVar{Name: "FIPS_MODE_ENABLED", Value: "false"}, )) Expect(idji.Spec.Template.Spec.Containers).To(HaveLen(1)) + Expect(idji.Spec.Template.Spec.Containers[0].Env).Should(ContainElements( + corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, + corev1.EnvVar{Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "username", false)}, + corev1.EnvVar{Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "password", false)}, + )) Expect(*idji.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(BeFalse()) Expect(*idji.Spec.Template.Spec.Containers[0].SecurityContext.Privileged).To(BeFalse()) diff --git a/pkg/render/kubecontrollers/kube-controllers.go b/pkg/render/kubecontrollers/kube-controllers.go index 12ef8ef5ce..cc775dd694 100644 
--- a/pkg/render/kubecontrollers/kube-controllers.go +++ b/pkg/render/kubecontrollers/kube-controllers.go @@ -33,7 +33,6 @@ import ( "github.com/tigera/operator/pkg/ptr" "github.com/tigera/operator/pkg/render" rcomp "github.com/tigera/operator/pkg/render/common/components" - relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" rmeta "github.com/tigera/operator/pkg/render/common/meta" "github.com/tigera/operator/pkg/render/common/networkpolicy" "github.com/tigera/operator/pkg/render/common/podsecuritypolicy" @@ -528,16 +527,6 @@ func (c *kubeControllersComponent) controllersDeployment() *appsv1.Deployment { VolumeMounts: c.kubeControllersVolumeMounts(), } - if c.kubeControllerName == EsKubeController { - container = relasticsearch.DecorateEnvironment( - container, - render.ElasticsearchNamespace, - render.DefaultElasticsearchClusterName, - ElasticsearchKubeControllersUserSecret, - c.cfg.ClusterDomain, - rmeta.OSTypeLinux, - ) - } var initContainers []corev1.Container if c.cfg.MetricsServerTLS != nil && c.cfg.MetricsServerTLS.UseCertificateManagement() { initContainers = append(initContainers, c.cfg.MetricsServerTLS.InitContainer(c.cfg.Namespace)) diff --git a/pkg/render/kubecontrollers/kube-controllers_test.go b/pkg/render/kubecontrollers/kube-controllers_test.go index 7877ce6303..41490918e2 100644 --- a/pkg/render/kubecontrollers/kube-controllers_test.go +++ b/pkg/render/kubecontrollers/kube-controllers_test.go 
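Review bot: With the `DecorateEnvironment` branch removed, the `EsKubeController` container is rendered without any `ELASTIC_*` variables and nothing in this hunk supplies a replacement, while the test hunk below still expects `ENABLED_CONTROLLERS` to include `elasticsearchconfiguration`. If that controller still talks to Elasticsearch it has lost its endpoint and credentials; if it no longer does, `ElasticsearchKubeControllersUserSecret` and whatever watches it are dead and should go in this series. Either way a one-line comment at the deletion site would spare the next reader the archaeology, e.g. `// es-kube-controllers no longer receives ELASTIC_* settings; it gets its Elasticsearch configuration via <mechanism>.` controllersDeployment starts and ends outside the hunk.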
@@ -54,50 +54,6 @@ var _ = Describe("kube-controllers rendering tests", func() { cli client.Client ) - esEnvs := []corev1.EnvVar{ - {Name: "ELASTIC_INDEX_SUFFIX", Value: "cluster"}, - {Name: "ELASTIC_SCHEME", Value: "https"}, - {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, - {Name: "ELASTIC_PORT", Value: "9200", ValueFrom: nil}, - {Name: "ELASTIC_ACCESS_MODE", Value: "serviceuser"}, - {Name: "ELASTIC_SSL_VERIFY", Value: "true"}, - { - Name: "ELASTIC_USER", Value: "", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "tigera-ee-kube-controllers-elasticsearch-access", - }, - Key: "username", - }, - }, - }, - { - Name: "ELASTIC_USERNAME", Value: "", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "tigera-ee-kube-controllers-elasticsearch-access", - }, - Key: "username", - }, - }, - }, - { - Name: "ELASTIC_PASSWORD", Value: "", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "tigera-ee-kube-controllers-elasticsearch-access", - }, - Key: "password", - }, - }, - }, - {Name: "ELASTIC_CA", Value: certificatemanagement.TrustedCertBundleMountPath}, - {Name: "ES_CA_CERT", Value: certificatemanagement.TrustedCertBundleMountPath}, - {Name: "ES_CURATOR_BACKEND_CERT", Value: certificatemanagement.TrustedCertBundleMountPath}, - } expectedPolicyForUnmanaged := testutils.GetExpectedPolicyFromFile("../testutils/expected_policies/kubecontrollers.json") expectedPolicyForUnmanagedOCP := testutils.GetExpectedPolicyFromFile("../testutils/expected_policies/kubecontrollers_ocp.json") expectedPolicyForManaged := testutils.GetExpectedPolicyFromFile("../testutils/expected_policies/kubecontrollers_managed.json") 
@@ -345,7 +301,6 @@ var _ = Describe("kube-controllers rendering tests", func() { Expect(envs).To(ContainElement(corev1.EnvVar{ Name: "ENABLED_CONTROLLERS", Value: "authorization,elasticsearchconfiguration", })) - Expect(envs).To(ContainElements(esEnvs)) Expect(dp.Spec.Template.Spec.Containers[0].VolumeMounts).To(HaveLen(1)) Expect(dp.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name).To(Equal("tigera-ca-bundle")) diff --git a/pkg/render/logstorage.go b/pkg/render/logstorage.go index 803cda7906..a6d9b140ea 100644 --- a/pkg/render/logstorage.go +++ b/pkg/render/logstorage.go @@ -22,6 +22,8 @@ import ( "net/url" "strings" + tigeraurl "github.com/tigera/operator/pkg/url" + cmnv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/common/v1" esv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/elasticsearch/v1" kbv1 "github.com/elastic/cloud-on-k8s/v2/pkg/apis/kibana/v1" @@ -371,6 +373,7 @@ func (es *elasticsearchComponent) Objects() ([]client.Object, []client.Object) { } toCreate = append(toCreate, es.elasticsearchServiceAccount()) + toCreate = append(toCreate, es.cfg.ClusterConfig.ConfigMap()) toCreate = append(toCreate, es.elasticsearchCluster()) 
@@ -1449,6 +1452,28 @@ func (es elasticsearchComponent) curatorCronJob() *batchv1.CronJob { const schedule = "@hourly" + container := corev1.Container{ + Name: ESCuratorName, + Image: es.curatorImage, + ImagePullPolicy: ImagePullPolicy(), + Env: es.curatorEnvVars(), + LivenessProbe: elasticCuratorLivenessProbe, + SecurityContext: securitycontext.NewNonRootContext(), + VolumeMounts: es.cfg.TrustedBundle.VolumeMounts(es.SupportedOSType()), + } + + _, esHost, esPort, _ := tigeraurl.ParseEndpoint(relasticsearch.GatewayEndpoint(es.SupportedOSType(), es.cfg.ClusterDomain, ElasticsearchNamespace)) + + envVars := []corev1.EnvVar{ + relasticsearch.ElasticUserEnvVar(ElasticsearchCuratorUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchCuratorUserSecret), + relasticsearch.ElasticHostEnvVar(esHost), + relasticsearch.ElasticPortEnvVar(esPort), + relasticsearch.ElasticCuratorBackendCertEnvVar(es.SupportedOSType()), + } + + container.Env = append(container.Env, envVars...) + return &batchv1.CronJob{ TypeMeta: metav1.TypeMeta{ Kind: "CronJob", @@ -1478,15 +1503,7 @@ func (es elasticsearchComponent) curatorCronJob() *batchv1.CronJob { NodeSelector: es.cfg.Installation.ControlPlaneNodeSelector, Tolerations: es.cfg.Installation.ControlPlaneTolerations, Containers: []corev1.Container{ - relasticsearch.DecorateEnvironment(corev1.Container{ - Name: ESCuratorName, - Image: es.curatorImage, - ImagePullPolicy: ImagePullPolicy(), - Env: es.curatorEnvVars(), - LivenessProbe: elasticCuratorLivenessProbe, - SecurityContext: securitycontext.NewNonRootContext(), - VolumeMounts: es.cfg.TrustedBundle.VolumeMounts(es.SupportedOSType()), - }, ElasticsearchNamespace, DefaultElasticsearchClusterName, ElasticsearchCuratorUserSecret, es.cfg.ClusterDomain, es.SupportedOSType()), + container, }, ImagePullSecrets: secret.GetReferenceList(es.cfg.PullSecrets), RestartPolicy: corev1.RestartPolicyOnFailure, 
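Review bot: The curator's replacement env set has user, password, host, port and `ES_CURATOR_BACKEND_CERT`, but no `ELASTIC_INDEX_SUFFIX` or `ELASTIC_SCHEME`, both of which the removed `DecorateEnvironment` call supplied (compare the deleted expectations in kube-controllers_test.go); unless `es.curatorEnvVars()`, which is outside this chunk, already provides the index suffix, the curator no longer knows which indices belong to this cluster. Confirm what curator reads and, if needed, add `relasticsearch.ElasticIndexSuffixEnvVar(es.cfg.ClusterConfig.ClusterName()),` to `envVars`. The `_` on the ParseEndpoint error mirrors the fluentd hunk and deserves the same explanatory comment. curatorCronJob starts and ends outside the hunk.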
diff --git a/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go b/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go index b68f1c4214..361e23dd41 100644 --- a/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go +++ b/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go @@ -17,6 +17,8 @@ package esmetrics import ( "fmt" + "github.com/tigera/operator/pkg/url" + appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" policyv1beta1 "k8s.io/api/policy/v1beta1" 
@@ -209,6 +211,39 @@ func (e elasticsearchMetrics) metricsDeployment() *appsv1.Deployment { annotations[e.cfg.ServerTLS.HashAnnotationKey()] = e.cfg.ServerTLS.HashAnnotationValue() } + _, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(e.SupportedOSType(), e.cfg.ClusterDomain, render.ElasticsearchNamespace)) + + envVars := []corev1.EnvVar{ + relasticsearch.ElasticUsernameEnvVar(ElasticsearchMetricsSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchMetricsSecret), + relasticsearch.ElasticHostEnvVar(esHost), + relasticsearch.ElasticPortEnvVar(esPort), + relasticsearch.ElasticCAEnvVar(e.SupportedOSType()), + } + + container := corev1.Container{ + Name: ElasticsearchMetricsName, + Image: e.esMetricsImage, + ImagePullPolicy: render.ImagePullPolicy(), + SecurityContext: securitycontext.NewNonRootContext(), + Command: []string{"/bin/elasticsearch_exporter"}, + Args: []string{ + "--es.uri=https://$(ELASTIC_USERNAME):$(ELASTIC_PASSWORD)@$(ELASTIC_HOST):$(ELASTIC_PORT)", + "--es.all", "--es.indices", "--es.indices_settings", "--es.shards", "--es.cluster_settings", + "--es.timeout=30s", "--es.ca=$(ELASTIC_CA)", "--web.listen-address=:9081", + "--web.telemetry-path=/metrics", "--tls.key=/tigera-ee-elasticsearch-metrics-tls/tls.key", "--tls.crt=/tigera-ee-elasticsearch-metrics-tls/tls.crt", fmt.Sprintf("--ca.crt=%s", certificatemanagement.TrustedCertBundleMountPath), + }, + VolumeMounts: append( + e.cfg.TrustedBundle.VolumeMounts(e.SupportedOSType()), + e.cfg.ServerTLS.VolumeMount(e.SupportedOSType()), + ), + Env: []corev1.EnvVar{ + {Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(e.cfg.Installation.FIPSMode)}, + }, + } + + container.Env = append(container.Env, envVars...) + return &appsv1.Deployment{ TypeMeta: metav1.TypeMeta{Kind: "Deployment", APIVersion: "apps/v1"}, ObjectMeta: metav1.ObjectMeta{ 
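Review bot: This is the third copy of the parse-GatewayEndpoint-then-emit-host/port sequence (the fluentd.go and logstorage.go hunks hold the other two), each discarding the parse error; a single helper in the elasticsearch package, e.g. `func GatewayEnvVars(osType rmeta.OSType, clusterDomain string) []corev1.EnvVar`, would keep the endpoint decomposition and its error policy in one place. The moved `--es.uri=https://$(ELASTIC_USERNAME):$(ELASTIC_PASSWORD)@...` argument means the credentials are expanded into the exporter's argv, where anything that can list processes in the pod can read them; that predates this commit, but while the container is being rebuilt it is worth checking whether the exporter can take them from the environment instead and noting the outcome in a comment. metricsDeployment starts and ends outside the hunk.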
@@ -228,29 +263,7 @@ func (e elasticsearchMetrics) metricsDeployment() *appsv1.Deployment {
 ServiceAccountName: ElasticsearchMetricsName,
 InitContainers: initContainers,
 Containers: []corev1.Container{
- relasticsearch.DecorateEnvironment(
- corev1.Container{
- Name: ElasticsearchMetricsName,
- Image: e.esMetricsImage,
- ImagePullPolicy: render.ImagePullPolicy(),
- SecurityContext: securitycontext.NewNonRootContext(),
- Command: []string{"/bin/elasticsearch_exporter"},
- Args: []string{
- "--es.uri=https://$(ELASTIC_USERNAME):$(ELASTIC_PASSWORD)@$(ELASTIC_HOST):$(ELASTIC_PORT)",
- "--es.all", "--es.indices", "--es.indices_settings", "--es.shards", "--es.cluster_settings",
- "--es.timeout=30s", "--es.ca=$(ELASTIC_CA)", "--web.listen-address=:9081",
- "--web.telemetry-path=/metrics", "--tls.key=/tigera-ee-elasticsearch-metrics-tls/tls.key", "--tls.crt=/tigera-ee-elasticsearch-metrics-tls/tls.crt", fmt.Sprintf("--ca.crt=%s", certificatemanagement.TrustedCertBundleMountPath),
- },
- VolumeMounts: append(
- e.cfg.TrustedBundle.VolumeMounts(e.SupportedOSType()),
- e.cfg.ServerTLS.VolumeMount(e.SupportedOSType()),
- ),
- Env: []corev1.EnvVar{
- {Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(e.cfg.Installation.FIPSMode)},
- },
- }, render.ElasticsearchNamespace, render.DefaultElasticsearchClusterName, ElasticsearchMetricsSecret,
- e.cfg.ClusterDomain, e.SupportedOSType(),
- ),
+ container,
 },
 Volumes: []corev1.Volume{
 e.cfg.ServerTLS.Volume(),
diff --git a/pkg/render/logstorage/esmetrics/elasticsearch_metrics_test.go b/pkg/render/logstorage/esmetrics/elasticsearch_metrics_test.go
index 3d66162ea5..e4cb92679b 100644
--- a/pkg/render/logstorage/esmetrics/elasticsearch_metrics_test.go
+++ b/pkg/render/logstorage/esmetrics/elasticsearch_metrics_test.go
@@ -169,23 +169,6 @@ var _ = Describe("Elasticsearch metrics", func() { }, Env: []corev1.EnvVar{ {Name: "FIPS_MODE_ENABLED", Value: "false"}, - {Name: "ELASTIC_INDEX_SUFFIX", Value: "cluster"}, - {Name: "ELASTIC_SCHEME", Value: "https"}, - {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, - {Name: "ELASTIC_PORT", Value: "9200"}, - {Name: "ELASTIC_ACCESS_MODE", Value: "serviceuser"}, - {Name: "ELASTIC_SSL_VERIFY", Value: "true"}, - { - Name: "ELASTIC_USER", - ValueFrom: &corev1.EnvVarSource{ - SecretKeyRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "tigera-ee-elasticsearch-metrics-elasticsearch-access", - }, - Key: "username", - }, - }, - }, { Name: "ELASTIC_USERNAME", ValueFrom: &corev1.EnvVarSource{ @@ -208,9 +191,9 @@ var _ = Describe("Elasticsearch metrics", func() { }, }, }, + {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + {Name: "ELASTIC_PORT", Value: "9200"}, {Name: "ELASTIC_CA", Value: certificatemanagement.TrustedCertBundleMountPath}, - {Name: "ES_CA_CERT", Value: certificatemanagement.TrustedCertBundleMountPath}, - {Name: "ES_CURATOR_BACKEND_CERT", Value: certificatemanagement.TrustedCertBundleMountPath}, }, VolumeMounts: append( cfg.TrustedBundle.VolumeMounts(meta.OSTypeLinux), diff --git a/pkg/render/logstorage_test.go b/pkg/render/logstorage_test.go index 3865538a2e..3af225a9ea 100644 --- a/pkg/render/logstorage_test.go +++ b/pkg/render/logstorage_test.go @@ -19,6 +19,8 @@ import ( "fmt" "reflect" + "github.com/tigera/operator/pkg/render/common/secret" + . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" 
@@ -219,6 +221,7 @@ var _ = Describe("Elasticsearch rendering tests", func() { &v3.NetworkPolicy{ObjectMeta: metav1.ObjectMeta{Name: networkpolicy.TigeraComponentDefaultDenyPolicyName, Namespace: render.ElasticsearchNamespace}}, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "tigera-pull-secret", Namespace: render.ElasticsearchNamespace}}, &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: "tigera-elasticsearch", Namespace: render.ElasticsearchNamespace}}, + &corev1.ConfigMap{ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.ClusterConfigConfigMapName, Namespace: common.OperatorNamespace()}}, &esv1.Elasticsearch{ObjectMeta: metav1.ObjectMeta{Name: render.ElasticsearchName, Namespace: render.ElasticsearchNamespace}}, &rbacv1.Role{ObjectMeta: metav1.ObjectMeta{Name: render.EsManagerRole, Namespace: render.ElasticsearchNamespace}}, &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: render.EsManagerRoleBinding, Namespace: render.ElasticsearchNamespace}}, @@ -480,6 +483,7 @@ var _ = Describe("Elasticsearch rendering tests", func() { {networkpolicy.TigeraComponentDefaultDenyPolicyName, render.ElasticsearchNamespace, &v3.NetworkPolicy{}, nil}, {"tigera-pull-secret", render.ElasticsearchNamespace, &corev1.Secret{}, nil}, {"tigera-elasticsearch", render.ElasticsearchNamespace, &corev1.ServiceAccount{}, nil}, + {relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &corev1.ConfigMap{}, nil}, {render.ElasticsearchName, render.ElasticsearchNamespace, &esv1.Elasticsearch{}, nil}, {render.KibanaNamespace, "", &corev1.Namespace{}, nil}, {render.KibanaPolicyName, render.KibanaNamespace, &v3.NetworkPolicy{}, nil}, 
@@ -545,6 +549,7 @@ var _ = Describe("Elasticsearch rendering tests", func() { {networkpolicy.TigeraComponentDefaultDenyPolicyName, render.ElasticsearchNamespace, &v3.NetworkPolicy{}, nil}, {"tigera-pull-secret", render.ElasticsearchNamespace, &corev1.Secret{}, nil}, {"tigera-elasticsearch", render.ElasticsearchNamespace, &corev1.ServiceAccount{}, nil}, + {relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &corev1.ConfigMap{}, nil}, {render.ElasticsearchName, render.ElasticsearchNamespace, &esv1.Elasticsearch{}, nil}, {render.KibanaNamespace, "", &corev1.Namespace{}, nil}, {render.KibanaPolicyName, render.KibanaNamespace, &v3.NetworkPolicy{}, nil}, @@ -626,6 +631,7 @@ var _ = Describe("Elasticsearch rendering tests", func() { {networkpolicy.TigeraComponentDefaultDenyPolicyName, render.ElasticsearchNamespace, &v3.NetworkPolicy{}, nil}, {"tigera-pull-secret", render.ElasticsearchNamespace, &corev1.Secret{}, nil}, {"tigera-elasticsearch", render.ElasticsearchNamespace, &corev1.ServiceAccount{}, nil}, + {relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &corev1.ConfigMap{}, nil}, {render.ElasticsearchName, render.ElasticsearchNamespace, &esv1.Elasticsearch{}, nil}, {render.KibanaNamespace, "", &corev1.Namespace{}, nil}, {render.KibanaPolicyName, render.KibanaNamespace, &v3.NetworkPolicy{}, nil}, 
@@ -661,6 +667,11 @@ var _ = Describe("Elasticsearch rendering tests", func() { {Name: "EE_BGP_INDEX_RETENTION_PERIOD", Value: fmt.Sprint(1)}, {Name: "EE_MAX_TOTAL_STORAGE_PCT", Value: fmt.Sprint(80)}, {Name: "EE_MAX_LOGS_STORAGE_PCT", Value: fmt.Sprint(70)}, + {Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchCuratorUserSecret, "username", false)}, + {Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchCuratorUserSecret, "password", false)}, + {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + {Name: "ELASTIC_PORT", Value: "9200"}, + {Name: "ES_CURATOR_BACKEND_CERT", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, })) Expect(*cronjob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(BeFalse()) @@ -877,6 +888,7 @@ var _ = Describe("Elasticsearch rendering tests", func() { {networkpolicy.TigeraComponentDefaultDenyPolicyName, render.ElasticsearchNamespace, &v3.NetworkPolicy{}, nil}, {"tigera-pull-secret", render.ElasticsearchNamespace, &corev1.Secret{}, nil}, {"tigera-elasticsearch", render.ElasticsearchNamespace, &corev1.ServiceAccount{}, nil}, + {relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &corev1.ConfigMap{}, nil}, {render.ElasticsearchName, render.ElasticsearchNamespace, &esv1.Elasticsearch{}, nil}, {render.ElasticsearchKeystoreSecret, common.OperatorNamespace(), &corev1.Secret{}, nil}, {render.ElasticsearchKeystoreSecret, render.ElasticsearchNamespace, &corev1.Secret{}, nil}, diff --git a/pkg/render/manager.go b/pkg/render/manager.go index 2d412df6af..ed71b96b43 100644 --- a/pkg/render/manager.go +++ b/pkg/render/manager.go @@ -20,6 +20,8 @@ import ( "strconv" "strings" + "github.com/tigera/operator/pkg/url" + ocsv1 "github.com/openshift/api/security/v1" appsv1 "k8s.io/api/apps/v1" 
@@ -126,6 +128,7 @@ func Manager(cfg *ManagerConfiguration) (Component, error) {
 type ManagerConfiguration struct {
 KeyValidatorConfig authentication.KeyValidatorConfig
 ESSecrets []*corev1.Secret
+ ClusterConfig *relasticsearch.ClusterConfig
 PullSecrets []*corev1.Secret
 Openshift bool
 Installation *operatorv1.InstallationSpec
@@ -272,13 +275,6 @@ func (c *managerComponent) managerDeployment() *appsv1.Deployment {
 }
 
 // Containers for the manager pod.
- managerContainer := c.managerContainer()
- esProxyContainer := c.managerEsProxyContainer()
- if c.cfg.Tenant == nil {
- // If we're running in multi-tenant mode, we don't need ES credentials as these are used for Kibana login. Otherwise, add them.
- managerContainer = relasticsearch.DecorateEnvironment(managerContainer, ElasticsearchNamespace, DefaultElasticsearchClusterName, ElasticsearchManagerUserSecret, c.cfg.ClusterDomain, c.SupportedOSType())
- esProxyContainer = relasticsearch.DecorateEnvironment(esProxyContainer, ElasticsearchNamespace, DefaultElasticsearchClusterName, ElasticsearchManagerUserSecret, c.cfg.ClusterDomain, c.SupportedOSType())
- }
 if c.cfg.InternalTLSKeyPair != nil && c.cfg.InternalTLSKeyPair.UseCertificateManagement() {
 initContainers = append(initContainers, c.cfg.InternalTLSKeyPair.InitContainer(ManagerNamespace))
 }
@@ -298,7 +294,7 @@ func (c *managerComponent) managerDeployment() *appsv1.Deployment {
 Tolerations: c.managerTolerations(),
 ImagePullSecrets: secret.GetReferenceList(c.cfg.PullSecrets),
 InitContainers: initContainers,
- Containers: []corev1.Container{managerContainer, esProxyContainer, c.voltronContainer()},
+ Containers: []corev1.Container{c.managerContainer(), c.managerEsProxyContainer(), c.voltronContainer()},
 Volumes: c.managerVolumes(),
 },
 }, c.cfg.ESSecrets).(*corev1.PodTemplateSpec)
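Review bot: The comment `// Containers for the manager pod.` is orphaned by the `@@ -272` hunk: the container assignments beneath it are removed and no blank line separates it from what follows, so it now sits directly above the `InternalTLSKeyPair` init-container check, which it does not describe. Either delete it or move it onto the `Containers:` line in the `@@ -298` hunk. The new `ClusterConfig` field on `ManagerConfiguration` also lacks a doc comment at the same time as the old `Tenant == nil` gate on ES credentials disappears; a line such as `// ClusterConfig is read only when Kibana is enabled (it supplies ELASTIC_INDEX_SUFFIX for the es-proxy container).` would record the new contract, whose only visible use is in managerEsProxyContainer in the following hunk. managerDeployment begins before and ends after these hunks.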
@@ -565,6 +561,21 @@ func (c *managerComponent) managerEsProxyContainer() corev1.Container { {Name: "ELASTIC_KIBANA_DISABLED", Value: strconv.FormatBool(!c.kibanaEnabled())}, } + if c.kibanaEnabled() { + esScheme, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(c.SupportedOSType(), c.cfg.ClusterDomain, ElasticsearchNamespace)) + esEnvVars := []corev1.EnvVar{ + relasticsearch.ElasticCAEnvVar(c.SupportedOSType()), + relasticsearch.ElasticSchemeEnvVar(esScheme), + relasticsearch.ElasticHostEnvVar(esHost), + relasticsearch.ElasticPortEnvVar(esPort), + relasticsearch.ElasticUsernameEnvVar(ElasticsearchManagerUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchManagerUserSecret), + relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ClusterConfig.ClusterName()), + } + + env = append(env, esEnvVars...) + } + // Determine the Linseed location. Use code default unless in multi-tenant mode, // in which case use the Linseed in the current namespace. if c.cfg.Tenant != nil { diff --git a/pkg/render/manager_test.go b/pkg/render/manager_test.go index f214b6b8b4..5b6eb75ef4 100644 --- a/pkg/render/manager_test.go +++ b/pkg/render/manager_test.go @@ -18,6 +18,9 @@ import ( "fmt" "strconv" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/tigera/operator/pkg/render/common/secret" + . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" 
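Review bot: `c.cfg.ClusterConfig.ClusterName()` inside the new `if c.kibanaEnabled()` block dereferences the pointer field added in the previous hunk without a nil check; the tests in this commit populate `ClusterConfig` only when `Tenant == nil` and FIPS mode is off, so any caller for which `kibanaEnabled()` is true but the field is unset will panic during render rather than return an error. Either guard it, `if c.kibanaEnabled() && c.cfg.ClusterConfig != nil {`, or validate the field in `Manager()` where an error can be returned. The removed code gated these credentials on `c.cfg.Tenant == nil`; whether `kibanaEnabled()` is guaranteed false for tenants is not visible here and is worth confirming, since otherwise tenant es-proxy containers would now receive the `ElasticsearchManagerUserSecret` credentials they previously did not. managerEsProxyContainer starts before this hunk and continues after it.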
@@ -131,6 +134,13 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { Expect(esProxy.Env).Should(ContainElements( corev1.EnvVar{Name: "LINSEED_CLIENT_CERT", Value: "/internal-manager-tls/tls.crt"}, corev1.EnvVar{Name: "LINSEED_CLIENT_KEY", Value: "/internal-manager-tls/tls.key"}, + corev1.EnvVar{Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, + corev1.EnvVar{Name: "ELASTIC_SCHEME", Value: "https"}, + corev1.EnvVar{Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + corev1.EnvVar{Name: "ELASTIC_PORT", Value: "9200"}, + corev1.EnvVar{Name: "ELASTIC_USERNAME", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "username", false)}, + corev1.EnvVar{Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "password", false)}, + corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, )) Expect(esProxy.VolumeMounts).To(HaveLen(2)) @@ -426,6 +436,7 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { VoltronLinseedKeyPair: voltronLinseedCert, InternalTLSKeyPair: internalTraffic, Installation: installation, + ClusterConfig: &relasticsearch.ClusterConfig{}, Namespace: render.ManagerNamespace, TruthNamespace: common.OperatorNamespace(), } @@ -691,8 +702,13 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { // renderManager passes in as few parameters as possible to render.Manager without it // panicing. It accepts variations on the installspec for testing purposes. renderManager := func(i *operatorv1.InstallationSpec) *appsv1.Deployment { + var esConfigMap *relasticsearch.ClusterConfig + if !operatorv1.IsFIPSModeEnabled(i.FIPSMode) { + esConfigMap = relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1) + } cfg := &render.ManagerConfiguration{ TrustedCertBundle: bundle, + ClusterConfig: esConfigMap, TLSKeyPair: kp, VoltronLinseedKeyPair: voltronLinseedKP, Installation: i, 
@@ -1043,9 +1059,14 @@ func renderObjects(roc renderConfig) []client.Object { roc.bindingNamespaces = []string{roc.ns} } + var esConfigMap *relasticsearch.ClusterConfig + if roc.tenant == nil && !operatorv1.IsFIPSModeEnabled(roc.installation.FIPSMode) { + esConfigMap = relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1) + } cfg := &render.ManagerConfiguration{ KeyValidatorConfig: dexCfg, TrustedCertBundle: bundle, + ClusterConfig: esConfigMap, TLSKeyPair: managerTLS, Installation: roc.installation, ManagementCluster: roc.managementCluster, From bb319c01248662c8fb544f4a80a979b1c27b9c0e Mon Sep 17 00:00:00 2001 From: Josh Lucas Date: Thu, 9 Nov 2023 10:36:23 -0500 Subject: [PATCH 3/9] PR feedback and failure fixes --- .../logcollector/logcollector_controller.go | 4 +- .../logstorage/elastic/elastic_controller.go | 4 ++ .../elastic/elastic_controller_test.go | 27 +++++++++ pkg/render/common/elasticsearch/tls.go | 1 + pkg/render/fluentd_test.go | 10 ++++ pkg/render/intrusion_detection.go | 28 ++++----- pkg/render/intrusion_detection_test.go | 8 ++- .../kubecontrollers/kube-controllers.go | 14 +++++ pkg/render/logstorage.go | 40 ++++++------- pkg/render/logstorage/esgateway/esgateway.go | 7 +++ .../esmetrics/elasticsearch_metrics.go | 57 ++++++++----------- pkg/render/manager.go | 9 +-- pkg/render/manager_test.go | 7 ++- 13 files changed, 134 insertions(+), 82 deletions(-) diff --git a/pkg/controller/logcollector/logcollector_controller.go b/pkg/controller/logcollector/logcollector_controller.go index 205943c6de..968f1d417f 100644 --- a/pkg/controller/logcollector/logcollector_controller.go +++ b/pkg/controller/logcollector/logcollector_controller.go 
@@ -564,10 +564,10 @@ func (r *ReconcileLogCollector) Reconcile(ctx context.Context, request reconcile
 
 fluentdCfg := &render.FluentdConfiguration{
 LogCollector: instance,
+ ESClusterConfig: esClusterConfig,
 S3Credential: s3Credential,
 SplkCredential: splunkCredential,
 Filters: filters,
- ESClusterConfig: esClusterConfig,
 EKSConfig: eksConfig,
 PullSecrets: pullSecrets,
 Installation: installation,
@@ -615,10 +615,10 @@ func (r *ReconcileLogCollector) Reconcile(ctx context.Context, request reconcile
 if hasWindowsNodes {
 fluentdCfg = &render.FluentdConfiguration{
 LogCollector: instance,
+ ESClusterConfig: esClusterConfig,
 S3Credential: s3Credential,
 SplkCredential: splunkCredential,
 Filters: filters,
- ESClusterConfig: esClusterConfig,
 EKSConfig: eksConfig,
 PullSecrets: pullSecrets,
 Installation: installation,
diff --git a/pkg/controller/logstorage/elastic/elastic_controller.go b/pkg/controller/logstorage/elastic/elastic_controller.go
index 19ac2a6fa4..b83f9f3e3b 100644
--- a/pkg/controller/logstorage/elastic/elastic_controller.go
+++ b/pkg/controller/logstorage/elastic/elastic_controller.go
@@ -225,6 +225,10 @@ func Add(mgr manager.Manager, opts options.AddOptions) error {
 }
 }
 
+ if err = utils.AddConfigMapWatch(c, relasticsearch.ClusterConfigConfigMapName, common.OperatorNamespace(), &handler.EnqueueRequestForObject{}); err != nil {
+ return fmt.Errorf("log-storage-elastic-controller failed to watch ConfigMap resource: %w", err)
+ }
+
 if err = utils.AddConfigMapWatch(c, render.ECKLicenseConfigMapName, render.ECKOperatorNamespace, &handler.EnqueueRequestForObject{}); err != nil {
 return fmt.Errorf("log-storage-elastic-controller failed to watch ConfigMap resource: %w", err)
 }
diff --git a/pkg/controller/logstorage/elastic/elastic_controller_test.go b/pkg/controller/logstorage/elastic/elastic_controller_test.go
index 2e8b5c1f31..40634b0cbf 100644
--- a/pkg/controller/logstorage/elastic/elastic_controller_test.go
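Review bot: The error message in the new `AddConfigMapWatch` block in elastic_controller.go is byte-identical to the one for the ECK licence watch directly below it, so a startup failure log cannot tell which of the two ConfigMap watches failed to register. Naming the ConfigMap keeps them distinct: `return fmt.Errorf("log-storage-elastic-controller failed to watch ConfigMap %s: %w", relasticsearch.ClusterConfigConfigMapName, err)`. The two FluentdConfiguration hunks in logcollector_controller.go only reorder a field. Add's body continues outside the hunk.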
+++ b/pkg/controller/logstorage/elastic/elastic_controller_test.go @@ -351,10 +351,23 @@ var _ = Describe("LogStorage controller", func() { r, err := NewReconcilerWithShims(cli, scheme, mockStatus, operatorv1.ProviderNone, MockESCLICreator, dns.DefaultClusterDomain, readyFlag) Expect(err).ShouldNot(HaveOccurred()) + esConfigMapKey := client.ObjectKey{ + Name: relasticsearch.ClusterConfigConfigMapName, + Namespace: common.OperatorNamespace(), + } + + esConfigMap := corev1.ConfigMap{} + + // Verify that the ConfigMap doesn't exist prior to calling Reconcile + Expect(cli.Get(ctx, esConfigMapKey, &esConfigMap)).To(HaveOccurred()) + mockStatus.On("SetDegraded", operatorv1.ResourceNotReady, "Waiting for Elasticsearch cluster to be operational", mock.Anything, mock.Anything).Return() result, err := r.Reconcile(ctx, reconcile.Request{}) Expect(err).ShouldNot(HaveOccurred()) + // Check that the ConfigMap was created by the call to Reconcile + Expect(cli.Get(ctx, esConfigMapKey, &esConfigMap)).NotTo(HaveOccurred()) + // Expect to be waiting for Elasticsearch and Kibana to be functional Expect(result).Should(Equal(reconcile.Result{})) 
@@ -394,10 +407,24 @@ var _ = Describe("LogStorage controller", func() { } Expect(cli.Create(ctx, esAdminUserSecret)).ShouldNot(HaveOccurred()) + // Modify ConfigMap we expect to be reverted by a call to Reconcile + _, ok := esConfigMap.Data["test-field"] + Expect(ok).To(BeFalse()) + + esConfigMap.Data = map[string]string{ + "test-field": "test-data", + } + Expect(cli.Update(ctx, &esConfigMap)).NotTo(HaveOccurred()) + mockStatus.On("SetDegraded", operatorv1.ResourceNotReady, "Waiting for curator secrets to become available", mock.Anything, mock.Anything).Return() result, err = r.Reconcile(ctx, reconcile.Request{}) Expect(err).ShouldNot(HaveOccurred()) + // Verify that the ConfigMap was reverted to the original state + Expect(cli.Get(ctx, esConfigMapKey, &esConfigMap)).NotTo(HaveOccurred()) + _, ok = esConfigMap.Data["test-field"] + Expect(ok).To(BeFalse()) + // Expect to be waiting for curator secret Expect(result).Should(Equal(reconcile.Result{})) Expect(cli.Create(ctx, &corev1.Secret{ObjectMeta: curatorUsrSecretObjMeta})).ShouldNot(HaveOccurred()) diff --git a/pkg/render/common/elasticsearch/tls.go b/pkg/render/common/elasticsearch/tls.go index ffe829ff47..780fd330b1 100644 --- a/pkg/render/common/elasticsearch/tls.go +++ b/pkg/render/common/elasticsearch/tls.go @@ -15,5 +15,6 @@ package elasticsearch const ( + PublicCertSecret = "tigera-secure-es-gateway-http-certs-public" UnusedCertSecret = "tigera-secure-es-http-certs-unused" ) diff --git a/pkg/render/fluentd_test.go b/pkg/render/fluentd_test.go index bf3e86b4ff..0d380c8649 100644 --- a/pkg/render/fluentd_test.go +++ b/pkg/render/fluentd_test.go 
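Review bot: `PublicCertSecret` is reintroduced in tls.go without a doc comment, and the first commit in this series removed its uses, so a reader has no indication of why it is back or who produces it. A comment tying it to its producer would help: `// PublicCertSecret is the Secret that esgateway publishes into the truth namespace carrying the gateway's certificate (or, under certificate management, the CA certificate).` The producer is the `Objects` hunk in esgateway.go later in this patch; if that is the only writer, saying so here keeps the constant from being treated as a general-purpose name.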
@@ -161,6 +161,16 @@ var _ = Describe("Tigera Secure Fluentd rendering tests", func() { corev1.EnvVar{Name: "LINSEED_TOKEN", Value: "/var/run/secrets/kubernetes.io/serviceaccount/token"}, )) + Expect(envs).ShouldNot(ContainElements( + corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, + corev1.EnvVar{Name: "ELASTIC_SCHEME", Value: "https"}, + corev1.EnvVar{Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + corev1.EnvVar{Name: "ELASTIC_PORT", Value: "9200"}, + corev1.EnvVar{Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource("tigera-eks-log-forwarder-elasticsearch-access", "username", false)}, + corev1.EnvVar{Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource("tigera-eks-log-forwarder-elasticsearch-access", "password", false)}, + corev1.EnvVar{Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, + )) + container := ds.Spec.Template.Spec.Containers[0] Expect(container.ReadinessProbe.Exec.Command).To(ConsistOf([]string{"sh", "-c", "/bin/readiness.sh"})) diff --git a/pkg/render/intrusion_detection.go b/pkg/render/intrusion_detection.go index 1a4a53c537..fdbd6a53f8 100644 --- a/pkg/render/intrusion_detection.go +++ b/pkg/render/intrusion_detection.go @@ -310,13 +310,6 @@ func (c *intrusionDetectionComponent) Ready() bool { } func (c *intrusionDetectionComponent) intrusionDetectionElasticsearchJob() *batchv1.Job { - container := c.intrusionDetectionJobContainer() - envVars := []corev1.EnvVar{ - relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ESClusterConfig.ClusterName()), - relasticsearch.ElasticUserEnvVar(ElasticsearchIntrusionDetectionUserSecret), - relasticsearch.ElasticPasswordEnvVar(ElasticsearchIntrusionDetectionUserSecret), - } - container.Env = append(container.Env, envVars...) podTemplate := relasticsearch.DecorateAnnotations(&corev1.PodTemplateSpec{ ObjectMeta: metav1.ObjectMeta{ Labels: map[string]string{"job-name": IntrusionDetectionInstallerJobName}, 
@@ -328,7 +321,7 @@ func (c *intrusionDetectionComponent) intrusionDetectionElasticsearchJob() *batc RestartPolicy: corev1.RestartPolicyNever, ImagePullSecrets: secret.GetReferenceList(c.cfg.PullSecrets), Containers: []corev1.Container{ - container, + c.intrusionDetectionJobContainer(), }, Volumes: []corev1.Volume{c.cfg.TrustedCertBundle.Volume()}, ServiceAccountName: IntrusionDetectionInstallerJobName, @@ -409,6 +402,9 @@ func (c *intrusionDetectionComponent) intrusionDetectionJobContainer() corev1.Co Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(c.cfg.Installation.FIPSMode), }, + relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ESClusterConfig.ClusterName()), + relasticsearch.ElasticUserEnvVar(ElasticsearchIntrusionDetectionJobUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchIntrusionDetectionJobUserSecret), }, SecurityContext: securitycontext.NewNonRootContext(), VolumeMounts: c.cfg.TrustedCertBundle.VolumeMounts(c.SupportedOSType()), @@ -709,14 +705,6 @@ func (c *intrusionDetectionComponent) deploymentPodTemplate() *corev1.PodTemplat container := c.intrusionDetectionControllerContainer() - envVars := []corev1.EnvVar{ - relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ESClusterConfig.ClusterName()), - relasticsearch.ElasticUserEnvVar(ElasticsearchIntrusionDetectionUserSecret), - relasticsearch.ElasticPasswordEnvVar(ElasticsearchIntrusionDetectionUserSecret), - } - - container.Env = append(container.Env, envVars...) - if c.cfg.ManagedCluster { envVars := []corev1.EnvVar{ {Name: "DISABLE_ALERTS", Value: "yes"}, @@ -749,6 +737,7 @@ func (c *intrusionDetectionComponent) deploymentPodTemplate() *corev1.PodTemplat } func (c *intrusionDetectionComponent) intrusionDetectionControllerContainer() corev1.Container { + esScheme, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(c.SupportedOSType(), c.cfg.ClusterDomain, ElasticsearchNamespace)) envs := []corev1.EnvVar{ { Name: "MULTI_CLUSTER_FORWARDING_CA", 
@@ -778,6 +767,13 @@ func (c *intrusionDetectionComponent) intrusionDetectionControllerContainer() co Name: "LINSEED_TOKEN", Value: GetLinseedTokenPath(c.cfg.ManagedCluster), }, + relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ESClusterConfig.ClusterName()), + relasticsearch.ElasticUserEnvVar(ElasticsearchIntrusionDetectionUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchIntrusionDetectionUserSecret), + relasticsearch.ElasticHostEnvVar(esHost), + relasticsearch.ElasticPortEnvVar(esPort), + relasticsearch.ElasticSchemeEnvVar(esScheme), + relasticsearch.ElasticCAEnvVar(c.SupportedOSType()), } sc := securitycontext.NewNonRootContext() diff --git a/pkg/render/intrusion_detection_test.go b/pkg/render/intrusion_detection_test.go index e2e9c1d8f1..3917d1167d 100644 --- a/pkg/render/intrusion_detection_test.go +++ b/pkg/render/intrusion_detection_test.go @@ -161,6 +161,10 @@ var _ = Describe("Intrusion Detection rendering tests", func() { corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, corev1.EnvVar{Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "username", false)}, corev1.EnvVar{Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "password", false)}, + corev1.EnvVar{Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, + corev1.EnvVar{Name: "ELASTIC_SCHEME", Value: "https"}, + corev1.EnvVar{Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + corev1.EnvVar{Name: "ELASTIC_PORT", Value: "9200"}, corev1.EnvVar{Name: "LINSEED_URL", Value: "https://tigera-linseed.tigera-elasticsearch.svc"}, corev1.EnvVar{Name: "LINSEED_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"}, corev1.EnvVar{Name: "LINSEED_CLIENT_CERT", Value: "/intrusion-detection-tls/tls.crt"}, 
@@ -170,8 +174,8 @@ var _ = Describe("Intrusion Detection rendering tests", func() { Expect(idji.Spec.Template.Spec.Containers).To(HaveLen(1)) Expect(idji.Spec.Template.Spec.Containers[0].Env).Should(ContainElements( corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, - corev1.EnvVar{Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "username", false)}, - corev1.EnvVar{Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "password", false)}, + corev1.EnvVar{Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionJobUserSecret, "username", false)}, + corev1.EnvVar{Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionJobUserSecret, "password", false)}, )) Expect(*idji.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(BeFalse()) diff --git a/pkg/render/kubecontrollers/kube-controllers.go b/pkg/render/kubecontrollers/kube-controllers.go index cc775dd694..7edf93dee8 100644 --- a/pkg/render/kubecontrollers/kube-controllers.go +++ b/pkg/render/kubecontrollers/kube-controllers.go @@ -18,6 +18,9 @@ import ( "fmt" "strings" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/tigera/operator/pkg/url" + appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" policyv1beta1 "k8s.io/api/policy/v1beta1" 
@@ -527,6 +530,17 @@ func (c *kubeControllersComponent) controllersDeployment() *appsv1.Deployment {
 VolumeMounts: c.kubeControllersVolumeMounts(),
 }
 
+ if c.kubeControllerName == EsKubeController {
+ _, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(c.SupportedOSType(), c.cfg.ClusterDomain, render.ElasticsearchNamespace))
+ container.Env = append(container.Env, []corev1.EnvVar{
+ relasticsearch.ElasticHostEnvVar(esHost),
+ relasticsearch.ElasticPortEnvVar(esPort),
+ relasticsearch.ElasticUsernameEnvVar(ElasticsearchKubeControllersUserSecret),
+ relasticsearch.ElasticPasswordEnvVar(ElasticsearchKubeControllersUserSecret),
+ relasticsearch.ElasticCAEnvVar(c.SupportedOSType()),
+ }...)
+ }
+
 var initContainers []corev1.Container
 if c.cfg.MetricsServerTLS != nil && c.cfg.MetricsServerTLS.UseCertificateManagement() {
 initContainers = append(initContainers, c.cfg.MetricsServerTLS.InitContainer(c.cfg.Namespace))
diff --git a/pkg/render/logstorage.go b/pkg/render/logstorage.go
index a6d9b140ea..a181711691 100644
--- a/pkg/render/logstorage.go
+++ b/pkg/render/logstorage.go
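Review bot: `append(container.Env, []corev1.EnvVar{...}...)` in the new `EsKubeController` block builds a throwaway slice only to spread it; `append` is already variadic, so the five values can be passed directly, `container.Env = append(container.Env, relasticsearch.ElasticHostEnvVar(esHost), relasticsearch.ElasticPortEnvVar(esPort), …, relasticsearch.ElasticCAEnvVar(c.SupportedOSType()))`. Keying the block on `c.kubeControllerName == EsKubeController` means only the ES variant of kube-controllers references `ElasticsearchKubeControllersUserSecret`, which is the right least-privilege shape, but the intent is unstated; a one-liner above the `if`, `// Only the ES kube-controllers variant talks to Elasticsearch directly, so only it gets the credentials.`, would keep a later change from widening it. controllersDeployment begins before this hunk and continues after it.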
@@ -1452,28 +1452,6 @@ func (es elasticsearchComponent) curatorCronJob() *batchv1.CronJob { const schedule = "@hourly" - container := corev1.Container{ - Name: ESCuratorName, - Image: es.curatorImage, - ImagePullPolicy: ImagePullPolicy(), - Env: es.curatorEnvVars(), - LivenessProbe: elasticCuratorLivenessProbe, - SecurityContext: securitycontext.NewNonRootContext(), - VolumeMounts: es.cfg.TrustedBundle.VolumeMounts(es.SupportedOSType()), - } - - _, esHost, esPort, _ := tigeraurl.ParseEndpoint(relasticsearch.GatewayEndpoint(es.SupportedOSType(), es.cfg.ClusterDomain, ElasticsearchNamespace)) - - envVars := []corev1.EnvVar{ - relasticsearch.ElasticUserEnvVar(ElasticsearchCuratorUserSecret), - relasticsearch.ElasticPasswordEnvVar(ElasticsearchCuratorUserSecret), - relasticsearch.ElasticHostEnvVar(esHost), - relasticsearch.ElasticPortEnvVar(esPort), - relasticsearch.ElasticCuratorBackendCertEnvVar(es.SupportedOSType()), - } - - container.Env = append(container.Env, envVars...) - return &batchv1.CronJob{ TypeMeta: metav1.TypeMeta{ Kind: "CronJob", @@ -1503,7 +1481,15 @@ func (es elasticsearchComponent) curatorCronJob() *batchv1.CronJob { NodeSelector: es.cfg.Installation.ControlPlaneNodeSelector, Tolerations: es.cfg.Installation.ControlPlaneTolerations, Containers: []corev1.Container{ - container, + { + Name: ESCuratorName, + Image: es.curatorImage, + ImagePullPolicy: ImagePullPolicy(), + Env: es.curatorEnvVars(), + LivenessProbe: elasticCuratorLivenessProbe, + SecurityContext: securitycontext.NewNonRootContext(), + VolumeMounts: es.cfg.TrustedBundle.VolumeMounts(es.SupportedOSType()), + }, }, ImagePullSecrets: secret.GetReferenceList(es.cfg.PullSecrets), RestartPolicy: corev1.RestartPolicyOnFailure, 
@@ -1527,6 +1513,9 @@ func (es elasticsearchComponent) curatorEnvVars() []corev1.EnvVar { } return fmt.Sprint(*i) } + + _, esHost, esPort, _ := tigeraurl.ParseEndpoint(relasticsearch.GatewayEndpoint(es.SupportedOSType(), es.cfg.ClusterDomain, ElasticsearchNamespace)) + return []corev1.EnvVar{ {Name: "EE_FLOWS_INDEX_RETENTION_PERIOD", Value: safeAccess(es.cfg.LogStorage.Spec.Retention.Flows)}, {Name: "EE_AUDIT_INDEX_RETENTION_PERIOD", Value: safeAccess(es.cfg.LogStorage.Spec.Retention.AuditReports)}, @@ -1536,6 +1525,11 @@ func (es elasticsearchComponent) curatorEnvVars() []corev1.EnvVar { {Name: "EE_BGP_INDEX_RETENTION_PERIOD", Value: safeAccess(es.cfg.LogStorage.Spec.Retention.BGPLogs)}, {Name: "EE_MAX_TOTAL_STORAGE_PCT", Value: fmt.Sprint(maxTotalStoragePercent)}, {Name: "EE_MAX_LOGS_STORAGE_PCT", Value: fmt.Sprint(maxLogsStoragePercent)}, + relasticsearch.ElasticUserEnvVar(ElasticsearchCuratorUserSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchCuratorUserSecret), + relasticsearch.ElasticHostEnvVar(esHost), + relasticsearch.ElasticPortEnvVar(esPort), + relasticsearch.ElasticCuratorBackendCertEnvVar(es.SupportedOSType()), } } diff --git a/pkg/render/logstorage/esgateway/esgateway.go b/pkg/render/logstorage/esgateway/esgateway.go index ba2257538f..e72a871359 100644 --- a/pkg/render/logstorage/esgateway/esgateway.go +++ b/pkg/render/logstorage/esgateway/esgateway.go @@ -18,6 +18,8 @@ import ( "fmt" "strings" + "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/tigera/operator/pkg/ptr" appsv1 "k8s.io/api/apps/v1" 
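Review bot: `curatorEnvVars` sets the credential name with `relasticsearch.ElasticUserEnvVar` (`ELASTIC_USER`, as the curator test in this series asserts), while the metrics, manager and kube-controllers hunks use `relasticsearch.ElasticUsernameEnvVar` (`ELASTIC_USERNAME`); intrusion detection also uses `ELASTIC_USER`. If the consuming images genuinely read different variable names this is fine, but nothing in the code records the split, so a future cleanup is likely to "fix" one side and break login. A short comment next to the curator entry, `// curator reads ELASTIC_USER, not ELASTIC_USERNAME`, would prevent that. curatorEnvVars starts before the first hunk.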
@@ -118,6 +120,11 @@ func (e *esGateway) Objects() (toCreate, toDelete []client.Object) { toCreate = append(toCreate, e.esGatewayServiceAccount()) toCreate = append(toCreate, e.esGatewayDeployment()) + if e.cfg.ESGatewayKeyPair.UseCertificateManagement() { + toCreate = append(toCreate, render.CreateCertificateSecret(e.cfg.Installation.CertificateManagement.CACert, elasticsearch.PublicCertSecret, e.cfg.TruthNamespace)) + } else { + toCreate = append(toCreate, render.CreateCertificateSecret(e.cfg.ESGatewayKeyPair.GetCertificatePEM(), elasticsearch.PublicCertSecret, e.cfg.TruthNamespace)) + } if e.cfg.UsePSP { toCreate = append(toCreate, e.esGatewayPodSecurityPolicy()) } diff --git a/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go b/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go index 361e23dd41..2d488a868e 100644 --- a/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go +++ b/pkg/render/logstorage/esmetrics/elasticsearch_metrics.go 
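Review bot: Both branches of the new `UseCertificateManagement()` block call `render.CreateCertificateSecret` with the same name and namespace and differ only in the PEM passed in, so the secret's identity is spelled out twice and can drift between the branches; choosing the bytes first and appending once avoids that. The block also gives no reason why, under certificate management, the secret published as `PublicCertSecret` carries `Installation.CertificateManagement.CACert` rather than a gateway certificate — presumably because the gateway's certificate is issued out-of-band in that mode, which deserves a comment for whoever later uses the secret for verification. `e.cfg.Installation.CertificateManagement` is dereferenced without a nil check, which is safe only if `UseCertificateManagement()` implies the field is set; that guarantee is not visible here. Objects continues outside the hunk.
```go
	toCreate = append(toCreate, e.esGatewayDeployment())

	// Publish the certificate clients should use to verify the gateway. Under certificate
	// management the gateway's certificate is issued out-of-band (TODO confirm), so the CA is
	// published instead. Assumes Installation.CertificateManagement is non-nil whenever
	// UseCertificateManagement() is true.
	var certPEM []byte
	if e.cfg.ESGatewayKeyPair.UseCertificateManagement() {
		certPEM = e.cfg.Installation.CertificateManagement.CACert
	} else {
		certPEM = e.cfg.ESGatewayKeyPair.GetCertificatePEM()
	}
	toCreate = append(toCreate, render.CreateCertificateSecret(certPEM, elasticsearch.PublicCertSecret, e.cfg.TruthNamespace))
	// … unchanged: UsePSP handling …
```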
@@ -213,37 +213,6 @@ func (e elasticsearchMetrics) metricsDeployment() *appsv1.Deployment { _, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(e.SupportedOSType(), e.cfg.ClusterDomain, render.ElasticsearchNamespace)) - envVars := []corev1.EnvVar{ - relasticsearch.ElasticUsernameEnvVar(ElasticsearchMetricsSecret), - relasticsearch.ElasticPasswordEnvVar(ElasticsearchMetricsSecret), - relasticsearch.ElasticHostEnvVar(esHost), - relasticsearch.ElasticPortEnvVar(esPort), - relasticsearch.ElasticCAEnvVar(e.SupportedOSType()), - } - - container := corev1.Container{ - Name: ElasticsearchMetricsName, - Image: e.esMetricsImage, - ImagePullPolicy: render.ImagePullPolicy(), - SecurityContext: securitycontext.NewNonRootContext(), - Command: []string{"/bin/elasticsearch_exporter"}, - Args: []string{ - "--es.uri=https://$(ELASTIC_USERNAME):$(ELASTIC_PASSWORD)@$(ELASTIC_HOST):$(ELASTIC_PORT)", - "--es.all", "--es.indices", "--es.indices_settings", "--es.shards", "--es.cluster_settings", - "--es.timeout=30s", "--es.ca=$(ELASTIC_CA)", "--web.listen-address=:9081", - "--web.telemetry-path=/metrics", "--tls.key=/tigera-ee-elasticsearch-metrics-tls/tls.key", "--tls.crt=/tigera-ee-elasticsearch-metrics-tls/tls.crt", fmt.Sprintf("--ca.crt=%s", certificatemanagement.TrustedCertBundleMountPath), - }, - VolumeMounts: append( - e.cfg.TrustedBundle.VolumeMounts(e.SupportedOSType()), - e.cfg.ServerTLS.VolumeMount(e.SupportedOSType()), - ), - Env: []corev1.EnvVar{ - {Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(e.cfg.Installation.FIPSMode)}, - }, - } - - container.Env = append(container.Env, envVars...) - return &appsv1.Deployment{ TypeMeta: metav1.TypeMeta{Kind: "Deployment", APIVersion: "apps/v1"}, ObjectMeta: metav1.ObjectMeta{ 
@@ -263,7 +232,31 @@ func (e elasticsearchMetrics) metricsDeployment() *appsv1.Deployment { ServiceAccountName: ElasticsearchMetricsName, InitContainers: initContainers, Containers: []corev1.Container{ - container, + { + Name: ElasticsearchMetricsName, + Image: e.esMetricsImage, + ImagePullPolicy: render.ImagePullPolicy(), + SecurityContext: securitycontext.NewNonRootContext(), + Command: []string{"/bin/elasticsearch_exporter"}, + Args: []string{ + "--es.uri=https://$(ELASTIC_USERNAME):$(ELASTIC_PASSWORD)@$(ELASTIC_HOST):$(ELASTIC_PORT)", + "--es.all", "--es.indices", "--es.indices_settings", "--es.shards", "--es.cluster_settings", + "--es.timeout=30s", "--es.ca=$(ELASTIC_CA)", "--web.listen-address=:9081", + "--web.telemetry-path=/metrics", "--tls.key=/tigera-ee-elasticsearch-metrics-tls/tls.key", "--tls.crt=/tigera-ee-elasticsearch-metrics-tls/tls.crt", fmt.Sprintf("--ca.crt=%s", certificatemanagement.TrustedCertBundleMountPath), + }, + VolumeMounts: append( + e.cfg.TrustedBundle.VolumeMounts(e.SupportedOSType()), + e.cfg.ServerTLS.VolumeMount(e.SupportedOSType()), + ), + Env: []corev1.EnvVar{ + {Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(e.cfg.Installation.FIPSMode)}, + relasticsearch.ElasticUsernameEnvVar(ElasticsearchMetricsSecret), + relasticsearch.ElasticPasswordEnvVar(ElasticsearchMetricsSecret), + relasticsearch.ElasticHostEnvVar(esHost), + relasticsearch.ElasticPortEnvVar(esPort), + relasticsearch.ElasticCAEnvVar(e.SupportedOSType()), + }, + }, }, Volumes: []corev1.Volume{ e.cfg.ServerTLS.Volume(), diff --git a/pkg/render/manager.go b/pkg/render/manager.go index 2b6d672d0a..d3b1c1b5bf 100644 --- a/pkg/render/manager.go +++ b/pkg/render/manager.go 
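Review bot: The inlined container literal re-emits `--es.uri=https://$(ELASTIC_USERNAME):$(ELASTIC_PASSWORD)@...`, and kubelet expands those references before exec, so the Elasticsearch password lands in the exporter's argv where anyone able to read process listings in the pod or on the node can see it. This is carried over rather than introduced here, but since the hunk rewrites the whole container it is the moment to keep `--es.uri` credential-free and supply the credentials through environment the exporter reads directly (elasticsearch_exporter honours `ES_USERNAME`/`ES_PASSWORD`, if the bundled version supports them). The moved code is otherwise identical to the deleted block in the previous hunk, including the still-ignored `url.ParseEndpoint` error on the context line. metricsDeployment starts before and ends after this hunk.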
@@ -564,17 +564,14 @@ func (c *managerComponent) managerEsProxyContainer() corev1.Container { if c.kibanaEnabled() { esScheme, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(c.SupportedOSType(), c.cfg.ClusterDomain, ElasticsearchNamespace)) - esEnvVars := []corev1.EnvVar{ + env = append(env, relasticsearch.ElasticCAEnvVar(c.SupportedOSType()), relasticsearch.ElasticSchemeEnvVar(esScheme), relasticsearch.ElasticHostEnvVar(esHost), relasticsearch.ElasticPortEnvVar(esPort), - relasticsearch.ElasticUsernameEnvVar(ElasticsearchManagerUserSecret), + relasticsearch.ElasticUserEnvVar(ElasticsearchManagerUserSecret), relasticsearch.ElasticPasswordEnvVar(ElasticsearchManagerUserSecret), - relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ClusterConfig.ClusterName()), - } - - env = append(env, esEnvVars...) + relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ClusterConfig.ClusterName())) } // Determine the Linseed location. Use code default unless in multi-tenant mode, diff --git a/pkg/render/manager_test.go b/pkg/render/manager_test.go index 0ab61acb64..e23e74fbcd 100644 --- a/pkg/render/manager_test.go +++ b/pkg/render/manager_test.go 
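Review bot: Switching `ElasticUsernameEnvVar` to `ElasticUserEnvVar` renames the es-proxy container's variable from `ELASTIC_USERNAME` to `ELASTIC_USER` (as the manager_test hunk below confirms), which is a runtime contract change for the manager image, while the esmetrics hunk above and the kube-controllers test expectations later in this series keep `ELASTIC_USERNAME`. Worth confirming the image reads the new name, and stating in a comment which components use which helper so the two names do not drift further. Stylistically, the multi-line `append` now ends with `...ClusterName()))` on the last element line; gofmt accepts it, but putting the closing `)` on its own line after a trailing comma keeps later additions to a one-line diff. managerEsProxyContainer starts before and ends after this hunk.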
@@ -138,7 +138,7 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { corev1.EnvVar{Name: "ELASTIC_SCHEME", Value: "https"}, corev1.EnvVar{Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, corev1.EnvVar{Name: "ELASTIC_PORT", Value: "9200"}, - corev1.EnvVar{Name: "ELASTIC_USERNAME", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "username", false)}, + corev1.EnvVar{Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "username", false)}, corev1.EnvVar{Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "password", false)}, corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"}, corev1.EnvVar{Name: "VOLTRON_URL", Value: "https://tigera-manager.tigera-manager.svc:9443"}, @@ -704,6 +704,9 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() { // panicing. It accepts variations on the installspec for testing purposes. renderManager := func(i *operatorv1.InstallationSpec) *appsv1.Deployment { var esConfigMap *relasticsearch.ClusterConfig + // We only require Elastic cluster configuration when Kibana is enabled. We infer whether Kibana is enabled by checking + // FIPS configuration mode and multi-tenancy mode. See manager.go function kibanaEnabled for more details. + // In this case we know that the tenant is nil so we only need check the FIPS mode. if !operatorv1.IsFIPSModeEnabled(i.FIPSMode) { esConfigMap = relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1) } 
@@ -1063,6 +1066,8 @@ func renderObjects(roc renderConfig) []client.Object { } var esConfigMap *relasticsearch.ClusterConfig + // We only require Elastic cluster configuration when Kibana is enabled. We infer whether Kibana is enabled by checking + // FIPS configuration mode and multi-tenancy mode. See manager.go function kibanaEnabled for more details. if roc.tenant == nil && !operatorv1.IsFIPSModeEnabled(roc.installation.FIPSMode) { esConfigMap = relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1) } From f4f9fea3ebc66dbd453216dca87f67223b783d48 Mon Sep 17 00:00:00 2001 From: Josh Lucas Date: Mon, 20 Nov 2023 10:47:06 -0500 Subject: [PATCH 4/9] More PR feedbac and failure fixes --- pkg/render/fluentd.go | 2 -- pkg/render/intrusiondetection/dpi/dpi.go | 8 ++++++++ 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/pkg/render/fluentd.go b/pkg/render/fluentd.go index 212afc6aa3..618e3a189b 100644 --- a/pkg/render/fluentd.go +++ b/pkg/render/fluentd.go @@ -1063,8 +1063,6 @@ func (c *fluentdComponent) eksLogForwarderDeployment() *appsv1.Deployment { VolumeMounts: c.eksLogForwarderVolumeMounts(), } - initContainer.Env = append(initContainer.Env, envVars...) - container := corev1.Container{ Name: eksLogForwarderName, Image: c.image, diff --git a/pkg/render/intrusiondetection/dpi/dpi.go b/pkg/render/intrusiondetection/dpi/dpi.go index c3208be623..de206872bf 100644 --- a/pkg/render/intrusiondetection/dpi/dpi.go +++ b/pkg/render/intrusiondetection/dpi/dpi.go @@ -17,6 +17,7 @@ package dpi import ( "fmt" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/tls/certificatemanagement" appsv1 "k8s.io/api/apps/v1" corev1 "k8s.io/api/core/v1" 
@@ -91,6 +92,13 @@ func (d *dpiComponent) Objects() (objsToCreate, objsToDelete []client.Object) { } else { toCreate = append(toCreate, render.CreateNamespace(DeepPacketInspectionNamespace, d.cfg.Installation.KubernetesProvider, render.PSSPrivileged)) } + + // This secret is deprecated in this namespace and should be removed in upgrade scenarios + toDelete = append(toDelete, &corev1.Secret{ + TypeMeta: metav1.TypeMeta{Kind: "Secret", APIVersion: "v1"}, + ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: DeepPacketInspectionNamespace}, + }) + if d.cfg.HasNoDPIResource || d.cfg.HasNoLicense { toDelete = append(toDelete, d.dpiAllowTigeraPolicy()) toDelete = append(toDelete, secret.ToRuntimeObjects(secret.CopyToNamespace(DeepPacketInspectionNamespace, d.cfg.PullSecrets...)...)...) From 2f4d4908c9db9a83bd3c7a86b23bfb105dba6346 Mon Sep 17 00:00:00 2001 From: Josh Lucas Date: Tue, 21 Nov 2023 10:33:00 -0500 Subject: [PATCH 5/9] Test failure fixes --- .../elastic/external_elastic_controller_test.go | 10 +++++++++- pkg/render/intrusiondetection/dpi/dpi_test.go | 5 +++++ pkg/render/logstorage/esgateway/esgateway_test.go | 4 ++++ 3 files changed, 18 insertions(+), 1 deletion(-) diff --git a/pkg/controller/logstorage/elastic/external_elastic_controller_test.go b/pkg/controller/logstorage/elastic/external_elastic_controller_test.go index b8896900b8..f960a6bee4 100644 --- a/pkg/controller/logstorage/elastic/external_elastic_controller_test.go +++ b/pkg/controller/logstorage/elastic/external_elastic_controller_test.go 
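Review bot: The added comment says the secret is deprecated in this namespace but not where it now lives or why the copy is stale, so a future reader cannot tell when the `toDelete` entry can be dropped. Suggest `// PublicCertSecret is no longer copied into the DPI namespace (esgateway now publishes it in the truth namespace); delete the stale copy left by earlier versions.`, adjusting the namespace wording to match esgateway.go. The delete is unconditional, which is fine since deleting an absent object is a no-op, but it sits above the `HasNoDPIResource || HasNoLicense` branch that also populates `toDelete`; grouping it with a sentence on ordering would help. Objects starts before and ends after this hunk.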
@@ -155,7 +155,15 @@ var _ = Describe("External ES Controller", func() { Expect(cli.Create(ctx, esAdminUserSecret)).ShouldNot(HaveOccurred()) // Create the ExternalCertsSecret which contains the client certificate for connecting to the external ES cluster. - externalCertsSecret := createPubSecret(logstorage.ExternalCertsSecret, common.OperatorNamespace(), []byte{}, "tls.crt") + externalCertsSecret := &corev1.Secret{ + ObjectMeta: metav1.ObjectMeta{ + Name: logstorage.ExternalCertsSecret, + Namespace: common.OperatorNamespace(), + }, + Data: map[string][]byte{ + "tls.crt": {}, + }, + } Expect(cli.Create(ctx, externalCertsSecret)).ShouldNot(HaveOccurred()) Expect(cli.Create( diff --git a/pkg/render/intrusiondetection/dpi/dpi_test.go b/pkg/render/intrusiondetection/dpi/dpi_test.go index 6a2760440e..04cbc18dbe 100644 --- a/pkg/render/intrusiondetection/dpi/dpi_test.go +++ b/pkg/render/intrusiondetection/dpi/dpi_test.go @@ -18,6 +18,7 @@ import ( . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" "github.com/tigera/operator/pkg/tls/certificatemanagement" appsv1 "k8s.io/api/apps/v1" @@ -448,6 +449,7 @@ var _ = Describe("DPI rendering tests", func() { createResources, deleteResource := component.Objects() expectedResources := []resourceTestObj{ {name: dpi.DeepPacketInspectionNamespace, ns: "", group: "", version: "v1", kind: "Namespace"}, + {name: relasticsearch.PublicCertSecret, ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "Secret"}, {name: dpi.DeepPacketInspectionPolicyName, ns: dpi.DeepPacketInspectionNamespace, group: "projectcalico.org", version: "v3", kind: "NetworkPolicy"}, {name: "pull-secret", ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "Secret"}, {name: dpi.DeepPacketInspectionName, ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "ServiceAccount"}, 
@@ -485,6 +487,7 @@ var _ = Describe("DPI rendering tests", func() { expectedDeleteResources := []client.Object{ &v3.NetworkPolicy{ObjectMeta: metav1.ObjectMeta{Name: dpi.DeepPacketInspectionPolicyName, Namespace: dpi.DeepPacketInspectionNamespace}}, + &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: dpi.DeepPacketInspectionNamespace}}, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "pull-secret", Namespace: dpi.DeepPacketInspectionNamespace}}, &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: dpi.DeepPacketInspectionNamespace, Namespace: dpi.DeepPacketInspectionNamespace}}, &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: dpi.DeepPacketInspectionName}}, @@ -520,6 +523,7 @@ var _ = Describe("DPI rendering tests", func() { expectedDeleteResources := []client.Object{ &v3.NetworkPolicy{ObjectMeta: metav1.ObjectMeta{Name: dpi.DeepPacketInspectionPolicyName, Namespace: dpi.DeepPacketInspectionNamespace}}, + &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: dpi.DeepPacketInspectionNamespace}}, &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: "pull-secret", Namespace: dpi.DeepPacketInspectionNamespace}}, &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: dpi.DeepPacketInspectionNamespace, Namespace: dpi.DeepPacketInspectionNamespace}}, &rbacv1.ClusterRole{ObjectMeta: metav1.ObjectMeta{Name: dpi.DeepPacketInspectionName}}, 
@@ -542,6 +546,7 @@ var _ = Describe("DPI rendering tests", func() { component := dpi.DPI(cfg) createResources, deleteResource := component.Objects() expectedResources := []resourceTestObj{ + {name: relasticsearch.PublicCertSecret, ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "Secret"}, {name: dpi.DeepPacketInspectionPolicyName, ns: dpi.DeepPacketInspectionNamespace, group: "projectcalico.org", version: "v3", kind: "NetworkPolicy"}, {name: "pull-secret", ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "Secret"}, {name: dpi.DeepPacketInspectionName, ns: dpi.DeepPacketInspectionNamespace, group: "", version: "v1", kind: "ServiceAccount"}, diff --git a/pkg/render/logstorage/esgateway/esgateway_test.go b/pkg/render/logstorage/esgateway/esgateway_test.go index e0af90f831..7516ae3b9b 100644 --- a/pkg/render/logstorage/esgateway/esgateway_test.go +++ b/pkg/render/logstorage/esgateway/esgateway_test.go @@ -17,6 +17,8 @@ package esgateway import ( "context" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + . "github.com/onsi/ginkgo" . "github.com/onsi/ginkgo/extensions/table" . "github.com/onsi/gomega" @@ -93,6 +95,7 @@ var _ = Describe("ES Gateway rendering tests", func() { &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: RoleName, Namespace: render.ElasticsearchNamespace}}, &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: ServiceAccountName, Namespace: render.ElasticsearchNamespace}}, &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: DeploymentName, Namespace: render.ElasticsearchNamespace}}, + &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: common.OperatorNamespace()}}, &policyv1beta1.PodSecurityPolicy{ObjectMeta: metav1.ObjectMeta{Name: "tigera-esgateway"}}, } createResources, _ := EsGateway(cfg).Objects() 
@@ -132,6 +135,7 @@ var _ = Describe("ES Gateway rendering tests", func() { &rbacv1.RoleBinding{ObjectMeta: metav1.ObjectMeta{Name: RoleName, Namespace: render.ElasticsearchNamespace}}, &corev1.ServiceAccount{ObjectMeta: metav1.ObjectMeta{Name: ServiceAccountName, Namespace: render.ElasticsearchNamespace}}, &appsv1.Deployment{ObjectMeta: metav1.ObjectMeta{Name: DeploymentName, Namespace: render.ElasticsearchNamespace}}, + &corev1.Secret{ObjectMeta: metav1.ObjectMeta{Name: relasticsearch.PublicCertSecret, Namespace: common.OperatorNamespace()}}, &policyv1beta1.PodSecurityPolicy{ObjectMeta: metav1.ObjectMeta{Name: "tigera-esgateway"}}, } createResources, _ := EsGateway(cfg).Objects() From 27d1474882ccbfee385e6cacc2f06bf1a30ba26e Mon Sep 17 00:00:00 2001 From: Josh Lucas Date: Tue, 21 Nov 2023 11:08:21 -0500 Subject: [PATCH 6/9] Fixups --- .../kubecontrollers/kube-controllers_test.go | 29 +++++++++++++++++++ pkg/render/logstorage/esgateway/esgateway.go | 1 + 2 files changed, 30 insertions(+) diff --git a/pkg/render/kubecontrollers/kube-controllers_test.go b/pkg/render/kubecontrollers/kube-controllers_test.go index 41490918e2..6b06053b6a 100644 --- a/pkg/render/kubecontrollers/kube-controllers_test.go +++ b/pkg/render/kubecontrollers/kube-controllers_test.go 
@@ -54,6 +54,34 @@ var _ = Describe("kube-controllers rendering tests", func() { cli client.Client ) + esEnvs := []corev1.EnvVar{ + {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"}, + {Name: "ELASTIC_PORT", Value: "9200", ValueFrom: nil}, + { + Name: "ELASTIC_USERNAME", Value: "", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "tigera-ee-kube-controllers-elasticsearch-access", + }, + Key: "username", + }, + }, + }, + { + Name: "ELASTIC_PASSWORD", Value: "", + ValueFrom: &corev1.EnvVarSource{ + SecretKeyRef: &corev1.SecretKeySelector{ + LocalObjectReference: corev1.LocalObjectReference{ + Name: "tigera-ee-kube-controllers-elasticsearch-access", + }, + Key: "password", + }, + }, + }, + {Name: "ELASTIC_CA", Value: certificatemanagement.TrustedCertBundleMountPath}, + } + expectedPolicyForUnmanaged := testutils.GetExpectedPolicyFromFile("../testutils/expected_policies/kubecontrollers.json") expectedPolicyForUnmanagedOCP := testutils.GetExpectedPolicyFromFile("../testutils/expected_policies/kubecontrollers_ocp.json") expectedPolicyForManaged := testutils.GetExpectedPolicyFromFile("../testutils/expected_policies/kubecontrollers_managed.json") @@ -301,6 +329,7 @@ var _ = Describe("kube-controllers rendering tests", func() { Expect(envs).To(ContainElement(corev1.EnvVar{ Name: "ENABLED_CONTROLLERS", Value: "authorization,elasticsearchconfiguration", })) + Expect(envs).To(ContainElements(esEnvs)) Expect(dp.Spec.Template.Spec.Containers[0].VolumeMounts).To(HaveLen(1)) Expect(dp.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name).To(Equal("tigera-ca-bundle")) diff --git a/pkg/render/logstorage/esgateway/esgateway.go b/pkg/render/logstorage/esgateway/esgateway.go index e72a871359..3dfee3c1a6 100644 --- a/pkg/render/logstorage/esgateway/esgateway.go +++ b/pkg/render/logstorage/esgateway/esgateway.go 
@@ -120,6 +120,7 @@ func (e *esGateway) Objects() (toCreate, toDelete []client.Object) { toCreate = append(toCreate, e.esGatewayServiceAccount()) toCreate = append(toCreate, e.esGatewayDeployment()) + // The following secret is used by kube controllers and sent to managed clusters. It is also used by manifests in our docs. if e.cfg.ESGatewayKeyPair.UseCertificateManagement() { toCreate = append(toCreate, render.CreateCertificateSecret(e.cfg.Installation.CertificateManagement.CACert, elasticsearch.PublicCertSecret, e.cfg.TruthNamespace)) } else { From d12b444fdb07af4a62787ddbe3bdfa281d33242c Mon Sep 17 00:00:00 2001 From: Josh Lucas Date: Fri, 1 Dec 2023 15:56:02 -0500 Subject: [PATCH 7/9] PR feedback --- .../installation/core_controller.go | 15 +++++ .../intrusiondetection_controller.go | 15 ++++- .../intrusiondetection_controller_test.go | 5 +- pkg/controller/manager/manager_controller.go | 5 +- .../manager/manager_controller_test.go | 40 +----------- pkg/render/fluentd.go | 49 +++++--------- pkg/render/fluentd_test.go | 42 +++++++++--- pkg/render/intrusion_detection_test.go | 65 +++++++++++++------ pkg/render/logstorage_test.go | 5 +- pkg/render/manager.go | 12 ++-- pkg/render/manager_test.go | 29 +++++---- 11 files changed, 158 insertions(+), 124 deletions(-) diff --git a/pkg/controller/installation/core_controller.go b/pkg/controller/installation/core_controller.go index b9bb331c10..fe150ca867 100644 --- a/pkg/controller/installation/core_controller.go +++ b/pkg/controller/installation/core_controller.go @@ -26,6 +26,8 @@ import ( "strconv" "strings" + relasticsearch "github.com/tigera/operator/pkg/render/common/elasticsearch" + "github.com/elastic/cloud-on-k8s/v2/pkg/utils/stringsutil" "github.com/go-logr/logr" configv1 "github.com/openshift/api/config/v1" 
@@ -1189,6 +1191,19 @@ func (r *ReconcileInstallation) Reconcile(ctx context.Context, request reconcile typhaNodeTLS.TrustedBundle.AddCertificates(prometheusClientCert) } + // es-kube-controllers needs to trust the ESGW certificate. We'll fetch it here and add it to the trusted bundle. + // Note that although we're adding this to the typhaNodeTLS trusted bundle, it will be used by es-kube-controllers. This is because + // all components within this namespace share a trusted CA bundle. This is necessary because prior to v3.13 secrets were not signed by + // a single CA so we need to include each individually. + esgwCertificate, err := certificateManager.GetCertificate(r.client, relasticsearch.PublicCertSecret, common.OperatorNamespace()) + if err != nil { + r.status.SetDegraded(operator.CertificateError, fmt.Sprintf("Failed to retrieve / validate %s", relasticsearch.PublicCertSecret), err, reqLogger) + return reconcile.Result{}, err + } + if esgwCertificate != nil { + typhaNodeTLS.TrustedBundle.AddCertificates(esgwCertificate) + } + calicoVersion = components.EnterpriseRelease } diff --git a/pkg/controller/intrusiondetection/intrusiondetection_controller.go b/pkg/controller/intrusiondetection/intrusiondetection_controller.go index ddb76d3eb1..43cfb46292 100644 --- a/pkg/controller/intrusiondetection/intrusiondetection_controller.go +++ b/pkg/controller/intrusiondetection/intrusiondetection_controller.go 
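Review bot: When `esgwCertificate` is nil the reconcile continues and es-kube-controllers receives a trusted bundle without the ESGW certificate, so nothing re-runs this code when the secret later appears or rotates unless the installation controller already watches `relasticsearch.PublicCertSecret` in the operator namespace (not visible in this diff); if that watch is missing it should be added, in the same way the compliance controller previously watched it. The intrusion-detection hunk in this same patch treats a nil certificate as `ResourceNotReady`, so either the two controllers should agree or the comment here should say why proceeding without it is acceptable for this component. The degraded reason also differs (`CertificateError` here, `ResourceReadError` there) for the same failure. Reconcile starts before and ends after this hunk.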
@@ -390,8 +390,9 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec if isManagedCluster { if esClusterConfig.ClusterName() == render.DefaultElasticsearchClusterName { + msg := fmt.Sprintf("%s/%s ConfigMap must contain a 'clusterName' field that is not '%s'", common.OperatorNamespace(), relasticsearch.ClusterConfigConfigMapName, render.DefaultElasticsearchClusterName) err = fmt.Errorf("Elasticsearch cluster name must be non-default value in managed clusters") - r.status.SetDegraded(operatorv1.InvalidConfigurationError, "", err, reqLogger) + r.status.SetDegraded(operatorv1.InvalidConfigurationError, msg, err, reqLogger) return reconcile.Result{}, err } } @@ -425,6 +426,16 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec return reconcile.Result{}, err } + esgwCertificate, err := certificateManager.GetCertificate(r.client, relasticsearch.PublicCertSecret, common.OperatorNamespace()) + if err != nil { + r.status.SetDegraded(operatorv1.ResourceReadError, fmt.Sprintf("Failed to retrieve / validate %s", relasticsearch.PublicCertSecret), err, reqLogger) + return reconcile.Result{}, err + } else if esgwCertificate == nil { + log.Info("Elasticsearch gateway certificate is not available yet, waiting until they become available") + r.status.SetDegraded(operatorv1.ResourceNotReady, "Elasticsearch gateway certificate are not available yet, waiting until they become available", nil, reqLogger) + return reconcile.Result{}, nil + } + // The location of the Linseed certificate varies based on if this is a managed cluster or not. linseedCertLocation := render.TigeraLinseedSecret if isManagedCluster { 
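Review bot: The new not-ready messages mix singular and plural ("certificate is not available yet, waiting until they become available" / "certificate are not available yet"), and the same text is emitted twice, once via `log.Info` and once via `SetDegraded`. Use one string, e.g. `"Elasticsearch gateway certificate is not available yet, waiting until it becomes available"`, and log it once. The `else if esgwCertificate == nil` follows a `return`, so the `else` can be dropped to keep the happy path left-aligned. Reconcile starts before and ends after this hunk.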
@@ -455,7 +466,7 @@ func (r *ReconcileIntrusionDetection) Reconcile(ctx context.Context, request rec // Intrusion detection controller sometimes needs to make requests to outside sources. Therefore, we include // the system root certificate bundle. - trustedBundle, err := certificateManager.CreateTrustedBundleWithSystemRootCertificates(linseedCertificate) + trustedBundle, err := certificateManager.CreateTrustedBundleWithSystemRootCertificates(esgwCertificate, linseedCertificate) if err != nil { r.status.SetDegraded(operatorv1.ResourceCreateError, "Unable to create tigera-ca-bundle configmap", err, reqLogger) return reconcile.Result{}, err diff --git a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go index 4d0e36248a..7c029c6124 100644 --- a/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go +++ b/pkg/controller/intrusiondetection/intrusiondetection_controller_test.go @@ -154,6 +154,9 @@ var _ = Describe("IntrusionDetection controller tests", func() { certificateManager, err := certificatemanager.Create(c, nil, "", common.OperatorNamespace(), certificatemanager.AllowCACreation()) Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, certificateManager.KeyPair().Secret(common.OperatorNamespace()))) // Persist the root-ca in the operator namespace. + kiibanaTLS, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret}) + Expect(err).NotTo(HaveOccurred()) + Expect(c.Create(ctx, kiibanaTLS.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) linseedTLS, err := certificateManager.GetOrCreateKeyPair(c, render.TigeraLinseedSecret, common.OperatorNamespace(), []string{render.TigeraLinseedSecret}) Expect(err).NotTo(HaveOccurred()) Expect(c.Create(ctx, linseedTLS.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) 
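Review bot: In the intrusiondetection_controller_test hunk on this line the key pair created for `relasticsearch.PublicCertSecret` is named `kiibanaTLS`, which is both misspelled and misleading since it is the ES gateway public cert the controller now fetches. Rename it, e.g. `esgwTLS, err := certificateManager.GetOrCreateKeyPair(c, relasticsearch.PublicCertSecret, common.OperatorNamespace(), []string{relasticsearch.PublicCertSecret})`, and adjust the two following lines to match. The controller-side change in the first hunk (passing `esgwCertificate` into `CreateTrustedBundleWithSystemRootCertificates`) looks consistent with the earlier nil check.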
@@ -161,8 +164,8 @@ var _ = Describe("IntrusionDetection controller tests", func() { // Managed clusters need the public cert for Linseed as well. linseedPublicCert, err := certificateManager.GetOrCreateKeyPair(c, render.VoltronLinseedPublicCert, common.OperatorNamespace(), []string{render.VoltronLinseedPublicCert}) Expect(err).NotTo(HaveOccurred()) - Expect(c.Create(ctx, linseedPublicCert.Secret(common.OperatorNamespace()))).NotTo(HaveOccurred()) + Expect(c.Create(ctx, relasticsearch.NewClusterConfig("cluster", 1, 1, 1).ConfigMap())).NotTo(HaveOccurred()) Expect(c.Create(ctx, rtest.CreateCertSecret(render.ElasticsearchIntrusionDetectionUserSecret, common.OperatorNamespace(), render.GuardianSecretName))) Expect(c.Create(ctx, rtest.CreateCertSecret(render.ElasticsearchPerformanceHotspotsUserSecret, common.OperatorNamespace(), render.GuardianSecretName))) diff --git a/pkg/controller/manager/manager_controller.go b/pkg/controller/manager/manager_controller.go index 86257eb2ed..1a47d38b77 100644 --- a/pkg/controller/manager/manager_controller.go +++ b/pkg/controller/manager/manager_controller.go @@ -461,9 +461,8 @@ func (r *ReconcileManager) Reconcile(ctx context.Context, request reconcile.Requ } var clusterConfig *relasticsearch.ClusterConfig - // We only require Elastic cluster configuration when Kibana is enabled. We infer whether Kibana is enabled by checking - // FIPS configuration mode and multi-tenancy mode. See manager.go function kibanaEnabled for more details. - if !r.multiTenant && !operatorv1.IsFIPSModeEnabled(installation.FIPSMode) { + // We only require Elastic cluster configuration when Kibana is enabled. + if render.KibanaEnabled(tenant, installation) { clusterConfig, err = utils.GetElasticsearchClusterConfig(context.Background(), r.client) if err != nil { if errors.IsNotFound(err) { diff --git a/pkg/controller/manager/manager_controller_test.go b/pkg/controller/manager/manager_controller_test.go index d051437c4b..7b1b76c503 100644 
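Review bot: Dropping `Expect(c.Create(ctx, linseedPublicCert.Secret(...)))` leaves `linseedPublicCert` assigned two lines above but, as far as this hunk shows, unused, which Go rejects at compile time unless it is referenced later in the test; the comment "Managed clusters need the public cert for Linseed as well" now also describes a secret that is never persisted. If the Linseed public cert is intentionally no longer needed, remove the `GetOrCreateKeyPair` call and its comment too; the replacement line creates the ES ClusterConfig ConfigMap, which is unrelated and deserves its own comment such as `// The controller requires the Elasticsearch cluster config to exist.`.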
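Review bot: The manager_controller.go hunk replaces the controller-wide `!r.multiTenant && !FIPS` gate with `render.KibanaEnabled(tenant, installation)`, which is evaluated per request; if `KibanaEnabled` treats a nil `tenant` as single-tenant, a multi-tenant reconcile that resolves no tenant would now demand the Elasticsearch ClusterConfig where it previously did not. Confirm that `KibanaEnabled` checks `r.multiTenant`-equivalent state or that `tenant` is never nil on that path. The shortened comment could keep the pointer to the helper, e.g. `// We only require Elastic cluster configuration when Kibana is enabled; see render.KibanaEnabled.`. Reconcile starts before and ends after this hunk.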
--- a/pkg/controller/manager/manager_controller_test.go +++ b/pkg/controller/manager/manager_controller_test.go @@ -494,6 +494,7 @@ var _ = Describe("Manager controller tests", func() { }, }, } + Expect(c.Create(ctx, installation)).NotTo(HaveOccurred()) compliance = &operatorv1.Compliance{ ObjectMeta: metav1.ObjectMeta{Name: "tigera-secure"}, @@ -560,12 +561,6 @@ var _ = Describe("Manager controller tests", func() { }) Context("image reconciliation", func() { - BeforeEach(func() { - Expect(c.Create( - ctx, - installation, - )).NotTo(HaveOccurred()) - }) It("should use builtin images", func() { mockStatus.On("RemoveCertificateSigningRequests", mock.Anything).Return() _, err := r.Reconcile(ctx, reconcile.Request{}) @@ -647,12 +642,6 @@ var _ = Describe("Manager controller tests", func() { Context("allow-tigera reconciliation", func() { var readyFlag *utils.ReadyFlag BeforeEach(func() { - - Expect(c.Create( - ctx, - installation, - )).NotTo(HaveOccurred()) - mockStatus = &status.MockStatus{} mockStatus.On("OnCRFound").Return() mockStatus.On("SetMetaData", mock.Anything).Return() @@ -680,13 +669,6 @@ var _ = Describe("Manager controller tests", func() { }) Context("compliance reconciliation", func() { - BeforeEach(func() { - Expect(c.Create( - ctx, - installation, - )).NotTo(HaveOccurred()) - }) - It("should degrade if license is not present", func() { Expect(c.Delete(ctx, licenseKey)).NotTo(HaveOccurred()) mockStatus = &status.MockStatus{} @@ -749,12 +731,6 @@ var _ = Describe("Manager controller tests", func() { }) Context("Reconcile for Condition status", func() { - BeforeEach(func() { - Expect(c.Create( - ctx, - installation, - )).NotTo(HaveOccurred()) - }) generation := int64(2) It("should reconcile with creating new status condition with one item", func() { mockStatus.On("RemoveCertificateSigningRequests", mock.Anything).Return() 
@@ -935,12 +911,6 @@ var _ = Describe("Manager controller tests", func() { }) Context("Multi-cluster reconciliation", func() { - BeforeEach(func() { - Expect(c.Create( - ctx, - installation, - )).NotTo(HaveOccurred()) - }) It("Should reconcile multi-cluster setup for a management cluster for a single tenant", func() { // Create the ManagementCluster CR needed to configure // a management cluster for a multi-cluster setup @@ -1069,10 +1039,6 @@ var _ = Describe("Manager controller tests", func() { tenantANamespace := "tenant-a" tenantBNamespace := "tenant-b" BeforeEach(func() { - Expect(c.Create( - ctx, - installation, - )).NotTo(HaveOccurred()) r.multiTenant = true }) @@ -1216,10 +1182,10 @@ var _ = Describe("Manager controller tests", func() { }) Context("FIPS reconciliation", func() { - fipsEnabled := operatorv1.FIPSModeEnabled BeforeEach(func() { + fipsEnabled := operatorv1.FIPSModeEnabled installation.Spec.FIPSMode = &fipsEnabled - Expect(c.Create( + Expect(c.Update( ctx, installation, )).NotTo(HaveOccurred()) diff --git a/pkg/render/fluentd.go b/pkg/render/fluentd.go index 137ce9012f..f5682c4139 100644 --- a/pkg/render/fluentd.go +++ b/pkg/render/fluentd.go @@ -1025,8 +1025,6 @@ func (c *fluentdComponent) eksLogForwarderDeployment() *appsv1.Deployment { eksCloudwatchLogCredentialHashAnnotation: rmeta.AnnotationHash(c.cfg.EKSConfig), } - esScheme, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(c.cfg.OSType, c.cfg.ClusterDomain, ElasticsearchNamespace)) - envVars := []corev1.EnvVar{ // Meta flags. {Name: "LOG_LEVEL", Value: "info"}, 
@@ -1042,38 +1040,10 @@ func (c *fluentdComponent) eksLogForwarderDeployment() *appsv1.Deployment { {Name: "AWS_REGION", Value: c.cfg.EKSConfig.AwsRegion}, {Name: "AWS_ACCESS_KEY_ID", ValueFrom: secret.GetEnvVarSource(EksLogForwarderSecret, EksLogForwarderAwsId, false)}, {Name: "AWS_SECRET_ACCESS_KEY", ValueFrom: secret.GetEnvVarSource(EksLogForwarderSecret, EksLogForwarderAwsKey, false)}, - relasticsearch.ElasticIndexSuffixEnvVar(c.cfg.ESClusterConfig.ClusterName()), - relasticsearch.ElasticUserEnvVar(ElasticsearchEksLogForwarderUserSecret), - relasticsearch.ElasticPasswordEnvVar(ElasticsearchEksLogForwarderUserSecret), - relasticsearch.ElasticSchemeEnvVar(esScheme), - relasticsearch.ElasticHostEnvVar(esHost), - relasticsearch.ElasticPortEnvVar(esPort), - relasticsearch.ElasticCAEnvVar(c.cfg.OSType), } var eksLogForwarderReplicas int32 = 1 - initContainer := corev1.Container{ - Name: eksLogForwarderName + "-startup", - Image: c.image, - ImagePullPolicy: ImagePullPolicy(), - Command: []string{c.path("/bin/eks-log-forwarder-startup")}, - Env: envVars, - SecurityContext: c.securityContext(false), - VolumeMounts: c.eksLogForwarderVolumeMounts(), - } - - container := corev1.Container{ - Name: eksLogForwarderName, - Image: c.image, - ImagePullPolicy: ImagePullPolicy(), - Env: envVars, - SecurityContext: c.securityContext(false), - VolumeMounts: c.eksLogForwarderVolumeMounts(), - } - - container.Env = append(container.Env, envVars...) - return &appsv1.Deployment{ TypeMeta: metav1.TypeMeta{Kind: "Deployment", APIVersion: "apps/v1"}, ObjectMeta: metav1.ObjectMeta{ 
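Review bot: This hunk removes every `ELASTIC_*` variable (index suffix, user secret references, scheme/host/port and CA) from the eks-log-forwarder containers, which is a behavioural change well beyond the container-literal restructuring continued in the next hunk; unless the forwarder image no longer talks to Elasticsearch directly (plausible given the rest of this series, but not stated), it will start without connection details. If intended, the controller's requirement for `ElasticsearchEksLogForwarderUserSecret` and the `ESClusterConfig` field used only here should be retired in the same change, and the commit message should say the forwarder no longer needs ES access. The fluentd_test hunk below pins the exact env list without them, so the tests encode whichever intent this is. eksLogForwarderDeployment starts before this hunk and ends after the following one.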
@@ -1107,10 +1077,25 @@ func (c *fluentdComponent) eksLogForwarderDeployment() *appsv1.Deployment { ServiceAccountName: eksLogForwarderName, ImagePullSecrets: secret.GetReferenceList(c.cfg.PullSecrets), InitContainers: []corev1.Container{ - initContainer, + { + Name: eksLogForwarderName + "-startup", + Image: c.image, + ImagePullPolicy: ImagePullPolicy(), + Command: []string{c.path("/bin/eks-log-forwarder-startup")}, + Env: envVars, + SecurityContext: c.securityContext(false), + VolumeMounts: c.eksLogForwarderVolumeMounts(), + }, }, Containers: []corev1.Container{ - container, + { + Name: eksLogForwarderName, + Image: c.image, + ImagePullPolicy: ImagePullPolicy(), + Env: envVars, + SecurityContext: c.securityContext(false), + VolumeMounts: c.eksLogForwarderVolumeMounts(), + }, }, Volumes: c.eksLogForwarderVolumes(), }, diff --git a/pkg/render/fluentd_test.go b/pkg/render/fluentd_test.go index 0d380c8649..de7d913d1f 100644 --- a/pkg/render/fluentd_test.go +++ b/pkg/render/fluentd_test.go 
@@ -894,16 +894,38 @@ var _ = Describe("Tigera Secure Fluentd rendering tests", func() {
 Type: corev1.SeccompProfileTypeRuntimeDefault,
 }))
- Expect(envs).To(ContainElement(corev1.EnvVar{Name: "EKS_CLOUDWATCH_LOG_FETCH_INTERVAL", Value: "900"}))
- Expect(envs).To(ContainElements([]corev1.EnvVar{
- {Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"},
- {Name: "ELASTIC_SCHEME", Value: "https"},
- {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"},
- {Name: "ELASTIC_PORT", Value: "9200"},
- {Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource("tigera-eks-log-forwarder-elasticsearch-access", "username", false)},
- {Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource("tigera-eks-log-forwarder-elasticsearch-access", "password", false)},
- {Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
- }))
+ expectedEnvVars := []corev1.EnvVar{
+ {Name: "LOG_LEVEL", Value: "info", ValueFrom: nil},
+ {Name: "FLUENT_UID", Value: "0", ValueFrom: nil},
+ {Name: "MANAGED_K8S", Value: "true", ValueFrom: nil},
+ {Name: "K8S_PLATFORM", Value: "eks", ValueFrom: nil},
+ {Name: "FLUENTD_ES_SECURE", Value: "true"},
+ {Name: "EKS_CLOUDWATCH_LOG_GROUP", Value: "dummy-eks-cluster-cloudwatch-log-group"},
+ {Name: "EKS_CLOUDWATCH_LOG_STREAM_PREFIX", Value: ""},
+ {Name: "EKS_CLOUDWATCH_LOG_FETCH_INTERVAL", Value: "900"},
+ {Name: "AWS_REGION", Value: "us-west-1", ValueFrom: nil},
+ {Name: "AWS_ACCESS_KEY_ID",
+ ValueFrom: &corev1.EnvVarSource{
+ SecretKeyRef: &corev1.SecretKeySelector{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: "tigera-eks-log-forwarder-secret",
+ },
+ Key: "aws-id",
+ }},
+ },
+ {Name: "AWS_SECRET_ACCESS_KEY",
+ ValueFrom: &corev1.EnvVarSource{
+ SecretKeyRef: &corev1.SecretKeySelector{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: "tigera-eks-log-forwarder-secret",
+ },
+ Key: "aws-key",
+ Optional: nil,
+ }},
+ },
+ }
+
+ Expect(envs).To(Equal(expectedEnvVars))
 })
 Context("allow-tigera rendering", func() {
diff --git a/pkg/render/intrusion_detection_test.go b/pkg/render/intrusion_detection_test.go
index 052370c15b..906757fc73 100644
--- a/pkg/render/intrusion_detection_test.go
+++ b/pkg/render/intrusion_detection_test.go
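Review bot: `Expect(envs).To(Equal(expectedEnvVars))` pins the exact render order of the env list, so a benign reordering in `fluentd.go` breaks the test; the same pattern is introduced in the intrusion_detection_test.go (-157), logstorage_test.go (-672) and manager_test.go (-131) hunks, and patch 9/9 exists only to re-sort this very list after such a reordering. If order is not part of the contract, `Expect(envs).To(ConsistOf(expectedEnvVars))` keeps the completeness check without the ordering dependency; if the order is intentional, a one-line comment saying so would stop the next reader from "fixing" it. Separately, `ValueFrom: nil` and `Optional: nil` are spelled out on some entries and omitted on others; dropping the explicit zero values keeps the list uniform.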
@@ -157,26 +157,53 @@ var _ = Describe("Intrusion Detection rendering tests", func() {
 idc := rtest.GetResource(resources, "intrusion-detection-controller", render.IntrusionDetectionNamespace, "apps", "v1", "Deployment").(*appsv1.Deployment)
 idji := rtest.GetResource(resources, "intrusion-detection-es-job-installer", render.IntrusionDetectionNamespace, "batch", "v1", "Job").(*batchv1.Job)
 Expect(idc.Spec.Template.Spec.Containers).To(HaveLen(2))
- Expect(idc.Spec.Template.Spec.Containers[0].Env).Should(ContainElements(
- corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"},
- corev1.EnvVar{Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "username", false)},
- corev1.EnvVar{Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "password", false)},
- corev1.EnvVar{Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
- corev1.EnvVar{Name: "ELASTIC_SCHEME", Value: "https"},
- corev1.EnvVar{Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"},
- corev1.EnvVar{Name: "ELASTIC_PORT", Value: "9200"},
- corev1.EnvVar{Name: "LINSEED_URL", Value: "https://tigera-linseed.tigera-elasticsearch.svc"},
- corev1.EnvVar{Name: "LINSEED_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
- corev1.EnvVar{Name: "LINSEED_CLIENT_CERT", Value: "/intrusion-detection-tls/tls.crt"},
- corev1.EnvVar{Name: "LINSEED_CLIENT_KEY", Value: "/intrusion-detection-tls/tls.key"},
- corev1.EnvVar{Name: "FIPS_MODE_ENABLED", Value: "false"},
- ))
+ idcExpectedEnvVars := []corev1.EnvVar{
+ {Name: "MULTI_CLUSTER_FORWARDING_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
+ {Name: "FIPS_MODE_ENABLED", Value: "false"},
+ {Name: "LINSEED_URL", Value: "https://tigera-linseed.tigera-elasticsearch.svc"},
+ {Name: "LINSEED_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
+ {Name: "LINSEED_CLIENT_CERT", Value:
"/intrusion-detection-tls/tls.crt"},
+ {Name: "LINSEED_CLIENT_KEY", Value: "/intrusion-detection-tls/tls.key"},
+ {Name: "LINSEED_TOKEN", Value: "/var/run/secrets/kubernetes.io/serviceaccount/token"},
+ {Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"},
+ {Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "username", false)},
+ {Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionUserSecret, "password", false)},
+ {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"},
+ {Name: "ELASTIC_PORT", Value: "9200"},
+ {Name: "ELASTIC_SCHEME", Value: "https"},
+ {Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
+ }
+ Expect(idc.Spec.Template.Spec.Containers[0].Env).To(Equal(idcExpectedEnvVars))
+
 Expect(idji.Spec.Template.Spec.Containers).To(HaveLen(1))
- Expect(idji.Spec.Template.Spec.Containers[0].Env).Should(ContainElements(
- corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"},
- corev1.EnvVar{Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionJobUserSecret, "username", false)},
- corev1.EnvVar{Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionJobUserSecret, "password", false)},
- ))
+ idjiExpectedEnvVars := []corev1.EnvVar{
+ {Name: "KIBANA_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"},
+ {Name: "KIBANA_PORT", Value: "5601", ValueFrom: nil},
+ {Name: "KIBANA_SCHEME", Value: "https"},
+ {Name: "START_XPACK_TRIAL", Value: "false"},
+ {Name: "USER", ValueFrom: &corev1.EnvVarSource{
+ SecretKeyRef: &corev1.SecretKeySelector{
+ LocalObjectReference: corev1.LocalObjectReference{
+ Name: "tigera-ee-installer-elasticsearch-access",
+ },
+ Key: "username",
+ }},
+ },
+ {Name: "PASSWORD", ValueFrom: &corev1.EnvVarSource{
+ SecretKeyRef: &corev1.SecretKeySelector{
+
LocalObjectReference: corev1.LocalObjectReference{
+ Name: "tigera-ee-installer-elasticsearch-access",
+ },
+ Key: "password",
+ }},
+ },
+ {Name: "KB_CA_CERT", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
+ {Name: "FIPS_MODE_ENABLED", Value: "false"},
+ {Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"},
+ {Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionJobUserSecret, "username", false)},
+ {Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchIntrusionDetectionJobUserSecret, "password", false)},
+ }
+ Expect(idji.Spec.Template.Spec.Containers[0].Env).To(Equal(idjiExpectedEnvVars))
 Expect(*idji.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(BeFalse())
 Expect(*idji.Spec.Template.Spec.Containers[0].SecurityContext.Privileged).To(BeFalse())
diff --git a/pkg/render/logstorage_test.go b/pkg/render/logstorage_test.go
index 3af225a9ea..39bcf74789 100644
--- a/pkg/render/logstorage_test.go
+++ b/pkg/render/logstorage_test.go
@@ -658,7 +658,7 @@ var _ = Describe("Elasticsearch rendering tests", func() {
 Expect(ok).To(BeTrue())
 Expect(cronjob.Spec.JobTemplate.Spec.Template.Spec.Containers).To(HaveLen(1))
- Expect(cronjob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env).To(ContainElements([]corev1.EnvVar{
+ cronjobExpectedEnvVars := []corev1.EnvVar{
 {Name: "EE_FLOWS_INDEX_RETENTION_PERIOD", Value: fmt.Sprint(1)},
 {Name: "EE_AUDIT_INDEX_RETENTION_PERIOD", Value: fmt.Sprint(1)},
 {Name: "EE_SNAPSHOT_INDEX_RETENTION_PERIOD", Value: fmt.Sprint(1)},
@@ -672,7 +672,8 @@ var _ = Describe("Elasticsearch rendering tests", func() {
 {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"},
 {Name: "ELASTIC_PORT", Value: "9200"},
 {Name: "ES_CURATOR_BACKEND_CERT", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
- }))
+ }
+ Expect(cronjob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].Env).To(Equal(cronjobExpectedEnvVars))
 Expect(*cronjob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].SecurityContext.AllowPrivilegeEscalation).To(BeFalse())
 Expect(*cronjob.Spec.JobTemplate.Spec.Template.Spec.Containers[0].SecurityContext.Privileged).To(BeFalse())
diff --git a/pkg/render/manager.go b/pkg/render/manager.go
index c3211af065..155af32c86 100644
--- a/pkg/render/manager.go
+++ b/pkg/render/manager.go
@@ -390,9 +390,9 @@ func (c *managerComponent) managerProxyProbe() *corev1.Probe {
 }
 }
-func (c *managerComponent) kibanaEnabled() bool {
- enableKibana := !operatorv1.IsFIPSModeEnabled(c.cfg.Installation.FIPSMode)
- if c.cfg.Tenant.MultiTenant() {
+func KibanaEnabled(tenant *operatorv1.Tenant, installation *operatorv1.InstallationSpec) bool {
+ enableKibana := !operatorv1.IsFIPSModeEnabled(installation.FIPSMode)
+ if tenant.MultiTenant() {
 enableKibana = false
 }
 return enableKibana
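Review bot: `KibanaEnabled` is now exported but carries no doc comment, and its nil handling is implicit: it is called with a nil tenant in the patch 8/9 hunk at manager_test.go -709 (`render.KibanaEnabled(nil, i)`) and, as before, with `c.cfg.Tenant`, which the removed test comment says is nil in the single-tenant case, so correctness rests on `Tenant.MultiTenant` tolerating a nil receiver. If that is the intended contract it should be written down, e.g. `// KibanaEnabled reports whether Kibana should be enabled for the manager: it is off in FIPS mode and in multi-tenant mode. A nil tenant is treated as single-tenant.`; if it is not guaranteed, `if tenant != nil && tenant.MultiTenant() {` makes the function safe regardless. `installation` is dereferenced unconditionally, which matches the old receiver form.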
@@ -412,7 +412,7 @@ func (c *managerComponent) managerEnvVars() []corev1.EnvVar {
 {Name: "CNX_CLUSTER_NAME", Value: "cluster"},
 {Name: "CNX_POLICY_RECOMMENDATION_SUPPORT", Value: "true"},
 {Name: "ENABLE_MULTI_CLUSTER_MANAGEMENT", Value: strconv.FormatBool(c.cfg.ManagementCluster != nil)},
- {Name: "ENABLE_KIBANA", Value: strconv.FormatBool(c.kibanaEnabled())},
+ {Name: "ENABLE_KIBANA", Value: strconv.FormatBool(KibanaEnabled(c.cfg.Tenant, c.cfg.Installation))},
 // The manager supports two states of a product feature being unavailable: the product feature being feature-flagged off,
 // and the current license not enabling the feature. The compliance flag that we set on the manager container is a feature
 // flag, which we should set purely based on whether the compliance CR is present, ignoring the license status.
@@ -561,11 +561,11 @@ func (c *managerComponent) managerEsProxyContainer() corev1.Container {
 {Name: "FIPS_MODE_ENABLED", Value: operatorv1.IsFIPSModeEnabledString(c.cfg.Installation.FIPSMode)},
 {Name: "LINSEED_CLIENT_CERT", Value: certPath},
 {Name: "LINSEED_CLIENT_KEY", Value: keyPath},
- {Name: "ELASTIC_KIBANA_DISABLED", Value: strconv.FormatBool(!c.kibanaEnabled())},
+ {Name: "ELASTIC_KIBANA_DISABLED", Value: strconv.FormatBool(!KibanaEnabled(c.cfg.Tenant, c.cfg.Installation))},
 {Name: "VOLTRON_URL", Value: fmt.Sprintf("https://tigera-manager.%s.svc:9443", c.cfg.Namespace)},
 }
- if c.kibanaEnabled() {
+ if KibanaEnabled(c.cfg.Tenant, c.cfg.Installation) {
 esScheme, esHost, esPort, _ := url.ParseEndpoint(relasticsearch.GatewayEndpoint(c.SupportedOSType(), c.cfg.ClusterDomain, ElasticsearchNamespace))
 env = append(env,
 relasticsearch.ElasticCAEnvVar(c.SupportedOSType()),
diff --git a/pkg/render/manager_test.go b/pkg/render/manager_test.go
index 5f9437df7e..2473f6038b 100644
--- a/pkg/render/manager_test.go
+++ b/pkg/render/manager_test.go
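Review bot: `KibanaEnabled(c.cfg.Tenant, c.cfg.Installation)` is evaluated twice within a few lines of `managerEsProxyContainer` (the `ELASTIC_KIBANA_DISABLED` entry and the `if` that follows), and a third time in `managerEnvVars` in the -412 hunk; computing it once per function, `kibanaEnabled := KibanaEnabled(c.cfg.Tenant, c.cfg.Installation)`, then `strconv.FormatBool(!kibanaEnabled)` and `if kibanaEnabled {`, makes it obvious the two uses cannot disagree and gives the flag a name where the env list is built. `managerEsProxyContainer` begins before this hunk, so the local would go where `env` is declared.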
@@ -131,18 +131,23 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() {
 ))
 // es-proxy container
- Expect(esProxy.Env).Should(ContainElements(
- corev1.EnvVar{Name: "LINSEED_CLIENT_CERT", Value: "/internal-manager-tls/tls.crt"},
- corev1.EnvVar{Name: "LINSEED_CLIENT_KEY", Value: "/internal-manager-tls/tls.key"},
- corev1.EnvVar{Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
- corev1.EnvVar{Name: "ELASTIC_SCHEME", Value: "https"},
- corev1.EnvVar{Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"},
- corev1.EnvVar{Name: "ELASTIC_PORT", Value: "9200"},
- corev1.EnvVar{Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "username", false)},
- corev1.EnvVar{Name: "ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "password", false)},
- corev1.EnvVar{Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"},
- corev1.EnvVar{Name: "VOLTRON_URL", Value: "https://tigera-manager.tigera-manager.svc:9443"},
- ))
+ esProxyExpectedEnvVars := []corev1.EnvVar{
+ {Name: "ELASTIC_LICENSE_TYPE", Value: "enterprise_trial"},
+ {Name: "ELASTIC_KIBANA_ENDPOINT", Value: "https://tigera-secure-es-gateway-http.tigera-elasticsearch.svc:5601"},
+ {Name: "FIPS_MODE_ENABLED", Value: "false"},
+ {Name: "LINSEED_CLIENT_CERT", Value: "/internal-manager-tls/tls.crt"},
+ {Name: "LINSEED_CLIENT_KEY", Value: "/internal-manager-tls/tls.key"},
+ {Name: "ELASTIC_KIBANA_DISABLED", Value: "false"},
+ {Name: "VOLTRON_URL", Value: "https://tigera-manager.tigera-manager.svc:9443"},
+ {Name: "ELASTIC_CA", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
+ {Name: "ELASTIC_SCHEME", Value: "https"},
+ {Name: "ELASTIC_HOST", Value: "tigera-secure-es-gateway-http.tigera-elasticsearch.svc"},
+ {Name: "ELASTIC_PORT", Value: "9200"},
+ {Name: "ELASTIC_USER", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "username", false)},
+ {Name:
"ELASTIC_PASSWORD", ValueFrom: secret.GetEnvVarSource(render.ElasticsearchManagerUserSecret, "password", false)},
+ {Name: "ELASTIC_INDEX_SUFFIX", Value: "clusterTestName"},
+ }
+ Expect(esProxy.Env).To(Equal(esProxyExpectedEnvVars))
 Expect(esProxy.VolumeMounts).To(HaveLen(2))
 Expect(esProxy.VolumeMounts[0].Name).To(Equal("tigera-ca-bundle"))
From b632ee105734cb037914f0dada1347ddf64903cc Mon Sep 17 00:00:00 2001
From: Josh Lucas
Date: Fri, 8 Dec 2023 16:04:37 -0500
Subject: [PATCH 8/9] Use KibanaEnabled function instead of raw logic
---
 pkg/render/manager_test.go | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)
diff --git a/pkg/render/manager_test.go b/pkg/render/manager_test.go
index 95786dbd9f..cd1b9aa1dc 100644
--- a/pkg/render/manager_test.go
+++ b/pkg/render/manager_test.go
@@ -709,10 +709,8 @@ var _ = Describe("Tigera Secure Manager rendering tests", func() {
 // panicing. It accepts variations on the installspec for testing purposes.
 renderManager := func(i *operatorv1.InstallationSpec) *appsv1.Deployment {
 var esConfigMap *relasticsearch.ClusterConfig
- // We only require Elastic cluster configuration when Kibana is enabled. We infer whether Kibana is enabled by checking
- // FIPS configuration mode and multi-tenancy mode. See manager.go function kibanaEnabled for more details.
- // In this case we know that the tenant is nil so we only need check the FIPS mode.
- if !operatorv1.IsFIPSModeEnabled(i.FIPSMode) {
+ // We only require Elastic cluster configuration when Kibana is enabled.
+ if render.KibanaEnabled(nil, i) {
 esConfigMap = relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1)
 }
 cfg := &render.ManagerConfiguration{
@@ -1106,9 +1104,8 @@ func renderObjects(roc renderConfig) []client.Object {
 }
 var esConfigMap *relasticsearch.ClusterConfig
- // We only require Elastic cluster configuration when Kibana is enabled. We infer whether Kibana is enabled by checking
- // FIPS configuration mode and multi-tenancy mode. See manager.go function kibanaEnabled for more details.
- if roc.tenant == nil && !operatorv1.IsFIPSModeEnabled(roc.installation.FIPSMode) {
+ // We only require Elastic cluster configuration when Kibana is enabled.
+ if render.KibanaEnabled(roc.tenant, roc.installation) {
 esConfigMap = relasticsearch.NewClusterConfig("clusterTestName", 1, 1, 1)
 }
 cfg := &render.ManagerConfiguration{
From 9ca133f36cb1f6d031eed9f4516a6a0e5e17f126 Mon Sep 17 00:00:00 2001
From: Josh Lucas
Date: Fri, 8 Dec 2023 17:26:36 -0500
Subject: [PATCH 9/9] Fix test failures
---
 pkg/render/fluentd_test.go | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/pkg/render/fluentd_test.go b/pkg/render/fluentd_test.go
index f1dcb5f915..2c634ae7a5 100644
--- a/pkg/render/fluentd_test.go
+++ b/pkg/render/fluentd_test.go
@@ -1002,12 +1002,6 @@ var _ = Describe("Tigera Secure Fluentd rendering tests", func() {
 {Name: "EKS_CLOUDWATCH_LOG_GROUP", Value: "dummy-eks-cluster-cloudwatch-log-group"},
 {Name: "EKS_CLOUDWATCH_LOG_STREAM_PREFIX", Value: ""},
 {Name: "EKS_CLOUDWATCH_LOG_FETCH_INTERVAL", Value: "900"},
- {Name: "LINSEED_ENABLED", Value: "true"},
- {Name: "LINSEED_CA_PATH", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
- {Name: "TLS_CRT_PATH", Value: "/tigera-eks-log-forwarder-tls/tls.crt"},
- {Name: "TLS_KEY_PATH", Value: "/tigera-eks-log-forwarder-tls/tls.key"},
- {Name: "LINSEED_ENDPOINT", Value: "https://tigera-linseed.tigera-elasticsearch.svc"},
- {Name: "LINSEED_TOKEN", Value: "/var/run/secrets/kubernetes.io/serviceaccount/token"},
 {Name: "AWS_REGION", Value: "us-west-1", ValueFrom: nil},
 {Name: "AWS_ACCESS_KEY_ID",
 ValueFrom: &corev1.EnvVarSource{
@@ -1028,6 +1022,12 @@ var _ = Describe("Tigera Secure Fluentd rendering tests", func() {
 Optional: nil,
 }},
 },
+ {Name: "LINSEED_ENABLED", Value: "true"},
+ {Name: "LINSEED_ENDPOINT", Value: "https://tigera-linseed.tigera-elasticsearch.svc"},
+ {Name: "LINSEED_CA_PATH", Value: "/etc/pki/tls/certs/tigera-ca-bundle.crt"},
+ {Name: "TLS_CRT_PATH", Value: "/tigera-eks-log-forwarder-tls/tls.crt"},
+ {Name: "TLS_KEY_PATH", Value: "/tigera-eks-log-forwarder-tls/tls.key"},
+ {Name: "LINSEED_TOKEN", Value: "/var/run/secrets/kubernetes.io/serviceaccount/token"},
 }
 Expect(envs).To(Equal(expectedEnvVars))