THREESCALE-11156 add apimanger flags for TLS

3scale · Dec 11, 2024 · 7646db2 · 7646db2
1 parent cec4cf1
commit 7646db2
Show file tree

Hide file tree

Showing 16 changed files with 189 additions and 65 deletions.
diff --git a/apis/apps/v1alpha1/apimanager_types.go b/apis/apps/v1alpha1/apimanager_types.go
@@ -84,6 +84,10 @@ type APIManagerSpec struct {
 	PodDisruptionBudget *PodDisruptionBudgetSpec `json:"podDisruptionBudget,omitempty"`
 	// +optional
 	Monitoring *MonitoringSpec `json:"monitoring,omitempty"`
+	// +optional
+	SystemDatabaseTLSEnabled *bool `json:"systemDatabaseTLSEnabled,omitempty"`
+	// +optional
+	ZyncDatabaseTLSEnabled *bool `json:"zyncDatabaseTLSEnabled,omitempty"`
 }
 
 // APIManagerStatus defines the observed state of APIManager
@@ -1535,3 +1539,11 @@ type APIManagerList struct {
 func init() {
 	SchemeBuilder.Register(&APIManager{}, &APIManagerList{})
 }
+
+func (apimanager *APIManager) IsSystemDatabaseTLSEnabled() bool {
+	return apimanager.Spec.SystemDatabaseTLSEnabled != nil && *apimanager.Spec.SystemDatabaseTLSEnabled
+}
+
+func (apimanager *APIManager) IsZyncDatabaseTLSEnabled() bool {
+	return apimanager.Spec.ZyncDatabaseTLSEnabled != nil && *apimanager.Spec.ZyncDatabaseTLSEnabled
+}
diff --git a/apis/apps/v1alpha1/zz_generated.deepcopy.go b/apis/apps/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/apps.3scale.net_apimanagers.yaml b/bundle/manifests/apps.3scale.net_apimanagers.yaml
@@ -9829,6 +9829,8 @@ spec:
                         type: array
                     type: object
                 type: object
+              systemDatabaseTLSEnabled:
+                type: boolean
               tenantName:
                 type: string
               wildcardDomain:
@@ -11821,6 +11823,8 @@ spec:
                         type: array
                     type: object
                 type: object
+              zyncDatabaseTLSEnabled:
+                type: boolean
             required:
             - wildcardDomain
             type: object

diff --git a/config/crd/bases/apps.3scale.net_apimanagers.yaml b/config/crd/bases/apps.3scale.net_apimanagers.yaml
@@ -19979,6 +19979,8 @@ spec:
                         type: array
                     type: object
                 type: object
+              systemDatabaseTLSEnabled:
+                type: boolean
               tenantName:
                 type: string
               wildcardDomain:
@@ -24051,6 +24053,8 @@ spec:
                         type: array
                     type: object
                 type: object
+              zyncDatabaseTLSEnabled:
+                type: boolean
             required:
             - wildcardDomain
             type: object

diff --git a/pkg/3scale/amp/component/system.go b/pkg/3scale/amp/component/system.go
@@ -27,9 +27,9 @@ const (
 	SystemSecretDatabaseSslCert                     = "DATABASE_SSL_CERT"
 	SystemSecretDatabaseSslKey                      = "DATABASE_SSL_KEY"
 	SystemSecretDatabaseSslMode                     = "DATABASE_SSL_MODE"
-	SystemSecretSslCa                               = "SSL_CA"
-	SystemSecretSslCert                             = "SSL_CERT"
-	SystemSecretSslKey                              = "SSL_KEY"
+	SystemSecretSslCa                               = "DB_SSL_CA"
+	SystemSecretSslCert                             = "DB_SSL_CERT"
+	SystemSecretSslKey                              = "DB_SSL_KEY"
 )
 
 const (
@@ -184,19 +184,22 @@ func (system *System) SystemRedisEnvVars() []v1.EnvVar {
 
 func (system *System) buildSystemBaseEnv() []v1.EnvVar {
 	result := []v1.EnvVar{}
-
 	baseEnvConfigMapEnvs := system.getSystemBaseEnvsFromEnvConfigMap()
 	result = append(result, baseEnvConfigMapEnvs...)
+	//apimanager, err := helper.GetApimanger()
+	//if err != nil {
+	//	log.Printf("Failed to get apimanger: %s", err)
+	//}
 
 	result = append(result,
 		helper.EnvVarFromSecret("DATABASE_URL", SystemSecretSystemDatabaseSecretName, SystemSecretSystemDatabaseURLFieldName),
-		helper.EnvVarFromSecretOptional("SSL_CA", SystemSecretSystemDatabaseSecretName, "SSL_CA"),
-		helper.EnvVarFromSecretOptional("SSL_CERT", SystemSecretSystemDatabaseSecretName, "SSL_CERT"),
-		helper.EnvVarFromSecretOptional("SSL_KEY", SystemSecretSystemDatabaseSecretName, "SSL_KEY"),
-		helper.EnvVarFromSecretOptional("DATABASE_SSL_MODE", SystemSecretSystemDatabaseSecretName, "DATABASE_SSL_MODE"),
-		helper.EnvVarFromValue("DATABASE_SSL_CA", helper.TlsCertPresent("DATABASE_SSL_CA", SystemSecretSystemDatabaseSecretName)),
-		helper.EnvVarFromValue("DATABASE_SSL_CERT", helper.TlsCertPresent("DATABASE_SSL_CERT", SystemSecretSystemDatabaseSecretName)),
-		helper.EnvVarFromValue("DATABASE_SSL_KEY", helper.TlsCertPresent("DATABASE_SSL_KEY", SystemSecretSystemDatabaseSecretName)),
+		helper.EnvVarFromSecretOptional("DB_SSL_CA", SystemSecretSystemDatabaseSecretName, SystemSecretSslCa),
+		helper.EnvVarFromSecretOptional("DB_SSL_CERT", SystemSecretSystemDatabaseSecretName, SystemSecretSslCert),
+		helper.EnvVarFromSecretOptional("DB_SSL_KEY", SystemSecretSystemDatabaseSecretName, SystemSecretSslKey),
+		helper.EnvVarFromSecretOptional("DATABASE_SSL_MODE", SystemSecretSystemDatabaseSecretName, SystemSecretDatabaseSslMode),
+		helper.EnvVarFromValue("DATABASE_SSL_CA", helper.TlsCertPresent("DATABASE_SSL_CA", SystemSecretSystemDatabaseSecretName, system.Options.SystemDbTLSEnabled)),
+		helper.EnvVarFromValue("DATABASE_SSL_CERT", helper.TlsCertPresent("DATABASE_SSL_CERT", SystemSecretSystemDatabaseSecretName, system.Options.SystemDbTLSEnabled)),
+		helper.EnvVarFromValue("DATABASE_SSL_KEY", helper.TlsCertPresent("DATABASE_SSL_KEY", SystemSecretSystemDatabaseSecretName, system.Options.SystemDbTLSEnabled)),
 
 		helper.EnvVarFromSecret("MASTER_DOMAIN", SystemSecretSystemSeedSecretName, SystemSecretSystemSeedMasterDomainFieldName),
 		helper.EnvVarFromSecret("MASTER_USER", SystemSecretSystemSeedSecretName, SystemSecretSystemSeedMasterUserFieldName),
@@ -528,15 +531,15 @@ func (system *System) appPodVolumes() []v1.Volume {
 				SecretName: SystemSecretSystemDatabaseSecretName, // Name of the secret containing the TLS certs
 				Items: []v1.KeyToPath{
 					{
-						Key:  "SSL_CA",
+						Key:  SystemSecretSslCa,
 						Path: "ca.crt", // Map the secret key to the ca.crt file in the container
 					},
 					{
-						Key:  "SSL_CERT",
+						Key:  SystemSecretSslCert,
 						Path: "tls.crt", // Map the secret key to the tls.crt file in the container
 					},
 					{
-						Key:  "SSL_KEY",
+						Key:  SystemSecretSslKey,
 						Path: "tls.key", // Map the secret key to the tls.key file in the container
 					},
 				},
@@ -980,15 +983,15 @@ func (system *System) SidekiqPodVolumes() []v1.Volume {
 				SecretName: SystemSecretSystemDatabaseSecretName, // Name of the secret containing the TLS certs
 				Items: []v1.KeyToPath{
 					{
-						Key:  "SSL_CA",
+						Key:  SystemSecretSslCa,
 						Path: "ca.crt", // Map the secret key to the ca.crt file in the container
 					},
 					{
-						Key:  "SSL_CERT",
+						Key:  SystemSecretSslCert,
 						Path: "tls.crt", // Map the secret key to the tls.crt file in the container
 					},
 					{
-						Key:  "SSL_KEY",
+						Key:  SystemSecretSslKey,
 						Path: "tls.key", // Map the secret key to the tls.key file in the container
 					},
 				},

diff --git a/pkg/3scale/amp/component/system_options.go b/pkg/3scale/amp/component/system_options.go
@@ -88,6 +88,7 @@ type SystemOptions struct {
 	SMTPLabels               map[string]string `validate:"required"`
 	SideKiqMetrics           bool
 	AppMetrics               bool
+	SystemDbTLSEnabled       bool
 
 	IncludeOracleOptionalSettings bool
 

diff --git a/pkg/3scale/amp/component/system_searchd.go b/pkg/3scale/amp/component/system_searchd.go
@@ -120,15 +120,15 @@ func (s *SystemSearchd) Deployment(containerImage string) *k8sappsv1.Deployment
 									SecretName: SystemSecretSystemDatabaseSecretName, // Name of the secret containing the TLS certs
 									Items: []v1.KeyToPath{
 										{
-											Key:  "SSL_CA",
+											Key:  SystemSecretSslCa,
 											Path: "ca.crt", // Map the secret key to the ca.crt file in the container
 										},
 										{
-											Key:  "SSL_CERT",
+											Key:  SystemSecretSslCert,
 											Path: "tls.crt", // Map the secret key to the tls.crt file in the container
 										},
 										{
-											Key:  "SSL_KEY",
+											Key:  SystemSecretSslKey,
 											Path: "tls.key", // Map the secret key to the tls.key file in the container
 										},
 									},
@@ -283,15 +283,15 @@ func (s *SystemSearchd) ReindexingJob(containerImage string, system *System) *ba
 									SecretName: SystemSecretSystemDatabaseSecretName, // Name of the secret containing the TLS certs
 									Items: []v1.KeyToPath{
 										{
-											Key:  "SSL_CA",
+											Key:  SystemSecretSslCa,
 											Path: "ca.crt", // Map the secret key to the ca.crt file in the container
 										},
 										{
-											Key:  "SSL_CERT",
+											Key:  SystemSecretSslCert,
 											Path: "tls.crt", // Map the secret key to the tls.crt file in the container
 										},
 										{
-											Key:  "SSL_KEY",
+											Key:  SystemSecretSslKey,
 											Path: "tls.key", // Map the secret key to the tls.key file in the container
 										},
 									},

diff --git a/pkg/3scale/amp/component/system_searchd_options.go b/pkg/3scale/amp/component/system_searchd_options.go
@@ -26,6 +26,8 @@ type SystemSearchdOptions struct {
 	PriorityClassName         string                        `validate:"-"`
 	TopologySpreadConstraints []v1.TopologySpreadConstraint `validate:"-"`
 	PodTemplateAnnotations    map[string]string             `validate:"-"`
+
+	SearchdDbTLSEnabled bool
 }
 
 func NewSystemSearchdOptions() *SystemSearchdOptions {

diff --git a/pkg/3scale/amp/component/zync.go b/pkg/3scale/amp/component/zync.go
@@ -25,9 +25,9 @@ const (
 	ZyncSecretDatabasePasswordFieldName    = "ZYNC_DATABASE_PASSWORD"
 	ZyncSecretAuthenticationTokenFieldName = "ZYNC_AUTHENTICATION_TOKEN"
 	ZyncSecretDatabaseSslMode              = "DATABASE_SSL_MODE"
-	ZyncSecretSslCa                        = "SSL_CA"
-	ZyncSecretSslCert                      = "SSL_CERT"
-	ZyncSecretSslKey                       = "SSL_KEY"
+	ZyncSecretSslCa                        = "DB_SSL_CA"
+	ZyncSecretSslCert                      = "DB_SSL_CERT"
+	ZyncSecretSslKey                       = "DB_SSL_KEY"
 )
 
 const (
@@ -241,9 +241,9 @@ func (zync *Zync) Deployment(containerImage string) *k8sappsv1.Deployment {
 									},
 								},
 								helper.EnvVarFromSecretOptional("DATABASE_SSL_MODE", ZyncSecretName, "DATABASE_SSL_MODE"),
-								helper.EnvVarFromValue("DATABASE_SSL_CA", helper.TlsCertPresent("DATABASE_SSL_CA", ZyncSecretName)),
-								helper.EnvVarFromValue("DATABASE_SSL_CERT", helper.TlsCertPresent("DATABASE_SSL_CERT", ZyncSecretName)),
-								helper.EnvVarFromValue("DATABASE_SSL_KEY", helper.TlsCertPresent("DATABASE_SSL_KEY", ZyncSecretName)),
+								helper.EnvVarFromValue("DATABASE_SSL_CA", helper.TlsCertPresent("DATABASE_SSL_CA", ZyncSecretName, zync.Options.ZyncDbTLSEnabled)),
+								helper.EnvVarFromValue("DATABASE_SSL_CERT", helper.TlsCertPresent("DATABASE_SSL_CERT", ZyncSecretName, zync.Options.ZyncDbTLSEnabled)),
+								helper.EnvVarFromValue("DATABASE_SSL_KEY", helper.TlsCertPresent("DATABASE_SSL_KEY", ZyncSecretName, zync.Options.ZyncDbTLSEnabled)),
 							},
 							VolumeMounts: []v1.VolumeMount{
 								{
@@ -306,15 +306,15 @@ func (zync *Zync) Deployment(containerImage string) *k8sappsv1.Deployment {
 									SecretName: ZyncSecretName, // Name of the secret containing the TLS certs
 									Items: []v1.KeyToPath{
 										{
-											Key:  "SSL_CA",
+											Key:  ZyncSecretSslCa,
 											Path: "ca.crt", // Map the secret key to the ca.crt file in the container
 										},
 										{
-											Key:  "SSL_CERT",
+											Key:  ZyncSecretSslCert,
 											Path: "tls.crt", // Map the secret key to the tls.crt file in the container
 										},
 										{
-											Key:  "SSL_KEY",
+											Key:  ZyncSecretSslKey,
 											Path: "tls.key", // Map the secret key to the tls.key file in the container
 										},
 									},
@@ -343,13 +343,15 @@ func (zync *Zync) commonZyncEnvVars() []v1.EnvVar {
 		helper.EnvVarFromSecret("DATABASE_URL", "zync", "DATABASE_URL"),
 		helper.EnvVarFromSecret("SECRET_KEY_BASE", "zync", "SECRET_KEY_BASE"),
 		helper.EnvVarFromSecret("ZYNC_AUTHENTICATION_TOKEN", "zync", "ZYNC_AUTHENTICATION_TOKEN"),
-		helper.EnvVarFromSecretOptional("SSL_CA", ZyncSecretName, "SSL_CA"),
-		helper.EnvVarFromSecretOptional("SSL_CERT", ZyncSecretName, "SSL_CERT"),
-		helper.EnvVarFromSecretOptional("SSL_KEY", ZyncSecretName, "SSL_KEY"),
-		helper.EnvVarFromSecretOptional("DATABASE_SSL_MODE", ZyncSecretName, "DATABASE_SSL_MODE"),
-		helper.EnvVarFromValue("DATABASE_SSL_CA", helper.TlsCertPresent("DATABASE_SSL_CA", ZyncSecretName)),
-		helper.EnvVarFromValue("DATABASE_SSL_CERT", helper.TlsCertPresent("DATABASE_SSL_CERT", ZyncSecretName)),
-		helper.EnvVarFromValue("DATABASE_SSL_KEY", helper.TlsCertPresent("DATABASE_SSL_KEY", ZyncSecretName)),
+		// SSL certs from secret
+		helper.EnvVarFromSecretOptional("DB_SSL_CA", ZyncSecretName, ZyncSecretSslCa),
+		helper.EnvVarFromSecretOptional("DB_SSL_CERT", ZyncSecretName, ZyncSecretSslCert),
+		helper.EnvVarFromSecretOptional("DB_SSL_KEY", ZyncSecretName, ZyncSecretSslKey),
+		helper.EnvVarFromSecretOptional("DATABASE_SSL_MODE", ZyncSecretName, ZyncSecretDatabaseSslMode),
+		// SSL mount pat env vars
+		helper.EnvVarFromValue("DATABASE_SSL_CA", helper.TlsCertPresent("DATABASE_SSL_CA", ZyncSecretName, zync.Options.ZyncDbTLSEnabled)),
+		helper.EnvVarFromValue("DATABASE_SSL_CERT", helper.TlsCertPresent("DATABASE_SSL_CERT", ZyncSecretName, zync.Options.ZyncDbTLSEnabled)),
+		helper.EnvVarFromValue("DATABASE_SSL_KEY", helper.TlsCertPresent("DATABASE_SSL_KEY", ZyncSecretName, zync.Options.ZyncDbTLSEnabled)),
 		{
 			Name: "POD_NAME",
 			ValueFrom: &v1.EnvVarSource{
@@ -478,15 +480,15 @@ func (zync *Zync) QueDeployment(containerImage string) *k8sappsv1.Deployment {
 									SecretName: ZyncSecretName, // Name of the secret containing the TLS certs
 									Items: []v1.KeyToPath{
 										{
-											Key:  "SSL_CA",
+											Key:  ZyncSecretSslCa,
 											Path: "ca.crt", // Map the secret key to the ca.crt file in the container
 										},
 										{
-											Key:  "SSL_CERT",
+											Key:  ZyncSecretSslCert,
 											Path: "tls.crt", // Map the secret key to the tls.crt file in the container
 										},
 										{
-											Key:  "SSL_KEY",
+											Key:  ZyncSecretSslKey,
 											Path: "tls.key", // Map the secret key to the tls.key file in the container
 										},
 									},

diff --git a/pkg/3scale/amp/component/zync_options.go b/pkg/3scale/amp/component/zync_options.go
@@ -26,6 +26,7 @@ type ZyncOptions struct {
 	DatabaseSslCa                         string
 	DatabaseSslCert                       string
 	DatabaseSslKey                        string
+	ZyncDbTLSEnabled                      bool
 
 	ZyncAffinity            *v1.Affinity    `validate:"-"`
 	ZyncTolerations         []v1.Toleration `validate:"-"`

diff --git a/pkg/3scale/amp/operator/system_options_provider.go b/pkg/3scale/amp/operator/system_options_provider.go
@@ -49,6 +49,11 @@ func (s *SystemOptionsProvider) GetSystemOptions() (*component.SystemOptions, er
 	s.options.DeveloperUILabels = s.developerUILabels()
 	s.options.MemcachedLabels = s.memcachedLabels()
 	s.options.SMTPLabels = s.smtpLabels()
+	s.setSystemDBTLSEabled()
+	if s.apimanager.IsSystemDatabaseTLSEnabled() {
+		s.options.CommonAppLabels = s.setSystemDatabaseTLSLabels()
+		s.options.CommonSidekiqLabels = s.setSidekiqDatabaseTLSLabels()
+	}
 
 	err := s.setSecretBasedOptions()
 	if err != nil {
@@ -604,6 +609,17 @@ func (s *SystemOptionsProvider) smtpLabels() map[string]string {
 	return labels
 }
 
+func (s *SystemOptionsProvider) setSidekiqDatabaseTLSLabels() map[string]string {
+	labels := s.commonSidekiqLabels()
+	labels["apimanager.apps.3scale.net/watched-by"] = "sidekiq"
+	return labels
+}
+func (s *SystemOptionsProvider) setSystemDatabaseTLSLabels() map[string]string {
+	labels := s.commonAppLabels()
+	labels["apimanager.apps.3scale.net/watched-by"] = "system"
+	return labels
+}
+
 func (s *SystemOptionsProvider) setPriorityClassNames() {
 	if s.apimanager.Spec.System.AppSpec.PriorityClassName != nil {
 		s.options.AppPriorityClassName = *s.apimanager.Spec.System.AppSpec.PriorityClassName
@@ -626,3 +642,7 @@ func (s *SystemOptionsProvider) setPodTemplateAnnotations() {
 	s.options.AppPodTemplateAnnotations = s.apimanager.Spec.System.AppSpec.Annotations
 	s.options.SideKiqPodTemplateAnnotations = s.apimanager.Spec.System.SidekiqSpec.Annotations
 }
+
+func (s *SystemOptionsProvider) setSystemDBTLSEabled() {
+	s.options.SystemDbTLSEnabled = s.apimanager.IsSystemDatabaseTLSEnabled()
+}
diff --git a/pkg/3scale/amp/operator/system_postgresql_options_provider.go b/pkg/3scale/amp/operator/system_postgresql_options_provider.go
@@ -86,32 +86,29 @@ func (s *SystemPostgresqlOptionsProvider) setSecretBasedOptions() error {
 	}
 	s.options.DatabaseURL = val
 
-	val, err = s.secretSource.FieldValue(
+	_, err = s.secretSource.FieldValue(
 		component.SystemSecretSystemDatabaseSecretName,
 		component.SystemSecretDatabaseSslCa,
 		component.DefaultSystemSslEmpty())
 	if err != nil {
 		return err
 	}
-	s.options.DatabaseURL = val
 
-	val, err = s.secretSource.FieldValue(
+	_, err = s.secretSource.FieldValue(
 		component.SystemSecretSystemDatabaseSecretName,
 		component.SystemSecretDatabaseSslCert,
 		component.DefaultSystemSslEmpty())
 	if err != nil {
 		return err
 	}
-	s.options.DatabaseURL = val
 
-	val, err = s.secretSource.FieldValue(
+	_, err = s.secretSource.FieldValue(
 		component.SystemSecretSystemDatabaseSecretName,
 		component.SystemSecretDatabaseSslKey,
 		component.DefaultSystemSslEmpty())
 	if err != nil {
 		return err
 	}
-	s.options.DatabaseURL = val
 
 	// databaseURL processing
 	urlObj, err := s.databaseURLIsValid(s.options.DatabaseURL)