Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

THREESCALE-11156 add tls env var to zync and system deployments #1026

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

THREESCALE-11156 add tls env var to zync and system deployments #1026

wants to merge 1 commit into from

Conversation

austincunningham
Copy link
Contributor

@austincunningham austincunningham commented Oct 15, 2024
edited
Loading

Issue

THREESCALE-11156

What

Add database client side tls to 3scale

Verification

# install crd's
make install
# create project
oc new-project 3scale-test
# get the wildcarddomain
DOMAIN=$(oc get routes console -n openshift-console -o json | jq -r '.status.ingress[0].routerCanonicalHostname' | sed 's/router-default.//')
# create s3 secret
oc apply -f - <<EOF
---
kind: Secret
apiVersion: v1
metadata:
  name: s3-credentials
data:
  AWS_ACCESS_KEY_ID: UkVQTEFDRV9NRQ==
  AWS_BUCKET: UkVQTEFDRV9NRQ==
  AWS_REGION: UkVQTEFDRV9NRQ==
  AWS_SECRET_ACCESS_KEY: UkVQTEFDRV9NRQ==
type: Opaque
EOF

kubectl apply -f - <<EOF                    
---                                    
apiVersion: apps.3scale.net/v1alpha1   
kind: APIManager                     
metadata:
  name: apimanager-sample
spec:
  system:
    systemDatabaseTLSEnabled: true
    database:
      postgresql: {}
    fileStorage:
      simpleStorageService:
        configurationSecretRef:
          name: s3-credentials
  zync:
    zyncDatabaseTLSEnabled: true
  wildcardDomain: $DOMAIN
  externalComponents:
    system:
      database: true
    zync:
      database: true
EOF
  • Setup the system-database and zync secrets with sslmode disabled (need to be run from the postgres repo as thats where the certs are created)
oc create secret generic zync \
  --namespace=3scale-test \
  --from-literal=DATABASE_SSL_MODE=verify-ca \
  --from-literal=DATABASE_URL=postgresql://postgres:[email protected]/zync_production \
  --from-literal=ZYNC_DATABASE_PASSWORD=postgres \
  --from-file=DB_SSL_CA=rootCA.crt \
  --from-file=DB_SSL_CERT=client.crt \
  --from-file=DB_SSL_KEY=client.key 
oc create secret generic system-database \
  --from-literal=DATABASE_SSL_MODE=verify-ca \
  --from-literal=URL=postgresql://postgres:[email protected]/system \
  --from-literal=DB_USER=postgres \
  --from-literal=DB_PASSWORD=postgres \
  --from-file=DB_SSL_CA=rootCA.crt \
  --from-file=DB_SSL_CERT=client.crt \
  --from-file=DB_SSL_KEY=client.key
  • Create the default redis and wait for the deployments to be up
 make cluster/create/system-redis
 make cluster/create/backend-redis
  • Run the operator locally
make run
  • zync-que may crash as the database needs some bootstrapping, exec into the pod and run the bootstrap, Not tls related as happens without tls enabled.
bin/rails db:create
  • wait for the install to complete
  • exec into the zync and system pods to to confirm the env vars have been set e.g.
# get the pod name
 oc get po
NAME                                     READY   STATUS      RESTARTS   AGE
apicast-production-6d4d589848-shlls      1/1     Running     0          3h5m
apicast-staging-767df4cbd8-m2kf5         1/1     Running     0          3h5m
backend-cron-6bbd4d5846-hmc7r            1/1     Running     0          3h5m
backend-listener-9df5df447-842qk         1/1     Running     0          3h5m
backend-redis-b59dd94cb-pksk7            1/1     Running     0          3h5m
backend-worker-64d47694b8-89q2g          1/1     Running     0          3h5m
system-app-85c4d98dd-j9mtr               3/3     Running     0          4m40s
system-app-post-884dp                    0/1     Completed   0          3h3m
system-app-pre-wlzrd                     0/1     Completed   0          3h5m
system-memcache-6b4df58598-q6mzj         1/1     Running     0          3h5m
system-redis-bf8db486d-h5bq9             1/1     Running     0          3h5m
system-searchd-659bffb8f4-swf4g          1/1     Running     0          5m50s
system-searchd-manticore-reindex-5jjb4   0/1     Completed   0          3h5m
system-sidekiq-59cc7dd9ff-l6pxg          1/1     Running     0          5m53s
zync-6f49fb7c5c-2pltl                    0/1     Init:0/2    0          7m51s
zync-que-fdd4d69f7-7gxdx                 1/1     Running     0          7m50s
#e.g. exec and run printenv to check the envars
oc exec -it zync-que-fdd4d69f7-7gxdx -- printenv | grep DATABASE_SSL
Defaulted container "que" out of: que, set-permissions (init)
DATABASE_SSL_KEY=/tls/tls.key
DATABASE_SSL_MODE=verify-ca
DATABASE_SSL_CA=/tls/ca.crt
DATABASE_SSL_CERT=/tls/tls.crt
  • Add that the watch-by label has been applied to zync and system-database secret
oc label secret zync apimanager.apps.3scale.net/watched-by=apimanager -n <operator-namespace>
oc label secret system-database apimanager.apps.3scale.net/watched-by=apimanager -n <operator-namespace>
  • update the zync and system-database secrets key value DATABASE_SSL_MODE=disable

NOTE: side note the flag is different for MySQL which is disabled

  • exec into the zync and system pods to to confirm the env vars have been set e.g.
# get the pod name
 oc get po
NAME                                     READY   STATUS      RESTARTS   AGE
apicast-production-6d4d589848-shlls      1/1     Running     0          3h5m
apicast-staging-767df4cbd8-m2kf5         1/1     Running     0          3h5m
backend-cron-6bbd4d5846-hmc7r            1/1     Running     0          3h5m
backend-listener-9df5df447-842qk         1/1     Running     0          3h5m
backend-redis-b59dd94cb-pksk7            1/1     Running     0          3h5m
backend-worker-64d47694b8-89q2g          1/1     Running     0          3h5m
system-app-85c4d98dd-j9mtr               3/3     Running     0          4m40s
system-app-post-884dp                    0/1     Completed   0          3h3m
system-app-pre-wlzrd                     0/1     Completed   0          3h5m
system-memcache-6b4df58598-q6mzj         1/1     Running     0          3h5m
system-redis-bf8db486d-h5bq9             1/1     Running     0          3h5m
system-searchd-659bffb8f4-swf4g          1/1     Running     0          5m50s
system-searchd-manticore-reindex-5jjb4   0/1     Completed   0          3h5m
system-sidekiq-59cc7dd9ff-l6pxg          1/1     Running     0          5m53s
zync-6f49fb7c5c-2pltl                    0/1     Init:0/2    0          7m51s
zync-que-fdd4d69f7-7gxdx                 1/1     Running     0          7m50s
#e.g. exec and run printenv to check the envars
oc exec -it zync-que-fdd4d69f7-7gxdx -- printenv | grep DATABASE_SSL
Defaulted container "que" out of: que, set-permissions (init)
DATABASE_SSL_KEY=/tls/tls.key
DATABASE_SSL_MODE=disable
DATABASE_SSL_CA=/tls/ca.crt
DATABASE_SSL_CERT=/tls/tls.crt

@austincunningham austincunningham requested a review from a team as a code owner October 15, 2024 08:46
@carlkyrillos carlkyrillos mentioned this pull request Nov 7, 2024
Merged
@austincunningham austincunningham force-pushed the THREESCALE-11156 branch 3 times, most recently from 694a709 to 7646db2 Compare December 11, 2024 14:46
@austincunningham
Copy link
Contributor Author

/test test-e2e

@austincunningham austincunningham force-pushed the THREESCALE-11156 branch 7 times, most recently from 52d6f47 to de4820b Compare December 13, 2024 15:57
@austincunningham
Copy link
Contributor Author

/test test-e2e

@austincunningham austincunningham changed the title WIP THREESCALE-11156 add tls env var to zync and system deployments THREESCALE-11156 add tls env var to zync and system deployments Jan 10, 2025
@austincunningham austincunningham force-pushed the THREESCALE-11156 branch 9 times, most recently from 8c46579 to f626b13 Compare January 15, 2025 08:03
@austincunningham austincunningham force-pushed the THREESCALE-11156 branch 7 times, most recently from bc1e44b to a5fd165 Compare January 27, 2025 09:32
@austincunningham
THREESCALE-11156 add tls env var to zync and system deployments
247a2e0 
THREESCALE-11156 add volume mounts for secrets

THREESCALE-11156 fix default internal to work without tls

THREESCALE-11156 set cert permissions

THREESCALE-11156 add apimanger flags for TLS

THREESCALE-11156 fix e2e

THREESCALE-11156 add Database TLS doc

THREESCALE-11156 add watchby logic

THREESCALE-11156 removed internal database changes
MStokluska
MStokluska reviewed Jan 28, 2025
View reviewed changes
apis/apps/v1alpha1/apimanager_types.go
@@ -84,6 +84,10 @@ type APIManagerSpec struct {
PodDisruptionBudget *PodDisruptionBudgetSpec `json:"podDisruptionBudget,omitempty"`
// +optional
Monitoring *MonitoringSpec `json:"monitoring,omitempty"`
// +optional
SystemDatabaseTLSEnabled *bool `json:"systemDatabaseTLSEnabled,omitempty"`
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if it's not a problem, please move this to system spec and zync spec respectively. Not a big deal if you prefer this is a global.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Don't believe it would be a problem to move. It's preference really. And it doesn't matter to me where it lives .

MStokluska
MStokluska reviewed Jan 28, 2025
View reviewed changes
pkg/3scale/amp/component/system.go
helper.EnvVarFromSecretOptional("DB_SSL_CERT", SystemSecretSystemDatabaseSecretName, SystemSecretSslCert),
helper.EnvVarFromSecretOptional("DB_SSL_KEY", SystemSecretSystemDatabaseSecretName, SystemSecretSslKey),
helper.EnvVarFromSecretOptional("DATABASE_SSL_MODE", SystemSecretSystemDatabaseSecretName, SystemSecretDatabaseSslMode),
helper.EnvVarFromValue("DATABASE_SSL_CA", helper.TlsCertPresent("DATABASE_SSL_CA", SystemSecretSystemDatabaseSecretName, system.Options.SystemDbTLSEnabled)),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

as discussed, let's move the creation of empty keys + validation of keys + validation of values here: https://github.com/3scale/3scale-operator/blob/master/pkg/3scale/amp/operator/highavailability_options_provider.go#L29

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree its better if the reconciler catches this.

Copy link
Contributor Author

@austincunningham austincunningham Jan 29, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes the secret validation should check if the secret values are populated in the highavailability reconcile and populate with an empty string if not set and return an error.

Two things here

  • It doesn't look like highavailability_options_provider GetHighAvailabilityOptions() handles zync database at the moment (maybe because spec.highavaibility is deprecated). Can add the functionally but am now doubting this is the correct place to do so.
  • And may still leave the helper to populate the env vars that are not available in the secret .
    i.e. the env vars in the secret have actual certs where as the env var that are used have paths to certs

MStokluska
MStokluska reviewed Jan 28, 2025
View reviewed changes
pkg/3scale/amp/component/system_searchd.go
MountPath: "/var/lib/searchd",
},
},
//Env: s.commonSearchdEnvVars(),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

is this required

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Think it was commented during some debugging . So I would say its required.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

having reviewed its not required.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@valerymo valerymo valerymo left review comments

@MStokluska MStokluska MStokluska left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@austincunningham @MStokluska @valerymo @openshift-merge-robot