add db and storage certs

bundle/manifests/cryostat-operator.clusterserviceversion.yaml

@@ -35,7 +35,7 @@ metadata:
  capabilities: Seamless Upgrades
  categories: Monitoring, Developer Tools
  containerImage: quay.io/cryostat/cryostat-operator:4.0.0-dev
- createdAt: "2024-07-30T18:48:36Z"
+ createdAt: "2024-07-30T20:58:48Z"
  description: JVM monitoring and profiling tool
  operatorframework.io/initialization-resource: |-
  {

internal/controllers/certmanager.go

@@ -90,7 +90,6 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
  return nil, err
  }
 
- /**
  // Create a certificate for the Cryostat database signed by the Cryostat CA
  databaseCert := resources.NewDatabaseCert(cr)
  err = r.createOrUpdateCertificate(ctx, databaseCert, cr.Object)
@@ -103,10 +102,12 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
  err = r.createOrUpdateCertificate(ctx, storageCert, cr.Object)
  if err != nil {
  return nil, err
- }**/
+ }
 
  tlsConfig := &resources.TLSConfig{
  CryostatSecret: cryostatCert.Spec.SecretName,
+ DatabaseSecret: databaseCert.Spec.SecretName,
+ StorageSecret: storageCert.Spec.SecretName,
  ReportsSecret: reportsCert.Spec.SecretName,
  KeystorePassSecret: cryostatCert.Spec.Keystores.PKCS12.PasswordSecretRef.Name,
  }

internal/controllers/common/resource_definitions/certificates.go

@@ -132,7 +132,6 @@ func NewReportsCert(cr *model.CryostatInstance) *certv1.Certificate {
  }
 }
 
-/**
 func NewDatabaseCert(cr *model.CryostatInstance) *certv1.Certificate {
  return &certv1.Certificate{
  ObjectMeta: metav1.ObjectMeta{
@@ -180,4 +179,3 @@ func NewStorageCert(cr *model.CryostatInstance) *certv1.Certificate {
  },
  }
 }
-**/

internal/controllers/common/resource_definitions/resource_definitions.go

@@ -62,9 +62,9 @@ type TLSConfig struct {
  // Name of the TLS secret for Reports Generator
  ReportsSecret string
  // Name of the TLS secret for Database
- // DatabaseSecret string
+ DatabaseSecret string
  // Name of the TLS secret for Storage
- // StorageSecret string
+ StorageSecret string
  // Name of the secret containing the password for the keystore in CryostatSecret
  KeystorePassSecret string
  // PEM-encoded X.509 certificate for the Cryostat CA
@@ -618,7 +618,7 @@ func NewPodForDatabase(cr *model.CryostatInstance, imageTags *ImageTags, tls *TL
  container := []corev1.Container{NewDatabaseContainer(cr, imageTags.DatabaseImageTag, tls)}
 
  volumes := newVolumeForDatabse(cr)
- /**
+
  if tls != nil {
  secretVolume := corev1.Volume{
  Name: "database-tls-secret",
@@ -629,7 +629,7 @@ func NewPodForDatabase(cr *model.CryostatInstance, imageTags *ImageTags, tls *TL
  },
  }
  volumes = append(volumes, secretVolume)
- }**/
+ }
 
  var podSc *corev1.PodSecurityContext
  if cr.Spec.SecurityOptions != nil && cr.Spec.SecurityOptions.PodSecurityContext != nil {
@@ -675,7 +675,7 @@ func NewPodForStorage(cr *model.CryostatInstance, imageTags *ImageTags, tls *TLS
  container := []corev1.Container{NewStorageContainer(cr, imageTags.StorageImageTag, tls)}
 
  volumes := newVolumeForStorage(cr)
- /**
+
  if tls != nil {
  secretVolume := corev1.Volume{
  Name: "storage-tls-secret",
@@ -686,7 +686,7 @@ func NewPodForStorage(cr *model.CryostatInstance, imageTags *ImageTags, tls *TLS
  },
  }
  volumes = append(volumes, secretVolume)
- }**/
+ }
 
  var podSc *corev1.PodSecurityContext
  if cr.Spec.SecurityOptions != nil && cr.Spec.SecurityOptions.PodSecurityContext != nil {
@@ -1223,7 +1223,7 @@ func NewCoreContainer(cr *model.CryostatInstance, specs *ServiceSpecs, imageTag
  },
  {
  Name: "QUARKUS_S3_ENDPOINT_OVERRIDE",
- Value: fmt.Sprintf("http://%s-storage.%s.svc.cluster.local:8333", cr.Name, cr.InstallNamespace),
+ Value: fmt.Sprintf("https://%s-storage.%s.svc.cluster.local:8333", cr.Name, cr.InstallNamespace),
  },
  {
  Name: "QUARKUS_S3_PATH_STYLE_ACCESS",
@@ -1600,8 +1600,9 @@ func NewStorageContainer(cr *model.CryostatInstance, imageTag string, tls *TLSCo
  })
 
  livenessProbeScheme := corev1.URISchemeHTTP
- /**
+
  if tls != nil {
+ /**
  tlsEnvs := []corev1.EnvVar{
  {
  Name: "S3_PORT_HTTPS",
@@ -1616,17 +1617,17 @@ func NewStorageContainer(cr *model.CryostatInstance, imageTag string, tls *TLSCo
  Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s/%s", tls.StorageSecret, corev1.TLSCertKey),
  },
  }
+ envs = append(envs, tlsEnvs...) **/
 
  tlsSecretMount := corev1.VolumeMount{
  Name: "storage-tls-secret",
  MountPath: "/var/run/secrets/operator.cryostat.io/" + tls.StorageSecret,
  ReadOnly: true,
  }
 
- envs = append(envs, tlsEnvs...)
  mounts = append(mounts, tlsSecretMount)
  livenessProbeScheme = corev1.URISchemeHTTPS
- } else {
+ } /** else {
  envs = append(envs, corev1.EnvVar{
  Name: "QUARKUS_HTTP_PORT",
  Value: strconv.Itoa(int(constants.StorageContainerPort)),
@@ -1747,8 +1748,8 @@ func NewDatabaseContainer(cr *model.CryostatInstance, imageTag string, tls *TLSC
  },
  }
 
- /**
  if tls != nil {
+ /**
  tlsEnvs := []corev1.EnvVar{
  {
  Name: "QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL",
@@ -1767,15 +1768,16 @@ func NewDatabaseContainer(cr *model.CryostatInstance, imageTag string, tls *TLSC
  Value: fmt.Sprintf("https://%s-database:5432", cr.Name),
  },
  }
+ envs = append(envs, tlsEnvs...) **/
+
  tlsSecretMount := corev1.VolumeMount{
  Name: "database-tls-secret",
  MountPath: "/var/run/secrets/operator.cryostat.io/" + tls.DatabaseSecret,
  ReadOnly: true,
  }
 
- envs = append(envs, tlsEnvs...)
  mounts = append(mounts, tlsSecretMount)
- } else {
+ } /** else {
  envs = append(envs, corev1.EnvVar{
  Name: "QUARKUS_DATASOURCE_REACTIVE_URL",
  Value: fmt.Sprintf("http://%s-database:5432", cr.Name),

internal/test/resources.go

@@ -1397,7 +1397,7 @@ func (r *TestResources) NewCoreEnvironmentVariables(reportsUrl string, ingress b
  },
  {
  Name: "QUARKUS_S3_ENDPOINT_OVERRIDE",
- Value: fmt.Sprintf("http://%s-storage.%s.svc.cluster.local:8333", r.Name, r.Namespace),
+ Value: fmt.Sprintf("https://%s-storage.%s.svc.cluster.local:8333", r.Name, r.Namespace),
  },
  {
  Name: "QUARKUS_S3_PATH_STYLE_ACCESS",
@@ -1960,15 +1960,15 @@ func (r *TestResources) NewStorageVolumeMounts() []corev1.VolumeMount {
  MountPath: "/data",
  SubPath: "seaweed",
  })
- /**
+
  if r.TLS {
  mounts = append(mounts,
  corev1.VolumeMount{
  Name: "storage-tls-secret",
  MountPath: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-storage-tls", r.Name),
  ReadOnly: true,
  })
- }**/
+ }
  return mounts
 }
 
@@ -1980,15 +1980,15 @@ func (r *TestResources) NewDatabaseVolumeMounts() []corev1.VolumeMount {
  MountPath: "/data",
  SubPath: "postgres",
  })
- /**
+
  if r.TLS {
  mounts = append(mounts,
  corev1.VolumeMount{
  Name: "database-tls-secret",
  MountPath: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls", r.Name),
  ReadOnly: true,
  })
- }**/
+ }
  return mounts
 }
 
@@ -2114,10 +2114,10 @@ func (r *TestResources) NewDatasourceLivenessProbe() *corev1.Probe {
 
 func (r *TestResources) NewStorageLivenessProbe() *corev1.Probe {
  protocol := corev1.URISchemeHTTP
- /**
+
  if r.TLS {
  protocol = corev1.URISchemeHTTPS
- }**/
+ }
  return &corev1.Probe{
  ProbeHandler: corev1.ProbeHandler{
  HTTPGet: &corev1.HTTPGetAction{
@@ -2483,7 +2483,6 @@ func (r *TestResources) NewDatabaseVolumes() []corev1.Volume {
  },
  }
 
- /**
  if r.TLS {
  volumes = append(volumes, corev1.Volume{
  Name: "database-tls-secret",
@@ -2493,7 +2492,7 @@ func (r *TestResources) NewDatabaseVolumes() []corev1.Volume {
  },
  },
  })
- } **/
+ }
  return volumes
 }
 
@@ -2510,7 +2509,6 @@ func (r *TestResources) NewStorageVolumes() []corev1.Volume {
  },
  }
 
- /**
  if r.TLS {
  volumes = append(volumes, corev1.Volume{
  Name: "storage-tls-secret",
@@ -2520,7 +2518,7 @@ func (r *TestResources) NewStorageVolumes() []corev1.Volume {
  },
  },
  })
- }**/
+ }
  return volumes
 }