From 3df1d312b955d99ac0d12c59b84c15f4130749ed Mon Sep 17 00:00:00 2001 From: Ming Wang Date: Wed, 31 Jul 2024 16:59:57 -0400 Subject: [PATCH] add db and storage certs --- ...yostat-operator.clusterserviceversion.yaml | 2 +- internal/controllers/certmanager.go | 5 ++-- .../resource_definitions/certificates.go | 2 -- .../resource_definitions.go | 28 ++++++++++--------- internal/test/resources.go | 20 ++++++------- 5 files changed, 28 insertions(+), 29 deletions(-) diff --git a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml index 237c1793..e37b0aca 100644 --- a/bundle/manifests/cryostat-operator.clusterserviceversion.yaml +++ b/bundle/manifests/cryostat-operator.clusterserviceversion.yaml @@ -35,7 +35,7 @@ metadata: capabilities: Seamless Upgrades categories: Monitoring, Developer Tools containerImage: quay.io/cryostat/cryostat-operator:4.0.0-dev - createdAt: "2024-07-30T18:48:36Z" + createdAt: "2024-07-30T20:58:48Z" description: JVM monitoring and profiling tool operatorframework.io/initialization-resource: |- { diff --git a/internal/controllers/certmanager.go b/internal/controllers/certmanager.go index 6f2446c5..eff68fd4 100644 --- a/internal/controllers/certmanager.go +++ b/internal/controllers/certmanager.go @@ -90,7 +90,6 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) ( return nil, err } - /** // Create a certificate for the Cryostat database signed by the Cryostat CA databaseCert := resources.NewDatabaseCert(cr) err = r.createOrUpdateCertificate(ctx, databaseCert, cr.Object) 
@@ -103,10 +102,12 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) ( err = r.createOrUpdateCertificate(ctx, storageCert, cr.Object) if err != nil { return nil, err - }**/ + } tlsConfig := &resources.TLSConfig{ CryostatSecret: cryostatCert.Spec.SecretName, + DatabaseSecret: databaseCert.Spec.SecretName, + StorageSecret: storageCert.Spec.SecretName, ReportsSecret: reportsCert.Spec.SecretName, KeystorePassSecret: cryostatCert.Spec.Keystores.PKCS12.PasswordSecretRef.Name, } diff --git a/internal/controllers/common/resource_definitions/certificates.go b/internal/controllers/common/resource_definitions/certificates.go index 31a745fc..5213eeea 100644 --- a/internal/controllers/common/resource_definitions/certificates.go +++ b/internal/controllers/common/resource_definitions/certificates.go @@ -132,7 +132,6 @@ func NewReportsCert(cr *model.CryostatInstance) *certv1.Certificate { } } -/** func NewDatabaseCert(cr *model.CryostatInstance) *certv1.Certificate { return &certv1.Certificate{ ObjectMeta: metav1.ObjectMeta{ @@ -180,4 +179,3 @@ func NewStorageCert(cr *model.CryostatInstance) *certv1.Certificate { }, } } -**/ diff --git a/internal/controllers/common/resource_definitions/resource_definitions.go b/internal/controllers/common/resource_definitions/resource_definitions.go index 67f61e72..92fc5c0b 100644 --- a/internal/controllers/common/resource_definitions/resource_definitions.go +++ b/internal/controllers/common/resource_definitions/resource_definitions.go @@ -62,9 +62,9 @@ type TLSConfig struct { // Name of the TLS secret for Reports Generator ReportsSecret string // Name of the TLS secret for Database - // DatabaseSecret string + DatabaseSecret string // Name of the TLS secret for Storage - // StorageSecret string + StorageSecret string // Name of the secret containing the password for the keystore in CryostatSecret KeystorePassSecret string // PEM-encoded X.509 certificate for the Cryostat CA 
@@ -618,7 +618,7 @@ func NewPodForDatabase(cr *model.CryostatInstance, imageTags *ImageTags, tls *TL container := []corev1.Container{NewDatabaseContainer(cr, imageTags.DatabaseImageTag, tls)} volumes := newVolumeForDatabse(cr) - /** + if tls != nil { secretVolume := corev1.Volume{ Name: "database-tls-secret", @@ -629,7 +629,7 @@ func NewPodForDatabase(cr *model.CryostatInstance, imageTags *ImageTags, tls *TL }, } volumes = append(volumes, secretVolume) - }**/ + } var podSc *corev1.PodSecurityContext if cr.Spec.SecurityOptions != nil && cr.Spec.SecurityOptions.PodSecurityContext != nil { @@ -675,7 +675,7 @@ func NewPodForStorage(cr *model.CryostatInstance, imageTags *ImageTags, tls *TLS container := []corev1.Container{NewStorageContainer(cr, imageTags.StorageImageTag, tls)} volumes := newVolumeForStorage(cr) - /** + if tls != nil { secretVolume := corev1.Volume{ Name: "storage-tls-secret", @@ -686,7 +686,7 @@ func NewPodForStorage(cr *model.CryostatInstance, imageTags *ImageTags, tls *TLS }, } volumes = append(volumes, secretVolume) - }**/ + } var podSc *corev1.PodSecurityContext if cr.Spec.SecurityOptions != nil && cr.Spec.SecurityOptions.PodSecurityContext != nil { @@ -1223,7 +1223,7 @@ func NewCoreContainer(cr *model.CryostatInstance, specs *ServiceSpecs, imageTag }, { Name: "QUARKUS_S3_ENDPOINT_OVERRIDE", - Value: fmt.Sprintf("http://%s-storage.%s.svc.cluster.local:8333", cr.Name, cr.InstallNamespace), + Value: fmt.Sprintf("https://%s-storage.%s.svc.cluster.local:8333", cr.Name, cr.InstallNamespace), }, { Name: "QUARKUS_S3_PATH_STYLE_ACCESS", @@ -1600,8 +1600,9 @@ func NewStorageContainer(cr *model.CryostatInstance, imageTag string, tls *TLSCo }) livenessProbeScheme := corev1.URISchemeHTTP - /** + if tls != nil { + /** tlsEnvs := []corev1.EnvVar{ { Name: "S3_PORT_HTTPS", 
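Review bot: In the `QUARKUS_S3_ENDPOINT_OVERRIDE` entry of NewCoreContainer the scheme is switched to `https://` unconditionally, while the storage container built in the same file only turns on TLS inside `if tls != nil` (NewStorageContainer, @@ -1600), so in a deployment where `tls` is nil the core container will attempt a TLS handshake against a plain-HTTP storage listener and every S3 call fails. Derive the scheme from the config instead, e.g. `scheme := "http"` / `if tls != nil { scheme = "https" }` and `Value: fmt.Sprintf("%s://%s-storage.%s.svc.cluster.local:8333", scheme, cr.Name, cr.InstallNamespace),` — this assumes NewCoreContainer receives the `*TLSConfig` like NewStorageContainer does; its signature is truncated in the hunk header, so please confirm. The mirrored expectation at @@ -1397 in internal/test/resources.go hard-codes `https://` as well and would not catch the mismatch.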
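Review bot: The `+ /**` placed directly after `if tls != nil {` comments out `tlsEnvs` (S3_PORT_HTTPS and the certificate/key paths) and, in the @@ -1616 hunk, the `envs = append(envs, tlsEnvs...)` that is moved inside the same comment, so with TLS enabled the storage container receives the secret mount and an HTTPS liveness probe but no setting telling it to serve TLS; unless the image enables TLS by itself when those files are present (not visible here), the probe will fail against an HTTP listener. The `} /** else {` at @@ -1623 additionally disables the `QUARKUS_HTTP_PORT` fallback for the non-TLS case and opens a block comment that must be closed by a `**/` beyond the hunk. NewDatabaseContainer at @@ -1747 and @@ -1767 has the same shape. If the env vars must stay off for now, a one-line `// TODO: TLS env vars disabled until <reason>; probe scheme is HTTPS regardless` next to the `/**` would make the intent reviewable, and committing commented-out code rather than removing it or gating it is worth avoiding in any case; otherwise un-comment the `tlsEnvs` block together with the append. NewStorageContainer starts and ends outside the hunk.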
@@ -1616,6 +1617,7 @@ func NewStorageContainer(cr *model.CryostatInstance, imageTag string, tls *TLSCo Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s/%s", tls.StorageSecret, corev1.TLSCertKey), }, } + envs = append(envs, tlsEnvs...) **/ tlsSecretMount := corev1.VolumeMount{ Name: "storage-tls-secret", @@ -1623,10 +1625,9 @@ func NewStorageContainer(cr *model.CryostatInstance, imageTag string, tls *TLSCo ReadOnly: true, } - envs = append(envs, tlsEnvs...) mounts = append(mounts, tlsSecretMount) livenessProbeScheme = corev1.URISchemeHTTPS - } else { + } /** else { envs = append(envs, corev1.EnvVar{ Name: "QUARKUS_HTTP_PORT", Value: strconv.Itoa(int(constants.StorageContainerPort)), @@ -1747,8 +1748,8 @@ func NewDatabaseContainer(cr *model.CryostatInstance, imageTag string, tls *TLSC }, } - /** if tls != nil { + /** tlsEnvs := []corev1.EnvVar{ { Name: "QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL", @@ -1767,15 +1768,16 @@ func NewDatabaseContainer(cr *model.CryostatInstance, imageTag string, tls *TLSC Value: fmt.Sprintf("https://%s-database:5432", cr.Name), }, } + envs = append(envs, tlsEnvs...) **/ + tlsSecretMount := corev1.VolumeMount{ Name: "database-tls-secret", MountPath: "/var/run/secrets/operator.cryostat.io/" + tls.DatabaseSecret, ReadOnly: true, } - envs = append(envs, tlsEnvs...) mounts = append(mounts, tlsSecretMount) - } else { + } /** else { envs = append(envs, corev1.EnvVar{ Name: "QUARKUS_DATASOURCE_REACTIVE_URL", Value: fmt.Sprintf("http://%s-database:5432", cr.Name), diff --git a/internal/test/resources.go b/internal/test/resources.go index f051364c..48178227 100644 --- a/internal/test/resources.go +++ b/internal/test/resources.go 
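Review bot: The block-commented code retained in NewDatabaseContainer's `if tls != nil` branch (@@ -1747 and @@ -1767) sets `QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL`, which, if restored as written, makes the client accept any server certificate and defeats the purpose of signing the database certificate with the Cryostat CA; when this is re-enabled, point the client at the PEM-encoded CA certificate that TLSConfig already carries (last context line of @@ -62) and leave the trust-all setting out. It is also not obvious that `QUARKUS_DATASOURCE_*` settings belong on the database container rather than on the core container that connects to it — worth confirming before they come back. The `} /** else {` on the last lines of @@ -1767 removes the plain `http://` `QUARKUS_DATASOURCE_REACTIVE_URL` fallback for the non-TLS case and presumably relies on a `**/` outside the hunk; NewDatabaseContainer continues past the visible lines.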
@@ -1397,7 +1397,7 @@ func (r *TestResources) NewCoreEnvironmentVariables(reportsUrl string, ingress b }, { Name: "QUARKUS_S3_ENDPOINT_OVERRIDE", - Value: fmt.Sprintf("http://%s-storage.%s.svc.cluster.local:8333", r.Name, r.Namespace), + Value: fmt.Sprintf("https://%s-storage.%s.svc.cluster.local:8333", r.Name, r.Namespace), }, { Name: "QUARKUS_S3_PATH_STYLE_ACCESS", @@ -1960,7 +1960,7 @@ func (r *TestResources) NewStorageVolumeMounts() []corev1.VolumeMount { MountPath: "/data", SubPath: "seaweed", }) - /** + if r.TLS { mounts = append(mounts, corev1.VolumeMount{ @@ -1968,7 +1968,7 @@ func (r *TestResources) NewStorageVolumeMounts() []corev1.VolumeMount { MountPath: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-storage-tls", r.Name), ReadOnly: true, }) - }**/ + } return mounts } @@ -1980,7 +1980,7 @@ func (r *TestResources) NewDatabaseVolumeMounts() []corev1.VolumeMount { MountPath: "/data", SubPath: "postgres", }) - /** + if r.TLS { mounts = append(mounts, corev1.VolumeMount{ @@ -1988,7 +1988,7 @@ func (r *TestResources) NewDatabaseVolumeMounts() []corev1.VolumeMount { MountPath: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls", r.Name), ReadOnly: true, }) - }**/ + } return mounts } @@ -2114,10 +2114,10 @@ func (r *TestResources) NewDatasourceLivenessProbe() *corev1.Probe { func (r *TestResources) NewStorageLivenessProbe() *corev1.Probe { protocol := corev1.URISchemeHTTP - /** + if r.TLS { protocol = corev1.URISchemeHTTPS - }**/ + } return &corev1.Probe{ ProbeHandler: corev1.ProbeHandler{ HTTPGet: &corev1.HTTPGetAction{ @@ -2483,7 +2483,6 @@ func (r *TestResources) NewDatabaseVolumes() []corev1.Volume { }, } - /** if r.TLS { volumes = append(volumes, corev1.Volume{ Name: "database-tls-secret", @@ -2493,7 +2492,7 @@ func (r *TestResources) NewDatabaseVolumes() []corev1.Volume { }, }, }) - } **/ + } return volumes } 
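Review bot: The expected `QUARKUS_S3_ENDPOINT_OVERRIDE` value is changed to `https://` without regard to `r.TLS`, so this fixture cannot tell a TLS-enabled run from a plain one and would not catch NewCoreContainer emitting an HTTPS URL when TLS is off. The other helpers touched in this file (`NewStorageLivenessProbe` at @@ -2114, the volume and mount helpers) already branch on `r.TLS`; doing the same here, e.g. `scheme := "http"` / `if r.TLS { scheme = "https" }` and formatting the URL with `scheme`, keeps the expectation aligned with the TLS toggle. NewCoreEnvironmentVariables starts outside the hunk, so where `r.TLS` is available to it is inferred from the other methods rather than shown.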
@@ -2510,7 +2509,6 @@ func (r *TestResources) NewStorageVolumes() []corev1.Volume { }, } - /** if r.TLS { volumes = append(volumes, corev1.Volume{ Name: "storage-tls-secret", @@ -2520,7 +2518,7 @@ func (r *TestResources) NewStorageVolumes() []corev1.Volume { }, }, }) - }**/ + } return volumes }