tmp without tls
mwangggg committed Jul 30, 2024
1 parent 3280fec commit fd015ed
Showing 7 changed files with 66 additions and 60 deletions.
Expand Up @@ -35,7 +35,7 @@ metadata:
capabilities: Seamless Upgrades
categories: Monitoring, Developer Tools
containerImage: quay.io/cryostat/cryostat-operator:4.0.0-dev
createdAt: "2024-07-29T20:48:29Z"
createdAt: "2024-07-30T14:31:04Z"
description: JVM monitoring and profiling tool
operatorframework.io/initialization-resource: |-
{
8 changes: 4 additions & 4 deletions internal/controllers/certmanager.go
Expand Up @@ -90,6 +90,7 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
return nil, err
}

/**
// Create a certificate for the Cryostat database signed by the Cryostat CA
databaseCert := resources.NewDatabaseCert(cr)
err = r.createOrUpdateCertificate(ctx, databaseCert, cr.Object)
Expand All @@ -102,15 +103,14 @@ func (r *Reconciler) setupTLS(ctx context.Context, cr *model.CryostatInstance) (
err = r.createOrUpdateCertificate(ctx, storageCert, cr.Object)
if err != nil {
return nil, err
}
}**/

tlsConfig := &resources.TLSConfig{
CryostatSecret: cryostatCert.Spec.SecretName,
ReportsSecret: reportsCert.Spec.SecretName,
DatabaseSecret: databaseCert.Spec.SecretName,
StorageSecret: storageCert.Spec.SecretName,
KeystorePassSecret: cryostatCert.Spec.Keystores.PKCS12.PasswordSecretRef.Name,
}
certificates := []*certv1.Certificate{caCert, cryostatCert, reportsCert, databaseCert, storageCert}
certificates := []*certv1.Certificate{caCert, cryostatCert, reportsCert}

// Update owner references of TLS secrets created by cert-manager to ensure proper cleanup
err = r.setCertSecretOwner(ctx, cr.Object, certificates...)
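Review bot: The `tlsConfig` literal at lines 42-48 still reads `databaseCert.Spec.SecretName` and `storageCert.Spec.SecretName`, yet both variables are now inside the `/** … **/` block this hunk adds and the `DatabaseSecret`/`StorageSecret` fields are commented out in resource_definitions.go; unless those two assignment lines are also removed (the rendered diff does not make their side certain), setupTLS no longer compiles. Beyond that, the database and storage certificates are disabled by wrapping live code in a block comment rather than removing it or gating it, and the same pattern is used for NewDatabaseCert/NewStorageCert and in the NewPodForDatabase, NewPodForStorage, NewStorageContainer and NewDatabaseContainer hunks of resource_definitions.go. Because the commit title marks this as temporary, a marker such as `// TODO(tls): database and storage TLS disabled temporarily; restore before release` above the block, or better a boolean guard read from configuration so the plaintext path is an explicit, testable branch, keeps the reduced-security state visible and greppable instead of letting commented code rot silently. setupTLS starts and ends outside this hunk.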
Expand Up @@ -132,6 +132,7 @@ func NewReportsCert(cr *model.CryostatInstance) *certv1.Certificate {
}
}

/**
func NewDatabaseCert(cr *model.CryostatInstance) *certv1.Certificate {
return &certv1.Certificate{
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -179,3 +180,4 @@ func NewStorageCert(cr *model.CryostatInstance) *certv1.Certificate {
},
}
}
**/
Expand Up @@ -62,9 +62,9 @@ type TLSConfig struct {
// Name of the TLS secret for Reports Generator
ReportsSecret string
// Name of the TLS secret for Database
DatabaseSecret string
// DatabaseSecret string
// Name of the TLS secret for Storage
StorageSecret string
// StorageSecret string
// Name of the secret containing the password for the keystore in CryostatSecret
KeystorePassSecret string
// PEM-encoded X.509 certificate for the Cryostat CA
Expand Down Expand Up @@ -618,6 +618,7 @@ func NewPodForDatabase(cr *model.CryostatInstance, imageTags *ImageTags, tls *TL
container := []corev1.Container{NewDatabaseContainer(cr, imageTags.DatabaseImageTag, tls)}

volumes := newVolumeForDatabse(cr)
/**
if tls != nil {
secretVolume := corev1.Volume{
Name: "database-tls-secret",
Expand All @@ -628,7 +629,7 @@ func NewPodForDatabase(cr *model.CryostatInstance, imageTags *ImageTags, tls *TL
},
}
volumes = append(volumes, secretVolume)
}
}**/

var podSc *corev1.PodSecurityContext
if cr.Spec.SecurityOptions != nil && cr.Spec.SecurityOptions.PodSecurityContext != nil {
Expand Down Expand Up @@ -674,6 +675,7 @@ func NewPodForStorage(cr *model.CryostatInstance, imageTags *ImageTags, tls *TLS
container := []corev1.Container{NewStorageContainer(cr, imageTags.StorageImageTag, tls)}

volumes := newVolumeForStorage(cr)
/**
if tls != nil {
secretVolume := corev1.Volume{
Name: "storage-tls-secret",
Expand All @@ -684,7 +686,7 @@ func NewPodForStorage(cr *model.CryostatInstance, imageTags *ImageTags, tls *TLS
},
}
volumes = append(volumes, secretVolume)
}
}**/

var podSc *corev1.PodSecurityContext
if cr.Spec.SecurityOptions != nil && cr.Spec.SecurityOptions.PodSecurityContext != nil {
Expand Down Expand Up @@ -1213,15 +1215,15 @@ func NewCoreContainer(cr *model.CryostatInstance, specs *ServiceSpecs, imageTag
},
{
Name: "QUARKUS_DATASOURCE_JDBC_URL",
Value: "jdbc:postgresql://localhost:5432/cryostat",
Value: fmt.Sprintf("jdbc:postgresql://%s-database:5432/cryostat", cr.Name),
},
{
Name: "STORAGE_BUCKETS_ARCHIVE_NAME",
Value: "archivedrecordings",
},
{
Name: "QUARKUS_S3_ENDPOINT_OVERRIDE",
Value: "http://localhost:8333",
Value: fmt.Sprintf("http://%s-storage:8333", cr.Name),
},
{
Name: "QUARKUS_S3_PATH_STYLE_ACCESS",
Expand Down Expand Up @@ -1607,24 +1609,21 @@ func NewStorageContainer(cr *model.CryostatInstance, imageTag string, tls *TLSCo
})

livenessProbeScheme := corev1.URISchemeHTTP
/**
if tls != nil {
tlsEnvs := []corev1.EnvVar{
{
Name: "QUARKUS_HTTP_SSL_PORT",
Name: "S3_PORT_HTTPS",
Value: strconv.Itoa(int(constants.StorageContainerPort)),
},
{
Name: "QUARKUS_HTTP_SSL_CERTIFICATE_KEY_FILES",
Name: "S3_KEY_FILE",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s/%s", tls.StorageSecret, corev1.TLSPrivateKeyKey),
},
{
Name: "QUARKUS_HTTP_SSL_CERTIFICATE_FILES",
Name: "S3_CERT_FILE",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s/%s", tls.StorageSecret, corev1.TLSCertKey),
},
{
Name: "QUARKUS_HTTP_INSECURE_REQUESTS",
Value: "disabled",
},
}
tlsSecretMount := corev1.VolumeMount{
Expand All @@ -1641,7 +1640,7 @@ func NewStorageContainer(cr *model.CryostatInstance, imageTag string, tls *TLSCo
Name: "QUARKUS_HTTP_PORT",
Value: strconv.Itoa(int(constants.StorageContainerPort)),
})
}
}**/

if cr.Spec.SecurityOptions != nil && cr.Spec.SecurityOptions.StorageSecurityContext != nil {
containerSc = cr.Spec.SecurityOptions.StorageSecurityContext
Expand Down Expand Up @@ -1757,26 +1756,26 @@ func NewDatabaseContainer(cr *model.CryostatInstance, imageTag string, tls *TLSC
},
}

/**
if tls != nil {
tlsEnvs := []corev1.EnvVar{
{
Name: "QUARKUS_HTTP_SSL_PORT",
Value: strconv.Itoa(int(constants.DatabaseContainerPort)),
Name: "QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL",
Value: "true",
},
{
Name: "QUARKUS_HTTP_SSL_CERTIFICATE_KEY_FILES",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s/%s", tls.DatabaseSecret, corev1.TLSPrivateKeyKey),
Name: "QUARKUS_DATASOURCE_REACTIVE_KEY_CERTIFICATE_PEM_KEYS",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls/tls.key", cr.Name),
},
{
Name: "QUARKUS_HTTP_SSL_CERTIFICATE_FILES",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s/%s", tls.DatabaseSecret, corev1.TLSCertKey),
Name: "QUARKUS_DATASOURCE_REACTIVE_KEY_CERTIFICATE_PEM_CERTS",
Value: fmt.Sprintf("/var/run/secrets/operator.cryostat.io/%s-database-tls/tls.crt", cr.Name),
},
{
Name: "QUARKUS_HTTP_INSECURE_REQUESTS",
Value: "disabled",
Name: "QUARKUS_DATASOURCE_REACTIVE_URL",
Value: fmt.Sprintf("https://%s-database:5432", cr.Name),
},
}

tlsSecretMount := corev1.VolumeMount{
Name: "database-tls-secret",
MountPath: "/var/run/secrets/operator.cryostat.io/" + tls.DatabaseSecret,
Expand All @@ -1787,10 +1786,10 @@ func NewDatabaseContainer(cr *model.CryostatInstance, imageTag string, tls *TLSC
mounts = append(mounts, tlsSecretMount)
} else {
envs = append(envs, corev1.EnvVar{
Name: "QUARKUS_HTTP_PORT",
Value: strconv.Itoa(int(constants.DatabaseContainerPort)),
Name: "QUARKUS_DATASOURCE_REACTIVE_URL",
Value: fmt.Sprintf("http://%s-database:5432", cr.Name),
})
}
}**/

return corev1.Container{
Name: cr.Name + "-db",
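Review bot: In the NewCoreContainer hunk the JDBC URL and S3 endpoint move from `localhost` to `%s-database`/`%s-storage`, so database and object-storage traffic now crosses the pod network as plain `jdbc:postgresql://` and `http://` while the TLS wiring for those two services is commented out; a comment next to these two values noting that the link is unencrypted until the database/storage TLS blocks are restored, and a check that the corresponding Services are not reachable beyond the namespace, would make the trade-off explicit. The `tls *TLSConfig` parameter of NewPodForDatabase, NewPodForStorage, NewStorageContainer and NewDatabaseContainer is now unused in each body, which a reader will take as "TLS handled" unless the signature or a comment says otherwise. Inside the commented-out NewDatabaseContainer block, the newly written `QUARKUS_DATASOURCE_REACTIVE_TRUST_ALL` with `Value: "true"` disables server certificate verification; if that block is re-enabled it should trust the operator CA already carried by `TLSConfig` (the PEM-encoded CA field declared just below `KeystorePassSecret`) rather than trust everything. All of these functions start and end outside their hunks.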
2 changes: 1 addition & 1 deletion internal/controllers/reconciler_test.go
Expand Up @@ -2289,7 +2289,7 @@ func (t *cryostatTestInput) expectWaitingForCertificate() {

func (t *cryostatTestInput) expectCertificates() {
// Check certificates
certs := []*certv1.Certificate{t.NewCryostatCert(), t.NewCACert(), t.NewReportsCert(), t.NewDatabaseCert(), t.NewStorageCert()}
certs := []*certv1.Certificate{t.NewCryostatCert(), t.NewCACert(), t.NewReportsCert()}
for _, expected := range certs {
actual := &certv1.Certificate{}
err := t.Client.Get(context.Background(), types.NamespacedName{Name: expected.Name, Namespace: expected.Namespace}, actual)
2 changes: 1 addition & 1 deletion internal/test/clients.go
Expand Up @@ -70,7 +70,7 @@ func (c *testClient) makeCertificatesReady(ctx context.Context, obj runtime.Obje
// If this object is one of the operator-managed certificates, mock the behaviour
// of cert-manager processing those certificates
cert, ok := obj.(*certv1.Certificate)
if ok && c.matchesName(cert, c.NewCryostatCert(), c.NewCACert(), c.NewReportsCert(), c.NewDatabaseCert(), c.NewStorageCert()) &&
if ok && c.matchesName(cert, c.NewCryostatCert(), c.NewCACert(), c.NewReportsCert()) &&
len(cert.Status.Conditions) == 0 {
// Create certificate secret
c.createCertSecret(ctx, cert)