Support TLS
supl committed Mar 5, 2024
1 parent 05149df commit 48fe14f
Showing 4 changed files with 99 additions and 7 deletions.
2 changes: 1 addition & 1 deletion build.gradle
Expand Up @@ -11,7 +11,7 @@ subprojects {
project.version = project.findProperty('projVersion') ?: '2.0.0-SNAPSHOT'

ext {
scalarAdminVersion = '2.1.2'
scalarAdminVersion = '2.2.0'
guavaVersion = '31.1-jre'
kubernetesClientVersion = '17.0.2'
slf4jVersion = '1.7.36'
56 changes: 55 additions & 1 deletion cli/src/main/java/com/scalar/admin/kubernetes/Cli.java
Expand Up @@ -2,6 +2,11 @@

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.File;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.time.ZoneId;
import java.util.concurrent.Callable;
import javax.annotation.Nullable;
Expand Down Expand Up @@ -59,6 +64,33 @@ class Cli implements Callable<Integer> {
defaultValue = "Etc/UTC")
private ZoneId zoneId;

@Option(
names = {"--tls"},
description = "Whether wire encryption (TLS) between scalar-admin and the target is enabled.")
private boolean tlsEnabled;

@Option(
names = {"--ca-root-cert-path"},
description =
"A path to a root certificate file for verifying the server's certificate when wire"
+ " encryption is enabled.")
private String caRootCertPath;

@Option(
names = {"--ca-root-cert-pem"},
description =
"A PEM format string of a root certificate for verifying the server's certificate when"
+ " wire encryption is enabled. This option is prioritized when --ca-root-cert-path"
+ " is specified.")
private String caRootCertPem;

@Option(
names = {"--override-authority"},
description =
"The value to be used as the expected authority in the server's certificate when wire"
+ " encryption is enabled.")
private String overrideAuthority;

@Option(
names = {"-h", "--help"},
usageHelp = true,
Expand All @@ -76,7 +108,11 @@ public Integer call() {
Result result = null;

try {
Pauser pauser = new Pauser(namespace, helmReleaseName);
Pauser pauser =
tlsEnabled
? new TlsPauser(namespace, helmReleaseName, getCaRootCert(), overrideAuthority)
: new Pauser(namespace, helmReleaseName);

PausedDuration duration = pauser.pause(pauseDuration, maxPauseWaitTime);

result = new Result(namespace, helmReleaseName, duration, zoneId);
Expand All @@ -98,4 +134,22 @@ public Integer call() {

return 0;
}

private String getCaRootCert() {
String caRootCert = null;

if (caRootCertPem != null) {
caRootCert = caRootCertPem.replace("\\n", System.lineSeparator());
} else if (caRootCertPath != null) {
try {
caRootCert =
new String(
Files.readAllBytes(new File(caRootCertPath).toPath()), StandardCharsets.UTF_8);
} catch (IOException e) {
throw new UncheckedIOException("Couldn't read the file: " + caRootCertPath, e);
}
}

return caRootCert;
}
}
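Review bot: `--ca-root-cert-path`, `--ca-root-cert-pem` and `--override-authority` are silently ignored when `--tls` is not given, because the ternary in `call()` consults only `tlsEnabled` and `getCaRootCert()` is reached only on the TLS branch, so an operator who supplies a CA certificate but forgets `--tls` gets a plaintext `Pauser` with no warning. A guard before the pauser is built would surface that: `if (!tlsEnabled && (caRootCertPath != null || caRootCertPem != null || overrideAuthority != null)) { throw new IllegalArgumentException("--ca-root-cert-path, --ca-root-cert-pem and --override-authority require --tls"); }` — whether it belongs inside the existing try depends on the catch clauses, which lie outside the hunk. Conversely, with `--tls` and neither certificate option set, `getCaRootCert()` returns null and what `TlsRequestCoordinator` then trusts is not visible here; a Javadoc on `getCaRootCert()` saying that a null return means no root certificate was supplied, and what the coordinator does in that case, would spare the reader a trip into the library. If the project targets Java 11 or later, the read can be `caRootCert = Files.readString(Path.of(caRootCertPath));` (UTF-8 by default), dropping the `File` and `StandardCharsets` imports. `call()` begins outside the hunk.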
13 changes: 8 additions & 5 deletions lib/src/main/java/com/scalar/admin/kubernetes/Pauser.java
Expand Up @@ -84,11 +84,7 @@ public PausedDuration pause(int pauseDuration, @Nullable Long maxPauseWaitTime)
throw new PauserException("Failed to find the target pods to pause.", e);
}

RequestCoordinator coordinator =
new RequestCoordinator(
target.getPods().stream()
.map(p -> new InetSocketAddress(p.getStatus().getPodIP(), target.getAdminPort()))
.collect(Collectors.toList()));
RequestCoordinator coordinator = getRequestCoordinator(target);

coordinator.pause(true, maxPauseWaitTime);

Expand Down Expand Up @@ -137,4 +133,11 @@ private void unpauseWithRetry(
}
}
}

RequestCoordinator getRequestCoordinator(TargetSnapshot target) {
return new RequestCoordinator(
target.getPods().stream()
.map(p -> new InetSocketAddress(p.getStatus().getPodIP(), target.getAdminPort()))
.collect(Collectors.toList()));
}
}
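Review bot: `getRequestCoordinator(TargetSnapshot)` is now a package-private extension point that `pause()` calls, but nothing at the declaration says it exists to be overridden or what an override must provide, which is exactly what the next maintainer needs before tightening it back to `private`. A Javadoc such as `/** Builds the coordinator that talks to the admin port of every pod in {@code target}; package-private so a subclass (see {@code TlsPauser}) can substitute a TLS-capable coordinator. */` would pin that down. The `.collect(Collectors.toList())` could become `.toList()` if the project targets Java 16 or later, which this page does not show. The `pause()` method touched by the first hunk begins and ends outside it.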
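--- /dev/null
+++ b/lib/src/main/java/com/scalar/admin/kubernetes/TlsPauser.java
@@ -0,0 +1,35 @@
+package com.scalar.admin.kubernetes;
+
+import com.scalar.admin.RequestCoordinator;
+import com.scalar.admin.TlsRequestCoordinator;
+import java.net.InetSocketAddress;
+import java.util.stream.Collectors;
+import javax.annotation.Nullable;
+
+public class TlsPauser extends Pauser {
+
+  private final String caRootCert;
+  private final String overrideAuthority;
+
+  public TlsPauser(
+      String namespace,
+      String helmReleaseName,
+      @Nullable String caRootCert,
+      @Nullable String overrideAuthority)
+      throws PauserException {
+    super(namespace, helmReleaseName);
+
+    this.caRootCert = caRootCert;
+    this.overrideAuthority = overrideAuthority;
+  }
+
+  @Override
+  RequestCoordinator getRequestCoordinator(TargetSnapshot target) {
+    return new TlsRequestCoordinator(
+        target.getPods().stream()
+            .map(p -> new InetSocketAddress(p.getStatus().getPodIP(), target.getAdminPort()))
+            .collect(Collectors.toList()),
+        caRootCert,
+        overrideAuthority);
+  }
+}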
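Review bot: `TlsPauser` has no class or constructor Javadoc, so the meaning of a null `caRootCert` (platform trust store, or something weaker?) and of `overrideAuthority` is left for the caller to discover in `TlsRequestCoordinator`, which is not on this page. I would add a class comment along the lines of `/** A {@link Pauser} whose admin requests use TLS. {@code caRootCert} is the PEM text of the root certificate used to verify the server; {@code overrideAuthority} is the name expected in the server certificate when it differs from the pod IP the request is sent to. */`, after confirming against `TlsRequestCoordinator` what null means for each, since only the `@Nullable` annotations are visible. The constructor Javadoc should also say that `overrideAuthority` names the identity the certificate was issued for, not a way to accept a certificate issued for some other name. The stream that maps pods to `InetSocketAddress` duplicates `Pauser.getRequestCoordinator` verbatim; a package-private `List<InetSocketAddress> podAddresses(TargetSnapshot)` helper in `Pauser` would let this override become `return new TlsRequestCoordinator(podAddresses(target), caRootCert, overrideAuthority);`.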
