Add tls verification configuration

Apicurio · Jan 30, 2025 · 893dcc8 · 893dcc8
1 parent 88918f3
commit 893dcc8
Show file tree

Hide file tree

Showing 14 changed files with 278 additions and 3,341 deletions.
diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/EnvironmentVariables.java b/operator/controller/src/main/java/io/apicurio/registry/operator/EnvironmentVariables.java
@@ -31,11 +31,9 @@ public class EnvironmentVariables {
     public static final String APICURIO_UI_AUTH_OIDC_LOGOUT_URL = "APICURIO_UI_AUTH_OIDC_LOGOUT_URL";
     public static final String APICURIO_REGISTRY_AUTH_SERVER_URL = "QUARKUS_OIDC_AUTH_SERVER_URL";
     public static final String OIDC_TLS_VERIFICATION = "QUARKUS_OIDC_TLS_VERIFICATION";
-    public static final String OIDC_TLS_KEYSTORE_TYPE = "QUARKUS_OIDC_TLS_KEY_STORE_FILE_TYPE";
-    public static final String OIDC_TLS_KEYSTORE_LOCATION = "QUARKUS_OIDC_TLS_KEY_STORE_LOCATION";
+    public static final String OIDC_TLS_KEYSTORE_LOCATION = "QUARKUS_OIDC_TLS_KEY_STORE_FILE";
     public static final String OIDC_TLS_KEYSTORE_PASSWORD = "QUARKUS_OIDC_TLS_KEY_STORE_PASSWORD";
-    public static final String OIDC_TLS_TRUSTSTORE_TYPE = "QUARKUS_OIDC_TLS_TRUST_STORE_FILE_TYPE";
-    public static final String OIDC_TLS_TRUSTSTORE_LOCATION = "QUARKUS_OIDC_TLS_TRUST_STORE_NAME";
-    public static final String OIDC_TLS_TRUSTSTORE_PASSWORD = "QUARKUS_OIDC_TLS_TRUST_STORE_PASWORD";
+    public static final String OIDC_TLS_TRUSTSTORE_LOCATION = "QUARKUS_OIDC_TLS_TRUST_STORE_FILE";
+    public static final String OIDC_TLS_TRUSTSTORE_PASSWORD = "QUARKUS_OIDC_TLS_TRUST_STORE_PASSWORD";
 
 }
diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/Auth.java b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/Auth.java
@@ -2,14 +2,15 @@
 
 import io.apicurio.registry.operator.EnvironmentVariables;
 import io.apicurio.registry.operator.api.v1.spec.auth.AppAuthSpec;
-import io.apicurio.registry.operator.utils.Utils;
 import io.fabric8.kubernetes.api.model.EnvVar;
-import io.fabric8.kubernetes.api.model.EnvVarBuilder;
 import io.fabric8.kubernetes.api.model.apps.Deployment;
 
 import java.util.Map;
 import java.util.Optional;
 
+import static io.apicurio.registry.operator.utils.Utils.createEnvVar;
+import static io.apicurio.registry.operator.utils.Utils.putIfNotBlank;
+
 /**
  * Helper class used to handle AUTH related configuration.
  */
@@ -40,32 +41,7 @@ public static void configureAuth(AppAuthSpec appAuthSpec, Deployment deployment,
         putIfNotBlank(env, EnvironmentVariables.APICURIO_UI_AUTH_OIDC_LOGOUT_URL, appAuthSpec.getLogoutURL());
         putIfNotBlank(env, EnvironmentVariables.APICURIO_REGISTRY_AUTH_SERVER_URL,
                 appAuthSpec.getAuthServerUrl());
-        putIfNotBlank(env, EnvironmentVariables.OIDC_TLS_VERIFICATION, appAuthSpec.getTlsVerification());
 
         AuthTLS.configureAuthTLS(appAuthSpec, deployment, env);
     }
-
-    /**
-     * Adds an environment variable to the map only if the value is not null or blank.
-     *
-     * @param envVars The environment variables map.
-     * @param name The name of the environment variable.
-     * @param value The value to be set (ignored if null or blank).
-     */
-    private static void putIfNotBlank(Map<String, EnvVar> envVars, String name, String value) {
-        if (!Utils.isBlank(value)) {
-            envVars.put(name, createEnvVar(name, value));
-        }
-    }
-
-    /**
-     * Creates an environment variable using the given name and value.
-     *
-     * @param name The name of the environment variable.
-     * @param value The value of the environment variable.
-     * @return An {@link EnvVar} instance with the specified name and value.
-     */
-    private static EnvVar createEnvVar(String name, String value) {
-        return new EnvVarBuilder().withName(name).withValue(value).build();
-    }
 }
diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/feat/AuthTLS.java b/operator/controller/src/main/java/io/apicurio/registry/operator/feat/AuthTLS.java
@@ -1,5 +1,6 @@
 package io.apicurio.registry.operator.feat;
 
+import io.apicurio.registry.operator.EnvironmentVariables;
 import io.apicurio.registry.operator.api.v1.spec.auth.AppAuthSpec;
 import io.apicurio.registry.operator.api.v1.spec.auth.AuthTLSSpec;
 import io.apicurio.registry.operator.utils.SecretKeyRefTool;
@@ -12,16 +13,20 @@
 import static io.apicurio.registry.operator.EnvironmentVariables.*;
 import static io.apicurio.registry.operator.api.v1.ContainerNames.REGISTRY_APP_CONTAINER_NAME;
 import static io.apicurio.registry.operator.resource.app.AppDeploymentResource.addEnvVar;
+import static io.apicurio.registry.operator.utils.Utils.putIfNotBlank;
 import static java.util.Optional.ofNullable;
 
 public class AuthTLS {
 
     /**
      * Configure TLS for OIDC authentication
      */
-    public static boolean configureAuthTLS(AppAuthSpec appAuthSpec, Deployment deployment,
+    public static void configureAuthTLS(AppAuthSpec appAuthSpec, Deployment deployment,
             Map<String, EnvVar> env) {
 
+        putIfNotBlank(env, EnvironmentVariables.OIDC_TLS_VERIFICATION,
+                appAuthSpec.getTls().getTlsVerificationType());
+
         // spotless:off
         var keystore = new SecretKeyRefTool(getAuthTLSSpec(appAuthSpec)
                 .map(AuthTLSSpec::getKeystoreSecretRef)
@@ -39,27 +44,17 @@ public static boolean configureAuthTLS(AppAuthSpec appAuthSpec, Deployment deplo
                 .map(AuthTLSSpec::getTruststorePasswordSecretRef)
                 .orElse(null), "ca.password");
         // spotless:on
-
-        if (truststore.isValid() && truststorePassword.isValid() && keystore.isValid()
-                && keystorePassword.isValid()) {
-
-            // ===== Keystore
-
-            addEnvVar(env, OIDC_TLS_KEYSTORE_TYPE, "PKCS12");
-            keystore.applySecretVolume(deployment, REGISTRY_APP_CONTAINER_NAME);
-            addEnvVar(env, OIDC_TLS_KEYSTORE_LOCATION, keystore.getSecretVolumeKeyPath());
-            keystorePassword.applySecretEnvVar(env, OIDC_TLS_KEYSTORE_PASSWORD);
-
-            // ===== Truststore
-
-            addEnvVar(env, OIDC_TLS_TRUSTSTORE_TYPE, "PKCS12");
+        if (truststore.isValid() && truststorePassword.isValid()) {
             truststore.applySecretVolume(deployment, REGISTRY_APP_CONTAINER_NAME);
             addEnvVar(env, OIDC_TLS_TRUSTSTORE_LOCATION, truststore.getSecretVolumeKeyPath());
             truststorePassword.applySecretEnvVar(env, OIDC_TLS_TRUSTSTORE_PASSWORD);
+        }
 
-            return true;
+        if (keystore.isValid() && keystorePassword.isValid()) {
+            keystore.applySecretVolume(deployment, REGISTRY_APP_CONTAINER_NAME);
+            addEnvVar(env, OIDC_TLS_KEYSTORE_LOCATION, keystore.getSecretVolumeKeyPath());
+            keystorePassword.applySecretEnvVar(env, OIDC_TLS_KEYSTORE_PASSWORD);
         }
-        return false;
     }
 
     private static Optional<AuthTLSSpec> getAuthTLSSpec(AppAuthSpec primary) {

diff --git a/operator/controller/src/main/java/io/apicurio/registry/operator/utils/Utils.java b/operator/controller/src/main/java/io/apicurio/registry/operator/utils/Utils.java
@@ -1,5 +1,10 @@
 package io.apicurio.registry.operator.utils;
 
+import io.fabric8.kubernetes.api.model.EnvVar;
+import io.fabric8.kubernetes.api.model.EnvVarBuilder;
+
+import java.util.Map;
+
 public class Utils {
 
     private Utils() {
@@ -8,4 +13,28 @@ private Utils() {
     public static boolean isBlank(String value) {
         return value == null || value.isBlank();
     }
+
+    /**
+     * Adds an environment variable to the map only if the value is not null or blank.
+     *
+     * @param envVars The environment variables map.
+     * @param name The name of the environment variable.
+     * @param value The value to be set (ignored if null or blank).
+     */
+    public static void putIfNotBlank(Map<String, EnvVar> envVars, String name, String value) {
+        if (!Utils.isBlank(value)) {
+            envVars.put(name, createEnvVar(name, value));
+        }
+    }
+
+    /**
+     * Creates an environment variable using the given name and value.
+     *
+     * @param name The name of the environment variable.
+     * @param value The value of the environment variable.
+     * @return An {@link EnvVar} instance with the specified name and value.
+     */
+    public static EnvVar createEnvVar(String name, String value) {
+        return new EnvVarBuilder().withName(name).withValue(value).build();
+    }
 }
diff --git a/operator/controller/src/test/java/io/apicurio/registry/operator/it/ITBase.java b/operator/controller/src/test/java/io/apicurio/registry/operator/it/ITBase.java
@@ -2,6 +2,8 @@
 
 import io.apicurio.registry.operator.Constants;
 import io.apicurio.registry.operator.api.v1.ApicurioRegistry3;
+import io.fabric8.kubernetes.api.model.ConfigMap;
+import io.fabric8.kubernetes.api.model.ConfigMapBuilder;
 import io.fabric8.kubernetes.api.model.HasMetadata;
 import io.fabric8.kubernetes.api.model.NamespaceBuilder;
 import io.fabric8.kubernetes.api.model.apps.Deployment;
@@ -18,11 +20,7 @@
 import jakarta.enterprise.util.TypeLiteral;
 import org.awaitility.Awaitility;
 import org.eclipse.microprofile.config.ConfigProvider;
-import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.BeforeAll;
-import org.junit.jupiter.api.BeforeEach;
-import org.junit.jupiter.api.TestInfo;
+import org.junit.jupiter.api.*;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -221,6 +219,41 @@ private static void createOperator() {
         });
     }
 
+    static void createKeycloakDNSResolution(String ingressHostname, String keycloakService) {
+        String configMapName = "coredns";
+        String systemNamespace = "kube-system";
+
+        // Step 1: Fetch the existing CoreDNS ConfigMap
+        ConfigMap existingConfigMap = client.configMaps().inNamespace(systemNamespace).withName(configMapName)
+                .get();
+
+        if (existingConfigMap == null) {
+            throw new IllegalStateException("Error: CoreDNS ConfigMap not found!");
+        }
+
+        // Step 2: Modify the CoreDNS configuration
+        String corefile = existingConfigMap.getData().get("Corefile");
+
+        // Step 3: Append the rewrite rule to Corefile
+        String newCorefile = corefile.replaceFirst("\\.:53 \\{",
+                ".:53 {\n    rewrite name " + ingressHostname + " " + keycloakService);
+
+        // Step 4: Create the updated ConfigMap, ensuring resourceVersion is included
+        ConfigMap updatedConfigMap = new ConfigMapBuilder().withMetadata(existingConfigMap.getMetadata()) // Preserve
+                                                                                                          // metadata
+                                                                                                          // (including
+                                                                                                          // UID)
+                .addToData("Corefile", newCorefile).build();
+
+        // Step 5: Apply the updated ConfigMap
+        client.configMaps().inNamespace(systemNamespace).resource(updatedConfigMap).update();
+
+        log.info("CoreDNS ConfigMap updated successfully!");
+
+        // Step 6: Restart CoreDNS to apply changes
+        client.apps().deployments().inNamespace(systemNamespace).withName("coredns").rolling().restart();
+    }
+
     static void createNamespace(KubernetesClient client, String namespace) {
         log.info("Creating Namespace {}", namespace);
         client.resource(

diff --git a/operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakITTest.java b/operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakITTest.java
@@ -46,6 +46,9 @@ void testKeycloakPlain() {
                     .isEqualTo(1);
         });
 
+        createKeycloakDNSResolution("simple-keycloak.apps.cluster.example",
+                "keycloak." + namespace + ".svc.cluster.local");
+
         // Deploy Registry
         var registry = deserialize("k8s/examples/auth/simple-with_keycloak.apicurioregistry3.yaml",
                 ApicurioRegistry3.class);
@@ -62,9 +65,6 @@ void testKeycloakPlain() {
         Assertions.assertEquals("https://simple-ui.apps.cluster.example", appAuthSpec.getRedirectURI());
         Assertions.assertEquals("https://simple-ui.apps.cluster.example", appAuthSpec.getLogoutURL());
 
-        // We must change the auth url of the backend to use the service.
-        appAuthSpec.setAuthServerUrl("http://keycloak." + namespace + ".svc.cluster.local/realms/registry");
-
         client.resource(registry).create();
 
         // Assertions, checks registry deployments exist
@@ -86,8 +86,8 @@ void testKeycloakPlain() {
         assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
                 .contains(EnvironmentVariables.APICURIO_REGISTRY_UI_CLIENT_ID + "=" + "apicurio-registry");
         assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
-                .contains(EnvironmentVariables.APICURIO_REGISTRY_AUTH_SERVER_URL + "=" + "http://keycloak."
-                        + namespace + ".svc.cluster.local/realms/registry");
+                .contains(EnvironmentVariables.APICURIO_REGISTRY_AUTH_SERVER_URL + "="
+                        + "https://simple-keycloak.apps.cluster.example/realms/registry");
         assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
                 .contains(EnvironmentVariables.APICURIO_UI_AUTH_OIDC_REDIRECT_URI + "="
                         + "https://simple-ui.apps.cluster.example");

diff --git a/operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakTLSITTest.java b/operator/controller/src/test/java/io/apicurio/registry/operator/it/KeycloakTLSITTest.java
@@ -0,0 +1,98 @@
+package io.apicurio.registry.operator.it;
+
+import io.apicurio.registry.operator.EnvironmentVariables;
+import io.apicurio.registry.operator.api.v1.ApicurioRegistry3;
+import io.fabric8.kubernetes.api.model.HasMetadata;
+import io.fabric8.kubernetes.client.utils.Serialization;
+import io.quarkus.test.junit.QuarkusTest;
+import org.awaitility.Awaitility;
+import org.junit.jupiter.api.Assertions;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.time.Duration;
+import java.util.List;
+
+import static io.apicurio.registry.operator.api.v1.ContainerNames.REGISTRY_APP_CONTAINER_NAME;
+import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_APP;
+import static io.apicurio.registry.operator.resource.ResourceFactory.COMPONENT_UI;
+import static io.apicurio.registry.operator.resource.ResourceFactory.deserialize;
+import static io.apicurio.registry.operator.resource.app.AppDeploymentResource.getContainerFromDeployment;
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.awaitility.Awaitility.await;
+
+@QuarkusTest
+public class KeycloakTLSITTest extends ITBase {
+
+    private static final Logger log = LoggerFactory.getLogger(KeycloakTLSITTest.class);
+
+    @BeforeAll
+    public static void init() {
+        Awaitility.setDefaultTimeout(Duration.ofSeconds(60));
+    }
+
+    @Test
+    void testKeycloakPlain() {
+        // Preparation, deploy Keycloak
+        List<HasMetadata> resources = Serialization
+                .unmarshal(KeycloakTLSITTest.class.getResourceAsStream("/k8s/examples/auth/keycloak.yaml"));
+
+        createResources(resources, "Keycloak");
+
+        await().ignoreExceptions().untilAsserted(() -> {
+            assertThat(client.apps().deployments().withName("keycloak").get().getStatus().getReadyReplicas())
+                    .isEqualTo(1);
+        });
+
+        // Deploy Registry
+        var registry = deserialize("k8s/examples/auth/tls/simple-with_keycloak.apicurioregistry3.yaml",
+                ApicurioRegistry3.class);
+
+        registry.getMetadata().setNamespace(namespace);
+
+        var appAuthSpec = registry.getSpec().getApp().getAuth();
+
+        Assertions.assertEquals("registry-api", appAuthSpec.getAppClientId());
+        Assertions.assertEquals("apicurio-registry", appAuthSpec.getUiClientId());
+        Assertions.assertEquals(true, appAuthSpec.getEnabled());
+        Assertions.assertEquals("https://simple-keycloak.apps.cluster.example/realms/registry",
+                appAuthSpec.getAuthServerUrl());
+        Assertions.assertEquals("https://simple-ui.apps.cluster.example", appAuthSpec.getRedirectURI());
+        Assertions.assertEquals("https://simple-ui.apps.cluster.example", appAuthSpec.getLogoutURL());
+
+        // We must change the auth url of the backend to use the service.
+        appAuthSpec.setAuthServerUrl("https://keycloak." + namespace + ".svc.cluster.local/realms/registry");
+
+        client.resource(registry).create();
+
+        // Assertions, checks registry deployments exist
+        checkDeploymentExists(registry, COMPONENT_APP, 1);
+        checkDeploymentExists(registry, COMPONENT_UI, 1);
+
+        // App deployment auth related assertions
+        var appEnv = getContainerFromDeployment(
+                client.apps().deployments().inNamespace(namespace)
+                        .withName(registry.getMetadata().getName() + "-app-deployment").get(),
+                REGISTRY_APP_CONTAINER_NAME).getEnv();
+
+        assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
+                .contains(EnvironmentVariables.APICURIO_REGISTRY_AUTH_ENABLED + "=" + "true");
+        assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
+                .contains(EnvironmentVariables.OIDC_TLS_VERIFICATION + "=" + "required");
+        assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
+                .contains(EnvironmentVariables.APICURIO_REGISTRY_APP_CLIENT_ID + "=" + "registry-api");
+        assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
+                .contains(EnvironmentVariables.APICURIO_REGISTRY_UI_CLIENT_ID + "=" + "apicurio-registry");
+        assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
+                .contains(EnvironmentVariables.APICURIO_REGISTRY_AUTH_SERVER_URL + "=" + "https://keycloak."
+                        + namespace + ".svc.cluster.local/realms/registry");
+        assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
+                .contains(EnvironmentVariables.APICURIO_UI_AUTH_OIDC_REDIRECT_URI + "="
+                        + "https://simple-ui.apps.cluster.example");
+        assertThat(appEnv).map(ev -> ev.getName() + "=" + ev.getValue())
+                .contains(EnvironmentVariables.APICURIO_UI_AUTH_OIDC_LOGOUT_URL + "="
+                        + "https://simple-ui.apps.cluster.example");
+    }
+}
diff --git a/operator/controller/src/test/java/io/apicurio/registry/operator/unit/CorsTest.java b/operator/controller/src/test/java/io/apicurio/registry/operator/unit/CorsTest.java
@@ -19,7 +19,7 @@ public class CorsTest {
     public void testConfigureAllowedOrigins() throws Exception {
         doTestAllowedOrigins("k8s/examples/cors/example-default.yaml", "*");
         doTestAllowedOrigins("k8s/examples/cors/example-ingress.yaml",
-                "https://simple-ui.apps.cluster.example", "https://simple-ui.apps.cluster.example");
+                "http://simple-ui.apps.cluster.example", "https://simple-ui.apps.cluster.example");
         doTestAllowedOrigins("k8s/examples/cors/example-env-vars.yaml", "https://ui.example.org");
         doTestAllowedOrigins("k8s/examples/cors/example-env-vars-and-ingress.yaml", "https://ui.example.org");
     }