Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: gen-pkcs12-keystore adds ca.crt input option if it exists (#684) #685

Merged
5 changes: 3 additions & 2 deletions controllers/solrcloud_controller_tls_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@ import (
"crypto/md5"
b64 "encoding/base64"
"fmt"
"strings"

solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
"github.com/apache/solr-operator/controllers/util"
. "github.com/onsi/ginkgo/v2"
Expand All @@ -31,7 +33,6 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"sigs.k8s.io/controller-runtime/pkg/client"
"strings"
)

var _ = FDescribe("SolrCloud controller - TLS", func() {
Expand Down Expand Up @@ -522,7 +523,7 @@ func expectTLSConfigOnPodTemplateWithGomega(g Gomega, solrCloud *solrv1beta1.Sol
break
}
}
expCmd := "openssl pkcs12 -export -in /var/solr/tls/tls.crt -in /var/solr/tls/ca.crt -inkey /var/solr/tls/tls.key -out /var/solr/tls/pkcs12/keystore.p12 -passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}"
expCmd := "OPTIONAL_CACRT=\"$(test -e /var/solr/tls/ca.crt && echo ' -certfile /var/solr/tls/ca.crt')\"; openssl pkcs12 -export -in /var/solr/tls/tls.crt $OPTIONAL_CACRT -inkey /var/solr/tls/tls.key -out /var/solr/tls/pkcs12/keystore.p12 -passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}"
g.Expect(expInitContainer).To(Not(BeNil()), "Didn't find the gen-pkcs12-keystore InitContainer in the sts!")
g.Expect(expInitContainer.Command[2]).To(Equal(expCmd), "Wrong TLS initContainer command")
}
Expand Down
12 changes: 8 additions & 4 deletions controllers/util/solr_tls_util.go
Original file line number Diff line number Diff line change
Expand Up @@ -21,13 +21,14 @@ import (
"context"
"crypto/md5"
"fmt"
"strconv"
"strings"

solr "github.com/apache/solr-operator/api/v1beta1"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/types"
"sigs.k8s.io/controller-runtime/pkg/client"
"strconv"
"strings"
)

const (
Expand Down Expand Up @@ -707,8 +708,11 @@ func (tls *TLSConfig) generatePkcs12InitContainer(imageName string, imagePullPol
},
}

cmd := "openssl pkcs12 -export -in " + DefaultKeyStorePath + "/" + TLSCertKey + " -in " + DefaultKeyStorePath +
"/ca.crt -inkey " + DefaultKeyStorePath + "/tls.key -out " + DefaultKeyStorePath +
caCrtFileName := DefaultKeyStorePath + "/ca.crt"

cmd := "OPTIONAL_CACRT=\"$(test -e " + caCrtFileName + " && echo ' -certfile " + caCrtFileName + "')\"; " +
"openssl pkcs12 -export -in " + DefaultKeyStorePath + "/" + TLSCertKey + " $OPTIONAL_CACRT " +
"-inkey " + DefaultKeyStorePath + "/tls.key -out " + DefaultKeyStorePath +
"/pkcs12/" + DefaultPkcs12KeystoreFile + " -passout pass:${SOLR_SSL_KEY_STORE_PASSWORD}"

return corev1.Container{
Expand Down
8 changes: 8 additions & 0 deletions helm/solr-operator/Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -54,13 +54,21 @@ annotations:
# Add change log for a single release here.
# Allowed syntax is described at: https://artifacthub.io/docs/topics/annotations/helm/#example
artifacthub.io/changes: |
- kind: fixed
description: gen-pkcs12-keystore initContainer now supports 'ca.crt'-less TLS secrets
links:
- name: Github Issue
url: https://github.com/apache/solr-operator/issues/684
- name: Github PR
url: https://github.com/apache/solr-operator/pull/685
- kind: changed
description: SolrClouds now support auto-readOnlyRootFilesystem setting.
links:
- name: Github Issue
url: https://github.com/apache/solr-operator/issues/624
- name: Github PR
url: https://github.com/apache/solr-operator/pull/648
- kind: fixed
description: Avoid reset of security.json if get request fails
links:
- name: Github Issue
Expand Down
3 changes: 2 additions & 1 deletion tests/e2e/prometheus_exporter_tls_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ package e2e

import (
"context"

solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
Expand All @@ -44,7 +45,7 @@ var _ = FDescribe("E2E - Prometheus Exporter - TLS ", Ordered, func() {
*/
BeforeAll(func(ctx context.Context) {
installSolrIssuer(ctx, testNamespace())
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true)
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true, true)

solrCloud.Spec.SolrTLS.CheckPeerName = true

Expand Down
29 changes: 22 additions & 7 deletions tests/e2e/solrcloud_tls_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ package e2e

import (
"context"

solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
. "github.com/onsi/ginkgo/v2"
. "github.com/onsi/gomega"
Expand Down Expand Up @@ -59,7 +60,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
FContext("No Client TLS", func() {

BeforeEach(func(ctx context.Context) {
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, false)
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, false, true)

//solrCloud.Spec.SolrOpts = "-Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake"
})
Expand All @@ -70,7 +71,21 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
FContext("No Client TLS - Just a Keystore", func() {

BeforeEach(func(ctx context.Context) {
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, false)
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, false, true)

solrCloud.Spec.SolrTLS.TrustStoreSecret = nil
solrCloud.Spec.SolrTLS.TrustStorePasswordSecret = nil

//solrCloud.Spec.SolrOpts = "-Djavax.net.debug=SSL,keymanager,trustmanager,ssl:handshake"
})

FIt("Can run", func() {})
})

FContext("No Client TLS - gen-pkcs12-keystore", func() {

BeforeEach(func(ctx context.Context) {
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, false, false)

solrCloud.Spec.SolrTLS.TrustStoreSecret = nil
solrCloud.Spec.SolrTLS.TrustStorePasswordSecret = nil
Expand All @@ -84,7 +99,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
FContext("No Client TLS - CheckPeerName", func() {

BeforeEach(func(ctx context.Context) {
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, false)
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, false, true)

solrCloud.Spec.SolrTLS.CheckPeerName = true

Expand Down Expand Up @@ -115,7 +130,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
FContext("With Client TLS - VerifyClientHostname", func() {

BeforeEach(func(ctx context.Context) {
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true)
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true, true)

solrCloud.Spec.SolrTLS.VerifyClientHostname = true

Expand All @@ -139,7 +154,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
FContext("With Client TLS - CheckPeerName", func() {

BeforeEach(func(ctx context.Context) {
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true)
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true, true)

solrCloud.Spec.SolrTLS.CheckPeerName = true

Expand All @@ -164,7 +179,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
FContext("With Client TLS - Client Auth Need", func() {

BeforeEach(func(ctx context.Context) {
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true)
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true, true)

solrCloud.Spec.SolrTLS.ClientAuth = solrv1beta1.Need

Expand All @@ -177,7 +192,7 @@ var _ = FDescribe("E2E - SolrCloud - TLS - Secrets", func() {
FContext("With Client TLS - Client Auth Want", func() {

BeforeEach(func(ctx context.Context) {
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true)
solrCloud = generateBaseSolrCloudWithSecretTLS(ctx, 2, true, true)

solrCloud.Spec.SolrTLS.ClientAuth = solrv1beta1.Want

Expand Down
11 changes: 6 additions & 5 deletions tests/e2e/test_utils_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,12 @@ import (
"encoding/json"
"errors"
"fmt"
"io"
"os"
"strconv"
"strings"
"time"

solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
"github.com/apache/solr-operator/controllers/util"
"github.com/apache/solr-operator/controllers/util/solr_api"
Expand All @@ -34,7 +40,6 @@ import (
"helm.sh/helm/v3/pkg/cli"
"helm.sh/helm/v3/pkg/release"
"helm.sh/helm/v3/pkg/storage/driver"
"io"
corev1 "k8s.io/api/core/v1"
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
Expand All @@ -43,11 +48,7 @@ import (
"k8s.io/apimachinery/pkg/util/rand"
"k8s.io/client-go/tools/remotecommand"
"k8s.io/utils/pointer"
"os"
"sigs.k8s.io/controller-runtime/pkg/client"
"strconv"
"strings"
"time"
)

const (
Expand Down
9 changes: 5 additions & 4 deletions tests/e2e/utils_tls_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ package e2e

import (
"context"

solrv1beta1 "github.com/apache/solr-operator/api/v1beta1"
certmanagerv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
certmanagermetav1 "github.com/cert-manager/cert-manager/pkg/apis/meta/v1"
Expand All @@ -39,10 +40,10 @@ const (
clientAuthSecret = "client-auth"
)

func generateBaseSolrCloudWithSecretTLS(ctx context.Context, replicas int, includeClientTLS bool) (solrCloud *solrv1beta1.SolrCloud) {
func generateBaseSolrCloudWithSecretTLS(ctx context.Context, replicas int, includeClientTLS bool, createKeyStore bool) (solrCloud *solrv1beta1.SolrCloud) {
solrCloud = generateBaseSolrCloud(replicas)

solrCertSecret, tlsPasswordSecret, clientCertSecret, clientTlsPasswordSecret := generateSolrCert(ctx, solrCloud, includeClientTLS)
solrCertSecret, tlsPasswordSecret, clientCertSecret, clientTlsPasswordSecret := generateSolrCert(ctx, solrCloud, includeClientTLS, createKeyStore)

solrCloud.Spec.SolrTLS = &solrv1beta1.SolrTLSOptions{
PKCS12Secret: &corev1.SecretKeySelector{
Expand Down Expand Up @@ -303,7 +304,7 @@ func installSolrIssuer(ctx context.Context, namespace string) {
expectSecret(ctx, clusterCA, secretName)
}

func generateSolrCert(ctx context.Context, solrCloud *solrv1beta1.SolrCloud, includeClientTLS bool) (certSecretName string, tlsPasswordSecretName string, clientTLSCertSecretName string, clientTLSPasswordSecretName string) {
func generateSolrCert(ctx context.Context, solrCloud *solrv1beta1.SolrCloud, includeClientTLS bool, createKeyStore bool) (certSecretName string, tlsPasswordSecretName string, clientTLSCertSecretName string, clientTLSPasswordSecretName string) {
// First create a secret to use as a password for the keystore/truststore
tlsPasswordSecret := &corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Expand Down Expand Up @@ -338,7 +339,7 @@ func generateSolrCert(ctx context.Context, solrCloud *solrv1beta1.SolrCloud, inc
SecretName: certSecretName,
Keystores: &certmanagerv1.CertificateKeystores{
PKCS12: &certmanagerv1.PKCS12Keystore{
Create: true,
Create: createKeyStore,
PasswordSecretRef: certmanagermetav1.SecretKeySelector{
LocalObjectReference: certmanagermetav1.LocalObjectReference{
Name: tlsPasswordSecret.Name,
Expand Down
Loading