diff --git a/api/v1beta1/activemqartemissecurity_types.go b/api/v1beta1/activemqartemissecurity_types.go
index 266fa899f..aaf05b37d 100644
--- a/api/v1beta1/activemqartemissecurity_types.go
+++ b/api/v1beta1/activemqartemissecurity_types.go
@@ -328,6 +328,9 @@ type ConnectorConfigType struct {
 	// Whether management connection is secured
 	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Secured",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:booleanSwitch"}
 	Secured *bool `json:"secured,omitempty"`
+	// The keystore type for management connector
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="KeyStore Type",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
+	KeyStoreType *string `json:"keyStoreType,omitempty"`
 	// The keystore provider for management connector
 	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="KeyStore Provider",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
 	KeyStoreProvider *string `json:"keyStoreProvider,omitempty"`
@@ -337,6 +340,9 @@ type ConnectorConfigType struct {
 	// The keystore password for management connector
 	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="KeyStore Password",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
 	KeyStorePassword *string `json:"keyStorePassword,omitempty"`
+	// The truststore type for management connector
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="TrustStore Type",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
+	TrustStoreType *string `json:"trustStoreType,omitempty"`
 	// The truststore provider for management connector
 	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="TrustStore Provider",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
 	TrustStoreProvider *string `json:"trustStoreProvider,omitempty"`
diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
index c5eaf3c5c..1bd1aa4ba 100644
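Review bot: The new `KeyStoreType` and `TrustStoreType` fields on `ConnectorConfigType` carry no validation marker, so the generated CRD schema (visible further down in this change as plain `type: string`) admits any value and a typo such as `pkcs-12` is only discovered when the broker tries to open the store, not at CR admission. If the broker accepts only a fixed set of JCA store types, a marker such as `//+kubebuilder:validation:Enum=JKS;PKCS12` above each field would make the API server reject bad values up front; if the set depends on the configured `KeyStoreProvider`, the doc comment should at least name the expected form and what an unset value means, e.g. `// The keystore type for management connector (a JCA KeyStore type name such as JKS or PKCS12; presumably the broker default applies when unset — confirm)`. The same applies verbatim to the `TrustStoreType` hunk below. The `ConnectorConfigType` struct starts and ends outside these hunks.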
--- a/api/v1beta1/zz_generated.deepcopy.go +++ b/api/v1beta1/zz_generated.deepcopy.go @@ -1051,6 +1051,11 @@ func (in *ConnectorConfigType) DeepCopyInto(out *ConnectorConfigType) { *out = new(bool) **out = **in } + if in.KeyStoreType != nil { + in, out := &in.KeyStoreType, &out.KeyStoreType + *out = new(string) + **out = **in + } if in.KeyStoreProvider != nil { in, out := &in.KeyStoreProvider, &out.KeyStoreProvider *out = new(string) @@ -1066,6 +1071,11 @@ func (in *ConnectorConfigType) DeepCopyInto(out *ConnectorConfigType) { *out = new(string) **out = **in } + if in.TrustStoreType != nil { + in, out := &in.TrustStoreType, &out.TrustStoreType + *out = new(string) + **out = **in + } if in.TrustStoreProvider != nil { in, out := &in.TrustStoreProvider, &out.TrustStoreProvider *out = new(string) diff --git a/bundle/manifests/activemq-artemis-operator.clusterserviceversion.yaml b/bundle/manifests/activemq-artemis-operator.clusterserviceversion.yaml index f3c00081b..a6f4309de 100644 --- a/bundle/manifests/activemq-artemis-operator.clusterserviceversion.yaml +++ b/bundle/manifests/activemq-artemis-operator.clusterserviceversion.yaml @@ -2490,6 +2490,11 @@ spec: path: securitySettings.management.connector.keyStoreProvider x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text + - description: The keystore type for management connector + displayName: KeyStore Type + path: securitySettings.management.connector.keyStoreType + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text - description: The JMX object name of management displayName: Object Name path: securitySettings.management.connector.objectName 
@@ -2530,6 +2535,11 @@ spec: path: securitySettings.management.connector.trustStoreProvider x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text + - description: The truststore type for management connector + displayName: TrustStore Type + path: securitySettings.management.connector.trustStoreType + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text - description: The roles allowed to login hawtio displayName: Hawtio Roles path: securitySettings.management.hawtioRoles diff --git a/bundle/manifests/broker.amq.io_activemqartemissecurities.yaml b/bundle/manifests/broker.amq.io_activemqartemissecurities.yaml index 0cf24e9a4..8c85ce0b6 100644 --- a/bundle/manifests/broker.amq.io_activemqartemissecurities.yaml +++ b/bundle/manifests/broker.amq.io_activemqartemissecurities.yaml @@ -888,6 +888,9 @@ spec: keyStoreProvider: description: The keystore provider for management connector type: string + keyStoreType: + description: The keystore type for management connector + type: string objectName: description: The JMX object name of management type: string @@ -914,6 +917,9 @@ spec: trustStoreProvider: description: The truststore provider for management connector type: string + trustStoreType: + description: The truststore type for management connector + type: string type: object hawtioRoles: description: The roles allowed to login hawtio diff --git a/config/crd/bases/broker.amq.io_activemqartemissecurities.yaml b/config/crd/bases/broker.amq.io_activemqartemissecurities.yaml index 3e8452e4a..d2df47d7f 100644 --- a/config/crd/bases/broker.amq.io_activemqartemissecurities.yaml +++ b/config/crd/bases/broker.amq.io_activemqartemissecurities.yaml @@ -889,6 +889,9 @@ spec: keyStoreProvider: description: The keystore provider for management connector type: string + keyStoreType: + description: The keystore type for management connector + type: string objectName: description: The JMX object name of management type: string 
@@ -915,6 +918,9 @@ spec: trustStoreProvider: description: The truststore provider for management connector type: string + trustStoreType: + description: The truststore type for management connector + type: string type: object hawtioRoles: description: The roles allowed to login hawtio diff --git a/config/manifests/bases/activemq-artemis-operator.clusterserviceversion.yaml b/config/manifests/bases/activemq-artemis-operator.clusterserviceversion.yaml index f6c2ca8de..6ffcaeba3 100644 --- a/config/manifests/bases/activemq-artemis-operator.clusterserviceversion.yaml +++ b/config/manifests/bases/activemq-artemis-operator.clusterserviceversion.yaml @@ -1742,6 +1742,11 @@ spec: path: securitySettings.management.connector.keyStoreProvider x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text + - description: The keystore type for management connector + displayName: KeyStore Type + path: securitySettings.management.connector.keyStoreType + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text - description: The JMX object name of management displayName: Object Name path: securitySettings.management.connector.objectName @@ -1782,6 +1787,11 @@ spec: path: securitySettings.management.connector.trustStoreProvider x-descriptors: - urn:alm:descriptor:com.tectonic.ui:text + - description: The truststore type for management connector + displayName: TrustStore Type + path: securitySettings.management.connector.trustStoreType + x-descriptors: + - urn:alm:descriptor:com.tectonic.ui:text - description: The roles allowed to login hawtio displayName: Hawtio Roles path: securitySettings.management.hawtioRoles diff --git a/controllers/activemqartemissecurity_controller_test.go b/controllers/activemqartemissecurity_controller_test.go index c8043ef6d..e852dc1fb 100644 --- a/controllers/activemqartemissecurity_controller_test.go +++ b/controllers/activemqartemissecurity_controller_test.go 
@@ -66,6 +66,83 @@ var _ = Describe("security controller", func() {
 	Context("broker with security custom resources", Label("broker-security-res"), func() {
+		It("management connector config", Label("mgmt-connector-config"), func() {
+
+			By("deploy a security cr")
+			_, createdSecurityCr := DeploySecurity(NextSpecResourceName(), defaultNamespace, func(candidate *brokerv1beta1.ActiveMQArtemisSecurity) {
+				candidate.Spec.SecuritySettings.Management.Connector = brokerv1beta1.ConnectorConfigType{
+					Host: StringToPtr("0.0.0.0"),
+					Port: common.Int32ToPtr(9091),
+					RmiRegistryPort: common.Int32ToPtr(1234),
+					JmxRealm: StringToPtr("activemq"),
+					ObjectName: StringToPtr("connector:name=rmi"),
+					AuthenticatorType: StringToPtr("password"),
+					Secured: &boolFalse,
+					KeyStoreType: StringToPtr("PKCS12"),
+					KeyStoreProvider: StringToPtr("SUN"),
+					KeyStorePath: StringToPtr("/etc/keystore/broker.ks"),
+					KeyStorePassword: StringToPtr("kspassword"),
+					TrustStoreType: StringToPtr("JKS"),
+					TrustStoreProvider: StringToPtr("tSUN"),
+					TrustStorePath: StringToPtr("/etc/truststore/broker.ts"),
+					TrustStorePassword: StringToPtr("tspassword"),
+					PasswordCodec: StringToPtr("org.apache.activemq.SomeClass"),
+				}
+			})
+
+			By("deploy a broker cr")
+			_, createdBrokerCr := DeployCustomBroker(defaultNamespace, nil)
+
+			By("checking the security gets applied")
+			requestedSs := &appsv1.StatefulSet{}
+			Eventually(func() bool {
+				key := types.NamespacedName{Name: namer.CrToSS(createdBrokerCr.Name), Namespace: defaultNamespace}
+				err := k8sClient.Get(ctx, key, requestedSs)
+				if err != nil {
+					return false
+				}
+
+				initContainer := requestedSs.Spec.Template.Spec.InitContainers[0]
+				secApplied := false
+				for _, arg := range initContainer.Args {
+					if strings.Contains(arg, "mkdir -p /init_cfg_root/security/security") {
+						secApplied = true
+						break
+					}
+				}
+				return secApplied
+			}, timeout, interval).Should(BeTrue())
+
+			expectedSecuritySecret := &corev1.Secret{}
+			expectedSecuritySecretKey := types.NamespacedName{Name: "secret-security-" + createdSecurityCr.Name, Namespace: defaultNamespace}
+
+			By("checking the security secret")
+			Eventually(k8sClient.Get(ctx, expectedSecuritySecretKey, expectedSecuritySecret), timeout, interval).Should(Succeed())
+			crData := expectedSecuritySecret.Data["Data"]
+			Expect(string(crData)).NotTo(BeEmpty())
+
+			Expect(crData).To(ContainSubstring("host: 0.0.0.0"))
+			Expect(crData).To(ContainSubstring("port: 9091"))
+			Expect(crData).To(ContainSubstring("rmiregistryport: 1234"))
+			Expect(crData).To(ContainSubstring("jmxrealm: activemq"))
+			Expect(crData).To(ContainSubstring("objectname: connector:name=rmi"))
+			Expect(crData).To(ContainSubstring("authenticatortype: password"))
+			Expect(crData).To(ContainSubstring("secured: false"))
+			Expect(crData).To(ContainSubstring("keystoretype: PKCS12"))
+			Expect(crData).To(ContainSubstring("keystoreprovider: SUN"))
+			Expect(crData).To(ContainSubstring("keystorepath: /etc/keystore/broker.ks"))
+			Expect(crData).To(ContainSubstring("keystorepassword: kspassword"))
+			Expect(crData).To(ContainSubstring("truststoretype: JKS"))
+			Expect(crData).To(ContainSubstring("truststoreprovider: tSUN"))
+			Expect(crData).To(ContainSubstring("truststorepath: /etc/truststore/broker.ts"))
+			Expect(crData).To(ContainSubstring("truststorepassword: tspassword"))
+			Expect(crData).To(ContainSubstring("passwordcodec: org.apache.activemq.SomeClass"))
+
+			By("delete the broker cr")
+			CleanResource(createdBrokerCr, createdBrokerCr.Name, defaultNamespace)
+			CleanResource(createdSecurityCr, createdSecurityCr.Name, defaultNamespace)
+		})
+
 		It("no password in security log test", func() {
 			By("deploy a security cr")
 			StartCapturingLog()
diff --git a/controllers/common_util_test.go b/controllers/common_util_test.go
index 9f00b8e93..ec08de4d2 100644
--- a/controllers/common_util_test.go
+++ b/controllers/common_util_test.go
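Review bot: `Eventually(k8sClient.Get(ctx, expectedSecuritySecretKey, expectedSecuritySecret), timeout, interval).Should(Succeed())` passes the result of a single `Get` call — an `error` value — rather than a function, so Gomega keeps matching that one value for the whole timeout and never retries the lookup; if the security Secret has not been created by the time that line runs, the test fails after `timeout` with the original NotFound error instead of waiting for it. Wrap the call so it is re-evaluated: `Eventually(func() error { return k8sClient.Get(ctx, expectedSecuritySecretKey, expectedSecuritySecret) }, timeout, interval).Should(Succeed())`. The assertions also confirm the keystore and truststore passwords land in the Secret's `Data` in clear form (`keystorepassword: kspassword`), which is fine for a Secret, but it means this CR shape is a good candidate for the neighbouring `no password in security log test` as well, since that test is what guards against the same values reaching operator logs. The enclosing `Describe`/`Context` closures start and end outside this hunk.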
@@ -735,3 +735,7 @@ func CreateTlsSecret(secretName string, ns string, ksPassword string, nsNames []
 	}
 	return &tlsSecret, nil
 }
+
+func StringToPtr(v string) *string {
+	return &v
+}
diff --git a/deploy/crds/broker_activemqartemissecurity_crd.yaml b/deploy/crds/broker_activemqartemissecurity_crd.yaml
index 35c1e23ea..e1c8654d8 100644
--- a/deploy/crds/broker_activemqartemissecurity_crd.yaml
+++ b/deploy/crds/broker_activemqartemissecurity_crd.yaml
@@ -842,6 +842,9 @@ spec: keyStoreProvider: description: The keystore provider for management connector type: string + keyStoreType: + description: The keystore type for management connector + type: string objectName: description: The JMX object name of management type: string @@ -868,6 +871,9 @@ spec: trustStoreProvider: description: The truststore provider for management connector type: string + trustStoreType: + description: The truststore type for management connector + type: string type: object hawtioRoles: description: The roles allowed to login hawtio