[#623] [#667] Support cert-manager for console and acceptor/connector…

… tls configuration Co-authored-by: Bruscino Domenico Francesco <[email protected]> Co-authored-by: Gary Tully <[email protected]>
arkmq-org · Mar 29, 2024 · 564fe04 · 564fe04
1 parent 16447e4
commit 564fe04
Show file tree

Hide file tree

Showing 28 changed files with 1,550 additions and 182 deletions.
diff --git a/api/v1beta1/activemqartemis_types.go b/api/v1beta1/activemqartemis_types.go
@@ -582,6 +582,9 @@ type AcceptorType struct {
 	// Host for Ingress and Route resources of the acceptor. It supports the following variables: $(CR_NAME), $(CR_NAMESPACE), $(BROKER_ORDINAL), $(ITEM_NAME), $(RES_NAME) and $(INGRESS_DOMAIN). It is required for the acceptors exposed with the ingress mode when the ingress domain is not specified.
 	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Ingress Host",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
 	IngressHost string `json:"ingressHost,omitempty"`
+	// The name of the truststore secret.
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Trust Secret",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
+	TrustSecret *string `json:"trustSecret,omitempty"`
 }
 
 type ConnectorType struct {
@@ -642,6 +645,9 @@ type ConnectorType struct {
 	// Host for Ingress and Route resources of the acceptor. It supports the following variables: $(CR_NAME), $(CR_NAMESPACE), $(BROKER_ORDINAL), $(ITEM_NAME), $(RES_NAME) and $(INGRESS_DOMAIN). It is required for the connectors exposed with the ingress mode when the ingress domain is not specified.
 	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Ingress Host",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
 	IngressHost string `json:"ingressHost,omitempty"`
+	// The name of the truststore secret.
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Trust Secret",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
+	TrustSecret *string `json:"trustSecret,omitempty"`
 }
 
 type ConsoleType struct {
@@ -666,6 +672,9 @@ type ConsoleType struct {
 	// Host for Ingress and Route resources of the acceptor. It supports the following variables: $(CR_NAME), $(CR_NAMESPACE), $(BROKER_ORDINAL), $(ITEM_NAME), $(RES_NAME) and $(INGRESS_DOMAIN). It is required for the console exposed with the ingress mode when the ingress domain is not specified.
 	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Ingress Host",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
 	IngressHost string `json:"ingressHost,omitempty"`
+	// The name of the truststore secret.
+	//+operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Trust Secret",xDescriptors={"urn:alm:descriptor:com.tectonic.ui:text"}
+	TrustSecret *string `json:"trustSecret,omitempty"`
 }
 
 // ActiveMQArtemis App product upgrade flags, this is deprecated in v1beta1, specifying the Version is sufficient
@@ -802,6 +811,7 @@ const (
 	ValidConditionFailedDuplicateAcceptorPort  = "DuplicateAcceptorPort"
 	ValidConditionFailedInvalidExposeMode      = "InvalidExposeMode"
 	ValidConditionFailedInvalidIngressSettings = "InvalidIngressSettings"
+	ValidConditionInvalidCertSecretReason      = "InvalidCertSecret"
 
 	ReadyConditionType      = "Ready"
 	ReadyConditionReason    = "ResourceReady"

diff --git a/api/v1beta1/activemqartemisaddress_webhook.go b/api/v1beta1/activemqartemisaddress_webhook.go
@@ -69,7 +69,7 @@ func (r *ActiveMQArtemisAddress) ValidateUpdate(old runtime.Object) (warnings ad
 
 // ValidateDelete implements webhook.Validator so a webhook will be registered for the type
 func (r *ActiveMQArtemisAddress) ValidateDelete() (warnings admission.Warnings, err error) {
-	activemqartemisaddresslog.V(1).Info("validate delete", "name", r.Name)
+	activemqartemisaddresslog.Info("validate delete", "name", r.Name)
 
 	// TODO(user): fill in your validation logic upon object deletion.
 	return nil, nil

diff --git a/api/v1beta1/zz_generated.deepcopy.go b/api/v1beta1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/activemq-artemis-operator.clusterserviceversion.yaml b/bundle/manifests/activemq-artemis-operator.clusterserviceversion.yaml
@@ -598,6 +598,11 @@ spec:
         path: acceptors[0].suppressInternalManagementObjects
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - description: The name of the truststore secret.
+        displayName: Trust Secret
+        path: acceptors[0].trustSecret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: Provider used for the truststore; "SUN", "SunJCE", etc. Default
           in broker is null
         displayName: TrustStore Provider
@@ -1111,6 +1116,11 @@ spec:
         path: connectors[0].sslSecret
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      - description: The name of the truststore secret.
+        displayName: Trust Secret
+        path: connectors[0].trustSecret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: Provider used for the truststore; "SUN", "SunJCE", etc. Default
           in broker is null
         displayName: TrustStore Provider
@@ -1180,6 +1190,11 @@ spec:
         path: console.sslSecret
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      - description: The name of the truststore secret.
+        displayName: Trust Secret
+        path: console.trustSecret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: If the embedded server requires client authentication
         displayName: Use Client Auth
         path: console.useClientAuth

diff --git a/bundle/manifests/broker.amq.io_activemqartemises.yaml b/bundle/manifests/broker.amq.io_activemqartemises.yaml
@@ -125,6 +125,9 @@ spec:
                       description: If prevents advisory addresses/queues to be registered
                         to management service, default false
                       type: boolean
+                    trustSecret:
+                      description: The name of the truststore secret.
+                      type: string
                     trustStoreProvider:
                       description: Provider used for the truststore; "SUN", "SunJCE",
                         etc. Default in broker is null
@@ -539,6 +542,9 @@ spec:
                     sslSecret:
                       description: Name of the secret to use for ssl information
                       type: string
+                    trustSecret:
+                      description: The name of the truststore secret.
+                      type: string
                     trustStoreProvider:
                       description: Provider used for the truststore; "SUN", "SunJCE",
                         etc. Default in broker is null
@@ -598,6 +604,9 @@ spec:
                   sslSecret:
                     description: Name of the secret to use for ssl information
                     type: string
+                  trustSecret:
+                    description: The name of the truststore secret.
+                    type: string
                   useClientAuth:
                     description: If the embedded server requires client authentication
                     type: boolean

diff --git a/config/crd/bases/broker.amq.io_activemqartemises.yaml b/config/crd/bases/broker.amq.io_activemqartemises.yaml
@@ -126,6 +126,9 @@ spec:
                       description: If prevents advisory addresses/queues to be registered
                         to management service, default false
                       type: boolean
+                    trustSecret:
+                      description: The name of the truststore secret.
+                      type: string
                     trustStoreProvider:
                       description: Provider used for the truststore; "SUN", "SunJCE",
                         etc. Default in broker is null
@@ -540,6 +543,9 @@ spec:
                     sslSecret:
                       description: Name of the secret to use for ssl information
                       type: string
+                    trustSecret:
+                      description: The name of the truststore secret.
+                      type: string
                     trustStoreProvider:
                       description: Provider used for the truststore; "SUN", "SunJCE",
                         etc. Default in broker is null
@@ -599,6 +605,9 @@ spec:
                   sslSecret:
                     description: Name of the secret to use for ssl information
                     type: string
+                  trustSecret:
+                    description: The name of the truststore secret.
+                    type: string
                   useClientAuth:
                     description: If the embedded server requires client authentication
                     type: boolean

diff --git a/config/manifests/bases/activemq-artemis-operator.clusterserviceversion.yaml b/config/manifests/bases/activemq-artemis-operator.clusterserviceversion.yaml
@@ -372,6 +372,11 @@ spec:
         path: acceptors[0].suppressInternalManagementObjects
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:booleanSwitch
+      - description: The name of the truststore secret.
+        displayName: Trust Secret
+        path: acceptors[0].trustSecret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: Provider used for the truststore; "SUN", "SunJCE", etc. Default
           in broker is null
         displayName: TrustStore Provider
@@ -885,6 +890,11 @@ spec:
         path: connectors[0].sslSecret
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      - description: The name of the truststore secret.
+        displayName: Trust Secret
+        path: connectors[0].trustSecret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: Provider used for the truststore; "SUN", "SunJCE", etc. Default
           in broker is null
         displayName: TrustStore Provider
@@ -954,6 +964,11 @@ spec:
         path: console.sslSecret
         x-descriptors:
         - urn:alm:descriptor:com.tectonic.ui:text
+      - description: The name of the truststore secret.
+        displayName: Trust Secret
+        path: console.trustSecret
+        x-descriptors:
+        - urn:alm:descriptor:com.tectonic.ui:text
       - description: If the embedded server requires client authentication
         displayName: Use Client Auth
         path: console.useClientAuth

diff --git a/controllers/activemqartemis_controller.go b/controllers/activemqartemis_controller.go
@@ -37,6 +37,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/source"
 
 	"github.com/artemiscloud/activemq-artemis-operator/pkg/resources"
+	"github.com/artemiscloud/activemq-artemis-operator/pkg/utils/certutil"
 	"github.com/artemiscloud/activemq-artemis-operator/pkg/utils/namer"
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
@@ -383,6 +384,9 @@ func validateSSLEnabledSecrets(customResource *brokerv1beta1.ActiveMQArtemis, cl
 	if customResource.Spec.Console.SSLEnabled {
 
 		secretName := namer.SecretsConsoleNameBuilder.Name()
+		if customResource.Spec.Console.SSLSecret != "" {
+			secretName = customResource.Spec.Console.SSLSecret
+		}
 
 		secret := corev1.Secret{}
 		found := retrieveResource(secretName, customResource.Namespace, &secret, client)
@@ -561,6 +565,18 @@ func AssertConfigMapContainsKey(configMap corev1.ConfigMap, key string, contextM
 }
 
 func AssertSecretContainsKey(secret corev1.Secret, key string, contextMessage string) *metav1.Condition {
+	isCertSecret, isValid := certutil.IsSecretFromCert(&secret)
+	if isCertSecret {
+		if isValid {
+			return nil
+		}
+		return &metav1.Condition{
+			Type:    brokerv1beta1.ValidConditionType,
+			Status:  metav1.ConditionFalse,
+			Reason:  brokerv1beta1.ValidConditionInvalidCertSecretReason,
+			Message: fmt.Sprintf("%s certificate secret %s not valid, must have keys ca.crt tls.crt tls.key", contextMessage, secret.Name),
+		}
+	}
 	if _, present := secret.Data[key]; !present {
 		return &metav1.Condition{
 			Type:    brokerv1beta1.ValidConditionType,
@@ -573,6 +589,18 @@ func AssertSecretContainsKey(secret corev1.Secret, key string, contextMessage st
 }
 
 func AssertSecretContainsOneOf(secret corev1.Secret, keys []string, contextMessage string) *metav1.Condition {
+	ok, valid := certutil.IsSecretFromCert(&secret)
+	if ok {
+		if valid {
+			return nil
+		}
+		return &metav1.Condition{
+			Type:    brokerv1beta1.ValidConditionType,
+			Status:  metav1.ConditionFalse,
+			Reason:  brokerv1beta1.ValidConditionInvalidCertSecretReason,
+			Message: fmt.Sprintf("%s secret %s must contain keys %v", contextMessage, secret.Name, "ca.crt,tls.crt,tls.key"),
+		}
+	}
 	for _, key := range keys {
 		_, present := secret.Data[key]
 		if present {
@@ -627,6 +655,7 @@ func MakeNamers(customResource *brokerv1beta1.ActiveMQArtemis) *common.Namers {
 		newNamers.SecretsConsoleNameBuilder.Prefix(customResource.Name).Base("console").Suffix("secret").Generate()
 	}
 	newNamers.SecretsNettyNameBuilder.Prefix(customResource.Name).Base("netty").Suffix("secret").Generate()
+
 	newNamers.LabelBuilder.Base(customResource.Name).Suffix("app").Generate()
 
 	return &newNamers