From 4517254d8bb9254fdc1accd427591e632f2ff065 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Fri, 4 Aug 2023 12:08:40 +0300 Subject: [PATCH 1/7] Added jvm module --- src/error.rs | 2 ++ src/jvm/mod.rs | 39 +++++++++++++++++++++++++++++++++++++++ src/lib.rs | 1 + 3 files changed, 42 insertions(+) create mode 100644 src/jvm/mod.rs diff --git a/src/error.rs b/src/error.rs index de802a3b..cb608c41 100644 --- a/src/error.rs +++ b/src/error.rs @@ -111,6 +111,8 @@ pub enum Error { container_name: String, violation: String, }, + #[error("Error creating properties file: {0}")] + JavaProperties(String), } pub type OperatorResult = std::result::Result; diff --git a/src/jvm/mod.rs b/src/jvm/mod.rs new file mode 100644 index 00000000..5818cf66 --- /dev/null +++ b/src/jvm/mod.rs 
@@ -0,0 +1,39 @@ +use std::collections::HashMap; + +use k8s_openapi::api::core::v1::ConfigMap; +use kube::Resource; +use product_config::writer::to_java_properties_string; +use schemars::JsonSchema; +use serde::{Deserialize, Serialize}; + +use crate::{ + builder::{ConfigMapBuilder, ObjectMetaBuilder}, + error::Error, + error::OperatorResult, +}; + +/// JVM configuration management. + +pub const SECURITY_SYSTEM_PROPERTY_NAME: &str = "java.security.properties"; +pub const SECURITY_FILE_NAME: &str = "security.properties"; + +// This is a preliminary interface. Operators should be ignorant to the actual structure. +#[derive(Clone, Debug, Default, Deserialize, Eq, JsonSchema, PartialEq, Serialize)] +pub struct Security { + properties: HashMap>, +} + +pub fn security_config_map(app: &T, sec: &Security) -> OperatorResult { + ConfigMapBuilder::new() + .metadata(ObjectMetaBuilder::new().name_and_namespace(app).build()) + .add_data( + SECURITY_FILE_NAME, + to_java_properties_string(sec.properties.iter()) + .map_err(|_| Error::JavaProperties(SECURITY_FILE_NAME.to_string()))?, + ) + .build() +} + +pub fn security_system_property(cm_name: &str, mountpoint: &str) -> String { + format!("-D{SECURITY_SYSTEM_PROPERTY_NAME}={mountpoint}/{cm_name}") +} diff --git a/src/lib.rs b/src/lib.rs index 73b26be8..0e1bf8ea 100644 --- a/src/lib.rs +++ b/src/lib.rs @@ -8,6 +8,7 @@ pub mod cpu; pub mod crd; pub mod error; pub mod iter; +pub mod jvm; pub mod label_selector; pub mod labels; pub mod logging; From 99f5f1e288740851b712d10b1b3f770d8af9be63 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Fri, 4 Aug 2023 13:29:25 +0300 Subject: [PATCH 2/7] Added default security props. --- src/jvm/mod.rs | 35 ++++++++++++++++++++++++++++++++--- 1 file changed, 32 insertions(+), 3 deletions(-) diff --git a/src/jvm/mod.rs b/src/jvm/mod.rs index 5818cf66..51dfda3d 100644 --- a/src/jvm/mod.rs +++ b/src/jvm/mod.rs 
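Review bot: `Security.properties` is a `HashMap`, so `to_java_properties_string(sec.properties.iter())` in `security_config_map` serializes the keys in an order that can differ from one process to the next, and the `security.properties` entry of the generated ConfigMap will then differ between reconciliations even when nothing changed (unless the writer sorts its input, which I cannot see from here). For a resource whose content is compared and re-applied that means needless updates, and if a content hash ever feeds pod annotations, needless restarts; `properties: BTreeMap<String, Option<String>>,` gives a deterministic file. Separately, `.map_err(|_| Error::JavaProperties(SECURITY_FILE_NAME.to_string()))` throws away the writer's error, so a rejected key or value surfaces only as the file name; carrying the cause as a `#[source]` field on `JavaProperties` would keep it diagnosable.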
@@ -1,7 +1,7 @@ use std::collections::HashMap; use k8s_openapi::api::core::v1::ConfigMap; -use kube::Resource; +use kube::{Resource, ResourceExt}; use product_config::writer::to_java_properties_string; use schemars::JsonSchema; use serde::{Deserialize, Serialize}; @@ -18,14 +18,39 @@ pub const SECURITY_SYSTEM_PROPERTY_NAME: &str = "java.security.properties"; pub const SECURITY_FILE_NAME: &str = "security.properties"; // This is a preliminary interface. Operators should be ignorant to the actual structure. -#[derive(Clone, Debug, Default, Deserialize, Eq, JsonSchema, PartialEq, Serialize)] +#[derive(Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)] pub struct Security { properties: HashMap>, } +// TODO: decide on the defaults here +impl Default for Security { + fn default() -> Self { + Self { + properties: vec![ + ( + "networkaddress.cache.ttl".to_string(), + Some("10".to_string()), + ), + ( + "networkaddress.cache.negative.ttl".to_string(), + Some("10".to_string()), + ), + ] + .into_iter() + .collect(), + } + } +} + pub fn security_config_map(app: &T, sec: &Security) -> OperatorResult { ConfigMapBuilder::new() - .metadata(ObjectMetaBuilder::new().name_and_namespace(app).build()) + .metadata( + ObjectMetaBuilder::new() + .name_and_namespace(app) + .name(format!("{}-jvm-security", app.name_any())) + .build(), + ) .add_data( SECURITY_FILE_NAME, to_java_properties_string(sec.properties.iter()) @@ -34,6 +59,10 @@ pub fn security_config_map(app: &T, sec: &Security) -> OperatorResu .build() } +pub fn default_security_config_map(app: &T) -> OperatorResult { + security_config_map(app, &Security::default()) +} + pub fn security_system_property(cm_name: &str, mountpoint: &str) -> String { format!("-D{SECURITY_SYSTEM_PROPERTY_NAME}={mountpoint}/{cm_name}") } From 7ff08e3f8a0b554a15137d54441484ddc1e292b0 Mon Sep 17 00:00:00 2001 
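Review bot: The `Default` impl for `Security` hard-codes `networkaddress.cache.ttl` and `networkaddress.cache.negative.ttl` to `"10"` under a bare `TODO: decide on the defaults here`, with no rationale a future reader can check. I'd replace the TODO with the reason, e.g. `// Short DNS TTLs: pod IPs behind a Service or headless name change on restart, so the JVM must not hold resolved addresses for long (the JDK may otherwise cache positive results for an implementation-specific time, or forever under a SecurityManager).` — the JDK-default part is from memory and worth confirming against the java.security file shipped in the images. Both keys are JDK security properties, so they only take effect if the file is actually loaded via `java.security.properties`, which is what the rest of this module arranges. The ConfigMap name `format!("{}-jvm-security", owner.name_any())` appends 13 characters to the owner name; if an owner name is near Kubernetes' 253-character limit the apply will fail, which is probably acceptable but worth a comment.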
From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Fri, 4 Aug 2023 15:10:35 +0300 Subject: [PATCH 3/7] Fix system property value. --- src/jvm/mod.rs | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/jvm/mod.rs b/src/jvm/mod.rs index 51dfda3d..97c9f23a 100644 --- a/src/jvm/mod.rs +++ b/src/jvm/mod.rs @@ -63,6 +63,6 @@ pub fn default_security_config_map(app: &T) -> OperatorResult String { - format!("-D{SECURITY_SYSTEM_PROPERTY_NAME}={mountpoint}/{cm_name}") +pub fn security_system_property(mountpoint: &str) -> String { + format!("-D{SECURITY_SYSTEM_PROPERTY_NAME}={mountpoint}/{SECURITY_FILE_NAME}") } From a6db0aba91168e0d21a92ebaa38757b1c2364875 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Fri, 4 Aug 2023 16:14:04 +0300 Subject: [PATCH 4/7] Add labels to jvm security config map --- src/jvm/mod.rs | 23 ++++++++++++++++++----- 1 file changed, 18 insertions(+), 5 deletions(-) diff --git a/src/jvm/mod.rs b/src/jvm/mod.rs index 97c9f23a..42ab76ff 100644 --- a/src/jvm/mod.rs +++ b/src/jvm/mod.rs @@ -10,6 +10,7 @@ use crate::{ builder::{ConfigMapBuilder, ObjectMetaBuilder}, error::Error, error::OperatorResult, + labels::build_common_labels_for_all_managed_resources, }; /// JVM configuration management. @@ -43,12 +44,21 @@ impl Default for Security { } } -pub fn security_config_map(app: &T, sec: &Security) -> OperatorResult { +pub fn security_config_map>( + owner: &T, + app_name: &str, + sec: &Security, +) -> OperatorResult { ConfigMapBuilder::new() .metadata( ObjectMetaBuilder::new() - .name_and_namespace(app) - .name(format!("{}-jvm-security", app.name_any())) + .name_and_namespace(owner) + .name(format!("{}-jvm-security", owner.name_any())) + .ownerreference_from_resource(owner, None, Some(true))? + .with_labels(build_common_labels_for_all_managed_resources( + app_name, + owner.name_any().as_str(), + )) .build(), ) .add_data( 
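Review bot: `security_system_property` now emits `-Djava.security.properties={mountpoint}/security.properties` but has no doc comment saying which override mode that is; as far as I recall the JDK treats a single `=` as "amend individual keys of the master java.security file" and `==` as "replace the master file entirely", and either mode only works when `security.overridePropertiesFile=true` in the JDK's own java.security (the shipped default). The distinction is security-relevant, because a caller expecting full replacement would otherwise silently inherit the master file's `jdk.tls.disabledAlgorithms` and similar settings. I'd add above the function: `/// JVM flag that loads the mounted security file. Uses the single '=' form, so the file amends the JDK's master java.security rather than replacing it; requires security.overridePropertiesFile=true (JDK default).` and document `mountpoint` as the directory where the ConfigMap is mounted, without a trailing slash.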
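Review bot: `.ownerreference_from_resource(owner, None, Some(true))?` passes two positional `Option<bool>` arguments whose meaning is invisible at the call site; a reader cannot tell which of `blockOwnerDeletion` and `controller` is being set without opening the builder. A short trailing comment such as `// block_owner_deletion: None, controller: Some(true) — confirm against ObjectMetaBuilder's signature` would make the garbage-collection intent explicit, since, as I understand it, the controller flag is what marks this ConfigMap as managed by the CR. The body of `security_config_map` continues past the end of this hunk.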
@@ -59,8 +69,11 @@ pub fn security_config_map(app: &T, sec: &Security) -> OperatorResu .build() } -pub fn default_security_config_map(app: &T) -> OperatorResult { - security_config_map(app, &Security::default()) +pub fn default_security_config_map>( + owner: &T, + app_name: &str, +) -> OperatorResult { + security_config_map(owner, app_name, &Security::default()) } pub fn security_system_property(mountpoint: &str) -> String { From f923647ca1130924107da8cb7bd8619aa896299c Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Fri, 4 Aug 2023 16:52:10 +0300 Subject: [PATCH 5/7] Set more labels. --- src/jvm/mod.rs | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/src/jvm/mod.rs b/src/jvm/mod.rs index 42ab76ff..70146f0c 100644 --- a/src/jvm/mod.rs +++ b/src/jvm/mod.rs @@ -1,4 +1,4 @@ -use std::collections::HashMap; +use std::collections::{BTreeMap, HashMap}; use k8s_openapi::api::core::v1::ConfigMap; use kube::{Resource, ResourceExt}; @@ -10,7 +10,6 @@ use crate::{ builder::{ConfigMapBuilder, ObjectMetaBuilder}, error::Error, error::OperatorResult, - labels::build_common_labels_for_all_managed_resources, }; /// JVM configuration management. @@ -46,7 +45,7 @@ impl Default for Security { pub fn security_config_map>( owner: &T, - app_name: &str, + labels: BTreeMap, sec: &Security, ) -> OperatorResult { ConfigMapBuilder::new() @@ -55,10 +54,7 @@ pub fn security_config_map>( .name_and_namespace(owner) .name(format!("{}-jvm-security", owner.name_any())) .ownerreference_from_resource(owner, None, Some(true))? - .with_labels(build_common_labels_for_all_managed_resources( - app_name, - owner.name_any().as_str(), - )) + .with_labels(labels) .build(), ) .add_data( 
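Review bot: Switching `security_config_map` and `default_security_config_map` to take `labels: BTreeMap<String, String>` moves responsibility for the standard labels onto every caller, and the new signature does not say so; a caller passing an empty map produces a ConfigMap without whatever `app.kubernetes.io/*` labels the removed `build_common_labels_for_all_managed_resources` call supplied (assuming that is what the helper produced). I'd document the parameter: `/// labels: applied verbatim to the ConfigMap; callers must include the common recommended labels (e.g. from build_common_labels_for_all_managed_resources) so the object stays selectable.` Taking the map by value also forces a clone at every call site that still needs its labels afterwards; `&BTreeMap<String, String>` with the clone inside, or `impl Into<BTreeMap<String, String>>`, keeps that cost in one place.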
@@ -71,9 +67,9 @@ pub fn security_config_map>( pub fn default_security_config_map>( owner: &T, - app_name: &str, + labels: BTreeMap, ) -> OperatorResult { - security_config_map(owner, app_name, &Security::default()) + security_config_map(owner, labels, &Security::default()) } pub fn security_system_property(mountpoint: &str) -> String { From cf8143a640d689d5f26ed3f7610827a089002e09 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Fri, 4 Aug 2023 18:08:57 +0300 Subject: [PATCH 6/7] Some cleanup. --- src/jvm/mod.rs | 43 ++++++++++++++++++++++++++++--------------- 1 file changed, 28 insertions(+), 15 deletions(-) diff --git a/src/jvm/mod.rs b/src/jvm/mod.rs index 70146f0c..a38b779a 100644 --- a/src/jvm/mod.rs +++ b/src/jvm/mod.rs @@ -1,3 +1,5 @@ +//! JVM configuration management. +//! Currently it supports only JVM security properties. use std::collections::{BTreeMap, HashMap}; use k8s_openapi::api::core::v1::ConfigMap; 
@@ -12,28 +14,34 @@ use crate::{ error::OperatorResult, }; -/// JVM configuration management. - +/// Java system property that points to the location of the custom security configuration file pub const SECURITY_SYSTEM_PROPERTY_NAME: &str = "java.security.properties"; +/// Name of the custom security configuration file pub const SECURITY_FILE_NAME: &str = "security.properties"; -// This is a preliminary interface. Operators should be ignorant to the actual structure. +/// Seconds to cache positive DNS results. +pub const PROP_NAME_NET_ADDR_CACHE_TTL: &str = "networkaddress.cache.ttl"; +/// Seconds to cache negative DNS results. +pub const PROP_NAME_NET_ADDR_CACHE_NEGATIVE_TTL: &str = "networkaddress.cache.negative.ttl"; + +/// TODO: This is a preliminary interface. Operators should be ignorant to the actual structure. +/// Structure that holds Java security properties. #[derive(Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)] pub struct Security { properties: HashMap>, } -// TODO: decide on the defaults here +/// TODO: decide on the defaults here impl Default for Security { fn default() -> Self { Self { properties: vec![ ( - "networkaddress.cache.ttl".to_string(), + PROP_NAME_NET_ADDR_CACHE_TTL.to_string(), Some("10".to_string()), ), ( - "networkaddress.cache.negative.ttl".to_string(), + PROP_NAME_NET_ADDR_CACHE_NEGATIVE_TTL.to_string(), Some("10".to_string()), ), ] 
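Review bot: `Security` derives `Deserialize` and `JsonSchema`, so if it is exposed in a CRD spec as the `Operators should be ignorant to the actual structure` line suggests, whoever can write the custom resource can set any JDK security property — including keys such as `jdk.tls.disabledAlgorithms`, `jdk.certpath.disabledAlgorithms` or `crypto.policy` that weaken TLS and certificate validation for the whole JVM — and nothing in this module constrains the keys. That trust boundary should be stated on the struct, e.g. `/// Entries are written verbatim into the JVM's security properties file; anyone who can edit the CR can therefore relax TLS/crypto policy. Restrict or validate keys before exposing this in a CRD.` Also, `/// TODO: ...` on a pub item is rendered into the public rustdoc; keep TODOs as `// TODO` comments and reserve the `///` line for the contract. The docs on `PROP_NAME_NET_ADDR_CACHE_TTL` could note the special values (as I recall, `-1` caches forever and `0` disables caching) so the `"10"` default is readable in context.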
@@ -43,11 +51,22 @@ impl Default for Security { } } +/// Generate a config map for the given Security object. +/// +/// If no security object is given, the default from this module is used. +/// +/// The generated config map data contains a single entry with the name and contents +/// of the custom security configuration file. pub fn security_config_map>( owner: &T, labels: BTreeMap, - sec: &Security, + security_opt: &Option, ) -> OperatorResult { + let props = match security_opt { + Some(sec) => sec.properties.clone(), + _ => Security::default().properties, + }; + ConfigMapBuilder::new() .metadata( ObjectMetaBuilder::new() @@ -59,19 +78,13 @@ pub fn security_config_map>( ) .add_data( SECURITY_FILE_NAME, - to_java_properties_string(sec.properties.iter()) + to_java_properties_string(props.iter()) .map_err(|_| Error::JavaProperties(SECURITY_FILE_NAME.to_string()))?, ) .build() } -pub fn default_security_config_map>( - owner: &T, - labels: BTreeMap, -) -> OperatorResult { - security_config_map(owner, labels, &Security::default()) -} - +/// Java CLI argument for custom security configuration. pub fn security_system_property(mountpoint: &str) -> String { format!("-D{SECURITY_SYSTEM_PROPERTY_NAME}={mountpoint}/{SECURITY_FILE_NAME}") } From 2f017e4e3bf304650e77682c76091ebe34d9a4e9 Mon Sep 17 00:00:00 2001 From: Razvan-Daniel Mihai <84674+razvan@users.noreply.github.com> Date: Fri, 4 Aug 2023 18:13:19 +0300 Subject: [PATCH 7/7] Fix typo. --- src/jvm/mod.rs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/jvm/mod.rs b/src/jvm/mod.rs index a38b779a..0756e5ab 100644 --- a/src/jvm/mod.rs +++ b/src/jvm/mod.rs @@ -60,7 +60,7 @@ impl Default for Security { pub fn security_config_map>( owner: &T, labels: BTreeMap, - security_opt: &Option, + security_opt: Option<&Security>, ) -> OperatorResult { let props = match security_opt { Some(sec) => sec.properties.clone(),
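Review bot: The `match security_opt` in `security_config_map` clones the whole `properties` map on the `Some` path just to iterate it a few lines later, and uses a `_ =>` catch-all on an `Option`, which hides the `None` case. Both go away with a borrowed fallback: `let default_sec = Security::default();` followed by `let props = &security_opt.as_ref().unwrap_or(&default_sec).properties;`, leaving `to_java_properties_string(props.iter())` unchanged, at the cost of building the small default map even when it is unused. Because the ConfigMap name is the same in both cases, a reader of the cluster cannot tell whether defaults or caller-supplied properties were written; if that is intended, one sentence in the doc comment saying so would help. `security_config_map` continues past the end of this hunk.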