[SECURESIGN-1393] Migrate trillian

Author: bouskaJ

internal/controller/common/utils/kubernetes/ensure/deployment.go

@@ -8,15 +8,23 @@ import (
 	corev1 "k8s.io/api/core/v1"
 )
 
+const (
+	CaTrustVolumeName = "ca-trust"
+	TLSVolumeName     = "tls-cert"
+
+	TLSVolumeMount = "/var/run/secrets/tas"
+
+	TLSKeyPath  = TLSVolumeMount + "/tls.key"
+	TLSCertPath = TLSVolumeMount + "/tls.crt"
+)
+
 func Proxy() func(*v1.Deployment) error {
 	return func(dp *v1.Deployment) error {
 		utils.SetProxyEnvs(dp)
 		return nil
 	}
 }
 
-const CaTrustVolumeName = "ca-trust"
-
 // TrustedCA mount config map with trusted CA bundle to all deployment's containers.
 func TrustedCA(lor *v1alpha1.LocalObjectReference) func(dp *v1.Deployment) error {
 	return func(dp *v1.Deployment) error {
@@ -52,3 +60,50 @@ func TrustedCA(lor *v1alpha1.LocalObjectReference) func(dp *v1.Deployment) error
 		return nil
 	}
 }
+
+// TLS mount secret with tls cert to all deployment's containers.
+func TLS(tls v1alpha1.TLS) func(dp *v1.Deployment) error {
+	return func(dp *v1.Deployment) error {
+		template := &dp.Spec.Template
+
+		for i := range template.Spec.Containers {
+			volumeMount := kubernetes.FindVolumeMountByNameOrCreate(&template.Spec.Containers[i], TLSVolumeName)
+			volumeMount.MountPath = TLSVolumeMount
+			volumeMount.ReadOnly = true
+		}
+
+		volume := kubernetes.FindVolumeByNameOrCreate(&template.Spec, TLSVolumeName)
+		if volume.Projected == nil {
+			volume.Projected = &corev1.ProjectedVolumeSource{}
+		}
+		volume.Projected.Sources = []corev1.VolumeProjection{
+			{
+				Secret: &corev1.SecretProjection{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: tls.CertRef.Name,
+					},
+					Items: []corev1.KeyToPath{
+						{
+							Key:  tls.CertRef.Key,
+							Path: "tls.crt",
+						},
+					},
+				},
+			},
+			{
+				Secret: &corev1.SecretProjection{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: tls.PrivateKeyRef.Name,
+					},
+					Items: []corev1.KeyToPath{
+						{
+							Key:  tls.PrivateKeyRef.Key,
+							Path: "tls.key",
+						},
+					},
+				},
+			},
+		}
+		return nil
+	}
+}

internal/controller/common/utils/kubernetes/ensure/deployment_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/onsi/gomega"
+	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/annotations"
 	"github.com/securesign/operator/internal/controller/common/utils"
 	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
@@ -63,3 +64,76 @@ func TestEnsureTrustedCAFromAnnotations(t *testing.T) {
 
 	})
 }
+
+func TestEnsureTLS(t *testing.T) {
+	gomega.RegisterTestingT(t)
+	t.Run("update existing object", func(t *testing.T) {
+
+		ctx := context.TODO()
+		c := testAction.FakeClientBuilder().
+			WithObjects(&v1.Deployment{
+				ObjectMeta: v2.ObjectMeta{Name: name, Namespace: "default"},
+				Spec: v1.DeploymentSpec{
+					Template: v3.PodTemplateSpec{
+						Spec: v3.PodSpec{
+							Containers: []v3.Container{
+								{Name: name, Image: "test"},
+							},
+						},
+					},
+				},
+			}).
+			Build()
+
+		result, err := kubernetes.CreateOrUpdate(ctx, c,
+			&v1.Deployment{ObjectMeta: v2.ObjectMeta{Name: name, Namespace: "default"}},
+			TLS(v1alpha1.TLS{
+				PrivateKeyRef: &v1alpha1.SecretKeySelector{
+					LocalObjectReference: v1alpha1.LocalObjectReference{
+						Name: "testSecret",
+					},
+					Key: "key",
+				},
+				CertRef: &v1alpha1.SecretKeySelector{
+					LocalObjectReference: v1alpha1.LocalObjectReference{
+						Name: "testSecret",
+					},
+					Key: "cert",
+				},
+			}),
+		)
+		gomega.Expect(err).ToNot(gomega.HaveOccurred())
+
+		gomega.Expect(result).To(gomega.Equal(controllerutil.OperationResultUpdated))
+
+		existing := &v1.Deployment{}
+		gomega.Expect(c.Get(ctx, client.ObjectKey{Namespace: "default", Name: name}, existing)).To(gomega.Succeed())
+
+		gomega.Expect(existing.Spec.Template.Spec.Containers[0].VolumeMounts).To(gomega.HaveLen(1))
+		gomega.Expect(existing.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name).To(gomega.Equal(TLSVolumeName))
+		gomega.Expect(existing.Spec.Template.Spec.Containers[0].VolumeMounts[0].MountPath).To(gomega.Equal("/var/run/secrets/tas"))
+
+		gomega.Expect(existing.Spec.Template.Spec.Volumes).To(gomega.HaveLen(1))
+		gomega.Expect(existing.Spec.Template.Spec.Volumes[0].Name).To(gomega.Equal(TLSVolumeName))
+		gomega.Expect(existing.Spec.Template.Spec.Volumes[0].Projected.Sources).To(gomega.HaveLen(2))
+		gomega.Expect(existing.Spec.Template.Spec.Volumes[0].Projected.Sources).To(gomega.ContainElements(
+			gomega.And(
+				gomega.WithTransform(func(s v3.VolumeProjection) string {
+					return s.Secret.Name
+				}, gomega.Equal("testSecret")),
+				gomega.WithTransform(func(s v3.VolumeProjection) string {
+					return s.Secret.Items[0].Key
+				}, gomega.Equal("key")),
+			),
+			gomega.And(
+				gomega.WithTransform(func(s v3.VolumeProjection) string {
+					return s.Secret.Name
+				}, gomega.Equal("testSecret")),
+				gomega.WithTransform(func(s v3.VolumeProjection) string {
+					return s.Secret.Items[0].Key
+				}, gomega.Equal("cert")),
+			),
+		))
+
+	})
+}

internal/controller/common/utils/set_tls.go

@@ -22,4 +22,11 @@ const (
 	ServerPortName  = "grpc"
 	MetricsPort     = 8090
 	MetricsPortName = "metrics"
+
+	SecretRootPassword = "mysql-root-password"
+	SecretPassword     = "mysql-password"
+	SecretDatabaseName = "mysql-database"
+	SecretUser         = "mysql-user"
+	SecretPort         = "mysql-port"
+	SecretHost         = "mysql-host"
 )