Merge pull request #820 from securesign/migrate_trillian

Migrate trillian

Author: openshift-merge-bot[bot]

internal/controller/common/utils/kubernetes/deployment.go

@@ -128,6 +128,16 @@ func FindContainerByNameOrCreate(podSpec *corev1.PodSpec, containerName string)
 	return &podSpec.Containers[len(podSpec.Containers)-1]
 }
 
+func FindInitContainerByNameOrCreate(podSpec *corev1.PodSpec, containerName string) *corev1.Container {
+	for i, c := range podSpec.InitContainers {
+		if c.Name == containerName {
+			return &podSpec.InitContainers[i]
+		}
+	}
+	podSpec.InitContainers = append(podSpec.InitContainers, corev1.Container{Name: containerName})
+	return &podSpec.InitContainers[len(podSpec.InitContainers)-1]
+}
+
 func FindVolumeByNameOrCreate(podSpec *corev1.PodSpec, volumeName string) *corev1.Volume {
 	for i, v := range podSpec.Volumes {
 		if v.Name == volumeName {

internal/controller/common/utils/kubernetes/ensure/deployment.go

@@ -1,33 +1,44 @@
 package ensure
 
 import (
+	"slices"
+
 	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/common/utils"
 	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
 	v1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
 )
 
+const (
+	CaTrustVolumeName = "ca-trust"
+	TLSVolumeName     = "tls-cert"
+	CATRustMountPath  = "/var/run/configs/tas/ca-trust"
+
+	TLSVolumeMount = "/var/run/secrets/tas"
+
+	TLSKeyPath  = TLSVolumeMount + "/tls.key"
+	TLSCertPath = TLSVolumeMount + "/tls.crt"
+)
+
 func Proxy() func(*v1.Deployment) error {
 	return func(dp *v1.Deployment) error {
 		utils.SetProxyEnvs(dp)
 		return nil
 	}
 }
 
-const CaTrustVolumeName = "ca-trust"
-
 // TrustedCA mount config map with trusted CA bundle to all deployment's containers.
 func TrustedCA(lor *v1alpha1.LocalObjectReference) func(dp *v1.Deployment) error {
 	return func(dp *v1.Deployment) error {
 
 		template := &dp.Spec.Template
 		for i := range template.Spec.Containers {
 			env := kubernetes.FindEnvByNameOrCreate(&template.Spec.Containers[i], "SSL_CERT_DIR")
-			env.Value = "/var/run/configs/tas/ca-trust:/var/run/secrets/kubernetes.io/serviceaccount"
+			env.Value = CATRustMountPath + ":/var/run/secrets/kubernetes.io/serviceaccount"
 
 			volumeMount := kubernetes.FindVolumeMountByNameOrCreate(&template.Spec.Containers[i], CaTrustVolumeName)
-			volumeMount.MountPath = "/var/run/configs/tas/ca-trust"
+			volumeMount.MountPath = CATRustMountPath
 			volumeMount.ReadOnly = true
 
 		}
@@ -52,3 +63,52 @@ func TrustedCA(lor *v1alpha1.LocalObjectReference) func(dp *v1.Deployment) error
 		return nil
 	}
 }
+
+// TLS mount secret with tls cert to all deployment's containers.
+func TLS(tls v1alpha1.TLS, containerNames ...string) func(dp *v1.Deployment) error {
+	return func(dp *v1.Deployment) error {
+		template := &dp.Spec.Template
+
+		for i, c := range template.Spec.Containers {
+			if slices.Contains(containerNames, c.Name) {
+				volumeMount := kubernetes.FindVolumeMountByNameOrCreate(&template.Spec.Containers[i], TLSVolumeName)
+				volumeMount.MountPath = TLSVolumeMount
+				volumeMount.ReadOnly = true
+			}
+		}
+
+		volume := kubernetes.FindVolumeByNameOrCreate(&template.Spec, TLSVolumeName)
+		if volume.Projected == nil {
+			volume.Projected = &corev1.ProjectedVolumeSource{}
+		}
+		volume.Projected.Sources = []corev1.VolumeProjection{
+			{
+				Secret: &corev1.SecretProjection{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: tls.CertRef.Name,
+					},
+					Items: []corev1.KeyToPath{
+						{
+							Key:  tls.CertRef.Key,
+							Path: "tls.crt",
+						},
+					},
+				},
+			},
+			{
+				Secret: &corev1.SecretProjection{
+					LocalObjectReference: corev1.LocalObjectReference{
+						Name: tls.PrivateKeyRef.Name,
+					},
+					Items: []corev1.KeyToPath{
+						{
+							Key:  tls.PrivateKeyRef.Key,
+							Path: "tls.key",
+						},
+					},
+				},
+			},
+		}
+		return nil
+	}
+}

internal/controller/common/utils/kubernetes/ensure/deployment_test.go

@@ -5,6 +5,7 @@ import (
 	"testing"
 
 	"github.com/onsi/gomega"
+	"github.com/securesign/operator/api/v1alpha1"
 	"github.com/securesign/operator/internal/controller/annotations"
 	"github.com/securesign/operator/internal/controller/common/utils"
 	"github.com/securesign/operator/internal/controller/common/utils/kubernetes"
@@ -63,3 +64,79 @@ func TestEnsureTrustedCAFromAnnotations(t *testing.T) {
 
 	})
 }
+
+func TestEnsureTLS(t *testing.T) {
+	gomega.RegisterTestingT(t)
+	t.Run("update existing object", func(t *testing.T) {
+
+		ctx := context.TODO()
+		c := testAction.FakeClientBuilder().
+			WithObjects(&v1.Deployment{
+				ObjectMeta: v2.ObjectMeta{Name: name, Namespace: "default"},
+				Spec: v1.DeploymentSpec{
+					Template: v3.PodTemplateSpec{
+						Spec: v3.PodSpec{
+							Containers: []v3.Container{
+								{Name: name, Image: "test"},
+								{Name: "doNotUpdate", Image: "test"},
+							},
+						},
+					},
+				},
+			}).
+			Build()
+
+		result, err := kubernetes.CreateOrUpdate(ctx, c,
+			&v1.Deployment{ObjectMeta: v2.ObjectMeta{Name: name, Namespace: "default"}},
+			TLS(v1alpha1.TLS{
+				PrivateKeyRef: &v1alpha1.SecretKeySelector{
+					LocalObjectReference: v1alpha1.LocalObjectReference{
+						Name: "testSecret",
+					},
+					Key: "key",
+				},
+				CertRef: &v1alpha1.SecretKeySelector{
+					LocalObjectReference: v1alpha1.LocalObjectReference{
+						Name: "testSecret",
+					},
+					Key: "cert",
+				},
+			}, name),
+		)
+		gomega.Expect(err).ToNot(gomega.HaveOccurred())
+
+		gomega.Expect(result).To(gomega.Equal(controllerutil.OperationResultUpdated))
+
+		existing := &v1.Deployment{}
+		gomega.Expect(c.Get(ctx, client.ObjectKey{Namespace: "default", Name: name}, existing)).To(gomega.Succeed())
+
+		gomega.Expect(existing.Spec.Template.Spec.Containers[0].VolumeMounts).To(gomega.HaveLen(1))
+		gomega.Expect(existing.Spec.Template.Spec.Containers[0].VolumeMounts[0].Name).To(gomega.Equal(TLSVolumeName))
+		gomega.Expect(existing.Spec.Template.Spec.Containers[0].VolumeMounts[0].MountPath).To(gomega.Equal("/var/run/secrets/tas"))
+
+		gomega.Expect(existing.Spec.Template.Spec.Containers[1].VolumeMounts).To(gomega.BeEmpty())
+
+		gomega.Expect(existing.Spec.Template.Spec.Volumes).To(gomega.HaveLen(1))
+		gomega.Expect(existing.Spec.Template.Spec.Volumes[0].Name).To(gomega.Equal(TLSVolumeName))
+		gomega.Expect(existing.Spec.Template.Spec.Volumes[0].Projected.Sources).To(gomega.HaveLen(2))
+		gomega.Expect(existing.Spec.Template.Spec.Volumes[0].Projected.Sources).To(gomega.ContainElements(
+			gomega.And(
+				gomega.WithTransform(func(s v3.VolumeProjection) string {
+					return s.Secret.Name
+				}, gomega.Equal("testSecret")),
+				gomega.WithTransform(func(s v3.VolumeProjection) string {
+					return s.Secret.Items[0].Key
+				}, gomega.Equal("key")),
+			),
+			gomega.And(
+				gomega.WithTransform(func(s v3.VolumeProjection) string {
+					return s.Secret.Name
+				}, gomega.Equal("testSecret")),
+				gomega.WithTransform(func(s v3.VolumeProjection) string {
+					return s.Secret.Items[0].Key
+				}, gomega.Equal("cert")),
+			),
+		))
+
+	})
+}

internal/controller/common/utils/set_tls.go

@@ -22,4 +22,11 @@ const (
 	ServerPortName  = "grpc"
 	MetricsPort     = 8090
 	MetricsPortName = "metrics"
+
+	SecretRootPassword = "mysql-root-password"
+	SecretPassword     = "mysql-password"
+	SecretDatabaseName = "mysql-database"
+	SecretUser         = "mysql-user"
+	SecretPort         = "mysql-port"
+	SecretHost         = "mysql-host"
 )