diff --git a/pkg/actor/decommission.go b/pkg/actor/decommission.go
index ffc05a9fb..8d44a0712 100644
--- a/pkg/actor/decommission.go
+++ b/pkg/actor/decommission.go
@@ -107,7 +107,7 @@ func (d decommission) Act(ctx context.Context, cluster *resource.Cluster, log lo
 // see https://github.com/cockroachdb/cockroach-operator/issues/204 for above TODO
 if cluster.Spec().TLSEnabled {
 conn.UseSSL = true
- conn.ClientCertificateSecretName = cluster.ClientTLSSecretName()
+ conn.ClientCertificateSecretName = cluster.ClientTLSSecretName("root")
 conn.RootCertificateSecretName = cluster.NodeTLSSecretName()
 }
 db, err := database.NewDbConnection(conn)
diff --git a/pkg/actor/generate_cert.go b/pkg/actor/generate_cert.go
index e47fa4a2e..654636333 100644
--- a/pkg/actor/generate_cert.go
+++ b/pkg/actor/generate_cert.go
@@ -101,7 +101,7 @@ func (rc *generateCert) Act(ctx context.Context, cluster *resource.Cluster, log
 // certificate should we delete the node secret?
 // generate the client certificates for the database to use
- if err := rc.generateClientCert(ctx, log, cluster); err != nil {
+ if err := rc.generateClientCert(ctx, log, cluster, "root"); err != nil {
 msg := "error generating Client Certificate"
 log.Error(err, msg)
 return errors.Wrap(err, msg)
@@ -330,11 +330,11 @@ func (rc *generateCert) generateNodeCert(ctx context.Context, log logr.Logger, c
 return rc.getCertificateExpirationDate(ctx, log, pemCert)
 }
-func (rc *generateCert) generateClientCert(ctx context.Context, log logr.Logger, cluster *resource.Cluster) error {
+func (rc *generateCert) generateClientCert(ctx context.Context, log logr.Logger, cluster *resource.Cluster, user string) error {
 log.V(DEBUGLEVEL).Info("generating client certificate")
 // load the secret. If it exists don't update the cert
- secret, err := resource.LoadTLSSecret(cluster.ClientTLSSecretName(),
+ secret, err := resource.LoadTLSSecret(cluster.ClientTLSSecretName(user),
 resource.NewKubeResource(ctx, rc.client, cluster.Namespace(), kube.DefaultPersister))
 if client.IgnoreNotFound(err) != nil {
 return errors.Wrap(err, "failed to get client TLS secret")
@@ -350,7 +350,7 @@ func (rc *generateCert) generateClientCert(ctx context.Context, log logr.Logger,
 // Create the user for the certificate
 u := &security.SQLUsername{
- U: "root",
+ U: user,
 }
 // Create the client certificates
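Review bot: The new `user` parameter of generateClientCert is never validated before it is spliced into a Kubernetes Secret name (via `cluster.ClientTLSSecretName(user)` on the LoadTLSSecret line) and, in the @@ -373 hunk below, into file names under `rc.CertsDir`; every caller in this commit passes the literal "root", so the risk is latent, but the widened signature invites other callers. A guard at the top of the function would keep the value both a valid Secret name and a single path component, e.g. `if msgs := validation.IsDNS1123Label(user); len(msgs) > 0 { return errors.Errorf("invalid client certificate user %q: %v", user, msgs) }` (k8s.io/apimachinery/pkg/util/validation, not visible in this hunk's imports). The `security.SQLUsername{U: user}` literal in the second hunk also bypasses any normalization the SQLUsername constructors apply, so the certificate CN may not match a user whose SQL name is stored lowercased — worth confirming against the cockroach version in use. The function gained a parameter without a doc comment; `// generateClientCert creates the client certificate and key for the SQL user "user" and stores them in that user's client TLS secret, leaving an existing secret untouched.` would cover it. generateClientCert's body continues past this hunk.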
@@ -373,18 +373,18 @@ func (rc *generateCert) generateClientCert(ctx context.Context, log logr.Logger,
 return errors.Wrap(err, "unable to read ca.crt")
 }
- pemCert, err := os.ReadFile(filepath.Join(rc.CertsDir, "client.root.crt"))
+ pemCert, err := os.ReadFile(filepath.Join(rc.CertsDir, fmt.Sprintf("client.%s.crt", user)))
 if err != nil {
- return errors.Wrap(err, "unable to read client.root.crt")
+ return errors.Wrap(err, fmt.Sprintf("unable to read client.%s.crt", user))
 }
- pemKey, err := os.ReadFile(filepath.Join(rc.CertsDir, "client.root.key"))
+ pemKey, err := os.ReadFile(filepath.Join(rc.CertsDir, fmt.Sprintf("client.%s.key", user)))
 if err != nil {
- return errors.Wrap(err, "unable to read client.root.key")
+ return errors.Wrap(err, fmt.Sprintf("unable to read client.%s.key", user))
 }
 // create and save the TLS certificates into a secret
- secret = resource.CreateTLSSecret(cluster.ClientTLSSecretName(),
+ secret = resource.CreateTLSSecret(cluster.ClientTLSSecretName(user),
 resource.NewKubeResource(ctx, rc.client, cluster.Namespace(), kube.DefaultPersister))
 if err = secret.UpdateCertAndKeyAndCA(pemCert, pemKey, ca, log); err != nil {
diff --git a/pkg/actor/partitioned_update.go b/pkg/actor/partitioned_update.go
index c9bf48c3c..5078e085f 100644
--- a/pkg/actor/partitioned_update.go
+++ b/pkg/actor/partitioned_update.go
@@ -155,7 +155,7 @@ func (up *partitionedUpdate) Act(ctx context.Context, cluster *resource.Cluster,
 if cluster.Spec().TLSEnabled {
 conn.UseSSL = true
- conn.ClientCertificateSecretName = cluster.ClientTLSSecretName()
+ conn.ClientCertificateSecretName = cluster.ClientTLSSecretName("root")
 conn.RootCertificateSecretName = cluster.NodeTLSSecretName()
 }
diff --git a/pkg/resource/cluster.go b/pkg/resource/cluster.go
index cbbeb3b4b..1323a7739 100644
--- a/pkg/resource/cluster.go
+++ b/pkg/resource/cluster.go
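Review bot: The two new error returns wrap with `errors.Wrap(err, fmt.Sprintf(...))`, which the errors package already expresses as a single call: `return errors.Wrapf(err, "unable to read client.%s.crt", user)` and likewise `return errors.Wrapf(err, "unable to read client.%s.key", user)`. This hunk also introduces the file's first visible use of `fmt`, but no import change for generate_cert.go appears in the diff; presumably the import already exists, worth a glance. The file names built from `user` here share the validation gap raised on the @@ -330 hunk above. generateClientCert's body continues on both sides of this hunk.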
@@ -307,12 +307,12 @@ func (cluster Cluster) NodeTLSSecretName() string {
 return fmt.Sprintf("%s-node", cluster.Name())
 }
-func (cluster Cluster) ClientTLSSecretName() string {
+func (cluster Cluster) ClientTLSSecretName(user string) string {
 if cluster.Spec().ClientTLSSecret != "" {
 return cluster.Spec().ClientTLSSecret
 }
- return fmt.Sprintf("%s-root", cluster.Name())
+ return fmt.Sprintf("%s-%s", cluster.Name(), user)
 }
 func (cluster Cluster) CASecretName() string {
 return fmt.Sprintf("%s-ca", cluster.Name())
diff --git a/pkg/resource/cluster_test.go b/pkg/resource/cluster_test.go
index ea82ee860..b09f633ba 100644
--- a/pkg/resource/cluster_test.go
+++ b/pkg/resource/cluster_test.go
@@ -5,7 +5,7 @@ Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
- https://www.apache.org/licenses/LICENSE-2.0
+ https://www.apache.org/licenses/LICENSE-2.0
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,
@@ -75,7 +75,7 @@ func TestClusterTLSSecrets(t *testing.T) {
 if tt.clientTLSSecretName != "" {
 expected = tt.clientTLSSecretName
- actual = tt.cluster.ClientTLSSecretName()
+ actual = tt.cluster.ClientTLSSecretName("root")
 }
 diff := cmp.Diff(expected, actual, testutil.RuntimeObjCmpOpts...)
diff --git a/pkg/resource/statefulset.go b/pkg/resource/statefulset.go
index f12fd5cd0..3e8dfeeed 100644
--- a/pkg/resource/statefulset.go
+++ b/pkg/resource/statefulset.go
@@ -344,7 +344,7 @@ func (b StatefulSetBuilder) nodeTLSSecretName() string {
 func (b StatefulSetBuilder) clientTLSSecretName() string {
 if b.Spec().ClientTLSSecret == "" {
- return b.Cluster.ClientTLSSecretName()
+ return b.Cluster.ClientTLSSecretName("root")
 }
 return b.Spec().ClientTLSSecret
diff --git a/pkg/testutil/require.go b/pkg/testutil/require.go
index 8255d4c43..eeda81aeb 100644
--- a/pkg/testutil/require.go
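Review bot: The Spec().ClientTLSSecret override on the first line of the new ClientTLSSecretName body ignores `user`, so as soon as a caller asks for any name other than "root" it is handed whatever secret the operator configured there — going by the call sites, the root client certificate — and generateClientCert would then load and reuse that secret instead of issuing a certificate for the requested user. If the override is meant only for the root client certificate, gate it: `if user == "root" && cluster.Spec().ClientTLSSecret != "" {`; with every caller in this commit passing "root" that is behaviour-preserving today. Either way the exported method needs a doc comment stating the rule, e.g. `// ClientTLSSecretName returns the name of the Secret holding the client certificate for the given SQL user; when Spec.ClientTLSSecret is set it is returned for every user.`. The cluster_test hunk below only exercises the "root" argument in the override branch, so a case with a second user would pin whichever behaviour is intended.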
+++ b/pkg/testutil/require.go
@@ -230,7 +230,7 @@ func RequireDownGradeOptionSet(t *testing.T, sb testenv.DiffingSandbox, b Cluste
 DatabaseName: "system",
 RunningInsideK8s: false,
- ClientCertificateSecretName: b.Cluster().ClientTLSSecretName(),
+ ClientCertificateSecretName: b.Cluster().ClientTLSSecretName("root"),
 RootCertificateSecretName: b.Cluster().NodeTLSSecretName(),
 }
@@ -391,7 +391,7 @@ func requireDatabaseToFunction(t *testing.T, sb testenv.DiffingSandbox, b Cluste
 // set the client certs since we are using SSL
 if useSSL {
- conn.ClientCertificateSecretName = b.Cluster().ClientTLSSecretName()
+ conn.ClientCertificateSecretName = b.Cluster().ClientTLSSecretName("root")
 conn.RootCertificateSecretName = b.Cluster().NodeTLSSecretName()
 }