Add user parameter to client certificate logic #973

2 changes: 1 addition & 1 deletion pkg/actor/decommission.go
Expand Up @@ -107,7 +107,7 @@ func (d decommission) Act(ctx context.Context, cluster *resource.Cluster, log lo
// see https://github.com/cockroachdb/cockroach-operator/issues/204 for above TODO
if cluster.Spec().TLSEnabled {
conn.UseSSL = true
conn.ClientCertificateSecretName = cluster.ClientTLSSecretName()
conn.ClientCertificateSecretName = cluster.ClientTLSSecretName("root")
conn.RootCertificateSecretName = cluster.NodeTLSSecretName()
}
db, err := database.NewDbConnection(conn)
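Review bot: The SQL user is now a bare string literal "root" at this call site (and likewise in partitioned_update.go, statefulset.go and the test helpers), which nothing keeps in sync and which hides that decommission runs with the superuser's client certificate. A single exported constant next to ClientTLSSecretName, `// RootSQLUser is the SQL user whose client certificate the operator uses for its own connections.` / `const RootSQLUser = "root"`, and `conn.ClientCertificateSecretName = cluster.ClientTLSSecretName(resource.RootSQLUser)` here would make both the coupling and the privilege level explicit. decommission's Act begins before this hunk and continues after it.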
18 changes: 9 additions & 9 deletions pkg/actor/generate_cert.go
Expand Up @@ -101,7 +101,7 @@ func (rc *generateCert) Act(ctx context.Context, cluster *resource.Cluster, log
// certificate should we delete the node secret?

// generate the client certificates for the database to use
if err := rc.generateClientCert(ctx, log, cluster); err != nil {
if err := rc.generateClientCert(ctx, log, cluster, "root"); err != nil {
msg := "error generating Client Certificate"
log.Error(err, msg)
return errors.Wrap(err, msg)
Expand Down Expand Up @@ -330,11 +330,11 @@ func (rc *generateCert) generateNodeCert(ctx context.Context, log logr.Logger, c
return rc.getCertificateExpirationDate(ctx, log, pemCert)
}

func (rc *generateCert) generateClientCert(ctx context.Context, log logr.Logger, cluster *resource.Cluster) error {
func (rc *generateCert) generateClientCert(ctx context.Context, log logr.Logger, cluster *resource.Cluster, user string) error {
log.V(DEBUGLEVEL).Info("generating client certificate")

// load the secret. If it exists don't update the cert
secret, err := resource.LoadTLSSecret(cluster.ClientTLSSecretName(),
secret, err := resource.LoadTLSSecret(cluster.ClientTLSSecretName(user),
resource.NewKubeResource(ctx, rc.client, cluster.Namespace(), kube.DefaultPersister))
if client.IgnoreNotFound(err) != nil {
return errors.Wrap(err, "failed to get client TLS secret")
Expand All @@ -350,7 +350,7 @@ func (rc *generateCert) generateClientCert(ctx context.Context, log logr.Logger,

// Create the user for the certificate
u := &security.SQLUsername{
U: "root",
U: user,
}

// Create the client certificates
Expand All @@ -373,18 +373,18 @@ func (rc *generateCert) generateClientCert(ctx context.Context, log logr.Logger,
return errors.Wrap(err, "unable to read ca.crt")
}

pemCert, err := os.ReadFile(filepath.Join(rc.CertsDir, "client.root.crt"))
pemCert, err := os.ReadFile(filepath.Join(rc.CertsDir, fmt.Sprintf("client.%s.crt", user)))
if err != nil {
return errors.Wrap(err, "unable to read client.root.crt")
return errors.Wrap(err, fmt.Sprintf("unable to read client.%s.crt", user))
}

pemKey, err := os.ReadFile(filepath.Join(rc.CertsDir, "client.root.key"))
pemKey, err := os.ReadFile(filepath.Join(rc.CertsDir, fmt.Sprintf("client.%s.key", user)))
if err != nil {
return errors.Wrap(err, "unable to read client.root.key")
return errors.Wrap(err, fmt.Sprintf("unable to read client.%s.key", user))
}

// create and save the TLS certificates into a secret
secret = resource.CreateTLSSecret(cluster.ClientTLSSecretName(),
secret = resource.CreateTLSSecret(cluster.ClientTLSSecretName(user),
resource.NewKubeResource(ctx, rc.client, cluster.Namespace(), kube.DefaultPersister))

if err = secret.UpdateCertAndKeyAndCA(pemCert, pemKey, ca, log); err != nil {
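Review bot: `user` is now interpolated unvalidated into a path under rc.CertsDir (`client.%s.crt`, `client.%s.key`) and into a Kubernetes secret name via cluster.ClientTLSSecretName(user), yet generateClientCert rejects neither an empty string nor a path separator. The only caller today passes the literal "root", so this is latent, but once a CRD field feeds the parameter it becomes a path-traversal and invalid-object-name bug; a guard before the secret lookup closes it: `if user == "" || strings.ContainsAny(user, "/\\") { return errors.Errorf("invalid SQL user %q for client certificate", user) }` (strings would need importing, and the character set can be tightened to what `cockroach cert` accepts). Separately, `errors.Wrap(err, fmt.Sprintf(...))` on the two read failures is what `errors.Wrapf(err, "unable to read client.%s.crt", user)` exists for, and the debug line would carry more signal as `log.V(DEBUGLEVEL).Info("generating client certificate", "user", user)`. generateClientCert continues past the end of this section.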
2 changes: 1 addition & 1 deletion pkg/actor/partitioned_update.go
Expand Up @@ -155,7 +155,7 @@ func (up *partitionedUpdate) Act(ctx context.Context, cluster *resource.Cluster,

if cluster.Spec().TLSEnabled {
conn.UseSSL = true
conn.ClientCertificateSecretName = cluster.ClientTLSSecretName()
conn.ClientCertificateSecretName = cluster.ClientTLSSecretName("root")
conn.RootCertificateSecretName = cluster.NodeTLSSecretName()
}

4 changes: 2 additions & 2 deletions pkg/resource/cluster.go
Expand Up @@ -307,12 +307,12 @@ func (cluster Cluster) NodeTLSSecretName() string {
return fmt.Sprintf("%s-node", cluster.Name())
}

func (cluster Cluster) ClientTLSSecretName() string {
func (cluster Cluster) ClientTLSSecretName(user string) string {
if cluster.Spec().ClientTLSSecret != "" {
return cluster.Spec().ClientTLSSecret
}

return fmt.Sprintf("%s-root", cluster.Name())
return fmt.Sprintf("%s-%s", cluster.Name(), user)
}
func (cluster Cluster) CASecretName() string {
return fmt.Sprintf("%s-ca", cluster.Name())
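Review bot: When Spec().ClientTLSSecret is set the new `user` argument is ignored and every caller receives the same operator-supplied secret, so a future call for a less-privileged user would silently be handed the root client certificate. If the override is meant to cover only the operator's own root connection, say so in code, `if user == "root" && cluster.Spec().ClientTLSSecret != "" {`, and on the method with a comment such as `// ClientTLSSecretName returns the secret holding the client certificate for user; the spec-level ClientTLSSecret override replaces only the root user's secret.` Separately, the `%s-%s` form embeds the SQL user verbatim in a Kubernetes object name, which must be a DNS-1123 subdomain (lowercase alphanumerics, '-' and '.'); if CockroachDB usernames may contain underscores or uppercase letters, some valid users will yield a secret name the API server rejects, so either sanitize here or validate at the source.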
4 changes: 2 additions & 2 deletions pkg/resource/cluster_test.go
Expand Up @@ -5,7 +5,7 @@ Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

https://www.apache.org/licenses/LICENSE-2.0
https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
Expand Down Expand Up @@ -75,7 +75,7 @@ func TestClusterTLSSecrets(t *testing.T) {

if tt.clientTLSSecretName != "" {
expected = tt.clientTLSSecretName
actual = tt.cluster.ClientTLSSecretName()
actual = tt.cluster.ClientTLSSecretName("root")
}

diff := cmp.Diff(expected, actual, testutil.RuntimeObjCmpOpts...)
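Review bot: The updated call `actual = tt.cluster.ClientTLSSecretName("root")` still sits inside `if tt.clientTLSSecretName != ""`, i.e. only the override branch, so the new `%s-%s` default with the user parameter is not exercised by any case visible here. A case with no ClientTLSSecret override that checks a non-root name, e.g. `if got := tt.cluster.ClientTLSSecretName("app"); got != tt.cluster.Name()+"-app" { t.Errorf("unexpected client secret name %q", got) }`, would pin the behaviour this PR introduces. The table definition and the remainder of TestClusterTLSSecrets are outside this section, so it may already cover the default branch for root only.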
2 changes: 1 addition & 1 deletion pkg/resource/statefulset.go
Expand Up @@ -344,7 +344,7 @@ func (b StatefulSetBuilder) nodeTLSSecretName() string {

func (b StatefulSetBuilder) clientTLSSecretName() string {
if b.Spec().ClientTLSSecret == "" {
return b.Cluster.ClientTLSSecretName()
return b.Cluster.ClientTLSSecretName("root")
}

return b.Spec().ClientTLSSecret
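Review bot: clientTLSSecretName tests Spec().ClientTLSSecret and then calls Cluster.ClientTLSSecretName("root"), which repeats the same override check, so the outer branch is redundant if b.Spec() and b.Cluster.Spec() refer to the same spec. The method could reduce to `return b.Cluster.ClientTLSSecretName("root")`, keeping the override logic in one place. If the two specs can legitimately diverge, a one-line comment stating that would explain why the check is duplicated here.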
4 changes: 2 additions & 2 deletions pkg/testutil/require.go
Expand Up @@ -230,7 +230,7 @@ func RequireDownGradeOptionSet(t *testing.T, sb testenv.DiffingSandbox, b Cluste
DatabaseName: "system",

RunningInsideK8s: false,
ClientCertificateSecretName: b.Cluster().ClientTLSSecretName(),
ClientCertificateSecretName: b.Cluster().ClientTLSSecretName("root"),
RootCertificateSecretName: b.Cluster().NodeTLSSecretName(),
}

Expand Down Expand Up @@ -391,7 +391,7 @@ func requireDatabaseToFunction(t *testing.T, sb testenv.DiffingSandbox, b Cluste

// set the client certs since we are using SSL
if useSSL {
conn.ClientCertificateSecretName = b.Cluster().ClientTLSSecretName()
conn.ClientCertificateSecretName = b.Cluster().ClientTLSSecretName("root")
conn.RootCertificateSecretName = b.Cluster().NodeTLSSecretName()
}
