Improve Bastion certs default secretName (datastax#139)

nicoloboschi · web-flow · commit e0be08410a37 · 2023-08-30T11:11:52.000+02:00
diff --git a/.github/workflows/ci-test.yaml b/.github/workflows/ci-test.yaml
@@ -32,6 +32,7 @@ jobs:
           if [[ `git status --porcelain` ]]; then
             echo "Found files changed after building, please run ./src/generate-crds-docs.sh and commit the changes"
             git status
+            git diff
             exit 1
           fi
       
diff --git a/operator/src/main/java/com/datastax/oss/kaap/controllers/BaseResourcesFactory.java b/operator/src/main/java/com/datastax/oss/kaap/controllers/BaseResourcesFactory.java
@@ -538,10 +538,6 @@ public static String getTlsSsCaSecretName(GlobalSpec global) {
                 "%s-ss-ca".formatted(global.getName()));
     }
 
-    protected String getTlsSsCaSecretName() {
-        return getTlsSsCaSecretName(global);
-    }
-
     protected String getTlsSecretNameForAutorecovery() {
         final String name = global.getTls().getAutorecovery() == null
                 ? null : global.getTls().getAutorecovery().getSecretName();
diff --git a/operator/src/main/java/com/datastax/oss/kaap/controllers/bastion/BastionResourcesFactory.java b/operator/src/main/java/com/datastax/oss/kaap/controllers/bastion/BastionResourcesFactory.java
@@ -128,8 +128,11 @@ public void patchDeployment() {
 
         List<VolumeMount> volumeMounts = new ArrayList<>();
         List<Volume> volumes = new ArrayList<>();
-        if (isTlsEnabledOnProxy() || isTlsEnabledOnBroker()) {
-            addTlsVolumes(volumeMounts, volumes, getTlsSsCaSecretName());
+        boolean targetProxy = spec.getTargetProxy() != null && spec.getTargetProxy();
+        boolean targetTlsEnabled = targetProxy ? isTlsEnabledOnProxy() : isTlsEnabledOnBroker();
+        if (targetTlsEnabled) {
+            final String secret = targetProxy ? getTlsSecretNameForProxy() : getTlsSecretNameForBroker();
+            addTlsVolumes(volumeMounts, volumes, secret);
         }
         String mainArg = "";
 
diff --git a/operator/src/test/java/com/datastax/oss/kaap/controllers/bastion/BastionControllerTest.java b/operator/src/test/java/com/datastax/oss/kaap/controllers/bastion/BastionControllerTest.java
@@ -254,10 +254,31 @@ public void testTlsEnabledOnBroker() throws Exception {
         final Deployment deployment = client.getCreatedResource(Deployment.class).getResource();
         KubeTestUtil.assertTlsVolumesMounted(
                 deployment,
-                "pul-ss-ca"
+                "pulsar-tls"
         );
     }
 
+    @Test
+    public void testTlsEnabledOnBrokerWithPerComponentCert() throws Exception {
+        String spec = """
+                global:
+                    name: pul
+                    persistence: false
+                    image: apachepulsar/pulsar:global
+                    tls:
+                        enabled: true
+                        broker:
+                            enabled: true
+                            secretName: broker-tls
+                bastion:
+                    targetProxy: false
+                """;
+        MockKubernetesClient client = invokeController(spec);
+
+        final Deployment deployment = client.getCreatedResource(Deployment.class).getResource();
+        KubeTestUtil.assertTlsVolumesMounted(deployment, "broker-tls");
+    }
+
     @Test
     public void testTlsEnabledOnProxy() throws Exception {
         String spec = """
@@ -294,10 +315,31 @@ public void testTlsEnabledOnProxy() throws Exception {
         final Deployment deployment = client.getCreatedResource(Deployment.class).getResource();
         KubeTestUtil.assertTlsVolumesMounted(
                 deployment,
-                "pul-ss-ca"
+                "pulsar-tls"
         );
     }
 
+    @Test
+    public void testTlsEnabledOnProxyWithPerComponentCert() throws Exception {
+        String spec = """
+                global:
+                    name: pul
+                    persistence: false
+                    image: apachepulsar/pulsar:global
+                    tls:
+                        enabled: true
+                        proxy:
+                            enabled: true
+                            secretName: proxy-tls
+                bastion:
+                    targetProxy: true
+                """;
+        MockKubernetesClient client = invokeController(spec);
+
+        final Deployment deployment = client.getCreatedResource(Deployment.class).getResource();
+        KubeTestUtil.assertTlsVolumesMounted(deployment, "proxy-tls");
+    }
+
 
     @Test
     public void testReplicas() throws Exception {
diff --git a/src/generate-crds-docs.sh b/src/generate-crds-docs.sh
@@ -18,7 +18,7 @@
 
 set -e
 echo "Generating CRDs docs"
-mvn package -Pupdate-crds -pl operator
+mvn clean package -Pupdate-crds -pl operator
 docker run -u $(id -u):$(id -g) --rm -v ${PWD}:/workdir ghcr.io/fybrik/crdoc:latest \
   --resources /workdir/helm/kaap/crds/pulsarclusters.kaap.oss.datastax.com-v1.yml \
   --template /workdir/src/reference-markdown-template.tmpl \
diff --git a/tests/src/test/java/com/datastax/oss/kaap/tests/BaseK8sEnvTest.java b/tests/src/test/java/com/datastax/oss/kaap/tests/BaseK8sEnvTest.java
@@ -30,6 +30,9 @@
 import com.datastax.oss.kaap.tests.env.ExistingK8sEnv;
 import com.datastax.oss.kaap.tests.env.K3sEnv;
 import com.datastax.oss.kaap.tests.env.K8sEnv;
+import io.fabric8.certmanager.api.model.v1.Certificate;
+import io.fabric8.certmanager.api.model.v1.CertificateRequest;
+import io.fabric8.certmanager.api.model.v1.Issuer;
 import io.fabric8.kubernetes.api.model.HasMetadata;
 import io.fabric8.kubernetes.api.model.NamespaceBuilder;
 import io.fabric8.kubernetes.api.model.Node;
@@ -459,14 +462,35 @@ protected void dumpAllResources(String filePrefix) {
         dumpResources(filePrefix, FunctionsWorker.class);
         dumpResources(filePrefix, Bastion.class);
         dumpResources(filePrefix, Autorecovery.class);
+        dumpResourcesAllNamespaces(filePrefix, CertificateRequest.class);
+        dumpResourcesAllNamespaces(filePrefix, Certificate.class);
+        dumpResourcesAllNamespaces(filePrefix, Issuer.class);
+    }
+
+    private void dumpResourcesAllNamespaces(String filePrefix, Class<? extends HasMetadata> clazz) {
+        try {
+            client.namespaces().list()
+                    .getItems()
+                    .forEach(ns -> dumpResources(filePrefix, clazz, ns.getMetadata().getName()));
+        } catch (Throwable t) {
+            log.error("failed to list namespaces for getting resource of class {}: {}", clazz, t.getMessage());
+        }
     }
 
     private void dumpResources(String filePrefix, Class<? extends HasMetadata> clazz) {
-        client.resources(clazz)
-                .inNamespace(namespace)
-                .list()
-                .getItems()
-                .forEach(resource -> dumpResource(filePrefix, resource));
+        dumpResources(filePrefix, clazz, namespace);
+    }
+
+    private void dumpResources(String filePrefix, Class<? extends HasMetadata> clazz, String namespace) {
+        try {
+            client.resources(clazz)
+                    .inNamespace(namespace)
+                    .list()
+                    .getItems()
+                    .forEach(resource -> dumpResource(filePrefix, resource));
+        } catch (Throwable t) {
+            log.error("failed to dump resources of type {}: {}", clazz, t.getMessage());
+        }
     }
 
     protected void dumpResource(String filePrefix, HasMetadata resource) {
