add auth enabler

.gitignore

@@ -22,6 +22,7 @@ vendor
 
 # editor and IDE paraphernalia
 .idea
+.vscode
 *.swp
 *.swo
 *~

api/v1alpha1/aux_functions.go

@@ -0,0 +1,25 @@
+package v1alpha1
+
+func IsClientSecurityEnabled(c *EtcdCluster) bool {
+	clientSecurityEnabled := false
+	if c.Spec.Security != nil && c.Spec.Security.TLS.ClientSecret != "" {
+		clientSecurityEnabled = true
+	}
+	return clientSecurityEnabled
+}
+
+func IsServerSecurityEnabled(c *EtcdCluster) bool {
+	serverSecurityEnabled := false
+	if c.Spec.Security != nil && c.Spec.Security.TLS.ServerSecret != "" {
+		serverSecurityEnabled = true
+	}
+	return serverSecurityEnabled
+}
+
+func IsServerCADefined(c *EtcdCluster) bool {
+	serverCADefined := false
+	if c.Spec.Security != nil && c.Spec.Security.TLS.ServerTrustedCASecret != "" {
+		serverCADefined = true
+	}
+	return serverCADefined
+}

api/v1alpha1/etcdcluster_types.go

@@ -174,24 +174,36 @@ type SecuritySpec struct {
 	// Section for user-managed tls certificates
 	// +optional
 	TLS TLSSpec `json:"tls,omitempty"`
+	// Section to enable etcd auth
+	EnableAuth bool `json:"enableAuth,omitempty"`
 }
 
 // TLSSpec defines user-managed certificates names.
 type TLSSpec struct {
-	// Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt field in the secret.
+	// Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have ca.crt field in the secret.
+	// This secret must be created in the namespace with etcdCluster CR.
 	// +optional
 	PeerTrustedCASecret string `json:"peerTrustedCASecret,omitempty"`
 	// Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret.
+	// This secret must be created in the namespace with etcdCluster CR.
 	// +optional
 	PeerSecret string `json:"peerSecret,omitempty"`
+	// Trusted CA for etcd server certificates for client-server communication. Is necessary to set trust between operator and etcd.
+	// It is expected to have ca.crt field in the secret. If it is not specified, then insecure communication will be used.
+	// This secret must be created in the namespace with etcdCluster CR.
+	// +optional
+	ServerTrustedCASecret string `json:"serverTrustedCASecret,omitempty"`
 	// Server certificate secret to secure client-server communication. Is provided to the client who connects to etcd by client port (2379 by default).
 	// It is expected to have tls.crt and tls.key fields in the secret.
+	// This secret must be created in the namespace with etcdCluster CR.
 	// +optional
 	ServerSecret string `json:"serverSecret,omitempty"`
-	// Trusted CA for client certificates that are provided by client to etcd. It is expected to have tls.crt field in the secret.
+	// Trusted CA for client certificates that are provided by client to etcd. It is expected to have ca.crt field in the secret.
+	// This secret must be created in the namespace with etcdCluster CR.
 	// +optional
 	ClientTrustedCASecret string `json:"clientTrustedCASecret,omitempty"`
 	// Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret.
+	// This secret must be created in the namespace with etcdCluster CR.
 	// +optional
 	ClientSecret string `json:"clientSecret,omitempty"`
 }

api/v1alpha1/etcdcluster_webhook.go

@@ -281,6 +281,15 @@ func (r *EtcdCluster) validateSecurity() field.ErrorList {
 		)
 	}
 
+	if security.EnableAuth && (security.TLS.ClientSecret == "" || security.TLS.ServerSecret == "") {
+
+		allErrors = append(allErrors, field.Invalid(
+			field.NewPath("spec", "security"),
+			security.TLS,
+			"if auth is enabled, client secret and server secret must be provided"),
+		)
+	}
+
 	if len(allErrors) > 0 {
 		return allErrors
 	}

charts/etcd-operator/crds/etcd-cluster.yaml

@@ -202,25 +202,43 @@ spec:
                 security:
                   description: Security describes security settings of etcd (authentication, certificates, rbac)
                   properties:
+                    enableAuth:
+                      description: Section to enable etcd auth
+                      type: boolean
                     tls:
                       description: Section for user-managed tls certificates
                       properties:
                         clientSecret:
-                          description: Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret.
+                          description: |-
+                            Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret.
+                            This secret must be created in the namespace with etcd-operator.
                           type: string
                         clientTrustedCASecret:
-                          description: Trusted CA for client certificates that are provided by client to etcd. It is expected to have tls.crt field in the secret.
+                          description: |-
+                            Trusted CA for client certificates that are provided by client to etcd. It is expected to have tls.crt field in the secret.
+                            This secret must be created in the namespace with etcdCluster CR.
                           type: string
                         peerSecret:
-                          description: Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret.
+                          description: |-
+                            Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret.
+                            This secret must be created in the namespace with etcdCluster CR.
                           type: string
                         peerTrustedCASecret:
-                          description: Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt field in the secret.
+                          description: |-
+                            Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt field in the secret.
+                            This secret must be created in the namespace with etcdCluster CR.
                           type: string
                         serverSecret:
                           description: |-
                             Server certificate secret to secure client-server communication. Is provided to the client who connects to etcd by client port (2379 by default).
                             It is expected to have tls.crt and tls.key fields in the secret.
+                            This secret must be created in the namespace with etcdCluster CR.
+                          type: string
+                        serverTrustedCASecret:
+                          description: |-
+                            Trusted CA for etcd server certificates for client-server communication. Is necessary to set trust between operator and etcd.
+                            It is expected to have tls.crt field in the secret. If it is not specified, then insecure communication will be used.
+                            This secret must be created in the namespace with etcd-operator.
                           type: string
                       type: object
                   type: object

charts/etcd-operator/templates/workload/deployment.yml

@@ -58,6 +58,12 @@ spec:
             - configMapRef:
                 name: {{ include "etcd-operator.fullname" . }}-env
           {{- end }}
+          env:
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.namespace
           volumeMounts:
             - mountPath: /tmp/k8s-webhook-server/serving-certs
               name: cert

config/crd/bases/etcd.aenix.io_etcdclusters.yaml

@@ -192,25 +192,43 @@ spec:
                 security:
                   description: Security describes security settings of etcd (authentication, certificates, rbac)
                   properties:
+                    enableAuth:
+                      description: Section to enable etcd auth
+                      type: boolean
                     tls:
                       description: Section for user-managed tls certificates
                       properties:
                         clientSecret:
-                          description: Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret.
+                          description: |-
+                            Client certificate for etcd-operator to do maintenance. It is expected to have tls.crt and tls.key fields in the secret.
+                            This secret must be created in the namespace with etcdCluster CR.
                           type: string
                         clientTrustedCASecret:
-                          description: Trusted CA for client certificates that are provided by client to etcd. It is expected to have tls.crt field in the secret.
+                          description: |-
+                            Trusted CA for client certificates that are provided by client to etcd. It is expected to have ca.crt field in the secret.
+                            This secret must be created in the namespace with etcdCluster CR.
                           type: string
                         peerSecret:
-                          description: Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret.
+                          description: |-
+                            Certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt and tls.key fields in the secret.
+                            This secret must be created in the namespace with etcdCluster CR.
                           type: string
                         peerTrustedCASecret:
-                          description: Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have tls.crt field in the secret.
+                          description: |-
+                            Trusted CA certificate secret to secure peer-to-peer communication between etcd nodes. It is expected to have ca.crt field in the secret.
+                            This secret must be created in the namespace with etcdCluster CR.
                           type: string
                         serverSecret:
                           description: |-
                             Server certificate secret to secure client-server communication. Is provided to the client who connects to etcd by client port (2379 by default).
                             It is expected to have tls.crt and tls.key fields in the secret.
+                            This secret must be created in the namespace with etcdCluster CR.
+                          type: string
+                        serverTrustedCASecret:
+                          description: |-
+                            Trusted CA for etcd server certificates for client-server communication. Is necessary to set trust between operator and etcd.
+                            It is expected to have ca.crt field in the secret. If it is not specified, then insecure communication will be used.
+                            This secret must be created in the namespace with etcdCluster CR.
                           type: string
                       type: object
                   type: object

config/manager/manager.yaml

@@ -99,5 +99,11 @@ spec:
           requests:
             cpu: 10m
             memory: 64Mi
+        env:
+        - name: POD_NAMESPACE
+          valueFrom:
+            fieldRef:
+              apiVersion: v1
+              fieldPath: metadata.namespace
       serviceAccountName: controller-manager
       terminationGracePeriodSeconds: 10