From ee5dcb5e1b12916db0e205f63f56950d753d8dcf Mon Sep 17 00:00:00 2001 From: Ewout Prangsma Date: Mon, 19 Mar 2018 09:44:46 +0100 Subject: [PATCH 1/3] Turn on TLS by default --- docs/user/custom_resource.md | 3 ++- docs/user/tls.md | 4 +++- examples/simple-cluster-no-tls.yaml | 8 ++++++++ examples/simple-cluster-tls.yaml | 9 --------- pkg/apis/deployment/v1alpha/deployment_spec.go | 2 +- pkg/apis/deployment/v1alpha/tls_spec.go | 7 ++++++- pkg/apis/deployment/v1alpha/tls_spec_test.go | 3 ++- 7 files changed, 22 insertions(+), 14 deletions(-) create mode 100644 examples/simple-cluster-no-tls.yaml delete mode 100644 examples/simple-cluster-tls.yaml diff --git a/docs/user/custom_resource.md b/docs/user/custom_resource.md index 06f9b554f..c3fff5797 100644 --- a/docs/user/custom_resource.md +++ b/docs/user/custom_resource.md @@ -142,7 +142,8 @@ and restarting it. This setting specifies the name of a kubernetes `Secret` that contains a standard CA certificate + private key used to sign certificates for individual ArangoDB servers. -The default value is empty. TBD +When no name is specified, it defaults to `-ca`. +To disable authentication, set this value to `None`. If you specify a name of a `Secret` that does not exist, a self-signed CA certificate + key is created and stored in a `Secret` with given name. diff --git a/docs/user/tls.md b/docs/user/tls.md index e320eeaa8..d49ea5281 100644 --- a/docs/user/tls.md +++ b/docs/user/tls.md @@ -1,11 +1,13 @@ # TLS -The ArangoDB operator allows you to create ArangoDB deployments that use +The ArangoDB operator will by default create ArangoDB deployments that use secure TLS connections. It uses a single CA certificate (stored in a Kubernetes secret) and one certificate per ArangoDB server (stored in a Kubernetes secret per server). +To disable TLS, set `spec.tls.caSecretName` to `None`. + ## Install CA certificate If the CA certificate is self-signed, it will not be trusted by browsers, 
diff --git a/examples/simple-cluster-no-tls.yaml b/examples/simple-cluster-no-tls.yaml new file mode 100644 index 000000000..68e000155 --- /dev/null +++ b/examples/simple-cluster-no-tls.yaml @@ -0,0 +1,8 @@ +apiVersion: "database.arangodb.com/v1alpha" +kind: "ArangoDeployment" +metadata: + name: "example-simple-cluster-no-tls" +spec: + mode: cluster + tls: + caSecretName: None diff --git a/examples/simple-cluster-tls.yaml b/examples/simple-cluster-tls.yaml deleted file mode 100644 index 18f97aa56..000000000 --- a/examples/simple-cluster-tls.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: "database.arangodb.com/v1alpha" -kind: "ArangoDeployment" -metadata: - name: "example-simple-cluster-tls" -spec: - mode: cluster - tls: - caSecretName: example-simple-cluster-tls - altNames: ["kube-01", "kube-02", "kube-03"] diff --git a/pkg/apis/deployment/v1alpha/deployment_spec.go b/pkg/apis/deployment/v1alpha/deployment_spec.go index 99973a314..d112df828 100644 --- a/pkg/apis/deployment/v1alpha/deployment_spec.go +++ b/pkg/apis/deployment/v1alpha/deployment_spec.go @@ -92,7 +92,7 @@ func (s *DeploymentSpec) SetDefaults(deploymentName string) { } s.RocksDB.SetDefaults() s.Authentication.SetDefaults(deploymentName + "-jwt") - s.TLS.SetDefaults("") + s.TLS.SetDefaults(deploymentName + "-ca") s.Sync.SetDefaults(s.Image, s.ImagePullPolicy, deploymentName+"-sync-jwt", deploymentName+"-sync-ca") s.Single.SetDefaults(ServerGroupSingle, s.Mode.HasSingleServers(), s.Mode) s.Agents.SetDefaults(ServerGroupAgents, s.Mode.HasAgents(), s.Mode) diff --git a/pkg/apis/deployment/v1alpha/tls_spec.go b/pkg/apis/deployment/v1alpha/tls_spec.go index 896b28031..47eb2b16e 100644 --- a/pkg/apis/deployment/v1alpha/tls_spec.go +++ b/pkg/apis/deployment/v1alpha/tls_spec.go 
@@ -42,9 +42,14 @@ type TLSSpec struct { TTL time.Duration `json:"ttl,omitempty"` } +const ( + // CASecretNameDisabled is the value of CASecretName to use for disabling authentication. + CASecretNameDisabled = "None" +) + // IsSecure returns true when a CA secret has been set, false otherwise. func (s TLSSpec) IsSecure() bool { - return s.CASecretName != "" + return s.CASecretName != CASecretNameDisabled } // GetAltNames splits the list of AltNames into DNS names, IP addresses & email addresses. diff --git a/pkg/apis/deployment/v1alpha/tls_spec_test.go b/pkg/apis/deployment/v1alpha/tls_spec_test.go index fcd30bb07..9c2783572 100644 --- a/pkg/apis/deployment/v1alpha/tls_spec_test.go +++ b/pkg/apis/deployment/v1alpha/tls_spec_test.go @@ -43,8 +43,9 @@ func TestTLSSpecValidate(t *testing.T) { } func TestTLSSpecIsSecure(t *testing.T) { - assert.False(t, TLSSpec{CASecretName: ""}.IsSecure()) + assert.True(t, TLSSpec{CASecretName: ""}.IsSecure()) assert.True(t, TLSSpec{CASecretName: "foo"}.IsSecure()) + assert.False(t, TLSSpec{CASecretName: "None"}.IsSecure()) } func TestTLSSpecSetDefaults(t *testing.T) { From ea9c4b20e354135c287897354b268f2ea88fc814 Mon Sep 17 00:00:00 2001 From: Ewout Prangsma Date: Mon, 19 Mar 2018 11:24:29 +0100 Subject: [PATCH 2/3] Fixed unit tests --- pkg/deployment/pod_creator_agent_args_test.go | 44 +++++++++------- .../pod_creator_coordinator_args_test.go | 52 ++++++++++--------- .../pod_creator_dbserver_args_test.go | 52 ++++++++++--------- .../pod_creator_single_args_test.go | 36 ++++++++----- 4 files changed, 102 insertions(+), 82 deletions(-) diff --git a/pkg/deployment/pod_creator_agent_args_test.go b/pkg/deployment/pod_creator_agent_args_test.go index 38f10f12c..540690d7f 100644 --- a/pkg/deployment/pod_creator_agent_args_test.go +++ b/pkg/deployment/pod_creator_agent_args_test.go 
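Review bot: The doc comment on `CASecretNameDisabled` says "for disabling authentication", but the constant switches off TLS (it is what `IsSecure` compares against; authentication has its own `s.Authentication` defaults in the deployment_spec.go hunk), and the same wording reappears in the docs/user/custom_resource.md hunk ("To disable authentication, set this value to `None`"); I would write `// CASecretNameDisabled is the value of CASecretName that disables TLS for the deployment.` and fix the docs sentence to say TLS. The `IsSecure` comment ("returns true when a CA secret has been set") is now stale as well: with the new comparison an empty CASecretName reports secure, which the tls_spec_test.go hunk asserts explicitly, so `// IsSecure returns false only when CASecretName is CASecretNameDisabled; an empty name counts as secure because SetDefaults fills it in.` — the SetDefaults fill-in is my reading of the deployment_spec.go hunk and is not visible here. The comparison is case-sensitive, so `none` or `NONE` would be treated as a Secret name and (per the docs) get a self-signed CA created; that fails secure, but it is worth either documenting or rejecting in Validate, which is outside this diff. The tls_spec_test.go hunk also uses the literal `"None"` where `CASecretNameDisabled` is available in the same package.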
@@ -54,9 +54,9 @@ func TestCreateArangodArgsAgent(t *testing.T) { assert.Equal(t, []string{ "--agency.activate=true", - "--agency.endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", - "--agency.endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", - "--agency.my-address=tcp://name-agent-a1.name-int.ns.svc:8529", + "--agency.endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", + "--agency.endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", + "--agency.my-address=ssl://name-agent-a1.name-int.ns.svc:8529", "--agency.size=3", "--agency.supervision=true", "--cluster.my-id=a1", @@ -65,16 +65,18 @@ func TestCreateArangodArgsAgent(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=false", "--server.storage-engine=rocksdb", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) } - // Default+TLS deployment + // Default+TLS disabled deployment { apiObject := &api.ArangoDeployment{ ObjectMeta: metav1.ObjectMeta{ @@ -84,7 +86,7 @@ func TestCreateArangodArgsAgent(t *testing.T) { Spec: api.DeploymentSpec{ Mode: api.DeploymentModeCluster, TLS: api.TLSSpec{ - CASecretName: "test-ca", + CASecretName: "None", }, }, } @@ -98,9 +100,9 @@ func TestCreateArangodArgsAgent(t *testing.T) { assert.Equal(t, []string{ "--agency.activate=true", - "--agency.endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", - "--agency.endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", - "--agency.my-address=ssl://name-agent-a1.name-int.ns.svc:8529", + "--agency.endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", + "--agency.endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", + "--agency.my-address=tcp://name-agent-a1.name-int.ns.svc:8529", "--agency.size=3", "--agency.supervision=true", "--cluster.my-id=a1", 
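Review bot: The new expected argument `--ssl.ecdh-curve=` carries an empty value in every TLS-enabled case here and in the matching hunks of pod_creator_coordinator_args_test.go, pod_creator_dbserver_args_test.go and pod_creator_single_args_test.go, so the tests now lock in whatever `createArangodArgs` emits for that option; if arangod interprets an empty curve name as "no ECDH curve" this would drop ECDHE cipher suites, and with them forward secrecy, on every server endpoint, which is worth confirming against arangod's option semantics before the tests cement it as the default. The arg builder itself is outside this diff. If the empty value is intentional, a comment beside the first occurrence, `// empty curve name mirrors createArangodArgs' current default; TODO confirm against arangod`, would keep a reader from taking it as the desired configuration.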
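Review bot: `CASecretName: "None"` in the TLS-disabled case repeats the sentinel as a string literal instead of using `api.CASecretNameDisabled`, the constant the first patch adds to tls_spec.go, and the same literal appears in the corresponding hunks of pod_creator_coordinator_args_test.go, pod_creator_dbserver_args_test.go and pod_creator_single_args_test.go. If the sentinel is ever changed these cases would turn into TLS-enabled deployments whose CA Secret is called "None" and fail for a confusing reason. I would change the line to `CASecretName: api.CASecretNameDisabled,` in all four files.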
@@ -109,12 +111,10 @@ func TestCreateArangodArgsAgent(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=ssl://[::]:8529", + "--server.endpoint=tcp://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=false", "--server.storage-engine=rocksdb", - "--ssl.ecdh-curve=", - "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) @@ -143,9 +143,9 @@ func TestCreateArangodArgsAgent(t *testing.T) { assert.Equal(t, []string{ "--agency.activate=true", - "--agency.endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", - "--agency.endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", - "--agency.my-address=tcp://name-agent-a1.name-int.ns.svc:8529", + "--agency.endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", + "--agency.endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", + "--agency.my-address=ssl://name-agent-a1.name-int.ns.svc:8529", "--agency.size=3", "--agency.supervision=true", "--cluster.my-id=a1", @@ -154,9 +154,11 @@ func TestCreateArangodArgsAgent(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=false", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.statistics=false", "--server.storage-engine=mmfiles", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) @@ -184,9 +186,9 @@ func TestCreateArangodArgsAgent(t *testing.T) { assert.Equal(t, []string{ "--agency.activate=true", - "--agency.endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", - "--agency.endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", - "--agency.my-address=tcp://name-agent-a1.name-int.ns.svc:8529", + "--agency.endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", + "--agency.endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", + "--agency.my-address=ssl://name-agent-a1.name-int.ns.svc:8529", "--agency.size=3", "--agency.supervision=true", "--cluster.my-id=a1", 
@@ -195,10 +197,12 @@ func TestCreateArangodArgsAgent(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=false", "--server.storage-engine=rocksdb", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", "--foo1", "--foo2", }, diff --git a/pkg/deployment/pod_creator_coordinator_args_test.go b/pkg/deployment/pod_creator_coordinator_args_test.go index c66c55eef..cdf3afdca 100644 --- a/pkg/deployment/pod_creator_coordinator_args_test.go +++ b/pkg/deployment/pod_creator_coordinator_args_test.go @@ -53,10 +53,10 @@ func TestCreateArangodArgsCoordinator(t *testing.T) { cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupCoordinators, apiObject.Spec.Coordinators, agents, "id1") assert.Equal(t, []string{ - "--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", - "--cluster.my-address=tcp://name-coordinator-id1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", + "--cluster.my-address=ssl://name-coordinator-id1.name-int.ns.svc:8529", "--cluster.my-id=id1", "--cluster.my-role=COORDINATOR", "--database.directory=/data", 
@@ -64,16 +64,18 @@ func TestCreateArangodArgsCoordinator(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=true", "--server.storage-engine=rocksdb", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) } - // Default+TLS deployment + // Default+TLS disabled deployment { apiObject := &api.ArangoDeployment{ ObjectMeta: metav1.ObjectMeta{ @@ -83,7 +85,7 @@ func TestCreateArangodArgsCoordinator(t *testing.T) { Spec: api.DeploymentSpec{ Mode: api.DeploymentModeCluster, TLS: api.TLSSpec{ - CASecretName: "test-ca", + CASecretName: "None", }, }, } @@ -96,10 +98,10 @@ func TestCreateArangodArgsCoordinator(t *testing.T) { cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupCoordinators, apiObject.Spec.Coordinators, agents, "id1") assert.Equal(t, []string{ - "--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529", - "--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", - "--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", - "--cluster.my-address=ssl://name-coordinator-id1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", + "--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", + "--cluster.my-address=tcp://name-coordinator-id1.name-int.ns.svc:8529", "--cluster.my-id=id1", "--cluster.my-role=COORDINATOR", "--database.directory=/data", 
@@ -107,12 +109,10 @@ func TestCreateArangodArgsCoordinator(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=ssl://[::]:8529", + "--server.endpoint=tcp://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=true", "--server.storage-engine=rocksdb", - "--ssl.ecdh-curve=", - "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) @@ -139,10 +139,10 @@ func TestCreateArangodArgsCoordinator(t *testing.T) { cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupCoordinators, apiObject.Spec.Coordinators, agents, "id1") assert.Equal(t, []string{ - "--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", - "--cluster.my-address=tcp://name-coordinator-id1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", + "--cluster.my-address=ssl://name-coordinator-id1.name-int.ns.svc:8529", "--cluster.my-id=id1", "--cluster.my-role=COORDINATOR", "--database.directory=/data", @@ -150,9 +150,11 @@ func TestCreateArangodArgsCoordinator(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=false", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.statistics=true", "--server.storage-engine=rocksdb", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) 
@@ -180,10 +182,10 @@ func TestCreateArangodArgsCoordinator(t *testing.T) { cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupCoordinators, apiObject.Spec.Coordinators, agents, "id1") assert.Equal(t, []string{ - "--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", - "--cluster.my-address=tcp://name-coordinator-id1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", + "--cluster.my-address=ssl://name-coordinator-id1.name-int.ns.svc:8529", "--cluster.my-id=id1", "--cluster.my-role=COORDINATOR", "--database.directory=/data", @@ -191,10 +193,12 @@ func TestCreateArangodArgsCoordinator(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=true", "--server.storage-engine=mmfiles", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", "--foo1", "--foo2", }, diff --git a/pkg/deployment/pod_creator_dbserver_args_test.go b/pkg/deployment/pod_creator_dbserver_args_test.go index da4b49352..ac14f07a3 100644 --- a/pkg/deployment/pod_creator_dbserver_args_test.go +++ b/pkg/deployment/pod_creator_dbserver_args_test.go 
@@ -53,10 +53,10 @@ func TestCreateArangodArgsDBServer(t *testing.T) { cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupDBServers, apiObject.Spec.DBServers, agents, "id1") assert.Equal(t, []string{ - "--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", - "--cluster.my-address=tcp://name-dbserver-id1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", + "--cluster.my-address=ssl://name-dbserver-id1.name-int.ns.svc:8529", "--cluster.my-id=id1", "--cluster.my-role=PRIMARY", "--database.directory=/data", @@ -64,16 +64,18 @@ func TestCreateArangodArgsDBServer(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=true", "--server.storage-engine=rocksdb", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) } - // Default+TLS deployment + // Default+TLS disabled deployment { apiObject := &api.ArangoDeployment{ ObjectMeta: metav1.ObjectMeta{ @@ -83,7 +85,7 @@ func TestCreateArangodArgsDBServer(t *testing.T) { Spec: api.DeploymentSpec{ Mode: api.DeploymentModeCluster, TLS: api.TLSSpec{ - CASecretName: "test-ca", + CASecretName: "None", }, }, } 
@@ -96,10 +98,10 @@ func TestCreateArangodArgsDBServer(t *testing.T) { cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupDBServers, apiObject.Spec.DBServers, agents, "id1") assert.Equal(t, []string{ - "--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529", - "--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", - "--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", - "--cluster.my-address=ssl://name-dbserver-id1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", + "--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", + "--cluster.my-address=tcp://name-dbserver-id1.name-int.ns.svc:8529", "--cluster.my-id=id1", "--cluster.my-role=PRIMARY", "--database.directory=/data", @@ -107,12 +109,10 @@ func TestCreateArangodArgsDBServer(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=ssl://[::]:8529", + "--server.endpoint=tcp://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=true", "--server.storage-engine=rocksdb", - "--ssl.ecdh-curve=", - "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) 
@@ -139,10 +139,10 @@ func TestCreateArangodArgsDBServer(t *testing.T) { cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupDBServers, apiObject.Spec.DBServers, agents, "id1") assert.Equal(t, []string{ - "--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", - "--cluster.my-address=tcp://name-dbserver-id1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", + "--cluster.my-address=ssl://name-dbserver-id1.name-int.ns.svc:8529", "--cluster.my-id=id1", "--cluster.my-role=PRIMARY", "--database.directory=/data", @@ -150,9 +150,11 @@ func TestCreateArangodArgsDBServer(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=false", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.statistics=true", "--server.storage-engine=rocksdb", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) 
@@ -180,10 +182,10 @@ func TestCreateArangodArgsDBServer(t *testing.T) { cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupDBServers, apiObject.Spec.DBServers, agents, "id1") assert.Equal(t, []string{ - "--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", - "--cluster.my-address=tcp://name-dbserver-id1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", + "--cluster.my-address=ssl://name-dbserver-id1.name-int.ns.svc:8529", "--cluster.my-id=id1", "--cluster.my-role=PRIMARY", "--database.directory=/data", @@ -191,10 +193,12 @@ func TestCreateArangodArgsDBServer(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=true", "--server.storage-engine=mmfiles", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", "--foo1", "--foo2", }, diff --git a/pkg/deployment/pod_creator_single_args_test.go b/pkg/deployment/pod_creator_single_args_test.go index 7ede1717f..be3f8674c 100644 --- a/pkg/deployment/pod_creator_single_args_test.go +++ b/pkg/deployment/pod_creator_single_args_test.go 
@@ -49,22 +49,24 @@ func TestCreateArangodArgsSingle(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=true", "--server.storage-engine=rocksdb", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) } - // Default+TLS deployment + // Default+TLS disabled deployment { apiObject := &api.ArangoDeployment{ Spec: api.DeploymentSpec{ Mode: api.DeploymentModeSingle, TLS: api.TLSSpec{ - CASecretName: "test-ca", + CASecretName: "None", }, }, } @@ -77,12 +79,10 @@ func TestCreateArangodArgsSingle(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=ssl://[::]:8529", + "--server.endpoint=tcp://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=true", "--server.storage-engine=rocksdb", - "--ssl.ecdh-curve=", - "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) @@ -105,10 +105,12 @@ func TestCreateArangodArgsSingle(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=true", "--server.storage-engine=mmfiles", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) @@ -131,9 +133,11 @@ func TestCreateArangodArgsSingle(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=false", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.statistics=true", "--server.storage-engine=rocksdb", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) 
@@ -156,10 +160,12 @@ func TestCreateArangodArgsSingle(t *testing.T) { "--log.level=INFO", "--log.output=+", "--server.authentication=true", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=true", "--server.storage-engine=rocksdb", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", "--foo1", "--foo2", }, @@ -187,10 +193,10 @@ func TestCreateArangodArgsSingle(t *testing.T) { cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupSingle, apiObject.Spec.Single, agents, "id1") assert.Equal(t, []string{ - "--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529", - "--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529", - "--cluster.my-address=tcp://name-single-id1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529", + "--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529", + "--cluster.my-address=ssl://name-single-id1.name-int.ns.svc:8529", "--cluster.my-id=id1", "--cluster.my-role=SINGLE", "--database.directory=/data", @@ -199,10 +205,12 @@ func TestCreateArangodArgsSingle(t *testing.T) { "--log.output=+", "--replication.automatic-failover=true", "--server.authentication=true", - "--server.endpoint=tcp://[::]:8529", + "--server.endpoint=ssl://[::]:8529", "--server.jwt-secret=$(ARANGOD_JWT_SECRET)", "--server.statistics=true", "--server.storage-engine=rocksdb", + "--ssl.ecdh-curve=", + "--ssl.keyfile=/secrets/tls/tls.keyfile", }, cmdline, ) From 3300f35ba3ce1a9db7a4698d814ab3e58f32a59a Mon Sep 17 00:00:00 2001 From: Ewout Prangsma Date: Mon, 19 Mar 2018 11:40:11 +0100 Subject: [PATCH 3/3] Fixed client wrt https --- pkg/util/arangod/client.go | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) 
diff --git a/pkg/util/arangod/client.go b/pkg/util/arangod/client.go index 95459a579..8b36da1e1 100644 --- a/pkg/util/arangod/client.go +++ b/pkg/util/arangod/client.go @@ -24,6 +24,7 @@ package arangod import ( "context" + "crypto/tls" "fmt" "net" nhttp "net/http" @@ -70,6 +71,19 @@ var ( TLSHandshakeTimeout: 10 * time.Second, ExpectContinueTimeout: 1 * time.Second, } + sharedHTTPSTransport = &nhttp.Transport{ + Proxy: nhttp.ProxyFromEnvironment, + DialContext: (&net.Dialer{ + Timeout: 30 * time.Second, + KeepAlive: 30 * time.Second, + DualStack: true, + }).DialContext, + MaxIdleConns: 100, + IdleConnTimeout: 90 * time.Second, + TLSHandshakeTimeout: 10 * time.Second, + ExpectContinueTimeout: 1 * time.Second, + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } ) // CreateArangodClient creates a go-driver client for a specific member in the given group. @@ -97,11 +111,16 @@ func CreateArangodDatabaseClient(ctx context.Context, cli corev1.CoreV1Interface // CreateArangodClientForDNSName creates a go-driver client for a given DNS name. func createArangodClientForDNSName(ctx context.Context, cli corev1.CoreV1Interface, apiObject *api.ArangoDeployment, dnsName string) (driver.Client, error) { scheme := "http" + transport := sharedHTTPTransport + if apiObject.Spec.IsSecure() { + scheme = "https" + transport = sharedHTTPSTransport + } connConfig := http.ConnectionConfig{ Endpoints: []string{scheme + "://" + net.JoinHostPort(dnsName, strconv.Itoa(k8sutil.ArangoPort))}, - Transport: sharedHTTPTransport, + Transport: transport, } - // TODO deal with TLS + // TODO deal with TLS with proper CA checking conn, err := http.NewConnection(connConfig) if err != nil { return nil, maskAny(err)
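Review bot: `sharedHTTPSTransport` carries `TLSClientConfig: &tls.Config{InsecureSkipVerify: true}`, so every HTTPS connection the operator makes to an arangod member accepts any certificate, and because it is a package-level shared transport the setting applies to every caller, not just this function; the `// TODO deal with TLS with proper CA checking` line records the gap, but the material to close it is already in scope. `createArangodClientForDNSName` receives `cli corev1.CoreV1Interface` and `apiObject`, and `apiObject.Spec.TLS.CASecretName` names the Secret holding the CA that patch 1 makes the default (`<deploymentName>-ca`), so the transport can be built per deployment with that CA in `RootCAs` (plus `MinVersion: tls.VersionTLS12`) as sketched below; the Secret's data key, the read helper and the `crypto/x509` import are not visible in this diff, so they are placeholders. The docs hunk in patch 1 says the CA may be freshly self-signed per deployment, which is a further reason not to cache one TLS configuration globally. As a style point the two transport literals differ only in `TLSClientConfig`, so one constructor should produce both. The rest of `createArangodClientForDNSName` continues outside the hunk, and `apiObject.Spec.IsSecure()` is assumed to delegate to `TLSSpec.IsSecure`.
```go
// newTransport builds the operator's HTTP transport; tlsConfig is nil for
// plain HTTP and carries the deployment CA for HTTPS.
func newTransport(tlsConfig *tls.Config) *nhttp.Transport {
	return &nhttp.Transport{
		// … unchanged: Proxy, DialContext, MaxIdleConns and timeouts as in sharedHTTPTransport …
		TLSClientConfig: tlsConfig,
	}
}

// … unchanged: comment and signature of createArangodClientForDNSName …
	scheme := "http"
	transport := sharedHTTPTransport
	if apiObject.Spec.IsSecure() {
		// caPEM: PEM bytes of the CA certificate read via cli from the Secret named by
		// apiObject.Spec.TLS.CASecretName in apiObject.GetNamespace(); the Secret's
		// data key and the read helper are not shown in this diff (placeholder below).
		caPEM, err := loadDeploymentCA(cli, apiObject) // <placeholder helper>
		if err != nil {
			return nil, maskAny(err)
		}
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, maskAny(fmt.Errorf("no CA certificate in secret %q", apiObject.Spec.TLS.CASecretName))
		}
		scheme = "https"
		transport = newTransport(&tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12})
	}
	// … unchanged: connConfig, http.NewConnection and error handling …
```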