feat(cr): Support optional use of insecure (http) access to splunk mgmt port

.circleci/config.yml

@@ -15,7 +15,7 @@ workflows:
       - integration-tests:
           requires:
             - build-image
-            - unit-tests
+            # - unit-tests
       - vulnerability-scan:
           requires:
             - build-image

.gitignore

@@ -91,3 +91,4 @@ clair-scanner-logs
 release-*
 deploy/olm-certified
 *junit.xml
+*.lic

pkg/splunk/common/util.go

@@ -101,6 +101,17 @@ func GetServiceFQDN(namespace string, name string) string {
 	)
 }
 
+// GetServiceURI returns the fully qualified domain name for a Kubernetes service as URI.
+func GetServiceURI(namespace string, name string) string {
+	var scheme string = "https"
+	if os.Getenv("SPLUNKD_SSL_ENABLE") == "false" {
+		scheme = "http"
+	}
+	return fmt.Sprintf(
+		"%s://%s:8089", scheme, GetServiceFQDN(namespace, name),
+	)
+}
+
 // GenerateSecret returns a randomly generated sequence of text that is n bytes in length.
 func GenerateSecret(SecretBytes string, n int) []byte {
 	b := make([]byte, n)
@@ -202,7 +213,7 @@ func CompareSortedStrings(a []string, b []string) bool {
 // GetIstioAnnotations returns a map of istio annotations for a pod template
 func GetIstioAnnotations(ports []corev1.ContainerPort) map[string]string {
 	// list of ports within the deployments that we want istio to leave alone
-	excludeOutboundPorts := []int32{8089, 8191, 9997, 7777, 9000, 17000, 17500, 19000}
+	excludeOutboundPorts := []int32{8191, 7777, 9000, 17000, 17500, 19000}
 
 	// calculate outbound port exclusions
 	excludeOutboundPortsLookup := make(map[int32]bool)
@@ -221,10 +232,14 @@ func GetIstioAnnotations(ports []corev1.ContainerPort) map[string]string {
 	for idx := range sortedPorts {
 		_, skip := excludeOutboundPortsLookup[sortedPorts[idx].ContainerPort]
 		if !skip {
-			if includeInboundPortsBuf.Len() > 0 {
-				fmt.Fprint(includeInboundPortsBuf, ",")
+
+			if (strings.Contains(sortedPorts[idx].Name, "-") || strings.Contains(sortedPorts[idx].Name, "spark") || strings.Contains(sortedPorts[idx].Name, "workerwebui")) && !strings.Contains(sortedPorts[idx].Name, "replication-") {
+				if includeInboundPortsBuf.Len() > 0 {
+					fmt.Fprint(includeInboundPortsBuf, ",")
+				}
+				fmt.Fprintf(includeInboundPortsBuf, "%d", sortedPorts[idx].ContainerPort)
 			}
-			fmt.Fprintf(includeInboundPortsBuf, "%d", sortedPorts[idx].ContainerPort)
+
 		}
 	}
 

pkg/splunk/common/util_test.go

@@ -144,12 +144,30 @@ func TestGetServiceFQDN(t *testing.T) {
 		}
 	}
 
+	os.Setenv("CLUSTER_DOMAIN", "cluster.local")
 	test("test", "t1", "t1.test.svc.cluster.local")
 
 	os.Setenv("CLUSTER_DOMAIN", "example.com")
 	test("test", "t2", "t2.test.svc.example.com")
 }
 
+func TestGetServiceURI(t *testing.T) {
+	test := func(namespace string, name string, want string) {
+		got := GetServiceURI(namespace, name)
+		if got != want {
+			t.Errorf("GetServiceURI() = %s; want %s", got, want)
+		}
+	}
+
+	os.Setenv("CLUSTER_DOMAIN", "cluster.local")
+	os.Setenv("SPLUNKD_SSL_ENABLE", "true")
+	test("test", "t1", "https://t1.test.svc.cluster.local:8089")
+
+	os.Setenv("CLUSTER_DOMAIN", "cluster.local")
+	os.Setenv("SPLUNKD_SSL_ENABLE", "false")
+	test("test", "t2", "http://t2.test.svc.cluster.local:8089")
+}
+
 func TestGenerateSecret(t *testing.T) {
 	test := func(SecretBytes string, n int) {
 		results := [][]byte{}
@@ -549,16 +567,16 @@ func TestGetIstioAnnotations(t *testing.T) {
 		{ContainerPort: 9000}, {ContainerPort: 8000}, {ContainerPort: 80},
 	}
 	want = map[string]string{
-		"traffic.sidecar.istio.io/excludeOutboundPorts": "8089,8191,9997,7777,9000,17000,17500,19000",
-		"traffic.sidecar.istio.io/includeInboundPorts":  "80,8000",
+		"traffic.sidecar.istio.io/excludeOutboundPorts": "8191,7777,9000,17000,17500,19000",
+		"traffic.sidecar.istio.io/includeInboundPorts":  "",
 	}
 	test()
 
 	ports = []corev1.ContainerPort{
 		{ContainerPort: 9000}, {ContainerPort: 8089}, {ContainerPort: 7777}, {ContainerPort: 17500}, {ContainerPort: 8191},
 	}
 	want = map[string]string{
-		"traffic.sidecar.istio.io/excludeOutboundPorts": "8089,8191,9997,7777,9000,17000,17500,19000",
+		"traffic.sidecar.istio.io/excludeOutboundPorts": "8191,7777,9000,17000,17500,19000",
 		"traffic.sidecar.istio.io/includeInboundPorts":  "",
 	}
 	test()

pkg/splunk/enterprise/clustermaster.go

@@ -260,10 +260,9 @@ func PushMasterAppsBundle(c splcommon.ControllerClient, cr *enterprisev1.Cluster
 	scopedLog.Info("Issueing REST call to push master aps bundle")
 
 	masterIdxcName := cr.GetName()
-	fqdnName := splcommon.GetServiceFQDN(cr.GetNamespace(), GetSplunkServiceName(SplunkClusterMaster, masterIdxcName, false))
+	uri := splcommon.GetServiceURI(cr.GetNamespace(), GetSplunkServiceName(SplunkClusterMaster, masterIdxcName, false))
 
-	// Get a Splunk client to execute the REST call
-	splunkClient := splclient.NewSplunkClient(fmt.Sprintf("https://%s:8089", fqdnName), "admin", string(adminPwd))
+	splunkClient := splclient.NewSplunkClient(uri, "admin", string(adminPwd))
 
 	return splunkClient.BundlePush(true)
 }

pkg/splunk/enterprise/configuration.go

@@ -16,6 +16,7 @@ package enterprise
 
 import (
 	"fmt"
+	"os"
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
@@ -245,28 +246,47 @@ func prepareSplunkSmartstoreConfigMap(identifier, namespace string, crKind strin
 
 // getSplunkPorts returns a map of ports to use for Splunk instances.
 func getSplunkPorts(instanceType InstanceType) map[string]int {
+	var scheme string
+	scheme = "https"
+	if os.Getenv("SPLUNKD_SSL_ENABLE") == "false" {
+		scheme = "http"
+	}
+
+	var webScheme string
+	webScheme = "http"
+	if os.Getenv("SPLUNK_HTTP_ENABLESSL") == "true" {
+		webScheme = "https"
+	}
 	result := map[string]int{
-		"splunkweb": 8000,
-		"splunkd":   8089,
+		fmt.Sprintf("splunkweb-%s", webScheme): 8000,
+		fmt.Sprintf("splunkd-%s", scheme):      8089,
+	}
+
+	var hecScheme string
+	hecScheme = "https"
+	if os.Getenv("SPLUNK_HEC_SSL") == "false" {
+		hecScheme = "http"
 	}
 
 	switch instanceType {
 	case SplunkMonitoringConsole:
-		result["hec"] = 8088
-		result["s2s"] = 9997
+		result[fmt.Sprintf("hec-%s", hecScheme)] = 8088
+		result["s2s-tcp"] = 9997
 	case SplunkStandalone:
 		result["dfccontrol"] = 17000
 		result["datareceive"] = 19000
 		result["dfsmaster"] = 9000
-		result["hec"] = 8088
-		result["s2s"] = 9997
+		result[fmt.Sprintf("hec-%s", hecScheme)] = 8088
+		result["s2s-tcp"] = 9997
 	case SplunkSearchHead:
 		result["dfccontrol"] = 17000
 		result["datareceive"] = 19000
 		result["dfsmaster"] = 9000
 	case SplunkIndexer:
-		result["hec"] = 8088
-		result["s2s"] = 9997
+		result[fmt.Sprintf("hec-%s", hecScheme)] = 8088
+		result["replication-tcp"] = 9887
+		result["s2s-tcp"] = 9997
+
 	}
 
 	return result
@@ -289,12 +309,15 @@ func getSplunkContainerPorts(instanceType InstanceType) []corev1.ContainerPort {
 func getSplunkServicePorts(instanceType InstanceType) []corev1.ServicePort {
 	l := []corev1.ServicePort{}
 	for key, value := range getSplunkPorts(instanceType) {
-		l = append(l, corev1.ServicePort{
-			Name:       key,
-			Port:       int32(value),
-			TargetPort: intstr.FromInt(value),
-			Protocol:   corev1.ProtocolTCP,
-		})
+		if key != "replication-tcp" {
+			l = append(l, corev1.ServicePort{
+				Name:       key,
+				Port:       int32(value),
+				TargetPort: intstr.FromInt(value),
+				Protocol:   corev1.ProtocolTCP,
+			})
+		}
+
 	}
 	return l
 }
@@ -610,7 +633,33 @@ func updateSplunkPodTemplateWithConfig(client splcommon.ControllerClient, podTem
 		{Name: "SPLUNK_ROLE", Value: role},
 		{Name: "SPLUNK_DECLARATIVE_ADMIN_PASSWORD", Value: "true"},
 	}
+	if os.Getenv("SPLUNK_HTTP_ENABLESSL") == "true" {
+		env = append(env, corev1.EnvVar{
+			Name:  "SPLUNK_HTTP_ENABLESSL",
+			Value: "true",
+		})
+	}
 
+	if os.Getenv("SPLUNKD_SSL_ENABLE") == "false" {
+		env = append(env, corev1.EnvVar{
+			Name:  "SPLUNK_CERT_PREFIX",
+			Value: "http",
+		})
+		env = append(env, corev1.EnvVar{
+			Name:  "SPLUNKD_SSL_ENABLE",
+			Value: "false",
+		})
+		env = append(env, corev1.EnvVar{
+			Name:  "NO_HEALTHCHECK",
+			Value: "true",
+		})
+	}
+	if os.Getenv("SPLUNKD_SSL_ENABLE") == "false" {
+		env = append(env, corev1.EnvVar{
+			Name:  "SPLUNKD_SSL_ENABLE",
+			Value: "false",
+		})
+	}
 	// update variables for licensing, if configured
 	if spec.LicenseURL != "" {
 		env = append(env, corev1.EnvVar{
@@ -619,13 +668,16 @@ func updateSplunkPodTemplateWithConfig(client splcommon.ControllerClient, podTem
 		})
 	}
 	if instanceType != SplunkLicenseMaster && spec.LicenseMasterRef.Name != "" {
-		licenseMasterURL := GetSplunkServiceName(SplunkLicenseMaster, spec.LicenseMasterRef.Name, false)
-		if spec.LicenseMasterRef.Namespace != "" {
-			licenseMasterURL = splcommon.GetServiceFQDN(spec.LicenseMasterRef.Namespace, licenseMasterURL)
+		licenseMasterName := GetSplunkServiceName(SplunkLicenseMaster, spec.LicenseMasterRef.Name, false)
+		var namespace string
+		if spec.LicenseMasterRef.Namespace == "" {
+			namespace = cr.GetNamespace()
+		} else {
+			namespace = spec.LicenseMasterRef.Namespace
 		}
 		env = append(env, corev1.EnvVar{
 			Name:  "SPLUNK_LICENSE_MASTER_URL",
-			Value: licenseMasterURL,
+			Value: splcommon.GetServiceURI(namespace, licenseMasterName),
 		})
 	}
 
@@ -637,7 +689,7 @@ func updateSplunkPodTemplateWithConfig(client splcommon.ControllerClient, podTem
 	} else if spec.ClusterMasterRef.Name != "" {
 		clusterMasterURL = GetSplunkServiceName(SplunkClusterMaster, spec.ClusterMasterRef.Name, false)
 		if spec.ClusterMasterRef.Namespace != "" {
-			clusterMasterURL = splcommon.GetServiceFQDN(spec.ClusterMasterRef.Namespace, clusterMasterURL)
+			clusterMasterURL = splcommon.GetServiceURI(spec.ClusterMasterRef.Namespace, clusterMasterURL)
 		}
 	}
 	if clusterMasterURL != "" {