Closed
62 commits
b508ffd
Client TLS now configurable instead of defaulting to "tls" SecretClass
maltesander Jul 11, 2022
60984ff
wip - separating client and internal tls
maltesander Jul 11, 2022
34bde07
wip
maltesander Jul 12, 2022
5c4959a
wip
maltesander Jul 13, 2022
6a6302d
wip
maltesander Jul 13, 2022
2fa5b08
adapted example
maltesander Jul 13, 2022
6a407cd
wip
maltesander Jul 13, 2022
bef5b43
wip
maltesander Jul 15, 2022
745c9b4
working with s3 tls
maltesander Jul 18, 2022
9b9a443
Merge remote-tracking branch 'origin/main' into s3_tls_verification
maltesander Jul 18, 2022
7aba2f9
wip
maltesander Jul 18, 2022
9d49a18
fix imports
maltesander Jul 18, 2022
1ef669d
adapted changelog
maltesander Jul 18, 2022
b4d8d4e
attempt to fix clippy
maltesander Jul 18, 2022
177c6c9
s3 tls working without client / internal tls
maltesander Jul 19, 2022
5e28ea0
wip
maltesander Jul 20, 2022
4b3edb5
external and internal tls working with different keystores
maltesander Jul 20, 2022
2ce3b5a
wip
maltesander Jul 20, 2022
1467eaf
adapted example
maltesander Jul 20, 2022
4b41256
tls tests working
maltesander Jul 22, 2022
2f13bac
adapted docs
maltesander Jul 22, 2022
44827f5
fixed typos and tabs
maltesander Jul 22, 2022
557552b
reenabled all tests
maltesander Jul 22, 2022
4bf6d9e
Merge remote-tracking branch 'origin/main' into s3_tls_verification
maltesander Jul 22, 2022
37d5770
merged main
maltesander Jul 22, 2022
ae5a497
regenerated charts
maltesander Jul 25, 2022
bf4d7cf
Merge remote-tracking branch 'origin/main' into s3_tls_verification
maltesander Jul 28, 2022
c544614
using xref instead of hard coded links
maltesander Jul 28, 2022
96673aa
removed statement for s3 and authentication being in the GlobalTrinoC…
maltesander Jul 28, 2022
e3929a3
partially adapted to pr review
maltesander Jul 28, 2022
0316b6c
regenerated charts
maltesander Jul 28, 2022
790d7ab
adapted to pr review
maltesander Jul 28, 2022
7798d0f
removed truststore from cli command
maltesander Jul 28, 2022
c301bdf
extended test cases
maltesander Jul 28, 2022
23f12d5
made GlobalTrinoConfig non optional
maltesander Jul 29, 2022
82f66ef
fixed comment for trino version
maltesander Jul 29, 2022
de5f614
internal tls activated by default
maltesander Aug 4, 2022
f2fbae5
removed nested client and internal tls directories
maltesander Aug 4, 2022
05947f2
Merge remote-tracking branch 'origin/main' into s3_tls_verification
maltesander Aug 4, 2022
76310e1
merged main and regenerated charts
maltesander Aug 4, 2022
987be8c
Update docs/modules/ROOT/pages/usage.adoc
maltesander Aug 5, 2022
bc9ef22
Update docs/modules/ROOT/pages/usage.adoc
maltesander Aug 5, 2022
96976be
Update docs/modules/ROOT/pages/usage.adoc
maltesander Aug 5, 2022
85ebbb7
now using different directory for keystores and not the secret operat…
maltesander Aug 8, 2022
67afd12
extracted tls/auth/s3 volume mounts into method
maltesander Aug 8, 2022
e62976c
Error out if client tls is explicitly set to null but authentication …
maltesander Aug 8, 2022
f9b8714
Update rust/operator-binary/src/controller.rs
maltesander Aug 11, 2022
b247d77
Added requirements.txt
maltesander Aug 11, 2022
91dc6e0
client tls volume mounts now only added if tls enabled
maltesander Aug 11, 2022
55c8e05
removed ignore filter for warnings
maltesander Aug 11, 2022
98cab2b
removed metadata.name
maltesander Aug 11, 2022
5750113
renamed untrusted-ca.crt -> untrusted-cert.crt
maltesander Aug 16, 2022
4a380b7
switched python config from yaml to json
maltesander Aug 16, 2022
ae29231
improved exception handling in check-tls.py
maltesander Aug 17, 2022
5bf6774
error type for test_query_failure now configurable
maltesander Aug 17, 2022
9d40e89
improved client / internal / auth configuration property definition
maltesander Aug 18, 2022
b82535e
regenerated charts
maltesander Aug 18, 2022
2183c26
TlsSecretClass no longer optional parameter in create_tls_volume
maltesander Aug 18, 2022
af7247f
pinned all trino client requirements
maltesander Aug 18, 2022
0c48017
fixed trino client requirements
maltesander Aug 18, 2022
b507aee
now raising exception if nothing fails in test_query_failure
maltesander Aug 18, 2022
edab5e0
Update tests/templates/kuttl/tls/check-tls.py
maltesander Aug 19, 2022
4 changes: 4 additions & 0 deletions CHANGELOG.md
Expand Up @@ -9,11 +9,15 @@ All notable changes to this project will be documented in this file.
- Include chart name when installing with a custom release name ([#233], [#234]).
- `operator-rs` `0.21.1` -> `0.22.0` ([#235]).
- Add support for Hive 3.1.3 ([#243])
- Internal and client TLS now configurable instead of defaulting to "tls" secret class ([#244]).
- S3 TLS properly supported ([#244]).
- Introduced global `config` for `TLS` settings ([#244]).

[#233]: https://github.com/stackabletech/trino-operator/pull/233
[#234]: https://github.com/stackabletech/trino-operator/pull/234
[#235]: https://github.com/stackabletech/trino-operator/pull/235
[#243]: https://github.com/stackabletech/trino-operator/pull/243
[#244]: https://github.com/stackabletech/trino-operator/pull/244

## [0.4.0] - 2022-06-30
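
Review bot: The three new entries for #244 do not tell an upgrading user what changes for them. "S3 TLS properly supported" does not say what was missing before or what is now verified, and "Introduced global `config` for `TLS` settings" does not name the fields. Suggest listing `config.tls` and `config.internalTls` with their default `secretClass: tls`, and marking the entry as breaking if existing TrinoCluster manifests need editing.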

1 change: 1 addition & 0 deletions Cargo.lock


8 changes: 5 additions & 3 deletions deploy/config-spec/properties.yaml
Expand Up @@ -87,9 +87,9 @@ properties:
value: "8080"
roles:
- name: "coordinator"
required: true
required: false
- name: "worker"
required: true
required: false
asOfVersion: "0.0.0"

- property: &httpServerHttpsPort
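
Review bot: With `required: false` now set for both `coordinator` and `worker` on the HTTP port property, please confirm how the `value: "8080"` in the context line above is treated. If it is still written out when TLS is enabled, a plaintext listener stays open next to the HTTPS one. A short comment on this property saying under which TLS settings the operator sets it would make the intent reviewable from this file.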
Expand All @@ -108,6 +108,8 @@ properties:
roles:
- name: "coordinator"
required: false
- name: "worker"
required: false
asOfVersion: "0.0.0"

- property: &queryMaxMemory
Expand Down Expand Up @@ -217,7 +219,7 @@ properties:
- "INFO"
- "DEBUG"
- "WARN"
- "ERROR"
- "ERROR"
roles:
- name: "coordinator"
required: true
41 changes: 38 additions & 3 deletions deploy/crd/trinocluster.crd.yaml
Expand Up @@ -23,7 +23,6 @@ spec:
spec:
properties:
authentication:
description: A reference to a secret containing username/password for defined users
nullable: true
properties:
method:
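
Review bot: The `description` on `authentication` is dropped here without a replacement, while later hunks in this file add descriptions to `coordinators`, `workers`, `version`, `hiveConfigMapName` and `opa`. The old wording may have been too narrow, but this is a security-relevant field and should not be the one left undocumented. Suggest adding a new doc comment on the field so the regenerated CRD carries it.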
Expand All @@ -50,7 +49,39 @@ spec:
required:
- method
type: object
config:
default:
tls:
secretClass: tls
internalTls:
secretClass: tls
description: Global Trino Config for cluster settings like TLS
properties:
internalTls:
default:
secretClass: tls
description: "Only affects internal communication. Use mutual verification between Trino nodes This setting controls: - Which cert the servers should use to authenticate themselves against other servers - Which ca.crt to use when validating the other server"
nullable: true
properties:
secretClass:
type: string
required:
- secretClass
type: object
tls:
default:
secretClass: tls
description: "Only affects client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client"
nullable: true
properties:
secretClass:
type: string
required:
- secretClass
type: object
type: object
coordinators:
description: Settings for the Coordinator Role/Process.
nullable: true
properties:
cliOverrides:
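
Review bot: Both `tls` and `internalTls` are `nullable: true` with a default of `secretClass: tls`, but neither `description` says what an explicit `null` does. The `tls` text only says it controls "If TLS encryption is used at all", so the reader has to infer that `null` disables client TLS; for `internalTls` it is not stated whether `null` turns off mutual verification between nodes. Suggest spelling out the `null` behaviour in both descriptions. The `internalTls` description also runs two sentences together ("between Trino nodes This setting controls:") and needs a period.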
Expand Down Expand Up @@ -158,9 +189,11 @@ spec:
- roleGroups
type: object
hiveConfigMapName:
description: The discovery ConfigMap name of the Hive cluster (usually the same as the Hive cluster name).
nullable: true
type: string
opa:
description: The discovery ConfigMap name of the OPA cluster (usually the same as the OPA cluster name).
nullable: true
properties:
configMapName:
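
Review bot: The new `description` on `opa` reads "The discovery ConfigMap name of the OPA cluster", but `opa` is an object and the name lives in its `configMapName` property. Suggest describing the object on `opa` and moving the ConfigMap wording down to `configMapName`.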
Expand All @@ -172,7 +205,7 @@ spec:
- configMapName
type: object
s3:
description: Operators are expected to define fields for this type in order to work with S3 connections.
description: A reference to a S3 bucket.
nullable: true
oneOf:
- required:
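
Review bot: The replacement `description` on `s3` has a grammar slip ("a S3" should be "an S3"). "A reference to" may also undersell the field given the `oneOf` that follows: if one of the variants is an inline definition rather than a reference, the description should cover both.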
Expand Down Expand Up @@ -271,13 +304,15 @@ spec:
type: string
type: object
stopped:
description: "Emergency stop button, if `true` then all pods are stopped without affecting configuration (as setting `replicas` to `0` would)"
description: "Emergency stop button, if `true` then all pods are stopped without affecting configuration (as setting `replicas` to `0` would)."
nullable: true
type: boolean
version:
description: "The provided trino image version in the form `xxx-stackableY.Y.Y` e.g. `387-stackable0.1.0`."
nullable: true
type: string
workers:
description: Settings for the Worker Role/Process.
nullable: true
properties:
cliOverrides:
8 changes: 5 additions & 3 deletions deploy/helm/trino-operator/configs/properties.yaml
Expand Up @@ -87,9 +87,9 @@ properties:
value: "8080"
roles:
- name: "coordinator"
required: true
required: false
- name: "worker"
required: true
required: false
asOfVersion: "0.0.0"

- property: &httpServerHttpsPort
Expand All @@ -108,6 +108,8 @@ properties:
roles:
- name: "coordinator"
required: false
- name: "worker"
required: false
asOfVersion: "0.0.0"

- property: &queryMaxMemory
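
Review bot: Adding `worker` with `required: false` to `httpServerHttpsPort` means that, together with the hunk above, neither the HTTP nor the HTTPS port is required for either role, so this spec on its own accepts a role with no port configured. If the operator always sets exactly one of the two depending on the TLS settings, a test asserting that would guard the invariant. The same applies to the identical change in `deploy/config-spec/properties.yaml`.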
Expand Down Expand Up @@ -217,7 +219,7 @@ properties:
- "INFO"
- "DEBUG"
- "WARN"
- "ERROR"
- "ERROR"
roles:
- name: "coordinator"
required: true
41 changes: 38 additions & 3 deletions deploy/helm/trino-operator/crds/crds.yaml
Expand Up @@ -24,7 +24,6 @@ spec:
spec:
properties:
authentication:
description: A reference to a secret containing username/password for defined users
nullable: true
properties:
method:
Expand All @@ -51,7 +50,39 @@ spec:
required:
- method
type: object
config:
default:
tls:
secretClass: tls
internalTls:
secretClass: tls
description: Global Trino Config for cluster settings like TLS
properties:
internalTls:
default:
secretClass: tls
description: 'Only affects internal communication. Use mutual verification between Trino nodes This setting controls: - Which cert the servers should use to authenticate themselves against other servers - Which ca.crt to use when validating the other server'
nullable: true
properties:
secretClass:
type: string
required:
- secretClass
type: object
tls:
default:
secretClass: tls
description: 'Only affects client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client'
nullable: true
properties:
secretClass:
type: string
required:
- secretClass
type: object
type: object
coordinators:
description: Settings for the Coordinator Role/Process.
nullable: true
properties:
cliOverrides:
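
Review bot: The defaults for `tls` and `internalTls` both point at the same SecretClass, `tls`, so out of the box the certificate presented to clients and the `ca.crt` used to validate other Trino nodes come from the same source. If internal communication is meant to have its own trust boundary, the `internalTls` description should say that a dedicated SecretClass is needed for that; otherwise state that sharing one is intended. The same applies to the identical hunk in `deploy/crd/trinocluster.crd.yaml`.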
Expand Down Expand Up @@ -159,9 +190,11 @@ spec:
- roleGroups
type: object
hiveConfigMapName:
description: The discovery ConfigMap name of the Hive cluster (usually the same as the Hive cluster name).
nullable: true
type: string
opa:
description: The discovery ConfigMap name of the OPA cluster (usually the same as the OPA cluster name).
nullable: true
properties:
configMapName:
Expand All @@ -173,7 +206,7 @@ spec:
- configMapName
type: object
s3:
description: Operators are expected to define fields for this type in order to work with S3 connections.
description: A reference to a S3 bucket.
nullable: true
oneOf:
- required:
Expand Down Expand Up @@ -272,13 +305,15 @@ spec:
type: string
type: object
stopped:
description: Emergency stop button, if `true` then all pods are stopped without affecting configuration (as setting `replicas` to `0` would)
description: Emergency stop button, if `true` then all pods are stopped without affecting configuration (as setting `replicas` to `0` would).
nullable: true
type: boolean
version:
description: The provided trino image version in the form `xxx-stackableY.Y.Y` e.g. `387-stackable0.1.0`.
nullable: true
type: string
workers:
description: Settings for the Worker Role/Process.
nullable: true
properties:
cliOverrides: