support ssl encryption (#191)
* support ssl encryption

* simplify conditions
MegaByte875 committed Apr 3, 2023
1 parent 3f39472 commit 367c133
Showing 26 changed files with 767 additions and 56 deletions.
1 change: 0 additions & 1 deletion Makefile
Expand Up @@ -93,7 +93,6 @@ build: generate check ## Build binary.
$(GO_BUILD) -ldflags '$(LDFLAGS)' -o images/nebula-operator/bin/scheduler cmd/scheduler/main.go

helm-charts:
cp config/crd/bases/*.yaml charts/nebula-operator/crds/
helm package charts/nebula-operator --version $(CHARTS_VERSION) --app-version $(CHARTS_VERSION)
helm package charts/nebula-cluster --version $(CHARTS_VERSION) --app-version $(CHARTS_VERSION)
mv nebula-operator-*.tgz nebula-cluster-*.tgz charts/
2 changes: 1 addition & 1 deletion apis/apps/v1alpha1/exporter.go
Expand Up @@ -58,7 +58,7 @@ func (nc *NebulaCluster) GetExporterNodeSelector() map[string]string {
}

func (nc *NebulaCluster) GetExporterAffinity() *corev1.Affinity {
affinity := nc.Spec.Graphd.PodSpec.Affinity
affinity := nc.Spec.Exporter.PodSpec.Affinity
if affinity == nil {
affinity = nc.Spec.Affinity
}
24 changes: 24 additions & 0 deletions apis/apps/v1alpha1/nebulacluster.go
Expand Up @@ -116,3 +116,27 @@ func (nc *NebulaCluster) IsBREnabled() bool {
func (nc *NebulaCluster) IsLogRotateEnabled() bool {
return nc.Spec.LogRotate != nil
}

func (nc *NebulaCluster) InsecureSkipVerify() bool {
skip := nc.Spec.SSLCerts.InsecureSkipVerify
if skip == nil {
return false
}
return *skip
}

func (nc *NebulaCluster) IsGraphdSSLEnabled() bool {
return nc.Spec.Graphd.Config["enable_graph_ssl"] == "true"
}

func (nc *NebulaCluster) IsMetadSSLEnabled() bool {
return nc.Spec.Graphd.Config["enable_meta_ssl"] == "true" &&
nc.Spec.Metad.Config["enable_meta_ssl"] == "true" &&
nc.Spec.Storaged.Config["enable_meta_ssl"] == "true"
}

func (nc *NebulaCluster) IsClusterEnabled() bool {
return nc.Spec.Graphd.Config["enable_ssl"] == "true" &&
nc.Spec.Metad.Config["enable_ssl"] == "true" &&
nc.Spec.Storaged.Config["enable_ssl"] == "true"
}
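Review bot: `InsecureSkipVerify()` at the top of the added block dereferences `nc.Spec.SSLCerts` with no nil check, yet the component-level `IsSSLEnabled()` methods added in this same commit guard on `c.nc.Spec.SSLCerts != nil`, so `SSLCerts` is evidently a pointer and this accessor panics on any cluster that has no SSL section; guard it with `if nc.Spec.SSLCerts == nil || nc.Spec.SSLCerts.InsecureSkipVerify == nil { return false }` before the dereference. Defaulting to false is the right choice for certificate verification, and whichever caller turns this into a TLS config should log when verification is off so a misconfigured cluster is visible. Separately, `IsGraphdSSLEnabled()` checks only `enable_graph_ssl` while the graphd component's `IsSSLEnabled()` also honours `enable_ssl`; if the former decides whether clients talk to graphd over TLS, a cluster configured with `enable_ssl=true` alone would presumably be contacted in plaintext, so the two predicates should agree. `IsClusterEnabled` also reads as a general cluster toggle rather than a TLS check; `IsClusterSSLEnabled` would say what it tests.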
3 changes: 0 additions & 3 deletions apis/apps/v1alpha1/nebulacluster_common.go
Expand Up @@ -109,9 +109,6 @@ func getKubernetesClusterDomain() string {
}

func joinHostPort(host string, port int32) string {
if strings.IndexByte(host, ':') >= 0 {
return fmt.Sprintf("[%s]:%d", host, port)
}
return fmt.Sprintf("%s:%d", host, port)
}

1 change: 1 addition & 0 deletions apis/apps/v1alpha1/nebulacluster_componentter.go
Expand Up @@ -46,6 +46,7 @@ type NebulaClusterComponentter interface {
SidecarContainers() []corev1.Container
SidecarVolumes() []corev1.Volume
ReadinessProbe() *corev1.Probe
IsSSLEnabled() bool
IsHeadlessService() bool
GetServiceSpec() *ServiceSpec
GetServiceName() string
87 changes: 85 additions & 2 deletions apis/apps/v1alpha1/nebulacluster_graphd.go
Expand Up @@ -155,6 +155,13 @@ func (c *graphdComponent) ReadinessProbe() *corev1.Probe {
return c.nc.Spec.Graphd.PodSpec.ReadinessProbe
}

func (c *graphdComponent) IsSSLEnabled() bool {
return (c.nc.Spec.Graphd.Config["enable_graph_ssl"] == "true" ||
c.nc.Spec.Graphd.Config["enable_meta_ssl"] == "true" ||
c.nc.Spec.Graphd.Config["enable_ssl"] == "true") &&
c.nc.Spec.SSLCerts != nil
}

func (c *graphdComponent) IsHeadlessService() bool {
return false
}
Expand Down Expand Up @@ -224,13 +231,39 @@ func (c *graphdComponent) GenerateVolumeMounts() []corev1.VolumeMount {
}

componentType := c.Type().String()
return []corev1.VolumeMount{
mounts := []corev1.VolumeMount{
{
Name: logVolume(componentType),
MountPath: "/usr/local/nebula/logs",
SubPath: "logs",
},
}

if c.IsSSLEnabled() {
certMounts := []corev1.VolumeMount{
{
Name: "server-crt",
ReadOnly: true,
MountPath: "/usr/local/nebula/certs/server.crt",
SubPath: "server.crt",
},
{
Name: "server-key",
ReadOnly: true,
MountPath: "/usr/local/nebula/certs/server.key",
SubPath: "server.key",
},
{
Name: "ca-crt",
ReadOnly: true,
MountPath: "/usr/local/nebula/certs/ca.crt",
SubPath: "ca.crt",
},
}
mounts = append(mounts, certMounts...)
}

return mounts
}

func (c *graphdComponent) GenerateVolumes() []corev1.Volume {
Expand All @@ -239,7 +272,7 @@ func (c *graphdComponent) GenerateVolumes() []corev1.Volume {
}

componentType := c.Type().String()
return []corev1.Volume{
volumes := []corev1.Volume{
{
Name: logVolume(componentType),
VolumeSource: corev1.VolumeSource{
Expand All @@ -249,6 +282,56 @@ func (c *graphdComponent) GenerateVolumes() []corev1.Volume {
},
},
}

if c.IsSSLEnabled() {
certVolumes := []corev1.Volume{
{
Name: "server-crt",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: c.nc.Spec.SSLCerts.ServerSecret,
Items: []corev1.KeyToPath{
{
Key: c.nc.Spec.SSLCerts.ServerPublicKey,
Path: "server.crt",
},
},
},
},
},
{
Name: "server-key",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: c.nc.Spec.SSLCerts.ServerSecret,
Items: []corev1.KeyToPath{
{
Key: c.nc.Spec.SSLCerts.ServerPrivateKey,
Path: "server.key",
},
},
},
},
},
{
Name: "ca-crt",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: c.nc.Spec.SSLCerts.CASecret,
Items: []corev1.KeyToPath{
{
Key: c.nc.Spec.SSLCerts.CAPublicKey,
Path: "ca.crt",
},
},
},
},
},
}
volumes = append(volumes, certVolumes...)
}

return volumes
}

func (c *graphdComponent) GenerateVolumeClaim() ([]corev1.PersistentVolumeClaim, error) {
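Review bot: The certificate files added in `GenerateVolumeMounts` are mounted with `SubPath`, and the kubelet does not propagate Secret updates into subPath mounts, so a rotated server certificate, key or CA will not reach a running graphd pod until it is restarted; either mount the `server-crt`/`server-key`/`ca-crt` volumes as directories without `SubPath` (and point the nebula config at the directory) or document that rotation requires a rollout. The `server-key` Secret volume in `GenerateVolumes` also relies on the default file mode, which leaves the private key readable by every user in the container; setting `DefaultMode` on that `SecretVolumeSource` to a `*int32` holding `0400` keeps it to the file owner, and the `ReadOnly: true` on the mounts is good as is. The same three mounts and three volumes are duplicated verbatim in nebulacluster_metad.go and nebulacluster_storaged.go, where both points above apply as well; a shared helper on `NebulaCluster` that builds the cert mounts and cert volumes from `Spec.SSLCerts` would keep the paths, key names and file mode in one place. Both `GenerateVolumeMounts` and `GenerateVolumes` begin before their hunks, so the construction of `mounts`/`volumes` is only partly visible here.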
78 changes: 78 additions & 0 deletions apis/apps/v1alpha1/nebulacluster_metad.go
Expand Up @@ -169,6 +169,12 @@ func (c *metadComponent) ReadinessProbe() *corev1.Probe {
return c.nc.Spec.Metad.PodSpec.ReadinessProbe
}

func (c *metadComponent) IsSSLEnabled() bool {
return (c.nc.Spec.Metad.Config["enable_meta_ssl"] == "true" ||
c.nc.Spec.Metad.Config["enable_ssl"] == "true") &&
c.nc.Spec.SSLCerts != nil
}

func (c *metadComponent) IsHeadlessService() bool {
return true
}
Expand Down Expand Up @@ -259,6 +265,30 @@ func (c *metadComponent) GenerateVolumeMounts() []corev1.VolumeMount {
})
}

if c.IsSSLEnabled() {
certMounts := []corev1.VolumeMount{
{
Name: "server-crt",
ReadOnly: true,
MountPath: "/usr/local/nebula/certs/server.crt",
SubPath: "server.crt",
},
{
Name: "server-key",
ReadOnly: true,
MountPath: "/usr/local/nebula/certs/server.key",
SubPath: "server.key",
},
{
Name: "ca-crt",
ReadOnly: true,
MountPath: "/usr/local/nebula/certs/ca.crt",
SubPath: "ca.crt",
},
}
mounts = append(mounts, certMounts...)
}

return mounts
}

Expand Down Expand Up @@ -303,6 +333,54 @@ func (c *metadComponent) GenerateVolumes() []corev1.Volume {
})
}

if c.IsSSLEnabled() {
certVolumes := []corev1.Volume{
{
Name: "server-crt",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: c.nc.Spec.SSLCerts.ServerSecret,
Items: []corev1.KeyToPath{
{
Key: c.nc.Spec.SSLCerts.ServerPublicKey,
Path: "server.crt",
},
},
},
},
},
{
Name: "server-key",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: c.nc.Spec.SSLCerts.ServerSecret,
Items: []corev1.KeyToPath{
{
Key: c.nc.Spec.SSLCerts.ServerPrivateKey,
Path: "server.key",
},
},
},
},
},
{
Name: "ca-crt",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: c.nc.Spec.SSLCerts.CASecret,
Items: []corev1.KeyToPath{
{
Key: c.nc.Spec.SSLCerts.CAPublicKey,
Path: "ca.crt",
},
},
},
},
},
}
volumes = append(volumes, certVolumes...)
}

return volumes
}

78 changes: 78 additions & 0 deletions apis/apps/v1alpha1/nebulacluster_storaged.go
Expand Up @@ -174,6 +174,12 @@ func (c *storagedComponent) ReadinessProbe() *corev1.Probe {
return c.nc.Spec.Storaged.PodSpec.ReadinessProbe
}

func (c *storagedComponent) IsSSLEnabled() bool {
return (c.nc.Spec.Storaged.Config["enable_meta_ssl"] == "true" ||
c.nc.Spec.Storaged.Config["enable_ssl"] == "true") &&
c.nc.Spec.SSLCerts != nil
}

func (c *storagedComponent) IsHeadlessService() bool {
return true
}
Expand Down Expand Up @@ -271,6 +277,30 @@ func (c *storagedComponent) GenerateVolumeMounts() []corev1.VolumeMount {
})
}

if c.IsSSLEnabled() {
certMounts := []corev1.VolumeMount{
{
Name: "server-crt",
ReadOnly: true,
MountPath: "/usr/local/nebula/certs/server.crt",
SubPath: "server.crt",
},
{
Name: "server-key",
ReadOnly: true,
MountPath: "/usr/local/nebula/certs/server.key",
SubPath: "server.key",
},
{
Name: "ca-crt",
ReadOnly: true,
MountPath: "/usr/local/nebula/certs/ca.crt",
SubPath: "ca.crt",
},
}
mounts = append(mounts, certMounts...)
}

return mounts
}

Expand Down Expand Up @@ -302,6 +332,54 @@ func (c *storagedComponent) GenerateVolumes() []corev1.Volume {
})
}

if c.IsSSLEnabled() {
certVolumes := []corev1.Volume{
{
Name: "server-crt",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: c.nc.Spec.SSLCerts.ServerSecret,
Items: []corev1.KeyToPath{
{
Key: c.nc.Spec.SSLCerts.ServerPublicKey,
Path: "server.crt",
},
},
},
},
},
{
Name: "server-key",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: c.nc.Spec.SSLCerts.ServerSecret,
Items: []corev1.KeyToPath{
{
Key: c.nc.Spec.SSLCerts.ServerPrivateKey,
Path: "server.key",
},
},
},
},
},
{
Name: "ca-crt",
VolumeSource: corev1.VolumeSource{
Secret: &corev1.SecretVolumeSource{
SecretName: c.nc.Spec.SSLCerts.CASecret,
Items: []corev1.KeyToPath{
{
Key: c.nc.Spec.SSLCerts.CAPublicKey,
Path: "ca.crt",
},
},
},
},
},
}
volumes = append(volumes, certVolumes...)
}

return volumes
}
