Merge pull request #51 from marklogic/feature/CLD-278

pengzhouml · web-flow · commit 06de8d921079 · 2022-12-05T08:55:49.000-08:00
CLD-278: Enable Intra-Cluster Network Traffic Encryption (XDQP)
diff --git a/README.md b/README.md
@@ -23,6 +23,8 @@
   - [Adding and Removing Hosts from Clusters](#adding-and-removing-hosts-from-clusters)
     - [Adding Hosts](#adding-hosts)
     - [Removing Hosts](#removing-hosts)
+    - [Enabling SSL over XDQP](#enabling-ssl-over-xdqp)
+- [Deploying a MarkLogic Cluster with Multiple Groups](#deploying-a-marklogic-cluster-with-multiple-groups)
 - [Access the MarkLogic Server](#access-the-marklogic-server)
   - [Service](#service)
     - [Get the ClusterIP Service Name](#get-the-clusterip-service-name)
@@ -294,8 +296,13 @@ kubectl logs pod/terminated-host-pod-name
 ```
 
 If you are permanently removing the host from the MarkLogic cluster, once the pod is terminated, follow standard MarkLogic administrative procedures using the administrative UI or APIs to remove the MarkLogic host from the cluster. Also, because Kubernetes keeps the Persistent Volume Claims and Persistent Volumes around until they are explicitly deleted, you must manually delete them using the Kubernetes APIs before attempting to scale the hosts in the StatefulSet back up again.
+### Enabling SSL over XDQP
 
-## Deploying a MarkLogic Cluster with Multiple Groups
+To enable SSL over XDQP, set the `enableXdqpSsl` to true either in the values.yaml file or using the `--set` flag. All communications to and from hosts in the cluster will be secured. When this setting is on, default SSL certificates will be used for XDQP encryption.
+
+Note: To enable other XDQP/SSL settings like `xdqp ssl allow sslv3`, `xdqp ssl allow tls`, `xdqp ssl ciphers`, use MarkLogic REST Management API. See the MarkLogic documentation [here](https://docs.marklogic.com/REST/management).
+
+# Deploying a MarkLogic Cluster with Multiple Groups
 
 To deploy a MarkLogic cluster with multiple groups (separate E and D nodes for example) the `bootstrapHostName` and `group.name` must be configured in values.yaml or set the values provided for these configurations using the `--set` flag while installing helm charts.
 For example, if you want to create a MarkLogic cluster with three nodes in a "dnode" group and two nodes in an "enode" group, start with the following helm command:
@@ -424,7 +431,10 @@ This table describes the list of available parameters for Helm Chart.
 | `nameOverride`                       | String to override the app name                                                                                | `""`                                 |
 | `fullnameOverride`                   | String to completely replace the generated name                                                                | `""`                                 |
 | `auth.adminUsername`                 | Username for default MarkLogic Administrator                                                                   | `admin`                              |
-| `auth.adminPassword`                 | Password for default MarkLogic Administrator                                                                   | `admin`                              |
+| `auth.adminPassword`                 | Password for default MarkLogic Administrator                                                                   | `admin`     
+| `bootstrapHostName`                 | Host name of MarkLogic bootstrap host                                                                | `""`   
+| `group.name`               | group name for joining MarkLogic cluster                                                                    | `Default`                              |
+| `group.enableXdqpSsl`                 | SSL encryption for XDQP                                                                   | `true`                         |
 | `affinity`                           | Affinity property for pod assignment                                                                           | `{}`                                 |
 | `nodeSelector`                       | nodeSelector property for pod assignment                                                                       | `{}`                                 |
 | `persistence.enabled`                | Enable MarkLogic data persistence using Persistence Volume Claim (PVC). If set to false, EmptyDir will be used | `true`                               |
diff --git a/charts/templates/configmap.yaml b/charts/templates/configmap.yaml
@@ -14,6 +14,8 @@ data:
   MARKLOGIC_FQDN_SUFFIX: {{ include "marklogic.headlessURL" . }}
   MARKLOGIC_INIT: "true"
   MARKLOGIC_JOIN_CLUSTER: "true"
+  MARKLOGIC_GROUP: {{ .Values.group.name }}
+  XDQP_SSL_ENABLED: {{ quote .Values.group.enableXdqpSsl }}
 ---
 {{- if .Values.logCollection.enabled }}
 apiVersion: v1
diff --git a/charts/templates/statefulset.yaml b/charts/templates/statefulset.yaml
@@ -43,8 +43,8 @@ spec:
               log "Error: [initContainer] Bootstrap host $MARKLOGIC_BOOTSTRAP_HOST not found, exiting Init container."
               exit 1
             fi
-            GROUP_CFG_TEMPLATE='{"group-name":"%s"}'
-            GROUP_CFG=$(printf "$GROUP_CFG_TEMPLATE" "$MARKLOGIC_GROUP")
+            GROUP_CFG_TEMPLATE='{"group-name":"%s", "xdqp-ssl-enabled":"%s"}'
+            GROUP_CFG=$(printf "$GROUP_CFG_TEMPLATE" "$MARKLOGIC_GROUP" "$XDQP_SSL_ENABLED") 
             GROUP_RESP_CODE=`curl --anyauth -m 20 -s -o /dev/null -w "%{http_code}" -X GET http://${MARKLOGIC_BOOTSTRAP_HOST}:8002/manage/v2/groups/${MARKLOGIC_GROUP} --anyauth --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD}`
             if [[ ${GROUP_RESP_CODE} -eq 200 ]]; then
               log "Info: [initContainer] Skipping creation of group $MARKLOGIC_GROUP as it already exists on the MarkLogic cluster." 
@@ -67,8 +67,6 @@ spec:
               exit 1
             fi                      
         env: 
-        - name: MARKLOGIC_GROUP
-          value: {{ .Values.group.name }}
         - name: MARKLOGIC_ADMIN_USERNAME
           valueFrom:
             secretKeyRef:
@@ -108,8 +106,6 @@ spec:
                   secretKeyRef:
                     name: {{ include "marklogic.fullname" . }}-admin
                     key: password
-            - name: MARKLOGIC_GROUP
-              value: {{ .Values.group.name }}
             - name: POD_NAME
               valueFrom:
                 fieldRef:
@@ -148,19 +144,19 @@ spec:
                       echo "${TIMESTAMP}  $@" > /proc/$pid/fd/1
                     }
                     log "Info: [poststart] Begin Poststart Hook Execution"
-                    if [[ $MARKLOGIC_GROUP == "Default" || $POD_NAME != *-0 ]]; then
-                      log "Info: [poststart] This is not a bootstrap host or group specified is Default"
+                    if [[ $POD_NAME != *-0 ]]; then
+                      log "Info: [poststart] Skipping group configuration."
                     else
                       while [ ! -f /var/opt/MarkLogic/ready ]; do
+                        log "[poststart] wait for marklogic server to be ready"
                         sleep 5s
                       done
-                      
-                      GROUP_CFG_TEMPLATE='{"group-name":"%s"}'
-                      GROUP_CFG=$(printf "$GROUP_CFG_TEMPLATE" "$MARKLOGIC_GROUP")
-                      
-                      log "Info: [poststart] Updating Default group on cluster"
-                      curl --anyauth -m 20 -s -X PUT -H "Content-type: application/json" -d "${GROUP_CFG}" http://${MARKLOGIC_BOOTSTRAP_HOST}:8002/manage/v2/groups/Default/properties --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD}
                       sleep 10s
+                      GROUP_CFG_TEMPLATE='{"group-name":"%s", "xdqp-ssl-enabled":"%s"}'
+                      GROUP_CFG=$(printf "$GROUP_CFG_TEMPLATE" "$MARKLOGIC_GROUP" "$XDQP_SSL_ENABLED") 
+                      log "Info: [poststart] Updating group configuration: ${GROUP_CFG}"
+                      curl --anyauth -m 20 -X PUT -H "Content-type: application/json" -d "${GROUP_CFG}" http://${MARKLOGIC_BOOTSTRAP_HOST}:8002/manage/v2/groups/Default/properties --user ${MARKLOGIC_ADMIN_USERNAME}:${MARKLOGIC_ADMIN_PASSWORD}
+                      sleep 2s
                     fi
                     log "Info: [poststart] Poststart Hook Execution Completed"
             {{- end }}
diff --git a/charts/values.yaml b/charts/values.yaml
@@ -10,11 +10,12 @@ terminationGracePeriod: 120
 group:
   # the group name of the current Marklogic Helm Deployment
   name: Default
+  # xdqp encryption for intra cluster network traffic
+  enableXdqpSsl: true
 
 # The name of the host to join. If not provided, the deployment is a bootstrap host.
 bootstrapHostName: ""
 
-
 # Marklogic image parameters
 image:
   repository: marklogicdb/marklogic-db
diff --git a/test/e2e/install_test.go b/test/e2e/install_test.go
@@ -113,7 +113,26 @@ func TestHelmInstall(t *testing.T) {
 	// the generated password should be able to access the manage endpoint
 	assert.Equal(t, 200, response.StatusCode)
 
-	t.Log("====Verify no groups beyond enode were created/modified====")
+	t.Log("====Verify xdqp-ssl-enabled is set to true by default")
+	endpoint := fmt.Sprintf("http://%s/manage/v2/groups/Default/properties?format=json", tunnel8002.Endpoint())
+	t.Logf(`Endpoint for group properties: %s`, endpoint)
+
+	request = digestAuth.NewRequest(username, password, "GET", endpoint, "")
+	resp, err = request.Execute()
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+	defer resp.Body.Close()
+	body, err = ioutil.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+
+	xdqpSSLEnabled := gjson.Get(string(body), `xdqp-ssl-enabled`)
+	// verify xdqp-ssl-enabled is set to trues
+	assert.Equal(t, true, xdqpSSLEnabled.Bool(), "xdqp-ssl-enabled should be set to true")
+
+	t.Log("====Verify no groups beyond default were created/modified====")
 	groupStatusEndpoint := fmt.Sprintf("http://%s/manage/v2/groups?format=json", tunnel8002.Endpoint())
 	groupStatus := digestAuth.NewRequest(username, password, "GET", groupStatusEndpoint, "")
 	t.Logf(`groupStatusEndpoint: %s`, groupStatusEndpoint)
@@ -129,5 +148,4 @@ func TestHelmInstall(t *testing.T) {
 		t.Errorf("Only one group should exist, instead %v groups exist", groupQuantityJSON.Num)
 	}
 
-	t.Logf("Groups status response:\n" + string(body))
 }
diff --git a/test/e2e/separate_nodes_test.go b/test/e2e/separate_nodes_test.go
@@ -3,7 +3,6 @@ package e2e
 import (
 	"fmt"
 	"io/ioutil"
-	"net/http"
 	"os"
 	"path/filepath"
 	"strings"
@@ -13,15 +12,12 @@ import (
 	"github.com/gruntwork-io/terratest/modules/helm"
 	"github.com/gruntwork-io/terratest/modules/k8s"
 	"github.com/gruntwork-io/terratest/modules/random"
+	"github.com/stretchr/testify/assert"
 	"github.com/tidwall/gjson"
 	digestAuth "github.com/xinsnake/go-http-digest-auth-client"
 )
 
 func TestSeparateEDnode(t *testing.T) {
-	var resp *http.Response
-	var body []byte
-	var err error
-
 	username := "admin"
 	password := "admin"
 	imageRepo, repoPres := os.LookupEnv("dockerRepository")
@@ -60,6 +56,7 @@ func TestSeparateEDnode(t *testing.T) {
 			"auth.adminUsername":    username,
 			"auth.adminPassword":    password,
 			"group.name":            "dnode",
+			"group.enableXdqpSsl":   "true",
 			"logCollection.enabled": "false",
 		},
 	}
@@ -86,14 +83,15 @@ func TestSeparateEDnode(t *testing.T) {
 
 	getHostsDR := digestAuth.NewRequest(username, password, "GET", hostsEndpoint, "")
 
-	if resp, err = getHostsDR.Execute(); err != nil {
+	resp, err := getHostsDR.Execute()
+	if err != nil {
 		t.Fatalf(err.Error())
 	}
 	defer resp.Body.Close()
-	if body, err = ioutil.ReadAll(resp.Body); err != nil {
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
 		t.Fatalf(err.Error())
 	}
-	t.Logf("Get hosts response:\n" + string(body))
 
 	bootstrapHostJSON := gjson.Get(string(body), `host-default-list.list-items.list-item.#(roleref="bootstrap").nameref`)
 	t.Logf(`BootstrapHost: = %s`, bootstrapHostJSON)
@@ -102,6 +100,25 @@ func TestSeparateEDnode(t *testing.T) {
 		t.Errorf("Bootstrap does not exists on cluster")
 	}
 
+	t.Log("====Verify xdqp-ssl-enabled is set to true")
+	endpoint := fmt.Sprintf("http://%s/manage/v2/groups/dnode/properties?format=json", tunnel.Endpoint())
+	t.Logf(`Endpoint for group properties: %s`, endpoint)
+
+	request := digestAuth.NewRequest(username, password, "GET", endpoint, "")
+	resp, err = request.Execute()
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+	defer resp.Body.Close()
+	body, err = ioutil.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+
+	xdqpSSLEnabled := gjson.Get(string(body), `xdqp-ssl-enabled`)
+	// verify xdqp-ssl-enabled is set to trues
+	assert.Equal(t, true, xdqpSSLEnabled.Bool(), "xdqp-ssl-enabled should be set to true")
+
 	enodeOptions := &helm.Options{
 		KubectlOptions: kubectlOptions,
 		SetValues: map[string]string{
@@ -113,6 +130,7 @@ func TestSeparateEDnode(t *testing.T) {
 			"auth.adminPassword":    password,
 			"group.name":            "enode",
 			"bootstrapHostName":     bootstrapHostJSON.Str,
+			"group.enableXdqpSsl":   "false",
 			"logCollection.enabled": "false",
 		},
 	}
@@ -122,6 +140,25 @@ func TestSeparateEDnode(t *testing.T) {
 	// wait until the first enode pod is in Ready status
 	k8s.WaitUntilPodAvailable(t, kubectlOptions, enodePodName0, 45, 20*time.Second)
 
+	t.Log("====Verify xdqp-ssl-enabled is set to false on Enode")
+	endpoint = fmt.Sprintf("http://%s/manage/v2/groups/enode/properties?format=json", tunnel.Endpoint())
+	t.Logf(`Endpoint for group properties: %s`, endpoint)
+
+	request = digestAuth.NewRequest(username, password, "GET", endpoint, "")
+	resp, err = request.Execute()
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+	defer resp.Body.Close()
+	body, err = ioutil.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf(err.Error())
+	}
+
+	xdqpSSLEnabled = gjson.Get(string(body), `xdqp-ssl-enabled`)
+	// verify xdqp-ssl-enabled is set to false
+	assert.Equal(t, false, xdqpSSLEnabled.Bool())
+
 	groupEndpoint := fmt.Sprintf("http://%s/manage/v2/groups", tunnel.Endpoint())
 	t.Logf(`Endpoint: %s`, groupEndpoint)
 
@@ -134,7 +171,6 @@ func TestSeparateEDnode(t *testing.T) {
 	if body, err = ioutil.ReadAll(resp.Body); err != nil {
 		t.Fatalf(err.Error())
 	}
-	t.Logf("Groups status response:\n" + string(body))
 
 	// verify groups dnode, enode exists on the cluster
 	if !strings.Contains(string(body), "<nameref>dnode</nameref>") && !strings.Contains(string(body), "<nameref>enode</nameref>") {
@@ -149,12 +185,14 @@ func TestSeparateEDnode(t *testing.T) {
 
 	getEnodeDR := digestAuth.NewRequest(username, password, "GET", enodeEndpoint, "")
 
-	if resp, err = getEnodeDR.Execute(); err != nil {
+	resp, err = getEnodeDR.Execute()
+	if err != nil {
 		t.Fatalf(err.Error())
 	}
 	defer resp.Body.Close()
 
-	if body, err = ioutil.ReadAll(resp.Body); err != nil {
+	body, err = ioutil.ReadAll(resp.Body)
+	if err != nil {
 		t.Fatalf(err.Error())
 	}
 	t.Logf("Get enode group response:\n" + string(body))
@@ -169,10 +207,6 @@ func TestSeparateEDnode(t *testing.T) {
 }
 
 func TestIncorrectBootsrapHostname(t *testing.T) {
-	var resp *http.Response
-	var body []byte
-	var err error
-
 	username := "admin"
 	password := "admin"
 	imageRepo, repoPres := os.LookupEnv("dockerRepository")
@@ -184,7 +218,7 @@ func TestIncorrectBootsrapHostname(t *testing.T) {
 	dnodePodName := dnodeReleaseName + "-marklogic-0"
 
 	// Incorrect boostrap hostname for negative test
-	bootstrapHost := "Incorrect Host Name"
+	incorrectBootstrapHost := "Incorrect Host Name"
 
 	// Path to the helm chart we will test
 	helmChartPath, e := filepath.Abs("../../charts")
@@ -240,19 +274,19 @@ func TestIncorrectBootsrapHostname(t *testing.T) {
 	t.Logf(`Endpoint: %s`, hostsEndpoint)
 
 	getHostsRequest := digestAuth.NewRequest(username, password, "GET", hostsEndpoint, "")
-
-	if resp, err = getHostsRequest.Execute(); err != nil {
+	resp, err := getHostsRequest.Execute()
+	if err != nil {
 		t.Fatalf(err.Error())
 	}
 
 	defer resp.Body.Close()
 
-	if body, err = ioutil.ReadAll(resp.Body); err != nil {
+	body, err := ioutil.ReadAll(resp.Body)
+	if err != nil {
 		t.Fatalf(err.Error())
 	}
 
-	t.Logf("Response:\n" + string(body))
-	t.Logf(`BootstrapHost: = %s`, bootstrapHost)
+	t.Logf(`BootstrapHost: = %s`, incorrectBootstrapHost)
 
 	// Helm options for enode creation
 	enodeOptions := &helm.Options{
@@ -265,7 +299,7 @@ func TestIncorrectBootsrapHostname(t *testing.T) {
 			"auth.adminUsername":    username,
 			"auth.adminPassword":    password,
 			"group.name":            "enode",
-			"bootstrapHostName":     bootstrapHost,
+			"bootstrapHostName":     incorrectBootstrapHost,
 			"logCollection.enabled": "false",
 		},
 	}
@@ -276,32 +310,34 @@ func TestIncorrectBootsrapHostname(t *testing.T) {
 	// Give pod time to fail before checking if it did
 	time.Sleep(20 * time.Second)
 
+	totalHostsJSON := gjson.Get(string(body), "host-default-list.list-items.list-count.value")
+
+	// Total hosts be one as second host should have failed to create
+	if totalHostsJSON.Num != 1 {
+		t.Errorf("Wrong number of hosts: %v instead of 1", totalHostsJSON.Num)
+	}
+
 	// Verify clustering failed given incorrect hostname
 	clusterStatusEndpoint := fmt.Sprintf("http://%s/manage/v2?view=status", tunnel.Endpoint())
 	clusterStatus := digestAuth.NewRequest(username, password, "GET", clusterStatusEndpoint, "")
 	t.Logf(`clusterStatusEndpoint: %s`, clusterStatusEndpoint)
-	if resp, err = clusterStatus.Execute(); err != nil {
+	resp, err = clusterStatus.Execute()
+	if err != nil {
 		t.Fatalf(err.Error())
 	}
-	totalHostsJSON := gjson.Get(string(body), "host-default-list.list-items.list-count.value")
-	// Total hosts be one as second host should have failed to create
-	if totalHostsJSON.Num != 1 {
-		t.Errorf("Wrong number of hosts: %v instead of 1", totalHostsJSON.Num)
+	_, err = ioutil.ReadAll(resp.Body)
+	if err != nil {
+		t.Fatalf(err.Error())
 	}
-	t.Logf("\nCluster Status Response:\n\n" + string(body))
 
 	// Verify enode group creation failed given incorrect hostname
 	enodeGroupStatusEndpoint := fmt.Sprintf("http://%s/manage/v2/groups/enode", tunnel.Endpoint())
 	groupStatus := digestAuth.NewRequest(username, password, "GET", enodeGroupStatusEndpoint, "")
 	t.Logf(`enodeGroupStatusEndpoint: %s`, enodeGroupStatusEndpoint)
-	if resp, err = groupStatus.Execute(); err != nil {
+	resp, err = groupStatus.Execute()
+	if err != nil {
 		t.Fatalf(err.Error())
 	}
-	if body, err = ioutil.ReadAll(resp.Body); err != nil {
-		t.Fatalf(err.Error())
-	}
-	if !strings.Contains(string(body), "404") {
-		t.Errorf("Enode group should not exist")
-	}
-	t.Logf("Enode group status response:\n" + string(body))
+	// the request for enode should be 404
+	assert.Equal(t, 404, resp.StatusCode)
 }
