enable tls

Author: maltesander

rust/operator-binary/src/command.rs

@@ -1,16 +1,20 @@
 use stackable_operator::crd::s3;
 
-use crate::crd::{
-    DB_PASSWORD_ENV, DB_PASSWORD_PLACEHOLDER, DB_USERNAME_ENV, DB_USERNAME_PLACEHOLDER,
-    HIVE_METASTORE_LOG4J2_PROPERTIES, HIVE_SITE_XML, STACKABLE_CONFIG_DIR,
-    STACKABLE_CONFIG_MOUNT_DIR, STACKABLE_LOG_CONFIG_MOUNT_DIR, STACKABLE_TRUST_STORE,
-    STACKABLE_TRUST_STORE_PASSWORD, v1alpha1,
+use crate::{
+    config::opa::HiveOpaConfig,
+    crd::{
+        DB_PASSWORD_ENV, DB_PASSWORD_PLACEHOLDER, DB_USERNAME_ENV, DB_USERNAME_PLACEHOLDER,
+        HIVE_METASTORE_LOG4J2_PROPERTIES, HIVE_SITE_XML, STACKABLE_CONFIG_DIR,
+        STACKABLE_CONFIG_MOUNT_DIR, STACKABLE_LOG_CONFIG_MOUNT_DIR, STACKABLE_TRUST_STORE,
+        STACKABLE_TRUST_STORE_PASSWORD, v1alpha1,
+    },
 };
 
 pub fn build_container_command_args(
     hive: &v1alpha1::HiveCluster,
     start_command: String,
     s3_connection_spec: Option<&s3::v1alpha1::ConnectionSpec>,
+    hive_opa_config: Option<&HiveOpaConfig>,
 ) -> Vec<String> {
     let mut args = vec![
         // copy config files to a writeable empty folder in order to set s3 access and secret keys
@@ -51,6 +55,14 @@ pub fn build_container_command_args(
         }
     }
 
+    if let Some(opa) = hive_opa_config {
+        if let Some(ca_cert_dir) = opa.tls_ca_cert_mount_path() {
+            args.push(format!(
+                "cert-tools generate-pkcs12-truststore --pkcs12 {STACKABLE_TRUST_STORE}:{STACKABLE_TRUST_STORE_PASSWORD} --pem {ca_cert_dir}/ca.crt --out {STACKABLE_TRUST_STORE} --out-password {STACKABLE_TRUST_STORE_PASSWORD}"
+            ));
+        }
+    }
+
     // db credentials
     args.extend([
         format!("echo replacing {DB_USERNAME_PLACEHOLDER} and {DB_PASSWORD_PLACEHOLDER} with secret values."),

rust/operator-binary/src/config/opa.rs

@@ -121,7 +121,7 @@ impl HiveOpaConfig {
         ])
     }
 
-    pub fn tls_mount_path(&self) -> Option<String> {
+    pub fn tls_ca_cert_mount_path(&self) -> Option<String> {
         self.tls_secret_class
             .as_ref()
             .map(|_| format!("/stackable/secrets/{OPA_TLS_VOLUME_NAME}"))

rust/operator-binary/src/controller.rs

@@ -28,7 +28,7 @@ use stackable_operator::{
             security::PodSecurityContextBuilder,
             volume::{
                 ListenerOperatorVolumeSourceBuilder, ListenerOperatorVolumeSourceBuilderError,
-                ListenerReference, VolumeBuilder,
+                ListenerReference, SecretOperatorVolumeSourceBuilder, VolumeBuilder,
             },
         },
     },
@@ -86,7 +86,7 @@ use crate::{
     command::build_container_command_args,
     config::{
         jvm::{construct_hadoop_heapsize_env, construct_non_heap_jvm_args},
-        opa::HiveOpaConfig,
+        opa::{HiveOpaConfig, OPA_TLS_VOLUME_NAME},
     },
     crd::{
         APP_NAME, CORE_SITE_XML, Container, DB_PASSWORD_ENV, DB_USERNAME_ENV, HIVE_PORT,
@@ -323,6 +323,11 @@ pub enum Error {
     InvalidOpaConfig {
         source: stackable_operator::commons::opa::Error,
     },
+
+    #[snafu(display("failed to build TLS certificate SecretClass Volume"))]
+    TlsCertSecretClassVolumeBuild {
+        source: stackable_operator::builder::pod::volume::SecretOperatorVolumeSourceBuilderError,
+    },
 }
 type Result<T, E = Error> = std::result::Result<T, E>;
 
@@ -472,6 +477,7 @@ pub async fn reconcile_hive(
             s3_connection_spec.as_ref(),
             &config,
             &rbac_sa.name_any(),
+            hive_opa_config.as_ref(),
         )?;
 
         cluster_resources
@@ -742,6 +748,7 @@ fn build_metastore_rolegroup_statefulset(
     s3_connection: Option<&s3::v1alpha1::ConnectionSpec>,
     merged_config: &MetaStoreConfig,
     sa_name: &str,
+    hive_opa_config: Option<&HiveOpaConfig>,
 ) -> Result<StatefulSet> {
     let role = hive.role(hive_role).context(InternalOperatorFailureSnafu)?;
     let rolegroup = hive
@@ -815,6 +822,32 @@ fn build_metastore_rolegroup_statefulset(
         }
     }
 
+    // Add OPA TLS certs if configured
+    if let Some((tls_secret_class, tls_mount_path)) =
+        hive_opa_config.as_ref().and_then(|opa_config| {
+            opa_config
+                .tls_secret_class
+                .as_ref()
+                .zip(opa_config.tls_ca_cert_mount_path())
+        })
+    {
+        container_builder
+            .add_volume_mount(OPA_TLS_VOLUME_NAME, &tls_mount_path)
+            .context(AddVolumeMountSnafu)?;
+
+        let opa_tls_volume = VolumeBuilder::new(OPA_TLS_VOLUME_NAME)
+            .ephemeral(
+                SecretOperatorVolumeSourceBuilder::new(tls_secret_class)
+                    .build()
+                    .context(TlsCertSecretClassVolumeBuildSnafu)?,
+            )
+            .build();
+
+        pod_builder
+            .add_volume(opa_tls_volume)
+            .context(AddVolumeSnafu)?;
+    }
+
     let db_type = hive.db_type();
     let start_command = if resolved_product_image.product_version.starts_with("3.") {
         // The schematool version in 3.1.x does *not* support the `-initOrUpgradeSchema` flag yet, so we can not use that.
@@ -866,6 +899,7 @@ fn build_metastore_rolegroup_statefulset(
                     create_vector_shutdown_file_command(STACKABLE_LOG_DIR),
             },
             s3_connection,
+            hive_opa_config,
         ))
         .add_volume_mount(STACKABLE_CONFIG_DIR_NAME, STACKABLE_CONFIG_DIR)
         .context(AddVolumeMountSnafu)?

tests/templates/kuttl/logging/test_log_aggregation.py

@@ -23,9 +23,9 @@ def check_sent_events():
         },
     )
 
-    assert (
-        response.status_code == 200
-    ), "Cannot access the API of the vector aggregator."
+    assert response.status_code == 200, (
+        "Cannot access the API of the vector aggregator."
+    )
 
     result = response.json()
 
@@ -35,13 +35,13 @@ def check_sent_events():
         componentId = transform["componentId"]
 
         if componentId == "filteredInvalidEvents":
-            assert (
-                sentEvents is None or sentEvents["sentEventsTotal"] == 0
-            ), "Invalid log events were sent."
+            assert sentEvents is None or sentEvents["sentEventsTotal"] == 0, (
+                "Invalid log events were sent."
+            )
         else:
-            assert (
-                sentEvents is not None and sentEvents["sentEventsTotal"] > 0
-            ), f'No events were sent in "{componentId}".'
+            assert sentEvents is not None and sentEvents["sentEventsTotal"] > 0, (
+                f'No events were sent in "{componentId}".'
+            )
 
 
 if __name__ == "__main__":

tests/templates/kuttl/smoke/50-assert.yaml

@@ -1,9 +1,9 @@
 ---
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 600
+timeout: 300
 commands:
-  - script: kubectl -n $NAMESPACE rollout status daemonset opa-server-default --timeout 600s
+  - script: kubectl -n $NAMESPACE rollout status daemonset opa-server-default --timeout 300s
 ---
 apiVersion: v1
 kind: ConfigMap

tests/templates/kuttl/smoke/50-install-opa.yaml.j2

@@ -1,36 +1,58 @@
 ---
-apiVersion: opa.stackable.tech/v1alpha1
-kind: OpaCluster
-metadata:
-  name: opa
-spec:
-  image:
+apiVersion: kuttl.dev/v1beta1
+kind: TestStep
+commands:
+  - script: |
+      kubectl apply -n $NAMESPACE -f - <<EOF
+      ---
+      apiVersion: opa.stackable.tech/v1alpha1
+      kind: OpaCluster
+      metadata:
+        name: opa
+      spec:
+        image:
 {% if test_scenario['values']['opa-latest'].find(",") > 0 %}
-    custom: "{{ test_scenario['values']['opa-latest'].split(',')[1] }}"
-    productVersion: "{{ test_scenario['values']['opa-latest'].split(',')[0] }}"
+          custom: "{{ test_scenario['values']['opa-latest'].split(',')[1] }}"
+          productVersion: "{{ test_scenario['values']['opa-latest'].split(',')[0] }}"
 {% else %}
-    productVersion: "{{ test_scenario['values']['opa-latest'] }}"
+          productVersion: "{{ test_scenario['values']['opa-latest'] }}"
 {% endif %}
-    pullPolicy: IfNotPresent
-  clusterConfig:
+          pullPolicy: IfNotPresent
+        clusterConfig:
+          tls:
+            serverSecretClass: opa-tls-$NAMESPACE
 {% if lookup('env', 'VECTOR_AGGREGATOR') %}
-    vectorAggregatorConfigMapName: vector-aggregator-discovery
+          vectorAggregatorConfigMapName: vector-aggregator-discovery
 {% endif %}
-  servers:
-    config:
-      logging:
-        enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
-        containers:
-          opa:
-            console:
-              level: INFO
-            file:
-              level: INFO
-            loggers:
-              decision:
-                level: INFO
-    roleGroups:
-      default: {}
+        servers:
+          config:
+            logging:
+              enableVectorAgent: {{ lookup('env', 'VECTOR_AGGREGATOR') | length > 0 }}
+              containers:
+                opa:
+                  console:
+                    level: INFO
+                  file:
+                    level: INFO
+                  loggers:
+                    decision:
+                      level: INFO
+          roleGroups:
+            default: {}
+      ---
+      apiVersion: secrets.stackable.tech/v1alpha1
+      kind: SecretClass
+      metadata:
+        name: opa-tls-$NAMESPACE
+      spec:
+        backend:
+          autoTls:
+            ca:
+              autoGenerate: true
+              secret:
+                name: opa-tls-ca-$NAMESPACE
+                namespace: $NAMESPACE
+
 ---
 apiVersion: v1
 kind: ConfigMap

tests/templates/kuttl/smoke/test_metastore_opa.py

@@ -36,7 +36,9 @@ def table(db_name, table_name, location):
 
 
 if __name__ == "__main__":
-    all_args = argparse.ArgumentParser(description="Test hive-metastore-opa-authorizer and rego rules.")
+    all_args = argparse.ArgumentParser(
+        description="Test hive-metastore-opa-authorizer and rego rules."
+    )
     all_args.add_argument("-p", "--port", help="Metastore server port", default="9083")
     all_args.add_argument(
         "-d", "--database", help="Test DB name", default="db_not_allowed"
@@ -53,15 +55,21 @@ def table(db_name, table_name, location):
     # Creating database object using builder
     database = DatabaseBuilder(database_name).build()
 
-    print(f"[INFO] Trying to access '{database_name}' which is expected to fail due to 'database_allow' authorization policy...!")
+    print(
+        f"[INFO] Trying to access '{database_name}' which is expected to fail due to 'database_allow' authorization policy...!"
+    )
 
     with HiveMetastoreClient(host, port) as hive_client:
         try:
             hive_client.create_database_if_not_exists(database)
         except Exception as e:
             print(f"[DENIED] {e}")
-            print(f"[SUCCESS] Test hive-metastore-opa-authorizer succeeded. Could not access database '{database_name}'!")
+            print(
+                f"[SUCCESS] Test hive-metastore-opa-authorizer succeeded. Could not access database '{database_name}'!"
+            )
             exit(0)
 
-        print(f"[ERROR] Test hive-metastore-opa-authorizer failed. Could access database '{database_name}'!")
+        print(
+            f"[ERROR] Test hive-metastore-opa-authorizer failed. Could access database '{database_name}'!"
+        )
         exit(-1)