feat: tls support

Author: dervoeti

deploy/helm/opa-operator/crds/crds.yaml

@@ -27,6 +27,7 @@ spec:
                 clusterConfig:
                   default:
                     listenerClass: cluster-internal
+                    tls: null
                     userInfo: null
                   description: Global OPA cluster configuration that applies to all roles and role groups.
                   properties:
@@ -47,6 +48,16 @@ spec:
                         - external-unstable
                         - external-stable
                       type: string
+                    tls:
+                      description: TLS encryption settings for the OPA server. When configured, OPA will use HTTPS (port 8443) instead of HTTP (port 8081). Clients must connect using HTTPS and trust the certificates provided by the configured SecretClass.
+                      nullable: true
+                      properties:
+                        serverSecretClass:
+                          description: Name of the SecretClass which will provide TLS certificates for the OPA server.
+                          type: string
+                      required:
+                        - serverSecretClass
+                      type: object
                     userInfo:
                       description: Configures how to fetch additional metadata about users (such as group memberships) from an external directory service.
                       nullable: true

docs/modules/opa/pages/usage-guide/tls.adoc

@@ -0,0 +1,71 @@
+= Enabling TLS Encryption
+:description: Learn how to enable TLS encryption for your OPA cluster to secure client connections.
+
+TLS encryption for securing connections between clients and the OPA server can be configured in the `OpaCluster` resource. When TLS is enabled, OPA will serve requests over HTTPS instead of HTTP.
+
+== Overview
+
+TLS encryption in OPA is disabled by default. To enable it, you need to:
+
+1. Create a `SecretClass` that provides TLS certificates
+2. Reference the `SecretClass` in your `OpaCluster` specification
+
+The operator integrates with the xref:secret-operator:index.adoc[Secret Operator] to automatically provision and mount TLS certificates to the OPA pods.
+
+== Configuration
+
+=== Creating a SecretClass
+
+First, create a `SecretClass` that will provide TLS certificates. Here's an example using xref:secret-operator:secretclass.adoc#backend-autotls[autoTls]:
+
+[source,yaml]
+----
+apiVersion: secrets.stackable.tech/v1alpha1
+kind: SecretClass
+metadata:
+  name: opa-tls
+spec:
+  backend:
+    autoTls:
+      ca:
+        autoGenerate: true
+        secret:
+          name: opa-tls-ca
+          namespace: default
+----
+
+This SecretClass uses the autoTls backend, which automatically generates a Certificate Authority (CA) and signs certificates for your OPA cluster.
+
+Similarly, you can also use xref:secret-operator:secretclass.adoc#backend[other backends] supported by Secret Operator.
+
+=== Enabling TLS in OpaCluster
+
+Once you have a SecretClass, enable TLS in your OpaCluster by setting the `.spec.clusterConfig.tls.serverSecretClass` field:
+
+[source,yaml]
+----
+kind: OpaCluster
+name: opa-with-tls
+spec:
+  clusterConfig:
+    tls:
+      serverSecretClass: opa-tls  # <1>
+----
+<1> Reference the SecretClass created above
+
+== Discovery ConfigMap
+
+The operator automatically creates a discovery ConfigMap, with the same name as the OPA cluster, that contains the connection URL for your cluster. When TLS is enabled, this ConfigMap will contain an HTTPS URL and the SecretClass name:
+
+[source,yaml]
+----
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: opa-with-tls
+data:
+  OPA: "https://opa-with-tls.default.svc.cluster.local:8443/"
+  OPA_SECRET_CLASS: "opa-tls"
+----
+
+Applications can use this ConfigMap to discover and connect to the OPA cluster automatically.

docs/modules/opa/partials/nav.adoc

@@ -9,6 +9,7 @@
 ** xref:opa:usage-guide/logging.adoc[]
 ** xref:opa:usage-guide/monitoring.adoc[]
 ** xref:opa:usage-guide/configuration-environment-overrides.adoc[]
+** xref:opa:usage-guide/tls.adoc[]
 ** xref:opa:usage-guide/operations/index.adoc[]
 *** xref:opa:usage-guide/operations/cluster-operations.adoc[]
 // *** xref:hdfs:usage-guide/operations/pod-placement.adoc[] Missing

rust/operator-binary/src/controller.rs

@@ -23,7 +23,7 @@ use stackable_operator::{
             container::{ContainerBuilder, FieldPathEnvVar},
             resources::ResourceRequirementsBuilder,
             security::PodSecurityContextBuilder,
-            volume::VolumeBuilder,
+            volume::{SecretOperatorVolumeSourceBuilder, VolumeBuilder},
         },
     },
     cluster_resources::{ClusterResourceApplyStrategy, ClusterResources},
@@ -84,7 +84,9 @@ pub const OPA_FULL_CONTROLLER_NAME: &str = concatcp!(OPA_CONTROLLER_NAME, '.', O
 
 pub const CONFIG_FILE: &str = "config.json";
 pub const APP_PORT: u16 = 8081;
+pub const APP_TLS_PORT: u16 = 8443;
 pub const APP_PORT_NAME: &str = "http";
+pub const APP_TLS_PORT_NAME: &str = "https";
 pub const METRICS_PORT_NAME: &str = "metrics";
 pub const BUNDLES_ACTIVE_DIR: &str = "/bundles/active";
 pub const BUNDLES_INCOMING_DIR: &str = "/bundles/incoming";
@@ -101,6 +103,8 @@ const USER_INFO_FETCHER_CREDENTIALS_VOLUME_NAME: &str = "credentials";
 const USER_INFO_FETCHER_CREDENTIALS_DIR: &str = "/stackable/credentials";
 const USER_INFO_FETCHER_KERBEROS_VOLUME_NAME: &str = "kerberos";
 const USER_INFO_FETCHER_KERBEROS_DIR: &str = "/stackable/kerberos";
+const TLS_VOLUME_NAME: &str = "tls";
+const TLS_STORE_DIR: &str = "/stackable/tls";
 
 const DOCKER_IMAGE_BASE_NAME: &str = "opa";
 
@@ -314,6 +318,11 @@ pub enum Error {
     AddVolumeMount {
         source: builder::pod::container::Error,
     },
+
+    #[snafu(display("failed to build TLS volume"))]
+    TlsVolumeBuild {
+        source: builder::pod::volume::SecretOperatorVolumeSourceBuilderError,
+    },
 }
 type Result<T, E = Error> = std::result::Result<T, E>;
 
@@ -600,11 +609,17 @@ pub fn build_server_role_service(
     let service_selector_labels =
         Labels::role_selector(opa, APP_NAME, &role_name).context(BuildLabelSnafu)?;
 
+    let (port_name, port) = if opa.spec.cluster_config.tls.is_some() {
+        (APP_TLS_PORT_NAME, APP_TLS_PORT)
+    } else {
+        (APP_PORT_NAME, APP_PORT)
+    };
+
     let service_spec = ServiceSpec {
         type_: Some(opa.spec.cluster_config.listener_class.k8s_service_type()),
         ports: Some(vec![ServicePort {
-            name: Some(APP_PORT_NAME.to_string()),
-            port: APP_PORT.into(),
+            name: Some(port_name.to_string()),
+            port: port.into(),
             protocol: Some("TCP".to_string()),
             ..ServicePort::default()
         }]),
@@ -654,7 +669,7 @@ fn build_rolegroup_service(
         // Internal communication does not need to be exposed
         type_: Some("ClusterIP".to_string()),
         cluster_ip: Some("None".to_string()),
-        ports: Some(service_ports()),
+        ports: Some(service_ports(opa.spec.cluster_config.tls.is_some())),
         selector: Some(service_selector_labels.into()),
         publish_not_ready_addresses: Some(true),
         ..ServiceSpec::default()
@@ -839,6 +854,8 @@ fn build_server_rolegroup_daemonset(
             ..Probe::default()
         });
 
+    let opa_tls_config = opa.spec.cluster_config.tls.as_ref();
+
     cb_opa
         .image_from_product_image(resolved_product_image)
         .command(vec![
@@ -851,24 +868,45 @@ fn build_server_rolegroup_daemonset(
         .args(vec![build_opa_start_command(
             merged_config,
             &opa_container_name,
+            opa_tls_config,
         )])
         .add_env_vars(env)
         .add_env_var(
             "CONTAINERDEBUG_LOG_DIRECTORY",
             format!("{STACKABLE_LOG_DIR}/containerdebug"),
-        )
-        .add_container_port(APP_PORT_NAME, APP_PORT.into())
+        );
+
+    // Add appropriate container port based on TLS configuration
+    if opa_tls_config.is_some() {
+        cb_opa.add_container_port(APP_TLS_PORT_NAME, APP_TLS_PORT.into());
+        cb_opa
+            .add_volume_mount(TLS_VOLUME_NAME, TLS_STORE_DIR)
+            .context(AddVolumeMountSnafu)?;
+    } else {
+        cb_opa.add_container_port(APP_PORT_NAME, APP_PORT.into());
+    }
+
+    cb_opa
         .add_volume_mount(CONFIG_VOLUME_NAME, CONFIG_DIR)
         .context(AddVolumeMountSnafu)?
         .add_volume_mount(LOG_VOLUME_NAME, STACKABLE_LOG_DIR)
         .context(AddVolumeMountSnafu)?
-        .resources(merged_config.resources.to_owned().into())
+        .resources(merged_config.resources.to_owned().into());
+
+    let (probe_port_name, probe_scheme) = if opa_tls_config.is_some() {
+        (APP_TLS_PORT_NAME, Some("HTTPS".to_string()))
+    } else {
+        (APP_PORT_NAME, Some("HTTP".to_string()))
+    };
+
+    cb_opa
         .readiness_probe(Probe {
             initial_delay_seconds: Some(5),
             period_seconds: Some(10),
             failure_threshold: Some(5),
             http_get: Some(HTTPGetAction {
-                port: IntOrString::String(APP_PORT_NAME.to_string()),
+                port: IntOrString::String(probe_port_name.to_string()),
+                scheme: probe_scheme.clone(),
                 ..HTTPGetAction::default()
             }),
             ..Probe::default()
@@ -877,7 +915,8 @@ fn build_server_rolegroup_daemonset(
             initial_delay_seconds: Some(30),
             period_seconds: Some(10),
             http_get: Some(HTTPGetAction {
-                port: IntOrString::String(APP_PORT_NAME.to_string()),
+                port: IntOrString::String(probe_port_name.to_string()),
+                scheme: probe_scheme,
                 ..HTTPGetAction::default()
             }),
             ..Probe::default()
@@ -929,6 +968,20 @@ fn build_server_rolegroup_daemonset(
         .service_account_name(service_account.name_any())
         .security_context(PodSecurityContextBuilder::new().fs_group(1000).build());
 
+    if let Some(tls) = opa_tls_config {
+        pb.add_volume(
+            VolumeBuilder::new(TLS_VOLUME_NAME)
+                .ephemeral(
+                    SecretOperatorVolumeSourceBuilder::new(&tls.server_secret_class)
+                        .with_service_scope(opa_name)
+                        .build()
+                        .context(TlsVolumeBuildSnafu)?,
+                )
+                .build(),
+        )
+        .context(AddVolumeSnafu)?;
+    }
+
     if let Some(user_info) = &opa.spec.cluster_config.user_info {
         let mut cb_user_info_fetcher =
             ContainerBuilder::new("user-info-fetcher").context(IllegalContainerNameSnafu)?;
@@ -1150,7 +1203,11 @@ fn build_config_file(merged_config: &v1alpha1::OpaConfig) -> String {
     serde_json::to_string_pretty(&json!(config)).unwrap()
 }
 
-fn build_opa_start_command(merged_config: &v1alpha1::OpaConfig, container_name: &str) -> String {
+fn build_opa_start_command(
+    merged_config: &v1alpha1::OpaConfig,
+    container_name: &str,
+    tls_config: Option<&v1alpha1::OpaTls>,
+) -> String {
     let mut file_log_level = DEFAULT_FILE_LOG_LEVEL;
     let mut console_log_level = DEFAULT_CONSOLE_LOG_LEVEL;
     let mut server_log_level = DEFAULT_SERVER_LOG_LEVEL;
@@ -1191,6 +1248,17 @@ fn build_opa_start_command(merged_config: &v1alpha1::OpaConfig, container_name:
         }
     }
 
+    let (bind_port, tls_flags) = if tls_config.is_some() {
+        (
+            APP_TLS_PORT,
+            format!(
+                "--tls-cert-file {TLS_STORE_DIR}/tls.crt --tls-private-key-file {TLS_STORE_DIR}/tls.key"
+            ),
+        )
+    } else {
+        (APP_PORT, String::new())
+    };
+
     // Redirects matter!
     // We need to watch out, that the following "$!" call returns the PID of the main (opa-bundle-builder) process,
     // and not some utility (e.g. multilog or tee) process.
@@ -1206,7 +1274,7 @@ fn build_opa_start_command(merged_config: &v1alpha1::OpaConfig, container_name:
         {remove_vector_shutdown_file_command}
         prepare_signal_handlers
         containerdebug --output={STACKABLE_LOG_DIR}/containerdebug-state.json --loop &
-        opa run -s -a 0.0.0.0:{APP_PORT} -c {CONFIG_DIR}/{CONFIG_FILE} -l {opa_log_level} --shutdown-grace-period {shutdown_grace_period_s} --disable-telemetry {logging_redirects} &
+        opa run -s -a 0.0.0.0:{bind_port} -c {CONFIG_DIR}/{CONFIG_FILE} -l {opa_log_level} --shutdown-grace-period {shutdown_grace_period_s} --disable-telemetry {tls_flags} {logging_redirects} &
         wait_for_termination $!
         {create_vector_shutdown_file_command}
         ",
@@ -1305,19 +1373,33 @@ fn build_prepare_start_command(
     prepare_container_args
 }
 
-fn service_ports() -> Vec<ServicePort> {
+fn service_ports(tls_enabled: bool) -> Vec<ServicePort> {
+    let (port_name, port, target_port) = if tls_enabled {
+        (
+            APP_TLS_PORT_NAME,
+            APP_TLS_PORT,
+            IntOrString::String(APP_TLS_PORT_NAME.to_string()),
+        )
+    } else {
+        (
+            APP_PORT_NAME,
+            APP_PORT,
+            IntOrString::String(APP_PORT_NAME.to_string()),
+        )
+    };
+
     vec![
         ServicePort {
-            name: Some(APP_PORT_NAME.to_string()),
-            port: APP_PORT.into(),
+            name: Some(port_name.to_string()),
+            port: port.into(),
             protocol: Some("TCP".to_string()),
             ..ServicePort::default()
         },
         ServicePort {
             name: Some(METRICS_PORT_NAME.to_string()),
             port: 9504, // Arbitrary port number, this is never actually used anywhere
             protocol: Some("TCP".to_string()),
-            target_port: Some(IntOrString::String(APP_PORT_NAME.to_string())),
+            target_port: Some(target_port),
             ..ServicePort::default()
         },
     ]

rust/operator-binary/src/crd/mod.rs

@@ -111,6 +111,18 @@ pub mod versioned {
         /// from an external directory service.
         #[serde(default)]
         pub user_info: Option<user_info_fetcher::v1alpha1::Config>,
+        /// TLS encryption settings for the OPA server.
+        /// When configured, OPA will use HTTPS (port 8443) instead of HTTP (port 8081).
+        /// Clients must connect using HTTPS and trust the certificates provided by the configured SecretClass.
+        #[serde(default)]
+        pub tls: Option<v1alpha1::OpaTls>,
+    }
+
+    #[derive(Clone, Debug, Deserialize, Eq, JsonSchema, PartialEq, Serialize)]
+    #[serde(rename_all = "camelCase")]
+    pub struct OpaTls {
+        /// Name of the SecretClass which will provide TLS certificates for the OPA server.
+        pub server_secret_class: String,
     }
 
     // TODO: Temporary solution until listener-operator is finished