[Feature] [ML] Add TLS Secrets

arangodb · Apr 30, 2024 · a4665ea · a4665ea
1 parent 3a511c3
commit a4665ea
Show file tree

Hide file tree

Showing 12 changed files with 247 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,7 @@
 - (Bugfix) Ensure PDB is created
 - (Bugfix) Fix Schema Apply Checksum
 - (Bugfix) Use MD5 instead of SHA256 for CRD Checksums
+- (Feature) (ML) Add TLS Secrets
 
 ## [1.2.40](https://github.com/arangodb/kube-arangodb/tree/1.2.40) (2024-04-10)
 - (Feature) Add Core fields to the Scheduler Container Spec

diff --git a/docs/api/ArangoMLExtension.V1Alpha1.md b/docs/api/ArangoMLExtension.V1Alpha1.md
@@ -567,6 +567,22 @@ Default Value: `false`
 
 ***
 
+### .spec.deployment.tls.altNames
+
+Type: `array` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.40/pkg/apis/ml/v1alpha1/extension_spec_deployment_tls.go#L28)</sup>
+
+AltNames define TLS AltNames used when TLS on the ArangoDB is enabled
+
+***
+
+### .spec.deployment.tls.enabled
+
+Type: `boolean` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.40/pkg/apis/ml/v1alpha1/extension_spec_deployment_tls.go#L25)</sup>
+
+Enabled define if TLS Should be enabled. If is not set then default is taken from ArangoDeployment settings
+
+***
+
 ### .spec.deployment.tolerations
 
 Type: `[]core.Toleration` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.40/pkg/apis/scheduler/v1alpha1/pod/resources/scheduling.go#L49)</sup>
@@ -3317,6 +3333,38 @@ UID keeps the information about object UID
 
 ***
 
+### .status.arangoDB.tls.checksum
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.40/pkg/apis/shared/v1/object.go#L61)</sup>
+
+UID keeps the information about object Checksum
+
+***
+
+### .status.arangoDB.tls.name
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.40/pkg/apis/shared/v1/object.go#L52)</sup>
+
+Name of the object
+
+***
+
+### .status.arangoDB.tls.namespace
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.40/pkg/apis/shared/v1/object.go#L55)</sup>
+
+Namespace of the object. Should default to the namespace of the parent object
+
+***
+
+### .status.arangoDB.tls.uid
+
+Type: `string` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.40/pkg/apis/shared/v1/object.go#L58)</sup>
+
+UID keeps the information about object UID
+
+***
+
 ### .status.conditions
 
 Type: `api.Conditions` <sup>[\[ref\]](https://github.com/arangodb/kube-arangodb/blob/1.2.40/pkg/apis/ml/v1alpha1/extension_status.go#L31)</sup>

diff --git a/pkg/apis/ml/v1alpha1/extension_spec_deployment.go b/pkg/apis/ml/v1alpha1/extension_spec_deployment.go
@@ -58,6 +58,9 @@ type ArangoMLExtensionSpecDeployment struct {
 	// Service defines how components will be exposed
 	Service *ArangoMLExtensionSpecDeploymentService `json:"service,omitempty"`
 
+	// TLS defined TLS Settings for extension
+	TLS *ArangoMLExtensionSpecDeploymentTLS `json:"tls,omitempty"`
+
 	// Pod defines base template for pods
 	*schedulerPodApi.Pod
 
@@ -136,6 +139,13 @@ func (s *ArangoMLExtensionSpecDeployment) GetService() *ArangoMLExtensionSpecDep
 	return s.Service
 }
 
+func (s *ArangoMLExtensionSpecDeployment) GetTLS() *ArangoMLExtensionSpecDeploymentTLS {
+	if s == nil {
+		return nil
+	}
+	return s.TLS
+}
+
 func (s *ArangoMLExtensionSpecDeployment) Validate() error {
 	if s == nil {
 		return nil

diff --git a/pkg/apis/ml/v1alpha1/extension_spec_deployment_tls.go b/pkg/apis/ml/v1alpha1/extension_spec_deployment_tls.go
@@ -0,0 +1,29 @@
+//
+// DISCLAIMER
+//
+// Copyright 2024 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package v1alpha1
+
+type ArangoMLExtensionSpecDeploymentTLS struct {
+	// Enabled define if TLS Should be enabled. If is not set then default is taken from ArangoDeployment settings
+	Enabled *bool `json:"enabled,omitempty"`
+
+	// AltNames define TLS AltNames used when TLS on the ArangoDB is enabled
+	AltNames []string `json:"altNames,omitempty"`
+}
diff --git a/pkg/apis/ml/v1alpha1/extension_status_arangodb_ref.go b/pkg/apis/ml/v1alpha1/extension_status_arangodb_ref.go
@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2023 ArangoDB GmbH, Cologne, Germany
+// Copyright 2023-2024 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -25,6 +25,8 @@ import sharedApi "github.com/arangodb/kube-arangodb/pkg/apis/shared/v1"
 type ArangoMLExtensionStatusArangoDBRef struct {
 	// Secret keeps the information about ArangoDB deployment
 	Secret *sharedApi.Object `json:"secret,omitempty"`
+	// TLS keeps information about TLS Secret rendered from ArangoDB deployment
+	TLS *sharedApi.Object `json:"tls,omitempty"`
 	// JWTTokenSecret keeps the JWT for ArangoDB authentication (only when ArangoDeployment has JWT enabled)
 	JWTTokenSecret *sharedApi.Object `json:"jwtTokenSecret,omitempty"`
 }
diff --git a/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go b/pkg/apis/ml/v1alpha1/zz_generated.deepcopy.go
diff --git a/pkg/apis/shared/v1/object.go b/pkg/apis/shared/v1/object.go
@@ -94,6 +94,20 @@ func (o *Object) GetUID() types.UID {
 	return ""
 }
 
+func (o *Object) AsUIDPrecondition() *meta.Preconditions {
+	if o == nil || o.UID == nil {
+		return nil
+	}
+
+	uid := o.GetUID()
+
+	if uid == "" {
+		return nil
+	}
+
+	return meta.NewUIDPreconditions(string(uid))
+}
+
 func (o *Object) GetChecksum() string {
 	if o != nil {
 		if n := o.Checksum; n != nil {

diff --git a/pkg/crd/crds/ml-extension.schema.generated.yaml b/pkg/crd/crds/ml-extension.schema.generated.yaml
@@ -1441,6 +1441,18 @@ v1alpha1:
                 type: string
               shareProcessNamespace:
                 type: boolean
+              tls:
+                description: TLS defined TLS Settings for extension
+                properties:
+                  altNames:
+                    description: AltNames define TLS AltNames used when TLS on the ArangoDB is enabled
+                    items:
+                      type: string
+                    type: array
+                  enabled:
+                    description: Enabled define if TLS Should be enabled. If is not set then default is taken from ArangoDeployment settings
+                    type: boolean
+                type: object
               tolerations:
                 items:
                   properties:

diff --git a/pkg/deployment/resources/certificates_tls.go b/pkg/deployment/resources/certificates_tls.go
@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2024 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -113,7 +113,8 @@ func createTLSServerCertificate(ctx context.Context, log logging.Logger, cachedS
 		strings.TrimSpace(priv)
 
 	err = globals.GetGlobalTimeouts().Kubernetes().RunWithTimeout(ctx, func(ctxChild context.Context) error {
-		return k8sutil.CreateTLSKeyfileSecret(ctxChild, secrets, secretName, keyfile, ownerRef)
+		_, err := k8sutil.CreateTLSKeyfileSecret(ctxChild, secrets, secretName, keyfile, ownerRef)
+		return err
 	})
 	if err != nil {
 		if kerrors.IsAlreadyExists(err) {

diff --git a/pkg/util/context.go b/pkg/util/context.go
@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2023 ArangoDB GmbH, Cologne, Germany
+// Copyright 2023-2024 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -64,6 +64,39 @@ func WithContextTimeoutP2A2[P1, P2, A1, A2 interface{}](ctx context.Context, tim
 	return f(nCtx, a1, a2)
 }
 
+func WithKubernetesContextTimeoutP1A4[P1, A1, A2, A3, A4 interface{}](ctx context.Context, f func(context.Context, A1, A2, A3, A4) P1, a1 A1, a2 A2, a3 A3, a4 A4) P1 {
+	return WithContextTimeoutP1A4(ctx, globals.GetGlobals().Timeouts().Kubernetes().Get(), f, a1, a2, a3, a4)
+}
+
+func WithContextTimeoutP1A4[P1, A1, A2, A3, A4 interface{}](ctx context.Context, timeout time.Duration, f func(context.Context, A1, A2, A3, A4) P1, a1 A1, a2 A2, a3 A3, a4 A4) P1 {
+	nCtx, c := context.WithTimeout(ctx, timeout)
+	defer c()
+
+	return f(nCtx, a1, a2, a3, a4)
+}
+
+func WithKubernetesContextTimeoutP2A4[P1, P2, A1, A2, A3, A4 interface{}](ctx context.Context, f func(context.Context, A1, A2, A3, A4) (P1, P2), a1 A1, a2 A2, a3 A3, a4 A4) (P1, P2) {
+	return WithContextTimeoutP2A4(ctx, globals.GetGlobals().Timeouts().Kubernetes().Get(), f, a1, a2, a3, a4)
+}
+
+func WithContextTimeoutP2A4[P1, P2, A1, A2, A3, A4 interface{}](ctx context.Context, timeout time.Duration, f func(context.Context, A1, A2, A3, A4) (P1, P2), a1 A1, a2 A2, a3 A3, a4 A4) (P1, P2) {
+	nCtx, c := context.WithTimeout(ctx, timeout)
+	defer c()
+
+	return f(nCtx, a1, a2, a3, a4)
+}
+
+func WithKubernetesContextTimeoutP4A3[P1, P2, P3, P4, A1, A2, A3 interface{}](ctx context.Context, f func(context.Context, A1, A2, A3) (P1, P2, P3, P4), a1 A1, a2 A2, a3 A3) (P1, P2, P3, P4) {
+	return WithContextTimeoutP4A3(ctx, globals.GetGlobals().Timeouts().Kubernetes().Get(), f, a1, a2, a3)
+}
+
+func WithContextTimeoutP4A3[P1, P2, P3, P4, A1, A2, A3 interface{}](ctx context.Context, timeout time.Duration, f func(context.Context, A1, A2, A3) (P1, P2, P3, P4), a1 A1, a2 A2, a3 A3) (P1, P2, P3, P4) {
+	nCtx, c := context.WithTimeout(ctx, timeout)
+	defer c()
+
+	return f(nCtx, a1, a2, a3)
+}
+
 type PatchInterface[P1 meta.Object] interface {
 	Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts meta.PatchOptions, subresources ...string) (P1, error)
 }

diff --git a/pkg/util/k8sutil/kerrors/errors.go b/pkg/util/k8sutil/kerrors/errors.go
@@ -1,7 +1,7 @@
 //
 // DISCLAIMER
 //
-// Copyright 2016-2022 ArangoDB GmbH, Cologne, Germany
+// Copyright 2016-2024 ArangoDB GmbH, Cologne, Germany
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
@@ -26,6 +26,47 @@ import (
 	"github.com/arangodb/kube-arangodb/pkg/util/errors"
 )
 
+func Is(err error, codes ...KErrors) bool {
+	if err == nil {
+		return false
+	}
+
+	for _, code := range codes {
+		if code.Is(err) {
+			return true
+		}
+	}
+
+	return false
+}
+
+type KErrors int
+
+const (
+	AlreadyExists KErrors = iota
+	Conflict
+	Invalid
+	NotFound
+	Forbidden
+)
+
+func (k KErrors) Is(err error) bool {
+	switch k {
+	case AlreadyExists:
+		return IsAlreadyExists(err)
+	case Conflict:
+		return IsConflict(err)
+	case Invalid:
+		return IsInvalid(err)
+	case NotFound:
+		return IsNotFound(err)
+	case Forbidden:
+		return IsForbidden(err)
+	default:
+		return false
+	}
+}
+
 func isError(err error, precondition func(err error) bool) bool {
 	if err == nil {
 		return false
@@ -62,6 +103,16 @@ func isConflictC(err error) bool {
 	return apierrors.IsConflict(err)
 }
 
+// IsForbidden returns true if the given error is or is caused by a
+// kubernetes ForbiddenError,
+func IsForbidden(err error) bool {
+	return isError(err, isConflictC)
+}
+
+func IsForbiddenC(err error) bool {
+	return apierrors.IsForbidden(err)
+}
+
 // IsNotFound returns true if the given error is or is caused by a
 // kubernetes NotFoundError,
 func IsNotFound(err error) bool {