adding denyHTTP option to NooBaa CR

Signed-off-by: jackyalbo <jacky.albo@gmail.com>
jackyalbo · Mar 10, 2024 · 9975b2b · 9975b2b
1 parent ec7f5df
commit 9975b2b
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 4 deletions.
diff --git a/deploy/crds/noobaa.io_noobaas.yaml b/deploy/crds/noobaa.io_noobaas.yaml
@@ -1344,6 +1344,10 @@ spec:
                 required:
                 - type
                 type: object
+              denyHTTP:
+                description: DenyHTTP (optional) if given will deny access to the
+                  NooBaa S3 service using HTTP (only HTTPS)
+                type: boolean
               disableLoadBalancerService:
                 description: DisableLoadBalancerService (optional) sets the service
                   type to ClusterIP instead of LoadBalancer

diff --git a/pkg/apis/noobaa/v1alpha1/noobaa_types.go b/pkg/apis/noobaa/v1alpha1/noobaa_types.go
@@ -218,6 +218,10 @@ type NooBaaSpec struct {
 	// Configuration related to autoscaling
 	// +optional
 	Autoscaler AutoscalerSpec `json:"autoscaler,omitempty"`
+
+	// DenyHTTP (optional) if given will deny access to the NooBaa S3 service using HTTP (only HTTPS)
+	// +optional
+	DenyHTTP bool `json:"denyHTTP,omitempty"`
 }
 
 // AutoscalerSpec defines different actoscaling spec such as autoscaler type and prometheus namespace
@@ -408,8 +412,8 @@ type AccountsStatus struct {
 
 // ServicesStatus is the status info of the system's services
 type ServicesStatus struct {
-	ServiceMgmt   ServiceStatus `json:"serviceMgmt"`
-	ServiceS3     ServiceStatus `json:"serviceS3"`
+	ServiceMgmt ServiceStatus `json:"serviceMgmt"`
+	ServiceS3   ServiceStatus `json:"serviceS3"`
 	// +optional
 	ServiceSts    ServiceStatus `json:"serviceSts,omitempty"`
 	ServiceSyslog ServiceStatus `json:"serviceSyslog,omitempty"`

diff --git a/pkg/bundle/deploy.go b/pkg/bundle/deploy.go
@@ -1471,7 +1471,7 @@ spec:
       status: {}
 `
 
-const Sha256_deploy_crds_noobaa_io_noobaas_yaml = "343bbc46804fc8442eb4473f8ee3dcd0cd3d05b95ce670f9aad035770e2ba9d3"
+const Sha256_deploy_crds_noobaa_io_noobaas_yaml = "4200a7b49710d910c6bb6ac21b2d1675997001e6a0e2305c2a7a76913856d3b8"
 
 const File_deploy_crds_noobaa_io_noobaas_yaml = `---
 apiVersion: apiextensions.k8s.io/v1
@@ -2819,6 +2819,10 @@ spec:
                 required:
                 - type
                 type: object
+              denyHTTP:
+                description: DenyHTTP (optional) if given will deny access to the
+                  NooBaa S3 service using HTTP (only HTTPS)
+                type: boolean
               disableLoadBalancerService:
                 description: DisableLoadBalancerService (optional) sets the service
                   type to ClusterIP instead of LoadBalancer

diff --git a/pkg/system/phase2_creating.go b/pkg/system/phase2_creating.go
@@ -69,7 +69,7 @@ func (r *Reconciler) ReconcilePhaseCreating() error {
 	if err := r.ReconcileObject(r.ServiceS3, r.SetDesiredServiceS3); err != nil {
 		return err
 	}
-	if err := r.ReconcileObjectOptional(r.RouteS3, nil); err != nil {
+	if err := r.ReconcileObjectOptional(r.RouteS3, r.SetDesiredRouteS3); err != nil {
 		return err
 	}
 	if err := r.ReconcileObject(r.ServiceSts, r.SetDesiredServiceSts); err != nil {
@@ -229,6 +229,15 @@ func (r *Reconciler) SetDesiredServiceS3() error {
 	return nil
 }
 
+// SetDesiredRouteS3 updates the RouteS3 as desired for reconciling
+func (r *Reconciler) SetDesiredRouteS3() error {
+	r.RouteS3.Spec.TLS.InsecureEdgeTerminationPolicy = "Allow"
+	if r.NooBaa.Spec.DenyHTTP {
+		r.RouteS3.Spec.TLS.InsecureEdgeTerminationPolicy = "None"
+	}
+	return nil
+}
+
 // SetDesiredServiceSts updates the ServiceSts as desired for reconciling
 func (r *Reconciler) SetDesiredServiceSts() error {
 	if r.NooBaa.Spec.DisableLoadBalancerService {