kubedb · AbdullahAlShaad · Oct 22, 2024 · Oct 7, 2024 · Oct 7, 2024 · Oct 21, 2024
diff --git a/apis/kubedb/constants.go b/apis/kubedb/constants.go
@@ -641,22 +641,42 @@ const (
 	ZooKeeperMetricsPortName        = "metrics"
 	ZooKeeperMetricsPort            = 7000
 	ZooKeeperAdminServerPortName    = "admin-server"
+	ZooKeeperSecureClientPortName   = "secure-client"
 	ZooKeeperAdminServerPort        = 8080
+	ZooKeeperSecureClientPort       = 2182
 	ZooKeeperNode                   = "/kubedb_health_checker_node"
 	ZooKeeperData                   = "kubedb_health_checker_data"
 	ZooKeeperConfigVolumeName       = "zookeeper-config"
 	ZooKeeperConfigVolumePath       = "/conf"
+	ZooKeeperVolumeTempConfig       = "temp-config"
 	ZooKeeperDataVolumeName         = "data"
 	ZooKeeperDataVolumePath         = "/data"
 	ZooKeeperScriptVolumeName       = "script-vol"
 	ZooKeeperScriptVolumePath       = "/scripts"
 	ZooKeeperContainerName          = "zookeeper"
+	ZooKeeperUserAdmin              = "admin"
 	ZooKeeperInitContainerName      = "zookeeper" + "-init"
 
 	ZooKeeperConfigFileName               = "zoo.cfg"
 	ZooKeeperLog4jPropertiesFileName      = "log4j.properties"
 	ZooKeeperLog4jQuietPropertiesFileName = "log4j-quiet.properties"
 
+	ZooKeeperCertDir       = "/var/private/ssl"
+	ZooKeeperKeyStoreDir   = "/var/private/ssl/server.keystore.jks"
+	ZooKeeperTrustStoreDir = "/var/private/ssl/server.truststore.jks"
+
+	ZooKeeperKeystoreKey           = "keystore.jks"
+	ZooKeeperTruststoreKey         = "truststore.jks"
+	ZooKeeperServerKeystoreKey     = "server.keystore.jks"
+	ZooKeeperServerTruststoreKey   = "server.truststore.jks"
+	ZooKeeperKeyPassword           = "ssl.key.password"
+	ZooKeeperKeystorePasswordKey   = "ssl.quorum.keyStore.password"
+	ZooKeeperTruststorePasswordKey = "ssl.quorum.trustStore.password"
+	ZooKeeperKeystoreLocationKey   = "ssl.quorum.keyStore.location"
+	ZooKeeperTruststoreLocationKey = "ssl.quorum.trustStore.location"
+
+	ZooKeeperSSLPropertiesFileName = "ssl.properties"
+
 	EnvZooKeeperDomain          = "DOMAIN"
 	EnvZooKeeperQuorumPort      = "QUORUM_PORT"
 	EnvZooKeeperLeaderPort      = "LEADER_PORT"

diff --git a/apis/kubedb/v1alpha2/openapi_generated.go b/apis/kubedb/v1alpha2/openapi_generated.go
diff --git a/apis/kubedb/v1alpha2/zookeeper_helpers.go b/apis/kubedb/v1alpha2/zookeeper_helpers.go
@@ -19,6 +19,7 @@ package v1alpha2
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	"kubedb.dev/apimachinery/apis"
 	catalog "kubedb.dev/apimachinery/apis/catalog/v1alpha1"
@@ -32,6 +33,7 @@ import (
 	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/klog/v2"
+	kmapi "kmodules.xyz/client-go/api/v1"
 	"kmodules.xyz/client-go/apiextensions"
 	coreutil "kmodules.xyz/client-go/core/v1"
 	meta_util "kmodules.xyz/client-go/meta"
@@ -145,6 +147,21 @@ func (z *ZooKeeper) GetAuthSecretName() string {
 	return meta_util.NameWithSuffix(z.OffshootName(), "auth")
 }
 
+func (z *ZooKeeper) GetKeystoreSecretName() string {
+	if z.Spec.KeystoreCredSecret != nil && z.Spec.KeystoreCredSecret.Name != "" {
+		return z.Spec.KeystoreCredSecret.Name
+	}
+	return meta_util.NameWithSuffix(z.OffshootName(), "keystore-cred")
+}
+
+func (k *ZooKeeper) DefaultUserCredSecretName(username string) string {
+	return meta_util.NameWithSuffix(k.Name, strings.ReplaceAll(fmt.Sprintf("%s-cred", username), "_", "-"))
+}
+
+func (z *ZooKeeper) DefaultKeystoreCredSecretName() string {
+	return meta_util.NameWithSuffix(z.Name, strings.ReplaceAll("keystore-cred", "_", "-"))
+}
+
 func (z *ZooKeeper) GetPersistentSecrets() []string {
 	if z == nil {
 		return nil
@@ -204,6 +221,10 @@ func (z *ZooKeeper) SetDefaults() {
 		apis.SetDefaultResourceLimits(&initContainer.Resources, kubedb.DefaultInitContainerResource)
 	}
 
+	if z.Spec.EnableSSL {
+		z.SetTLSDefaults()
+	}
+
 	z.SetHealthCheckerDefaults()
 	if z.Spec.Monitor != nil {
 		if z.Spec.Monitor.Prometheus == nil {
@@ -216,6 +237,14 @@ func (z *ZooKeeper) SetDefaults() {
 	}
 }
 
+func (z *ZooKeeper) SetTLSDefaults() {
+	if z.Spec.TLS == nil || z.Spec.TLS.IssuerRef == nil {
+		return
+	}
+	z.Spec.TLS.Certificates = kmapi.SetMissingSecretNameForCertificate(z.Spec.TLS.Certificates, string(ZooKeeperServerCert), z.CertificateName(ZooKeeperServerCert))
+	z.Spec.TLS.Certificates = kmapi.SetMissingSecretNameForCertificate(z.Spec.TLS.Certificates, string(ZooKeeperClientCert), z.CertificateName(ZooKeeperClientCert))
+}
+
 func (z *ZooKeeper) setDefaultContainerSecurityContext(zkVersion *catalog.ZooKeeperVersion, podTemplate *ofst.PodTemplateSpec) {
 	if podTemplate == nil {
 		return
@@ -347,3 +376,26 @@ func (z *ZooKeeper) ReplicasAreReady(lister pslister.PetSetLister) (bool, string
 	expectedItems := 1
 	return checkReplicasOfPetSet(lister.PetSets(z.Namespace), labels.SelectorFromSet(z.OffshootLabels()), expectedItems)
 }
+
+// CertificateName returns the default certificate name and/or certificate secret name for a certificate alias
+func (z *ZooKeeper) CertificateName(alias ZooKeeperCertificateAlias) string {
+	return meta_util.NameWithSuffix(z.Name, fmt.Sprintf("%s-cert", string(alias)))
+}
+
+// GetCertSecretName returns the secret name for a certificate alias if any,
+// otherwise returns default certificate secret name for the given alias.
+func (z *ZooKeeper) GetCertSecretName(alias ZooKeeperCertificateAlias) string {
+	if z.Spec.TLS != nil {
+		name, ok := kmapi.GetCertificateSecretName(z.Spec.TLS.Certificates, string(alias))
+		if ok {
+			return name
+		}
+	}
+	return z.CertificateName(alias)
+}
+
+// CertSecretVolumeName returns the CertSecretVolumeName
+// Values will be like: client-certs, server-certs etc.
+func (k *ZooKeeper) CertSecretVolumeName(alias ZooKeeperCertificateAlias) string {
+	return string(alias) + "-certs"
+}
diff --git a/apis/kubedb/v1alpha2/zookeeper_types.go b/apis/kubedb/v1alpha2/zookeeper_types.go
@@ -65,9 +65,16 @@ type ZooKeeperSpec struct {
 	// +kubebuilder:default=8080
 	AdminServerPort int32 `json:"adminServerPort"`
 
+	// +optional
+	// +kubebuilder:default=2182
+	ClientSecurePort int32 `json:"clientSecurePort"`
+
 	// Storage to specify how storage shall be used.
 	Storage *core.PersistentVolumeClaimSpec `json:"storage,omitempty"`
 
+	// To enable ssl for http layer
+	EnableSSL bool `json:"enableSSL,omitempty"`
+
 	// If disable Auth true then don't create any auth secret
 	// +optional
 	DisableAuth bool `json:"disableAuth,omitempty"`
@@ -81,6 +88,14 @@ type ZooKeeperSpec struct {
 	// +optional
 	ConfigSecret *core.LocalObjectReference `json:"configSecret,omitempty"`
 
+	// Keystore encryption secret
+	// +optional
+	KeystoreCredSecret *SecretReference `json:"keystoreCredSecret,omitempty"`
+
+	// TLS contains tls configurations
+	// +optional
+	TLS *kmapi.TLSConfig `json:"tls,omitempty"`
+
 	// PodTemplate is an optional configuration for pods used to expose database
 	// +optional
 	PodTemplate ofst.PodTemplateSpec `json:"podTemplate,omitempty"`
@@ -121,10 +136,27 @@ type ZooKeeperStatus struct {
 	Conditions []kmapi.Condition `json:"conditions,omitempty"`
 }
 
+// +kubebuilder:validation:Enum=server;client
+type ZooKeeperCertificateAlias string
+
+const (
+	ZooKeeperServerCert ZooKeeperCertificateAlias = "server"
+	ZooKeeperClientCert ZooKeeperCertificateAlias = "client"
+)
+
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
 type ZooKeeperList struct {
 	metav1.TypeMeta `json:",inline"`
 	metav1.ListMeta `json:"metadata,omitempty"`
 	Items           []ZooKeeper `json:"items"`
 }
+
+// +kubebuilder:validation:Enum=controller;broker;combined
+type ZooKeeperNodeRoleType string
+
+const (
+	ZooKeeperNodeRoleController ZooKeeperNodeRoleType = "controller"
+	ZooKeeperNodeRoleBroker     ZooKeeperNodeRoleType = "broker"
+	ZooKeeperNodeRoleCombined   ZooKeeperNodeRoleType = "combined"
+)
diff --git a/apis/kubedb/v1alpha2/zz_generated.deepcopy.go b/apis/kubedb/v1alpha2/zz_generated.deepcopy.go
diff --git a/apis/ops/v1alpha1/openapi_generated.go b/apis/ops/v1alpha1/openapi_generated.go
diff --git a/apis/ops/v1alpha1/zookeeper_ops_types.go b/apis/ops/v1alpha1/zookeeper_ops_types.go
@@ -49,8 +49,8 @@ type ZooKeeperOpsRequest struct {
 	Status            OpsRequestStatus        `json:"status,omitempty"`
 }
 
-// +kubebuilder:validation:Enum=UpdateVersion;HorizontalScaling;VerticalScaling;VolumeExpansion;Restart;Reconfigure
-// ENUM(UpdateVersion, HorizontalScaling, VerticalScaling, VolumeExpansion, Restart, Reconfigure)
+// +kubebuilder:validation:Enum=UpdateVersion;HorizontalScaling;VerticalScaling;VolumeExpansion;Restart;Reconfigure;ReconfigureTLS
+// ENUM(UpdateVersion, HorizontalScaling, VerticalScaling, VolumeExpansion, Restart, Reconfigure, ReconfigureTLS)
 type ZooKeeperOpsRequestType string
 
 // ZooKeeperOpsRequestSpec is the spec for ZooKeeperOpsRequest
@@ -69,6 +69,8 @@ type ZooKeeperOpsRequestSpec struct {
 	VolumeExpansion *ZooKeeperVolumeExpansionSpec `json:"volumeExpansion,omitempty"`
 	// Specifies information necessary for custom configuration of zookeeper
 	Configuration *ZooKeeperCustomConfigurationSpec `json:"configuration,omitempty"`
+	// Specifies information necessary for configuring TLS
+	TLS *TLSSpec `json:"tls,omitempty"`
 	// Specifies information necessary for restarting database
 	Restart *RestartSpec `json:"restart,omitempty"`
 	// Timeout for each step of the ops request in second. If a step doesn't finish within the specified timeout, the ops request will result in failure.

diff --git a/apis/ops/v1alpha1/zookeeper_ops_types_enum.go b/apis/ops/v1alpha1/zookeeper_ops_types_enum.go
diff --git a/apis/ops/v1alpha1/zz_generated.deepcopy.go b/apis/ops/v1alpha1/zz_generated.deepcopy.go