From 940b62d527a6e5e4ce4445d1183b5d0d9277438e Mon Sep 17 00:00:00 2001
From: wangyelei
Date: Tue, 21 Jan 2025 17:14:15 +0800
Subject: [PATCH] chore: support to get ca-key file when enabling tls

---
 apis/apps/v1/componentdefinition_types.go | 7 +++++++
 apis/apps/v1/zz_generated.deepcopy.go | 5 +++++
 .../apps.kubeblocks.io_componentdefinitions.yaml | 7 +++++++
 .../apps.kubeblocks.io_componentdefinitions.yaml | 7 +++++++
 docs/developer_docs/api-reference/cluster.md | 13 +++++++++++++
 pkg/controller/plan/tls.go | 13 +++++++++----
 pkg/controller/plan/tls_test.go | 8 +++++---
 7 files changed, 53 insertions(+), 7 deletions(-)

diff --git a/apis/apps/v1/componentdefinition_types.go b/apis/apps/v1/componentdefinition_types.go
index bfa84e7602b..10a9b22fbf9 100644
--- a/apis/apps/v1/componentdefinition_types.go
+++ b/apis/apps/v1/componentdefinition_types.go
@@ -1275,6 +1275,13 @@ type TLS struct {
  // +optional
  CAFile *string `json:"caFile,omitempty"`
+ // The CA key file of the TLS.
+ //
+ // This field is immutable once set.
+ //
+ // +optional
+ CAKeyFile *string `json:"caKeyFile,omitempty"`
+
  // The certificate file of the TLS.
  //
  // This field is immutable once set.
diff --git a/apis/apps/v1/zz_generated.deepcopy.go b/apis/apps/v1/zz_generated.deepcopy.go
index 8c210044fc0..c94c7d9c99e 100644
--- a/apis/apps/v1/zz_generated.deepcopy.go
+++ b/apis/apps/v1/zz_generated.deepcopy.go
@@ -3311,6 +3311,11 @@ func (in *TLS) DeepCopyInto(out *TLS) {
  *out = new(string)
  **out = **in
  }
+ if in.CAKeyFile != nil {
+ in, out := &in.CAKeyFile, &out.CAKeyFile
+ *out = new(string)
+ **out = **in
+ }
  if in.CertFile != nil {
  in, out := &in.CertFile, &out.CertFile
  *out = new(string)
diff --git a/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml b/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml
index 70b38b24029..fba6cdd7891 100644
--- a/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml
+++ b/config/crd/bases/apps.kubeblocks.io_componentdefinitions.yaml
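Review bot: The new `CAKeyFile` doc comment in the componentdefinition_types.go hunk says only that the field is immutable; it does not tell the ComponentDefinition author that setting it causes the CA's private key to be written into the component TLS Secret next to the leaf certificate and key (that is what the tls.go hunk of this same patch does with `$ca.Key`), which is the fact needed to decide whether to set it. Suggest adding two lines to the comment before `// +optional`: `// Setting this stores the CA private key in the component's TLS Secret alongside the leaf key;` and `// set it only when the component itself must sign further certificates.` The generated deepcopy hunk needs no review. The TLS struct starts before the hunk and continues after it.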
@@ -16780,6 +16780,13 @@ spec: The CA file of the TLS. + This field is immutable once set. + type: string + caKeyFile: + description: |- + The CA key file of the TLS. + + This field is immutable once set. type: string certFile: diff --git a/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml b/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml index 70b38b24029..fba6cdd7891 100644 --- a/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml +++ b/deploy/helm/crds/apps.kubeblocks.io_componentdefinitions.yaml @@ -16780,6 +16780,13 @@ spec: The CA file of the TLS. + This field is immutable once set. + type: string + caKeyFile: + description: |- + The CA key file of the TLS. + + This field is immutable once set. type: string certFile: diff --git a/docs/developer_docs/api-reference/cluster.md b/docs/developer_docs/api-reference/cluster.md index 9bd796ce90d..de70fe512c7 100644 --- a/docs/developer_docs/api-reference/cluster.md +++ b/docs/developer_docs/api-reference/cluster.md @@ -11385,6 +11385,19 @@ string +caKeyFile
+ +string + + + +(Optional) +

The CA key file of the TLS.

+

This field is immutable once set.

+ + + + certFile
string diff --git a/pkg/controller/plan/tls.go b/pkg/controller/plan/tls.go index 0730327d972..650ebaaf1bb 100644 --- a/pkg/controller/plan/tls.go +++ b/pkg/controller/plan/tls.go @@ -78,27 +78,32 @@ func ComposeTLSSecret(compDef *appsv1.ComponentDefinition, synthesizedComp compo {{- $cert := genSignedCert "%s peer" (list "127.0.0.1" "::1") (list "localhost" "*.%s-%s-headless.%s.svc.cluster.local") 36500 $ca -}} {{- $ca.Cert -}} {{- print "%s" -}} + {{- $ca.Key -}} + {{- print "%s" -}} {{- $cert.Cert -}} {{- print "%s" -}} {{- $cert.Key -}} -`, compName, clusterName, compName, namespace, spliter, spliter) +`, compName, clusterName, compName, namespace, spliter, spliter, spliter) out, err := buildFromTemplate(SignedCertTpl, nil) if err != nil { return nil, err } parts := strings.Split(out, spliter) - if len(parts) != 3 { + if len(parts) != 4 { return nil, errors.Errorf("generate TLS certificates failed with cluster name %s, component name %s in namespace %s", clusterName, compName, namespace) } if compDef.Spec.TLS.CAFile != nil { secret.StringData[*compDef.Spec.TLS.CAFile] = parts[0] } + if compDef.Spec.TLS.CAKeyFile != nil { + secret.StringData[*compDef.Spec.TLS.CAKeyFile] = parts[1] + } if compDef.Spec.TLS.CertFile != nil { - secret.StringData[*compDef.Spec.TLS.CertFile] = parts[1] + secret.StringData[*compDef.Spec.TLS.CertFile] = parts[2] } if compDef.Spec.TLS.KeyFile != nil { - secret.StringData[*compDef.Spec.TLS.KeyFile] = parts[2] + secret.StringData[*compDef.Spec.TLS.KeyFile] = parts[3] } return secret, nil } diff --git a/pkg/controller/plan/tls_test.go b/pkg/controller/plan/tls_test.go index db9dda34a8f..6b25ff0afd0 100644 --- a/pkg/controller/plan/tls_test.go +++ b/pkg/controller/plan/tls_test.go 
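Review bot: The added write `secret.StringData[*compDef.Spec.TLS.CAKeyFile] = parts[1]` uses a user-chosen file name as the map key, like the three neighbouring writes, and nothing in the hunk checks that caFile, caKeyFile, certFile and keyFile are distinct, so a `caKeyFile` equal to `keyFile` (or `caFile`) makes one PEM silently overwrite the other and the Secret then serves a private key under a name consumers read as something else. A distinctness check before the map writes, failing with the same `errors.Errorf` style the hunk already uses, closes that gap; a sketch follows. Note also that once the template emits `$ca.Key`, any workload that mounts this Secret for its leaf key receives the CA signing key whenever caKeyFile is set, which should be stated in the field's documentation. ComposeTLSSecret's signature and the start of SignedCertTpl lie before the hunk.
```go
	// … unchanged: template build and the len(parts) != 4 check …
	// Every configured file name becomes a key of secret.StringData; a duplicate
	// name would silently overwrite an earlier PEM, so reject it up front.
	seen := make(map[string]struct{}, 4)
	for _, f := range []*string{compDef.Spec.TLS.CAFile, compDef.Spec.TLS.CAKeyFile, compDef.Spec.TLS.CertFile, compDef.Spec.TLS.KeyFile} {
		if f == nil {
			continue
		}
		if _, dup := seen[*f]; dup {
			return nil, errors.Errorf("duplicate TLS file name %q for cluster %s, component %s in namespace %s", *f, clusterName, compName, namespace)
		}
		seen[*f] = struct{}{}
	}
	// … unchanged: writes of parts[0..3] into secret.StringData and return …
```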
@@ -46,9 +46,10 @@ var _ = Describe("TLSUtilsTest", func() { compDef := &appsv1.ComponentDefinition{ Spec: appsv1.ComponentDefinitionSpec{ TLS: &appsv1.TLS{ - CAFile: ptr.To("ca.pem"), - CertFile: ptr.To("cert.pem"), - KeyFile: ptr.To("key.pem"), + CAFile: ptr.To("ca.pem"), + CAKeyFile: ptr.To("ca-key.pem"), + CertFile: ptr.To("cert.pem"), + KeyFile: ptr.To("key.pem"), }, }, } @@ -67,6 +68,7 @@ var _ = Describe("TLSUtilsTest", func() { Expect(secret.Labels[constant.KBAppComponentLabelKey]).Should(Equal(synthesizedComp.Name)) Expect(secret.StringData).ShouldNot(BeNil()) Expect(secret.StringData[*compDef.Spec.TLS.CAFile]).ShouldNot(BeZero()) + Expect(secret.StringData[*compDef.Spec.TLS.CAKeyFile]).ShouldNot(BeZero()) Expect(secret.StringData[*compDef.Spec.TLS.CertFile]).ShouldNot(BeZero()) Expect(secret.StringData[*compDef.Spec.TLS.KeyFile]).ShouldNot(BeZero()) })