feat: Add support for custom certificates in database connection (#259)
ruivieira authored Aug 1, 2024
1 parent c537e14 commit 1515872
Showing 3 changed files with 54 additions and 16 deletions.
15 changes: 15 additions & 0 deletions controllers/deployment.go
Expand Up @@ -38,6 +38,7 @@ type DeploymentConfig struct {
CustomCertificatesBundle CustomCertificatesBundle
Version string
BatchSize int
UseDBTLSCerts bool
}

// createDeploymentObject returns a Deployment for the TrustyAI Service instance
Expand Down Expand Up @@ -70,6 +71,20 @@ func (r *TrustyAIServiceReconciler) createDeploymentObject(ctx context.Context,
BatchSize: batchSize,
}

if instance.Spec.Storage.IsStorageDatabase() {
_, err := r.getSecret(ctx, instance.Name+"-db-tls", instance.Namespace)
if err != nil {
deploymentConfig.UseDBTLSCerts = false
log.FromContext(ctx).Error(err, "Using insecure database connection. Certificates "+instance.Name+"-db-tls not found")
} else {
deploymentConfig.UseDBTLSCerts = true
log.FromContext(ctx).Info("Using secure database connection with certificates " + instance.Name + "-db-tls")
}
} else {
deploymentConfig.UseDBTLSCerts = false
log.FromContext(ctx).Info("No need to check database secrets. Using PVC-mode.")
}

var deployment *appsv1.Deployment
deployment, err = templateParser.ParseResource[appsv1.Deployment](deploymentTemplatePath, deploymentConfig, reflect.TypeOf(&appsv1.Deployment{}))
if err != nil {
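Review bot: Every error returned by `r.getSecret` for the `-db-tls` lookup, not only a NotFound, switches `UseDBTLSCerts` off and lets the reconcile continue, so a transient API error or an RBAC denial on the Secret silently downgrades the service to a plaintext database connection while the Error log line says "not found". Only a NotFound should select the insecure path; other errors should be returned from createDeploymentObject (its signature is above the hunk, but the `if err != nil` at the end of the hunk suggests it already returns errors), using the apimachinery `errors.IsNotFound`, which unwraps the `%w` chain that getSecret builds, provided deployment.go imports that package as secrets.go does. The name `instance.Name+"-db-tls"` is spelled three times here and once more in the template, so a single local makes the log key-values and the template stay in step. If the downgrade is kept as a supported mode, it may be worth surfacing it in the CR status or an event rather than only in the operator log.
```go
	if instance.Spec.Storage.IsStorageDatabase() {
		tlsSecretName := instance.Name + "-db-tls"
		_, err := r.getSecret(ctx, tlsSecretName, instance.Namespace)
		switch {
		case err == nil:
			deploymentConfig.UseDBTLSCerts = true
			log.FromContext(ctx).Info("Using secure database connection", "secret", tlsSecretName)
		case errors.IsNotFound(err):
			// Documented fallback: no TLS secret means a plaintext DB connection.
			deploymentConfig.UseDBTLSCerts = false
			log.FromContext(ctx).Error(err, "Using insecure database connection, TLS secret not found", "secret", tlsSecretName)
		default:
			// Do not fall back to plaintext on an unknown API error.
			return nil, fmt.Errorf("checking database TLS secret %s: %w", tlsSecretName, err)
		}
	} else {
		deploymentConfig.UseDBTLSCerts = false
		log.FromContext(ctx).Info("No need to check database secrets. Using PVC-mode.")
	}
	// … unchanged: template parsing …
```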
38 changes: 23 additions & 15 deletions controllers/secrets.go
Expand Up @@ -9,34 +9,42 @@ import (
"sigs.k8s.io/controller-runtime/pkg/client"
)

// getSecret retrieves a secret if it exists, returns an error if not
func (r *TrustyAIServiceReconciler) getSecret(ctx context.Context, name, namespace string) (*corev1.Secret, error) {
secret := &corev1.Secret{}
err := r.Get(ctx, client.ObjectKey{Name: name, Namespace: namespace}, secret)
if err != nil {
if errors.IsNotFound(err) {
return nil, fmt.Errorf("secret %s not found in namespace %s: %w", name, namespace, err)
}
return nil, fmt.Errorf("failed to get secret %s in namespace %s: %w", name, namespace, err)
}
return secret, nil
}

// findDatabaseSecret finds the DB configuration secret named (specified or default) in the same namespace as the CR
func (r *TrustyAIServiceReconciler) findDatabaseSecret(ctx context.Context, instance *trustyaiopendatahubiov1alpha1.TrustyAIService) (*corev1.Secret, error) {

databaseConfigurationsName := instance.Spec.Storage.DatabaseConfigurations
defaultDatabaseConfigurationsName := instance.Name + dbCredentialsSuffix

secret := &corev1.Secret{}

if databaseConfigurationsName != "" {
secret := &corev1.Secret{}
err := r.Get(ctx, client.ObjectKey{Name: databaseConfigurationsName, Namespace: instance.Namespace}, secret)
if err == nil {
return secret, nil
secret, err := r.getSecret(ctx, databaseConfigurationsName, instance.Namespace)
if err != nil {
return nil, err
}
if !errors.IsNotFound(err) {
return nil, fmt.Errorf("failed to get secret %s in namespace %s: %w", databaseConfigurationsName, instance.Namespace, err)
if secret != nil {
return secret, nil
}
} else {
// If specified not found, try the default

err := r.Get(ctx, client.ObjectKey{Name: defaultDatabaseConfigurationsName, Namespace: instance.Namespace}, secret)
if err == nil {
return secret, nil
secret, err := r.getSecret(ctx, defaultDatabaseConfigurationsName, instance.Namespace)
if err != nil {
return nil, err
}
if !errors.IsNotFound(err) {
return nil, fmt.Errorf("failed to get secret %s in namespace %s: %w", defaultDatabaseConfigurationsName, instance.Namespace, err)
if secret != nil {
return secret, nil
}

}

return nil, fmt.Errorf("neither secret %s nor %s found in namespace %s", databaseConfigurationsName, defaultDatabaseConfigurationsName, instance.Namespace)
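Review bot: In findDatabaseSecret the `if secret != nil` check after each getSecret call can never be false, because getSecret (added above) returns a non-nil secret whenever err is nil, and since both branches return before it the final "neither secret … nor … found" error is now unreachable. A missing secret is reported by getSecret's own NotFound error instead, and the comment "If specified not found, try the default" no longer describes the `else` branch, which runs only when no name is specified, so the body reduces to picking the name and delegating. getSecret keeps NotFound distinguishable through `%w`, which is useful only if callers test it with the apimachinery `errors.IsNotFound` rather than treating any error as "missing". The function's closing brace is below the hunk.
```go
// findDatabaseSecret finds the DB configuration secret named (specified or default) in the same namespace as the CR
func (r *TrustyAIServiceReconciler) findDatabaseSecret(ctx context.Context, instance *trustyaiopendatahubiov1alpha1.TrustyAIService) (*corev1.Secret, error) {
	// Exactly one name is consulted: the configured one, else the default.
	name := instance.Spec.Storage.DatabaseConfigurations
	if name == "" {
		name = instance.Name + dbCredentialsSuffix
	}
	// getSecret already wraps a NotFound with the name and namespace.
	return r.getSecret(ctx, name, instance.Namespace)
	// … unchanged: closing brace below the hunk …
```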
17 changes: 16 additions & 1 deletion controllers/templates/service/deployment.tmpl.yaml
Expand Up @@ -94,7 +94,11 @@ spec:
name: {{ .Instance.Spec.Storage.DatabaseConfigurations }}
key: databasePort
- name: QUARKUS_DATASOURCE_JDBC_URL
{{ if .UseDBTLSCerts }}
value: "jdbc:${QUARKUS_DATASOURCE_DB_KIND}://${DATABASE_SERVICE}:${DATABASE_PORT}/trustyai_database?sslMode=verify-ca&serverSslCert=/etc/tls/db/tls.crt"
{{ else }}
value: "jdbc:${QUARKUS_DATASOURCE_DB_KIND}://${DATABASE_SERVICE}:${DATABASE_PORT}/trustyai_database"
{{ end }}
- name: SERVICE_DATA_FORMAT
value: "HIBERNATE"
- name: QUARKUS_DATASOURCE_GENERATION
Expand All @@ -121,7 +125,12 @@ spec:
- name: {{ .VolumeMountName }}
mountPath: {{ .Instance.Spec.Storage.Folder }}
readOnly: false
{{ end }}
{{ end }}
{{ if .UseDBTLSCerts }}
- name: db-tls-certs
mountPath: /etc/tls/db
readOnly: true
{{ end }}
- resources:
limits:
cpu: 100m
Expand Down Expand Up @@ -209,3 +218,9 @@ spec:
secret:
secretName: {{ .Instance.Name }}-internal
defaultMode: 420
{{ if .UseDBTLSCerts }}
- name: db-tls-certs
secret:
secretName: {{ .Instance.Name }}-db-tls
defaultMode: 420
{{ end }}
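Review bot: `sslMode=verify-ca` in the new JDBC URL validates the server certificate chain against `/etc/tls/db/tls.crt` but does not check that the certificate matches `${DATABASE_SERVICE}`, so any certificate issued by that CA is accepted; where the database certificate carries the service name in its SAN, `sslMode=verify-full` adds the hostname check. The option names `sslMode` and `serverSslCert` look like MariaDB Connector/J parameters, while the driver is selected at runtime through `${QUARKUS_DATASOURCE_DB_KIND}`, so a template comment such as `# sslMode/serverSslCert are MariaDB Connector/J options; other DB kinds need their own TLS parameters` would make that coupling explicit. The volume also assumes the `-db-tls` secret holds a `tls.crt` key; with a different key name the pod starts but the driver cannot find the file, which is worth noting beside the `db-tls-certs` volume definition.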
