THREESCALE-11156 add change the apimanager tls enabled flag location …

…and add reconciler check for empty values
3scale · Feb 11, 2025 · efc2e6f · efc2e6f
1 parent 247a2e0
commit efc2e6f
Show file tree

Hide file tree

Showing 9 changed files with 116 additions and 28 deletions.
diff --git a/apis/apps/v1alpha1/apimanager_types.go b/apis/apps/v1alpha1/apimanager_types.go
@@ -84,10 +84,6 @@ type APIManagerSpec struct {
 	PodDisruptionBudget *PodDisruptionBudgetSpec `json:"podDisruptionBudget,omitempty"`
 	// +optional
 	Monitoring *MonitoringSpec `json:"monitoring,omitempty"`
-	// +optional
-	SystemDatabaseTLSEnabled *bool `json:"systemDatabaseTLSEnabled,omitempty"`
-	// +optional
-	ZyncDatabaseTLSEnabled *bool `json:"zyncDatabaseTLSEnabled,omitempty"`
 }
 
 // APIManagerStatus defines the observed state of APIManager
@@ -520,6 +516,9 @@ type SystemSpec struct {
 
 	// +optional
 	SearchdSpec *SystemSearchdSpec `json:"searchdSpec,omitempty"`
+
+	// +optional
+	SystemDatabaseTLSEnabled *bool `json:"systemDatabaseTLSEnabled,omitempty"`
 }
 
 type SystemAppSpec struct {
@@ -733,6 +732,8 @@ type ZyncSpec struct {
 	DatabaseLabels map[string]string `json:"databaseLabels,omitempty"`
 	// +optional
 	DatabaseAnnotations map[string]string `json:"databaseAnnotations,omitempty"`
+	// +optional
+	ZyncDatabaseTLSEnabled *bool `json:"zyncDatabaseTLSEnabled,omitempty"`
 }
 
 type ZyncAppSpec struct {
@@ -1706,9 +1707,9 @@ func init() {
 }
 
 func (apimanager *APIManager) IsSystemDatabaseTLSEnabled() bool {
-	return apimanager.Spec.SystemDatabaseTLSEnabled != nil && *apimanager.Spec.SystemDatabaseTLSEnabled
+	return apimanager.Spec.System != nil && apimanager.Spec.System.SystemDatabaseTLSEnabled != nil && *apimanager.Spec.System.SystemDatabaseTLSEnabled
 }
 
 func (apimanager *APIManager) IsZyncDatabaseTLSEnabled() bool {
-	return apimanager.Spec.ZyncDatabaseTLSEnabled != nil && *apimanager.Spec.ZyncDatabaseTLSEnabled
+	return apimanager.Spec.Zync != nil && apimanager.Spec.Zync.ZyncDatabaseTLSEnabled != nil && *apimanager.Spec.Zync.ZyncDatabaseTLSEnabled
 }
diff --git a/apis/apps/v1alpha1/zz_generated.deepcopy.go b/apis/apps/v1alpha1/zz_generated.deepcopy.go
diff --git a/bundle/manifests/apps.3scale.net_apimanagers.yaml b/bundle/manifests/apps.3scale.net_apimanagers.yaml
@@ -16602,9 +16602,9 @@ spec:
                           type: object
                         type: array
                     type: object
+                  systemDatabaseTLSEnabled:
+                    type: boolean
                 type: object
-              systemDatabaseTLSEnabled:
-                type: boolean
               tenantName:
                 type: string
               wildcardDomain:
@@ -20011,9 +20011,9 @@ spec:
                           type: object
                         type: array
                     type: object
+                  zyncDatabaseTLSEnabled:
+                    type: boolean
                 type: object
-              zyncDatabaseTLSEnabled:
-                type: boolean
             required:
             - wildcardDomain
             type: object

diff --git a/config/crd/bases/apps.3scale.net_apimanagers.yaml b/config/crd/bases/apps.3scale.net_apimanagers.yaml
@@ -17392,9 +17392,9 @@ spec:
                           type: object
                         type: array
                     type: object
+                  systemDatabaseTLSEnabled:
+                    type: boolean
                 type: object
-              systemDatabaseTLSEnabled:
-                type: boolean
               tenantName:
                 type: string
               wildcardDomain:
@@ -20961,9 +20961,9 @@ spec:
                           type: object
                         type: array
                     type: object
+                  zyncDatabaseTLSEnabled:
+                    type: boolean
                 type: object
-              zyncDatabaseTLSEnabled:
-                type: boolean
             required:
             - wildcardDomain
             type: object

diff --git a/doc/apimanager-reference.md b/doc/apimanager-reference.md
@@ -338,6 +338,7 @@ Some examples are available [here](/doc/adding-apicast-custom-environments.md)
 | MemcachedPriorityClassName | `memcachedPriorityClassName`         | string                                                                                                                                    | No           | N/A                                                                                                                                            | If specified, indicates the pod's priority. "system-node-critical" and "system-cluster-critical" are two special keywords which indicate the highest priorities with the former being the highest priority. Any other name must be defined by creating a PriorityClass object with that name. If not specified, the pod priority will be default or zero if there is no default. (see [docs](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/)) |
 | MemcachedTopologySpreadConstraints | `memcachedTopologySpreadConstraints` | \[\][v1.TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#topologyspreadconstraint-v1-core) | No           | `nil`                                                                                                                                          | Specifies how to spread matching pods among the given topology                                                                                                                                                                                                                                          |
 | MemcachedLabels                    | `memcachedLabels`                    | map[string]string                                                                                                                        | No           | `nil `                                                                                                                                         | Specifies labels that should be added to component                                                                                                                                                                                                                                                                                   |
+| SystemDatabaseTLSEnabled | `systemDatabaseTLSEnabled`| bool | No | false | Use external databases only |
 | RedisPriorityClassName | `redisPriorityClassName` | string | No | N/A | **[DEPRECATED]** Use external databases only |
 | RedisTopologySpreadConstraints | `redisTopologySpreadConstraints` | \[\][v1.TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#topologyspreadconstraint-v1-core) | No | `nil` |  **[DEPRECATED]** Use external databases only |
 | RedisLabels | `redisLabels` | map[string]string | No | `nil ` |  **[DEPRECATED]** Use external databases only |
@@ -528,6 +529,7 @@ Note: Deploying databases internally with this section is meant for evaluation p
 | DatabaseTopologySpreadConstraints | `databaseTopologySpreadConstraints` | \[\][v1.TopologySpreadConstraint](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.25/#topologyspreadconstraint-v1-core) | No | `nil` | Specifies how to spread matching pods among the given topology |
 | DatabaseLabels | `databaseLabels` | map[string]string | No | `nil ` | Specifies labels that should be added to component |
 | DatabaseAnnotations | `databaseAnnotations` | map[string]string  | No | `nil ` | Specifies Annotations that should be added to component |
+| ZyncDatabaseTLSEnabled | `zyncDatabaseTLSEnabled`| bool | No | false | Use external databases only |
 
 ### ZyncAppSpec
 

diff --git a/doc/operator-user-guide.md b/doc/operator-user-guide.md
@@ -297,8 +297,8 @@ See [Zync secret](apimanager-reference.md#zync) for reference.
 It is possible to connect to both the system-database and zync database via TLS provided these databases have TLS enabled. To enable TLS communication to these databases you will need to configure the ApiManager and the database secret.
 
 In ApiManager CR we set the boolean to enable TLS configuration for the respictive databases
-- `spec.zyncDatabaseTLSEnabled: true`
-- `spec.systemDatabaseTLSEnabled: true`
+- `spec.zync.zyncDatabaseTLSEnabled: true`
+- `spec.system.systemDatabaseTLSEnabled: true`
 
 We pass the cert files in via the respective secret i.e. system-database & zync
 

diff --git a/pkg/3scale/amp/component/highavailability_options.go b/pkg/3scale/amp/component/highavailability_options.go
@@ -10,9 +10,19 @@ type HighAvailabilityOptions struct {
 	BackendRedisStorageSentinelHosts string
 	BackendRedisStorageSentinelRole  string
 	SystemDatabaseURL                string
+	SystemDatabaseSslCa              string
+	SystemDatabaseSslMode            string
+	SystemDatabaseSslCert            string
+	SystemDatabaseSslKey             string
 	SystemRedisURL                   string
 	SystemRedisSentinelsHosts        string
 	SystemRedisSentinelsRole         string
+	ZyncDatabaseURL                  string
+	ZyncDatabasePassword             string
+	ZyncDatabaseSslCa                string
+	ZyncDatabaseSslMode              string
+	ZyncDatabaseSslCert              string
+	ZyncDatabaseSslKey               string
 }
 
 func NewHighAvailabilityOptions() *HighAvailabilityOptions {

diff --git a/pkg/3scale/amp/component/system_searchd.go b/pkg/3scale/amp/component/system_searchd.go
@@ -93,8 +93,7 @@ func (s *SystemSearchd) Deployment(ctx context.Context, k8sclient client.Client,
 							Name:            SystemSearchdDeploymentName,
 							Image:           containerImage,
 							ImagePullPolicy: v1.PullIfNotPresent,
-							//Env:             s.commonSearchdEnvVars(),
-							VolumeMounts: s.searchDVolumeMounts(),
+							VolumeMounts:    s.searchDVolumeMounts(),
 							LivenessProbe: &v1.Probe{
 								ProbeHandler: v1.ProbeHandler{
 									TCPSocket: &v1.TCPSocketAction{

diff --git a/pkg/3scale/amp/operator/highavailability_options_provider.go b/pkg/3scale/amp/operator/highavailability_options_provider.go
@@ -1,6 +1,8 @@
 package operator
 
 import (
+	"errors"
+	"fmt"
 	appsv1alpha1 "github.com/3scale/3scale-operator/apis/apps/v1alpha1"
 	"github.com/3scale/3scale-operator/pkg/3scale/amp/component"
 	"github.com/3scale/3scale-operator/pkg/helper"
@@ -38,6 +40,9 @@ func (h *HighAvailabilityOptionsProvider) GetHighAvailabilityOptions() (*compone
 	if h.apimanager.IsExternal(appsv1alpha1.SystemDatabase) {
 		setOptionsFns = append(setOptionsFns, h.setSystemDatabaseOptions)
 	}
+	if h.apimanager.IsExternal(appsv1alpha1.ZyncDatabase) {
+		setOptionsFns = append(setOptionsFns, h.setZyncDatabaseOptions)
+	}
 
 	for _, setOptions := range setOptionsFns {
 		if err := setOptions(); err != nil {
@@ -172,6 +177,50 @@ func (h *HighAvailabilityOptionsProvider) setSystemRedisOptions() error {
 	return nil
 
 }
+func (h *HighAvailabilityOptionsProvider) setZyncDatabaseOptions() error {
+	val, err := h.secretSource.RequiredFieldValueFromRequiredSecret(
+		component.ZyncSecretName, component.ZyncSecretDatabaseURLFieldName)
+	if err != nil {
+		return err
+	}
+	h.options.ZyncDatabaseURL = val
+	val, err = h.secretSource.RequiredFieldValueFromRequiredSecret(
+		component.ZyncSecretName, component.ZyncSecretDatabasePasswordFieldName)
+	if err != nil {
+		return err
+	}
+	h.options.ZyncDatabasePassword = val
+	if h.apimanager.IsZyncDatabaseTLSEnabled() {
+		var errs []error
+
+		// Required fields
+		requiredFields := []struct {
+			field       *string
+			secretField string
+		}{
+			{&h.options.ZyncDatabaseSslCa, component.ZyncSecretSslCa},
+			{&h.options.ZyncDatabaseSslCert, component.ZyncSecretSslCert},
+			{&h.options.ZyncDatabaseSslKey, component.ZyncSecretSslKey},
+			{&h.options.ZyncDatabaseSslMode, component.ZyncSecretDatabaseSslMode},
+		}
+
+		for _, field := range requiredFields {
+			val, err := h.secretSource.RequiredFieldValueFromRequiredSecret(component.ZyncSecretName, field.secretField)
+			if err != nil {
+				errs = append(errs, fmt.Errorf("%w", err))
+			}
+			*field.field = val
+		}
+
+		// Return all accumulated errors
+		if len(errs) > 0 {
+			return fmt.Errorf("zync database'zyncDatabaseTLSEnabled: true' is set in apimanager: %v", errors.Join(errs...))
+		}
+
+	}
+
+	return nil
+}
 
 func (h *HighAvailabilityOptionsProvider) setSystemDatabaseOptions() error {
 	val, err := h.secretSource.RequiredFieldValueFromRequiredSecret(
@@ -180,6 +229,33 @@ func (h *HighAvailabilityOptionsProvider) setSystemDatabaseOptions() error {
 		return err
 	}
 	h.options.SystemDatabaseURL = val
+	if h.apimanager.IsSystemDatabaseTLSEnabled() {
+		var errs []error
+
+		// Required fields
+		requiredFields := []struct {
+			field       *string
+			secretField string
+		}{
+			{&h.options.SystemDatabaseSslCa, component.SystemSecretSslCa},
+			{&h.options.SystemDatabaseSslCert, component.SystemSecretSslCert},
+			{&h.options.SystemDatabaseSslKey, component.SystemSecretSslKey},
+			{&h.options.SystemDatabaseSslMode, component.SystemSecretDatabaseSslMode},
+		}
+
+		for _, field := range requiredFields {
+			val, err := h.secretSource.RequiredFieldValueFromRequiredSecret(component.SystemSecretSystemDatabaseSecretName, field.secretField)
+			if err != nil {
+				errs = append(errs, fmt.Errorf("%w", err))
+			}
+			*field.field = val
+		}
+
+		// Return all accumulated errors
+		if len(errs) > 0 {
+			return fmt.Errorf("system database'systemDatabaseTLSEnabled: true' is set in apimanager: %v", errors.Join(errs...))
+		}
+	}
 	return nil
 }