Add SSL and password for Dashboards

Includes a refactor of the password generation and certs to make things cleaner.

Signed-off-by: Dan Bason <[email protected]>

Author: dbason

README.md

@@ -122,11 +122,15 @@ spec:
 | affinity | No | [Affinity](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#affinity-v1-core) | Affinity settings for the workload pods |
 | nodeSelector | No | map | NodeSelector for the workload pods.  If this exists it will override the globalNodeSelector |
 | tolerations | No | [Toleration](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#toleration-v1-core) *array* | Tolerations for the workload.  These will be combined with the globalTolerations (if any) |
-| opensearch | No | [OpensearchClusterRef](#opensearchclusterref) | Reference to an existing OpensearchCluster to point the Dashboards deployment at |
+| opensearch | No | [LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#localobjectreference-v1-core)| Reference to an existing OpensearchCluster to point the Dashboards deployment at.  Must be in the same namespace |
+| opensearchConfig | No | [OpensearchConfigSpec](#opensearchconfigspec)| Configuration for an external Opensearch cluster |
+| tlsSecret | No | [LocalObjectReference](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#localobjectreference-v1-core)| A TLS secret containing the cert and key to use for Dashboards SSL.  If the opensearch field is preset this isn't required as it will reuse the Opensearch HTTP CA to generate a cert |
 
-#### OpensearchClusterRef
+#### OpensearchConfigSpec
 
 | Field | Required | Type | Description |
 |:------|:---------|:-----|:------------|
-| name | Yes | *string* | Name of the OpensearchCluster resource |
-| namespace | No | *string* | Namespace of the OpensearchCluster resource.  Defaults to the namespace of the Dashboards resource |
+| url | Yes | *string* | Endpoint for the Opensearch cluster |
+| username | Yes | *string* | Username to connect to the cluster with |
+| passwordFrom | Yes | [SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#secretkeyselector-v1-core) | Secret key which contains the password for the cluster |
+| verifySSL | No | *bool* | Whether to use strict SSL checking.  Defaults to true |

api/v1beta1/dashboards_types.go

@@ -23,8 +23,8 @@ import (
 
 // DashboardsSpec defines the desired state of OpensearchDashboard
 type DashboardsSpec struct {
-	OpensearchCluster *OpensearchClusterRef        `json:"opensearch,omitempty"`
-	OpensearchURL     string                       `json:"opensearchUrl,omitempty"`
+	OpensearchCluster *corev1.LocalObjectReference `json:"opensearch,omitempty"`
+	OpensearchConfig  *OpensearchConfigSpec        `json:"opensearchConfig,omitempty"`
 	Version           string                       `json:"version"`
 	DefaultRepo       *string                      `json:"defaultRepo,omitempty"`
 	Image             *ImageSpec                   `json:"image,omitempty"`
@@ -34,11 +34,14 @@ type DashboardsSpec struct {
 	NodeSelector      map[string]string            `json:"nodeSelector,omitempty"`
 	Tolerations       []corev1.Toleration          `json:"tolerations,omitempty"`
 	Persistence       *PersistenceSpec             `json:"persistence,omitempty"`
+	TLSSecret         *corev1.LocalObjectReference `json:"tlsSecret,omitempty"`
 }
 
-type OpensearchClusterRef struct {
-	Name      string `json:"name,omitempty"`
-	Namespace string `json:"namepace,omitempty"`
+type OpensearchConfigSpec struct {
+	URL          string                    `json:"url,omitempty"`
+	Username     string                    `json:"username,omitempty"`
+	PasswordFrom *corev1.SecretKeySelector `json:"passwordFrom,omitempty"`
+	VerifySSL    *bool                     `json:"verifySSL,omitempty"`
 }
 
 // DashboardsStatus defines the observed state of OpensearchDashboard

api/v1beta1/opensearchcluster_types.go

@@ -74,7 +74,7 @@ const (
 )
 
 type AuthStatus struct {
-	GenerateOpensearchHash     *bool                     `json:"generateOpensearchHash"`
+	GenerateOpensearchHash     *bool                     `json:"generateOpensearchHash,omitempty"`
 	OpensearchAuthSecretKeyRef *corev1.SecretKeySelector `json:"elasticsearchAuthSecretKeyRef,omitempty"`
 }
 

api/v1beta1/zz_generated.deepcopy.go

@@ -406,11 +406,27 @@ spec:
                 properties:
                   name:
                     type: string
-                  namepace:
+                type: object
+              opensearchConfig:
+                properties:
+                  passwordFrom:
+                    properties:
+                      key:
+                        type: string
+                      name:
+                        type: string
+                      optional:
+                        type: boolean
+                    required:
+                    - key
+                    type: object
+                  url:
+                    type: string
+                  username:
                     type: string
+                  verifySSL:
+                    type: boolean
                 type: object
-              opensearchUrl:
-                type: string
               persistence:
                 properties:
                   accessModes:
@@ -450,6 +466,11 @@ spec:
                       x-kubernetes-int-or-string: true
                     type: object
                 type: object
+              tlsSecret:
+                properties:
+                  name:
+                    type: string
+                type: object
               tolerations:
                 items:
                   properties:

config/crd/bases/opensearch.opni.io_dashboards.yaml

@@ -1535,8 +1535,6 @@ spec:
                     type: object
                   generateOpensearchHash:
                     type: boolean
-                required:
-                - generateOpensearchHash
                 type: object
               conditions:
                 items:

config/crd/bases/opensearch.opni.io_opensearchclusters.yaml

@@ -35,7 +35,7 @@ var _ = Describe("OpensearchCluster Controller", Label("controller"), func() {
 			},
 			Spec: v1beta1.DashboardsSpec{
 				Version: "1.0.0",
-				OpensearchCluster: &v1beta1.OpensearchClusterRef{
+				OpensearchCluster: &corev1.LocalObjectReference{
 					Name: "test-cluster",
 				},
 				NodeSelector: map[string]string{

controllers/dashboards_controller_test.go

@@ -221,7 +221,8 @@ var _ = Describe("OpensearchCluster Controller", Label("controller"), func() {
 			},
 		})).Should(ExistAnd(
 			HaveOwner(osCluster),
-			HaveData("password", nil),
+			HaveData("admin", nil),
+			HaveData("dashboards", nil),
 		))
 		Eventually(Object(&corev1.Secret{
 			ObjectMeta: metav1.ObjectMeta{

controllers/opensearchcluster_controller_test.go

@@ -3,7 +3,9 @@ package pki
 import "errors"
 
 var (
-	ErrDecodeCA     = errors.New("unable to decode CA PEM")
-	ErrDecodeCAKey  = errors.New("unabled to decode CA key PEM")
-	ErrCertExpiring = errors.New("cert expiring within 10 days")
+	ErrDecodeCA          = errors.New("unable to decode CA PEM")
+	ErrDecodeCAKey       = errors.New("unabled to decode CA key PEM")
+	ErrCertExpiring      = errors.New("cert expiring within 10 days")
+	ErrSecretDataMissing = errors.New("data missing from secret")
+	ErrCARecreate        = errors.New("ca needs to be recreated but can't be")
 )

pkg/pki/errors.go

@@ -2,20 +2,35 @@ package pki
 
 import (
 	"bytes"
+	"context"
 	"crypto/rand"
 	"crypto/rsa"
 	"crypto/tls"
 	"crypto/x509"
 	"crypto/x509/pkix"
 	"encoding/pem"
+	"fmt"
 	"math/big"
 	"time"
+
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
+	"sigs.k8s.io/controller-runtime/pkg/client"
 )
 
 const (
 	CertificatePEMType = "CERTIFICATE"
 	RSAKeyPEMType      = "RSA PRIVATE KEY"
 	PKCS8KeyPEMType    = "PRIVATE KEY"
+
+	TransportCASecretField    = "transportca.crt"
+	TransportCAKeySecretField = "transportca.key"
+	RESTCASecretField         = "httpca.crt"
+	RESTCAKeySecretField      = "httpca.key"
+	TransportCertField        = "transport.crt"
+	TransportKeyField         = "transport.key"
+	RESTCertField             = "http.crt"
+	RESTKeyField              = "http.key"
 )
 
 func CreateCA(commonName string) (ca []byte, cakey []byte, err error) {
@@ -100,3 +115,39 @@ func SignCertificate(ca *tls.Certificate, cert *x509.Certificate, pubKey *rsa.Pu
 
 	return certPEMBuffer.Bytes(), nil
 }
+
+func IsSecretDataMissing(err error) bool {
+	return err == ErrSecretDataMissing
+}
+
+func RetrieveCert(
+	certField string,
+	keyField string,
+	opensearchName string,
+	namespace string,
+	client client.Client,
+) (
+	cert []byte,
+	key []byte,
+	err error,
+) {
+	secret := &corev1.Secret{}
+
+	err = client.Get(context.Background(), types.NamespacedName{
+		Name:      fmt.Sprintf("%s-os-pki", opensearchName),
+		Namespace: namespace,
+	}, secret)
+
+	if err != nil {
+		return
+	}
+
+	var certOK, keyOK bool
+	cert, certOK = secret.Data[certField]
+	key, keyOK = secret.Data[keyField]
+	if !certOK || !keyOK {
+		err = ErrSecretDataMissing
+		return
+	}
+	return
+}