Issuing certs for MaxScale admin and listeners

2025-08-15 21:02:38 +00:00 · 2024-12-27 15:59:28 +01:00
parent ef324dfaed
commit d9f59a2920
8 changed files with 152 additions and 41 deletions
--- a/api/v1alpha1/maxscale_types.go
+++ b/api/v1alpha1/maxscale_types.go
@ -1009,6 +1009,22 @@ func (m *MaxScale) DefaultPort() (*int32, error) {
 	return &m.Spec.Services[0].Listener.Port, nil
 }

+// TLSAdminDNSNames are the Service DNS names used by admin TLS certificates.
+func (m *MaxScale) TLSAdminDNSNames() []string {
+	var names []string
+	names = append(names, statefulset.ServiceNameVariants(m.ObjectMeta, m.GuiServiceKey().Name)...)
+	names = append(names, statefulset.HeadlessServiceNameVariants(m.ObjectMeta, "*", m.InternalServiceKey().Name)...)
+	return names
+}
+
+// TLSListenerDNSNames are the Service DNS names used by listener TLS certificates.
+func (m *MaxScale) TLSListenerDNSNames() []string {
+	var names []string
+	names = append(names, statefulset.ServiceNameVariants(m.ObjectMeta, m.Name)...)
+	names = append(names, statefulset.HeadlessServiceNameVariants(m.ObjectMeta, "*", m.InternalServiceKey().Name)...)
+	return names
+}
+
 func (m *MaxScale) apiUrlWithAddress(addr string) string {
 	scheme := "http"
 	if m.IsTLSEnabled() {
--- a/cmd/controller/main.go
+++ b/cmd/controller/main.go
@ -308,6 +308,7 @@ var rootCmd = &cobra.Command{
 			ServiceReconciler:        serviceReconciler,
 			DeploymentReconciler:     deployReconciler,
 			ServiceMonitorReconciler: svcMonitorReconciler,
+			CertReconciler:           certReconciler,

 			SuspendEnabled: featureMaxScaleSuspend,

--- a/cmd/enterprise/main.go
+++ b/cmd/enterprise/main.go
@ -329,6 +329,7 @@ var rootCmd = &cobra.Command{
 			ServiceReconciler:        serviceReconciler,
 			DeploymentReconciler:     deployReconciler,
 			ServiceMonitorReconciler: svcMonitorReconciler,
+			CertReconciler:           certReconciler,

 			SuspendEnabled: featureMaxScaleSuspend,

--- a/examples/manifests/maxscale_galera_tls.yaml
+++ b/examples/manifests/maxscale_galera_tls.yaml
@ -0,0 +1,44 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: MaxScale
+metadata:
+  name: maxscale-galera
+spec:
+  replicas: 3
+
+  mariaDbRef:
+    name: mariadb-galera
+
+  admin:
+    port: 8989
+    guiEnabled: true
+
+  auth:
+    generate: true
+
+  kubernetesService:
+    type: LoadBalancer
+    metadata:
+      annotations:
+        metallb.universe.tf/loadBalancerIPs: 172.18.0.224
+  
+  guiKubernetesService:
+    type: LoadBalancer
+    metadata:
+      annotations:
+        metallb.universe.tf/loadBalancerIPs: 172.18.0.231
+
+  connection:
+    secretName: mxs-galera-conn
+    port: 3306
+
+  metrics:
+    enabled: true
+
+  tls:
+    enabled: true
+    serverCASecretRef:
+      name: mariadb-galera-ca-bundle
+    serverCertSecretRef:
+      name: mariadb-galera-client-cert
+    verifyPeerCertificate: true
+    verifyPeerHost: false
--- a/internal/controller/mariadb_controller_tls.go
+++ b/internal/controller/mariadb_controller_tls.go
@ -38,6 +38,47 @@ func (r *MariaDBReconciler) reconcileTLS(ctx context.Context, mariadb *mariadbv1
 	return ctrl.Result{}, nil
 }

+func (r *MariaDBReconciler) reconcileTLSCerts(ctx context.Context, mdb *mariadbv1alpha1.MariaDB) error {
+	tls := ptr.Deref(mdb.Spec.TLS, mariadbv1alpha1.TLS{})
+
+	serverCertOpts := []certctrl.CertReconcilerOpt{
+		certctrl.WithCABundle(mdb.TLSCABundleSecretKeyRef(), mdb.Namespace),
+		certctrl.WithCA(
+			tls.ServerCASecretRef == nil,
+			mdb.TLSServerCASecretKey(),
+		),
+		certctrl.WithCert(
+			tls.ServerCertSecretRef == nil,
+			mdb.TLSServerCertSecretKey(),
+			mdb.TLSServerDNSNames(),
+		),
+		certctrl.WithServerCertKeyUsage(),
+		certctrl.WithRelatedObject(mdb),
+	}
+	if _, err := r.CertReconciler.Reconcile(ctx, serverCertOpts...); err != nil {
+		return fmt.Errorf("error reconciling server cert: %v", err)
+	}
+
+	clientCertOpts := []certctrl.CertReconcilerOpt{
+		certctrl.WithCABundle(mdb.TLSCABundleSecretKeyRef(), mdb.Namespace),
+		certctrl.WithCA(
+			tls.ClientCASecretRef == nil,
+			mdb.TLSClientCASecretKey(),
+		),
+		certctrl.WithCert(
+			tls.ClientCertSecretRef == nil,
+			mdb.TLSClientCertSecretKey(),
+			mdb.TLSClientNames(),
+		),
+		certctrl.WithRelatedObject(mdb),
+	}
+	if _, err := r.CertReconciler.Reconcile(ctx, clientCertOpts...); err != nil {
+		return fmt.Errorf("error reconciling client cert: %v", err)
+	}
+
+	return nil
+}
+
 func (r *MariaDBReconciler) reconcileTLSCABundle(ctx context.Context, mdb *mariadbv1alpha1.MariaDB) error {
 	logger := log.FromContext(ctx).WithName("ca-bundle")

@ -95,47 +136,6 @@ func (r *MariaDBReconciler) reconcileTLSCABundle(ctx context.Context, mdb *maria
 	return r.SecretReconciler.Reconcile(ctx, &secretReq)
 }

-func (r *MariaDBReconciler) reconcileTLSCerts(ctx context.Context, mdb *mariadbv1alpha1.MariaDB) error {
-	tls := ptr.Deref(mdb.Spec.TLS, mariadbv1alpha1.TLS{})
-
-	serverCertOpts := []certctrl.CertReconcilerOpt{
-		certctrl.WithCABundle(mdb.TLSCABundleSecretKeyRef(), mdb.Namespace),
-		certctrl.WithCA(
-			tls.ServerCASecretRef == nil,
-			mdb.TLSServerCASecretKey(),
-		),
-		certctrl.WithCert(
-			tls.ServerCertSecretRef == nil,
-			mdb.TLSServerCertSecretKey(),
-			mdb.TLSServerDNSNames(),
-		),
-		certctrl.WithServerCertKeyUsage(),
-		certctrl.WithRelatedObject(mdb),
-	}
-	if _, err := r.CertReconciler.Reconcile(ctx, serverCertOpts...); err != nil {
-		return fmt.Errorf("error reconciling server cert: %v", err)
-	}
-
-	clientCertOpts := []certctrl.CertReconcilerOpt{
-		certctrl.WithCABundle(mdb.TLSCABundleSecretKeyRef(), mdb.Namespace),
-		certctrl.WithCA(
-			tls.ClientCASecretRef == nil,
-			mdb.TLSClientCASecretKey(),
-		),
-		certctrl.WithCert(
-			tls.ClientCertSecretRef == nil,
-			mdb.TLSClientCertSecretKey(),
-			mdb.TLSClientNames(),
-		),
-		certctrl.WithRelatedObject(mdb),
-	}
-	if _, err := r.CertReconciler.Reconcile(ctx, clientCertOpts...); err != nil {
-		return fmt.Errorf("error reconciling client cert: %v", err)
-	}
-
-	return nil
-}
-
 func (r *MariaDBReconciler) reconcileTLSConfig(ctx context.Context, mariadb *mariadbv1alpha1.MariaDB) error {
 	configMapKeyRef := mariadb.TLSConfigMapKeyRef()

--- a/internal/controller/maxscale_controller.go
+++ b/internal/controller/maxscale_controller.go
@ -13,6 +13,7 @@ import (
 	labels "github.com/mariadb-operator/mariadb-operator/pkg/builder/labels"
 	condition "github.com/mariadb-operator/mariadb-operator/pkg/condition"
 	"github.com/mariadb-operator/mariadb-operator/pkg/controller/auth"
+	certctrl "github.com/mariadb-operator/mariadb-operator/pkg/controller/certificate"
 	"github.com/mariadb-operator/mariadb-operator/pkg/controller/deployment"
 	"github.com/mariadb-operator/mariadb-operator/pkg/controller/rbac"
 	"github.com/mariadb-operator/mariadb-operator/pkg/controller/secret"
@ -65,6 +66,7 @@ type MaxScaleReconciler struct {
 	ServiceReconciler        *service.ServiceReconciler
 	DeploymentReconciler     *deployment.DeploymentReconciler
 	ServiceMonitorReconciler *servicemonitor.ServiceMonitorReconciler
+	CertReconciler           *certctrl.CertReconciler

 	SuspendEnabled bool

--- a/internal/controller/maxscale_controller_tls.go
+++ b/internal/controller/maxscale_controller_tls.go
@ -5,6 +5,7 @@ import (
 	"fmt"

 	mariadbv1alpha1 "github.com/mariadb-operator/mariadb-operator/api/v1alpha1"
+	certctrl "github.com/mariadb-operator/mariadb-operator/pkg/controller/certificate"
 	"github.com/mariadb-operator/mariadb-operator/pkg/controller/secret"
 	"github.com/mariadb-operator/mariadb-operator/pkg/metadata"
 	"github.com/mariadb-operator/mariadb-operator/pkg/pki"
@ -19,12 +20,57 @@ func (r *MaxScaleReconciler) reconcileTLS(ctx context.Context, req *requestMaxSc
 	if !req.mxs.IsTLSEnabled() {
 		return ctrl.Result{}, nil
 	}
+	if err := r.reconcileTLSCerts(ctx, req.mxs); err != nil {
+		return ctrl.Result{}, err
+	}
 	if err := r.reconcileTLSCABundle(ctx, req.mxs); err != nil {
 		return ctrl.Result{}, err
 	}
 	return ctrl.Result{}, nil
 }

+func (r *MaxScaleReconciler) reconcileTLSCerts(ctx context.Context, mxs *mariadbv1alpha1.MaxScale) error {
+	tls := ptr.Deref(mxs.Spec.TLS, mariadbv1alpha1.MaxScaleTLS{})
+
+	adminCertOpts := []certctrl.CertReconcilerOpt{
+		certctrl.WithCABundle(mxs.TLSCABundleSecretKeyRef(), mxs.Namespace),
+		certctrl.WithCA(
+			tls.AdminCASecretRef == nil,
+			mxs.TLSAdminCASecretKey(),
+		),
+		certctrl.WithCert(
+			tls.AdminCertSecretRef == nil,
+			mxs.TLSAdminCertSecretKey(),
+			mxs.TLSAdminDNSNames(),
+		),
+		certctrl.WithServerCertKeyUsage(),
+		certctrl.WithRelatedObject(mxs),
+	}
+	if _, err := r.CertReconciler.Reconcile(ctx, adminCertOpts...); err != nil {
+		return fmt.Errorf("error reconciling admin cert: %v", err)
+	}
+
+	listenerCertOpts := []certctrl.CertReconcilerOpt{
+		certctrl.WithCABundle(mxs.TLSCABundleSecretKeyRef(), mxs.Namespace),
+		certctrl.WithCA(
+			tls.ListenerCASecretRef == nil,
+			mxs.TLSAdminCASecretKey(),
+		),
+		certctrl.WithCert(
+			tls.ListenerCertSecretRef == nil,
+			mxs.TLSListenerCertSecretKey(),
+			mxs.TLSListenerDNSNames(),
+		),
+		certctrl.WithServerCertKeyUsage(),
+		certctrl.WithRelatedObject(mxs),
+	}
+	if _, err := r.CertReconciler.Reconcile(ctx, listenerCertOpts...); err != nil {
+		return fmt.Errorf("error reconciling listener cert: %v", err)
+	}
+
+	return nil
+}
+
 func (r *MaxScaleReconciler) reconcileTLSCABundle(ctx context.Context, mxs *mariadbv1alpha1.MaxScale) error {
 	logger := log.FromContext(ctx).WithName("ca-bundle")

--- a/internal/controller/suite_test.go
+++ b/internal/controller/suite_test.go
@ -244,6 +244,7 @@ var _ = BeforeSuite(func() {
 		ServiceReconciler:        serviceReconciler,
 		DeploymentReconciler:     deployReconciler,
 		ServiceMonitorReconciler: svcMonitorReconciler,
+		CertReconciler:           certReconciler,

 		SuspendEnabled: false,