mirror of
https://github.com/mariadb-operator/mariadb-operator.git
synced 2025-07-25 01:28:31 +00:00
208 lines
6.5 KiB
Go
208 lines
6.5 KiB
Go
/*
|
|
Copyright © 2023 Martín Montes <martin11lrx@gmail.com>
|
|
|
|
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
of this software and associated documentation files (the "Software"), to deal
|
|
in the Software without restriction, including without limitation the rights
|
|
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
copies of the Software, and to permit persons to whom the Software is
|
|
furnished to do so, subject to the following conditions:
|
|
|
|
The above copyright notice and this permission notice shall be included in
|
|
all copies or substantial portions of the Software.
|
|
|
|
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
|
|
THE SOFTWARE.
|
|
*/
|
|
package main
|
|
|
|
import (
|
|
"context"
|
|
"crypto/x509"
|
|
"fmt"
|
|
"net/http"
|
|
"os"
|
|
"path/filepath"
|
|
"time"
|
|
|
|
mariadbv1alpha1 "github.com/mariadb-operator/mariadb-operator/api/v1alpha1"
|
|
"github.com/mariadb-operator/mariadb-operator/pkg/log"
|
|
"github.com/mariadb-operator/mariadb-operator/pkg/pki"
|
|
"github.com/spf13/cobra"
|
|
ctrl "sigs.k8s.io/controller-runtime"
|
|
metricsserver "sigs.k8s.io/controller-runtime/pkg/metrics/server"
|
|
"sigs.k8s.io/controller-runtime/pkg/webhook"
|
|
)
|
|
|
|
var (
|
|
caCertPath string
|
|
certDir string
|
|
dnsName string
|
|
port int
|
|
|
|
tlsCert = "tls.crt"
|
|
tlsKey = "tls.key"
|
|
)
|
|
|
|
func init() {
|
|
webhookCmd.Flags().StringVar(&caCertPath, "ca-cert-path", "/tmp/k8s-webhook-server/certificate-authority/tls.crt",
|
|
"Path containing the CA TLS certificate for the webhook server.")
|
|
webhookCmd.Flags().StringVar(&certDir, "cert-dir", "/tmp/k8s-webhook-server/serving-certs",
|
|
"Directory containing the TLS certificate for the webhook server. 'tls.crt' and 'tls.key' must be present in this directory.")
|
|
webhookCmd.Flags().StringVar(&dnsName, "dns-name", "mariadb-operator-webhook.default.svc",
|
|
"TLS certificate DNS name.")
|
|
webhookCmd.Flags().IntVar(&port, "port", 9443, "Port to be used by the webhook server.")
|
|
}
|
|
|
|
var webhookCmd = &cobra.Command{
|
|
Use: "webhook",
|
|
Short: "MariaDB operator webhook server.",
|
|
Long: `Provides validation and inmutability checks for MariaDB resources.`,
|
|
Run: func(cmd *cobra.Command, args []string) {
|
|
log.SetupLogger(logLevel, logTimeEncoder, logDev)
|
|
|
|
err := waitForCerts(dnsName, time.Now(), 3*time.Minute)
|
|
if err != nil {
|
|
setupLog.Error(err, "Unable to validate certificates")
|
|
os.Exit(1)
|
|
}
|
|
|
|
mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
|
|
Scheme: scheme,
|
|
Metrics: metricsserver.Options{
|
|
BindAddress: metricsAddr,
|
|
},
|
|
HealthProbeBindAddress: healthAddr,
|
|
WebhookServer: webhook.NewServer(webhook.Options{
|
|
CertDir: certDir,
|
|
Port: port,
|
|
}),
|
|
})
|
|
if err != nil {
|
|
setupLog.Error(err, "Unable to start manager")
|
|
os.Exit(1)
|
|
}
|
|
|
|
if err = (&mariadbv1alpha1.MariaDB{}).SetupWebhookWithManager(mgr); err != nil {
|
|
setupLog.Error(err, "Unable to create webhook", "webhook", "MariaDB")
|
|
os.Exit(1)
|
|
}
|
|
if err = (&mariadbv1alpha1.Backup{}).SetupWebhookWithManager(mgr); err != nil {
|
|
setupLog.Error(err, "Unable to create webhook", "webhook", "Backup")
|
|
os.Exit(1)
|
|
}
|
|
if err = (&mariadbv1alpha1.Restore{}).SetupWebhookWithManager(mgr); err != nil {
|
|
setupLog.Error(err, "Unable to create webhook", "webhook", "restore")
|
|
os.Exit(1)
|
|
}
|
|
if err = (&mariadbv1alpha1.User{}).SetupWebhookWithManager(mgr); err != nil {
|
|
setupLog.Error(err, "Unable to create webhook", "webhook", "User")
|
|
os.Exit(1)
|
|
}
|
|
if err = (&mariadbv1alpha1.Grant{}).SetupWebhookWithManager(mgr); err != nil {
|
|
setupLog.Error(err, "Unable to create webhook", "webhook", "Grant")
|
|
os.Exit(1)
|
|
}
|
|
if err = (&mariadbv1alpha1.Database{}).SetupWebhookWithManager(mgr); err != nil {
|
|
setupLog.Error(err, "Unable to create webhook", "webhook", "Database")
|
|
os.Exit(1)
|
|
}
|
|
if err = (&mariadbv1alpha1.Connection{}).SetupWebhookWithManager(mgr); err != nil {
|
|
setupLog.Error(err, "Unable to create webhook", "webhook", "Connection")
|
|
os.Exit(1)
|
|
}
|
|
if err = (&mariadbv1alpha1.SqlJob{}).SetupWebhookWithManager(mgr); err != nil {
|
|
setupLog.Error(err, "Unable to create webhook", "webhook", "SqlJob")
|
|
os.Exit(1)
|
|
}
|
|
|
|
if err := mgr.AddReadyzCheck("certs", func(_ *http.Request) error {
|
|
return checkCerts(dnsName, time.Now())
|
|
}); err != nil {
|
|
setupLog.Error(err, "Unable to add readyz check")
|
|
os.Exit(1)
|
|
}
|
|
|
|
setupLog.Info("Starting manager")
|
|
if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {
|
|
setupLog.Error(err, "Error running manager")
|
|
os.Exit(1)
|
|
}
|
|
},
|
|
}
|
|
|
|
func waitForCerts(dnsName string, at time.Time, timeout time.Duration) error {
|
|
ctx, cancel := context.WithTimeout(context.Background(), timeout)
|
|
defer cancel()
|
|
for {
|
|
setupLog.Info("Validating certs")
|
|
err := checkCerts(dnsName, at)
|
|
if err == nil {
|
|
return nil
|
|
}
|
|
if err != nil {
|
|
setupLog.V(1).Info("Invalid certs. Retrying...", "error", err)
|
|
<-time.After(time.Second * 10)
|
|
}
|
|
if ctx.Err() != nil {
|
|
return ctx.Err()
|
|
}
|
|
}
|
|
}
|
|
|
|
func checkCerts(dnsName string, at time.Time) error {
|
|
caCert, err := readCert(caCertPath)
|
|
if err != nil {
|
|
setupLog.V(1).Info("Error reading CA KeyPair", "error", err)
|
|
return err
|
|
}
|
|
certKeyPair, err := readKeyPair(certDir)
|
|
if err != nil {
|
|
setupLog.V(1).Info("Error reading certificate KeyPair", "error", err)
|
|
return err
|
|
}
|
|
valid, err := pki.ValidCert(caCert, certKeyPair, dnsName, at)
|
|
if !valid || err != nil {
|
|
err := fmt.Errorf("Certificate is not valid for %s", dnsName)
|
|
setupLog.V(1).Info("Error validating certificate", "error", err)
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func readCert(certPath string) (*x509.Certificate, error) {
|
|
if _, err := os.Stat(certPath); err != nil {
|
|
return nil, err
|
|
}
|
|
certBytes, err := os.ReadFile(certPath)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return pki.ParseCert(certBytes)
|
|
}
|
|
|
|
func readKeyPair(dir string) (*pki.KeyPair, error) {
|
|
certFile := filepath.Join(dir, tlsCert)
|
|
if _, err := os.Stat(certFile); err != nil {
|
|
return nil, err
|
|
}
|
|
keyFile := filepath.Join(dir, tlsKey)
|
|
if _, err := os.Stat(certFile); err != nil {
|
|
return nil, err
|
|
}
|
|
certBytes, err := os.ReadFile(certFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
keyBytes, err := os.ReadFile(keyFile)
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
return pki.KeyPairFromPEM(certBytes, keyBytes)
|
|
}
|