From c94d78b9c597eba8337d105ba742726db0674c6d Mon Sep 17 00:00:00 2001
From: Evan Cordell
Date: Tue, 21 Nov 2023 10:04:25 -0500
Subject: [PATCH] allow configuring the filepath for the ca from the secret the cert may be mounted at tls.crt or ca.crt depending on how the secret is generated
---
 e2e/cluster_test.go | 2 +
 pkg/config/config.go | 5 +-
 pkg/config/config_test.go | 455 ++++++++++++++++++++------------------
 3 files changed, 244 insertions(+), 218 deletions(-)
diff --git a/e2e/cluster_test.go b/e2e/cluster_test.go
index c37eef3a..e050432d 100644
--- a/e2e/cluster_test.go
+++ b/e2e/cluster_test.go
@@ -278,6 +278,7 @@ var _ = Describe("SpiceDBClusters", func() {
 "cmd": spicedbCmd,
 "tlsSecretName": "spicedb-grpc-tls",
 "dispatchUpstreamCASecretName": "spicedb-grpc-tls",
+ "dispatchUpstreamCAFilePath": "ca.crt",
 "serviceAccountName": "spicedb-non-default",
 "extraServiceAccountAnnotations": "authzed.com/e2e=true",
 "datastoreConnpoolReadMinOpen": 1,
@@ -577,6 +578,7 @@ var _ = Describe("SpiceDBClusters", func() {
 "datastoreEngine": "postgres",
 "tlsSecretName": "spicedb-grpc-tls",
 "dispatchUpstreamCASecretName": "spicedb-grpc-tls",
+ "dispatchUpstreamCAFilePath": "ca.crt",
 }
 
 cluster.Spec.Version = "v1.13.0"
diff --git a/pkg/config/config.go b/pkg/config/config.go
index fcfece03..5baa0f72 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -60,6 +60,7 @@ var (
 projectAnnotations = newBoolOrStringKey("projectAnnotations", true)
 tlsSecretNameKey = newStringKey("tlsSecretName")
 dispatchCAKey = newStringKey("dispatchUpstreamCASecretName")
+ dispatchCAFilePathKey = newKey("dispatchUpstreamCAFilePath", "tls.crt")
 dispatchEnabledKey = newBoolOrStringKey("dispatchEnabled", true)
 telemetryCAKey = newStringKey("telemetryCASecretName")
 envPrefixKey = newKey("envPrefix", "SPICEDB")
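Review bot: The new key `dispatchUpstreamCAFilePath` is stored in a struct field named `DispatchUpstreamCASecretPath` (the `SpiceConfig` hunk at -149 and the `NewConfig` hunk at -182), so one value goes by two names and neither says what it actually is: a file name inside the mounted secret, not a path. Consider naming the field `DispatchUpstreamCAFilePath` to match the user-facing key, or at least documenting it in the struct hunk: `// DispatchUpstreamCASecretPath is the key (file name) within the dispatch CA secret, e.g. tls.crt or ca.crt; it is resolved under /dispatch-tls.` The `var (` block this key is declared in begins outside the hunk.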
@@ -149,6 +150,7 @@ type SpiceConfig struct {
 TLSSecretName string
 DispatchEnabled bool
 DispatchUpstreamCASecretName string
+ DispatchUpstreamCASecretPath string
 TelemetryTLSCASecretName string
 SecretName string
 ExtraPodLabels map[string]string
@@ -182,6 +184,7 @@ func NewConfig(cluster *v1alpha1.SpiceDBCluster, globalConfig *OperatorConfig, s
 TLSSecretName: tlsSecretNameKey.pop(config),
 ServiceAccountName: serviceAccountNameKey.pop(config),
 DispatchUpstreamCASecretName: dispatchCAKey.pop(config),
+ DispatchUpstreamCASecretPath: dispatchCAFilePathKey.pop(config),
 TelemetryTLSCASecretName: telemetryCAKey.pop(config),
 EnvPrefix: envPrefixKey.pop(config),
 SpiceDBCmd: spiceDBCmdKey.pop(config),
@@ -347,7 +350,7 @@ func NewConfig(cluster *v1alpha1.SpiceDBCluster, globalConfig *OperatorConfig, s
 }
 
 if len(spiceConfig.DispatchUpstreamCASecretName) > 0 && spiceConfig.DispatchEnabled {
- passthroughConfig["dispatchUpstreamCAPath"] = "/dispatch-tls/tls.crt"
+ passthroughConfig["dispatchUpstreamCAPath"] = "/dispatch-tls/" + spiceConfig.DispatchUpstreamCASecretPath
 }
 
 if len(spiceConfig.TelemetryTLSCASecretName) > 0 {
diff --git a/pkg/config/config_test.go b/pkg/config/config_test.go
index 29d2cab2..60f71c68 100644
--- a/pkg/config/config_test.go
+++ b/pkg/config/config_test.go
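Review bot: The value concatenated in `"/dispatch-tls/" + spiceConfig.DispatchUpstreamCASecretPath` comes straight from the cluster spec and is never checked, so a value containing a path separator or `..` would point SpiceDB's `dispatchUpstreamCAPath` at a file outside the mounted secret, and an explicitly empty value would yield the directory `/dispatch-tls/` (whether `pop` substitutes the default for an empty string is not visible here). Before the assignment, reject anything that is not a plain file name, e.g. `if p := spiceConfig.DispatchUpstreamCASecretPath; p == "" || p == "." || p == ".." || strings.ContainsAny(p, "/\\") { … }`, and report it the way `NewConfig` reports its other configuration errors. `NewConfig` starts and ends outside the hunk, so the error mechanism and whether `strings` is already imported cannot be confirmed from here.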
@@ -131,19 +131,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "info",
- SkipMigrations: false,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 2,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "info",
+ SkipMigrations: false,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 2,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -211,19 +212,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "info",
- SkipMigrations: false,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 2,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "info",
+ SkipMigrations: false,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 2,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
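Review bot: Every updated expectation in this file sets `DispatchUpstreamCASecretPath: "tls.crt"`, which is the key's default, so nothing visible in `TestNewConfig` exercises a non-default `dispatchUpstreamCAFilePath` or the `dispatchUpstreamCAPath` passthrough value that `NewConfig` now derives from it; the same holds for the remaining hunks in config_test.go. A case that sets `"dispatchUpstreamCAFilePath": "ca.crt"` together with `dispatchUpstreamCASecretName` and expects `"dispatchUpstreamCAPath": "/dispatch-tls/ca.crt"` in `Passthrough` would cover the change. The test cases' input maps and the rest of each `Passthrough` map are outside these hunks, so such a case may exist unseen.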
@@ -289,19 +291,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "info",
- SkipMigrations: false,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 1,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: false,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "info",
+ SkipMigrations: false,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 1,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: false,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "memory",
 "dispatchClusterEnabled": "false",
@@ -348,19 +351,20 @@ func TestNewConfig(t *testing.T) {
 TargetMigration: "head",
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "info",
- SkipMigrations: false,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 2,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "info",
+ SkipMigrations: false,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 2,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -409,19 +413,20 @@ func TestNewConfig(t *testing.T) {
 TargetMigration: "head",
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "info",
- SkipMigrations: false,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 2,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "info",
+ SkipMigrations: false,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 2,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -489,19 +494,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "info",
- SkipMigrations: false,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 3,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "info",
+ SkipMigrations: false,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 3,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -569,19 +575,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "info",
- SkipMigrations: false,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 3,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "info",
+ SkipMigrations: false,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 3,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -662,10 +669,11 @@ func TestNewConfig(t *testing.T) {
 "test": "label",
 "other": "label",
 },
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -749,10 +757,11 @@ func TestNewConfig(t *testing.T) {
 "test": "label",
 "other": "label",
 },
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -822,19 +831,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "info",
- SkipMigrations: true,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 2,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "info",
+ SkipMigrations: true,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 2,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -904,19 +914,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "info",
- SkipMigrations: true,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 2,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "info",
+ SkipMigrations: true,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 2,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -997,10 +1008,11 @@ func TestNewConfig(t *testing.T) {
 "app.kubernetes.io/name": "test",
 "app.kubernetes.io/managed-by": "test-owner",
 },
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -1084,10 +1096,11 @@ func TestNewConfig(t *testing.T) {
 "app.kubernetes.io/name": "test",
 "app.kubernetes.io/managed-by": "test-owner",
 },
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -1169,9 +1182,10 @@ func TestNewConfig(t *testing.T) {
 ExtraServiceAccountAnnotations: map[string]string{
 "iam.gke.io/gcp-service-account": "authzed-operator@account-12345.iam.gserviceaccount.com",
 },
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -1255,9 +1269,10 @@ func TestNewConfig(t *testing.T) {
 ExtraServiceAccountAnnotations: map[string]string{
 "iam.gke.io/gcp-service-account": "authzed-operator@account-12345.iam.gserviceaccount.com",
 },
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -1329,19 +1344,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "debug",
- SkipMigrations: true,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 2,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "debug",
+ SkipMigrations: true,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 2,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "true",
@@ -1412,19 +1428,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "debug",
- SkipMigrations: false,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 2,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: false,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "debug",
+ SkipMigrations: false,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 2,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: false,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "dispatchClusterEnabled": "false",
@@ -1496,19 +1513,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "debug",
- SkipMigrations: false,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 2,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "debug",
+ SkipMigrations: false,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 2,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "datastoreMigrationPhase": "phase1",
@@ -1587,19 +1605,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "debug",
- SkipMigrations: false,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 2,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "debug",
+ SkipMigrations: false,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 2,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "datastoreMigrationPhase": "phase1",
@@ -1682,19 +1701,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "debug",
- SkipMigrations: false,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 2,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "debug",
+ SkipMigrations: false,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 2,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "cockroachdb",
 "datastoreMigrationPhase": "phase1",
@@ -1765,19 +1785,20 @@ func TestNewConfig(t *testing.T) {
 },
 },
 SpiceConfig: SpiceConfig{
- LogLevel: "info",
- SkipMigrations: false,
- Name: "test",
- Namespace: "test",
- UID: "1",
- Replicas: 2,
- PresharedKey: "psk",
- EnvPrefix: "SPICEDB",
- SpiceDBCmd: "spicedb",
- ServiceAccountName: "test",
- DispatchEnabled: true,
- ProjectLabels: true,
- ProjectAnnotations: true,
+ LogLevel: "info",
+ SkipMigrations: false,
+ Name: "test",
+ Namespace: "test",
+ UID: "1",
+ Replicas: 2,
+ PresharedKey: "psk",
+ EnvPrefix: "SPICEDB",
+ SpiceDBCmd: "spicedb",
+ ServiceAccountName: "test",
+ DispatchEnabled: true,
+ DispatchUpstreamCASecretPath: "tls.crt",
+ ProjectLabels: true,
+ ProjectAnnotations: true,
 Passthrough: map[string]string{
 "datastoreEngine": "spanner",
 "dispatchClusterEnabled": "true",