Loading...

Type: Task
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: None
Component/s: 3scale Operator
Labels:
- MGDAPI
- discussed

Epic Link:
Customer provided secrets to 3scale
Blocked:
True
Blocked Reason:

Hide

https://issues.redhat.com/browse/THREESCALE-11296

Show
https://issues.redhat.com/browse/THREESCALE-11296
Ready:
False
3Scale PT Tested upstream:
Not Started
3scale PT Docs:
Not Started
3scale PT Product Specs:
Not Started
3scale PT Product Update Ready:
Not Started
3scale PT Released In Saas:
Not Started
3scale PT Verified Product:
Not Started
Target Release:

2.16.0 GA
Git Pull Request:
https://github.com/3scale/3scale-operator/pull/1026
Intelligence Requested:
Market:

Sprint:
RHOAM Sprint 64, RHOAM Sprint 65, RHOAM Sprint 66, RHOAM Sprint 67, RHOAM Sprint 68, RHOAM Sprint 69, RHOAM Sprint 70, RHOAM Sprint 71

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

We need porta and zync to be able to load TLS details to connect to external DBs. In particular, we need:

CA certificate
Client certificate
Client private key

Those can be mounted wherever the operator decides, but the operator should set the next environment variables to inform zync and porta where the files are:

DATABASE_SSL_CA for the CA certificate
DATABASE_SSL_CERT for the client certificate
DATABASE_SSL_KEY for the client key

The client might want to specify a TLS protection level as well:

DATABASE_SSL_MODE. Values: Mysql ref., Postgres ref.

The client should create the next resources

TLS Secret (docs) for the CA certificate
TLS Secret for the client cert and key

Would look like this:

apiVersion: v1
kind: Secret
metadata:
  name: secret-tls
type: kubernetes.io/tls
data:
  # values are base64 encoded, which obscures them but does NOT provide
  # any useful level of confidentiality
  tls.crt: |
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNVakNDQWJzQ0FnMytNQTBHQ1NxR1NJYjNE
    UUVCQlFVQU1JR2JNUXN3Q1FZRFZRUUdFd0pLVURFT01Bd0cKQTFVRUNCTUZWRzlyZVc4eEVEQU9C
    Z05WQkFjVEIwTm9kVzh0YTNVeEVUQVBCZ05WQkFvVENFWnlZVzVyTkVSRQpNUmd3RmdZRFZRUUxF
    dzlYWldKRFpYSjBJRk4xY0hCdmNuUXhHREFXQmdOVkJBTVREMFp5WVc1ck5FUkVJRmRsCllpQkRR
    VEVqTUNFR0NTcUdTSWIzRFFFSkFSWVVjM1Z3Y0c5eWRFQm1jbUZ1YXpSa1pDNWpiMjB3SGhjTk1U
    TXcKTVRFeE1EUTFNVE01V2hjTk1UZ3dNVEV3TURRMU1UTTVXakJMTVFzd0NRWURWUVFHREFKS1VE
    RVBNQTBHQTFVRQpDQXdHWEZSdmEzbHZNUkV3RHdZRFZRUUtEQWhHY21GdWF6UkVSREVZTUJZR0Ex
    VUVBd3dQZDNkM0xtVjRZVzF3CmJHVXVZMjl0TUlHYU1BMEdDU3FHU0liM0RRRUJBUVVBQTRHSUFE
    Q0JoQUo5WThFaUhmeHhNL25PbjJTbkkxWHgKRHdPdEJEVDFKRjBReTliMVlKanV2YjdjaTEwZjVN
    Vm1UQllqMUZTVWZNOU1vejJDVVFZdW4yRFljV29IcFA4ZQpqSG1BUFVrNVd5cDJRN1ArMjh1bklI
    QkphVGZlQ09PekZSUFY2MEdTWWUzNmFScG04L3dVVm16eGFLOGtCOWVaCmhPN3F1TjdtSWQxL2pW
    cTNKODhDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUVVGQUFPQmdRQU1meTQzeE15OHh3QTUKVjF2T2NS
    OEtyNWNaSXdtbFhCUU8xeFEzazlxSGtyNFlUY1JxTVQ5WjVKTm1rWHYxK2VSaGcwTi9WMW5NUTRZ
    RgpnWXcxbnlESnBnOTduZUV4VzQyeXVlMFlHSDYyV1hYUUhyOVNVREgrRlowVnQvRGZsdklVTWRj
    UUFEZjM4aU9zCjlQbG1kb3YrcE0vNCs5a1h5aDhSUEkzZXZ6OS9NQT09Ci0tLS0tRU5EIENFUlRJ
    RklDQVRFLS0tLS0K    
  # In this example, the key data is not a real PEM-encoded private key
  tls.key: |
    RXhhbXBsZSBkYXRhIGZvciB0aGUgVExTIGNydCBmaWVsZA==

Then, we would need some yaml keywords so the user can mount the files easily. This is a suggestion:

apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
  name: apimanager1
spec:
  system:
    dbCaCertRef:
      name: my-secret-with-ca-cert
    dbClientCertRef:
      name: my-secret-with-client-cert
    dbClientTlsMode:verify-ca
  zync:
    dbCaCertRef:
      name: my-secret-with-ca-cert
    dbClientCertRef:
      name: my-secret-with-client-cert
    dbClientTlsMode:verify-ca

This should work for zync and system: