mirrors/object-browser
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enable user provided certificates for Console (#239)

Browse Source 
Co-authored-by: Daniel Valdivia <hola@danielvaldivia.com>
This commit is contained in:
Lenin Alevski
2020-08-09 14:47:06 -07:00
committed by GitHub
parent bdfa6dc9bf
commit a6ccae52d2
7 changed files with 247 additions and 289 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
models/create_tenant_request.go
View File

@@ -45,8 +45,8 @@ type CreateTenantRequest struct {
// enable console
EnableConsole *bool `json:"enable_console,omitempty"`
// enable ssl
EnableSsl *bool `json:"enable_ssl,omitempty"`
// enable tls
EnableTLS *bool `json:"enable_tls,omitempty"`
// encryption
Encryption *EncryptionConfiguration `json:"encryption,omitempty"`

141
models/encryption_configuration.go
View File

@@ -26,7 +26,6 @@ import (
"github.com/go-openapi/errors"
"github.com/go-openapi/strfmt"
"github.com/go-openapi/swag"
"github.com/go-openapi/validate"
)
// EncryptionConfiguration encryption configuration
@@ -38,7 +37,7 @@ type EncryptionConfiguration struct {
Aws *AwsConfiguration `json:"aws,omitempty"`
// client
Client *EncryptionConfigurationClient `json:"client,omitempty"`
Client *KeyPairConfiguration `json:"client,omitempty"`
// gemalto
Gemalto *GemaltoConfiguration `json:"gemalto,omitempty"`
@@ -47,7 +46,7 @@ type EncryptionConfiguration struct {
Image string `json:"image,omitempty"`
// server
Server *EncryptionConfigurationServer `json:"server,omitempty"`
Server *KeyPairConfiguration `json:"server,omitempty"`
// vault
Vault *VaultConfiguration `json:"vault,omitempty"`
@@ -190,139 +189,3 @@ func (m *EncryptionConfiguration) UnmarshalBinary(b []byte) error {
*m = res
return nil
}
// EncryptionConfigurationClient encryption configuration client
//
// swagger:model EncryptionConfigurationClient
type EncryptionConfigurationClient struct {
// crt
// Required: true
Crt *string `json:"crt"`
// key
// Required: true
Key *string `json:"key"`
}
// Validate validates this encryption configuration client
func (m *EncryptionConfigurationClient) Validate(formats strfmt.Registry) error {
var res []error
if err := m.validateCrt(formats); err != nil {
res = append(res, err)
}
if err := m.validateKey(formats); err != nil {
res = append(res, err)
}
if len(res) > 0 {
return errors.CompositeValidationError(res...)
}
return nil
}
func (m *EncryptionConfigurationClient) validateCrt(formats strfmt.Registry) error {
if err := validate.Required("client"+"."+"crt", "body", m.Crt); err != nil {
return err
}
return nil
}
func (m *EncryptionConfigurationClient) validateKey(formats strfmt.Registry) error {
if err := validate.Required("client"+"."+"key", "body", m.Key); err != nil {
return err
}
return nil
}
// MarshalBinary interface implementation
func (m *EncryptionConfigurationClient) MarshalBinary() ([]byte, error) {
if m == nil {
return nil, nil
}
return swag.WriteJSON(m)
}
// UnmarshalBinary interface implementation
func (m *EncryptionConfigurationClient) UnmarshalBinary(b []byte) error {
var res EncryptionConfigurationClient
if err := swag.ReadJSON(b, &res); err != nil {
return err
}
*m = res
return nil
}
// EncryptionConfigurationServer encryption configuration server
//
// swagger:model EncryptionConfigurationServer
type EncryptionConfigurationServer struct {
// crt
// Required: true
Crt *string `json:"crt"`
// key
// Required: true
Key *string `json:"key"`
}
// Validate validates this encryption configuration server
func (m *EncryptionConfigurationServer) Validate(formats strfmt.Registry) error {
var res []error
if err := m.validateCrt(formats); err != nil {
res = append(res, err)
}
if err := m.validateKey(formats); err != nil {
res = append(res, err)
}
if len(res) > 0 {
return errors.CompositeValidationError(res...)
}
return nil
}
func (m *EncryptionConfigurationServer) validateCrt(formats strfmt.Registry) error {
if err := validate.Required("server"+"."+"crt", "body", m.Crt); err != nil {
return err
}
return nil
}
func (m *EncryptionConfigurationServer) validateKey(formats strfmt.Registry) error {
if err := validate.Required("server"+"."+"key", "body", m.Key); err != nil {
return err
}
return nil
}
// MarshalBinary interface implementation
func (m *EncryptionConfigurationServer) MarshalBinary() ([]byte, error) {
if m == nil {
return nil, nil
}
return swag.WriteJSON(m)
}
// UnmarshalBinary interface implementation
func (m *EncryptionConfigurationServer) UnmarshalBinary(b []byte) error {
var res EncryptionConfigurationServer
if err := swag.ReadJSON(b, &res); err != nil {
return err
}
*m = res
return nil
}

98
models/key_pair_configuration.go Normal file
View File

@@ -0,0 +1,98 @@
// Code generated by go-swagger; DO NOT EDIT.
// This file is part of MinIO Console Server
// Copyright (c) 2020 MinIO, Inc.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <http://www.gnu.org/licenses/>.
//
package models
// This file was generated by the swagger tool.
// Editing this file might prove futile when you re-run the swagger generate command
import (
"github.com/go-openapi/errors"
"github.com/go-openapi/strfmt"
"github.com/go-openapi/swag"
"github.com/go-openapi/validate"
)
// KeyPairConfiguration key pair configuration
//
// swagger:model keyPairConfiguration
type KeyPairConfiguration struct {
// crt
// Required: true
Crt *string `json:"crt"`
// key
// Required: true
Key *string `json:"key"`
}
// Validate validates this key pair configuration
func (m *KeyPairConfiguration) Validate(formats strfmt.Registry) error {
var res []error
if err := m.validateCrt(formats); err != nil {
res = append(res, err)
}
if err := m.validateKey(formats); err != nil {
res = append(res, err)
}
if len(res) > 0 {
return errors.CompositeValidationError(res...)
}
return nil
}
func (m *KeyPairConfiguration) validateCrt(formats strfmt.Registry) error {
if err := validate.Required("crt", "body", m.Crt); err != nil {
return err
}
return nil
}
func (m *KeyPairConfiguration) validateKey(formats strfmt.Registry) error {
if err := validate.Required("key", "body", m.Key); err != nil {
return err
}
return nil
}
// MarshalBinary interface implementation
func (m *KeyPairConfiguration) MarshalBinary() ([]byte, error) {
if m == nil {
return nil, nil
}
return swag.WriteJSON(m)
}
// UnmarshalBinary interface implementation
func (m *KeyPairConfiguration) UnmarshalBinary(b []byte) error {
var res KeyPairConfiguration
if err := swag.ReadJSON(b, &res); err != nil {
return err
}
*m = res
return nil
}

45
models/tls_configuration.go
View File

@@ -26,7 +26,6 @@ import (
"github.com/go-openapi/errors"
"github.com/go-openapi/strfmt"
"github.com/go-openapi/swag"
"github.com/go-openapi/validate"
)
// TLSConfiguration tls configuration
@@ -34,24 +33,22 @@ import (
// swagger:model tlsConfiguration
type TLSConfiguration struct {
// crt
// Required: true
Crt *string `json:"crt"`
// console
Console *KeyPairConfiguration `json:"console,omitempty"`
// key
// Required: true
Key *string `json:"key"`
// minio
Minio *KeyPairConfiguration `json:"minio,omitempty"`
}
// Validate validates this tls configuration
func (m *TLSConfiguration) Validate(formats strfmt.Registry) error {
var res []error
if err := m.validateCrt(formats); err != nil {
if err := m.validateConsole(formats); err != nil {
res = append(res, err)
}
if err := m.validateKey(formats); err != nil {
if err := m.validateMinio(formats); err != nil {
res = append(res, err)
}
@@ -61,19 +58,37 @@ func (m *TLSConfiguration) Validate(formats strfmt.Registry) error {
return nil
}
func (m *TLSConfiguration) validateCrt(formats strfmt.Registry) error {
func (m *TLSConfiguration) validateConsole(formats strfmt.Registry) error {
if err := validate.Required("crt", "body", m.Crt); err != nil {
return err
if swag.IsZero(m.Console) { // not required
return nil
}
if m.Console != nil {
if err := m.Console.Validate(formats); err != nil {
if ve, ok := err.(*errors.Validation); ok {
return ve.ValidateName("console")
}
return err
}
}
return nil
}
func (m *TLSConfiguration) validateKey(formats strfmt.Registry) error {
func (m *TLSConfiguration) validateMinio(formats strfmt.Registry) error {
if err := validate.Required("key", "body", m.Key); err != nil {
return err
if swag.IsZero(m.Minio) { // not required
return nil
}
if m.Minio != nil {
if err := m.Minio.Validate(formats); err != nil {
if ve, ok := err.(*errors.Validation); ok {
return ve.ValidateName("minio")
}
return err
}
}
return nil

72
restapi/admin_tenants.go
View File

@@ -466,26 +466,26 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
}
}
// operator request AutoCert feature
encryption := false
if tenantReq.EnableSsl != nil {
encryption = true
minInst.Spec.RequestAutoCert = *tenantReq.EnableSsl
isEncryptionAvailable := false
if *tenantReq.EnableTLS {
// If user request autoCert, Operator will generate certificate keypair for MinIO (server), Console (server) and KES (server and app mTLS)
isEncryptionAvailable = true
minInst.Spec.RequestAutoCert = *tenantReq.EnableTLS
}
// User provided TLS certificates (this will take priority over autoCert)
if tenantReq.TLS != nil && tenantReq.TLS.Crt != nil && tenantReq.TLS.Key != nil {
encryption = true
if !minInst.Spec.RequestAutoCert && tenantReq.TLS != nil && tenantReq.TLS.Minio != nil {
// User provided TLS certificates for MinIO
isEncryptionAvailable = true
externalTLSCertificateSecretName := fmt.Sprintf("%s-instance-external-certificates", secretName)
// disable autoCert
minInst.Spec.RequestAutoCert = false
tlsCrt, err := base64.StdEncoding.DecodeString(*tenantReq.TLS.Crt)
tlsCrt, err := base64.StdEncoding.DecodeString(*tenantReq.TLS.Minio.Crt)
if err != nil {
return nil, err
}
tlsKey, err := base64.StdEncoding.DecodeString(*tenantReq.TLS.Key)
tlsKey, err := base64.StdEncoding.DecodeString(*tenantReq.TLS.Minio.Key)
if err != nil {
return nil, err
}
@@ -512,16 +512,18 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
}
}
if tenantReq.Encryption != nil && encryption {
if tenantReq.Encryption != nil && isEncryptionAvailable {
// Enable auto encryption
minInst.Spec.Env = append(minInst.Spec.Env, corev1.EnvVar{
Name: "MINIO_KMS_AUTO_ENCRYPTION",
Value: "on",
})
// KES client mTLSCertificates used by MinIO instance
minInst.Spec.ExternalClientCertSecret, err = getTenantExternalClientCertificates(ctx, clientset, ns, tenantReq.Encryption, secretName)
if err != nil {
return nil, err
// KES client mTLSCertificates used by MinIO instance, only if autoCert is not enabled
if !minInst.Spec.RequestAutoCert {
minInst.Spec.ExternalClientCertSecret, err = getTenantExternalClientCertificates(ctx, clientset, ns, tenantReq.Encryption, secretName)
if err != nil {
return nil, err
}
}
// KES configuration for Tenant instance
minInst.Spec.KES, err = getKESConfiguration(ctx, clientset, ns, tenantReq.Encryption, secretName, minInst.Spec.RequestAutoCert)
@@ -534,10 +536,8 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
var consoleAccess string
var consoleSecret string
enableConsole := true
if tenantReq.EnableConsole != nil {
enableConsole = *tenantReq.EnableConsole
}
//enableConsole := true
enableConsole := *tenantReq.EnableConsole
if enableConsole {
consoleSelector := fmt.Sprintf("%s-console", *tenantReq.Name)
@@ -596,6 +596,39 @@ func getTenantCreatedResponse(session *models.Principal, params admin_api.Create
},
},
}
if !minInst.Spec.RequestAutoCert && tenantReq.TLS.Console != nil {
consoleExternalTLSCertificateSecretName := fmt.Sprintf("%s-console-external-certificates", secretName)
tlsCrt, err := base64.StdEncoding.DecodeString(*tenantReq.TLS.Console.Crt)
if err != nil {
return nil, err
}
tlsKey, err := base64.StdEncoding.DecodeString(*tenantReq.TLS.Console.Key)
if err != nil {
return nil, err
}
consoleExternalTLSCertificateSecret := corev1.Secret{
ObjectMeta: metav1.ObjectMeta{
Name: consoleExternalTLSCertificateSecretName,
},
Type: corev1.SecretTypeTLS,
Immutable: &imm,
Data: map[string][]byte{
"tls.crt": tlsCrt,
"tls.key": tlsKey,
},
}
_, err = clientset.CoreV1().Secrets(ns).Create(ctx, &consoleExternalTLSCertificateSecret, metav1.CreateOptions{})
if err != nil {
return nil, err
}
// Certificates used by the minio instance
minInst.Spec.Console.ExternalCertSecret = &operator.LocalCertificateReference{
Name: consoleExternalTLSCertificateSecretName,
Type: "kubernetes.io/tls",
}
}
}
// set the service name if provided
@@ -1501,6 +1534,7 @@ func getKESConfiguration(ctx context.Context, clientSet *kubernetes.Clientset, n
// Vault mTLS kesConfiguration
if encryptionCfg.Vault.TLS != nil {
vaultTLSConfig := encryptionCfg.Vault.TLS
kesConfig.Keys.Vault.TLS = &kes.VaultTLS{}
if vaultTLSConfig.Crt != "" {
clientCrt, err := base64.StdEncoding.DecodeString(vaultTLSConfig.Crt)
if err != nil {

144
restapi/embedded_spec.go
View File

@@ -2028,7 +2028,7 @@ func init() {
"type": "boolean",
"default": true
},
"enable_ssl": {
"enable_tls": {
"type": "boolean",
"default": true
},
@@ -2108,18 +2108,7 @@ func init() {
},
"client": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
"$ref": "#/definitions/keyPairConfiguration"
},
"gemalto": {
"type": "object",
@@ -2130,18 +2119,7 @@ func init() {
},
"server": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
"$ref": "#/definitions/keyPairConfiguration"
},
"vault": {
"type": "object",
@@ -2311,6 +2289,21 @@ func init() {
}
}
},
"keyPairConfiguration": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"listBucketEventsResponse": {
"type": "object",
"properties": {
@@ -3034,16 +3027,14 @@ func init() {
},
"tlsConfiguration": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
"console": {
"type": "object",
"$ref": "#/definitions/keyPairConfiguration"
},
"key": {
"type": "string"
"minio": {
"type": "object",
"$ref": "#/definitions/keyPairConfiguration"
}
}
},
@@ -5258,36 +5249,6 @@ func init() {
}
}
},
"EncryptionConfigurationClient": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"EncryptionConfigurationServer": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"GemaltoConfigurationKeysecure": {
"type": "object",
"required": [
@@ -5981,7 +5942,7 @@ func init() {
"type": "boolean",
"default": true
},
"enable_ssl": {
"enable_tls": {
"type": "boolean",
"default": true
},
@@ -6061,18 +6022,7 @@ func init() {
},
"client": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
"$ref": "#/definitions/keyPairConfiguration"
},
"gemalto": {
"type": "object",
@@ -6083,18 +6033,7 @@ func init() {
},
"server": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
"$ref": "#/definitions/keyPairConfiguration"
},
"vault": {
"type": "object",
@@ -6264,6 +6203,21 @@ func init() {
}
}
},
"keyPairConfiguration": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
},
"key": {
"type": "string"
}
}
},
"listBucketEventsResponse": {
"type": "object",
"properties": {
@@ -6921,16 +6875,14 @@ func init() {
},
"tlsConfiguration": {
"type": "object",
"required": [
"crt",
"key"
],
"properties": {
"crt": {
"type": "string"
"console": {
"type": "object",
"$ref": "#/definitions/keyPairConfiguration"
},
"key": {
"type": "string"
"minio": {
"type": "object",
"$ref": "#/definitions/keyPairConfiguration"
}
}
},

32
swagger.yml
View File

@@ -1822,7 +1822,7 @@ definitions:
enable_console:
type: boolean
default: true
enable_ssl:
enable_tls:
type: boolean
default: true
namespace:
@@ -1845,7 +1845,7 @@ definitions:
type: object
$ref: "#/definitions/encryptionConfiguration"
tlsConfiguration:
keyPairConfiguration:
type: object
required:
- crt
@@ -1856,6 +1856,16 @@ definitions:
key:
type: string
tlsConfiguration:
type: object
properties:
minio:
type: object
$ref: "#/definitions/keyPairConfiguration"
console:
type: object
$ref: "#/definitions/keyPairConfiguration"
idpConfiguration:
type: object
properties:
@@ -1903,24 +1913,10 @@ definitions:
type: string
server:
type: object
required:
- crt
- key
properties:
crt:
type: string
key:
type: string
$ref: "#/definitions/keyPairConfiguration"
client:
type: object
required:
- crt
- key
properties:
crt:
type: string
key:
type: string
$ref: "#/definitions/keyPairConfiguration"
gemalto:
type: object
$ref: "#/definitions/gemaltoConfiguration"