ca support

Signed-off-by: Achref Ben Saad <[email protected]>

deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml

@@ -51,6 +51,12 @@ spec:
                         type: string
                       auth:
                         properties:
+                          allowInsecureTLS:
+                            type: boolean
+                          caCertKey:
+                            type: string
+                          caCertSecretName:
+                            type: string
                           passwordKey:
                             type: string
                           secretName:

deployments/operator/operator.yaml

@@ -50,6 +50,12 @@ spec:
                         type: string
                       auth:
                         properties:
+                          allowInsecureTLS:
+                            type: boolean
+                          caCertKey:
+                            type: string
+                          caCertSecretName:
+                            type: string
                           passwordKey:
                             type: string
                           secretName:

pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go

@@ -40,9 +40,12 @@ type RecommendedPolicies struct {
 }
 
 type ElasticSearchAuth struct {
-	SecretName  string `json:"secretName,omitempty"`
-	UserNameKey string `json:"usernameKey,omitempty"`
-	PasswordKey string `json:"passwordKey,omitempty"`
+	SecretName       string `json:"secretName,omitempty"`
+	UserNameKey      string `json:"usernameKey,omitempty"`
+	PasswordKey      string `json:"passwordKey,omitempty"`
+	AllowTlsInsecure bool   `json:"allowInsecureTLS,omitempty"`
+	CAcertSecretName string `json:"caCertSecretName,omitempty"`
+	CaCertKey        string `json:"caCertKey,omitempty"`
 }
 
 type ElasticSearchAdapter struct {

pkg/KubeArmorOperator/common/defaults.go

@@ -146,12 +146,17 @@ var (
 			Url:             "",
 			AlertsIndexName: "kubearmor-alerts",
 			Auth: opv1.ElasticSearchAuth{
-				SecretName:  "elastic-secret",
-				UserNameKey: "username",
-				PasswordKey: "password",
+				SecretName:       "elastic-secret",
+				UserNameKey:      "username",
+				PasswordKey:      "password",
+				AllowTlsInsecure: false,
+				CAcertSecretName: "",
+				CaCertKey:        "ca.crt",
 			},
 		},
 	}
+
+	ElasticSearchAdapterCaCertPath = "/cert"
 )
 var Pointer2True bool = true
 

pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml

@@ -51,6 +51,12 @@ spec:
                         type: string
                       auth:
                         properties:
+                          allowInsecureTLS:
+                            type: boolean
+                          caCertKey:
+                            type: string
+                          caCertSecretName:
+                            type: string
                           passwordKey:
                             type: string
                           secretName:

pkg/KubeArmorOperator/internal/controller/cluster.go

@@ -509,6 +509,50 @@ func (clusterWatcher *ClusterWatcher) UpdateKubearmorRelayEnv(cfg *opv1.KubeArmo
 				},
 			},
 		}
+
+		ElasticSearchAdapterCaVolume := []corev1.Volume{
+			{
+				Name: "elastic-ca",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: common.Adapter.ElasticSearch.Auth.CAcertSecretName,
+						Items: []corev1.KeyToPath{
+							{
+								Key:  common.Adapter.ElasticSearch.Auth.CaCertKey,
+								Path: common.ElasticSearchAdapterCaCertPath,
+							},
+						},
+					},
+				},
+			},
+		}
+
+		ElasticSearchAdapterCaVolumeMount := []corev1.VolumeMount{
+			{
+				Name:      "elastic-ca",
+				MountPath: common.ElasticSearchAdapterCaCertPath,
+			},
+		}
+		if common.Adapter.ElasticSearch.Auth.CAcertSecretName != "" {
+			relay.Spec.Template.Spec.Containers[0].Env = append(relay.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+				Name:  "ES_CA_CERT_PATH",
+				Value: common.ElasticSearchAdapterCaCertPath + "/" + common.Adapter.ElasticSearch.Auth.CaCertKey,
+			})
+
+			common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relay.Spec.Template.Spec.Volumes, common.AddAction)
+			common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relay.Spec.Template.Spec.Containers[0].VolumeMounts, common.AddAction)
+		} else {
+			common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relay.Spec.Template.Spec.Volumes, common.DeleteAction)
+			common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relay.Spec.Template.Spec.Containers[0].VolumeMounts, common.DeleteAction)
+		}
+
+		if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure {
+			relay.Spec.Template.Spec.Containers[0].Env = append(relay.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+				Name:  "ES_ALLOW_INSECURE_TLS",
+				Value: "true",
+			})
+		}
+
 		_, err = clusterWatcher.Client.AppsV1().Deployments(common.Namespace).Update(context.Background(), relay, v1.UpdateOptions{})
 		if err != nil {
 			clusterWatcher.Log.Warnf("Cannot update deployment=%s error=%s", deployments.RelayDeploymentName, err.Error())
@@ -998,6 +1042,10 @@ func UpdatedKubearmorRelayEnv(config *opv1.KubeArmorConfigSpec) bool {
 			updated = true
 			common.Adapter.ElasticSearch.Enabled = config.Adapters.ElasticSearch.Enabled
 		}
+		if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure != config.Adapters.ElasticSearch.Auth.AllowTlsInsecure {
+			updated = true
+			common.Adapter.ElasticSearch.Auth.AllowTlsInsecure = config.Adapters.ElasticSearch.Auth.AllowTlsInsecure
+		}
 		if common.Adapter.ElasticSearch.AlertsIndexName != config.Adapters.ElasticSearch.AlertsIndexName {
 			updated = true
 			common.Adapter.ElasticSearch.AlertsIndexName = config.Adapters.ElasticSearch.AlertsIndexName
@@ -1006,18 +1054,22 @@ func UpdatedKubearmorRelayEnv(config *opv1.KubeArmorConfigSpec) bool {
 			updated = true
 			common.Adapter.ElasticSearch.Url = config.Adapters.ElasticSearch.Url
 		}
-		if common.Adapter.ElasticSearch.Auth.SecretName != config.Adapters.ElasticSearch.Auth.SecretName {
+		if config.Adapters.ElasticSearch.Auth.SecretName != "" && common.Adapter.ElasticSearch.Auth.SecretName != config.Adapters.ElasticSearch.Auth.SecretName {
 			updated = true
 			common.Adapter.ElasticSearch.Auth.SecretName = config.Adapters.ElasticSearch.Auth.SecretName
 		}
-		if common.Adapter.ElasticSearch.Auth.UserNameKey != config.Adapters.ElasticSearch.Auth.UserNameKey {
+		if config.Adapters.ElasticSearch.Auth.UserNameKey != "" && common.Adapter.ElasticSearch.Auth.UserNameKey != config.Adapters.ElasticSearch.Auth.UserNameKey {
 			updated = true
 			common.Adapter.ElasticSearch.Auth.UserNameKey = config.Adapters.ElasticSearch.Auth.UserNameKey
 		}
-		if common.Adapter.ElasticSearch.Auth.PasswordKey != config.Adapters.ElasticSearch.Auth.PasswordKey {
+		if config.Adapters.ElasticSearch.Auth.PasswordKey != "" && common.Adapter.ElasticSearch.Auth.PasswordKey != config.Adapters.ElasticSearch.Auth.PasswordKey {
 			updated = true
 			common.Adapter.ElasticSearch.Auth.PasswordKey = config.Adapters.ElasticSearch.Auth.PasswordKey
 		}
+		if config.Adapters.ElasticSearch.Auth.CAcertSecretName != "" && common.Adapter.ElasticSearch.Auth.CAcertSecretName != config.Adapters.ElasticSearch.Auth.CAcertSecretName {
+			updated = true
+			common.Adapter.ElasticSearch.Auth.CAcertSecretName = config.Adapters.ElasticSearch.Auth.CAcertSecretName
+		}
 	}
 	return updated
 }

pkg/KubeArmorOperator/internal/controller/resources.go

@@ -586,6 +586,49 @@ func (clusterWatcher *ClusterWatcher) WatchRequiredResources() {
 		},
 	}
 
+	ElasticSearchAdapterCaVolume := []corev1.Volume{
+		{
+			Name: "elastic-ca",
+			VolumeSource: corev1.VolumeSource{
+				Secret: &corev1.SecretVolumeSource{
+					SecretName: common.Adapter.ElasticSearch.Auth.CAcertSecretName,
+					Items: []corev1.KeyToPath{
+						{
+							Key:  common.Adapter.ElasticSearch.Auth.CaCertKey,
+							Path: common.ElasticSearchAdapterCaCertPath,
+						},
+					},
+				},
+			},
+		},
+	}
+
+	ElasticSearchAdapterCaVolumeMount := []corev1.VolumeMount{
+		{
+			Name:      "elastic-ca",
+			MountPath: common.ElasticSearchAdapterCaCertPath,
+		},
+	}
+
+	if common.Adapter.ElasticSearch.Auth.CAcertSecretName != "" {
+		relayServer.Spec.Template.Spec.Containers[0].Env = append(relayServer.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+			Name:  "ES_CA_CERT_PATH",
+			Value: common.ElasticSearchAdapterCaCertPath + "/" + common.Adapter.ElasticSearch.Auth.CaCertKey,
+		})
+
+		common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relayServer.Spec.Template.Spec.Volumes, common.AddAction)
+		common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relayServer.Spec.Template.Spec.Containers[0].VolumeMounts, common.AddAction)
+	} else {
+		common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relayServer.Spec.Template.Spec.Volumes, common.DeleteAction)
+		common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relayServer.Spec.Template.Spec.Containers[0].VolumeMounts, common.DeleteAction)
+	}
+
+	if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure {
+		relayServer.Spec.Template.Spec.Containers[0].Env = append(relayServer.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{
+			Name:  "ES_ALLOW_INSECURE_TLS",
+			Value: "true",
+		})
+	}
 	if common.EnableTls {
 		relayServer.Spec.Template.Spec.Containers[0].VolumeMounts =
 			append(relayServer.Spec.Template.Spec.Containers[0].VolumeMounts, common.KubeArmorRelayTlsVolumeMount...)