[Pause Progress] Client proxy support tls certs

api/v1/helpers.go

@@ -26,6 +26,7 @@ import (
 
 	vmeta "github.com/vertica/vertica-kubernetes/pkg/meta"
 	"github.com/vertica/vertica-kubernetes/pkg/paths"
+	"github.com/vertica/vertica-kubernetes/pkg/secrets"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/meta"
 	"k8s.io/apimachinery/pkg/api/resource"
@@ -800,6 +801,18 @@ func (v *VerticaDB) IsMonolithicDeploymentEnabled() bool {
 	return !v.IsNMASideCarDeploymentEnabled()
 }
 
+// IsMonolithicDeploymentEnabled returns true if NMA must run in the
+// same container as vertica
+func (v *VerticaDB) IsProxyTLSEnabled() bool {
+	if !vmeta.UseVProxy(v.Annotations) {
+		return false
+	}
+	if v.Spec.Proxy == nil {
+		return false
+	}
+	return v.Spec.Proxy.TLSSecret != "" && secrets.IsK8sSecret(v.Spec.Proxy.TLSSecret)
+}
+
 // IsKSafety0 returns true if k-safety of 0 is set.
 func (v *VerticaDB) IsKSafety0() bool {
 	return vmeta.IsKSafety0(v.Annotations)

api/v1/verticadb_webhook.go

@@ -58,6 +58,7 @@ const (
 	trueString            = "true"
 	VProxyDefaultImage    = "opentext/client-proxy:latest"
 	VProxyDefaultReplicas = 1
+	VProxyCertsMountName  = "vproxy-certs"
 )
 
 // hdfsPrefixes are prefixes for an HDFS path.

pkg/builder/builder.go

@@ -211,6 +211,18 @@ func buildNMAVolumeMounts(vdb *vapi.VerticaDB) []corev1.VolumeMount {
 	return volMnts
 }
 
+// buildVProxyVolumeMounts returns the volume mounts to include
+// in the server container
+func buildVProxyVolumeMounts(vdb *vapi.VerticaDB) []corev1.VolumeMount {
+	volMnts := []corev1.VolumeMount{
+		{Name: vProxyVolumeName, MountPath: "/config"},
+	}
+	if vdb.IsProxyTLSEnabled() && vmeta.UseVProxyCertsMount(vdb.Annotations) {
+		volMnts = append(volMnts, buildVProxyCertsVolumeMount()...)
+	}
+	return volMnts
+}
+
 // buildVolumeMounts returns standard volume mounts common to all containers
 func buildVolumeMounts(vdb *vapi.VerticaDB) []corev1.VolumeMount {
 	volMnts := []corev1.VolumeMount{
@@ -458,6 +470,15 @@ func buildNMACertsVolumeMount() []corev1.VolumeMount {
 	}
 }
 
+func buildVProxyCertsVolumeMount() []corev1.VolumeMount {
+	return []corev1.VolumeMount{
+		{
+			Name:      vapi.VProxyCertsMountName,
+			MountPath: paths.VProxyCertsRoot,
+		},
+	}
+}
+
 // buildCertSecretVolumeMounts returns the volume mounts for any cert secrets that are in the vdb
 func buildCertSecretVolumeMounts(vdb *vapi.VerticaDB) []corev1.VolumeMount {
 	mnts := []corev1.VolumeMount{}
@@ -526,6 +547,26 @@ func buildScrutinizeVolumes(vscr *v1beta1.VerticaScrutinize, vdb *vapi.VerticaDB
 	return vols
 }
 
+func buildVProxyVolumes(vdb *vapi.VerticaDB, sc *vapi.Subcluster) []corev1.Volume {
+	vols := []corev1.Volume{
+		{
+			Name: vProxyVolumeName,
+			VolumeSource: corev1.VolumeSource{
+				ConfigMap: &corev1.ConfigMapVolumeSource{
+					LocalObjectReference: corev1.LocalObjectReference{Name: sc.GetVProxyConfigMapName(vdb)},
+				},
+			},
+		},
+	}
+	if vmeta.UseVClusterOps(vdb.Annotations) &&
+		vmeta.UseVProxyCertsMount(vdb.Annotations) &&
+		vdb.Spec.Proxy.TLSSecret != "" &&
+		secrets.IsK8sSecret(vdb.Spec.Proxy.TLSSecret) {
+		vols = append(vols, buildVProxySecretVolume(vdb))
+	}
+	return vols
+}
+
 func buildDefaultScrutinizeVolume() corev1.Volume {
 	return buildEmptyDirVolume(scrutinizeMountName)
 }
@@ -784,6 +825,17 @@ func buildNMACertsSecretVolume(vdb *vapi.VerticaDB) corev1.Volume {
 	}
 }
 
+func buildVProxySecretVolume(vdb *vapi.VerticaDB) corev1.Volume {
+	return corev1.Volume{
+		Name: vapi.VProxyCertsMountName,
+		VolumeSource: corev1.VolumeSource{
+			Secret: &corev1.SecretVolumeSource{
+				SecretName: vdb.Spec.Proxy.TLSSecret,
+			},
+		},
+	}
+}
+
 // buildEmptyDirVolume returns a generic 'emptyDir' volume
 func buildEmptyDirVolume(volName string) corev1.Volume {
 	return corev1.Volume{
@@ -901,16 +953,7 @@ func buildVProxyPodSpec(vdb *vapi.VerticaDB, sc *vapi.Subcluster) corev1.PodSpec
 		TerminationGracePeriodSeconds: &termGracePeriod,
 		ServiceAccountName:            vdb.Spec.ServiceAccountName,
 		SecurityContext:               vdb.Spec.PodSecurityContext,
-		Volumes: []corev1.Volume{
-			{
-				Name: vProxyVolumeName,
-				VolumeSource: corev1.VolumeSource{
-					ConfigMap: &corev1.ConfigMapVolumeSource{
-						LocalObjectReference: corev1.LocalObjectReference{Name: sc.GetVProxyConfigMapName(vdb)},
-					},
-				},
-			},
-		},
+		Volumes:                       buildVProxyVolumes(vdb, sc),
 	}
 }
 
@@ -1021,9 +1064,7 @@ func makeVProxyContainer(vdb *vapi.VerticaDB, sc *vapi.Subcluster) corev1.Contai
 		Ports: []corev1.ContainerPort{
 			{ContainerPort: VerticaClientPort, Name: "vertica"},
 		},
-		VolumeMounts: []corev1.VolumeMount{
-			{Name: vProxyVolumeName, MountPath: "/config"},
-		},
+		VolumeMounts: buildVProxyVolumeMounts(vdb),
 	}
 }
 
@@ -1786,9 +1827,12 @@ func buildNMATLSCertsEnvVars(vdb *vapi.VerticaDB) []corev1.EnvVar {
 
 // buildVProxyTLSCertsEnvVars returns environment variables about proxy certs
 func buildVProxyTLSCertsEnvVars(vdb *vapi.VerticaDB) []corev1.EnvVar {
-	if vmeta.UseVProxyCertsMount(vdb.Annotations) && secrets.IsK8sSecret(vdb.Spec.Proxy.TLSSecret) {
+	if vdb.IsProxyTLSEnabled() {
 		return []corev1.EnvVar{
-			// TODO: use proxy certs
+			// Provide the path to each of the certs that are mounted in the container.
+			{Name: VProxyRootCAEnv, Value: fmt.Sprintf("%s/%s", paths.VProxyCertsRoot, paths.HTTPServerCACrtName)},
+			{Name: VProxyCertEnv, Value: fmt.Sprintf("%s/%s", paths.VProxyCertsRoot, corev1.TLSCertKey)},
+			{Name: VProxyKeyEnv, Value: fmt.Sprintf("%s/%s", paths.VProxyCertsRoot, corev1.TLSPrivateKeyKey)},
 		}
 	}
 	return []corev1.EnvVar{

pkg/paths/paths.go

@@ -52,6 +52,7 @@ const (
 	EulaAcceptanceScript      = "/opt/vertica/config/accept_eula.py"
 	CertsRoot                 = "/certs"
 	NMACertsRoot              = "/certs/nma"
+	VProxyCertsRoot           = "/certs/vproxy"
 	Krb5Conf                  = "/etc/krb5.conf"
 	Krb5Keytab                = "/etc/krb5/krb5.keytab"
 	DBAdminSSHPath            = "/home/dbadmin/.ssh"