[Feature] Add TLS SNI (#556)

Author: ajanikow

go.mod

@@ -45,6 +45,7 @@ require (
 	github.com/tomnomnom/linkheader v0.0.0-20180905144013-02ca5825eb80 // indirect
 	github.com/ugorji/go/codec v0.0.0-20181209151446-772ced7fd4c2 // indirect
 	github.com/voxelbrain/goptions v0.0.0-20180630082107-58cddc247ea2 // indirect
+	golang.org/x/net v0.0.0-20200226121028-0de0cce0169b
 	golang.org/x/sync v0.0.0-20200317015054-43a5402ce75a // indirect
 	golang.org/x/sys v0.0.0-20200116001909-b77594299b42
 	golang.org/x/tools v0.0.0-20200331202046-9d5940d49312 // indirect

pkg/apis/deployment/v1/plan.go

@@ -61,6 +61,8 @@ const (
 	ActionTypeRenewTLSCertificate ActionType = "RenewTLSCertificate"
 	// ActionTypeRenewTLSCACertificate causes the TLS CA certificate of the entire deployment to be renewed.
 	ActionTypeRenewTLSCACertificate ActionType = "RenewTLSCACertificate"
+	// ActionTypeUpdateTLSSNI update SNI inplace.
+	ActionTypeUpdateTLSSNI ActionType = "UpdateTLSSNI"
 	// ActionTypeSetCurrentImage causes status.CurrentImage to be updated to the image given in the action.
 	ActionTypeSetCurrentImage ActionType = "SetCurrentImage"
 	// ActionTypeDisableClusterScaling turns off scaling DBservers and coordinators

pkg/apis/deployment/v1/tls_sni_spec.go

@@ -0,0 +1,81 @@
+//
+// DISCLAIMER
+//
+// Copyright 2020 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+// Author Ewout Prangsma
+//
+
+package v1
+
+import (
+	shared "github.com/arangodb/kube-arangodb/pkg/apis/shared/v1"
+	"github.com/pkg/errors"
+)
+
+type TLSSNIRotateMode string
+
+func (t *TLSSNIRotateMode) Get() TLSSNIRotateMode {
+	if t == nil {
+		return TLSSNIRotateModeInPlace
+	}
+
+	return *t
+}
+
+const (
+	TLSSNIRotateModeInPlace  TLSSNIRotateMode = "inplace"
+	TLSSNIRotateModeRecreate TLSSNIRotateMode = "recreate"
+)
+
+// TLSSNISpec holds TLS SNI additional certificates
+type TLSSNISpec struct {
+	Mapping map[string][]string `json:"sniMapping,omitempty"`
+	Mode    *TLSSNIRotateMode   `json:"mode,omitempty"`
+}
+
+func (s TLSSNISpec) Validate() error {
+	mapped := map[string]interface{}{}
+
+	for key, values := range s.Mapping {
+		if err := shared.IsValidName(key); err != nil {
+			return err
+		}
+
+		for _, value := range values {
+			if _, exists := mapped[value]; exists {
+				return errors.Errorf("sni for host %s is already defined", value)
+			}
+
+			// Mark value as existing
+			mapped[value] = nil
+
+			if err := shared.IsValidDomain(value); err != nil {
+				return err
+			}
+		}
+	}
+
+	return nil
+}
+
+// SetDefaultsFrom fills unspecified fields with a value from given source spec.
+func (s *TLSSNISpec) SetDefaultsFrom(source *TLSSNISpec) {
+	if source == nil {
+		return
+	}
+}

pkg/apis/deployment/v1/tls_spec.go

@@ -37,9 +37,10 @@ const (
 
 // TLSSpec holds TLS specific configuration settings
 type TLSSpec struct {
-	CASecretName *string   `json:"caSecretName,omitempty"`
-	AltNames     []string  `json:"altNames,omitempty"`
-	TTL          *Duration `json:"ttl,omitempty"`
+	CASecretName *string     `json:"caSecretName,omitempty"`
+	AltNames     []string    `json:"altNames,omitempty"`
+	TTL          *Duration   `json:"ttl,omitempty"`
+	SNI          *TLSSNISpec `json:",inline"`
 }
 
 const (
@@ -57,6 +58,14 @@ func (s TLSSpec) GetAltNames() []string {
 	return s.AltNames
 }
 
+func (s TLSSpec) GetTLSSNISpec() TLSSNISpec {
+	if s.SNI == nil {
+		return TLSSNISpec{}
+	}
+
+	return *s.SNI
+}
+
 // GetTTL returns the value of ttl.
 func (s TLSSpec) GetTTL() Duration {
 	return DurationOrDefault(s.TTL)
@@ -125,4 +134,6 @@ func (s *TLSSpec) SetDefaultsFrom(source TLSSpec) {
 	if s.TTL == nil {
 		s.TTL = NewDurationOrNil(source.TTL)
 	}
+
+	s.SNI.SetDefaultsFrom(source.SNI)
 }

pkg/apis/deployment/v1/zz_generated.deepcopy.go

@@ -110,3 +110,11 @@ func IsValidName(name string) error {
 
 	return nil
 }
+
+func IsValidDomain(name string) error {
+	if res := validation.IsDNS1123Subdomain(name); len(res) > 0 {
+		return errors.Errorf("validation of domain failed: %s", strings.Join(res, ", "))
+	}
+
+	return nil
+}

pkg/apis/shared/v1/resource.go

@@ -76,7 +76,7 @@ func (d *Deployment) GetAlpineImage() string {
 	return d.config.AlpineImage
 }
 
-// GetNamespace returns the kubernetes namespace that contains
+// GetNamespSecretsInterfaceace returns the kubernetes namespace that contains
 // this deployment.
 func (d *Deployment) GetNamespace() string {
 	return d.apiObject.GetNamespace()
@@ -438,12 +438,6 @@ func (d *Deployment) DeleteSecret(secretName string) error {
 	return nil
 }
 
-// GetExpectedPodArguments creates command line arguments for a server in the given group with given ID.
-func (d *Deployment) GetExpectedPodArguments(apiObject metav1.Object, deplSpec api.DeploymentSpec, group api.ServerGroup,
-	agents api.MemberStatusList, id string, version driver.Version) []string {
-	return d.resources.GetExpectedPodArguments(apiObject, deplSpec, group, agents, id, version)
-}
-
 // GetShardSyncStatus returns true if all shards are in sync
 func (d *Deployment) GetShardSyncStatus() bool {
 	return d.resources.GetShardSyncStatus()
@@ -506,3 +500,7 @@ func (d *Deployment) WithStatusUpdate(action func(s *api.DeploymentStatus) bool,
 
 	return d.updateStatus(status, version, force...)
 }
+
+func (d *Deployment) SecretsInterface() k8sutil.SecretInterface {
+	return d.GetKubeCli().CoreV1().Secrets(d.GetNamespace())
+}

pkg/deployment/context_impl.go

@@ -1240,8 +1240,6 @@ func TestEnsurePod_ArangoDB_Core(t *testing.T) {
 
 				testCase.ExpectedPod.Spec.Containers[0].LivenessProbe = createTestLivenessProbe(true,
 					authorization, k8sutil.ArangoPort)
-				testCase.ExpectedPod.Spec.Containers[1].VolumeMounts = append(
-					testCase.ExpectedPod.Spec.Containers[1].VolumeMounts, k8sutil.TlsKeyfileVolumeMount())
 			},
 			config: Config{
 				LifecycleImage: testImageLifecycle,
@@ -1287,7 +1285,11 @@ func TestEnsurePod_ArangoDB_Core(t *testing.T) {
 							},
 							Resources: emptyResources,
 						},
-						testCreateExporterContainer(true, emptyResources),
+						func() core.Container {
+							c := testCreateExporterContainer(true, emptyResources)
+							c.VolumeMounts = append(c.VolumeMounts, k8sutil.TlsKeyfileVolumeMount())
+							return c
+						}(),
 					},
 					RestartPolicy:                 core.RestartPolicyNever,
 					TerminationGracePeriodSeconds: &defaultDBServerTerminationTimeout,

pkg/deployment/deployment_core_test.go

@@ -179,7 +179,7 @@ func (d *Deployment) inspectDeploymentWithError(ctx context.Context, lastInterva
 	}
 
 	// Create scale/update plan
-	if err, updated := d.reconciler.CreatePlan(); err != nil {
+	if err, updated := d.reconciler.CreatePlan(ctx); err != nil {
 		return minInspectionInterval, errors.Wrapf(err, "Plan creation failed")
 	} else if updated {
 		return minInspectionInterval, nil