diff --git a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml index e5a5fe122..e85301c1b 100644 --- a/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml +++ b/deployments/helm/KubeArmorOperator/crds/operator.kubearmor.com_kubearmorconfigs.yaml @@ -51,6 +51,12 @@ spec: type: string auth: properties: + allowInsecureTLS: + type: boolean + caCertKey: + type: string + caCertSecretName: + type: string passwordKey: type: string secretName: diff --git a/deployments/operator/operator.yaml b/deployments/operator/operator.yaml index 21c6a9faa..8d93ce1f0 100644 --- a/deployments/operator/operator.yaml +++ b/deployments/operator/operator.yaml @@ -50,6 +50,12 @@ spec: type: string auth: properties: + allowInsecureTLS: + type: boolean + caCertKey: + type: string + caCertSecretName: + type: string passwordKey: type: string secretName: diff --git a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go index b2185f469..cfdb7e37b 100644 --- a/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go +++ b/pkg/KubeArmorOperator/api/operator.kubearmor.com/v1/kubearmorconfig_types.go @@ -40,9 +40,12 @@ type RecommendedPolicies struct { } type ElasticSearchAuth struct { - SecretName string `json:"secretName,omitempty"` - UserNameKey string `json:"usernameKey,omitempty"` - PasswordKey string `json:"passwordKey,omitempty"` + SecretName string `json:"secretName,omitempty"` + UserNameKey string `json:"usernameKey,omitempty"` + PasswordKey string `json:"passwordKey,omitempty"` + AllowTlsInsecure bool `json:"allowInsecureTLS,omitempty"` + CAcertSecretName string `json:"caCertSecretName,omitempty"` + CaCertKey string `json:"caCertKey,omitempty"` } type ElasticSearchAdapter struct { diff --git a/pkg/KubeArmorOperator/common/defaults.go b/pkg/KubeArmorOperator/common/defaults.go index 40cff161c..8684a2a50 100644 --- a/pkg/KubeArmorOperator/common/defaults.go +++ b/pkg/KubeArmorOperator/common/defaults.go @@ -146,12 +146,17 @@ var ( Url: "", AlertsIndexName: "kubearmor-alerts", Auth: opv1.ElasticSearchAuth{ - SecretName: "elastic-secret", - UserNameKey: "username", - PasswordKey: "password", + SecretName: "elastic-secret", + UserNameKey: "username", + PasswordKey: "password", + AllowTlsInsecure: false, + CAcertSecretName: "", + CaCertKey: "ca.crt", }, }, } + + ElasticSearchAdapterCaCertPath = "/cert" ) var Pointer2True bool = true diff --git a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml index e5a5fe122..e85301c1b 100644 --- a/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml +++ b/pkg/KubeArmorOperator/config/crd/bases/operator.kubearmor.com_kubearmorconfigs.yaml @@ -51,6 +51,12 @@ spec: type: string auth: properties: + allowInsecureTLS: + type: boolean + caCertKey: + type: string + caCertSecretName: + type: string passwordKey: type: string secretName: diff --git a/pkg/KubeArmorOperator/internal/controller/cluster.go b/pkg/KubeArmorOperator/internal/controller/cluster.go index 4d2ef3b7e..49ebbf0c4 100644 --- a/pkg/KubeArmorOperator/internal/controller/cluster.go +++ b/pkg/KubeArmorOperator/internal/controller/cluster.go @@ -509,6 +509,50 @@ func (clusterWatcher *ClusterWatcher) UpdateKubearmorRelayEnv(cfg *opv1.KubeArmo }, }, } + + ElasticSearchAdapterCaVolume := []corev1.Volume{ + { + Name: "elastic-ca", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: common.Adapter.ElasticSearch.Auth.CAcertSecretName, + Items: []corev1.KeyToPath{ + { + Key: common.Adapter.ElasticSearch.Auth.CaCertKey, + Path: common.ElasticSearchAdapterCaCertPath, + }, + }, + }, + }, + }, + } + + ElasticSearchAdapterCaVolumeMount := []corev1.VolumeMount{ + { + Name: "elastic-ca", + MountPath: common.ElasticSearchAdapterCaCertPath, + }, + } + if common.Adapter.ElasticSearch.Auth.CAcertSecretName != "" { + relay.Spec.Template.Spec.Containers[0].Env = append(relay.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{ + Name: "ES_CA_CERT_PATH", + Value: common.ElasticSearchAdapterCaCertPath + "/" + common.Adapter.ElasticSearch.Auth.CaCertKey, + }) + + common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relay.Spec.Template.Spec.Volumes, common.AddAction) + common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relay.Spec.Template.Spec.Containers[0].VolumeMounts, common.AddAction) + } else { + common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relay.Spec.Template.Spec.Volumes, common.DeleteAction) + common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relay.Spec.Template.Spec.Containers[0].VolumeMounts, common.DeleteAction) + } + + if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure { + relay.Spec.Template.Spec.Containers[0].Env = append(relay.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{ + Name: "ES_ALLOW_INSECURE_TLS", + Value: "true", + }) + } + _, err = clusterWatcher.Client.AppsV1().Deployments(common.Namespace).Update(context.Background(), relay, v1.UpdateOptions{}) if err != nil { clusterWatcher.Log.Warnf("Cannot update deployment=%s error=%s", deployments.RelayDeploymentName, err.Error()) @@ -998,6 +1042,10 @@ func UpdatedKubearmorRelayEnv(config *opv1.KubeArmorConfigSpec) bool { updated = true common.Adapter.ElasticSearch.Enabled = config.Adapters.ElasticSearch.Enabled } + if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure != config.Adapters.ElasticSearch.Auth.AllowTlsInsecure { + updated = true + common.Adapter.ElasticSearch.Auth.AllowTlsInsecure = config.Adapters.ElasticSearch.Auth.AllowTlsInsecure + } if common.Adapter.ElasticSearch.AlertsIndexName != config.Adapters.ElasticSearch.AlertsIndexName { updated = true common.Adapter.ElasticSearch.AlertsIndexName = config.Adapters.ElasticSearch.AlertsIndexName @@ -1006,18 +1054,22 @@ func UpdatedKubearmorRelayEnv(config *opv1.KubeArmorConfigSpec) bool { updated = true common.Adapter.ElasticSearch.Url = config.Adapters.ElasticSearch.Url } - if common.Adapter.ElasticSearch.Auth.SecretName != config.Adapters.ElasticSearch.Auth.SecretName { + if config.Adapters.ElasticSearch.Auth.SecretName != "" && common.Adapter.ElasticSearch.Auth.SecretName != config.Adapters.ElasticSearch.Auth.SecretName { updated = true common.Adapter.ElasticSearch.Auth.SecretName = config.Adapters.ElasticSearch.Auth.SecretName } - if common.Adapter.ElasticSearch.Auth.UserNameKey != config.Adapters.ElasticSearch.Auth.UserNameKey { + if config.Adapters.ElasticSearch.Auth.UserNameKey != "" && common.Adapter.ElasticSearch.Auth.UserNameKey != config.Adapters.ElasticSearch.Auth.UserNameKey { updated = true common.Adapter.ElasticSearch.Auth.UserNameKey = config.Adapters.ElasticSearch.Auth.UserNameKey } - if common.Adapter.ElasticSearch.Auth.PasswordKey != config.Adapters.ElasticSearch.Auth.PasswordKey { + if config.Adapters.ElasticSearch.Auth.PasswordKey != "" && common.Adapter.ElasticSearch.Auth.PasswordKey != config.Adapters.ElasticSearch.Auth.PasswordKey { updated = true common.Adapter.ElasticSearch.Auth.PasswordKey = config.Adapters.ElasticSearch.Auth.PasswordKey } + if config.Adapters.ElasticSearch.Auth.CAcertSecretName != "" && common.Adapter.ElasticSearch.Auth.CAcertSecretName != config.Adapters.ElasticSearch.Auth.CAcertSecretName { + updated = true + common.Adapter.ElasticSearch.Auth.CAcertSecretName = config.Adapters.ElasticSearch.Auth.CAcertSecretName + } } return updated } diff --git a/pkg/KubeArmorOperator/internal/controller/resources.go b/pkg/KubeArmorOperator/internal/controller/resources.go index b51705205..68eea98e3 100644 --- a/pkg/KubeArmorOperator/internal/controller/resources.go +++ b/pkg/KubeArmorOperator/internal/controller/resources.go @@ -586,6 +586,49 @@ func (clusterWatcher *ClusterWatcher) WatchRequiredResources() { }, } + ElasticSearchAdapterCaVolume := []corev1.Volume{ + { + Name: "elastic-ca", + VolumeSource: corev1.VolumeSource{ + Secret: &corev1.SecretVolumeSource{ + SecretName: common.Adapter.ElasticSearch.Auth.CAcertSecretName, + Items: []corev1.KeyToPath{ + { + Key: common.Adapter.ElasticSearch.Auth.CaCertKey, + Path: common.ElasticSearchAdapterCaCertPath, + }, + }, + }, + }, + }, + } + + ElasticSearchAdapterCaVolumeMount := []corev1.VolumeMount{ + { + Name: "elastic-ca", + MountPath: common.ElasticSearchAdapterCaCertPath, + }, + } + + if common.Adapter.ElasticSearch.Auth.CAcertSecretName != "" { + relayServer.Spec.Template.Spec.Containers[0].Env = append(relayServer.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{ + Name: "ES_CA_CERT_PATH", + Value: common.ElasticSearchAdapterCaCertPath + "/" + common.Adapter.ElasticSearch.Auth.CaCertKey, + }) + + common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relayServer.Spec.Template.Spec.Volumes, common.AddAction) + common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relayServer.Spec.Template.Spec.Containers[0].VolumeMounts, common.AddAction) + } else { + common.AddOrRemoveVolume(&ElasticSearchAdapterCaVolume, &relayServer.Spec.Template.Spec.Volumes, common.DeleteAction) + common.AddOrRemoveVolumeMount(&ElasticSearchAdapterCaVolumeMount, &relayServer.Spec.Template.Spec.Containers[0].VolumeMounts, common.DeleteAction) + } + + if common.Adapter.ElasticSearch.Auth.AllowTlsInsecure { + relayServer.Spec.Template.Spec.Containers[0].Env = append(relayServer.Spec.Template.Spec.Containers[0].Env, corev1.EnvVar{ + Name: "ES_ALLOW_INSECURE_TLS", + Value: "true", + }) + } if common.EnableTls { relayServer.Spec.Template.Spec.Containers[0].VolumeMounts = append(relayServer.Spec.Template.Spec.Containers[0].VolumeMounts, common.KubeArmorRelayTlsVolumeMount...)