Docs & fixes

2024-12-14 11:57:37 +00:00 · 2018-03-12 09:52:52 +01:00 · 2018-03-12 09:52:52 +01:00 · 15d93f9b95
commit 15d93f9b95
parent 8b1053a7b2
5 changed files with 59 additions and 6 deletions
--- a/docs/user/README.md
+++ b/docs/user/README.md
@ -7,4 +7,5 @@
 - [Scaling](./scaling.md)
 - [Services & Load balancer](./services_and_loadbalancer.md)
 - [Storage](./storage.md)
+- [TLS](./tls.md)
 - [Upgrading](./upgrading.md)
--- a/docs/user/tls.md
+++ b/docs/user/tls.md
@ -0,0 +1,42 @@
+# TLS
+
+The ArangoDB operator allows you to create ArangoDB deployments that use
+secure TLS connections.
+
+It uses a single CA certificate (stored in a Kubernetes secret) and
+one certificate per ArangoDB server (stored in a Kubernetes secret per server).
+
+## Install CA certificate
+
+If the CA certificate is self-signed, it will not be trusted by browsers,
+until you install it in the local operating system or browser.
+This process differs per operating system.
+
+To do so, you first have to fetch the CA certificate from its Kubernetes
+secret.
+
+```bash
+kubectl get secret <deploy-name> --template='{{index .data "ca.crt"}}' | base64 -D > ca.crt
+```
+
+### Windows
+
+TODO
+
+### MacOS
+
+To install a CA certificate in MacOS, run:
+
+```bash
+sudo /usr/bin/security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain ca.crt
+```
+
+To uninstall a CA certificate in MacOS, run:
+
+```bash
+sudo /usr/bin/security remove-trusted-cert -d ca.crt
+```
+
+### Linux
+
+TODO
--- a/examples/simple-cluster-tls.yaml
+++ b/examples/simple-cluster-tls.yaml
@ -6,4 +6,4 @@ spec:
  mode: cluster
  tls:
    caSecretName: example-simple-cluster-tls
-    altNames: ["localhost"]
+    altNames: ["kube-01", "kube-02", "kube-03"]
--- a/pkg/apis/arangodb/v1alpha/tls_spec.go
+++ b/pkg/apis/arangodb/v1alpha/tls_spec.go
@ -38,7 +38,7 @@ const (
 // TLSSpec holds TLS specific configuration settings
 type TLSSpec struct {
 	CASecretName string        `json:"caSecretName,omitempty"`
-	AltNames     []string      `json:"serverName,omitempty"`
+	AltNames     []string      `json:"altNames,omitempty"`
 	TTL          time.Duration `json:"ttl,omitempty"`
 }

--- a/pkg/deployment/tls.go
+++ b/pkg/deployment/tls.go
@ -44,6 +44,7 @@ const (
 // createCACertificate creates a CA certificate and stores it in a secret with name
 // specified in the given spec.
 func createCACertificate(log zerolog.Logger, cli v1.CoreV1Interface, spec api.TLSSpec, deploymentName, namespace string, ownerRef *metav1.OwnerReference) error {
+	log = log.With().Str("secret", spec.CASecretName).Logger()
 	dnsNames, ipAddresses, emailAddress, err := spec.GetAltNames()
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to get alternate names")
@ -65,16 +66,21 @@ func createCACertificate(log zerolog.Logger, cli v1.CoreV1Interface, spec api.TL
 		return maskAny(err)
 	}
 	if err := k8sutil.CreateCASecret(cli, spec.CASecretName, namespace, cert, priv, ownerRef); err != nil {
-		log.Debug().Err(err).Msg("Failed to create CA Secret")
+		if k8sutil.IsAlreadyExists(err) {
+			log.Debug().Msg("CA Secret already exists")
+		} else {
+			log.Debug().Err(err).Msg("Failed to create CA Secret")
+		}
 		return maskAny(err)
 	}
-	log.Debug().Str("secret", spec.CASecretName).Msg("Created CA Secret")
+	log.Debug().Msg("Created CA Secret")
 	return nil
 }

 // createServerCertificate creates a TLS certificate for a specific server and stores
 // it in a secret with the given name.
 func createServerCertificate(log zerolog.Logger, cli v1.CoreV1Interface, serverNames []string, spec api.TLSSpec, secretName, namespace string, ownerRef *metav1.OwnerReference) error {
+	log = log.With().Str("secret", secretName).Logger()
 	// Load alt names
 	dnsNames, ipAddresses, emailAddress, err := spec.GetAltNames()
 	if err != nil {
@ -111,9 +117,13 @@ func createServerCertificate(log zerolog.Logger, cli v1.CoreV1Interface, serverN
 	keyfile := strings.TrimSpace(cert) + "\n" +
 		strings.TrimSpace(priv)
 	if err := k8sutil.CreateTLSKeyfileSecret(cli, secretName, namespace, keyfile, ownerRef); err != nil {
-		log.Debug().Err(err).Msg("Failed to create server Secret")
+		if k8sutil.IsAlreadyExists(err) {
+			log.Debug().Msg("Server Secret already exists")
+		} else {
+			log.Debug().Err(err).Msg("Failed to create server Secret")
+		}
 		return maskAny(err)
 	}
-	log.Debug().Str("secret", secretName).Msg("Created server Secret")
+	log.Debug().Msg("Created server Secret")
 	return nil
 }