-
-
Notifications
You must be signed in to change notification settings - Fork 10
Expand file tree
/
Copy pathsecurity.rs
More file actions
317 lines (292 loc) · 12.5 KB
/
security.rs
File metadata and controls
317 lines (292 loc) · 12.5 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
//! A helper module to process Apache ZooKeeper security configuration
//!
//! This module merges the `tls` and `authentication` module and offers better accessibility
//! and helper functions
//!
//! This is required due to overlaps between TLS encryption and e.g. mTLS authentication or Kerberos
use std::collections::BTreeMap;
use snafu::{ResultExt, Snafu};
use stackable_operator::{
builder::{
self,
pod::{
PodBuilder,
container::ContainerBuilder,
volume::{
SecretFormat, SecretOperatorVolumeSourceBuilder,
SecretOperatorVolumeSourceBuilderError, VolumeBuilder,
},
},
},
client::Client,
crd::authentication::core,
k8s_openapi::api::core::v1::Volume,
shared::time::Duration,
};
use crate::{
crd::{
authentication::{self, ResolvedAuthenticationClasses},
tls, v1alpha1,
},
zk_controller::LISTENER_VOLUME_NAME,
};
type Result<T, E = Error> = std::result::Result<T, E>;
#[derive(Snafu, Debug)]
pub enum Error {
#[snafu(display("failed to process authentication class"))]
InvalidAuthenticationClassConfiguration { source: authentication::Error },
#[snafu(display("failed to build TLS volume for {volume_name:?}"))]
BuildTlsVolume {
source: SecretOperatorVolumeSourceBuilderError,
volume_name: String,
},
#[snafu(display("failed to add needed volume"))]
AddVolume { source: builder::pod::Error },
#[snafu(display("failed to add needed volumeMount"))]
AddVolumeMount {
source: builder::pod::container::Error,
},
}
/// Helper struct combining TLS settings for server and quorum with the resolved AuthenticationClasses
pub struct ZookeeperSecurity {
resolved_authentication_classes: ResolvedAuthenticationClasses,
server_secret_class: Option<String>,
quorum_secret_class: String,
}
impl ZookeeperSecurity {
pub const ADMIN_PORT: u16 = 8080;
pub const CLIENT_PORT: u16 = 2181;
pub const QUORUM_TLS_DIR: &'static str = "/stackable/quorum_tls";
pub const QUORUM_TLS_MOUNT_DIR: &'static str = "/stackable/quorum_tls_mount";
pub const SECURE_CLIENT_PORT: u16 = 2282;
pub const SERVER_CNXN_FACTORY: &'static str = "serverCnxnFactory";
pub const SERVER_TLS_DIR: &'static str = "/stackable/server_tls";
pub const SERVER_TLS_MOUNT_DIR: &'static str = "/stackable/server_tls_mount";
// Common TLS
pub const SSL_AUTH_PROVIDER_X509: &'static str = "authProvider.x509";
// Client TLS
pub const SSL_CLIENT_AUTH: &'static str = "ssl.clientAuth";
pub const SSL_HOST_NAME_VERIFICATION: &'static str = "ssl.hostnameVerification";
pub const SSL_KEY_STORE_LOCATION: &'static str = "ssl.keyStore.location";
pub const SSL_KEY_STORE_PASSWORD: &'static str = "ssl.keyStore.password";
// Quorum TLS
pub const SSL_QUORUM: &'static str = "sslQuorum";
pub const SSL_QUORUM_CLIENT_AUTH: &'static str = "ssl.quorum.clientAuth";
pub const SSL_QUORUM_HOST_NAME_VERIFICATION: &'static str = "ssl.quorum.hostnameVerification";
pub const SSL_QUORUM_KEY_STORE_LOCATION: &'static str = "ssl.quorum.keyStore.location";
pub const SSL_QUORUM_KEY_STORE_PASSWORD: &'static str = "ssl.quorum.keyStore.password";
pub const SSL_QUORUM_TRUST_STORE_LOCATION: &'static str = "ssl.quorum.trustStore.location";
pub const SSL_QUORUM_TRUST_STORE_PASSWORD: &'static str = "ssl.quorum.trustStore.password";
pub const SSL_TRUST_STORE_LOCATION: &'static str = "ssl.trustStore.location";
pub const SSL_TRUST_STORE_PASSWORD: &'static str = "ssl.trustStore.password";
// Mis
pub const STORE_PASSWORD_ENV: &'static str = "STORE_PASSWORD";
pub const SYSTEM_TRUST_STORE_DIR: &'static str = "/etc/pki/java/cacerts";
/// Create a `ZookeeperSecurity` struct from the Zookeeper custom resource and resolve
/// all provided `AuthenticationClass` references.
pub async fn new_from_zookeeper_cluster(
client: &Client,
zk: &v1alpha1::ZookeeperCluster,
) -> Result<Self, Error> {
Ok(ZookeeperSecurity {
resolved_authentication_classes: authentication::resolve_authentication_classes(
client,
&zk.spec.cluster_config.authentication,
)
.await
.context(InvalidAuthenticationClassConfigurationSnafu)?,
server_secret_class: zk
.spec
.cluster_config
.tls
.as_ref()
.and_then(|tls| tls.server_secret_class.clone()),
quorum_secret_class: zk
.spec
.cluster_config
.tls
.as_ref()
.map(|tls| tls.quorum_secret_class.clone())
.unwrap_or_else(tls::quorum_tls_default),
})
}
/// Check if TLS encryption is enabled. This could be due to:
/// - A provided server `SecretClass`
/// - A provided client `AuthenticationClass`
///
/// This affects init container commands, ZooKeeper configuration, volume mounts and
/// the ZooKeeper client port
pub fn tls_enabled(&self) -> bool {
// TODO: This must be adapted if other authentication methods are supported and require TLS
self.server_secret_class.is_some()
|| self
.resolved_authentication_classes
.get_tls_authentication_class()
.is_some()
}
/// Return the ZooKeeper (secure) client port depending on tls or authentication settings.
pub fn client_port(&self) -> u16 {
if self.tls_enabled() {
Self::SECURE_CLIENT_PORT
} else {
Self::CLIENT_PORT
}
}
/// Adds required volumes and volume mounts to the pod and container builders
/// depending on the tls and authentication settings.
pub fn add_volume_mounts(
&self,
pod_builder: &mut PodBuilder,
cb_zookeeper: &mut ContainerBuilder,
requested_secret_lifetime: &Duration,
) -> Result<()> {
let tls_secret_class = self.get_tls_secret_class();
if let Some(secret_class) = tls_secret_class {
let tls_volume_name = "server-tls";
cb_zookeeper
.add_volume_mount(tls_volume_name, Self::SERVER_TLS_DIR)
.context(AddVolumeMountSnafu)?;
pod_builder
.add_volume(Self::create_server_tls_volume(
tls_volume_name,
secret_class,
requested_secret_lifetime,
)?)
.context(AddVolumeSnafu)?;
}
// quorum
let tls_volume_name = "quorum-tls";
cb_zookeeper
.add_volume_mount(tls_volume_name, Self::QUORUM_TLS_DIR)
.context(AddVolumeMountSnafu)?;
pod_builder
.add_volume(Self::create_quorum_tls_volume(
tls_volume_name,
&self.quorum_secret_class,
requested_secret_lifetime,
)?)
.context(AddVolumeSnafu)?;
Ok(())
}
/// Returns required ZooKeeper configuration settings for the `zoo.cfg` properties file
/// depending on the tls and authentication settings.
pub fn config_settings(&self) -> BTreeMap<String, String> {
let mut config = BTreeMap::new();
// Quorum TLS
config.insert(Self::SSL_QUORUM.to_string(), "true".to_string());
config.insert(
Self::SSL_QUORUM_HOST_NAME_VERIFICATION.to_string(),
"true".to_string(),
);
config.insert(Self::SSL_QUORUM_CLIENT_AUTH.to_string(), "need".to_string());
config.insert(
Self::SERVER_CNXN_FACTORY.to_string(),
"org.apache.zookeeper.server.NettyServerCnxnFactory".to_string(),
);
config.insert(
Self::SSL_AUTH_PROVIDER_X509.to_string(),
"org.apache.zookeeper.server.auth.X509AuthenticationProvider".to_string(),
);
// The keystore and truststore passwords should not be in the configmap and are generated
// and written later via script in the init container
config.insert(
Self::SSL_QUORUM_KEY_STORE_LOCATION.to_string(),
format!("{dir}/keystore.p12", dir = Self::QUORUM_TLS_DIR),
);
config.insert(
Self::SSL_QUORUM_TRUST_STORE_LOCATION.to_string(),
format!("{dir}/truststore.p12", dir = Self::QUORUM_TLS_DIR),
);
// Server TLS
if self.tls_enabled() {
config.insert(
Self::SSL_HOST_NAME_VERIFICATION.to_string(),
"true".to_string(),
);
// The keystore and truststore passwords should not be in the configmap and are generated
// and written later via script in the init container
config.insert(
Self::SSL_KEY_STORE_LOCATION.to_string(),
format!("{dir}/keystore.p12", dir = Self::SERVER_TLS_DIR),
);
config.insert(
Self::SSL_TRUST_STORE_LOCATION.to_string(),
format!("{dir}/truststore.p12", dir = Self::SERVER_TLS_DIR),
);
// Check if we need to enable client TLS authentication
if self
.resolved_authentication_classes
.get_tls_authentication_class()
.is_some()
{
config.insert(Self::SSL_CLIENT_AUTH.to_string(), "need".to_string());
}
}
config
}
/// Returns the `SecretClass` provided in a `AuthenticationClass` for TLS.
fn get_tls_secret_class(&self) -> Option<&String> {
self.resolved_authentication_classes
.get_tls_authentication_class()
.and_then(|auth_class| match &auth_class.spec.provider {
core::v1alpha1::AuthenticationClassProvider::Tls(tls) => {
tls.client_cert_secret_class.as_ref()
}
core::v1alpha1::AuthenticationClassProvider::Ldap(_)
| core::v1alpha1::AuthenticationClassProvider::Oidc(_)
| core::v1alpha1::AuthenticationClassProvider::Static(_)
| core::v1alpha1::AuthenticationClassProvider::Kerberos(_) => None,
})
.or(self.server_secret_class.as_ref())
}
/// Creates ephemeral volumes to mount the `SecretClass` with the listener-volume scope into the Pods.
///
/// The resulting volume will contain TLS certificates with the FQDN reported in the applicable [ListenerStatus].
///
/// [ListenerStatus]: ::stackable_operator::crd::listener::v1alpha1::ListenerStatus
fn create_server_tls_volume(
volume_name: &str,
secret_class_name: &str,
requested_secret_lifetime: &Duration,
) -> Result<Volume> {
let volume = VolumeBuilder::new(volume_name)
.ephemeral(
SecretOperatorVolumeSourceBuilder::new(secret_class_name)
.with_listener_volume_scope(LISTENER_VOLUME_NAME)
.with_format(SecretFormat::TlsPkcs12)
.with_auto_tls_cert_lifetime(*requested_secret_lifetime)
.build()
.context(BuildTlsVolumeSnafu { volume_name })?,
)
.build();
Ok(volume)
}
/// Creates ephemeral volumes to mount the `SecretClass` with the pod scope into the Pods.
///
/// The resulting volume will contain TLS certificates with the FQDN of the Pod in relation to the StatefulSet's headless service.
fn create_quorum_tls_volume(
volume_name: &str,
secret_class_name: &str,
requested_secret_lifetime: &Duration,
) -> Result<Volume> {
let volume = VolumeBuilder::new(volume_name)
.ephemeral(
SecretOperatorVolumeSourceBuilder::new(secret_class_name)
.with_pod_scope()
.with_format(SecretFormat::TlsPkcs12)
.with_auto_tls_cert_lifetime(*requested_secret_lifetime)
.build()
.context(BuildTlsVolumeSnafu { volume_name })?,
)
.build();
Ok(volume)
}
/// USE ONLY IN TESTS! We can not put it behind `#[cfg(test)]` because of <https://github.com/rust-lang/cargo/issues/8379>
pub fn new_for_tests() -> Self {
ZookeeperSecurity {
resolved_authentication_classes: ResolvedAuthenticationClasses::new_for_tests(),
server_secret_class: Some("tls".to_owned()),
quorum_secret_class: "tls".to_string(),
}
}
}