HoustonPutman commented on a change in pull request #151:
URL: 
https://github.com/apache/lucene-solr-operator/pull/151#discussion_r569735125



##########
File path: controllers/util/solr_util.go
##########
@@ -899,3 +953,409 @@ func CreateNodeIngressRule(solrCloud *solr.SolrCloud, 
nodeName string, domainNam
        }
        return ingressRule
 }
+
+func GenerateCertificate(solrCloud *solr.SolrCloud) certv1.Certificate {
+
+       dnsNames := findDNSNamesForCertificate(solrCloud)
+
+       // convert something like: CN=localhost, OU=Organizational Unit, 
O=Organization, L=Location, ST=State, C=Country
+       // into an X509Subject to be used during cert creation
+       subjectMap := 
parseSubjectDName(solrCloud.Spec.SolrTLS.AutoCreate.SubjectDistinguishedName)
+       subject := toX509Subject(subjectMap)
+       commonName := subjectMap["CN"]
+
+       var issuerRef certmetav1.ObjectReference
+       if solrCloud.Spec.SolrTLS.AutoCreate.IssuerRef != nil {
+               issuerRef = certmetav1.ObjectReference{
+                       Name: solrCloud.Spec.SolrTLS.AutoCreate.IssuerRef.Name,
+                       Kind: solrCloud.Spec.SolrTLS.AutoCreate.IssuerRef.Kind,
+               }
+       } else {
+               issuerRef = certmetav1.ObjectReference{
+                       Name: fmt.Sprintf("%s-selfsigned-issuer", 
solrCloud.Name),
+                       Kind: "Issuer",
+               }
+       }
+
+       cert := certv1.Certificate{
+               ObjectMeta: metav1.ObjectMeta{
+                       Name:      solrCloud.Spec.SolrTLS.AutoCreate.Name,
+                       Namespace: solrCloud.Namespace,
+               },
+               Spec: certv1.CertificateSpec{
+                       Subject:    subject,
+                       CommonName: commonName,
+                       SecretName: solrCloud.Spec.SolrTLS.PKCS12Secret.Name,
+                       DNSNames:   dnsNames,
+                       Keystores: &certv1.CertificateKeystores{
+                               PKCS12: &certv1.PKCS12Keystore{
+                                       Create: true,
+                                       PasswordSecretRef: 
certmetav1.SecretKeySelector{
+                                               Key: 
solrCloud.Spec.SolrTLS.KeyStorePasswordSecret.Key,
+                                               LocalObjectReference: 
certmetav1.LocalObjectReference{
+                                                       Name: 
solrCloud.Spec.SolrTLS.KeyStorePasswordSecret.Name,
+                                               },
+                                       },
+                               },
+                       },
+                       IssuerRef: issuerRef,
+               },
+       }
+
+       return cert
+}
+
+func toX509Subject(subjectMap map[string]string) *certv1.X509Subject {
+       var provinces []string
+       // sometimes it's ST and other times it's S ... handle both
+       if subjectMap["ST"] != "" {
+               provinces = append(provinces, subjectMap["ST"])
+       }
+       if subjectMap["S"] != "" {
+               provinces = append(provinces, subjectMap["S"])
+       }
+       return &certv1.X509Subject{
+               Organizations:       toX509SubjectField(subjectMap["O"]),
+               Countries:           toX509SubjectField(subjectMap["C"]),
+               OrganizationalUnits: toX509SubjectField(subjectMap["OU"]),
+               Localities:          toX509SubjectField(subjectMap["L"]),
+               Provinces:           provinces,
+               StreetAddresses:     toX509SubjectField(subjectMap["STREET"]),
+               PostalCodes:         toX509SubjectField(subjectMap["PC"]),
+               SerialNumber:        subjectMap["SERIALNUMBER"],
+       }
+}
+
+func toX509SubjectField(fieldValue string) []string {
+       if fieldValue != "" {
+               return []string{fieldValue}
+       } else {
+               return nil
+       }
+}
+
+func parseSubjectDName(dname string) map[string]string {
+       parsed := make(map[string]string)
+       fields := []string{"CN", "O", "OU", "L", "ST", "S", "C", 
"SERIALNUMBER", "STREET", "PC"}
+       for _, f := range fields {
+               regex := fmt.Sprintf("(?i)%s=([^,]+)", f)
+               match := regexp.MustCompile(regex).FindStringSubmatch(dname)
+               if len(match) == 2 {
+                       parsed[f] = match[1]
+               }
+       }
+       return parsed
+}
+
+// used to generate a random password to be used for the keystore
+func randomPasswordB64() []byte {
+       rand.Seed(time.Now().UnixNano())
+       lower := "abcdefghijklmnpqrstuvwxyz" // no 'o'
+       chars := lower + strings.ToUpper(lower) + "0123456789()[]~%$!#"
+       pass := make([]byte, 12)
+       perm := rand.Perm(len(chars))
+       for i := 0; i < len(pass); i++ {
+               pass[i] = chars[perm[i]]
+       }
+       return []byte(b64.StdEncoding.EncodeToString(pass))
+}
+
+func GenerateKeystoreSecret(solrCloud *solr.SolrCloud) corev1.Secret {
+       secretName := solrCloud.Spec.SolrTLS.KeyStorePasswordSecret.Name
+       data := map[string][]byte{}
+       data["password-key"] = randomPasswordB64()
+       return corev1.Secret{
+               ObjectMeta: metav1.ObjectMeta{Name: secretName, Namespace: 
solrCloud.Namespace},
+               Data:       data,
+               Type:       corev1.SecretTypeOpaque,
+       }
+}
+
+func GenerateSelfSignedIssuer(solrCloud *solr.SolrCloud, issuerName string) 
certv1.Issuer {
+       return certv1.Issuer{
+               ObjectMeta: metav1.ObjectMeta{Name: issuerName, Namespace: 
solrCloud.Namespace},
+               Spec: certv1.IssuerSpec{
+                       IssuerConfig: certv1.IssuerConfig{
+                               SelfSigned: &certv1.SelfSignedIssuer{},
+                       },
+               },
+       }
+}
+
+func GenerateUrlSchemeJob(solrCloud *solr.SolrCloud, solrCloudStatus 
*solr.SolrCloudStatus) kbatch.Job {
+       zkConnectionStr, zkServer, zkChroot := solrCloudStatus.DissectZkInfo()
+       envVars := []corev1.EnvVar{
+               {
+                       Name:  "ZK_HOST",
+                       Value: zkConnectionStr,
+               },
+               {
+                       Name:  "ZK_CHROOT",
+                       Value: zkChroot,
+               },
+               {
+                       Name:  "ZK_SERVER",
+                       Value: zkServer,
+               },
+       }
+
+       /*
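Review bot: randomPasswordB64 derives the keystore password from math/rand seeded with the wall clock (`rand.Seed(time.Now().UnixNano())`) and picks characters with `rand.Perm`, so the value is predictable from the approximate creation time and can never contain a repeated character, which shrinks the search space further. Because this password protects the PKCS12 keystore and is persisted in a Secret by GenerateKeystoreSecret, it should be drawn from crypto/rand as sketched below; that means importing crypto/rand in place of math/rand plus math/big (the import block is outside the hunk, so whether time stays in use elsewhere I can't confirm), and the added error return has to be propagated by GenerateKeystoreSecret. A smaller point in parseSubjectDName: the pattern `(?i)%s=([^,]+)` has no left boundary, so `C=` can match inside `PC=...` when the DN lists the postal code first; anchoring it as `(?i)(?:^|,)\s*%s=([^,]+)` avoids that. GenerateUrlSchemeJob continues past the end of the hunk.
```go
// randomPasswordB64 builds a 12-character keystore password from chars using
// the operating system's CSPRNG and returns it base64-encoded. Each position is
// drawn independently, so characters may repeat.
func randomPasswordB64() ([]byte, error) {
	lower := "abcdefghijklmnpqrstuvwxyz" // no 'o'
	chars := lower + strings.ToUpper(lower) + "0123456789()[]~%$!#"
	pass := make([]byte, 12)
	limit := big.NewInt(int64(len(chars)))
	for i := range pass {
		// rand.Int is uniform over [0, len(chars)), so there is no modulo bias.
		idx, err := rand.Int(rand.Reader, limit)
		if err != nil {
			return nil, fmt.Errorf("generating keystore password: %w", err)
		}
		pass[i] = chars[idx.Int64()]
	}
	return []byte(b64.StdEncoding.EncodeToString(pass)), nil
}
```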

Review comment:
       This PR has been merged 😃 
   
   You will also need to include the envVars from the ACL secret. But I think 
there may be a method to generate these values for you already....



