Merge pull request #51 from arangodb/tls-auto-on

Turn on TLS by default

Author: ewoutp

docs/user/custom_resource.md

@@ -142,7 +142,8 @@ and restarting it.
 This setting specifies the name of a kubernetes `Secret` that contains
 a standard CA certificate + private key used to sign certificates for individual
 ArangoDB servers.
-The default value is empty. TBD
+When no name is specified, it defaults to `<deployment-name>-ca`.
+To disable authentication, set this value to `None`.
 
 If you specify a name of a `Secret` that does not exist, a self-signed CA certificate + key is created
 and stored in a `Secret` with given name.

docs/user/tls.md

@@ -1,11 +1,13 @@
 # TLS
 
-The ArangoDB operator allows you to create ArangoDB deployments that use
+The ArangoDB operator will by default create ArangoDB deployments that use
 secure TLS connections.
 
 It uses a single CA certificate (stored in a Kubernetes secret) and
 one certificate per ArangoDB server (stored in a Kubernetes secret per server).
 
+To disable TLS, set `spec.tls.caSecretName` to `None`.
+
 ## Install CA certificate
 
 If the CA certificate is self-signed, it will not be trusted by browsers,

examples/simple-cluster-no-tls.yaml

@@ -0,0 +1,8 @@
+apiVersion: "database.arangodb.com/v1alpha"
+kind: "ArangoDeployment"
+metadata:
+  name: "example-simple-cluster-no-tls"
+spec:
+  mode: cluster
+  tls:
+    caSecretName: None

examples/simple-cluster-tls.yaml

@@ -92,7 +92,7 @@ func (s *DeploymentSpec) SetDefaults(deploymentName string) {
 	}
 	s.RocksDB.SetDefaults()
 	s.Authentication.SetDefaults(deploymentName + "-jwt")
-	s.TLS.SetDefaults("")
+	s.TLS.SetDefaults(deploymentName + "-ca")
 	s.Sync.SetDefaults(s.Image, s.ImagePullPolicy, deploymentName+"-sync-jwt", deploymentName+"-sync-ca")
 	s.Single.SetDefaults(ServerGroupSingle, s.Mode.HasSingleServers(), s.Mode)
 	s.Agents.SetDefaults(ServerGroupAgents, s.Mode.HasAgents(), s.Mode)

pkg/apis/deployment/v1alpha/deployment_spec.go

@@ -42,9 +42,14 @@ type TLSSpec struct {
 	TTL          time.Duration `json:"ttl,omitempty"`
 }
 
+const (
+	// CASecretNameDisabled is the value of CASecretName to use for disabling authentication.
+	CASecretNameDisabled = "None"
+)
+
 // IsSecure returns true when a CA secret has been set, false otherwise.
 func (s TLSSpec) IsSecure() bool {
-	return s.CASecretName != ""
+	return s.CASecretName != CASecretNameDisabled
 }
 
 // GetAltNames splits the list of AltNames into DNS names, IP addresses & email addresses.

pkg/apis/deployment/v1alpha/tls_spec.go

@@ -43,8 +43,9 @@ func TestTLSSpecValidate(t *testing.T) {
 }
 
 func TestTLSSpecIsSecure(t *testing.T) {
-	assert.False(t, TLSSpec{CASecretName: ""}.IsSecure())
+	assert.True(t, TLSSpec{CASecretName: ""}.IsSecure())
 	assert.True(t, TLSSpec{CASecretName: "foo"}.IsSecure())
+	assert.False(t, TLSSpec{CASecretName: "None"}.IsSecure())
 }
 
 func TestTLSSpecSetDefaults(t *testing.T) {

pkg/apis/deployment/v1alpha/tls_spec_test.go

@@ -54,9 +54,9 @@ func TestCreateArangodArgsAgent(t *testing.T) {
 		assert.Equal(t,
 			[]string{
 				"--agency.activate=true",
-				"--agency.endpoint=tcp://name-agent-a2.name-int.ns.svc:8529",
-				"--agency.endpoint=tcp://name-agent-a3.name-int.ns.svc:8529",
-				"--agency.my-address=tcp://name-agent-a1.name-int.ns.svc:8529",
+				"--agency.endpoint=ssl://name-agent-a2.name-int.ns.svc:8529",
+				"--agency.endpoint=ssl://name-agent-a3.name-int.ns.svc:8529",
+				"--agency.my-address=ssl://name-agent-a1.name-int.ns.svc:8529",
 				"--agency.size=3",
 				"--agency.supervision=true",
 				"--cluster.my-id=a1",
@@ -65,16 +65,18 @@ func TestCreateArangodArgsAgent(t *testing.T) {
 				"--log.level=INFO",
 				"--log.output=+",
 				"--server.authentication=true",
-				"--server.endpoint=tcp://[::]:8529",
+				"--server.endpoint=ssl://[::]:8529",
 				"--server.jwt-secret=$(ARANGOD_JWT_SECRET)",
 				"--server.statistics=false",
 				"--server.storage-engine=rocksdb",
+				"--ssl.ecdh-curve=",
+				"--ssl.keyfile=/secrets/tls/tls.keyfile",
 			},
 			cmdline,
 		)
 	}
 
-	// Default+TLS deployment
+	// Default+TLS disabled deployment
 	{
 		apiObject := &api.ArangoDeployment{
 			ObjectMeta: metav1.ObjectMeta{
@@ -84,7 +86,7 @@ func TestCreateArangodArgsAgent(t *testing.T) {
 			Spec: api.DeploymentSpec{
 				Mode: api.DeploymentModeCluster,
 				TLS: api.TLSSpec{
-					CASecretName: "test-ca",
+					CASecretName: "None",
 				},
 			},
 		}
@@ -98,9 +100,9 @@ func TestCreateArangodArgsAgent(t *testing.T) {
 		assert.Equal(t,
 			[]string{
 				"--agency.activate=true",
-				"--agency.endpoint=ssl://name-agent-a2.name-int.ns.svc:8529",
-				"--agency.endpoint=ssl://name-agent-a3.name-int.ns.svc:8529",
-				"--agency.my-address=ssl://name-agent-a1.name-int.ns.svc:8529",
+				"--agency.endpoint=tcp://name-agent-a2.name-int.ns.svc:8529",
+				"--agency.endpoint=tcp://name-agent-a3.name-int.ns.svc:8529",
+				"--agency.my-address=tcp://name-agent-a1.name-int.ns.svc:8529",
 				"--agency.size=3",
 				"--agency.supervision=true",
 				"--cluster.my-id=a1",
@@ -109,12 +111,10 @@ func TestCreateArangodArgsAgent(t *testing.T) {
 				"--log.level=INFO",
 				"--log.output=+",
 				"--server.authentication=true",
-				"--server.endpoint=ssl://[::]:8529",
+				"--server.endpoint=tcp://[::]:8529",
 				"--server.jwt-secret=$(ARANGOD_JWT_SECRET)",
 				"--server.statistics=false",
 				"--server.storage-engine=rocksdb",
-				"--ssl.ecdh-curve=",
-				"--ssl.keyfile=/secrets/tls/tls.keyfile",
 			},
 			cmdline,
 		)
@@ -143,9 +143,9 @@ func TestCreateArangodArgsAgent(t *testing.T) {
 		assert.Equal(t,
 			[]string{
 				"--agency.activate=true",
-				"--agency.endpoint=tcp://name-agent-a2.name-int.ns.svc:8529",
-				"--agency.endpoint=tcp://name-agent-a3.name-int.ns.svc:8529",
-				"--agency.my-address=tcp://name-agent-a1.name-int.ns.svc:8529",
+				"--agency.endpoint=ssl://name-agent-a2.name-int.ns.svc:8529",
+				"--agency.endpoint=ssl://name-agent-a3.name-int.ns.svc:8529",
+				"--agency.my-address=ssl://name-agent-a1.name-int.ns.svc:8529",
 				"--agency.size=3",
 				"--agency.supervision=true",
 				"--cluster.my-id=a1",
@@ -154,9 +154,11 @@ func TestCreateArangodArgsAgent(t *testing.T) {
 				"--log.level=INFO",
 				"--log.output=+",
 				"--server.authentication=false",
-				"--server.endpoint=tcp://[::]:8529",
+				"--server.endpoint=ssl://[::]:8529",
 				"--server.statistics=false",
 				"--server.storage-engine=mmfiles",
+				"--ssl.ecdh-curve=",
+				"--ssl.keyfile=/secrets/tls/tls.keyfile",
 			},
 			cmdline,
 		)
@@ -184,9 +186,9 @@ func TestCreateArangodArgsAgent(t *testing.T) {
 		assert.Equal(t,
 			[]string{
 				"--agency.activate=true",
-				"--agency.endpoint=tcp://name-agent-a2.name-int.ns.svc:8529",
-				"--agency.endpoint=tcp://name-agent-a3.name-int.ns.svc:8529",
-				"--agency.my-address=tcp://name-agent-a1.name-int.ns.svc:8529",
+				"--agency.endpoint=ssl://name-agent-a2.name-int.ns.svc:8529",
+				"--agency.endpoint=ssl://name-agent-a3.name-int.ns.svc:8529",
+				"--agency.my-address=ssl://name-agent-a1.name-int.ns.svc:8529",
 				"--agency.size=3",
 				"--agency.supervision=true",
 				"--cluster.my-id=a1",
@@ -195,10 +197,12 @@ func TestCreateArangodArgsAgent(t *testing.T) {
 				"--log.level=INFO",
 				"--log.output=+",
 				"--server.authentication=true",
-				"--server.endpoint=tcp://[::]:8529",
+				"--server.endpoint=ssl://[::]:8529",
 				"--server.jwt-secret=$(ARANGOD_JWT_SECRET)",
 				"--server.statistics=false",
 				"--server.storage-engine=rocksdb",
+				"--ssl.ecdh-curve=",
+				"--ssl.keyfile=/secrets/tls/tls.keyfile",
 				"--foo1",
 				"--foo2",
 			},

pkg/deployment/pod_creator_agent_args_test.go

@@ -53,27 +53,29 @@ func TestCreateArangodArgsCoordinator(t *testing.T) {
 		cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupCoordinators, apiObject.Spec.Coordinators, agents, "id1")
 		assert.Equal(t,
 			[]string{
-				"--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529",
-				"--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529",
-				"--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529",
-				"--cluster.my-address=tcp://name-coordinator-id1.name-int.ns.svc:8529",
+				"--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529",
+				"--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529",
+				"--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529",
+				"--cluster.my-address=ssl://name-coordinator-id1.name-int.ns.svc:8529",
 				"--cluster.my-id=id1",
 				"--cluster.my-role=COORDINATOR",
 				"--database.directory=/data",
 				"--foxx.queues=true",
 				"--log.level=INFO",
 				"--log.output=+",
 				"--server.authentication=true",
-				"--server.endpoint=tcp://[::]:8529",
+				"--server.endpoint=ssl://[::]:8529",
 				"--server.jwt-secret=$(ARANGOD_JWT_SECRET)",
 				"--server.statistics=true",
 				"--server.storage-engine=rocksdb",
+				"--ssl.ecdh-curve=",
+				"--ssl.keyfile=/secrets/tls/tls.keyfile",
 			},
 			cmdline,
 		)
 	}
 
-	// Default+TLS deployment
+	// Default+TLS disabled deployment
 	{
 		apiObject := &api.ArangoDeployment{
 			ObjectMeta: metav1.ObjectMeta{
@@ -83,7 +85,7 @@ func TestCreateArangodArgsCoordinator(t *testing.T) {
 			Spec: api.DeploymentSpec{
 				Mode: api.DeploymentModeCluster,
 				TLS: api.TLSSpec{
-					CASecretName: "test-ca",
+					CASecretName: "None",
 				},
 			},
 		}
@@ -96,23 +98,21 @@ func TestCreateArangodArgsCoordinator(t *testing.T) {
 		cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupCoordinators, apiObject.Spec.Coordinators, agents, "id1")
 		assert.Equal(t,
 			[]string{
-				"--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529",
-				"--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529",
-				"--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529",
-				"--cluster.my-address=ssl://name-coordinator-id1.name-int.ns.svc:8529",
+				"--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529",
+				"--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529",
+				"--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529",
+				"--cluster.my-address=tcp://name-coordinator-id1.name-int.ns.svc:8529",
 				"--cluster.my-id=id1",
 				"--cluster.my-role=COORDINATOR",
 				"--database.directory=/data",
 				"--foxx.queues=true",
 				"--log.level=INFO",
 				"--log.output=+",
 				"--server.authentication=true",
-				"--server.endpoint=ssl://[::]:8529",
+				"--server.endpoint=tcp://[::]:8529",
 				"--server.jwt-secret=$(ARANGOD_JWT_SECRET)",
 				"--server.statistics=true",
 				"--server.storage-engine=rocksdb",
-				"--ssl.ecdh-curve=",
-				"--ssl.keyfile=/secrets/tls/tls.keyfile",
 			},
 			cmdline,
 		)
@@ -139,20 +139,22 @@ func TestCreateArangodArgsCoordinator(t *testing.T) {
 		cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupCoordinators, apiObject.Spec.Coordinators, agents, "id1")
 		assert.Equal(t,
 			[]string{
-				"--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529",
-				"--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529",
-				"--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529",
-				"--cluster.my-address=tcp://name-coordinator-id1.name-int.ns.svc:8529",
+				"--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529",
+				"--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529",
+				"--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529",
+				"--cluster.my-address=ssl://name-coordinator-id1.name-int.ns.svc:8529",
 				"--cluster.my-id=id1",
 				"--cluster.my-role=COORDINATOR",
 				"--database.directory=/data",
 				"--foxx.queues=true",
 				"--log.level=INFO",
 				"--log.output=+",
 				"--server.authentication=false",
-				"--server.endpoint=tcp://[::]:8529",
+				"--server.endpoint=ssl://[::]:8529",
 				"--server.statistics=true",
 				"--server.storage-engine=rocksdb",
+				"--ssl.ecdh-curve=",
+				"--ssl.keyfile=/secrets/tls/tls.keyfile",
 			},
 			cmdline,
 		)
@@ -180,21 +182,23 @@ func TestCreateArangodArgsCoordinator(t *testing.T) {
 		cmdline := createArangodArgs(apiObject, apiObject.Spec, api.ServerGroupCoordinators, apiObject.Spec.Coordinators, agents, "id1")
 		assert.Equal(t,
 			[]string{
-				"--cluster.agency-endpoint=tcp://name-agent-a1.name-int.ns.svc:8529",
-				"--cluster.agency-endpoint=tcp://name-agent-a2.name-int.ns.svc:8529",
-				"--cluster.agency-endpoint=tcp://name-agent-a3.name-int.ns.svc:8529",
-				"--cluster.my-address=tcp://name-coordinator-id1.name-int.ns.svc:8529",
+				"--cluster.agency-endpoint=ssl://name-agent-a1.name-int.ns.svc:8529",
+				"--cluster.agency-endpoint=ssl://name-agent-a2.name-int.ns.svc:8529",
+				"--cluster.agency-endpoint=ssl://name-agent-a3.name-int.ns.svc:8529",
+				"--cluster.my-address=ssl://name-coordinator-id1.name-int.ns.svc:8529",
 				"--cluster.my-id=id1",
 				"--cluster.my-role=COORDINATOR",
 				"--database.directory=/data",
 				"--foxx.queues=true",
 				"--log.level=INFO",
 				"--log.output=+",
 				"--server.authentication=true",
-				"--server.endpoint=tcp://[::]:8529",
+				"--server.endpoint=ssl://[::]:8529",
 				"--server.jwt-secret=$(ARANGOD_JWT_SECRET)",
 				"--server.statistics=true",
 				"--server.storage-engine=mmfiles",
+				"--ssl.ecdh-curve=",
+				"--ssl.keyfile=/secrets/tls/tls.keyfile",
 				"--foo1",
 				"--foo2",
 			},