Turn on TLS by default

ewoutp · ewoutp · commit ee5dcb5e1b12 · 2018-03-19T09:44:46.000+01:00
diff --git a/docs/user/custom_resource.md b/docs/user/custom_resource.md
@@ -142,7 +142,8 @@ and restarting it.
 This setting specifies the name of a kubernetes `Secret` that contains
 a standard CA certificate + private key used to sign certificates for individual
 ArangoDB servers.
-The default value is empty. TBD
+When no name is specified, it defaults to `<deployment-name>-ca`.
+To disable authentication, set this value to `None`.
 
 If you specify a name of a `Secret` that does not exist, a self-signed CA certificate + key is created
 and stored in a `Secret` with given name.
diff --git a/docs/user/tls.md b/docs/user/tls.md
@@ -1,11 +1,13 @@
 # TLS
 
-The ArangoDB operator allows you to create ArangoDB deployments that use
+The ArangoDB operator will by default create ArangoDB deployments that use
 secure TLS connections.
 
 It uses a single CA certificate (stored in a Kubernetes secret) and
 one certificate per ArangoDB server (stored in a Kubernetes secret per server).
 
+To disable TLS, set `spec.tls.caSecretName` to `None`.
+
 ## Install CA certificate
 
 If the CA certificate is self-signed, it will not be trusted by browsers,
diff --git a/examples/simple-cluster-no-tls.yaml b/examples/simple-cluster-no-tls.yaml
@@ -0,0 +1,8 @@
+apiVersion: "database.arangodb.com/v1alpha"
+kind: "ArangoDeployment"
+metadata:
+  name: "example-simple-cluster-no-tls"
+spec:
+  mode: cluster
+  tls:
+    caSecretName: None
diff --git a/examples/simple-cluster-tls.yaml b/examples/simple-cluster-tls.yaml
diff --git a/pkg/apis/deployment/v1alpha/deployment_spec.go b/pkg/apis/deployment/v1alpha/deployment_spec.go
@@ -92,7 +92,7 @@ func (s *DeploymentSpec) SetDefaults(deploymentName string) {
 	}
 	s.RocksDB.SetDefaults()
 	s.Authentication.SetDefaults(deploymentName + "-jwt")
-	s.TLS.SetDefaults("")
+	s.TLS.SetDefaults(deploymentName + "-ca")
 	s.Sync.SetDefaults(s.Image, s.ImagePullPolicy, deploymentName+"-sync-jwt", deploymentName+"-sync-ca")
 	s.Single.SetDefaults(ServerGroupSingle, s.Mode.HasSingleServers(), s.Mode)
 	s.Agents.SetDefaults(ServerGroupAgents, s.Mode.HasAgents(), s.Mode)
diff --git a/pkg/apis/deployment/v1alpha/tls_spec.go b/pkg/apis/deployment/v1alpha/tls_spec.go
@@ -42,9 +42,14 @@ type TLSSpec struct {
 	TTL          time.Duration `json:"ttl,omitempty"`
 }
 
+const (
+	// CASecretNameDisabled is the value of CASecretName to use for disabling authentication.
+	CASecretNameDisabled = "None"
+)
+
 // IsSecure returns true when a CA secret has been set, false otherwise.
 func (s TLSSpec) IsSecure() bool {
-	return s.CASecretName != ""
+	return s.CASecretName != CASecretNameDisabled
 }
 
 // GetAltNames splits the list of AltNames into DNS names, IP addresses & email addresses.
diff --git a/pkg/apis/deployment/v1alpha/tls_spec_test.go b/pkg/apis/deployment/v1alpha/tls_spec_test.go
@@ -43,8 +43,9 @@ func TestTLSSpecValidate(t *testing.T) {
 }
 
 func TestTLSSpecIsSecure(t *testing.T) {
-	assert.False(t, TLSSpec{CASecretName: ""}.IsSecure())
+	assert.True(t, TLSSpec{CASecretName: ""}.IsSecure())
 	assert.True(t, TLSSpec{CASecretName: "foo"}.IsSecure())
+	assert.False(t, TLSSpec{CASecretName: "None"}.IsSecure())
 }
 
 func TestTLSSpecSetDefaults(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -92,7 +92,7 @@ func (s *DeploymentSpec) SetDefaults(deploymentName string) {`
`92`	`92`	`}`
`93`	`93`	`s.RocksDB.SetDefaults()`
`94`	`94`	`s.Authentication.SetDefaults(deploymentName + "-jwt")`
`95`		`- s.TLS.SetDefaults("")`
	`95`	`+ s.TLS.SetDefaults(deploymentName + "-ca")`
`96`	`96`	`s.Sync.SetDefaults(s.Image, s.ImagePullPolicy, deploymentName+"-sync-jwt", deploymentName+"-sync-ca")`
`97`	`97`	`s.Single.SetDefaults(ServerGroupSingle, s.Mode.HasSingleServers(), s.Mode)`
`98`	`98`	`s.Agents.SetDefaults(ServerGroupAgents, s.Mode.HasAgents(), s.Mode)`
Original file line number	Diff line number	Diff line change
`@@ -42,9 +42,14 @@ type TLSSpec struct {`
`42`	`42`	TTL time.Duration `json:"ttl,omitempty"`
`43`	`43`	`}`
`44`	`44`
	`45`	`+const (`
	`46`	`+ // CASecretNameDisabled is the value of CASecretName to use for disabling authentication.`
	`47`	`+ CASecretNameDisabled = "None"`
	`48`	`+)`
	`49`	`+`
`45`	`50`	`// IsSecure returns true when a CA secret has been set, false otherwise.`
`46`	`51`	`func (s TLSSpec) IsSecure() bool {`
`47`		`- return s.CASecretName != ""`
	`52`	`+ return s.CASecretName != CASecretNameDisabled`
`48`	`53`	`}`
`49`	`54`
`50`	`55`	`// GetAltNames splits the list of AltNames into DNS names, IP addresses & email addresses.`
Original file line number	Diff line number	Diff line change
`@@ -43,8 +43,9 @@ func TestTLSSpecValidate(t *testing.T) {`
`43`	`43`	`}`
`44`	`44`
`45`	`45`	`func TestTLSSpecIsSecure(t *testing.T) {`
`46`		`- assert.False(t, TLSSpec{CASecretName: ""}.IsSecure())`
	`46`	`+ assert.True(t, TLSSpec{CASecretName: ""}.IsSecure())`
`47`	`47`	`assert.True(t, TLSSpec{CASecretName: "foo"}.IsSecure())`
	`48`	`+ assert.False(t, TLSSpec{CASecretName: "None"}.IsSecure())`
`48`	`49`	`}`
`49`	`50`
`50`	`51`	`func TestTLSSpecSetDefaults(t *testing.T) {`