15 fix code scanning alert disabled tls certificate check (#25)

* Updated functions to use secrets * Added ca cert mechanism * Removed redundant error log * Updated README * Bumped version to 0.0.2 * Updated sample CR yaml * Returned from reconcile function if credentials not found in secrets * Consolidated secret data fetching into one function call * Updated README for secrets to be using stringData. Updated unit tests. Optimized database instance credentials fetching while provisioning. Added RBAC rules for services, endpoints, and secrets for the controller-manager.
nutanix-cloud-native · Oct 4, 2022 · 23154e5 · 23154e5
1 parent c478d4e
commit 23154e5
Show file tree

Hide file tree

Showing 18 changed files with 763 additions and 137 deletions.
diff --git a/Makefile b/Makefile
@@ -3,7 +3,7 @@
 # To re-generate a bundle for another specific version without changing the standard setup, you can:
 # - use the VERSION as arg of the bundle target (e.g make bundle VERSION=0.0.2)
 # - use environment variables to overwrite this value (e.g export VERSION=0.0.2)
-VERSION ?= 0.0.1
+VERSION ?= 0.0.2
 
 # CHANNELS define the bundle channels used in the bundle.
 # Add a new line here if you would like to change its default config. (E.g CHANNELS = "candidate,fast,stable")

diff --git a/README.md b/README.md
@@ -29,12 +29,38 @@ make deploy
 
 ### Using the Operator
 
-1. To create instances of custom resources (provision databases), edit [ndb_v1alpha1_database.yaml](config/samples/ndb_v1alpha1_database.yaml) file with the NDB installation and database instance details and run:
+1. Create the secrets that are to be used by the custom resource:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: your-ndb-secret
+type: Opaque
+stringData:
+  username: username-for-ndb-server
+  password: password-for-ndb-server
+  ca_certificate: |
+    -----BEGIN CERTIFICATE-----
+    CA CERTIFICATE (ca_certificate is optional)
+    -----END CERTIFICATE-----
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: your-db-secret
+type: Opaque
+stringData:
+  password: password-for-the-database-instance
+  ssh_public_key: SSH-PUBLIC-KEY
+
+```
+
+2. To create instances of custom resources (provision databases), edit [ndb_v1alpha1_database.yaml](config/samples/ndb_v1alpha1_database.yaml) file with the NDB installation and database instance details and run:
 
 ```sh
 kubectl apply -f config/samples/ndb_v1alpha1_database.yaml
 ```
-2. To delete instances of custom resources (deprovision databases) run:
+3. To delete instances of custom resources (deprovision databases) run:
 
 ```sh
 kubectl delete -f config/samples/ndb_v1alpha1_database.yaml
@@ -47,36 +73,36 @@ metadata:
   # This name that will be used within the kubernetes cluster
   name: db
 spec:
+  # NDB server specific details
   ndb:
     # Cluster id of the cluster where the Database has to be provisioned
     # Can be fetched from the GET /clusters endpoint
     clusterId: "Nutanix Cluster Id" 
-    # Credentials for NDB installation
-    credentials:
-      loginUser: admin
-      password: "NDB Password"
-      sshPublicKey: "SSH Key"
+    # Credentials secret name for NDB installation
+    # data: username, password, 
+    # stringData: ca_certificate
+    credentialSecret: your-ndb-secret
     # The NDB Server
     server: https://[NDB IP]:8443/era/v0.9
-
+    # Set to true to skip SSL verification, default: false.
+    skipCertificateVerification: true
+  # Database instance specific details (that is to be provisioned)
   databaseInstance:
     # The database instance name on NDB
-    databaseInstanceName: "Database Instance Name"
+    databaseInstanceName: "Database-Instance-Name"
     # Names of the databases on that instance
     databaseNames:
       - database_one
       - database_two
       - database_three
-    # Password for the database
-    password: qwertyuiop
+    # Credentials secret name for NDB installation
+    # data: password, ssh_public_key
+    credentialSecret: your-db-secret
     size: 10
     timezone: "UTC"
     type: postgres
 ```
 
-
-
-
 ## Developement
 
 ### Installation and Running the controller locally
@@ -107,7 +133,7 @@ More information can be found via the [Kubebuilder Documentation](https://book.k
 
 ### Building and pushing to an image registry  
 Build and push your image to the location specified by `IMG`:
-	
+  
 ```sh
 make docker-build docker-push IMG=<some-registry>/ndb-operator:tag
 ```

diff --git a/api/v1alpha1/constants.go b/api/v1alpha1/constants.go
@@ -39,6 +39,10 @@ const (
 	FINALIZER_DATABASE_INSTANCE = "ndb.nutanix.com/finalizerdatabaseinstance"
 	FINALIZER_DATABASE_SERVER   = "ndb.nutanix.com/finalizerdatabaseserver"
 
+	NDB_PARAM_USERNAME       = "username"
+	NDB_PARAM_PASSWORD       = "password"
+	NDB_PARAM_SSH_PUBLIC_KEY = "ssh_public_key"
+
 	PROFILE_TYPE_COMPUTE            = "Compute"
 	PROFILE_TYPE_DATABASE_PARAMETER = "Database_Parameter"
 	PROFILE_TYPE_NETWORK            = "Network"
@@ -47,6 +51,11 @@ const (
 
 	PROPERTY_NAME_VM_IP = "vm_ip"
 
+	SECRET_DATA_KEY_CA_CERTIFICATE = "ca_certificate"
+	SECRET_DATA_KEY_PASSWORD       = "password"
+	SECRET_DATA_KEY_SSH_PUBLIC_KEY = "ssh_public_key"
+	SECRET_DATA_KEY_USERNAME       = "username"
+
 	SLA_NAME_NONE = "NONE"
 
 	TOPOLOGY_ALL      = "ALL"

diff --git a/api/v1alpha1/database_types.go b/api/v1alpha1/database_types.go
@@ -72,18 +72,17 @@ func init() {
 
 // Details of the NDB installation
 type NDB struct {
-	ClusterId   string      `json:"clusterId"`
-	Credentials Credentials `json:"credentials"`
-	Server      string      `json:"server"`
-}
-
-type Credentials struct {
-	// Username for NDB
-	LoginUser string `json:"loginUser"`
-	// Password for NDB
-	Password string `json:"password"`
-	// SSH public key for the database vm
-	SSHPublicKey string `json:"sshPublicKey"`
+	// +kubebuilder:validation:Required
+	ClusterId string `json:"clusterId"`
+	// +kubebuilder:validation:Required
+	// Name of the secret holding the credentials for NDB (username and password)
+	CredentialSecret string `json:"credentialSecret"`
+	// +kubebuilder:validation:Required
+	Server string `json:"server"`
+	// +kubebuilder:default:=false
+	// +optional
+	// Skip server's certificate and hostname verification
+	SkipCertificateVerification bool `json:"skipCertificateVerification"`
 }
 
 // Database instance specific details
@@ -95,8 +94,9 @@ type Instance struct {
 	// +kubebuilder:validation:MinItems:=1
 	// Name of the database to be provisiond in the database instance
 	DatabaseNames []string `json:"databaseNames"`
-	// Password of the database instance
-	Password string `json:"password"`
+	// +kubebuilder:validation:Required
+	// Name of the secret holding the credentials for the database instance (password and ssh key)
+	CredentialSecret string `json:"credentialSecret"`
 	// +kubebuilder:validation:Minimum:=10
 	// +kubebuilder:default:=10
 	// +optional

diff --git a/api/v1alpha1/ndb_api_helpers.go b/api/v1alpha1/ndb_api_helpers.go
@@ -30,7 +30,7 @@ import (
 
 // This function generates and returns a request for provisioning a database (and a dbserver vm) on NDB
 // The database provisioned has a NONE time machine SLA attached to it, and uses the default OOB profiles
-func GenerateProvisioningRequest(ctx context.Context, ndbclient *ndbclient.NDBClient, dbSpec DatabaseSpec) (req *DatabaseProvisionRequest, err error) {
+func GenerateProvisioningRequest(ctx context.Context, ndbclient *ndbclient.NDBClient, dbSpec DatabaseSpec, reqData map[string]interface{}) (req *DatabaseProvisionRequest, err error) {
 	log := ctrllog.FromContext(ctx)
 	log.Info("Entered ndb_api_helpers.GenerateProvisioningRequest", "database name", dbSpec.Instance.DatabaseInstanceName, "database type", dbSpec.Instance.Type)
 
@@ -50,6 +50,31 @@ func GenerateProvisioningRequest(ctx context.Context, ndbclient *ndbclient.NDBCl
 
 	database_names := strings.Join(dbSpec.Instance.DatabaseNames, ",")
 
+	// Type assertion
+	dbPassword, ok := reqData[NDB_PARAM_PASSWORD].(string)
+	if !ok || dbPassword == "" {
+		err = errors.New("invalid database password")
+		var errStatement string
+		if !ok {
+			errStatement = "Type assertion failed for database password. Expected a string value"
+		} else {
+			errStatement = "Empty database password"
+		}
+		log.Error(err, errStatement)
+	}
+	// Type assertion
+	SSHPublicKey, ok := reqData[NDB_PARAM_SSH_PUBLIC_KEY].(string)
+	if !ok || SSHPublicKey == "" {
+		err = errors.New("invalid ssh public key")
+		var errStatement string
+		if !ok {
+			errStatement = "Type assertion failed for SSHPublicKey. Expected a string value"
+		} else {
+			errStatement = "Empty SSHPublicKey"
+		}
+		log.Error(err, errStatement)
+	}
+
 	// Creating a provisioning request based on the database type
 	req = &DatabaseProvisionRequest{
 		DatabaseType:             GetDatabaseEngineName(dbSpec.Instance.Type),
@@ -64,7 +89,7 @@ func GenerateProvisioningRequest(ctx context.Context, ndbclient *ndbclient.NDBCl
 		CreateDbServer:           true,
 		NodeCount:                1,
 		NxClusterId:              dbSpec.NDB.ClusterId,
-		SSHPublicKey:             dbSpec.NDB.Credentials.SSHPublicKey,
+		SSHPublicKey:             SSHPublicKey,
 		Clustered:                false,
 		AutoTuneStagingDrive:     true,
 		TimeMachineInfo: TimeMachineInfo{
@@ -114,7 +139,7 @@ func GenerateProvisioningRequest(ctx context.Context, ndbclient *ndbclient.NDBCl
 			},
 			{
 				Name:  "db_password",
-				Value: dbSpec.Instance.Password,
+				Value: dbPassword,
 			},
 		},
 		Nodes: []Node{

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/ndb.nutanix.com_databases.yaml b/config/crd/bases/ndb.nutanix.com_databases.yaml
@@ -54,6 +54,10 @@ spec:
               databaseInstance:
                 description: Database instance specific details
                 properties:
+                  credentialSecret:
+                    description: Name of the secret holding the credentials for the
+                      database instance (password and ssh key)
+                    type: string
                   databaseInstanceName:
                     default: database_instance_name
                     description: Name of the database instance
@@ -69,9 +73,6 @@ spec:
                       type: string
                     minItems: 1
                     type: array
-                  password:
-                    description: Password of the database instance
-                    type: string
                   profiles:
                     properties:
                       compute:
@@ -119,37 +120,29 @@ spec:
                     - mongodb
                     type: string
                 required:
+                - credentialSecret
                 - databaseInstanceName
                 - databaseNames
-                - password
                 - type
                 type: object
               ndb:
                 description: Details of the NDB installation
                 properties:
                   clusterId:
                     type: string
-                  credentials:
-                    properties:
-                      loginUser:
-                        description: Username for NDB
-                        type: string
-                      password:
-                        description: Password for NDB
-                        type: string
-                      sshPublicKey:
-                        description: SSH public key for the database vm
-                        type: string
-                    required:
-                    - loginUser
-                    - password
-                    - sshPublicKey
-                    type: object
+                  credentialSecret:
+                    description: Name of the secret holding the credentials for NDB
+                      (username and password)
+                    type: string
                   server:
                     type: string
+                  skipCertificateVerification:
+                    default: false
+                    description: Skip server's certificate and hostname verification
+                    type: boolean
                 required:
                 - clusterId
-                - credentials
+                - credentialSecret
                 - server
                 type: object
             required:

diff --git a/config/rbac/role.yaml b/config/rbac/role.yaml
@@ -31,3 +31,24 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - ""
+  resources:
+  - services
+  - endpoints
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - ""
+  resources:
+  - secrets
+  verbs:
+  - get
+  - list
+  - watch
diff --git a/config/samples/ndb_v1alpha1_database.yaml b/config/samples/ndb_v1alpha1_database.yaml
@@ -5,19 +5,16 @@ metadata:
 spec:
   ndb:
     clusterId: "Nutanix Cluster Id"
-    credentials:
-      loginUser: admin
-      password: "NDB Password"
-      sshPublicKey: "SSH Key"
+    credentialSecret : ndb-secret-name
     server: https://[NDB IP]:8443/era/v0.9
-
+    skipCertificateVerification: true
   databaseInstance:
     databaseInstanceName: "Database Instance Name"
     databaseNames:
       - database_one
       - database_two
       - database_three
-    password: 
+    credentialSecret: db-instance-secret-name
     size: 10
     timezone: "UTC"
     type: postgres