Add SingleStore TLS

Signed-off-by: ashraful <[email protected]>

go.mod

@@ -25,7 +25,7 @@ require (
 	k8s.io/klog/v2 v2.120.1
 	kmodules.xyz/client-go v0.29.13
 	kmodules.xyz/custom-resources v0.29.1
-	kubedb.dev/apimachinery v0.44.1-0.20240418111017-ee6ba81797f6
+	kubedb.dev/apimachinery v0.44.1-0.20240424083633-36da0c72ae58
 	sigs.k8s.io/controller-runtime v0.17.2
 	xorm.io/xorm v1.3.6
 )

go.sum

@@ -585,8 +585,8 @@ kmodules.xyz/monitoring-agent-api v0.29.0 h1:gpFl6OZrlMLb/ySMHdREI9EwGtnJ91oZBn9
 kmodules.xyz/monitoring-agent-api v0.29.0/go.mod h1:iNbvaMTgVFOI5q2LJtGK91j4Dmjv4ZRiRdasGmWLKQI=
 kmodules.xyz/offshoot-api v0.29.0 h1:GHLhxxT9jU1N8+FvOCCeJNyU5g0duYS46UGrs6AHNLY=
 kmodules.xyz/offshoot-api v0.29.0/go.mod h1:5NxhBblXoDHWStx9HCDJR2KFTwYjEZ7i1Id3jelIunw=
-kubedb.dev/apimachinery v0.44.1-0.20240418111017-ee6ba81797f6 h1:VrQhjNOGtqmMiT7lMxIydlfhuL8Ya+uitzyvBbvToQ4=
-kubedb.dev/apimachinery v0.44.1-0.20240418111017-ee6ba81797f6/go.mod h1:7daaaWragCFLV38plrrJtsOuzinBSX3enMpliqlm3Uo=
+kubedb.dev/apimachinery v0.44.1-0.20240424083633-36da0c72ae58 h1:EWL4TKROjG6YoMewmr8Bq8SrZHZ34w1BuV988v4/X80=
+kubedb.dev/apimachinery v0.44.1-0.20240424083633-36da0c72ae58/go.mod h1:7daaaWragCFLV38plrrJtsOuzinBSX3enMpliqlm3Uo=
 kubeops.dev/petset v0.0.5 h1:VVXi39JhjondlbHyZ98z0MLp6VCmiCMinL59K48Y2zA=
 kubeops.dev/petset v0.0.5/go.mod h1:ijtKT1HlAht2vBEZj5LW7C00XEs3B0d1VdCQgd5V4cA=
 lukechampine.com/uint128 v1.1.1/go.mod h1:c4eWIwlEGaxC/+H1VguhU4PHXNWDCDMUlWdIWl2j1gk=

singlestore/kubedb_client_builder.go

@@ -18,10 +18,12 @@ package singlestore
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"database/sql"
 	"fmt"
 
-	_ "github.com/go-sql-driver/mysql"
+	sql_driver "github.com/go-sql-driver/mysql"
 	core "k8s.io/api/core/v1"
 	"k8s.io/klog/v2"
 	api "kubedb.dev/apimachinery/apis/kubedb/v1alpha2"
@@ -147,10 +149,10 @@ func (o *KubeDBClientBuilder) getConnectionString() (string, error) {
 	}
 
 	tlsConfig := ""
-	/*if o.db.Spec.RequireSSL && o.db.Spec.TLS != nil {
+	if o.db.Spec.TLS != nil {
 		// get client-secret
 		var clientSecret core.Secret
-		err := o.kc.Get(o.ctx, client.ObjectKey{Namespace: o.db.GetNamespace(), Name: o.db.GetCertSecretName(api.MySQLClientCert)}, &clientSecret)
+		err := o.kc.Get(o.ctx, client.ObjectKey{Namespace: o.db.GetNamespace(), Name: o.db.GetCertSecretName(api.SinglestoreClientCert)}, &clientSecret)
 		if err != nil {
 			return "", err
 		}
@@ -168,19 +170,15 @@ func (o *KubeDBClientBuilder) getConnectionString() (string, error) {
 		clientCert = append(clientCert, cert)
 
 		// tls custom setup
-		if o.db.Spec.RequireSSL {
-			err = sql_driver.RegisterTLSConfig(api.MySQLTLSConfigCustom, &tls.Config{
-				RootCAs:      certPool,
-				Certificates: clientCert,
-			})
-			if err != nil {
-				return "", err
-			}
-			tlsConfig = fmt.Sprintf("tls=%s", api.MySQLTLSConfigCustom)
-		} else {
-			tlsConfig = fmt.Sprintf("tls=%s", api.MySQLTLSConfigSkipVerify)
+		err = sql_driver.RegisterTLSConfig(api.SinglestoreTLSConfigCustom, &tls.Config{
+			RootCAs:      certPool,
+			Certificates: clientCert,
+		})
+		if err != nil {
+			return "", err
 		}
-	}*/
+		tlsConfig = fmt.Sprintf("tls=%s", api.SinglestoreTLSConfigCustom)
+	}
 
 	connector := fmt.Sprintf("%v:%v@tcp(%s:%d)/%s?%s", user, pass, o.url, 3306, "memsql", tlsConfig)
 	return connector, nil

vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/constants.go

@@ -325,19 +325,22 @@ const (
 	SinglestoreDatabasePortName       = "db"
 	SinglestorePrimaryServicePortName = "primary"
 	SinglestoreStudioPortName         = "studio"
-	SinglestoreDatabasePort           = 3306
-	SinglestoreStudioPort             = 8081
-	SinglestoreExporterPort           = 9104
-	SinglestoreRootUserName           = "ROOT_USERNAME"
-	SinglestoreRootPassword           = "ROOT_PASSWORD"
-	SinglestoreRootUser               = "root"
-	DatabasePodMaster                 = "Master"
-	DatabasePodAggregator             = "Aggregator"
-	DatabasePodLeaf                   = "Leaf"
-	PetSetTypeAggregator              = "aggregator"
-	PetSetTypeLeaf                    = "leaf"
-	SinglestoreDatabaseHealth         = "singlestore_health"
-	SinglestoreTableHealth            = "singlestore_health_table"
+
+	SinglestoreDatabasePort = 3306
+	SinglestoreStudioPort   = 8081
+	SinglestoreExporterPort = 9104
+
+	SinglestoreRootUserName = "ROOT_USERNAME"
+	SinglestoreRootPassword = "ROOT_PASSWORD"
+	SinglestoreRootUser     = "root"
+	DatabasePodMaster       = "Master"
+	DatabasePodAggregator   = "Aggregator"
+	DatabasePodLeaf         = "Leaf"
+	PetSetTypeAggregator    = "aggregator"
+	PetSetTypeLeaf          = "leaf"
+
+	SinglestoreDatabaseHealth = "singlestore_health"
+	SinglestoreTableHealth    = "singlestore_health_table"
 
 	SinglestoreCoordinatorContainerName = "singlestore-coordinator"
 	SinglestoreContainerName            = "singlestore"
@@ -351,6 +354,14 @@ const (
 	SinglestoreVolumeMountPathInitScript     = "/scripts"
 	SinglestoreVolumeNameData                = "data"
 	SinglestoreVolumeMountPathData           = "/var/lib/memsql"
+	SinglestoreVolumeNameTLS                 = "tls-volume"
+	SinglestoreVolumeMountPathTLS            = "/etc/memsql/certs"
+
+	SinglestoreTLSConfigCustom     = "custom"
+	SinglestoreTLSConfigSkipVerify = "skip-verify"
+	SinglestoreTLSConfigTrue       = "true"
+	SinglestoreTLSConfigFalse      = "false"
+	SinglestoreTLSConfigPreferred  = "preferred"
 
 	// =========================== PostgreSQL Constants ============================
 	PostgresDatabasePortName          = "db"
@@ -767,6 +778,7 @@ const (
 	ResourcePluralSolr    = "solrs"
 	SolrPortName          = "http"
 	SolrRestPort          = 8983
+	SolrExporterPort      = 9854
 	SolrSecretKey         = "solr.xml"
 	SolrContainerName     = "solr"
 	SolrInitContainerName = "init-solr"
@@ -1225,6 +1237,17 @@ var (
 			core.ResourceMemory: resource.MustParse("2Gi"),
 		},
 	}
+
+	// DefaultResourcesMemoryIntensive must be used for Druid MiddleManagers
+	DefaultResourcesMemoryIntensiveDruid = core.ResourceRequirements{
+		Requests: core.ResourceList{
+			core.ResourceCPU:    resource.MustParse(".500"),
+			core.ResourceMemory: resource.MustParse("2.5Gi"),
+		},
+		Limits: core.ResourceList{
+			core.ResourceMemory: resource.MustParse("2.5Gi"),
+		},
+	}
 )
 
 func DefaultArbiter(computeOnly bool) core.ResourceRequirements {

vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/druid_helpers.go

@@ -380,7 +380,7 @@ func (d *Druid) SetDefaults() {
 					d.Spec.Topology.Coordinators.PodTemplate.Spec.SecurityContext = &v1.PodSecurityContext{FSGroup: druidVersion.Spec.SecurityContext.RunAsUser}
 				}
 				d.setDefaultContainerSecurityContext(&druidVersion, &d.Spec.Topology.Coordinators.PodTemplate)
-				d.setDefaultContainerResourceLimits(&d.Spec.Topology.Coordinators.PodTemplate)
+				d.setDefaultContainerResourceLimits(&d.Spec.Topology.Coordinators.PodTemplate, DruidNodeRoleCoordinators)
 			}
 		}
 		if d.Spec.Topology.Overlords != nil {
@@ -392,7 +392,7 @@ func (d *Druid) SetDefaults() {
 					d.Spec.Topology.Overlords.PodTemplate.Spec.SecurityContext = &v1.PodSecurityContext{FSGroup: druidVersion.Spec.SecurityContext.RunAsUser}
 				}
 				d.setDefaultContainerSecurityContext(&druidVersion, &d.Spec.Topology.Overlords.PodTemplate)
-				d.setDefaultContainerResourceLimits(&d.Spec.Topology.Overlords.PodTemplate)
+				d.setDefaultContainerResourceLimits(&d.Spec.Topology.Overlords.PodTemplate, DruidNodeRoleOverlords)
 			}
 		}
 		if d.Spec.Topology.MiddleManagers != nil {
@@ -404,7 +404,7 @@ func (d *Druid) SetDefaults() {
 					d.Spec.Topology.MiddleManagers.PodTemplate.Spec.SecurityContext = &v1.PodSecurityContext{FSGroup: druidVersion.Spec.SecurityContext.RunAsUser}
 				}
 				d.setDefaultContainerSecurityContext(&druidVersion, &d.Spec.Topology.MiddleManagers.PodTemplate)
-				d.setDefaultContainerResourceLimits(&d.Spec.Topology.MiddleManagers.PodTemplate)
+				d.setDefaultContainerResourceLimits(&d.Spec.Topology.MiddleManagers.PodTemplate, DruidNodeRoleMiddleManagers)
 			}
 		}
 		if d.Spec.Topology.Historicals != nil {
@@ -416,7 +416,7 @@ func (d *Druid) SetDefaults() {
 					d.Spec.Topology.Historicals.PodTemplate.Spec.SecurityContext = &v1.PodSecurityContext{FSGroup: druidVersion.Spec.SecurityContext.RunAsUser}
 				}
 				d.setDefaultContainerSecurityContext(&druidVersion, &d.Spec.Topology.Historicals.PodTemplate)
-				d.setDefaultContainerResourceLimits(&d.Spec.Topology.Historicals.PodTemplate)
+				d.setDefaultContainerResourceLimits(&d.Spec.Topology.Historicals.PodTemplate, DruidNodeRoleHistoricals)
 			}
 		}
 		if d.Spec.Topology.Brokers != nil {
@@ -428,7 +428,7 @@ func (d *Druid) SetDefaults() {
 					d.Spec.Topology.Brokers.PodTemplate.Spec.SecurityContext = &v1.PodSecurityContext{FSGroup: druidVersion.Spec.SecurityContext.RunAsUser}
 				}
 				d.setDefaultContainerSecurityContext(&druidVersion, &d.Spec.Topology.Brokers.PodTemplate)
-				d.setDefaultContainerResourceLimits(&d.Spec.Topology.Brokers.PodTemplate)
+				d.setDefaultContainerResourceLimits(&d.Spec.Topology.Brokers.PodTemplate, DruidNodeRoleBrokers)
 
 			}
 		}
@@ -441,7 +441,7 @@ func (d *Druid) SetDefaults() {
 					d.Spec.Topology.Routers.PodTemplate.Spec.SecurityContext = &v1.PodSecurityContext{FSGroup: druidVersion.Spec.SecurityContext.RunAsUser}
 				}
 				d.setDefaultContainerSecurityContext(&druidVersion, &d.Spec.Topology.Routers.PodTemplate)
-				d.setDefaultContainerResourceLimits(&d.Spec.Topology.Routers.PodTemplate)
+				d.setDefaultContainerResourceLimits(&d.Spec.Topology.Routers.PodTemplate, DruidNodeRoleRouters)
 			}
 		}
 	}
@@ -498,10 +498,14 @@ func (d *Druid) assignDefaultContainerSecurityContext(druidVersion *catalog.Drui
 	}
 }
 
-func (d *Druid) setDefaultContainerResourceLimits(podTemplate *ofst.PodTemplateSpec) {
+func (d *Druid) setDefaultContainerResourceLimits(podTemplate *ofst.PodTemplateSpec, nodeRole DruidNodeRoleType) {
 	dbContainer := coreutil.GetContainerByName(podTemplate.Spec.Containers, DruidContainerName)
 	if dbContainer != nil && (dbContainer.Resources.Requests == nil && dbContainer.Resources.Limits == nil) {
-		apis.SetDefaultResourceLimits(&dbContainer.Resources, DefaultResources)
+		if nodeRole == DruidNodeRoleMiddleManagers {
+			apis.SetDefaultResourceLimits(&dbContainer.Resources, DefaultResourcesMemoryIntensiveDruid)
+		} else {
+			apis.SetDefaultResourceLimits(&dbContainer.Resources, DefaultResources)
+		}
 	}
 
 	initContainer := coreutil.GetContainerByName(podTemplate.Spec.InitContainers, DruidInitContainerName)

vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/singlestore_helpers.go

@@ -118,7 +118,33 @@ func (s singlestoreStatsService) Scheme() string {
 }
 
 func (s singlestoreStatsService) TLSConfig() *promapi.TLSConfig {
-	return nil
+	return &promapi.TLSConfig{
+		SafeTLSConfig: promapi.SafeTLSConfig{
+			CA: promapi.SecretOrConfigMap{
+				Secret: &core.SecretKeySelector{
+					LocalObjectReference: core.LocalObjectReference{
+						Name: s.GetCertSecretName(SinglestoreClientCert),
+					},
+					Key: CACert,
+				},
+			},
+			Cert: promapi.SecretOrConfigMap{
+				Secret: &core.SecretKeySelector{
+					LocalObjectReference: core.LocalObjectReference{
+						Name: s.GetCertSecretName(SinglestoreClientCert),
+					},
+					Key: core.TLSCertKey,
+				},
+			},
+			KeySecret: &core.SecretKeySelector{
+				LocalObjectReference: core.LocalObjectReference{
+					Name: s.GetCertSecretName(SinglestoreClientCert),
+				},
+				Key: core.TLSPrivateKeyKey,
+			},
+			InsecureSkipVerify: false,
+		},
+	}
 }
 
 func (s Singlestore) StatsService() mona.StatsAccessor {
@@ -251,6 +277,23 @@ func (s *Singlestore) SetHealthCheckerDefaults() {
 	}
 }
 
+// CertificateName returns the default certificate name and/or certificate secret name for a certificate alias
+func (s *Singlestore) CertificateName(alias SinglestoreCertificateAlias) string {
+	return metautil.NameWithSuffix(s.Name, fmt.Sprintf("%s-cert", string(alias)))
+}
+
+// GetCertSecretName returns the secret name for a certificate alias if any
+// otherwise returns default certificate secret name for the given alias.
+func (s *Singlestore) GetCertSecretName(alias SinglestoreCertificateAlias) string {
+	if s.Spec.TLS != nil {
+		name, ok := kmapi.GetCertificateSecretName(s.Spec.TLS.Certificates, string(alias))
+		if ok {
+			return name
+		}
+	}
+	return s.CertificateName(alias)
+}
+
 func (s *Singlestore) GetAuthSecretName() string {
 	if s.Spec.AuthSecret != nil && s.Spec.AuthSecret.Name != "" {
 		return s.Spec.AuthSecret.Name
@@ -461,11 +504,6 @@ func (s *Singlestore) SetTLSDefaults() {
 	s.Spec.TLS.Certificates = kmapi.SetMissingSecretNameForCertificate(s.Spec.TLS.Certificates, string(SinglestoreClientCert), s.CertificateName(SinglestoreClientCert))
 }
 
-// CertificateName returns the default certificate name and/or certificate secret name for a certificate alias
-func (s *Singlestore) CertificateName(alias SinglestoreCertificateAlias) string {
-	return metautil.NameWithSuffix(s.Name, fmt.Sprintf("%s-cert", string(alias)))
-}
-
 func (s *Singlestore) ReplicasAreReady(lister pslister.PetSetLister) (bool, string, error) {
 	// Desire number of petSets
 	expectedItems := 1

vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/singlestore_webhook.go

@@ -215,13 +215,15 @@ var sdbReservedVolumes = []string{
 	SinglestoreVolumeNameCustomConfig,
 	SinglestoreVolmeNameInitScript,
 	SinglestoreVolumeNameData,
+	SinglestoreVolumeNameTLS,
 }
 
 var sdbReservedVolumesMountPaths = []string{
 	SinglestoreVolumeMountPathData,
 	SinglestoreVolumeMountPathInitScript,
 	SinglestoreVolumeMountPathCustomConfig,
 	SinglestoreVolumeMountPathUserInitScript,
+	SinglestoreVolumeMountPathTLS,
 }
 
 func sdbValidateVersion(s *Singlestore) error {

vendor/kubedb.dev/apimachinery/apis/kubedb/v1alpha2/solr_helpers.go

@@ -320,6 +320,16 @@ func (s *Solr) SetDefaults(slVersion *catalog.SolrVersion) {
 		s.setDefaultContainerSecurityContext(slVersion, &s.Spec.PodTemplate)
 		s.setDefaultContainerResourceLimits(&s.Spec.PodTemplate)
 	}
+
+	if s.Spec.Monitor != nil {
+		if s.Spec.Monitor.Prometheus == nil {
+			s.Spec.Monitor.Prometheus = &mona.PrometheusSpec{}
+		}
+		if s.Spec.Monitor.Prometheus != nil && s.Spec.Monitor.Prometheus.Exporter.Port == 0 {
+			s.Spec.Monitor.Prometheus.Exporter.Port = SolrExporterPort
+		}
+		s.Spec.Monitor.SetDefaults()
+	}
 }
 
 func (s *Solr) setDefaultContainerSecurityContext(slVersion *catalog.SolrVersion, podTemplate *ofst.PodTemplateSpec) {