59 changes: 55 additions & 4 deletions operator/api/v1alpha1/central_types.go
Expand Up @@ -422,7 +422,7 @@ type DBPersistentVolumeClaim struct {
StorageClassName *string `json:"storageClassName,omitempty"`
}

// Exposure defines how central is exposed.
// Exposure defines how Central is exposed.
type Exposure struct {
// Expose Central through an OpenShift route.
//+operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="Route"
Expand Down Expand Up @@ -468,16 +468,67 @@ type ExposureNodePort struct {
Port *int32 `json:"port,omitempty"`
}

// ExposureRoute defines settings for exposing central via a Route.
// ExposureRoute defines settings for exposing Central via a Route.
type ExposureRoute struct {
// Expose Central with a passthrough route.
//+kubebuilder:default=false
//+operator-sdk:csv:customresourcedefinitions:type=spec,order=1
Enabled *bool `json:"enabled,omitempty"`

// Specify a custom hostname for the central route.
// If unspecified, an appropriate default value will be automatically chosen by OpenShift route operator.
// Specify a custom hostname for the Central route.
// If unspecified, an appropriate default value will be automatically chosen by the OpenShift route operator.
//+operator-sdk:csv:customresourcedefinitions:type=spec,order=2
Host *string `json:"host,omitempty"`

// Set up a Central route with reencrypt TLS termination.
// For reencrypt routes, the request is terminated on the OpenShift router with a custom certificate.
// The request is then reencrypted by the OpenShift router and sent to Central.
// [user] --TLS--> [OpenShift router] --TLS--> [Central]
//+operator-sdk:csv:customresourcedefinitions:type=spec,order=3,displayName="Re-Encrypt Route"
Reencrypt *ExposureRouteReencrypt `json:"reencrypt,omitempty"`
}

// ExposureRouteReencrypt defines settings for exposing Central via a reencrypt Route.
type ExposureRouteReencrypt struct {
// Expose Central with a reencrypt route.
// Should not be used for sensor communication.
//+kubebuilder:default=false
//+operator-sdk:csv:customresourcedefinitions:type=spec,order=1
Enabled *bool `json:"enabled,omitempty"`

// Specify a custom hostname for the Central reencrypt route.
// If unspecified, an appropriate default value will be automatically chosen by the OpenShift route operator.
//+operator-sdk:csv:customresourcedefinitions:type=spec,order=2
Host *string `json:"host,omitempty"`

// TLS settings for exposing Central via a reencrypt Route.
//+operator-sdk:csv:customresourcedefinitions:type=spec,order=3,displayName="TLS Settings"
TLS *ExposureRouteReencryptTLS `json:"tls,omitempty"`
}

// ExposureRouteReencryptTLS defines TLS settings for exposing Central via a reencrypt Route.
type ExposureRouteReencryptTLS struct {
// The PEM encoded certificate chain that may be used to establish a complete chain of trust.
// Defaults to the OpenShift certificate authority.
//+operator-sdk:csv:customresourcedefinitions:type=spec,order=1,displayName="CA Certificate"
CaCertificate *string `json:"caCertificate,omitempty"`

// The PEM encoded certificate that is served on the route. Must be a single serving
// certificate instead of a certificate chain.
// Defaults to a certificate signed by the OpenShift certificate authority.
//+operator-sdk:csv:customresourcedefinitions:type=spec,order=2,displayName="Certificate"
Certificate *string `json:"certificate,omitempty"`

// The CA certificate of the final destination, i.e. of Central.
// Used by the OpenShift router for health checks on the secure connection.
// Defaults to the Central certificate authority.
//+operator-sdk:csv:customresourcedefinitions:type=spec,order=3,displayName="Destination CA Certificate"
DestinationCACertificate *string `json:"destinationCACertificate,omitempty"`

// The PEM encoded private key of the certificate that is served on the route.
// Defaults to a certificate signed by the OpenShift certificate authority.
//+operator-sdk:csv:customresourcedefinitions:type=spec,order=4,displayName="Private Key"
Key *string `json:"key,omitempty"`
}

// Telemetry defines telemetry settings for Central.
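Review bot: `Key` in the new `ExposureRouteReencryptTLS` struct takes a PEM private key inline in the Central custom resource, so the key is stored and served like any other spec field rather than through a Secret — readable by anyone who can read `centrals`, and copied into `kubectl get -o yaml` output and any GitOps repository holding the CR. Consider a field that names a Secret for the reconciler to read instead, or at least state this in the field comment, e.g. `// The key is stored in plain text in the Central custom resource; restrict read access to Central resources accordingly.` The comment on `Key`, `// Defaults to a certificate signed by the OpenShift certificate authority.`, is copied from `Certificate` and does not describe a private key; `// Defaults to the private key of the default certificate signed by the OpenShift certificate authority.` would. The same copied sentence appears in the generated `key` description in operator/config/crd/bases/platform.stackrox.io_centrals.yaml. Finally, `CaCertificate` and `DestinationCACertificate` disagree on the CA initialism; Go convention is `CACertificate` (the `caCertificate` JSON tag can stay).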
70 changes: 70 additions & 0 deletions operator/api/v1alpha1/zz_generated.deepcopy.go


51 changes: 49 additions & 2 deletions operator/bundle/manifests/platform.stackrox.io_centrals.yaml


51 changes: 49 additions & 2 deletions operator/config/crd/bases/platform.stackrox.io_centrals.yaml
Expand Up @@ -380,12 +380,59 @@ spec:
properties:
enabled:
default: false
description: Expose Central with a passthrough route.
type: boolean
host:
description: |-
Specify a custom hostname for the central route.
If unspecified, an appropriate default value will be automatically chosen by OpenShift route operator.
Specify a custom hostname for the Central route.
If unspecified, an appropriate default value will be automatically chosen by the OpenShift route operator.
type: string
reencrypt:
description: |-
Set up a Central route with reencrypt TLS termination.
For reencrypt routes, the request is terminated on the OpenShift router with a custom certificate.
The request is then reencrypted by the OpenShift router and sent to Central.
[user] --TLS--> [OpenShift router] --TLS--> [Central]
properties:
enabled:
default: false
description: |-
Expose Central with a reencrypt route.
Should not be used for sensor communication.
type: boolean
host:
description: |-
Specify a custom hostname for the Central reencrypt route.
If unspecified, an appropriate default value will be automatically chosen by the OpenShift route operator.
type: string
tls:
description: TLS settings for exposing Central via
a reencrypt Route.
properties:
caCertificate:
description: |-
The PEM encoded certificate chain that may be used to establish a complete chain of trust.
Defaults to the OpenShift certificate authority.
type: string
certificate:
description: |-
The PEM encoded certificate that is served on the route. Must be a single serving
certificate instead of a certificate chain.
Defaults to a certificate signed by the OpenShift certificate authority.
type: string
destinationCACertificate:
description: |-
The CA certificate of the final destination, i.e. of Central.
Used by the OpenShift router for health checks on the secure connection.
Defaults to the Central certificate authority.
type: string
key:
description: |-
The PEM encoded private key of the certificate that is served on the route.
Defaults to a certificate signed by the OpenShift certificate authority.
type: string
type: object
type: object
type: object
type: object
hostAliases: