
K8SPXC-1411: allow to enable/disable TLS in a running cluster #1844

Open. Wants to merge 22 commits into base: main.

Conversation

@pooknull (Contributor) commented Oct 14, 2024


https://perconadev.atlassian.net/browse/K8SPXC-1411

DESCRIPTION

This PR allows the operator to enable/disable TLS in a running cluster by automating the following tasks:

when .spec.tls.enabled is switched to false:

  1. patch .spec.pause to true
  2. wait until all pods are deleted
  3. patch spec.unsafeFlags.tls to true
  4. delete TLS secrets
  5. patch .spec.pause to false

when .spec.tls.enabled is switched to true:

  1. patch .spec.pause to true
  2. wait until all pods are deleted
  3. patch spec.unsafeFlags.tls to false
  4. patch .spec.pause to false

A tls condition has also been added to the cluster. It will show the state of the .spec.tls.enabled field before it was switched. The values of this condition are enabled and disabled. After all automated tasks have been completed, it will be updated with the actual state of .spec.tls.enabled.

Note to developers: the deploy method contained a lot of duplicated code from the updatePod method. In this PR I decided to minimize it by using the updatePod inside.

CHECKLIST

Jira

  • Is the Jira ticket created and referenced properly?
  • Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
  • Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

  • Is an E2E test/test case added for the new feature/change?
  • Are unit tests added where appropriate?
  • Are OpenShift compare files changed for E2E tests (compare/*-oc.yml)?

Config/Logging/Testability

  • Are all needed new/changed options added to default YAML files?
  • Are all needed new/changed options added to the Helm Chart?
  • Did we add proper logging messages for operator actions?
  • Did we ensure compatibility with the previous version or cluster upgrade process?
  • Does the change support oldest and newest supported PXC version?
  • Does the change support oldest and newest supported Kubernetes version?

@pull-request-size pull-request-size bot added the size/XL 500-999 lines label Oct 14, 2024
@pooknull pooknull changed the title K8SPXC-1411: allow to enable/disable running cluster K8SPXC-1411: allow to enable/disable TLS in a running cluster Oct 14, 2024
return nil
}

annotationTLSState, ok := cr.Annotations[naming.AnnotationTLS]
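Review bot: the transition state is read back from `cr.Annotations[naming.AnnotationTLS]`, a user-editable metadata field, so anyone with update rights on the CR can change or drop it and desynchronise the operator's view of an in-progress switch; a status condition written only by the operator (as the reviewer suggests) keeps this state out of user-controlled metadata. If the annotation stays, make the `!ok` path explicit and treat a missing key as "no transition in progress" rather than as an error.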

I would do this with a status field or with status.conditions rather than with an annotation

Comment on lines 356 to 358
crOrig := cr.DeepCopy()
cr.Spec.Unsafe.TLS = !*cr.Spec.TLS.Enabled
if cr.Spec.Unsafe.TLS != crOrig.Spec.Unsafe.TLS {
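Review bot: `!*cr.Spec.TLS.Enabled` dereferences the pointer without a nil guard; if this function can run before defaulting has filled `Spec.TLS.Enabled`, the reconcile panics. Either guard with `cr.Spec.TLS.Enabled != nil` or state the dependency on CheckNSetDefaults in a comment. Also, the `cr.DeepCopy()` on the line above is used only to detect a change in `Spec.Unsafe.TLS`; saving the previous value of that one field (`prev := cr.Spec.Unsafe.TLS`) avoids copying the whole object on every reconcile.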

If TLS is disabled without enabling the unsafe flag, we'll return an error before (in CheckNSetDefaults) and won't enter this function. So I'm not sure if we need to do this check.

inelpandzic
inelpandzic previously approved these changes Oct 29, 2024
@hors hors requested a review from egegunes November 8, 2024 10:07
hors
hors previously approved these changes Nov 8, 2024
inelpandzic
inelpandzic previously approved these changes Nov 18, 2024
@egegunes egegunes added this to the v1.16.0 milestone Nov 18, 2024
egegunes
egegunes previously approved these changes Nov 20, 2024
inelpandzic
inelpandzic previously approved these changes Nov 21, 2024
@pooknull pooknull dismissed stale reviews from inelpandzic and egegunes via cde7573 December 2, 2024 23:07
@pull-request-size pull-request-size bot added size/XXL 1000+ lines and removed size/XL 500-999 lines labels Dec 2, 2024
@JNKPercona (Collaborator) commented:

Test name Status
affinity-8-0 passed
auto-tuning-8-0 passed
cross-site-8-0 passed
demand-backup-cloud-8-0 failure
demand-backup-encrypted-with-tls-8-0 passed
demand-backup-8-0 passed
haproxy-5-7 passed
haproxy-8-0 passed
init-deploy-5-7 passed
init-deploy-8-0 passed
limits-8-0 passed
monitoring-2-0-8-0 passed
one-pod-5-7 passed
one-pod-8-0 passed
pitr-8-0 passed
pitr-gap-errors-8-0 passed
proxy-protocol-8-0 passed
proxysql-sidecar-res-limits-8-0 passed
pvc-resize-5-7 passed
pvc-resize-8-0 passed
recreate-8-0 passed
restore-to-encrypted-cluster-8-0 passed
scaling-proxysql-8-0 passed
scaling-8-0 passed
scheduled-backup-5-7 passed
scheduled-backup-8-0 passed
security-context-8-0 passed
smart-update1-8-0 passed
smart-update2-8-0 passed
storage-8-0 passed
tls-issue-cert-manager-ref-8-0 passed
tls-issue-cert-manager-8-0 passed
tls-issue-self-8-0 passed
upgrade-consistency-8-0 passed
upgrade-haproxy-5-7 passed
upgrade-haproxy-8-0 passed
upgrade-proxysql-5-7 passed
upgrade-proxysql-8-0 passed
users-5-7 passed
users-8-0 passed
validation-hook-8-0 passed
We run 41 out of 41

commit: 9b7bdf0
image: perconalab/percona-xtradb-cluster-operator:PR-1844-9b7bdf0e

Labels
size/XXL 1000+ lines
5 participants