Mutual TLS and S3 TLS verification (#244)

# Description

- Now internal and client TLS can be configured instead of defaulting to "tls" secret class
- S3 now supports proper TLS authentication

closes #217



Co-authored-by: Malte Sander <malte.sander.it@gmail.com>

Author: maltesander

CHANGELOG.md

@@ -9,11 +9,15 @@ All notable changes to this project will be documented in this file.
 - Include chart name when installing with a custom release name ([#233], [#234]).
 - `operator-rs` `0.21.1` -> `0.22.0` ([#235]).
 - Add support for Hive 3.1.3 ([#243])
+- Internal and client TLS now configurable instead of defaulting to "tls" secret class ([#244]).
+- S3 TLS properly supported ([#244]).
+- Introduced global `config` for `TLS` settings ([#244]).
 
 [#233]: https://github.com/stackabletech/trino-operator/pull/233
 [#234]: https://github.com/stackabletech/trino-operator/pull/234
 [#235]: https://github.com/stackabletech/trino-operator/pull/235
 [#243]: https://github.com/stackabletech/trino-operator/pull/243
+[#244]: https://github.com/stackabletech/trino-operator/pull/244
 
 ## [0.4.0] - 2022-06-30
 

Cargo.lock

@@ -87,9 +87,9 @@ properties:
           value: "8080"
       roles:
         - name: "coordinator"
-          required: true
+          required: false
         - name: "worker"
-          required: true
+          required: false
       asOfVersion: "0.0.0"
 
   - property: &httpServerHttpsPort
@@ -108,6 +108,8 @@ properties:
       roles:
         - name: "coordinator"
           required: false
+        - name: "worker"
+          required: false
       asOfVersion: "0.0.0"
 
   - property: &queryMaxMemory
@@ -217,7 +219,7 @@ properties:
         - "INFO"
         - "DEBUG"
         - "WARN"
-        - "ERROR"          
+        - "ERROR"
       roles:
         - name: "coordinator"
           required: true

deploy/config-spec/properties.yaml

@@ -23,7 +23,6 @@ spec:
             spec:
               properties:
                 authentication:
-                  description: A reference to a secret containing username/password for defined users
                   nullable: true
                   properties:
                     method:
@@ -50,7 +49,39 @@ spec:
                   required:
                     - method
                   type: object
+                config:
+                  default:
+                    tls:
+                      secretClass: tls
+                    internalTls:
+                      secretClass: tls
+                  description: Global Trino Config for cluster settings like TLS
+                  properties:
+                    internalTls:
+                      default:
+                        secretClass: tls
+                      description: "Only affects internal communication. Use mutual verification between Trino nodes This setting controls: - Which cert the servers should use to authenticate themselves against other servers - Which ca.crt to use when validating the other server"
+                      nullable: true
+                      properties:
+                        secretClass:
+                          type: string
+                      required:
+                        - secretClass
+                      type: object
+                    tls:
+                      default:
+                        secretClass: tls
+                      description: "Only affects client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client"
+                      nullable: true
+                      properties:
+                        secretClass:
+                          type: string
+                      required:
+                        - secretClass
+                      type: object
+                  type: object
                 coordinators:
+                  description: Settings for the Coordinator Role/Process.
                   nullable: true
                   properties:
                     cliOverrides:
@@ -158,9 +189,11 @@ spec:
                     - roleGroups
                   type: object
                 hiveConfigMapName:
+                  description: The discovery ConfigMap name of the Hive cluster (usually the same as the Hive cluster name).
                   nullable: true
                   type: string
                 opa:
+                  description: The discovery ConfigMap name of the OPA cluster (usually the same as the OPA cluster name).
                   nullable: true
                   properties:
                     configMapName:
@@ -172,7 +205,7 @@ spec:
                     - configMapName
                   type: object
                 s3:
-                  description: Operators are expected to define fields for this type in order to work with S3 connections.
+                  description: A reference to a S3 bucket.
                   nullable: true
                   oneOf:
                     - required:
@@ -271,13 +304,15 @@ spec:
                       type: string
                   type: object
                 stopped:
-                  description: "Emergency stop button, if `true` then all pods are stopped without affecting configuration (as setting `replicas` to `0` would)"
+                  description: "Emergency stop button, if `true` then all pods are stopped without affecting configuration (as setting `replicas` to `0` would)."
                   nullable: true
                   type: boolean
                 version:
+                  description: "The provided trino image version in the form `xxx-stackableY.Y.Y` e.g. `387-stackable0.1.0`."
                   nullable: true
                   type: string
                 workers:
+                  description: Settings for the Worker Role/Process.
                   nullable: true
                   properties:
                     cliOverrides:

deploy/crd/trinocluster.crd.yaml

@@ -87,9 +87,9 @@ properties:
           value: "8080"
       roles:
         - name: "coordinator"
-          required: true
+          required: false
         - name: "worker"
-          required: true
+          required: false
       asOfVersion: "0.0.0"
 
   - property: &httpServerHttpsPort
@@ -108,6 +108,8 @@ properties:
       roles:
         - name: "coordinator"
           required: false
+        - name: "worker"
+          required: false
       asOfVersion: "0.0.0"
 
   - property: &queryMaxMemory
@@ -217,7 +219,7 @@ properties:
         - "INFO"
         - "DEBUG"
         - "WARN"
-        - "ERROR"          
+        - "ERROR"
       roles:
         - name: "coordinator"
           required: true

deploy/helm/trino-operator/configs/properties.yaml

@@ -24,7 +24,6 @@ spec:
             spec:
               properties:
                 authentication:
-                  description: A reference to a secret containing username/password for defined users
                   nullable: true
                   properties:
                     method:
@@ -51,7 +50,39 @@ spec:
                   required:
                     - method
                   type: object
+                config:
+                  default:
+                    tls:
+                      secretClass: tls
+                    internalTls:
+                      secretClass: tls
+                  description: Global Trino Config for cluster settings like TLS
+                  properties:
+                    internalTls:
+                      default:
+                        secretClass: tls
+                      description: 'Only affects internal communication. Use mutual verification between Trino nodes This setting controls: - Which cert the servers should use to authenticate themselves against other servers - Which ca.crt to use when validating the other server'
+                      nullable: true
+                      properties:
+                        secretClass:
+                          type: string
+                      required:
+                        - secretClass
+                      type: object
+                    tls:
+                      default:
+                        secretClass: tls
+                      description: 'Only affects client connections. This setting controls: - If TLS encryption is used at all - Which cert the servers should use to authenticate themselves against the client'
+                      nullable: true
+                      properties:
+                        secretClass:
+                          type: string
+                      required:
+                        - secretClass
+                      type: object
+                  type: object
                 coordinators:
+                  description: Settings for the Coordinator Role/Process.
                   nullable: true
                   properties:
                     cliOverrides:
@@ -159,9 +190,11 @@ spec:
                     - roleGroups
                   type: object
                 hiveConfigMapName:
+                  description: The discovery ConfigMap name of the Hive cluster (usually the same as the Hive cluster name).
                   nullable: true
                   type: string
                 opa:
+                  description: The discovery ConfigMap name of the OPA cluster (usually the same as the OPA cluster name).
                   nullable: true
                   properties:
                     configMapName:
@@ -173,7 +206,7 @@ spec:
                     - configMapName
                   type: object
                 s3:
-                  description: Operators are expected to define fields for this type in order to work with S3 connections.
+                  description: A reference to a S3 bucket.
                   nullable: true
                   oneOf:
                     - required:
@@ -272,13 +305,15 @@ spec:
                       type: string
                   type: object
                 stopped:
-                  description: Emergency stop button, if `true` then all pods are stopped without affecting configuration (as setting `replicas` to `0` would)
+                  description: Emergency stop button, if `true` then all pods are stopped without affecting configuration (as setting `replicas` to `0` would).
                   nullable: true
                   type: boolean
                 version:
+                  description: The provided trino image version in the form `xxx-stackableY.Y.Y` e.g. `387-stackable0.1.0`.
                   nullable: true
                   type: string
                 workers:
+                  description: Settings for the Worker Role/Process.
                   nullable: true
                   properties:
                     cliOverrides: