Support TLS authentication & encryption with provided certificates #6

@stefanigel

Description

This is the same as we did for ZooKeeper in stackabletech/zookeeper-operator#466 but with a new structure according to stackabletech/issues#293.

apiVersion: druid.stackable.tech/v1alpha1
kind: DruidCluster
metadata:
  name: druid
spec:
  version: 24.0.0-stackable0.1.0
  commonConfig:
    tls:
      # client-server encryption (only server requires a trusted certificate)
      serverSecretClass: String # defaults to "tls"
      # server-server encryption
      internalSecretClass: String # defaults to "tls"
    # This should be a Vector. Can be a vector of Strings but preferably an extra struct containing at least a
    # String to reference the operator-rs AuthenticationClass (plus optional settings if required)
    authentication:
      # mTLS (client and server require a trusted certificate)
      - authenticationClass: druid-tls-authentication-class # String
    authorization:
      opa:
        configMapName: druid-opa
    # all other top level configuration should be under shared-/global-/cluster-config as well
    zookeeperConfigMapName: simple-druid-znode
    metadataStorageDatabase:
      dbType: postgresql
      connString: jdbc:postgresql://druid-postgresql/druid
      host: druid-postgresql
      port: 5432
      user: druid
      password: druid
    deepStorage: ...

This is done when

  • Client-Server communication can be encrypted via TLS (on by default)
  • Server-Server communication can be encrypted via TLS (on by default - can be deactivated if performance is impacted heavily)
  • The common foundations are used (SecretClass, AuthenticationClass)
  • Documentation has been added and adapted to the new structure
  • Integration tests have been added and adapted to the new structure
  • Examples have been added and adapted to the new structure
  • All top-level fields except version or image and stopped are moved to commonConfig (see next for the OPA config map)
  • Opa discovery config map name field moved to commonConfig.authorization
  • Feature tracker has been updated (@lfrancke can do this if needed, ping him)
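As an added worked example (not part of this issue and not the operator's own documentation), the manifests below show how the proposed `commonConfig.tls` and `commonConfig.authentication` fields would line up with the SecretClass and AuthenticationClass objects they reference. The SecretClass and AuthenticationClass shapes follow the Stackable secret-operator and operator-rs CRDs as I understand them; the names `druid-mtls`, `druid-mtls-ca` and `secret-provisioner-tls-ca` and the `default` namespace are assumptions, and `deepStorage` is left out because the issue elides it.

```yaml
# Added example: the full object graph for the proposed TLS structure.
# SecretClass and AuthenticationClass definitions are assumed to follow the
# Stackable secret-operator / operator-rs CRDs; object names are made up here.

# 1. SecretClass used for server (client-server) and internal (server-server)
#    certificates. "tls" is the name the proposal defaults to, so it must exist.
---
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: tls
spec:
  backend:
    autoTls:
      ca:
        secret:
          name: secret-provisioner-tls-ca   # assumed name of the CA secret
          namespace: default                # assumed namespace
        autoGenerate: true                  # CA is created if missing; provide your own CA in production
---
# 2. Separate SecretClass for the client certificates used by mTLS. A distinct
#    class keeps the client trust root separate from the server trust root.
apiVersion: secrets.stackable.tech/v1alpha1
kind: SecretClass
metadata:
  name: druid-mtls   # assumed name
spec:
  backend:
    autoTls:
      ca:
        secret:
          name: druid-mtls-ca   # assumed name
          namespace: default
        autoGenerate: true
---
# 3. AuthenticationClass referenced from commonConfig.authentication[].authenticationClass.
#    Clients must present a certificate issued by the CA behind clientCertSecretClass.
apiVersion: authentication.stackable.tech/v1alpha1
kind: AuthenticationClass
metadata:
  name: druid-tls-authentication-class
spec:
  provider:
    tls:
      clientCertSecretClass: druid-mtls
---
# 4. DruidCluster using the structure proposed in the issue (deepStorage omitted).
apiVersion: druid.stackable.tech/v1alpha1
kind: DruidCluster
metadata:
  name: druid
spec:
  version: 24.0.0-stackable0.1.0
  commonConfig:
    tls:
      serverSecretClass: tls      # client-server encryption (server presents a trusted cert)
      internalSecretClass: tls    # server-server encryption
    authentication:
      - authenticationClass: druid-tls-authentication-class   # mTLS via the class above
    authorization:
      opa:
        configMapName: druid-opa
    zookeeperConfigMapName: simple-druid-znode
    metadataStorageDatabase:
      dbType: postgresql
      connString: jdbc:postgresql://druid-postgresql/druid
      host: druid-postgresql
      port: 5432
      user: druid
      password: druid
```

Two points worth checking when applying this pattern: the server-side classes (`serverSecretClass`, `internalSecretClass`) and the client-certificate class should be distinct so that a server certificate cannot be replayed as a client identity, and `autoGenerate: true` is convenient for tests but means the trust root is minted in-cluster, so for a production deployment the CA secret should be provisioned from a controlled source.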

Labels

  • release-note: Denotes a PR that will be considered when it comes time to generate release notes.
  • release-note/action-required: Denotes a PR that introduces potentially breaking changes that require user action.
  • release/23.1.0
