Merged in master

Author: ewoutp

docs/design/testing.md

@@ -0,0 +1,32 @@
+# Testing
+
+## Scenario's
+
+The following test scenario's must be covered by automated tests:
+
+- Creating 1 deployment (all modes, all environments, all storage engines)
+- Creating multiple deployments (all modes, all environments, all storage engines),
+  controlling each individually
+- Creating deployment with/without authentication
+- Creating deployment with/without TLS
+
+- Updating deployment wrt:
+  - Number of servers (scaling, up/down)
+  - Image version (upgrading, downgrading within same minor version range (e.g. 3.2.x))
+  - Immutable fields (should be reset automatically)
+
+- Resilience:
+  - Delete individual pods
+  - Delete individual PVCs
+  - Delete individual Services
+  - Delete Node
+  - Restart Node
+  - API server unavailable
+
+## Test environments
+
+- Kubernetes clusters
+  - Single node
+  - Multi node
+  - Access control mode (RBAC, ...)
+  - Persistent volumes ...

docs/user/custom_resource.md

@@ -126,7 +126,7 @@ an encryption key that is exactly 32 bytes long.
 This setting specifies the name of a kubernetes `Secret` that contains
 the JWT token used for accessing all ArangoDB servers.
 When no name is specified, it defaults to `<deployment-name>-jwt`.
-To disable authentication, set this value to `-`.
+To disable authentication, set this value to `None`.
 
 If you specify a name of a `Secret`, that secret must have the token
 in a data field named `token`.

examples/setup-rbac.sh

@@ -1,7 +1,11 @@
 #!/bin/bash
 
+ROLE_NAME="${ROLE_NAME:-arangodb-operator}"
+ROLE_BINDING_NAME="${ROLE_BINDING_NAME:-arangodb-operator}"
+NAMESPACE="${NAMESPACE:-default}"
+
 function usage {
-  echo "$(basename "$0") - Create Kubernetes RBAC role and bindings for ArangoDB operator
+echo "$(basename "$0") - Create Kubernetes RBAC role and bindings for ArangoDB operator
 Usage: $(basename "$0") [options...]
 Options:
   --role-name=STRING         Name of ClusterRole to create
@@ -13,12 +17,8 @@ Options:
 " >&2
 }
 
-ROLE_NAME="${ROLE_NAME:-arangodb-operator}"
-ROLE_BINDING_NAME="${ROLE_BINDING_NAME:-arangodb-operator}"
-NAMESPACE="${NAMESPACE:-default}"
-
 function setupRole {
-  yaml=$(cat << EOYAML
+kubectl apply -f - << EOYAML
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
@@ -54,12 +54,15 @@ rules:
   verbs:
   - "*"
 EOYAML
-)
-  echo "$yaml" | kubectl apply -f -
+
+local code=$?
+if (code != 0); then
+    exit $code
+fi
 }
 
 function setupRoleBinding {
-  yaml=$(cat << EOYAML
+kubectl apply -f - << EOYAML
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
@@ -73,31 +76,33 @@ subjects:
   name: default
   namespace: ${NAMESPACE}
 EOYAML
-)
-  echo "$yaml" | kubectl apply -f -
+
+local code=$?
+if (code != 0); then
+    exit $code
+fi
 }
 
-for i in "$@"
-do
-case $i in
-    --role-name=*)
-    ROLE_NAME="${i#*=}"
-    ;;
-    --role-binding-name=*)
-    ROLE_BINDING_NAME="${i#*=}"
-    ;;
-    --namespace=*)
-    NAMESPACE="${i#*=}"
-    ;;
-    -h|--help)
-      usage
-      exit 0
-    ;;
-    *)
-      usage
-      exit 1
-    ;;
-esac
+for i in "$@"; do
+    case $i in
+        --role-name=*)
+        ROLE_NAME="${i#*=}"
+        ;;
+        --role-binding-name=*)
+        ROLE_BINDING_NAME="${i#*=}"
+        ;;
+        --namespace=*)
+        NAMESPACE="${i#*=}"
+        ;;
+        -h|--help)
+          usage
+          exit 0
+        ;;
+        *)
+          usage
+          exit 1
+        ;;
+    esac
 done
 
 setupRole

examples/single-server-no-auth.yaml

@@ -0,0 +1,9 @@
+apiVersion: "database.arangodb.com/v1alpha"
+kind: "ArangoDeployment"
+metadata:
+  name: "example-simple-single-no-auth"
+spec:
+  mode: single
+  auth:
+    jwtSecretName: None
+

pkg/apis/arangodb/v1alpha/deployment_spec.go

@@ -179,23 +179,35 @@ type AuthenticationSpec struct {
 	JWTSecretName string `json:"jwtSecretName,omitempty"`
 }
 
+const (
+	// JWTSecretNameDisabled is the value of JWTSecretName to use for disabling authentication.
+	JWTSecretNameDisabled = "None"
+)
+
+// IsAuthenticated returns true if authentication is enabled.
+// Returns false other (when JWTSecretName == "None").
+func (s AuthenticationSpec) IsAuthenticated() bool {
+	return s.JWTSecretName != JWTSecretNameDisabled
+}
+
 // Validate the given spec
-func (s AuthenticationSpec) Validate(required, allowed bool) error {
-	if required && s.JWTSecretName == "" {
-		return maskAny(errors.Wrap(ValidationError, "Missing JWT secret"))
+func (s AuthenticationSpec) Validate(required bool) error {
+	if required && !s.IsAuthenticated() {
+		return maskAny(errors.Wrap(ValidationError, "JWT secret is required"))
 	}
-	if !allowed && s.JWTSecretName != "" {
-		return maskAny(errors.Wrap(ValidationError, "Non-empty JWT secret name is not allowed"))
-	}
-	if err := k8sutil.ValidateOptionalResourceName(s.JWTSecretName); err != nil {
-		return maskAny(err)
+	if s.IsAuthenticated() {
+		if err := k8sutil.ValidateResourceName(s.JWTSecretName); err != nil {
+			return maskAny(err)
+		}
 	}
 	return nil
 }
 
 // SetDefaults fills in missing defaults
-func (s *AuthenticationSpec) SetDefaults() {
-	// Nothing needed
+func (s *AuthenticationSpec) SetDefaults(defaultJWTSecretName string) {
+	if s.JWTSecretName == "" {
+		s.JWTSecretName = defaultJWTSecretName
+	}
 }
 
 // SSLSpec holds SSL specific configuration settings
@@ -256,7 +268,7 @@ func (s SyncSpec) Validate(mode DeploymentMode) error {
 	if s.Image == "" {
 		return maskAny(errors.Wrapf(ValidationError, "image must be set"))
 	}
-	if err := s.Authentication.Validate(s.Enabled, s.Enabled); err != nil {
+	if err := s.Authentication.Validate(s.Enabled); err != nil {
 		return maskAny(err)
 	}
 	if err := s.Monitoring.Validate(); err != nil {
@@ -266,14 +278,14 @@ func (s SyncSpec) Validate(mode DeploymentMode) error {
 }
 
 // SetDefaults fills in missing defaults
-func (s *SyncSpec) SetDefaults(defaultImage string, defaulPullPolicy v1.PullPolicy) {
+func (s *SyncSpec) SetDefaults(defaultImage string, defaulPullPolicy v1.PullPolicy, defaultJWTSecretName string) {
 	if s.Image == "" {
 		s.Image = defaultImage
 	}
 	if s.ImagePullPolicy == "" {
 		s.ImagePullPolicy = defaulPullPolicy
 	}
-	s.Authentication.SetDefaults()
+	s.Authentication.SetDefaults(defaultJWTSecretName)
 	s.Monitoring.SetDefaults()
 }
 
@@ -420,7 +432,7 @@ type DeploymentSpec struct {
 
 // IsAuthenticated returns true when authentication is enabled
 func (s DeploymentSpec) IsAuthenticated() bool {
-	return s.Authentication.JWTSecretName != ""
+	return s.Authentication.IsAuthenticated()
 }
 
 // IsSecure returns true when SSL is enabled
@@ -429,7 +441,7 @@ func (s DeploymentSpec) IsSecure() bool {
 }
 
 // SetDefaults fills in default values when a field is not specified.
-func (s *DeploymentSpec) SetDefaults() {
+func (s *DeploymentSpec) SetDefaults(deploymentName string) {
 	if s.Mode == "" {
 		s.Mode = DeploymentModeCluster
 	}
@@ -446,9 +458,9 @@ func (s *DeploymentSpec) SetDefaults() {
 		s.ImagePullPolicy = v1.PullIfNotPresent
 	}
 	s.RocksDB.SetDefaults()
-	s.Authentication.SetDefaults()
+	s.Authentication.SetDefaults(deploymentName + "-jwt")
 	s.SSL.SetDefaults()
-	s.Sync.SetDefaults(s.Image, s.ImagePullPolicy)
+	s.Sync.SetDefaults(s.Image, s.ImagePullPolicy, deploymentName+"-sync-jwt")
 	s.Single.SetDefaults(ServerGroupSingle, s.Mode.HasSingleServers(), s.Mode)
 	s.Agents.SetDefaults(ServerGroupAgents, s.Mode.HasAgents(), s.Mode)
 	s.DBServers.SetDefaults(ServerGroupDBServers, s.Mode.HasDBServers(), s.Mode)
@@ -461,31 +473,31 @@ func (s *DeploymentSpec) SetDefaults() {
 // Return errors when validation fails, nil on success.
 func (s *DeploymentSpec) Validate() error {
 	if err := s.Mode.Validate(); err != nil {
-		return maskAny(err)
+		return maskAny(errors.Wrap(err, "spec.mode"))
 	}
 	if err := s.Environment.Validate(); err != nil {
-		return maskAny(err)
+		return maskAny(errors.Wrap(err, "spec.environment"))
 	}
 	if err := s.StorageEngine.Validate(); err != nil {
-		return maskAny(err)
+		return maskAny(errors.Wrap(err, "spec.storageEngine"))
 	}
 	if err := validatePullPolicy(s.ImagePullPolicy); err != nil {
-		return maskAny(err)
+		return maskAny(errors.Wrap(err, "spec.imagePullPolicy"))
 	}
 	if s.Image == "" {
-		return maskAny(errors.Wrapf(ValidationError, "image must be set"))
+		return maskAny(errors.Wrapf(ValidationError, "spec.image must be set"))
 	}
 	if err := s.RocksDB.Validate(); err != nil {
-		return maskAny(err)
+		return maskAny(errors.Wrap(err, "spec.rocksdb"))
 	}
-	if err := s.Authentication.Validate(false, true); err != nil {
-		return maskAny(err)
+	if err := s.Authentication.Validate(false); err != nil {
+		return maskAny(errors.Wrap(err, "spec.auth"))
 	}
 	if err := s.SSL.Validate(); err != nil {
-		return maskAny(err)
+		return maskAny(errors.Wrap(err, "spec.ssl"))
 	}
 	if err := s.Sync.Validate(s.Mode); err != nil {
-		return maskAny(err)
+		return maskAny(errors.Wrap(err, "spec.sync"))
 	}
 	if err := s.Single.Validate(ServerGroupSingle, s.Mode.HasSingleServers(), s.Mode); err != nil {
 		return maskAny(err)

pkg/controller/controller.go

@@ -217,7 +217,7 @@ func (c *Controller) handleDeploymentEvent(event *Event) error {
 	}
 
 	// Fill in defaults
-	apiObject.Spec.SetDefaults()
+	apiObject.Spec.SetDefaults(apiObject.GetName())
 	// Validate deployment spec
 	if err := apiObject.Spec.Validate(); err != nil {
 		return maskAny(errors.Wrapf(err, "invalid deployment spec. please fix the following problem with the deployment spec: %v", err))

pkg/deployment/client_cache.go

@@ -23,6 +23,7 @@
 package deployment
 
 import (
+	"context"
 	"fmt"
 	"sync"
 
@@ -52,7 +53,7 @@ func newClientCache(kubecli kubernetes.Interface, apiObject *api.ArangoDeploymen
 
 // Get a cached client for the given ID in the given group, creating one
 // if needed.
-func (cc *clientCache) Get(group api.ServerGroup, id string) (driver.Client, error) {
+func (cc *clientCache) Get(ctx context.Context, group api.ServerGroup, id string) (driver.Client, error) {
 	cc.mutex.Lock()
 	defer cc.mutex.Unlock()
 
@@ -63,7 +64,7 @@ func (cc *clientCache) Get(group api.ServerGroup, id string) (driver.Client, err
 	}
 
 	// Not found, create a new client
-	c, err := arangod.CreateArangodClient(cc.kubecli, cc.apiObject, group, id)
+	c, err := arangod.CreateArangodClient(ctx, cc.kubecli, cc.apiObject, group, id)
 	if err != nil {
 		return nil, maskAny(err)
 	}
@@ -73,7 +74,7 @@ func (cc *clientCache) Get(group api.ServerGroup, id string) (driver.Client, err
 
 // GetDatabase returns a cached client for the entire database (cluster coordinators or single server),
 // creating one if needed.
-func (cc *clientCache) GetDatabase() (driver.Client, error) {
+func (cc *clientCache) GetDatabase(ctx context.Context) (driver.Client, error) {
 	cc.mutex.Lock()
 	defer cc.mutex.Unlock()
 
@@ -82,7 +83,7 @@ func (cc *clientCache) GetDatabase() (driver.Client, error) {
 	}
 
 	// Not found, create a new client
-	c, err := arangod.CreateArangodDatabaseClient(cc.kubecli, cc.apiObject)
+	c, err := arangod.CreateArangodDatabaseClient(ctx, cc.kubecli, cc.apiObject)
 	if err != nil {
 		return nil, maskAny(err)
 	}

pkg/deployment/deployment.go

@@ -153,6 +153,12 @@ func (d *Deployment) run() {
 	log := d.deps.Log
 
 	if d.status.State == api.DeploymentStateNone {
+		// Create secrets
+		if err := d.createSecrets(d.apiObject); err != nil {
+			d.failOnError(err, "Failed to create secrets")
+			return
+		}
+
 		// Create services
 		if err := d.createServices(d.apiObject); err != nil {
 			d.failOnError(err, "Failed to create services")
@@ -272,7 +278,7 @@ func (d *Deployment) handleArangoDeploymentUpdatedEvent(event *deploymentEvent)
 	}
 
 	newAPIObject := current.DeepCopy()
-	newAPIObject.Spec.SetDefaults()
+	newAPIObject.Spec.SetDefaults(newAPIObject.GetName())
 	newAPIObject.Status = d.status
 	resetFields := d.apiObject.Spec.ResetImmutableFields(&newAPIObject.Spec)
 	if len(resetFields) > 0 {