Merge branch 'master' into feature/plan-action-timeout

Author: ewoutp

deps/github.com/arangodb/arangosync/client/client_cache.go

@@ -85,7 +85,10 @@ func (cc *ClientCache) createClient(source Endpoint, auth Authentication, insecu
 		return nil, maskAny(err)
 	}
 	ac := AuthenticationConfig{}
-	if auth.JWTSecret != "" {
+	if auth.Username != "" {
+		ac.UserName = auth.Username
+		ac.Password = auth.Password
+	} else if auth.JWTSecret != "" {
 		ac.JWTSecret = auth.JWTSecret
 	} else if auth.ClientToken != "" {
 		ac.BearerToken = auth.ClientToken
@@ -113,11 +116,13 @@ func NewAuthentication(tlsAuth TLSAuthentication, jwtSecret string) Authenticati
 type Authentication struct {
 	TLSAuthentication
 	JWTSecret string
+	Username  string
+	Password  string
 }
 
 // String returns a string used to unique identify the authentication settings.
 func (a Authentication) String() string {
-	return a.TLSAuthentication.String() + ":" + a.JWTSecret
+	return a.TLSAuthentication.String() + ":" + a.JWTSecret + ":" + a.Username + ":" + a.Password
 }
 
 // AuthProxy is a helper that implements github.com/arangodb-helper/go-certificates#TLSAuthentication.

docs/Manual/Deployment/Kubernetes/DeploymentReplicationResource.md

@@ -5,7 +5,7 @@ The ArangoDB Replication Operator creates and maintains ArangoDB
 This replication specification is a `CustomResource` following
 a `CustomResourceDefinition` created by the operator.
 
-Example minimal replication definition:
+Example minimal replication definition for 2 ArangoDB cluster with sync in the same Kubernetes cluster:
 
 ```yaml
 apiVersion: "replication.database.arangodb.com/v1alpha"
@@ -15,17 +15,46 @@ metadata:
 spec:
   source:
     deploymentName: cluster-a
+    auth:
+      keyfileSecretName: cluster-a-sync-auth
   destination:
     deploymentName: cluster-b
-  auth:
-    clientAuthSecretName: client-auth-cert
 ```
 
 This definition results in:
 
 - the arangosync `SyncMaster` in deployment `cluster-b` is called to configure a synchronization
-  from `cluster-a` to `cluster-b`, using the client authentication certificate stored in
-  `Secret` `client-auth-cert`.
+  from the syncmasters in `cluster-a` to the syncmasters in `cluster-b`,
+  using the client authentication certificate stored in `Secret` `cluster-a-sync-auth`.
+  To access `cluster-a`, the JWT secret found in the deployment of `cluster-a` is used.
+  To access `cluster-b`, the JWT secret found in the deployment of `cluster-b` is used.
+
+Example replication definition for replicating from a source that is outside the current Kubernetes cluster
+to a destination that is in the same Kubernetes cluster:
+
+```yaml
+apiVersion: "replication.database.arangodb.com/v1alpha"
+kind: "ArangoDeploymentReplication"
+metadata:
+  name: "replication-from-a-to-b"
+spec:
+  source:
+    endpoint: ["https://163.172.149.229:31888", "https://51.15.225.110:31888", "https://51.15.229.133:31888"]
+    auth:
+      keyfileSecretName: cluster-a-sync-auth
+    tls:
+      caSecretName: cluster-a-sync-ca
+  destination:
+    deploymentName: cluster-b
+```
+
+This definition results in:
+
+- the arangosync `SyncMaster` in deployment `cluster-b` is called to configure a synchronization
+  from the syncmasters located at the given list of endpoint URL's to the syncmasters `cluster-b`,
+  using the client authentication certificate stored in `Secret` `cluster-a-sync-auth`.
+  To access `cluster-a`, the keyfile (containing a client authentication certificate) is used.
+  To access `cluster-b`, the JWT secret found in the deployment of `cluster-b` is used.
 
 ## Specification reference
 
@@ -38,13 +67,7 @@ with sync enabled.
 
 This cluster configured as the replication source.
 
-### `spec.source.deploymentNamespace: string`
-
-This setting specifies the Kubernetes namespace of an `ArangoDeployment` resource specified in `spec.source.deploymentName`.
-
-If this setting is empty, the namespace of the `ArangoDeploymentReplication` is used.
-
-### `spec.source.masterEndpoints: []string`
+### `spec.source.endpoint: []string`
 
 This setting specifies zero or more master endpoint URL's of the source cluster.
 
@@ -53,12 +76,23 @@ that is reachable from the Kubernetes cluster the `ArangoDeploymentReplication`
 
 Specifying this setting and `spec.source.deploymentName` at the same time is not allowed.
 
-### `spec.source.auth.jwtSecretName: string`
+### `spec.source.auth.keyfileSecretName: string`
 
-This setting specifies the name of a `Secret` containing a JWT `token` used to authenticate
+This setting specifies the name of a `Secret` containing a client authentication certificate called `tls.keyfile` used to authenticate
 with the SyncMaster at the specified source.
 
-This setting is required, unless `spec.source.deploymentName` has been set.
+If `spec.source.auth.userSecretName` has not been set,
+the client authentication certificate found in the secret with this name is also used to configure
+the synchronization and fetch the synchronization status.
+
+This setting is required.
+
+### `spec.source.auth.userSecretName: string`
+
+This setting specifies the name of a `Secret` containing a `username` & `password` used to authenticate
+with the SyncMaster at the specified source in order to configure synchronization and fetch synchronization status.
+
+The user identified by the username must have write access in the `_system` database of the source ArangoDB cluster.
 
 ### `spec.source.tls.caSecretName: string`
 
@@ -74,13 +108,7 @@ with sync enabled.
 
 This cluster configured as the replication destination.
 
-### `spec.destination.deploymentNamespace: string`
-
-This setting specifies the Kubernetes namespace of an `ArangoDeployment` resource specified in `spec.destination.deploymentName`.
-
-If this setting is empty, the namespace of the `ArangoDeploymentReplication` is used.
-
-### `spec.destination.masterEndpoints: []string`
+### `spec.destination.endpoint: []string`
 
 This setting specifies zero or more master endpoint URL's of the destination cluster.
 
@@ -89,12 +117,27 @@ that is reachable from the Kubernetes cluster the `ArangoDeploymentReplication`
 
 Specifying this setting and `spec.destination.deploymentName` at the same time is not allowed.
 
-### `spec.destination.auth.jwtSecretName: string`
+### `spec.destination.auth.keyfileSecretName: string`
 
-This setting specifies the name of a `Secret` containing a JWT `token` used to authenticate
+This setting specifies the name of a `Secret` containing a client authentication certificate called `tls.keyfile` used to authenticate
 with the SyncMaster at the specified destination.
 
-This setting is required, unless `spec.destination.deploymentName` has been set.
+If `spec.destination.auth.userSecretName` has not been set,
+the client authentication certificate found in the secret with this name is also used to configure
+the synchronization and fetch the synchronization status.
+
+This setting is required, unless `spec.destination.deploymentName` or `spec.destination.auth.userSecretName` has been set.
+
+Specifying this setting and `spec.destination.userSecretName` at the same time is not allowed.
+
+### `spec.destination.auth.userSecretName: string`
+
+This setting specifies the name of a `Secret` containing a `username` & `password` used to authenticate
+with the SyncMaster at the specified destination in order to configure synchronization and fetch synchronization status.
+
+The user identified by the username must have write access in the `_system` database of the destination ArangoDB cluster.
+
+Specifying this setting and `spec.destination.keyfileSecretName` at the same time is not allowed.
 
 ### `spec.destination.tls.caSecretName: string`
 
@@ -103,8 +146,62 @@ the TLS connection created by the SyncMaster at the specified destination.
 
 This setting is required, unless `spec.destination.deploymentName` has been set.
 
-### `spec.auth.clientAuthSecretName: string`
+## Authentication details
+
+The authentication settings in a `ArangoDeploymentReplication` resource are used for two distinct purposes.
+
+The first use is the authentication of the syncmasters at the destination with the syncmasters at the source.
+This is always done using a client authentication certificate which is found in a `tls.keyfile` field
+in a secret identified by `spec.source.auth.keyfileSecretName`.
+
+The second use is the authentication of the ArangoDB Replication operator with the syncmasters at the source
+or destination. These connections are made to configure synchronization, stop configuration and fetch the status
+of the configuration.
+The method used for this authentication is derived as follows (where `X` is either `source` or `destination`):
+
+- If `spec.X.userSecretName` is set, the username + password found in the `Secret` identified by this name is used.
+- If `spec.X.keyfileSecretName` is set, the client authentication certificate (keyfile) found in the `Secret` identifier by this name is used.
+- If `spec.X.deploymentName` is set, the JWT secret found in the deployment is used.
+
+## Creating client authentication certificate keyfiles
+
+The client authentication certificates needed for the `Secrets` identified by `spec.source.auth.keyfileSecretName` & `spec.destination.auth.keyfileSecretName`
+are normal ArangoDB keyfiles that can be created by the `arangosync create client-auth keyfile` command.
+In order to do so, you must have access to the client authentication CA of the source/destination.
+
+If the client authentication CA at the source/destination also contains a private key (`ca.key`), the ArangoDeployment operator
+can be used to create such a keyfile for you, without the need to have `arangosync` installed locally.
+Read the following paragraphs for instructions on how to do that.
+
+## Creating and using access packages
+
+An access package is a YAML file that contains:
+
+- A client authentication certificate, wrapped in a `Secret` in a `tls.keyfile` data field.
+- A TLS certificate authority public key, wrapped in a `Secret` in a `ca.crt` data field.
+
+The format of the access package is such that it can be inserted into a Kubernetes cluster using the standard `kubectl` tool.
+
+To create an access package that can be used to authenticate with the ArangoDB SyncMasters of an `ArangoDeployment`,
+add a name of a non-existing `Secret` to the `spec.sync.externalAccess.accessPackageSecretNames` field of the `ArangoDeployment`.
+In response, a `Secret` is created in that Kubernetes cluster, with the given name, that contains a `accessPackage.yaml` data field
+that contains a Kubernetes resource specification that can be inserted into the other Kubernetes cluster.
+
+The process for creating and using an access package for authentication at the source cluster is as follows:
+
+- Edit the `ArangoDeployment` resource of the source cluster, set `spec.sync.externalAccess.accessPackageSecretNames` to `["my-access-package"]`
+- Wait for the `ArangoDeployment` operator to create a `Secret` named `my-access-package`.
+- Extract the access package from the Kubernetes source cluster using:
+
+```bash
+kubectl get secret my-access-package --template='{{index .data "accessPackage.yaml"}}' | base64 -D > accessPackage.yaml
+```
+
+- Insert the secrets found in the access package in the Kubernetes destination cluster using:
+
+```bash
+kubectl apply -f accessPackage.yaml
+```
 
-This setting specifies the name of a `Secret` containing a client authentication certificate,
-used to authenticate the SyncMaster in the destination cluster with the SyncMaster in the
-source cluster.
+As a result, the destination Kubernetes cluster will have 2 additional `Secrets`. One contains a client authentication certificate
+formatted as a keyfile. Another contains the public key of the TLS CA certificate of the source cluster.

docs/Manual/Deployment/Kubernetes/DeploymentResource.md

@@ -241,6 +241,19 @@ If not set, this setting defaults to:
 - If `spec.sync.externalAccess.loadBalancerIP` is set, it defaults to `https://<load-balancer-ip>:<8629>`.
 - Otherwise it defaults to `https://<sync-service-dns-name>:<8629>`.
 
+### `spec.sync.externalAccess.accessPackageSecretNames: []string`
+
+This setting specifies the names of zero of more `Secrets` that will be created by the deployment
+operator containing "access packages". An access package contains those `Secrets` that are needed
+to access the SyncMasters of this `ArangoDeployment`.
+
+By removing a name from this setting, the corresponding `Secret` is also deleted.
+Note that to remove all access packages, leave an empty array in place (`[]`).
+Completely removing the setting results in not modifying the list.
+
+See [the `ArangoDeploymentReplication` specification](./DeploymentReplicationResource.md) for more information
+on access packages.
+
 ### `spec.sync.auth.jwtSecretName: string`
 
 This setting specifies the name of a kubernetes `Secret` that contains
@@ -335,6 +348,14 @@ The default value is `8Gi`.
 This setting is not available for group `coordinators`, `syncmasters` & `syncworkers`
 because servers in these groups do not need persistent storage.
 
+### `spec.<group>.serviceAccountName: string`
+
+This setting specifies the `serviceAccountName` for the `Pods` created
+for each server of this group.
+
+Using an alternative `ServiceAccount` is typically used to separate access rights.
+The ArangoDB deployments do not require any special rights.
+
 ### `spec.<group>.storageClassName: string`
 
 This setting specifies the `storageClass` for the `PersistentVolume`s created

main.go

@@ -160,7 +160,7 @@ func cmdMainRun(cmd *cobra.Command, args []string) {
 	mux := http.NewServeMux()
 	mux.HandleFunc("/health", livenessProbe.LivenessHandler)
 	mux.HandleFunc("/ready/deployment", deploymentProbe.ReadyHandler)
-	mux.HandleFunc("/ready/deployment-replications", deploymentReplicationProbe.ReadyHandler)
+	mux.HandleFunc("/ready/deployment-replication", deploymentReplicationProbe.ReadyHandler)
 	mux.HandleFunc("/ready/storage", storageProbe.ReadyHandler)
 	mux.Handle("/metrics", prometheus.Handler())
 	listenAddr := net.JoinHostPort(serverOptions.host, strconv.Itoa(serverOptions.port))

manifests/templates/deployment-replication/deployment-replication.yaml

@@ -5,7 +5,7 @@ metadata:
   name: {{ .DeploymentReplication.OperatorDeploymentName }}
   namespace: {{ .DeploymentReplication.Operator.Namespace }}
 spec:
-  replicas: 1
+  replicas: 2
   strategy:
     type: Recreate
   template:
@@ -50,3 +50,12 @@ spec:
             scheme: HTTPS
           initialDelaySeconds: 5
           periodSeconds: 10
+      tolerations:
+      - key: "node.kubernetes.io/unreachable"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 5
+      - key: "node.kubernetes.io/not-ready"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 5

manifests/templates/deployment/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   name: {{ .Deployment.OperatorDeploymentName }}
   namespace: {{ .Deployment.Operator.Namespace }}
 spec:
-  replicas: 1
+  replicas: 2
   strategy:
     type: Recreate
   template:

manifests/templates/storage/deployment.yaml

@@ -13,7 +13,7 @@ metadata:
   name: {{ .Storage.OperatorDeploymentName }}
   namespace: {{ .Storage.Operator.Namespace }}
 spec:
-  replicas: 1
+  replicas: 2
   strategy:
     type: Recreate
   template:

manifests/templates/test/rbac.yaml

@@ -10,7 +10,7 @@ rules:
   resources: ["nodes"]
   verbs: ["list"]
 - apiGroups: [""]
-  resources: ["pods", "services", "persistentvolumes", "persistentvolumeclaims", "secrets"]
+  resources: ["pods", "services", "persistentvolumes", "persistentvolumeclaims", "secrets", "serviceaccounts"]
   verbs: ["*"]
 - apiGroups: ["apps"]
   resources: ["daemonsets"]

pkg/apis/deployment/v1alpha/conditions.go

@@ -46,6 +46,8 @@ const (
 	// the deployment have changed. Once that is the case, the operator will no longer
 	// touch the deployment, until the original secrets have been restored.
 	ConditionTypeSecretsChanged ConditionType = "SecretsChanged"
+	// ConditionTypeMemberOfCluster indicates that the member is a known member of the ArangoDB cluster.
+	ConditionTypeMemberOfCluster ConditionType = "MemberOfCluster"
 )
 
 // Condition represents one current condition of a deployment or deployment member.

pkg/apis/deployment/v1alpha/member_status.go

@@ -52,6 +52,11 @@ type MemberStatus struct {
 	IsInitialized bool `json:"initialized"`
 }
 
+// Age returns the duration since the creation timestamp of this member.
+func (s MemberStatus) Age() time.Duration {
+	return time.Since(s.CreatedAt.Time)
+}
+
 // RemoveTerminationsBefore removes all recent terminations before the given timestamp.
 // It returns the number of terminations that have been removed.
 func (s *MemberStatus) RemoveTerminationsBefore(timestamp time.Time) int {

pkg/apis/deployment/v1alpha/server_group.go

@@ -101,6 +101,16 @@ func (g ServerGroup) DefaultTerminationGracePeriod() time.Duration {
 	}
 }
 
+// IsStateless returns true when the groups runs servers without a persistent volume.
+func (g ServerGroup) IsStateless() bool {
+	switch g {
+	case ServerGroupCoordinators, ServerGroupSyncMasters, ServerGroupSyncWorkers:
+		return true
+	default:
+		return false
+	}
+}
+
 // IsArangod returns true when the groups runs servers of type `arangod`.
 func (g ServerGroup) IsArangod() bool {
 	switch g {