Merge pull request #366 from rabbitmq/vault-tls

Support connecting Vault with TLS and check rabbitmqcluster status

Author: ChunyiLyu

internal/cluster_reference.go

@@ -32,7 +32,8 @@ var SecretStoreClientProvider = GetSecretStoreClient
 
 var (
 	NoSuchRabbitmqClusterError = errors.New("RabbitmqCluster object does not exist")
-	ResourceNotAllowedError    = errors.New("Resource is not allowed to reference defined cluster reference. Check the namespace of the resource is allowed as part of the cluster's `rabbitmq.com/topology-allowed-namespaces` annotation")
+	ResourceNotAllowedError    = errors.New("resource is not allowed to reference defined cluster reference. Check the namespace of the resource is allowed as part of the cluster's `rabbitmq.com/topology-allowed-namespaces` annotation")
+	NoServiceReferenceSetError = errors.New("RabbitmqCluster has no ServiceReference set in status.defaultUser")
 )
 
 func ParseRabbitmqClusterReference(ctx context.Context, c client.Client, rmq topology.RabbitmqClusterReference, requestNamespace string, clusterDomain string) (ConnectionCredentials, bool, error) {
@@ -60,6 +61,10 @@ func ParseRabbitmqClusterReference(ctx context.Context, c client.Client, rmq top
 		return nil, false, ResourceNotAllowedError
 	}
 
+	if cluster.Status.DefaultUser == nil || cluster.Status.DefaultUser.ServiceReference == nil {
+		return nil, false, NoServiceReferenceSetError
+	}
+
 	var user, pass string
 	if cluster.Spec.SecretBackend.Vault != nil && cluster.Spec.SecretBackend.Vault.DefaultUserPath != "" {
 		// ask the configured secure store for the credentials available at the path retrieved from the cluster resource
@@ -78,10 +83,6 @@ func ParseRabbitmqClusterReference(ctx context.Context, c client.Client, rmq top
 			return nil, false, errors.New("no status.binding set")
 		}
 
-		if cluster.Status.DefaultUser == nil {
-			return nil, false, errors.New("no status.defaultUser set")
-		}
-
 		secret := &corev1.Secret{}
 		if err := c.Get(ctx, types.NamespacedName{Namespace: namespace, Name: cluster.Status.Binding.Name}, secret); err != nil {
 			return nil, false, err

internal/cluster_reference_test.go

@@ -114,7 +114,7 @@ var _ = Describe("ParseRabbitmqClusterReference", func() {
 
 			It("errors", func() {
 				_, _, err := internal.ParseRabbitmqClusterReference(ctx, fakeClient, topology.RabbitmqClusterReference{Name: existingRabbitMQCluster.Name}, existingRabbitMQCluster.Namespace, "")
-				Expect(err).To(MatchError("no status.defaultUser set"))
+				Expect(err).To(MatchError(internal.NoServiceReferenceSetError))
 			})
 		})
 
@@ -181,6 +181,35 @@ var _ = Describe("ParseRabbitmqClusterReference", func() {
 				Expect(passwordBytes).To(Equal([]byte(existingRabbitMQPassword)))
 				Expect(uriBytes).To(Equal([]byte("http://rmq.rabbitmq-system.svc:15672")))
 			})
+
+			When("RabbitmqCluster does not have status.defaultUser set", func() {
+				BeforeEach(func() {
+					*existingRabbitMQCluster = rabbitmqv1beta1.RabbitmqCluster{
+						ObjectMeta: metav1.ObjectMeta{
+							Name:      "rmq-vault-incomplete-status",
+							Namespace: namespace,
+						},
+						Spec: rabbitmqv1beta1.RabbitmqClusterSpec{
+							SecretBackend: rabbitmqv1beta1.SecretBackend{
+								Vault: &rabbitmqv1beta1.VaultSpec{
+									Role:            "sausage",
+									DefaultUserPath: "/some/path",
+								},
+							},
+						},
+					}
+					fakeSecretStoreClient = &internalfakes.FakeSecretStoreClient{}
+					fakeSecretStoreClient.ReadCredentialsReturns(existingRabbitMQUsername, existingRabbitMQPassword, nil)
+					internal.SecretStoreClientProvider = func() (internal.SecretStoreClient, error) {
+						return fakeSecretStoreClient, nil
+					}
+				})
+
+				It("errors", func() {
+					_, _, err := internal.ParseRabbitmqClusterReference(ctx, fakeClient, topology.RabbitmqClusterReference{Name: existingRabbitMQCluster.Name}, existingRabbitMQCluster.Namespace, "")
+					Expect(err).To(MatchError(internal.NoServiceReferenceSetError))
+				})
+			})
 		})
 	})
 

internal/vault_reader.go

@@ -1,9 +1,12 @@
 package internal
 
 import (
+	"crypto/x509"
 	"errors"
 	"fmt"
+	"net/http"
 	"os"
+	"strings"
 	"sync"
 	"time"
 
@@ -63,7 +66,24 @@ func GetSecretStoreClient() (SecretStoreClient, error) {
 func InitializeClient() func() {
 	return func() {
 		// VAULT_ADDR environment variable will be the address that pod uses to communicate with Vault.
+		// returns error when not set
+		vaultURL := os.Getenv("VAULT_ADDR")
+		if vaultURL == "" {
+			SecretClientCreationError = fmt.Errorf("VAULT_ADDR environment variable not set; cannot initialize vault client")
+			return
+		}
+
 		config := vault.DefaultConfig() // modify for more granular configuration
+
+		if strings.HasPrefix(vaultURL, "https") {
+			systemCertPool, err := x509.SystemCertPool()
+			if err != nil {
+				SecretClientCreationError = fmt.Errorf("failed to retrieve system trusted certs: %w", err)
+				return
+			}
+			config.HttpClient.Transport.(*http.Transport).TLSClientConfig.RootCAs = systemCertPool
+		}
+
 		vaultClient, err := vault.NewClient(config)
 		if err != nil {
 			SecretClientCreationError = fmt.Errorf("unable to initialize Vault client: %w", err)

internal/vault_reader_test.go

@@ -300,11 +300,12 @@ var _ = Describe("VaultReader", func() {
 			vaultSpec                  *rabbitmqv1beta1.VaultSpec
 			getSecretStoreClientTester func(vaultSpec *rabbitmqv1beta1.VaultSpec) (internal.SecretStoreClient, error)
 		)
+		BeforeEach(func() {
+			os.Setenv("VAULT_ADDR", "vault-address")
+		})
 
 		When("vault role is not set in the environment", func() {
-			var (
-				vaultRoleUsedForLogin string
-			)
+			var vaultRoleUsedForLogin string
 
 			BeforeEach(func() {
 				internal.FirstLoginAttemptResultCh = make(chan error, 1)
@@ -530,5 +531,13 @@ var _ = Describe("VaultReader", func() {
 				Expect(secretStoreClient).ToNot(BeNil())
 			})
 		})
+
+		When("VAULT_ADDR is not set", func() {
+			It("returns an error", func() {
+				os.Unsetenv("VAULT_ADDR")
+				secretStoreClient, err = getSecretStoreClientTester(vaultSpec)
+				Expect(err).To(MatchError("VAULT_ADDR environment variable not set; cannot initialize vault client"))
+			})
+		})
 	})
 })