From 83a8e634ad6f69ffb6f4dc7dd76ca21cff9768be Mon Sep 17 00:00:00 2001
From: Caleb Doxsey
Date: Wed, 13 Dec 2023 07:02:13 -0700
Subject: [PATCH] ingress-controller/config: remove redis (#835)
* ingress-controller/config: remove redis
* fix whitespace
---
 apis/ingress/v1/deprecation.go | 20 +-
 apis/ingress/v1/deprecation_test.go | 13 +-
 apis/ingress/v1/pomerium_types.go | 37 +---
 apis/ingress/v1/zz_generated.deepcopy.go | 30 ---
 .../bases/ingress.pomerium.io_pomerium.yaml | 30 ---
 controllers/settings/fetch.go | 12 +-
 controllers/settings/fetch_test.go | 44 -----
 deployment.yaml | 30 ---
 pomerium/config.go | 2 +-
 pomerium/ctrl/bootstrap.go | 36 +---
 reference.md | 186 +++++++++++-------
 11 files changed, 135 insertions(+), 305 deletions(-)
diff --git a/apis/ingress/v1/deprecation.go b/apis/ingress/v1/deprecation.go
index 54880409..8cd6c598 100644
--- a/apis/ingress/v1/deprecation.go
+++ b/apis/ingress/v1/deprecation.go
@@ -10,19 +10,13 @@ import (
 "github.com/iancoleman/strcase"
 )
-var (
- deprecatedFields = map[string]pom_cfg.FieldMsg{
- "idp_directory_sync": {
- DocsURL: "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
- FieldCheckMsg: pom_cfg.FieldCheckMsgRemoved,
- KeyAction: pom_cfg.KeyActionWarn,
- },
- "redis": {
- FieldCheckMsg: "not recommended for new deployments, use PostgreSQL",
- KeyAction: pom_cfg.KeyActionWarn,
- },
- }
-)
+var deprecatedFields = map[string]pom_cfg.FieldMsg{
+ "idp_directory_sync": {
+ DocsURL: "https://docs.pomerium.com/docs/overview/upgrading#idp-directory-sync",
+ FieldCheckMsg: pom_cfg.FieldCheckMsgRemoved,
+ KeyAction: pom_cfg.KeyActionWarn,
+ },
+}
 // GetDeprecations returns deprecation warnings
 func GetDeprecations(spec *PomeriumSpec) ([]pom_cfg.FieldMsg, error) {
diff --git a/apis/ingress/v1/deprecation_test.go b/apis/ingress/v1/deprecation_test.go
index ece70e58..f551d9a5 100644
--- a/apis/ingress/v1/deprecation_test.go
+++ b/apis/ingress/v1/deprecation_test.go
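Review bot: Dropping the `"redis"` entry outright means a manifest that still carries `storage.redis` produces no deprecation message at all, whereas the surviving `"idp_directory_sync"` entry shows how a removed key is normally handled (`FieldCheckMsg: pom_cfg.FieldCheckMsgRemoved` plus a `DocsURL` to the upgrade guide). Keeping `"redis": {FieldCheckMsg: pom_cfg.FieldCheckMsgRemoved, KeyAction: pom_cfg.KeyActionWarn}` with an upgrade-guide `DocsURL` would give operators the pointer they need. Whether that entry would still fire is not visible here: the `deprecated:"redis"` struct tag is removed in pomerium_types.go, and GetDeprecations' body lies outside the hunk, so it may match on tags rather than on this map.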
@@ -14,20 +14,17 @@ import (
 func TestDeprecations(t *testing.T) {
 msgs, err := api.GetDeprecations(&api.PomeriumSpec{
 Authenticate: new(api.Authenticate),
- IdentityProvider: &api.IdentityProvider{Provider: "google", URL: proto.String("http://google.com"),
+ IdentityProvider: &api.IdentityProvider{
+ Provider: "google", URL: proto.String("http://google.com"),
 ServiceAccountFromSecret: proto.String("secret"),
 RefreshDirectory: &api.RefreshDirectorySettings{
 Interval: v1.Duration{Duration: time.Minute},
 Timeout: v1.Duration{Duration: time.Minute},
- }},
- Certificates: []string{},
- Secrets: "",
- Storage: &api.Storage{
- Redis: &api.RedisStorage{
- Secret: "redis",
 },
 },
+ Certificates: []string{},
+ Secrets: "",
 })
 require.NoError(t, err)
- require.Len(t, msgs, 3)
+ require.Len(t, msgs, 2)
 }
diff --git a/apis/ingress/v1/pomerium_types.go b/apis/ingress/v1/pomerium_types.go
index 1a95d8be..b8c1041b 100644
--- a/apis/ingress/v1/pomerium_types.go
+++ b/apis/ingress/v1/pomerium_types.go
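Review bot: `require.Len(t, msgs, 2)` pins only the count, so the test cannot tell which two deprecations fired and keeps passing if an unrelated warning replaces the `idp_directory_sync` one. Collecting each message's `Key` and comparing the list with `require.ElementsMatch` would state the intent directly; the expected key strings are not visible in this hunk, so I have not quoted them.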
@@ -79,35 +79,6 @@ type RefreshDirectorySettings struct {
 Timeout metav1.Duration `json:"timeout"`
 }
-// RedisStorage defines REDIS databroker storage backend bootstrap parameters.
-// Redis is supported for legacy deployments, new deployments should use PostgreSQL.
-type RedisStorage struct {
- // Secret specifies a name of a Secret that must contain
- // connection key.
- // +kubebuilder:validation:Required
- // +kubebuilder:validation:Type=string
- // +kubebuilder:validation:MinLength=1
- // +kubebuilder:validation:Format="namespace/name"
- Secret string `json:"secret"`
- // TLSSecret should refer to a k8s secret of type kubernetes.io/tls
- // that would be used to perform TLS connection to REDIS.
- // +kubebuilder:validation:Optional
- // +kubebuilder:validation:Type=string
- // +kubebuilder:validation:MinLength=1
- // +kubebuilder:validation:Format="namespace/name"
- TLSSecret *string `json:"tlsSecret"`
- // CASecret should refer to a k8s secret with key ca.crt that must be a PEM-encoded
- // certificate authority to use when connecting to the databroker storage engine.
- // +kubebuilder:validation:Optional
- // +kubebuilder:validation:Type=string
- // +kubebuilder:validation:Format="namespace/name"
- CASecret *string `json:"caSecret"`
- // TLSSkipVerify disables TLS certificate chain validation.
- // +kubebuilder:validation:Optional
- // +kubebuilder:validation:Type=boolean
- TLSSkipVerify bool `json:"tlsSkipVerify"`
-}
 // PostgresStorage defines Postgres connection parameters.
 type PostgresStorage struct {
 // Secret specifies a name of a Secret that must contain
@@ -144,13 +115,9 @@ type PostgresStorage struct {
 // Storage defines persistent storage option for the databroker
 // and is only applied for all-in-one pomerium bootstrap,
 // and has no effect for the split-mode deployment.
-// If Storage is specified, either `redis` or `postgresql` parameter should be set.
-// Omit setting storage to use in-memory storage implementation.
+// If Storage is specified, the `postgresql` parameter should be set.
+// Omit setting storage to use the in-memory storage implementation.
 type Storage struct {
- // Redis defines REDIS connection parameters
- // +kubebuilder:validation:Optional
- Redis *RedisStorage `json:"redis" deprecated:"redis"`
-
 // Postgres specifies PostgreSQL database connection parameters
 // +kubebuilder:validation:Optional
 Postgres *PostgresStorage `json:"postgres"`
diff --git a/apis/ingress/v1/zz_generated.deepcopy.go b/apis/ingress/v1/zz_generated.deepcopy.go
index 16d6a469..80f8b001 100644
--- a/apis/ingress/v1/zz_generated.deepcopy.go
+++ b/apis/ingress/v1/zz_generated.deepcopy.go
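Review bot: The rewritten doc comment tells the reader to set the `postgresql` parameter, but the field a few lines below is tagged `json:"postgres"`, so anyone following the comment writes a key the CRD does not define. Suggest `// If Storage is specified, the \`postgres\` parameter should be set.`; the new error string in pomerium/ctrl/bootstrap.go (`it must contain postgresql config`) has the same mismatch and would benefit from naming the real key.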
@@ -330,31 +330,6 @@ func (in *PostgresStorage) DeepCopy() *PostgresStorage {
 return out
 }
-// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
-func (in *RedisStorage) DeepCopyInto(out *RedisStorage) {
- *out = *in
- if in.TLSSecret != nil {
- in, out := &in.TLSSecret, &out.TLSSecret
- *out = new(string)
- **out = **in
- }
- if in.CASecret != nil {
- in, out := &in.CASecret, &out.CASecret
- *out = new(string)
- **out = **in
- }
-}
-
-// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RedisStorage.
-func (in *RedisStorage) DeepCopy() *RedisStorage {
- if in == nil {
- return nil
- }
- out := new(RedisStorage)
- in.DeepCopyInto(out)
- return out
-}
-
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *RefreshDirectorySettings) DeepCopyInto(out *RefreshDirectorySettings) {
 *out = *in
@@ -401,11 +376,6 @@ func (in *ResourceStatus) DeepCopy() *ResourceStatus {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *Storage) DeepCopyInto(out *Storage) {
 *out = *in
- if in.Redis != nil {
- in, out := &in.Redis, &out.Redis
- *out = new(RedisStorage)
- (*in).DeepCopyInto(*out)
- }
 if in.Postgres != nil {
 in, out := &in.Postgres, &out.Postgres
 *out = new(PostgresStorage)
diff --git a/config/crd/bases/ingress.pomerium.io_pomerium.yaml b/config/crd/bases/ingress.pomerium.io_pomerium.yaml
index 1e5a813e..ce27932e 100644
--- a/config/crd/bases/ingress.pomerium.io_pomerium.yaml
+++ b/config/crd/bases/ingress.pomerium.io_pomerium.yaml
@@ -289,36 +289,6 @@ spec:
 required:
 - secret
 type: object
- redis:
- description: Redis defines REDIS connection parameters
- properties:
- caSecret:
- description: CASecret should refer to a k8s secret with key
- ca.crt that must be a PEM-encoded certificate
- authority to use when connecting to the databroker storage
- engine.
- format: namespace/name
- type: string
- secret:
- description: Secret specifies a name of a Secret that must
- contain connection key.
- format: namespace/name
- minLength: 1
- type: string
- tlsSecret:
- description: TLSSecret should refer to a k8s secret of type
- kubernetes.io/tls that would be used to perform
- TLS connection to REDIS.
- format: namespace/name
- minLength: 1
- type: string
- tlsSkipVerify:
- description: TLSSkipVerify disables TLS certificate chain
- validation.
- type: boolean
- required:
- - secret
- type: object
 type: object
 timeouts:
 description: Timeout specifies the global
diff --git a/controllers/settings/fetch.go b/controllers/settings/fetch.go
index d88ef0b3..1bb1b950 100644
--- a/controllers/settings/fetch.go
+++ b/controllers/settings/fetch.go
@@ -126,15 +126,7 @@ func fetchConfigSecrets(ctx context.Context, client client.Client, cfg *model.Co
 return nil
 }
- if r := s.Storage.Redis; r != nil {
- if err := applyAll(
- apply("connection", required(&r.Secret), &cfg.StorageSecrets.Secret),
- apply("tls", optional(r.TLSSecret), &cfg.StorageSecrets.TLS),
- apply("ca", optional(r.CASecret), &cfg.StorageSecrets.CA),
- ); err != nil {
- return fmt.Errorf("redis: %w", err)
- }
- } else if p := s.Storage.Postgres; p != nil {
+ if p := s.Storage.Postgres; p != nil {
 if err := applyAll(
 apply("connection", required(&p.Secret), &cfg.StorageSecrets.Secret),
 apply("tls", optional(p.TLSSecret), &cfg.StorageSecrets.TLS),
@@ -143,7 +135,7 @@ func fetchConfigSecrets(ctx context.Context, client client.Client, cfg *model.Co
 return fmt.Errorf("postgresql: %w", err)
 }
 } else {
- return fmt.Errorf("if storage is specified, either redis or postgres storage should be provided")
+ return fmt.Errorf("if storage is specified, postgres storage should be provided")
 }
 return cfg.StorageSecrets.Validate()
diff --git a/controllers/settings/fetch_test.go b/controllers/settings/fetch_test.go
index 59b74979..6b33978b 100644
--- a/controllers/settings/fetch_test.go
+++ b/controllers/settings/fetch_test.go
@@ -42,25 +42,6 @@ func TestFetchConstraints(t *testing.T) {
 }{
 "idp-secrets": {},
 "bootstrap-secrets": {},
- "redis": {
- corev1.SecretTypeOpaque,
- map[string][]byte{
- model.StorageConnectionStringKey: []byte("redis://"),
- },
- },
- "redis-ca": {
- corev1.SecretTypeOpaque,
- map[string][]byte{
- model.CAKey: []byte("ca-data"),
- },
- },
- "redis-tls": {
- corev1.SecretTypeTLS,
- map[string][]byte{
- corev1.TLSCertKey: []byte("cert-data"),
- corev1.TLSPrivateKeyKey: []byte("key-data"),
- },
- },
 "postgres": {
 corev1.SecretTypeOpaque,
 map[string][]byte{
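Review bot: Once the CRD no longer declares the `redis` property, a pre-existing `storage: {redis: ...}` object is likely to reach this function with the key pruned away, so an operator upgrading from Redis lands in this `else` branch and sees only `postgres storage should be provided`, with nothing saying their Redis configuration was discarded. Failing closed here is right — session data must not quietly fall back to in-memory storage — but the message should name the removal, e.g. `return fmt.Errorf("if storage is specified, postgres storage should be provided (redis storage is no longer supported)")`. The parallel message in pomerium/ctrl/bootstrap.go describes the same condition in different words (`it must contain postgresql config`); aligning the two would help support triage. Whether unknown keys are pruned or rejected depends on the CRD's schema settings, which this diff does not show; fetchConfigSecrets starts before the hunk.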
@@ -119,31 +100,6 @@ func TestFetchConstraints(t *testing.T) {
 Secrets: "pomerium/bootstrap-secrets",
 Storage: &icsv1.Storage{},
 }, assert.Error},
- {"redis: secret missing", icsv1.PomeriumSpec{
- Authenticate: new(icsv1.Authenticate),
- IdentityProvider: &icsv1.IdentityProvider{Secret: "pomerium/idp-secrets"},
- Certificates: []string{},
- Secrets: "pomerium/bootstrap-secrets",
- Storage: &icsv1.Storage{Redis: &icsv1.RedisStorage{}},
- }, assert.Error},
- {"redis: secret present", icsv1.PomeriumSpec{
- Authenticate: new(icsv1.Authenticate),
- IdentityProvider: &icsv1.IdentityProvider{Secret: "pomerium/idp-secrets"},
- Certificates: []string{},
- Secrets: "pomerium/bootstrap-secrets",
- Storage: &icsv1.Storage{Redis: &icsv1.RedisStorage{Secret: "pomerium/redis"}},
- }, assert.NoError},
- {"redis: ca + tls", icsv1.PomeriumSpec{
- Authenticate: new(icsv1.Authenticate),
- IdentityProvider: &icsv1.IdentityProvider{Secret: "pomerium/idp-secrets"},
- Certificates: []string{},
- Secrets: "pomerium/bootstrap-secrets",
- Storage: &icsv1.Storage{Redis: &icsv1.RedisStorage{
- Secret: "pomerium/redis",
- CASecret: proto.String("pomerium/redis-ca"),
- TLSSecret: proto.String("pomerium/redis-tls"),
- }},
- }, assert.NoError},
 {"postgres: secret missing", icsv1.PomeriumSpec{
 Authenticate: new(icsv1.Authenticate),
 IdentityProvider: &icsv1.IdentityProvider{Secret: "pomerium/idp-secrets"},
diff --git a/deployment.yaml b/deployment.yaml
index 89712b38..5cd12594 100644
--- a/deployment.yaml
+++ b/deployment.yaml
@@ -297,36 +297,6 @@ spec:
 required:
 - secret
 type: object
- redis:
- description: Redis defines REDIS connection parameters
- properties:
- caSecret:
- description: CASecret should refer to a k8s secret with key
- ca.crt that must be a PEM-encoded certificate
- authority to use when connecting to the databroker storage
- engine.
- format: namespace/name
- type: string
- secret:
- description: Secret specifies a name of a Secret that must
- contain connection key.
- format: namespace/name
- minLength: 1
- type: string
- tlsSecret:
- description: TLSSecret should refer to a k8s secret of type
- kubernetes.io/tls that would be used to perform
- TLS connection to REDIS.
- format: namespace/name
- minLength: 1
- type: string
- tlsSkipVerify:
- description: TLSSkipVerify disables TLS certificate chain
- validation.
- type: boolean
- required:
- - secret
- type: object
 type: object
 timeouts:
 description: Timeout specifies the global
diff --git a/pomerium/config.go b/pomerium/config.go
index 86514c51..c719b2f6 100644
--- a/pomerium/config.go
+++ b/pomerium/config.go
@@ -61,7 +61,7 @@ func applyConfig(ctx context.Context, p *pb.Config, c *model.Config) error {
 }
 func checkForWarnings(ctx context.Context, _ *pb.Config, c *model.Config) error {
- if c.Spec.Storage == nil || (c.Spec.Storage.Redis == nil && c.Spec.Storage.Postgres == nil) {
+ if c.Spec.Storage == nil || c.Spec.Storage.Postgres == nil {
 util.Add(ctx, config.FieldMsg{
 Key: "storage",
 DocsURL: "https://www.pomerium.com/docs/topics/data-storage#persistence",
diff --git a/pomerium/ctrl/bootstrap.go b/pomerium/ctrl/bootstrap.go
index c790ce6b..ae30dc62 100644
--- a/pomerium/ctrl/bootstrap.go
+++ b/pomerium/ctrl/bootstrap.go
@@ -82,42 +82,8 @@ func applyStorage(ctx context.Context, dst *config.Options, src *model.Config) e
 if src.Spec.Storage.Postgres != nil {
 return applyStoragePostgres(dst, src)
 }
- if src.Spec.Storage.Redis != nil {
- return applyStorageRedis(dst, src)
- }
-
- return fmt.Errorf("if storage is specified, it must contain either redis or postgresql config. omit storage key for in-memory")
-}
-
-func applyStorageRedis(dst *config.Options, src *model.Config) error {
- conn, ok := src.StorageSecrets.Secret.Data[model.StorageConnectionStringKey]
- if !ok {
- return fmt.Errorf("storage secret must have %s key", model.StorageConnectionStringKey)
- }
-
- dst.DataBrokerStorageConnectionString = string(conn)
- dst.DataBrokerStorageCertSkipVerify = src.Spec.Storage.Redis.TLSSkipVerify
- if src.StorageSecrets.CA != nil {
- ca, err := storageFiles.CreateFile("ca.pem", src.StorageSecrets.Secret.Data[model.CAKey])
- if err != nil {
- return fmt.Errorf("ca: %w", err)
- }
- dst.DataBrokerStorageCAFile = ca
- }
- if src.StorageSecrets.TLS != nil {
- cert, err := storageFiles.CreateFile("cert.pem", src.StorageSecrets.TLS.Data[corev1.TLSCertKey])
- if err != nil {
- return fmt.Errorf("tls cert: %w", err)
- }
- key, err := storageFiles.CreateFile("key.pem", src.StorageSecrets.TLS.Data[corev1.TLSPrivateKeyKey])
- if err != nil {
- return fmt.Errorf("tls key: %w", err)
- }
- dst.DataBrokerStorageCertFile = cert
- dst.DataBrokerStorageCertKeyFile = key
- }
- return nil
+ return fmt.Errorf("if storage is specified, it must contain postgresql config. omit storage key for in-memory")
 }
 func applyStoragePostgres(dst *config.Options, src *model.Config) error {
diff --git a/reference.md b/reference.md
index f3a157ac..c86e1b38 100644
--- a/reference.md
+++ b/reference.md
@@ -23,6 +23,22 @@ PomeriumSpec defines Pomerium-specific configuration parameters. + + +
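Review bot: The removed `applyStorageRedis` guarded on `src.StorageSecrets.CA != nil` but then wrote `ca.pem` from `src.StorageSecrets.Secret.Data[model.CAKey]` — the connection secret, not the CA secret it had just checked — so the trust anchor for the databroker TLS connection could silently come from the wrong object. That code is gone, but `applyStoragePostgres`, which begins right after the hunk and appears to be the surviving counterpart, is worth reading for the same lookup; a CA file sourced from the wrong secret weakens certificate verification without any error. If it does share the pattern, the fix is to read from `src.StorageSecrets.CA.Data[model.CAKey]`, or to fail when that key is absent rather than writing an empty file. The body of applyStoragePostgres is outside this hunk, so this is a check to perform, not a confirmed defect.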

+ accessLogFields   + + []string  + +

+

+ + AccessLogFields sets the access fields to log. +

+ + + +

@@ -40,6 +56,22 @@ PomeriumSpec defines Pomerium-specific configuration parameters. + + +

+ authorizeLogFields   + + []string  + +

+

+ + AuthorizeLogFields sets the authorize fields to log. +

+ + + +

@@ -125,6 +157,22 @@ PomeriumSpec defines Pomerium-specific configuration parameters. + + +

+ passIdentityHeaders   + + boolean  + +

+

+ + PassIdentityHeaders sets the pass identity headers option. +

+ + + +

@@ -194,6 +242,39 @@ PomeriumSpec defines Pomerium-specific configuration parameters. + + +

+ timeouts   + + object  + (timeouts) + +

+

+ + Timeout specifies the global timeouts for all routes. +

+ + + + + + +

+ useProxyProtocol   + + boolean  + +

+

+ + UseProxyProtocol enables Proxy Protocol support. +

+ + + + @@ -586,9 +667,9 @@ Postgres specifies PostgreSQL database connection parameters -### `redis` +### `refreshDirectory` -Redis defines REDIS connection parameters +RefreshDirectory is no longer supported, please see Upgrade Guide. @@ -598,18 +679,18 @@ Redis defines REDIS connection parameters @@ -617,52 +698,48 @@ Redis defines REDIS connection parameters - -

- caSecret   + interval   string  - (namespace/name) + (duration)

- - CASecret should refer to a k8s secret with key ca.crt that must be a PEM-encoded certificate authority to use when connecting to the databroker storage engine. + Required.  + interval is the time that pomerium will sync your IDP directory.

- Format: reference to Kubernetes resource with namespace prefix: namespace/name format. + Format: a duration string like "22s" as parsed by Golang time.ParseDuration.

- secret   + timeout   string  - (namespace/name) + (duration)

Required.  - Secret specifies a name of a Secret that must contain connection key. + timeout is the maximum time allowed each run.

- Format: reference to Kubernetes resource with namespace prefix: namespace/name format. + Format: a duration string like "22s" as parsed by Golang time.ParseDuration.
-

- tlsSecret   + +

- string  - (namespace/name) -

-

- TLSSecret should refer to a k8s secret of type kubernetes.io/tls that would be used to perform TLS connection to REDIS. -

+### `storage` - Format: reference to Kubernetes resource with namespace prefix: namespace/name format. +Storage defines persistent storage for sessions and other data. See Storage for details. If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production). - - + + + + @@ -673,9 +750,9 @@ Redis defines REDIS connection parameters -### `refreshDirectory` +### `timeouts` -RefreshDirectory is no longer supported, please see Upgrade Guide. +Timeout specifies the global timeouts for all routes.

- tlsSkipVerify   + postgres   - boolean  + object  + (postgres)

- TLSSkipVerify disables TLS certificate chain validation. + Postgres specifies PostgreSQL database connection parameters

@@ -685,15 +762,15 @@ RefreshDirectory is no longer supported, please see Storage for details. If no storage is specified, Pomerium would use a transient in-memory storage (not recommended for production). - -
- - - - - - - -

- postgres   + write   - object  - (postgres) + string  + (duration)

- Postgres specifies PostgreSQL database connection parameters + Write specifies max stream duration is the maximum time that a stream’s lifetime will span. An HTTP request/response exchange fully consumes a single stream. Therefore, this value must be greater than read_timeout as it covers both request and response time.

-
-

- redis   - - object  - (redis) - -

-

- - Redis defines REDIS connection parameters -

+ Format: a duration string like "22s" as parsed by Golang time.ParseDuration.