updates

deploy/crds/crd-qdrantcluster.yaml

@@ -45,10 +45,6 @@ spec:
             x-kubernetes-validations:
             - rule: (self.apikey == 'false' && self.readApikey == 'false') || ( self.apikey != 'false')
               message: "spec.readApikey can be used only with spec.apikey enabled"
-            - rule: (self.tls.enabled == false && self.tls.mtls == false) || ( self.tls.enabled != false)
-              message: "spec.tls.mtls can be used only with spec.tls.enabled"
-            - rule: (self.tls.enabled == false && self.tls.internodeEnabled == false) || ( self.tls.enabled != false)
-              message: "spec.tls.internodeEnabled can be used only with spec.tls.enabled"
             required: ["replicas","image"]
             properties:
               apikey:
@@ -114,14 +110,6 @@ spec:
                     default: false
                   secretName:
                     type: string
-                  internodeEnabled:
-                    type: boolean
-                    default: false
-                  mtls:
-                    type: boolean
-                    default: false
-                  clientSecretName:
-                    type: string
               # scheduling options
               tolerations:
                 type: array

deploy/operator.yaml

@@ -27,6 +27,9 @@ rules:
   - apiGroups: ["apps"]
     resources: ["statefulsets"]
     verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
+  - apiGroups: ["policy"]
+    resources: ["poddisruptionbudgets"]
+    verbs: ["get", "list", "create", "update", "delete", "patch", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
@@ -71,7 +74,7 @@ spec:
       serviceAccountName: qdrant-operator-sa
       containers:
       - name: operator
-        image: docker.io/dganochenko/qdrant-operator:0.1.2
+        image: docker.io/dganochenko/qdrant-operator:0.1.3
         imagePullPolicy: Always
         # debug
         # command: ["/bin/sh"]

docs/qdrantclusters-api.md

@@ -24,8 +24,6 @@ spec:
     storageClassName: default
   tls:
     enabled: true
-    internodeEnabled: true
-    mtls: true
   resources:
     requests:
       cpu: 10m

docs/tls.md

@@ -0,0 +1,84 @@
+# Qdrant TLS Guide
+
+In this guide you create a Qdrant cluster with enabled TLS encryption.
+
+1. Create Qdrant Cluster
+
+```bash
+cat <<EOF | kubectl apply -f -
+apiVersion: qdrant.operator/v1alpha1
+kind: QdrantCluster
+metadata:
+  name: my-auth-cluster
+spec:
+  replicas: 1
+  image: qdrant/qdrant:v1.7.3
+  tls:
+    enabled: true
+EOF
+```
+
+2. Create a new collection to check if operator can connect to the cluster:
+
+```bash
+cat <<EOF | kubectl apply -f -
+apiVersion: qdrant.operator/v1alpha1
+kind: QdrantCluster
+metadata:
+  name: my-notls-cluster
+spec:
+  replicas: 1
+  image: qdrant/qdrant:v1.7.3
+EOF
+```
+
+3. Start a new pod with a Certificate Authority, mounted as a volume from the Kubernetes secret:
+
+```bash
+cat <<EOF | kubectl apply -f -
+apiVersion: v1
+kind: Pod
+metadata:
+  name: tlsclient
+spec:
+  containers:
+  - image: curlimages/curl
+    name: mycurlpod
+    command: ["/bin/sh"]
+    args: ["-c", "while true; do echo hello; sleep 10;done"]
+    volumeMounts:
+      - name: cert
+        readOnly: true
+        mountPath: "/cert/cacert.pem"
+        subPath: cacert.pem
+  volumes:
+    - name: cert
+      secret:
+        secretName: my-tls-cluster-server-cert
+        items:
+          - key: cacert.pem
+            path: cacert.pem
+EOF
+```
+
+4. Wait for the pod readiness and connect to it:
+
+```bash
+kubectl wait pods tlsclient --for condition=Ready --timeout=300s
+kubectl exec -it tlsclient -- sh
+```
+
+5. Request the collection list to check if HTTPS works:
+
+```bash
+curl --cacert /cert/cacert.pem https://my-tls-cluster.default:6333/collections
+```
+
+You will see a similar output:
+
+```console
+{"result":{"collections":[{"name":"my-tls-collection"}]},"status":"ok","time":0.000017}
+```
+
+6. Press `CTRL-D` to exit the pod shell.
+

examples/qdrant-cluster-complete.yaml

@@ -24,11 +24,6 @@ spec:
     # Optional. This secret should contain the next fields: cert.pem, key.pem and cacert.pem
     # If not declared - the operator will generate new CA and certificate
     # !! future options !!
-    internodeEnabled: true
-    mtls: true
-    # clientSecretName: clientsecretname
-    # Optional. This secret should contain the next fields: cert.pem, key.pem and cacert.pem
-    # If not declared - the operator will generate new CA and certificate
   resources:
     requests:
       cpu: 10m

examples/qdrant-cluster-tls.yaml

@@ -0,0 +1,11 @@
+apiVersion: qdrant.operator/v1alpha1
+kind: QdrantCluster
+metadata:
+  name: my-cluster
+spec:
+  replicas: 3
+  image: qdrant/qdrant:v1.7.3
+  tls:
+    enabled: true
+    mtls: true 
+

src/certificate.js

@@ -136,7 +136,7 @@ const createServerCert = async (commonName, validDomains, rootCA) => {
   return {
     certificate: pemServerCert,
     privateKey: pemServerKey,
-    notAfter: newServerCert.validity.notBefore,
+    notBefore: newServerCert.validity.notBefore,
     notAfter: newServerCert.validity.notAfter
   };
 };
@@ -154,6 +154,7 @@ export const generateCert = async (apiObj) => {
       name + '-headless',
       name + '.' + namespace,
       name + '-headless.' + namespace,
+      '*.' + name + '-headless.' + namespace,
       '*.' + namespace + '.svc.' + clusterDomain
     ],
     CA

src/cluster-ops.js

@@ -50,9 +50,6 @@ export const applyCluster = async (apiObj, k8sAppsApi, k8sCoreApi) => {
   const name = apiObj.metadata.name;
   const namespace = apiObj.metadata.namespace;
 
-  if (typeof apiObj.spec.tls == 'undefined') {
-    apiObj.spec.tls = { enabled: false };
-  }
   if (
     apiObj.spec.tls.enabled &&
     typeof apiObj.spec.tls.secretName == 'undefined'
@@ -351,7 +348,7 @@ export const applyPdbCluster = async (apiObj, k8sPolicyApi) => {
   try {
     k8sPolicyApi.createNamespacedPodDisruptionBudget(
       `${namespace}`,
-      newPDBClusterTemplate
+      newPdbClusterTemplate
     );
     log(`PDB "${name}" was successfully created!`);
   } catch (err) {

src/templates/configmap.jsr

@@ -14,8 +14,8 @@ data:
     SET_INDEX=${HOSTNAME##*-}
     echo "Starting initializing for pod $SET_INDEX"
     if [ "$SET_INDEX" = "0" ]; then
-      exec ./entrypoint.sh --uri 'http://{{:metadata.name}}-0.{{:metadata.name}}-headless:6335'
+      exec ./entrypoint.sh --uri 'http://{{:metadata.name}}-0.{{:metadata.name}}-headless.{{:metadata.namespace}}:6335'
     else
-      exec ./entrypoint.sh --bootstrap 'http://{{:metadata.name}}-0.{{:metadata.name}}-headless:6335' --uri 'http://{{:metadata.name}}-'"$SET_INDEX"'.{{:metadata.name}}-headless:6335'
+      exec ./entrypoint.sh --bootstrap 'http://{{:metadata.name}}-0.{{:metadata.name}}-headless.{{:metadata.namespace}}:6335' --uri 'http://{{:metadata.name}}-'"$SET_INDEX"'.{{:metadata.name}}-headless.{{:metadata.namespace}}:6335'
     fi
   production.yaml: ''  

src/templates/secret-client-cert.jsr

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{:metadata.name}}-client-cert
+  namespace: {{:metadata.namespace}}
+  ownerReferences:
+  - apiVersion: {{:apiVersion}}
+    kind: {{:kind}}
+    name: {{:metadata.name}}
+    uid: {{:metadata.uid}}
+data:
+  cert.pem: ''
+  key.pem: ''
+  cacert.pem: ''

src/templates/statefulset.jsr

@@ -49,12 +49,8 @@ spec:
           - name: p2p
             containerPort: 6335
           readinessProbe:
-            httpGet:
-              path: /
+            tcpSocket:
               port: 6333
-              {{if spec.tls.enabled }}
-              scheme: HTTPS
-              {{/if}}
             initialDelaySeconds: 5
             periodSeconds: 10
             timeoutSeconds: 1