Disabletls (#952)

* Initial changes to allow for disable tls flag (with port) and no verify tls

* Added error handling for missing port value

* Converted ansible service.json to template for apiserver port update.
Removed duplicate variable reference.

* Added Ansible template for service.json, default values for both Bash and Ansible install and documentation updates.

* Removed preflight port check since default is set. Cleanup comments and fixed comma error.

* Updated service.json path in main.yml

* Added a note about updates to TLS or port settings.

* Updated default behavior in deploy.sh

Author: tjmoore4

ansible/inventory

@@ -72,8 +72,10 @@ pgo_image_tag='centos7-4.1.0'
 pgo_client_install='true'
 pgo_client_version='v4.1.0'
 
-# PGO TLS
-pgo_tls_no_verify='false'
+# PGO Apiserver TLS Settings
+#pgo_tls_no_verify='false'
+#pgo_disable_tls='false'
+#pgo_apiserver_port=8443
 
 # Set to 'true' to assign the cluster-admin role to the PGO service account.  Needed for
 # OCP installs to enable dynamic namespace creation (see the PGO docs for more details).

ansible/roles/pgo-operator/defaults/main.yml

@@ -21,7 +21,9 @@ crunchy_debug: "false"
 pgo_client_install: "true"
 pgo_cluster_admin: "false"
 pgo_disable_tls: "false"
+pgo_tls_no_verify: "false"
 pgo_disable_eventing: "false"
+pgo_apiserver_port: 8443
 
 delete_operator_namespace: "false"
 delete_watched_namespaces: "false"

ansible/roles/pgo-operator/files/service.json

@@ -131,6 +131,13 @@
         mode: '0600'
       tags: [install, update]
 
+    - name: Template PGO Service Configuration
+      template:
+        src: service.json.j2
+        dest: "{{ output_dir }}/service.json"
+        mode: '0600'
+      tags: [install, update]
+
     - name: Template BackRest AWS S3 Configuration
       template:
         src: aws-s3-credentials.yaml.j2
@@ -166,7 +173,7 @@
 
     - name: Create PGO Service
       command: |
-        {{ kubectl_or_oc }} create --filename='{{ role_path }}/files/service.json' -n {{ pgo_operator_namespace }}
+        {{ kubectl_or_oc }} create --filename='{{ output_dir }}/service.json' -n {{ pgo_operator_namespace }}
       tags: [install, update]
 
     - name: Template PGO Deployment

ansible/roles/pgo-operator/tasks/main.yml

@@ -25,7 +25,7 @@
                         "imagePullPolicy": "IfNotPresent",
                         "ports": [
                             {
-                                "containerPort": 8443
+                                "containerPort": {{ pgo_apiserver_port }}
                             }
                         ],
                         "env": [
@@ -35,7 +35,7 @@
                             },
                             {
                                 "name": "PORT",
-                                "value": "8443"
+                                "value": "{{ pgo_apiserver_port }}"
                             },
                             {
                                 "name": "PGO_INSTALLATION_NAME",

ansible/roles/pgo-operator/templates/deployment.json.j2

@@ -0,0 +1,37 @@
+{
+    "kind": "Service",
+    "apiVersion": "v1",
+    "metadata": {
+	"name": "postgres-operator",
+        "labels": {
+            "name": "postgres-operator"
+        }
+    },
+    "spec": {
+        "ports": [
+            {
+                "name": "apiserver",
+                "protocol": "TCP",
+                "port": {{ pgo_apiserver_port }},
+                "targetPort": {{ pgo_apiserver_port }}
+            },
+	        {
+                "name": "nsqadmin",
+                "protocol": "TCP",
+                "port": 4151,
+                "targetPort": 4151
+            },
+	        {
+                "name": "nsqd",
+                "protocol": "TCP",
+                "port": 4150,
+                "targetPort": 4150
+            }
+	    ],
+        "selector": {
+            "name": "postgres-operator"
+        },
+        "type": "ClusterIP",
+        "sessionAffinity": "None"
+    }
+}

ansible/roles/pgo-operator/templates/service.json.j2

@@ -48,8 +48,19 @@ $PGO_CMD --namespace=$PGO_OPERATOR_NAMESPACE create secret tls pgo.tls --key=$PG
 $PGO_CMD --namespace=$PGO_OPERATOR_NAMESPACE create configmap pgo-config \
 	--from-file=$PGOROOT/conf/postgres-operator
 
+
+#
+# check if custom port value is set, otherwise set default values
+#
+
+if [[ -z ${PGO_APISERVER_PORT} ]]
+then
+        echo "PGO_APISERVER_PORT is not set. Setting to default port value of 8443."
+		export PGO_APISERVER_PORT=8443
+fi
+
 #
 # create the postgres-operator Deployment and Service
 #
 expenv -f $DIR/deployment.json | $PGO_CMD --namespace=$PGO_OPERATOR_NAMESPACE create -f -
-$PGO_CMD --namespace=$PGO_OPERATOR_NAMESPACE create -f $DIR/service.json
+expenv -f $DIR/service.json | $PGO_CMD --namespace=$PGO_OPERATOR_NAMESPACE create -f -

deploy/deploy.sh

@@ -24,7 +24,7 @@
                         "imagePullPolicy": "IfNotPresent",
                         "ports": [
                             {
-                                "containerPort": 8443
+                                "containerPort": $PGO_APISERVER_PORT
                             }
                         ],
                         "env": [
@@ -34,7 +34,7 @@
                             },
                             {
                                 "name": "PORT",
-                                "value": "8443"
+                                "value": "$PGO_APISERVER_PORT"
                             },
                             {
                                 "name": "PGO_INSTALLATION_NAME",
@@ -50,15 +50,15 @@
                             },
                             {
                                 "name": "TLS_NO_VERIFY",
-                                "value": "false"
+                                "value": "$TLS_NO_VERIFY"
                             },
                             {
                                 "name": "DISABLE_TLS",
-                                "value": "false"
+                                "value": "$DISABLE_TLS"
                             },
                             {
                                 "name": "DISABLE_EVENTING",
-                                "value": "false"
+                                "value": "$DISABLE_EVENTING"
                             },
                             {
                                 "name": "EVENT_ADDR",
@@ -112,7 +112,7 @@
                             },
                             {
                                 "name": "DISABLE_EVENTING",
-                                "value": "false"
+                                "value": "$DISABLE_EVENTING"
                             },
                             {
                                 "name": "EVENT_ADDR",

deploy/deployment.json

@@ -12,8 +12,8 @@
 	{
             "name": "apiserver",
             "protocol": "TCP",
-            "port": 8443,
-            "targetPort": 8443
+            "port": $PGO_APISERVER_PORT,
+            "targetPort": $PGO_APISERVER_PORT
         },
 	{
             "name": "nsqadmin",

deploy/service.json

@@ -24,6 +24,15 @@ export PGO_BASEOS=centos7
 export PGO_VERSION=4.1.0
 export PGO_IMAGE_TAG=$PGO_BASEOS-$PGO_VERSION
 
+# for setting the pgo apiserver port, disabling TLS or not verifying TLS
+# if TLS is disabled, ensure setip() function port is updated and http is used in place of https
+export PGO_APISERVER_PORT=8443		# Defaults: 8443 for TLS enabled, 8080 for TLS disabled
+export DISABLE_TLS=false
+export TLS_NO_VERIFY=false
+
+# for disabling the Operator eventing
+export DISABLE_EVENTING=false
+
 # for the pgo CLI to authenticate with using TLS
 export PGO_CA_CERT=$PGOROOT/conf/postgres-operator/server.crt
 export PGO_CLIENT_CERT=$PGOROOT/conf/postgres-operator/server.crt

examples/envs.sh

@@ -137,7 +137,10 @@ The following are the variables available for configuration:
 | `pgo_image_tag`                   |             | Configures the image tag used when creating containers for the Crunchy PostgreSQL Operator (apiserver, operator, scheduler..etc)                                                 |
 | `pgo_operator_namespace`          |             | Set to configure the namespace where Operator will be deployed.                                                                                                                  |
 | `pgo_tls_no_verify`               |             | Set to configure Operator to verify TLS certificates.                                                                                                                            |
-| `pgo_disable_tls`                 | false       | Set to configure whether or not TLS should be enabled for the Crunchy PostgreSQL Operator apiserver.                                                                             |
+| `pgo_disable_tls`                 | false       | Set to configure whether or not TLS should be enabled for the Crunchy PostgreSQL Operator apiserver.                 
+
+| `pgo_apiserver_port`              | 8443        | Set to configure the port used by the Crunchy PostgreSQL Operator apiserver.         
+                                                            |
 | `pgo_disable_eventing`            | false       | Set to configure whether or not eventing should be enabled for the Crunchy PostgreSQL Operator installation.                                                                                                                  |
 | `primary_storage`                 | storageos   | Set to configure which storage definition to use when creating volumes used by PostgreSQL primaries on all newly created clusters.                                               |
 | `prometheus_install`              | true        | Set to true to install Crunchy Prometheus timeseries database.                                                                                                                   |

hugo/content/Installation/install-with-ansible/prerequisites.md

@@ -84,6 +84,7 @@ To configure the environment variables used by `pgo` run the following command:
 
 Note: `<PGO_NAMESPACE>` should be replaced with the namespace the Crunchy PostgreSQL
 Operator was deployed to.
+Also, if TLS was disabled, or if the port was changed, update PGO_APISERVER_URL accordingly.
 
 ```bash
 cat <<EOF >> ~/.bashrc
@@ -114,6 +115,8 @@ kubectl port-forward <OPERATOR_POD_NAME> -n <OPERATOR_NAMESPACE> 8443:8443
 oc port-forward <OPERATOR_POD_NAME> -n <OPERATOR_NAMESPACE> 8443:8443
 ```
 
+Note: If a port other than 8443 was configured, update the above command accordingly.
+
 On a separate terminal verify the `pgo` can communicate with the Crunchy PostgreSQL 
 Operator:
 

hugo/content/Installation/install-with-ansible/updating-operator.md

@@ -315,3 +315,28 @@ following:
 
 This server.key and server.crt can then be used to access the *pgo-apiserver*
 REST API from the pgo CLI on your client host.
+
+Should you desire to alter the default TLS settings for the Postgres Operator, you can set the
+following variables in bash:
+
+To disable TLS and make an unsecured connection on port 8080 instead of connecting securely over
+the default port, 8443, set:
+    
+Bash environment variables    
+
+    DISABLE_TLS=true
+    PGO_APISERVER_PORT=8080		
+
+Or inventory variables if using Ansible
+
+    pgo_disable_tls='false'
+    pgo_apiserver_port=8443
+
+To disable TLS verifcation, set the follwing as a Bash environment variable
+    
+    export TLS_NO_VERIFY=false
+
+Or the following in the inventory file is using Ansible
+
+    pgo_tls_no_verify='false'
+

hugo/content/Security/_index.md

@@ -81,8 +81,11 @@ NSQ looks for events currently at port 4150.  The Operator sends
 events to the NSQ address as defined in the EVENT_ADDR environment
 variable.
 
-If you want to disable eventing, set the following environment
-variable in the Operator Deployment:
+If you want to disable eventing when installing with Bash, set the following 
+environment variable in the Operator Deployment:
     "name": "DISABLE_EVENTING"
     "value": "true"
 
+To disable eventing when installing with Ansible, add the following to 
+your inventory file:
+    pgo_disable_eventing='true'