humio · SaaldjorMike · Aug 21, 2024 · Aug 19, 2024
@@ -327,6 +327,8 @@ type HumioClusterTLSSpec struct {
 	Enabled *bool `json:"enabled,omitempty"`
 	// CASecretName is used to point to a Kubernetes secret that holds the CA that will be used to issue intra-cluster TLS certificates
 	CASecretName string `json:"caSecretName,omitempty"`
+	// ExtraHostnames holds a list of additional hostnames that will be appended to TLS certificates.
+	ExtraHostnames []string `json:"extraHostnames,omitempty"`
 }
 
 // HumioClusterLicenseSpec points to the optional location of the Humio license

@@ -14754,6 +14754,12 @@ spec:
                       behaviour is to configure TLS if cert-manager is present, otherwise
                       we skip TLS.
                     type: boolean
+                  extraHostnames:
+                    description: ExtraHostnames holds a list of additional hostnames
+                      that will be appended to TLS certificates.
+                    items:
+                      type: string
+                    type: array
                 type: object
               tolerations:
                 description: Tolerations defines the tolerations that will be attached

@@ -14754,6 +14754,12 @@ spec:
                       behaviour is to configure TLS if cert-manager is present, otherwise
                       we skip TLS.
                     type: boolean
+                  extraHostnames:
+                    description: ExtraHostnames holds a list of additional hostnames
+                      that will be appended to TLS certificates.
+                    items:
+                      type: string
+                    type: array
                 type: object
               tolerations:
                 description: Tolerations defines the tolerations that will be attached

@@ -958,17 +958,19 @@ func (r *HumioClusterReconciler) ensureValidCASecret(ctx context.Context, hc *hu
 	}
 
 	r.Log.Info("checking for an existing CA secret")
-	validCASecret, err := validCASecret(ctx, r, hc.Namespace, getCASecretName(hc))
-	if validCASecret {
-		r.Log.Info("found valid CA secret")
+	caSecretIsValid, err := validCASecret(ctx, r, hc.Namespace, getCASecretName(hc))
+	if caSecretIsValid {
+		r.Log.Info("found valid CA secret, nothing more to do")
 		return nil
 	}
-	if err != nil && !k8serrors.IsNotFound(err) {
-		return r.logErrorAndReturn(err, "could not validate CA secret")
-	}
-
+	// CA secret is not valid, return if user specified their own custom CA secret
 	if useExistingCA(hc) {
-		return r.logErrorAndReturn(fmt.Errorf("configured to use existing CA secret, but the CA secret invalid"), "specified CA secret invalid")
+		return r.logErrorAndReturn(fmt.Errorf("configured to use existing CA secret, but the CA secret is invalid or got error when validating, err=%v", err), "specified CA secret invalid")
+	}
+	// CA secret is not valid, and should generate our own if it is not already present
+	if !k8serrors.IsNotFound(err) {
+		// Got error that was not due to the k8s secret not existing
+		return r.logErrorAndReturn(err, "could not validate CA secret")
 	}
 
 	r.Log.Info("generating new CA certificate")

@@ -815,6 +815,10 @@ func (hnp *HumioNodePool) TLSEnabled() bool {
 	return helpers.UseCertManager() && *hnp.tls.Enabled
 }
 
+func (hnp *HumioNodePool) GetTLSSpec() *humiov1alpha1.HumioClusterTLSSpec {
+	return hnp.tls
+}
+
 func (hnp *HumioNodePool) GetProbeScheme() corev1.URIScheme {
 	if !hnp.TLSEnabled() {
 		return corev1.URISchemeHTTP

@@ -64,7 +64,7 @@ func validCASecret(ctx context.Context, k8sclient client.Client, namespace, secr
 	// look up k8s secret
 	secret, err := kubernetes.GetSecret(ctx, k8sclient, secretName, namespace)
 	if err != nil {
-		return false, nil
+		return false, err
 	}
 	keys := []string{"tls.crt", "tls.key"}
 	for _, key := range keys {
@@ -165,7 +165,7 @@ func constructCAIssuer(hc *humiov1alpha1.HumioCluster) cmapi.Issuer {
 }
 
 func constructClusterCACertificateBundle(hc *humiov1alpha1.HumioCluster) cmapi.Certificate {
-	return cmapi.Certificate{
+	certificate := cmapi.Certificate{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: hc.Namespace,
 			Name:      hc.Name,
@@ -183,10 +183,14 @@ func constructClusterCACertificateBundle(hc *humiov1alpha1.HumioCluster) cmapi.C
 			SecretName: hc.Name,
 		},
 	}
+	if hc.Spec.TLS != nil {
+		certificate.Spec.DNSNames = append(certificate.Spec.DNSNames, hc.Spec.TLS.ExtraHostnames...)
+	}
+	return certificate
 }
 
 func ConstructNodeCertificate(hnp *HumioNodePool, nodeSuffix string) cmapi.Certificate {
-	return cmapi.Certificate{
+	certificate := cmapi.Certificate{
 		ObjectMeta: metav1.ObjectMeta{
 			Annotations: map[string]string{},
 			Namespace:   hnp.GetNamespace(),
@@ -200,7 +204,6 @@ func ConstructNodeCertificate(hnp *HumioNodePool, nodeSuffix string) cmapi.Certi
 				fmt.Sprintf("%s.%s", hnp.GetNodePoolName(), hnp.GetNamespace()),                                                                   // Used by ingress controllers to reach the Humio API
 				fmt.Sprintf("%s-headless.%s", hnp.GetClusterName(), hnp.GetNamespace()),                                                           // Used for intra-cluster communication
 				fmt.Sprintf("%s-internal.%s", hnp.GetClusterName(), hnp.GetNamespace()),                                                           // Used by humio-operator to reach the Humio API
-
 			},
 			IssuerRef: cmmeta.ObjectReference{
 				Name: hnp.GetClusterName(),
@@ -219,6 +222,10 @@ func ConstructNodeCertificate(hnp *HumioNodePool, nodeSuffix string) cmapi.Certi
 			},
 		},
 	}
+	if hnp.GetTLSSpec() != nil {
+		certificate.Spec.DNSNames = append(certificate.Spec.DNSNames, hnp.GetTLSSpec().ExtraHostnames...)
+	}
+	return certificate
 }
 
 func GetDesiredCertHash(hnp *HumioNodePool) string {

@@ -19,6 +19,7 @@ package clusters
 import (
 	"context"
 	"fmt"
+	cmapi "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	"os"
 	"reflect"
 	"strings"
@@ -3790,6 +3791,43 @@ var _ = Describe("HumioCluster Controller", func() {
 		})
 	})
 
+	Context("Humio Cluster with additional hostnames for TLS", func() {
+		It("Creating cluster with additional hostnames for TLS", func() {
+			if os.Getenv("TEST_USE_EXISTING_CLUSTER") == "true" {
+				key := types.NamespacedName{
+					Name:      "humiocluster-tls-additional-hostnames",
+					Namespace: testProcessNamespace,
+				}
+				toCreate := suite.ConstructBasicSingleNodeHumioCluster(key, true)
+				toCreate.Spec.TLS = &humiov1alpha1.HumioClusterTLSSpec{
+					Enabled: helpers.BoolPtr(true),
+					ExtraHostnames: []string{
+						"something.additional",
+						"yet.another.something.additional",
+					},
+				}
+
+				suite.UsingClusterBy(key.Name, "Creating the cluster successfully")
+				ctx := context.Background()
+				suite.CreateAndBootstrapCluster(ctx, k8sClient, humioClientForTestSuite, toCreate, true, humiov1alpha1.HumioClusterStateRunning, testTimeout)
+				defer suite.CleanupCluster(ctx, k8sClient, toCreate)
+
+				suite.UsingClusterBy(key.Name, "Confirming certificate objects contain the additional hostnames")
+
+				Eventually(func() ([]cmapi.Certificate, error) {
+					return kubernetes.ListCertificates(ctx, k8sClient, toCreate.Namespace, kubernetes.MatchingLabelsForHumio(toCreate.Name))
+				}, testTimeout, suite.TestInterval).Should(HaveLen(2))
+
+				var certificates []cmapi.Certificate
+				certificates, err = kubernetes.ListCertificates(ctx, k8sClient, toCreate.Namespace, kubernetes.MatchingLabelsForHumio(toCreate.Name))
+				Expect(err).To(Succeed())
+				for _, certificate := range certificates {
+					Expect(certificate.Spec.DNSNames).Should(ContainElements(toCreate.Spec.TLS.ExtraHostnames))
+				}
+			}
+		})
+	})
+
 	Context("Humio Cluster Ingress", func() {
 		It("Should correctly handle ingress when toggling both ESHostname and Hostname on/off", func() {
 			key := types.NamespacedName{