[#1036] allow operator default cert and ca secret names to be overridden

controllers/activemqartemis_controller_cert_manager_test.go

@@ -53,12 +53,10 @@ const (
 )
 
 var (
-	serverCert       = "server-cert"
-	rootIssuer       = &cmv1.ClusterIssuer{}
-	rootCert         = &cmv1.Certificate{}
-	caIssuer         = &cmv1.ClusterIssuer{}
-	caBundleName     = "operator-ca"
-	operatorCertName = "operator-cert"
+	serverCert = "server-cert"
+	rootIssuer = &cmv1.ClusterIssuer{}
+	rootCert   = &cmv1.Certificate{}
+	caIssuer   = &cmv1.ClusterIssuer{}
 )
 
 type ConnectorConfig struct {
@@ -96,13 +94,13 @@ var _ = Describe("artemis controller with cert manager test", Label("controller-
 					SecretName: rootCertSecretName,
 				}
 			})
-			InstallCaBundle(caBundleName, rootCertSecretName, caPemTrustStoreName)
+			InstallCaBundle(common.DefaultOperatorCASecretName, rootCertSecretName, caPemTrustStoreName)
 		}
 	})
 
 	AfterEach(func() {
 		if os.Getenv("USE_EXISTING_CLUSTER") == "true" {
-			UnInstallCaBundle(caBundleName)
+			UnInstallCaBundle(common.DefaultOperatorCASecretName)
 			UninstallClusteredIssuer(caIssuerName)
 			UninstallCert(rootCert.Name, rootCert.Namespace)
 			UninstallClusteredIssuer(rootIssuerName)
@@ -255,7 +253,7 @@ var _ = Describe("artemis controller with cert manager test", Label("controller-
 		})
 		It("test configured with cert and ca bundle", func() {
 			if os.Getenv("USE_EXISTING_CLUSTER") == "true" {
-				testConfiguredWithCertAndBundle(serverCert+"-secret", caBundleName)
+				testConfiguredWithCertAndBundle(serverCert+"-secret", common.DefaultOperatorCASecretName)
 			}
 		})
 		It("test console cert broker status access", Label("console-tls-broker-status-access"), func() {
@@ -1202,7 +1200,7 @@ func testConfiguredWithCertAndBundle(certSecret string, caSecret string) {
 
 	}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
 
-	UninstallCert(operatorCertName, defaultNamespace)
+	UninstallCert(common.DefaultOperatorCertSecretName, defaultNamespace)
 	CleanResource(createdBrokerCr, brokerCr.Name, createdBrokerCr.Namespace)
 
 	By("Deploying the broker cr exposing acceptor ssl and connector ssl")
@@ -1256,7 +1254,7 @@ func testConfiguredWithCertAndBundle(certSecret string, caSecret string) {
 	By("checking the broker message send and receive")
 	Eventually(func(g Gomega) {
 		g.Expect(k8sClient.Get(ctx, crdRef, createdBrokerCr)).Should(Succeed())
-		checkMessagingInPod(pod0Name, createdBrokerCr.Name, "62666", "/etc/"+caBundleName+"-volume/"+caPemTrustStoreName, g)
+		checkMessagingInPod(pod0Name, createdBrokerCr.Name, "62666", "/etc/"+common.DefaultOperatorCASecretName+"-volume/"+caPemTrustStoreName, g)
 	}, existingClusterTimeout, existingClusterInterval).Should(Succeed())
 
 	By("checking connector parameters")
@@ -1267,7 +1265,7 @@ func testConfiguredWithCertAndBundle(certSecret string, caSecret string) {
 		g.Expect(connectorCfg["port"]).To(Equal("62666"))
 		g.Expect(connectorCfg["sslEnabled"]).To(Equal("true"))
 		g.Expect(connectorCfg["host"]).To(Equal(pod0Name))
-		g.Expect(connectorCfg["trustStorePath"]).To(Equal("/etc/" + caBundleName + "-volume/" + caPemTrustStoreName))
+		g.Expect(connectorCfg["trustStorePath"]).To(Equal("/etc/" + common.DefaultOperatorCASecretName + "-volume/" + caPemTrustStoreName))
 		g.Expect(connectorCfg["trustStoreType"]).To(Equal("PEMCA"))
 		g.Expect(connectorCfg["keyStorePath"]).To(Equal("/etc/secret-server-cert-secret-pemcfg/" + certSecret + ".pemcfg"))
 	}, existingClusterTimeout, existingClusterInterval).Should(Succeed())

controllers/controll_plane_test.go

@@ -73,7 +73,7 @@ var _ = Describe("minimal", func() {
 					SecretName: rootCertSecretName,
 				}
 			})
-			InstallCaBundle(caBundleName, rootCertSecretName, caPemTrustStoreName)
+			InstallCaBundle(common.DefaultOperatorCASecretName, rootCertSecretName, caPemTrustStoreName)
 
 		}
 
@@ -82,7 +82,7 @@ var _ = Describe("minimal", func() {
 	AfterEach(func() {
 
 		if false && os.Getenv("USE_EXISTING_CLUSTER") == "true" {
-			UnInstallCaBundle(caBundleName)
+			UnInstallCaBundle(common.DefaultOperatorCASecretName)
 			UninstallClusteredIssuer(caIssuerName)
 			UninstallCert(rootCert.Name, rootCert.Namespace)
 			UninstallClusteredIssuer(rootIssuerName)
@@ -104,8 +104,8 @@ var _ = Describe("minimal", func() {
 			}
 
 			By("installing operator cert")
-			InstallCert("operator-cert", defaultNamespace, func(candidate *cmv1.Certificate) {
-				candidate.Spec.SecretName = "operator-cert"
+			InstallCert(common.DefaultOperatorCertSecretName, defaultNamespace, func(candidate *cmv1.Certificate) {
+				candidate.Spec.SecretName = common.DefaultOperatorCertSecretName
 				candidate.Spec.CommonName = "activemq-artemis-operator"
 				candidate.Spec.IssuerRef = cmmetav1.ObjectReference{
 					Name: caIssuer.Name,
@@ -161,7 +161,7 @@ var _ = Describe("minimal", func() {
 
 			Expect(k8sClient.Delete(ctx, createdCrd)).Should(Succeed())
 
-			UninstallCert("operator-cert", defaultNamespace)
+			UninstallCert(common.DefaultOperatorCertSecretName, defaultNamespace)
 			UninstallCert(sharedOperandCertName, defaultNamespace)
 		})
 	})

docs/help/operator.md

@@ -1048,6 +1048,11 @@ With the possiblity of configuring arbritary jaas login modules directly, the Ar
 ## restricted mode (experimental)
 The CR supports a boolean restricted attribute. For single pod broker deployments this provides an empty broker that is configured through brokerProperties. The broker is secured with PKI, there are no passwords. Cert manager can be used to create the necessary PKI secrets.  The end result is a minimal broker deployment; an embedded broker with an mtls endpoint for the jolokia jvm agent and RBAC that allows just the operator to check the broker status. There is no init container, no jetty and no xml.
 
+## operator PKI
+In order for the operator to be able to use mtls to connect to the broker operand it needs a client certificate and a trust bundle listing the trusted CAs. The user needs to provide these two secrets in the operator namespace; cert manager can be used to create and populate both. If CRs use the restricted flag, these secrets are a prerequisit.
+The default operator cert secret name is `activemq-artemis-manager-cert` and the default operator trust bundle secret name is `activemq-artemis-manager-ca`. 
+If either of these secrets need to be named differently, an enviroment variable can provide the alternative name using key ACTIVEMQ_ARTEMIS_MANAGER_CERT_SECRET_NAME or ACTIVEMQ_ARTEMIS_MANAGER_CA_SECRET_NAME.
+
 ## Locking down a broker deployment
 
 Often when verificiation is complete it is desirable to lock down the broker images and prevent auto upgrades, which will result in a roll out of images and a restart of your broker.

pkg/utils/common/common.go

@@ -66,8 +66,8 @@ const (
 	defaultRetryInterval = 3 * time.Second
 
 	// https://cert-manager.io/docs/trust/trust-manager/#preparing-for-production
-	DefaultOperatorCertSecretName = "operator-cert"
-	DefaultOperatorCASecretName   = "operator-ca"
+	DefaultOperatorCertSecretName = "activemq-artemis-manager-cert"
+	DefaultOperatorCASecretName   = "activemq-artemis-manager-ca"
 	DefaultOperandCertSecretName  = "broker-cert" // or can be prefixed with `cr.Name-`
 )
 
@@ -740,14 +740,14 @@ func GetOperandCertSecretName(cr *brokerv1beta1.ActiveMQArtemis, client rtclient
 
 func GetOperatorCertSecretName() string {
 	if operatorCertSecretName == nil {
-		operatorCertSecretName = fromEnv("OPERATOR_CERT_SECRET_NAME", DefaultOperatorCertSecretName)
+		operatorCertSecretName = fromEnv("ACTIVEMQ_ARTEMIS_MANAGER_CERT_SECRET_NAME", DefaultOperatorCertSecretName)
 	}
 	return *operatorCertSecretName
 }
 
 func GetOperatorCASecretName() string {
 	if operatorCASecretName == nil {
-		operatorCASecretName = fromEnv("OPERATOR_CA_SECRET_NAME", DefaultOperatorCASecretName)
+		operatorCASecretName = fromEnv("ACTIVEMQ_ARTEMIS_MANAGER_CA_SECRET_NAME", DefaultOperatorCASecretName)
 	}
 	return *operatorCASecretName
 }