Merge branch 'master' into rotateKeys

.github/workflows/mkdocs.yml

@@ -16,6 +16,6 @@ jobs:
         uses: actions/checkout@v1
 
       - name: Deploy docs
-        uses: mhausenblas/mkdocs-deploy-gh-pages@1.12
+        uses: mhausenblas/mkdocs-deploy-gh-pages@1.11
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

cmd/qliksense/preflight.go

@@ -472,42 +472,3 @@ func pfCleanupCmd(q *qliksense.Qliksense) *cobra.Command {
 	f.BoolVarP(&preflightOpts.Verbose, "verbose", "v", false, "verbose mode")
 	return pfCleanCmd
 }
-
-func pfVerifyCAChainCmd(q *qliksense.Qliksense) *cobra.Command {
-	out := ansi.NewColorableStdout()
-	preflightOpts := &preflight.PreflightOptions{
-		MongoOptions: &preflight.MongoOptions{},
-	}
-
-	var pfVerifyCAChainCmd = &cobra.Command{
-		Use:     "verify-ca-chain",
-		Short:   "verify-ca-chain using openssl verify",
-		Long:    `verify the CA chain using openssl verify to ensure that mongodb certificate is valid`,
-		Example: `qliksense preflight verify-ca-chain`,
-		RunE: func(cmd *cobra.Command, args []string) error {
-			qp := &preflight.QliksensePreflight{Q: q, P: preflightOpts, CG: &api.ClientGoUtils{Verbose: preflightOpts.Verbose}}
-
-			// Preflight service check
-			namespace, kubeConfigContents, err := qp.CG.LoadKubeConfigAndNamespace()
-			if err != nil {
-				fmt.Fprintf(out, "%s\n", Red("FAILED"))
-				fmt.Printf("Error: %v\n", err)
-				return nil
-			}
-
-			if namespace == "" {
-				namespace = "default"
-			}
-			if err = qp.VerifyCAChain(kubeConfigContents, namespace, preflightOpts, false); err != nil {
-				fmt.Fprintf(out, "%s\n", Red("FAILED"))
-				fmt.Printf("Error: %v\n", err)
-				return nil
-			}
-			fmt.Fprintf(out, "%s\n", Green("PASSED"))
-			return nil
-		},
-	}
-	f := pfVerifyCAChainCmd.Flags()
-	f.BoolVarP(&preflightOpts.Verbose, "verbose", "v", false, "verbose mode")
-	return pfVerifyCAChainCmd
-}

cmd/qliksense/root.go

@@ -209,7 +209,6 @@ func rootCmd(p *qliksense.Qliksense) *cobra.Command {
 	preflightCmd.AddCommand(pfCreateRoleBindingCheckCmd(p))
 	preflightCmd.AddCommand(pfCreateServiceAccountCheckCmd(p))
 	preflightCmd.AddCommand(pfCreateAuthCheckCmd(p))
-	preflightCmd.AddCommand(pfVerifyCAChainCmd(p))
 	preflightCmd.AddCommand(pfCleanupCmd(p))
 
 	cmd.AddCommand(preflightCmd)

docs/preflight_checks.md

@@ -305,21 +305,3 @@ Removing mongo check components...
 Preflight cleanup complete
 
 ```
-
-### Verify-ca-chain check
-We use the command below to verify the ca certificate chain and server certificate. We run this check over mongodbUrl and discoveryUrl we inferred from idpconfigs in the CR.
-```shell
-$ qliksense preflight preflight verify-ca-chain -v
-
-Preflight verify-ca-chain check... 
------------------------------------ 
-Openssl verify mongodbUrl:
-Mongodb url inferred form CR: <mongodbUrl_from_CR>
-Host: <host extracted from mongodbUrl>
-
-Openssl verify discoveryUrl:
-Discovery url: <discoveryUrl_from_CR>
-Host: <host extracted from discoveryUrl>
-Completed preflight verify-CA-chain check
-PASSED
-```

mkdocs.yml

@@ -1,13 +1,11 @@
 site_name: Qlik Sense on Kubernetes CLI
 repo_url: 'https://github.com/qlik-oss/sense-installer'
 strict: true
-
 theme:
   name: "material"
   palette:
     primary: 'green'
     accent: 'indigo'
-
 markdown_extensions:
   - toc:
       permalink: true
@@ -17,7 +15,6 @@ markdown_extensions:
   - pymdownx.superfences
   - pymdownx.details
   - pymdownx.tabbed
-
 nav:
   - Overview: index.md
   - getting_started.md

pkg/preflight/all_checks.go

@@ -103,16 +103,6 @@ func (qp *QliksensePreflight) RunAllPreflightChecks(kubeConfigContents []byte, n
 	}
 	totalCount++
 
-	// Preflight verify ca chain check
-	if err := qp.VerifyCAChain(kubeConfigContents, namespace, preflightOpts, false); err != nil {
-		fmt.Fprintf(out, "%s\n", Red("FAILED"))
-		fmt.Printf("Error: %v\n\n", err)
-	} else {
-		fmt.Fprintf(out, "%s\n\n", Green("PASSED"))
-		checkCount++
-	}
-	totalCount++
-
 	if checkCount == totalCount {
 		// All preflight checks were successful
 		return nil

pkg/preflight/verify_ca.go

@@ -1,123 +0,0 @@
-package preflight
-
-import (
-	"crypto/tls"
-	"crypto/x509"
-	"encoding/json"
-	"fmt"
-	"net/url"
-	"strings"
-
-	qapi "github.com/qlik-oss/sense-installer/pkg/api"
-)
-
-func (qp *QliksensePreflight) VerifyCAChain(kubeConfigContents []byte, namespace string, preflightOpts *PreflightOptions, cleanup bool) error {
-
-	var currentCR *qapi.QliksenseCR
-	var err error
-	qConfig := qapi.NewQConfig(qp.Q.QliksenseHome)
-	qConfig.SetNamespace(namespace)
-
-	fmt.Print("Preflight verify-ca-chain check... ")
-	qp.CG.LogVerboseMessage("\n----------------------------------- \n")
-
-	currentCR, err = qConfig.GetCurrentCR()
-	if err != nil {
-		qp.CG.LogVerboseMessage("Unable to retrieve current CR: %v\n", err)
-		return err
-	}
-	decryptedCR, err := qConfig.GetDecryptedCr(currentCR)
-	if err != nil {
-		qp.CG.LogVerboseMessage("An error occurred while retrieving mongodbUrl from current CR: %v\n", err)
-		return err
-	}
-
-	// infer ca certs form CR
-	caCertificates := strings.TrimSpace(decryptedCR.Spec.GetFromSecrets("qliksense", "caCertificates"))
-
-	fmt.Println("Openssl verify mongodbUrl:")
-	// infer mongodb url from CR
-	mongodbUrl := strings.TrimSpace(decryptedCR.Spec.GetFromSecrets("qliksense", "mongodbUri"))
-	qp.CG.LogVerboseMessage("Mongodb url inferred form CR: %s\n", mongodbUrl)
-
-	// parse out server and port from mongodb url and execute openssl verify
-	if err := qp.extractCertAndVerify(mongodbUrl, caCertificates); err != nil {
-		return err
-	}
-
-	fmt.Printf("\nOpenssl verify discoveryUrl:\n")
-	// infer idpConfigs form CR
-	idpConfigs := strings.TrimSpace(decryptedCR.Spec.GetFromSecrets("identity-providers", "idpConfigs"))
-
-	data := []map[string]interface{}{}
-	if err := json.Unmarshal([]byte(idpConfigs), &data); err != nil {
-		panic(err)
-	}
-
-	var discoveryUrl string
-	for _, idpData := range data {
-		discoveryUrl = idpData["discoveryUrl"].(string)
-		qp.CG.LogVerboseMessage("Discovery url: %s\n", discoveryUrl)
-	}
-	if err := qp.extractCertAndVerify(discoveryUrl, caCertificates); err != nil {
-		return err
-	}
-
-	qp.CG.LogVerboseMessage("Completed preflight verify-ca-chain check\n")
-	return nil
-}
-
-func (qp *QliksensePreflight) extractCertAndVerify(server string, caCertificates string) error {
-	u, err := url.Parse(server)
-	if err != nil {
-		return fmt.Errorf("unable to parse url: %v", err)
-	}
-
-	switch strings.ToLower(u.Scheme) {
-	case "http":
-		return fmt.Errorf("http url is not supported for this operation")
-	case "https":
-		if u.Port() == "" {
-			u.Host += ":443"
-		}
-	}
-
-	qp.CG.LogVerboseMessage("Host: %s, port: %s\n", u.Host, u.Port())
-	conn, err := tls.Dial("tcp", u.Host, &tls.Config{})
-	qp.CG.LogVerboseMessage("Host: %s\n", u.Host)
-	if err != nil {
-		return fmt.Errorf("failed to connect: " + err.Error())
-	}
-	defer conn.Close()
-
-	// Get the ConnectionState struct as that's the one which gives us x509.Certificate struct
-	x509Certificates := conn.ConnectionState().PeerCertificates
-
-	var serverCert *x509.Certificate
-	if len(x509Certificates) == 0 {
-		return fmt.Errorf("no server certificates retrieved from the server")
-	}
-	// we retrieve and verify the server certificate, we ignore intermediate certificates at this point.
-	for _, x509Cert := range x509Certificates {
-		if !x509Cert.IsCA {
-			serverCert = x509Cert
-			break
-		}
-	}
-	if serverCert == nil {
-		return fmt.Errorf("no valid server certificates retrieved from the server")
-	}
-	roots := x509.NewCertPool()
-	if ok := roots.AppendCertsFromPEM([]byte(caCertificates)); !ok {
-		return fmt.Errorf("failed to parse root certificate.")
-	}
-
-	opts := x509.VerifyOptions{
-		Roots:   roots,
-		DNSName: u.Hostname(),
-	}
-	if _, err := serverCert.Verify(opts); err != nil {
-		return fmt.Errorf("failed to verify certificate: " + err.Error())
-	}
-	return nil
-}