From c5111d710b7d9d5f149065dfb6ce99fd4547c6ca Mon Sep 17 00:00:00 2001
From: Walter Behmann
Date: Fri, 26 Jan 2024 09:30:28 +0100
Subject: [PATCH 1/4] Limit system user login to 10.0.0.0/8

---
 CHANGES.rst | 2 ++
 crate/operator/create.py | 2 ++
 2 files changed, 4 insertions(+)

diff --git a/CHANGES.rst b/CHANGES.rst
index ea0305d0..51aa4c42 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -14,6 +14,8 @@ Unreleased
 * Added the Prometheus annotations to ``grandCentral`` to allow metrics scrapping on it.
+* system user login restricted to 10.0.0.0/8
+
 2.33.0 (2023-11-14)
 -------------------
diff --git a/crate/operator/create.py b/crate/operator/create.py
index 786f8e48..9f729fde 100644
--- a/crate/operator/create.py
+++ b/crate/operator/create.py
@@ -420,6 +420,8 @@ def get_statefulset_crate_command(
 "-Cauth.host_based.config.0.user": "crate",
 "-Cauth.host_based.config.0.address": "_local_",
 "-Cauth.host_based.config.0.method": "trust",
+ "-Cauth.host_based.config.1.user": "system",
+ "-Cauth.host_based.config.1.address": "10.0.0.0/8",
 "-Cauth.host_based.config.99.method": "password",
 "-Cpath.data": ",".join(
 f"/data/data{i}" for i in range(node_spec["resources"]["disk"]["count"])

From 42a8ea476ff6ab8bfd90776026627217ae516313 Mon Sep 17 00:00:00 2001
From: Walter Behmann
Date: Fri, 26 Jan 2024 09:32:24 +0100
Subject: [PATCH 2/4] fixup! Limit system user login to 10.0.0.0/8

---
 CHANGES.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index 51aa4c42..f492c4be 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -14,7 +14,7 @@ Unreleased
 * Added the Prometheus annotations to ``grandCentral`` to allow metrics scrapping on it.
-* system user login restricted to 10.0.0.0/8
+* Restricted system user login to 10.0.0.0/8
 2.33.0 (2023-11-14)

From 24683aa7d0c456f0dc8cf84b0090a10c79d05686 Mon Sep 17 00:00:00 2001
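Review bot: The added entry 1 for `system` carries `user` and `address` but no `method`, whereas the adjacent entry 0 spells out `method: trust`; if CrateDB treats a missing method as `trust` (I cannot confirm the default from here), these two lines open passwordless `system` login from all of 10.0.0.0/8 instead of restricting it. As far as the visible entries show, a `system` connection from outside that range simply does not match entry 1 and falls through to the catch-all entry 99, which still accepts a password, so the "limit" in the commit title is not enforced by this configuration alone. Set the method explicitly, `"-Cauth.host_based.config.1.method": "password",`, and document next to entry 99 that it remains reachable for `system` from other addresses unless a further entry covers that user. The dict literal and get_statefulset_crate_command continue outside the hunk.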
From: Walter Behmann
Date: Fri, 26 Jan 2024 11:11:02 +0100
Subject: [PATCH 3/4] Add CIDR to CRD

---
 crate/operator/config.py | 3 +++
 crate/operator/create.py | 2 +-
 .../crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml | 3 +++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/crate/operator/config.py b/crate/operator/config.py
index 5bb1d216..325517bb 100644
--- a/crate/operator/config.py
+++ b/crate/operator/config.py
@@ -158,6 +158,9 @@ class Config:
 #: backup when restoring a snapshot.
 RESTORE_BACKUP_SECRET_NAME = "restore-from-backup-{name}"
+ #: CIDR the system user is allowed to login from.
+ ALLOWED_SYSTEM_USER_CIDR = "10.0.0.0/8"
+
 def __init__(self, *, prefix: str):
 self._prefix = prefix
diff --git a/crate/operator/create.py b/crate/operator/create.py
index 9f729fde..7a12929f 100644
--- a/crate/operator/create.py
+++ b/crate/operator/create.py
@@ -421,7 +421,7 @@ def get_statefulset_crate_command(
 "-Cauth.host_based.config.0.address": "_local_",
 "-Cauth.host_based.config.0.method": "trust",
 "-Cauth.host_based.config.1.user": "system",
- "-Cauth.host_based.config.1.address": "10.0.0.0/8",
+ "-Cauth.host_based.config.1.address": config.ALLOWED_SYSTEM_USER_CIDR,
 "-Cauth.host_based.config.99.method": "password",
 "-Cpath.data": ",".join(
 f"/data/data{i}" for i in range(node_spec["resources"]["disk"]["count"])
diff --git a/deploy/charts/crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml b/deploy/charts/crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml
index 575073b9..c7277d1b 100644
--- a/deploy/charts/crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml
+++ b/deploy/charts/crate-operator-crds/templates/cratedbs-cloud-crate-io.yaml
@@ -173,6 +173,9 @@ spec:
 items:
 type: string
 type: array
+ allowedSystemUserCIDR:
+ description: Limit system User to specific subnet
+ type: string
 externalDNS:
 description: The external DNS name record that should point to the CrateDB cluster.
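Review bot: `ALLOWED_SYSTEM_USER_CIDR` is a bare string class attribute with no validation, and the same patch interpolates it straight into the `-Cauth.host_based.config.1.address` setting in create.py, so a typo or an empty override would only surface when CrateDB parses its command line. `__init__` takes a `prefix`, which suggests these attributes can be overridden from the environment — the loader is outside the hunk so I cannot confirm — so wherever the value is finally read, parse it once with `ipaddress.ip_network(value)` and let the `ValueError` abort operator startup instead of reaching the database pods. The `#:` comment should also state the assumption behind the default, e.g. `#: CIDR the system user may log in from; defaults to 10.0.0.0/8 on the assumption that the pod/service network lives there.` The Config class continues outside the hunk.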
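Review bot: The new `allowedSystemUserCIDR` field is a free-form `type: string`, yet the value is destined for the CrateDB `auth.host_based` address setting; constrain it at admission with an IPv4 CIDR pattern such as `pattern: '^([0-9]{1,3}\.){3}[0-9]{1,3}/[0-9]{1,2}$'` (extend it for IPv6 or `_local_` only if those are meant to be accepted) so a malformed value is rejected by the API server rather than by a restarted cluster. Within this series nothing reads `spec.allowedSystemUserCIDR`: create.py uses `config.ALLOWED_SYSTEM_USER_CIDR`, an operator-wide value, so unless wiring outside these patches copies the spec field into the command, the CRD field is inert. The description reads as a request rather than a contract; `description: CIDR (for example 10.0.0.0/8) from which the CrateDB "system" user is allowed to log in.` would be clearer. The spec schema continues outside the hunk.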
From 002c552f1f727b310dae33817f3f62c72b876c01 Mon Sep 17 00:00:00 2001
From: Walter Behmann
Date: Fri, 26 Jan 2024 16:36:25 +0100
Subject: [PATCH 4/4] Restart cratedb on change

---
 crate/operator/handlers/handle_update_cratedb.py | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/crate/operator/handlers/handle_update_cratedb.py b/crate/operator/handlers/handle_update_cratedb.py
index 3d45f1ea..f5985ae8 100644
--- a/crate/operator/handlers/handle_update_cratedb.py
+++ b/crate/operator/handlers/handle_update_cratedb.py
@@ -118,6 +118,8 @@ async def update_cratedb(
 do_restart = True
 elif field_path == ("spec", "nodes", "master", "replicas"):
 do_scale = True
+ elif field_path == ("spec", "allowedSystemUserCIDR"):
+ do_restart = True
 elif field_path == ("spec", "nodes", "data"):
 for node_spec_idx in range(len(old_spec)):
 old_spec = old_spec[node_spec_idx]
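Review bot: Setting `do_restart` on a change to `spec.allowedSystemUserCIDR` only has an effect if the StatefulSet command is re-rendered from the new spec value, but in the preceding patch get_statefulset_crate_command takes the address from `config.ALLOWED_SYSTEM_USER_CIDR`, not from the spec; unless wiring outside this series bridges the two, this branch rolls every pod with the unchanged address. The branch also restarts before anything checks that the new value is a parseable network, so a malformed CIDR would take the cluster through a rolling restart and then fail at CrateDB startup rather than be rejected up front. Validate the new value with `ipaddress.ip_network(...)` inside this branch and raise the error type this handler already uses for bad specs — I cannot see which one from here — before setting `do_restart = True`. `update_cratedb` and its `elif` chain continue outside the hunk.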