Support TLS (#30)

README.md

@@ -5,22 +5,42 @@ Scalar Admin for Kubernetes is a tool that creates a paused state for ScalarDB o
 ## Usage of the CLI tool
 
 ```console
-Usage: scalar-admin-for-kubernetes-cli [-h] [-d=<pauseDuration>]
-                                       [-n=<namespace>] -r=<helmReleaseName>
+Usage: scalar-admin-for-kubernetes-cli [-h] [--tls]
+                                       [--ca-root-cert-path=<caRootCertPath>]
+                                       [--ca-root-cert-pem=<caRootCertPem>]
+                                       [-d=<pauseDuration>] [-n=<namespace>]
+                                       [--override-authority=<overrideAuthority>
+                                       ] -r=<helmReleaseName>
                                        [-w=<maxPauseWaitTime>] [-z=<zoneId>]
 Scalar Admin pause tool for the Kubernetes environment
+      --ca-root-cert-path=<caRootCertPath>
+                             A path to a root certificate file for verifying
+                               the server's certificate when wire encryption is
+                               enabled.
+      --ca-root-cert-pem=<caRootCertPem>
+                             A PEM format string of a root certificate for
+                               verifying the server's certificate when wire
+                               encryption is enabled. This option is
+                               prioritized when --ca-root-cert-path is
+                               specified.
   -d, --pause-duration=<pauseDuration>
                              The duration of the pause period by millisecond.
                                5000 (5 seconds) by default.
   -h, --help                 Display the help message.
   -n, --namespace=<namespace>
                              Namespace that Scalar products you want to pause
                                are deployed. `default` by default.
+      --override-authority=<overrideAuthority>
+                             The value to be used as the expected authority in
+                               the server's certificate when wire encryption is
+                               enabled.
   -r, --release-name=<helmReleaseName>
                              Required. The helm release name that you specify
                                when you run the `helm install <RELEASE_NAME>`
                                command. You can see the <RELEASE_NAME> by using
                                the `helm list` command.
+      --tls                  Whether wire encryption (TLS) between scalar-admin
+                               and the target is enabled.
   -w, --max-pause-wait-time=<maxPauseWaitTime>
                              The max wait time (in milliseconds) until Scalar
                                products drain outstanding requests before they

build.gradle

@@ -11,7 +11,7 @@ subprojects {
     project.version = project.findProperty('projVersion') ?: '2.0.0-SNAPSHOT'
 
     ext {
-        scalarAdminVersion = '2.1.2'
+        scalarAdminVersion = '2.2.0'
         guavaVersion = '31.1-jre'
         kubernetesClientVersion = '17.0.2'
         slf4jVersion = '1.7.36'

cli/src/main/java/com/scalar/admin/kubernetes/Cli.java

@@ -2,6 +2,11 @@
 
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.ObjectMapper;
+import java.io.File;
+import java.io.IOException;
+import java.io.UncheckedIOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.Files;
 import java.time.ZoneId;
 import java.util.concurrent.Callable;
 import javax.annotation.Nullable;
@@ -59,6 +64,33 @@ class Cli implements Callable<Integer> {
       defaultValue = "Etc/UTC")
   private ZoneId zoneId;
 
+  @Option(
+      names = {"--tls"},
+      description = "Whether wire encryption (TLS) between scalar-admin and the target is enabled.")
+  private boolean tlsEnabled;
+
+  @Option(
+      names = {"--ca-root-cert-path"},
+      description =
+          "A path to a root certificate file for verifying the server's certificate when wire"
+              + " encryption is enabled.")
+  private String caRootCertPath;
+
+  @Option(
+      names = {"--ca-root-cert-pem"},
+      description =
+          "A PEM format string of a root certificate for verifying the server's certificate when"
+              + " wire encryption is enabled. This option is prioritized when --ca-root-cert-path"
+              + " is specified.")
+  private String caRootCertPem;
+
+  @Option(
+      names = {"--override-authority"},
+      description =
+          "The value to be used as the expected authority in the server's certificate when wire"
+              + " encryption is enabled.")
+  private String overrideAuthority;
+
   @Option(
       names = {"-h", "--help"},
       usageHelp = true,
@@ -76,7 +108,11 @@ public Integer call() {
     Result result = null;
 
     try {
-      Pauser pauser = new Pauser(namespace, helmReleaseName);
+      Pauser pauser =
+          tlsEnabled
+              ? new TlsPauser(namespace, helmReleaseName, getCaRootCert(), overrideAuthority)
+              : new Pauser(namespace, helmReleaseName);
+
       PausedDuration duration = pauser.pause(pauseDuration, maxPauseWaitTime);
 
       result = new Result(namespace, helmReleaseName, duration, zoneId);
@@ -98,4 +134,22 @@ public Integer call() {
 
     return 0;
   }
+
+  private String getCaRootCert() {
+    String caRootCert = null;
+
+    if (caRootCertPem != null) {
+      caRootCert = caRootCertPem.replace("\\n", System.lineSeparator());
+    } else if (caRootCertPath != null) {
+      try {
+        caRootCert =
+            new String(
+                Files.readAllBytes(new File(caRootCertPath).toPath()), StandardCharsets.UTF_8);
+      } catch (IOException e) {
+        throw new UncheckedIOException("Couldn't read the file: " + caRootCertPath, e);
+      }
+    }
+
+    return caRootCert;
+  }
 }

lib/src/main/java/com/scalar/admin/kubernetes/Pauser.java

@@ -84,11 +84,7 @@ public PausedDuration pause(int pauseDuration, @Nullable Long maxPauseWaitTime)
       throw new PauserException("Failed to find the target pods to pause.", e);
     }
 
-    RequestCoordinator coordinator =
-        new RequestCoordinator(
-            target.getPods().stream()
-                .map(p -> new InetSocketAddress(p.getStatus().getPodIP(), target.getAdminPort()))
-                .collect(Collectors.toList()));
+    RequestCoordinator coordinator = getRequestCoordinator(target);
 
     coordinator.pause(true, maxPauseWaitTime);
 
@@ -137,4 +133,11 @@ private void unpauseWithRetry(
       }
     }
   }
+
+  RequestCoordinator getRequestCoordinator(TargetSnapshot target) {
+    return new RequestCoordinator(
+        target.getPods().stream()
+            .map(p -> new InetSocketAddress(p.getStatus().getPodIP(), target.getAdminPort()))
+            .collect(Collectors.toList()));
+  }
 }

lib/src/main/java/com/scalar/admin/kubernetes/TlsPauser.java

@@ -0,0 +1,35 @@
+package com.scalar.admin.kubernetes;
+
+import com.scalar.admin.RequestCoordinator;
+import com.scalar.admin.TlsRequestCoordinator;
+import java.net.InetSocketAddress;
+import java.util.stream.Collectors;
+import javax.annotation.Nullable;
+
+public class TlsPauser extends Pauser {
+
+  private final String caRootCert;
+  private final String overrideAuthority;
+
+  public TlsPauser(
+      String namespace,
+      String helmReleaseName,
+      @Nullable String caRootCert,
+      @Nullable String overrideAuthority)
+      throws PauserException {
+    super(namespace, helmReleaseName);
+
+    this.caRootCert = caRootCert;
+    this.overrideAuthority = overrideAuthority;
+  }
+
+  @Override
+  RequestCoordinator getRequestCoordinator(TargetSnapshot target) {
+    return new TlsRequestCoordinator(
+        target.getPods().stream()
+            .map(p -> new InetSocketAddress(p.getStatus().getPodIP(), target.getAdminPort()))
+            .collect(Collectors.toList()),
+        caRootCert,
+        overrideAuthority);
+  }
+}