enable self-signed TLS on reports oauth2proxy
andrewazores committed Nov 22, 2024
1 parent 0e41a22 commit cfb739e
Showing 5 changed files with 77 additions and 2 deletions.
56 changes: 56 additions & 0 deletions charts/cryostat/templates/_reports_authproxy.tpl
Expand Up @@ -45,6 +45,62 @@
readOnly: true
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
{{- else if .Values.oauth2Proxy.tls.selfSigned.enabled }}
- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }}
securityContext:
{{- toYaml (.Values.oauth2Proxy).securityContext | nindent 4 }}
image: "{{ (.Values.oauth2Proxy).image.repository }}:{{ (.Values.oauth2Proxy).image.tag }}"
imagePullPolicy: {{ (.Values.oauth2Proxy).image.pullPolicy }}
env:
- name: OAUTH2_PROXY_CLIENT_ID
value: dummy
- name: OAUTH2_PROXY_CLIENT_SECRET
value: none
- name: OAUTH2_PROXY_HTTP_ADDRESS
value: 0.0.0.0:4180
- name: OAUTH2_PROXY_HTTPS_ADDRESS
value: :8443
- name: OAUTH2_PROXY_TLS_CERT_FILE
value: /etc/tls/private/cert
- name: OAUTH2_PROXY_TLS_KEY_FILE
value: /etc/tls/private/key
- name: OAUTH2_PROXY_UPSTREAMS
value: http://localhost:10001/
- name: OAUTH2_PROXY_REDIRECT_URL
value: "http://localhost:4180/oauth2/callback"
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }}
key: COOKIE_SECRET
optional: false
- name: OAUTH2_PROXY_EMAIL_DOMAINS
value: "*"
- name: OAUTH2_PROXY_HTPASSWD_USER_GROUP
value: write
- name: OAUTH2_PROXY_HTPASSWD_FILE
value: /etc/oauth2_proxy/basicauth/htpasswd
- name: OAUTH2_PROXY_SKIP_AUTH_ROUTES
value: "^/health$"
- name: OAUTH2_PROXY_PROXY_WEBSOCKETS
value: "false"
ports:
- containerPort: 4180
name: http
protocol: TCP
- containerPort: 8443
name: https
protocol: TCP
resources:
{{- toYaml .Values.oauth2Proxy.resources | nindent 4 }}
volumeMounts:
- name: {{ .Release.Name }}-reports-secret
mountPath: /etc/oauth2_proxy/basicauth
readOnly: true
{{- if .Values.oauth2Proxy.tls.selfSigned.enabled }}
- name: {{ .Release.Name }}-oauth2proxy-reports-tls
mountPath: /etc/tls/private
{{- end }}
{{- else }}
- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }}
securityContext:
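Review bot: The TLS volume mount added at `- name: {{ .Release.Name }}-oauth2proxy-reports-tls` / `mountPath: /etc/tls/private` has no `readOnly: true`, unlike the htpasswd mount directly above it; the private key should be mounted read-only (`readOnly: true`). The `{{- if .Values.oauth2Proxy.tls.selfSigned.enabled }}` guard around that mount is redundant inside an `else if` branch on the same condition and can be dropped. Separately, `OAUTH2_PROXY_HTTP_ADDRESS` stays at `0.0.0.0:4180` and the container still publishes the `http` port, so the plaintext listener remains reachable by pod IP even though the Service now targets `https`; binding it to loopback (`value: 127.0.0.1:4180`) or omitting the port in this branch would close that gap. The `define` block that holds this container list starts and ends outside the hunk.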
2 changes: 1 addition & 1 deletion charts/cryostat/templates/cryostat_deployment.yaml
Expand Up @@ -75,7 +75,7 @@ spec:
- name: QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST
value: "false"
- name: QUARKUS_REST_CLIENT_REPORTS_URL
value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (ternary "https" "http" (.Values.authentication.openshift).enabled) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }}
value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (ternary "https" "http" (or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.tls.selfSigned.enabled)) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }}
{{- end }}
- name: QUARKUS_DATASOURCE_USERNAME
value: cryostat
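Review bot: Switching `QUARKUS_REST_CLIENT_REPORTS_URL` to `https` when `oauth2Proxy.tls.selfSigned.enabled` is set does not, within this hunk, give the Cryostat REST client a trust anchor for that self-signed certificate; unless the file configures a trust store or the reports client's verification settings elsewhere, the connection will either fail verification or have to disable it, which reduces TLS to encryption without server authentication. The certificate produced in `reports_tls_secret.yaml` carries only the CN `<fullname>-reports` and no alternate DNS names, while this URL addresses `<fullname>-reports.<namespace>.svc`, so hostname verification would not match even once the cert is trusted. The `env:` list continues outside the hunk.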
4 changes: 4 additions & 0 deletions charts/cryostat/templates/reports_deployment.yaml
Expand Up @@ -83,5 +83,9 @@ spec:
- name: {{ .Release.Name }}-proxy-tls
secret:
secretName: {{ .Release.Name }}-proxy-tls
{{- else if .Values.oauth2Proxy.tls.selfSigned.enabled }}
- name: {{ .Release.Name }}-oauth2proxy-reports-tls
secret:
secretName: {{ .Release.Name }}-oauth2proxy-reports-tls
{{- end }}
{{- end -}}
2 changes: 1 addition & 1 deletion charts/cryostat/templates/reports_service.yaml
Expand Up @@ -11,7 +11,7 @@ spec:
type: {{ .Values.reports.service.type }}
ports:
- port: {{ .Values.reports.service.httpPort }}
targetPort: {{ ternary "https" "http" (.Values.authentication.openshift).enabled }}
targetPort: {{ ternary "https" "http" (or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.tls.selfSigned.enabled) }}
selector:
{{- include "cryostat.selectorLabels" $ | nindent 4 }}
app.kubernetes.io/component: reports
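--- /dev/null
+++ b/charts/cryostat/templates/reports_tls_secret.yaml
@@ -0,0 +1,15 @@
+{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.tls.selfSigned.enabled)) }}
+{{- $fullName := include "cryostat.fullname" . }}
+{{- $cert := genSelfSignedCert (printf "%s-reports" $fullName) nil nil 365 }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-oauth2proxy-reports-tls
+  labels:
+    {{- include "cryostat.labels" $ | nindent 4 }}
+type: Opaque
+immutable: true
+data:
+  cert: {{ $cert.Cert | b64enc }}
+  key: {{ $cert.Key | b64enc }}
+{{- end -}}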
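Review bot: `genSelfSignedCert (printf "%s-reports" $fullName) nil nil 365` produces a fresh key pair on every render, and `immutable: true` on the Secret means a later `helm upgrade` that re-renders this template will try to modify an immutable object and fail; either drop `immutable: true` or reuse the existing Secret via `lookup` before generating a new certificate. The certificate also has only the CN `<fullname>-reports` and no subject alternative names, whereas the reports service is addressed as `<fullname>-reports.<namespace>.svc` in `cryostat_deployment.yaml`, so a verifying client will reject it; pass the service DNS names as the alternate-DNS argument, e.g. `{{- $cert := genSelfSignedCert (printf "%s-reports" $fullName) nil (list (printf "%s-reports" $fullName) (printf "%s-reports.%s.svc" $fullName .Release.Namespace)) 365 }}`. The Secret is named from `.Release.Name` while the CN uses `$fullName`; if those differ the mismatch is easy to miss, so a one-line comment stating which name the volume in `reports_deployment.yaml` expects would help. With a 365-day validity and no rotation path short of reinstalling the release, that limitation is worth a comment at the top of the template as well.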
