always on tls

Signed-off-by: Christian Kruse <[email protected]>
skupperproject · Dec 18, 2024 · 8124b69 · 8124b69
1 parent 7132bb7
commit 8124b69
Show file tree

Hide file tree

Showing 13 changed files with 214 additions and 79 deletions.
diff --git a/charts/network-observer/templates/NOTES.txt b/charts/network-observer/templates/NOTES.txt
diff --git a/charts/network-observer/templates/_deployment.yaml b/charts/network-observer/templates/_deployment.yaml
@@ -0,0 +1,59 @@
+{{- define "network-observer.proxyVolumeMounts" -}}
+{{- if not (eq .Values.auth.strategy "openshift") }}
+- name: nginx-config
+  configMap:
+    defaultMode: 420
+    name: {{ include "network-observer.nginxConfigMapName" . }}
+{{- if eq .Values.auth.strategy "basic" }}
+- name: nginx-htpasswd
+  secret:
+    defaultMode: 420
+    secretName: {{ include "network-observer.basicAuthSecretName" . }}
+{{- end }}
+{{- end }}
+{{- end -}}
+
+{{- define "network-observer.nginxProxySpec" -}}
+securityContext:
+  {{- toYaml .Values.securityContext | nindent 4 }}
+image: "{{ .Values.nginx.repository }}:{{ .Values.nginx.tag }}"
+imagePullPolicy: {{ .Values.nginx.pullPolicy }}
+ports:
+  - name: https
+    containerPort: 8443
+    protocol: TCP
+volumeMounts:
+  - mountPath: /etc/certificates/
+    name: {{ include "network-observer.tlsSecretName" . }}
+  - mountPath: /etc/nginx/nginx.conf
+    name: nginx-config
+    subPath: nginx.conf
+{{- if eq .Values.auth.strategy "basic" }}
+  - mountPath: /etc/nginx/.htpasswd
+    name: nginx-htpasswd
+    subPath: htpasswd
+{{- end }}
+{{- end -}}
+
+{{- define "network-observer.openshiftOauthProxySpec" -}}
+securityContext:
+  {{- toYaml .Values.securityContext | nindent 4 }}
+image: "{{ .Values.openshiftOauthProxy.repository }}:{{ .Values.openshiftOauthProxy.tag }}"
+imagePullPolicy: {{ .Values.openshiftOauthProxy.pullPolicy }}
+args:
+  - --https-address=:8443
+  - --provider=openshift
+  - --openshift-service-account={{ (include "network-observer.serviceAccountName" .) }}
+  - --upstream=http://127.0.0.1:8080
+  - -tls-cert=/etc/certificates/tls.crt
+  - -tls-key=/etc/certificates/tls.key
+  - --cookie-secret={{ (randAlphaNum 32 | nospace) }}
+ports:
+  - name: https
+    containerPort: 8443
+    protocol: TCP
+volumeMounts:
+  - mountPath: /etc/certificates/
+    name: {{ include "network-observer.tlsSecretName" . }}
+{{- end -}}
+
diff --git a/charts/network-observer/templates/_helpers.tpl b/charts/network-observer/templates/_helpers.tpl
@@ -57,15 +57,15 @@ app.kubernetes.io/instance: {{ .Release.Name }}
 Create the name of the service account to use
 */}}
 {{- define "network-observer.serviceAccountName" -}}
-{{- if .Values.openshift.oauthProxy.enabled }}
-{{- .Values.openshift.oauthProxy.serviceAccount.nameOverride | default (include "network-observer.fullname" .) }}
+{{- if eq .Values.auth.strategy "openshift" -}}
+{{- .Values.auth.openshift.serviceAccount.nameOverride | default (include "network-observer.fullname" .) }}
 {{- end }}
 {{- end }}
 
 {{/*
 Create the Skupper Certificate Name
 */}}
-{{- define "network-observer.certificateName" -}}
+{{- define "network-observer.routerClientCertificate" -}}
 {{- .Values.router.certificate.nameOverride | default (include "network-observer.fullname" .) }}
 {{- end }}
 
@@ -75,3 +75,12 @@ Create the TLS Secret Name
 {{- define "network-observer.tlsSecretName" -}}
 {{- .Values.tls.secretName | default (printf "%s-cert" (include "network-observer.fullname" .)) }}
 {{- end }}
+{{/*
+Create the nginx configmap name
+*/}}
+{{- define "network-observer.nginxConfigMapName" -}}
+{{- (printf "%s-nginx" (include "network-observer.fullname" .)) }}
+{{- end }}
+{{- define "network-observer.basicAuthSecretName" -}}
+{{- .Values.auth.basic.secretName | default (printf "%s-auth" (include "network-observer.fullname" .)) }}
+{{- end }}
diff --git a/charts/network-observer/templates/basic_auth_secret.yaml b/charts/network-observer/templates/basic_auth_secret.yaml
@@ -0,0 +1,11 @@
+{{- if and (eq .Values.auth.strategy "basic") .Values.auth.basic.create }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "network-observer.basicAuthSecretName" . }}
+  labels:
+    {{- include "network-observer.labels" . | nindent 4 }}
+stringData:
+  htpasswd: |-
+    {{- .Values.auth.basic.htpasswd | nindent 4}}
+{{- end }}
diff --git a/charts/network-observer/templates/deployment.yaml b/charts/network-observer/templates/deployment.yaml
@@ -37,15 +37,12 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
-            - -listen=:8080
+            - -listen=127.0.0.1:8080
+            - -prometheus-api=http://127.0.0.1:9090
             - -router-endpoint={{ .Values.router.endpoint }}
             - -router-tls-ca=/etc/messaging/ca.crt
             - -router-tls-cert=/etc/messaging/tls.crt
             - -router-tls-key=/etc/messaging/tls.key
-            {{- if .Values.tls.enabled }}
-            - -tls-cert=/etc/certificates/tls.crt
-            - -tls-key=/etc/certificates/tls.key
-            {{- end }}
             {{- range .Values.extraArgs }}
             - {{ . }}
             {{- end }}
@@ -58,10 +55,12 @@ spec:
           volumeMounts:
             - mountPath: /etc/messaging/
               name: skupper-management-client
-            {{- if .Values.tls.enabled }}
-            - mountPath: /etc/certificates/
-              name: {{ include "network-observer.tlsSecretName" . }}
-            {{- end }}
+        - name: proxy
+          {{- if eq "openshift" .Values.auth.strategy }}
+          {{- (include "network-observer.openshiftOauthProxySpec" .) | nindent 10 }}
+          {{- else }}
+          {{- (include "network-observer.nginxProxySpec" .) | nindent 10 }}
+          {{- end }}
         - name: prometheus
           securityContext:
             {{- toYaml .Values.prometheus.securityContext | nindent 12 }}
@@ -91,13 +90,12 @@ spec:
       - name: skupper-management-client
         secret:
           defaultMode: 420
-          secretName: {{ include "network-observer.certificateName" . }}
-      {{- if .Values.tls.enabled }}
+          secretName: {{ include "network-observer.routerClientCertificate" . }}
       - name: {{ include "network-observer.tlsSecretName" . }}
         secret:
           defaultMode: 420
           secretName: {{ include "network-observer.tlsSecretName" . }}
-      {{- end }}
+      {{- (include "network-observer.proxyVolumeMounts" .) | nindent 6 }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/network-observer/templates/nginx_config.yaml b/charts/network-observer/templates/nginx_config.yaml
@@ -0,0 +1,39 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "network-observer.nginxConfigMapName" . }}
+  labels:
+    {{- include "network-observer.labels" . | nindent 4 }}
+data:
+  nginx.conf: |
+    worker_processes auto;
+    pid /tmp/nginx.pid;
+    
+    events {}
+    http {
+        ssl_session_cache   shared:SSL:10m;
+        ssl_session_timeout 10m;
+    
+        server {
+            listen              8443 ssl;
+            keepalive_timeout   70;
+    
+            ssl_certificate     /etc/certificates/tls.crt;
+            ssl_certificate_key /etc/certificates/tls.key;
+            ssl_protocols       TLSv1.3;
+            add_header Strict-Transport-Security "max-age=63072000" always;
+            
+            {{- if eq .Values.auth.strategy "basic" }}
+            location /api/ {
+              auth_basic           "Skupper";
+              auth_basic_user_file /etc/nginx/.htpasswd;
+              proxy_pass  http://localhost:8080;
+            }
+            {{- end }}
+            location / {
+              proxy_pass  http://localhost:8080;
+            }
+        }
+    }
+
diff --git a/charts/network-observer/templates/prometheusconfig.yaml b/charts/network-observer/templates/prometheusconfig.yaml
@@ -21,9 +21,3 @@ data:
         enable_http2: true
         static_configs:
           - targets: [ "localhost:8080" ]
-      - job_name: "network-observer-secure"
-        scheme: https
-        follow_redirects: true
-        enable_http2: true
-        static_configs:
-          - targets: [ "localhost:8443" ]
diff --git a/charts/network-observer/templates/route.yaml b/charts/network-observer/templates/route.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.openshift.route.enabled -}}
+{{- if .Values.route.enabled -}}
 ---
 apiVersion: route.openshift.io/v1
 kind: Route
@@ -8,10 +8,10 @@ metadata:
   name: {{ include "network-observer.fullname" . }}
 spec:
   tls:
-    termination: {{ ternary "reencrypt" "edge" .Values.tls.enabled }}
+    termination: "reencrypt"
     insecureEdgeTerminationPolicy: Redirect
   port:
-    targetPort: http
+    targetPort: https
   to:
     kind: Service
     name: {{ include "network-observer.fullname" . }}

diff --git a/charts/network-observer/templates/routeraccess.yaml b/charts/network-observer/templates/routeraccess.yaml
@@ -3,7 +3,7 @@
 apiVersion: skupper.io/v2alpha1
 kind: Certificate
 metadata:
-  name: {{ include "network-observer.certificateName" . }}
+  name: {{ include "network-observer.routerClientCertificate" . }}
   labels:
     {{- include "network-observer.labels" . | nindent 4 }}
 spec:

diff --git a/charts/network-observer/templates/service.yaml b/charts/network-observer/templates/service.yaml
@@ -5,15 +5,15 @@ metadata:
   labels:
     {{- include "network-observer.labels" . | nindent 4 }}
   annotations:
-    {{- if .Values.service.openshiftServiceCA }}
+    {{- if .Values.tls.openshiftIssued }}
     service.beta.openshift.io/serving-cert-secret-name: {{ include "network-observer.tlsSecretName" . }}
     {{- end }}
 spec:
   type: {{ .Values.service.type }}
   ports:
     - port: {{ .Values.service.port }}
-      targetPort: api
+      targetPort: https
       protocol: TCP
-      name: http
+      name: https
   selector:
     {{- include "network-observer.selectorLabels" . | nindent 4 }}
diff --git a/charts/network-observer/templates/service_account.yaml b/charts/network-observer/templates/service_account.yaml
@@ -0,0 +1,10 @@
+{{- if and (eq .Values.auth.strategy "openshift") .Values.auth.openshift.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ (include "network-observer.serviceAccountName" .) }}
+  labels:
+    {{- include "network-observer.labels" . | nindent 4 }}
+  annotations:
+    serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"{{ include "network-observer.fullname" . }}"}}'
+{{- end }}
diff --git a/charts/network-observer/templates/skupper_certificate.yaml b/charts/network-observer/templates/skupper_certificate.yaml
@@ -0,0 +1,14 @@
+{{- if and (not .Values.tls.secretName) .Values.tls.skupperIssued -}}
+apiVersion: skupper.io/v2alpha1
+kind: Certificate
+metadata:
+  name: {{ (include "network-observer.tlsSecretName" .) }}
+  labels:
+    {{- include "network-observer.labels" . | nindent 4 }}
+spec:
+  ca: skupper-local-ca
+  hosts:
+  - {{ include "network-observer.fullname" . }}
+  server: true
+  subject: {{ include "network-observer.fullname" . }}
+{{- end }}