From 8124b6980da40c1699b1f870dc5f420a29a89cbd Mon Sep 17 00:00:00 2001 From: Christian Kruse Date: Tue, 17 Dec 2024 14:46:24 -0800 Subject: [PATCH] always on tls Signed-off-by: Christian Kruse --- charts/network-observer/templates/NOTES.txt | 24 ------ .../templates/_deployment.yaml | 59 ++++++++++++++ .../network-observer/templates/_helpers.tpl | 15 +++- .../templates/basic_auth_secret.yaml | 11 +++ .../templates/deployment.yaml | 22 +++--- .../templates/nginx_config.yaml | 39 +++++++++ .../templates/prometheusconfig.yaml | 6 -- charts/network-observer/templates/route.yaml | 6 +- .../templates/routeraccess.yaml | 2 +- .../network-observer/templates/service.yaml | 6 +- .../templates/service_account.yaml | 10 +++ .../templates/skupper_certificate.yaml | 14 ++++ charts/network-observer/values.yaml | 79 ++++++++++++------- 13 files changed, 214 insertions(+), 79 deletions(-) delete mode 100644 charts/network-observer/templates/NOTES.txt create mode 100644 charts/network-observer/templates/_deployment.yaml create mode 100644 charts/network-observer/templates/basic_auth_secret.yaml create mode 100644 charts/network-observer/templates/nginx_config.yaml create mode 100644 charts/network-observer/templates/service_account.yaml create mode 100644 charts/network-observer/templates/skupper_certificate.yaml diff --git a/charts/network-observer/templates/NOTES.txt b/charts/network-observer/templates/NOTES.txt deleted file mode 100644 index 49da3ea9a..000000000 --- a/charts/network-observer/templates/NOTES.txt +++ /dev/null 
@@ -1,24 +0,0 @@ -Skupper network observer installed. To access the application run the following commands. -{{- if .Values.ingress.enabled }} -{{- range $host := .Values.ingress.hosts }} - {{- range .paths }} - http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }} - {{- end }} -{{- end }} -{{- else if contains "NodePort" .Values.service.type }} - export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "network-observer.fullname" . }}) - export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") - echo http://$NODE_IP:$NODE_PORT -{{- else if contains "LoadBalancer" .Values.service.type }} - NOTE: It may take a few minutes for the LoadBalancer IP to be available. - You can watch its status by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "network-observer.fullname" . }}' - export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "network-observer.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") - echo http://$SERVICE_IP:{{ .Values.service.port }} -{{- else if contains "ClusterIP" .Values.service.type }} - export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "network-observer.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") - export CONTAINER_PORT=$(kubectl get pod --namespace {{ .Release.Namespace }} $POD_NAME -o jsonpath="{.spec.containers[0].ports[0].containerPort}") - echo "Visit http://127.0.0.1:8080 to use your application" - kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:$CONTAINER_PORT -{{- else if .Values.openshift.route.enabled }} - oc get route --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "network-observer.name" . 
}},app.kubernetes.io/instance={{ .Release.Name }}" -{{- end }} diff --git a/charts/network-observer/templates/_deployment.yaml b/charts/network-observer/templates/_deployment.yaml new file mode 100644 index 000000000..bf1833e11 --- /dev/null +++ b/charts/network-observer/templates/_deployment.yaml 
@@ -0,0 +1,59 @@ +{{- define "network-observer.proxyVolumeMounts" -}} +{{- if not (eq .Values.auth.strategy "openshift") }} +- name: nginx-config + configMap: + defaultMode: 420 + name: {{ include "network-observer.nginxConfigMapName" . }} +{{- if eq .Values.auth.strategy "basic" }} +- name: nginx-htpasswd + secret: + defaultMode: 420 + secretName: {{ include "network-observer.basicAuthSecretName" . }} +{{- end }} +{{- end }} +{{- end -}} + +{{- define "network-observer.nginxProxySpec" -}} +securityContext: + {{- toYaml .Values.securityContext | nindent 4 }} +image: "{{ .Values.nginx.repository }}:{{ .Values.nginx.tag }}" +imagePullPolicy: {{ .Values.nginx.pullPolicy }} +ports: + - name: https + containerPort: 8443 + protocol: TCP +volumeMounts: + - mountPath: /etc/certificates/ + name: {{ include "network-observer.tlsSecretName" . }} + - mountPath: /etc/nginx/nginx.conf + name: nginx-config + subPath: nginx.conf +{{- if eq .Values.auth.strategy "basic" }} + - mountPath: /etc/nginx/.htpasswd + name: nginx-htpasswd + subPath: htpasswd +{{- end }} +{{- end -}} + +{{- define "network-observer.openshiftOauthProxySpec" -}} +securityContext: + {{- toYaml .Values.securityContext | nindent 4 }} +image: "{{ .Values.openshiftOauthProxy.repository }}:{{ .Values.openshiftOauthProxy.tag }}" +imagePullPolicy: {{ .Values.openshiftOauthProxy.pullPolicy }} +args: + - --https-address=:8443 + - --provider=openshift + - --openshift-service-account={{ (include "network-observer.serviceAccountName" .) }} + - --upstream=http://127.0.0.1:8080 + - -tls-cert=/etc/certificates/tls.crt + - -tls-key=/etc/certificates/tls.key + - --cookie-secret={{ (randAlphaNum 32 | nospace) }} +ports: + - name: https + containerPort: 8443 + protocol: TCP +volumeMounts: + - mountPath: /etc/certificates/ + name: {{ include "network-observer.tlsSecretName" . }} +{{- end -}} + 
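Review bot: `--cookie-secret={{ (randAlphaNum 32 | nospace) }}` in `network-observer.openshiftOauthProxySpec` places the session-signing secret in the pod spec, where anyone who can read or describe pods in the namespace sees it, and the value is re-rolled on every render, so each `helm upgrade` restarts the deployment and invalidates every active session. Keep the value in a Secret instead and point the proxy at it with `--cookie-secret-file`, mounting that Secret next to the TLS certificate. The arg list also mixes `--tls-cert`-style and `-tls-key`-style flags; one form reads better. `network-observer.proxyVolumeMounts` emits `volumes` entries (a configMap and a secret), not `volumeMounts`, so `network-observer.proxyVolumes` would describe what deployment.yaml includes it under.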
diff --git a/charts/network-observer/templates/_helpers.tpl b/charts/network-observer/templates/_helpers.tpl index de9e73dcb..89b8079ec 100644 --- a/charts/network-observer/templates/_helpers.tpl +++ b/charts/network-observer/templates/_helpers.tpl @@ -57,15 +57,15 @@ app.kubernetes.io/instance: {{ .Release.Name }} Create the name of the service account to use */}} {{- define "network-observer.serviceAccountName" -}} -{{- if .Values.openshift.oauthProxy.enabled }} -{{- .Values.openshift.oauthProxy.serviceAccount.nameOverride | default (include "network-observer.fullname" .) }} +{{- if eq .Values.auth.strategy "openshift" -}} +{{- .Values.auth.openshift.serviceAccount.nameOverride | default (include "network-observer.fullname" .) }} {{- end }} {{- end }} {{/* Create the Skupper Certificate Name */}} -{{- define "network-observer.certificateName" -}} +{{- define "network-observer.routerClientCertificate" -}} {{- .Values.router.certificate.nameOverride | default (include "network-observer.fullname" .) }} {{- end }} @@ -75,3 +75,12 @@ Create the TLS Secret Name {{- define "network-observer.tlsSecretName" -}} {{- .Values.tls.secretName | default (printf "%s-cert" (include "network-observer.fullname" .)) }} {{- end }} +{{/* +Create the nginx configmap name +*/}} +{{- define "network-observer.nginxConfigMapName" -}} +{{- (printf "%s-nginx" (include "network-observer.fullname" .)) }} +{{- end }} +{{- define "network-observer.basicAuthSecretName" -}} +{{- .Values.auth.basic.secretName | default (printf "%s-auth" (include "network-observer.fullname" .)) }} +{{- end }} diff --git a/charts/network-observer/templates/basic_auth_secret.yaml b/charts/network-observer/templates/basic_auth_secret.yaml new file mode 100644 index 000000000..087feaf88 --- /dev/null +++ b/charts/network-observer/templates/basic_auth_secret.yaml 
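Review bot: `network-observer.basicAuthSecretName` is the only helper added to `_helpers.tpl` without a `{{/* ... */}}` header, unlike `network-observer.nginxConfigMapName` directly above it and the existing helpers in the file. Add `{{/* Create the basic auth Secret name; honours auth.basic.secretName when set */}}` before its `define`. In the `serviceAccountName` hunk the helper now renders an empty string whenever `auth.strategy` is not `openshift`; if callers rely on that (the deployment's `serviceAccountName` line is outside these hunks), a one-line comment saying so would spare the next reader the check.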
@@ -0,0 +1,11 @@ +{{- if and (eq .Values.auth.strategy "basic") .Values.auth.basic.create }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "network-observer.basicAuthSecretName" . }} + labels: + {{- include "network-observer.labels" . | nindent 4 }} +stringData: + htpasswd: |- + {{- .Values.auth.basic.htpasswd | nindent 4}} +{{- end }} diff --git a/charts/network-observer/templates/deployment.yaml b/charts/network-observer/templates/deployment.yaml index 9e6a94e2b..e7de3af68 100644 --- a/charts/network-observer/templates/deployment.yaml +++ b/charts/network-observer/templates/deployment.yaml @@ -37,15 +37,12 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} args: - - -listen=:8080 + - -listen=127.0.0.1:8080 + - -prometheus-api=http://127.0.0.1:9090 - -router-endpoint={{ .Values.router.endpoint }} - -router-tls-ca=/etc/messaging/ca.crt - -router-tls-cert=/etc/messaging/tls.crt - -router-tls-key=/etc/messaging/tls.key - {{- if .Values.tls.enabled }} - - -tls-cert=/etc/certificates/tls.crt - - -tls-key=/etc/certificates/tls.key - {{- end }} {{- range .Values.extraArgs }} - {{ . }} {{- end }} @@ -58,10 +55,12 @@ spec: volumeMounts: - mountPath: /etc/messaging/ name: skupper-management-client - {{- if .Values.tls.enabled }} - - mountPath: /etc/certificates/ - name: {{ include "network-observer.tlsSecretName" . }} - {{- end }} + - name: proxy + {{- if eq "openshift" .Values.auth.strategy }} + {{- (include "network-observer.openshiftOauthProxySpec" .) | nindent 10 }} + {{- else }} + {{- (include "network-observer.nginxProxySpec" .) | nindent 10 }} + {{- end }} - name: prometheus securityContext: {{- toYaml .Values.prometheus.securityContext | nindent 12 }} 
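Review bot: `-listen=127.0.0.1:8080` in deployment.yaml binds the network-observer container to loopback only, so any kubelet liveness or readiness probe aimed at that port (the probe definitions, if present, sit outside this hunk) will fail, because the kubelet connects through the pod IP; such probes need to move to the proxy container's `https` port or become exec probes. The same applies to the prometheus container: if it still binds `0.0.0.0:9090` (its args are not in the hunk), the pod IP exposes the unauthenticated Prometheus API beside the proxy and undercuts the loopback binding; `--web.listen-address=127.0.0.1:9090` keeps it behind the proxy too. The new `proxy` container reuses the observer's `securityContext` but sets no `resources`; a `nginx.resources`/`openshiftOauthProxy.resources` value would let operators bound it like the other containers.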
@@ -91,13 +90,12 @@ spec: - name: skupper-management-client secret: defaultMode: 420 - secretName: {{ include "network-observer.certificateName" . }} - {{- if .Values.tls.enabled }} + secretName: {{ include "network-observer.routerClientCertificate" . }} - name: {{ include "network-observer.tlsSecretName" . }} secret: defaultMode: 420 secretName: {{ include "network-observer.tlsSecretName" . }} - {{- end }} + {{- (include "network-observer.proxyVolumeMounts" .) | nindent 6 }} {{- with .Values.nodeSelector }} nodeSelector: {{- toYaml . | nindent 8 }} diff --git a/charts/network-observer/templates/nginx_config.yaml b/charts/network-observer/templates/nginx_config.yaml new file mode 100644 index 000000000..a67bd5974 --- /dev/null +++ b/charts/network-observer/templates/nginx_config.yaml @@ -0,0 +1,39 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "network-observer.nginxConfigMapName" . }} + labels: + {{- include "network-observer.labels" . | nindent 4 }} +data: + nginx.conf: | + worker_processes auto; + pid /tmp/nginx.pid; + + events {} + http { + ssl_session_cache shared:SSL:10m; + ssl_session_timeout 10m; + + server { + listen 8443 ssl; + keepalive_timeout 70; + + ssl_certificate /etc/certificates/tls.crt; + ssl_certificate_key /etc/certificates/tls.key; + ssl_protocols TLSv1.3; + add_header Strict-Transport-Security "max-age=63072000" always; + + {{- if eq .Values.auth.strategy "basic" }} + location /api/ { + auth_basic "Skupper"; + auth_basic_user_file /etc/nginx/.htpasswd; + proxy_pass http://localhost:8080; + } + {{- end }} + location / { + proxy_pass http://localhost:8080; + } + } + } + diff --git a/charts/network-observer/templates/prometheusconfig.yaml b/charts/network-observer/templates/prometheusconfig.yaml index fc50ba772..c52eb33c6 100644 --- a/charts/network-observer/templates/prometheusconfig.yaml +++ b/charts/network-observer/templates/prometheusconfig.yaml 
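Review bot: In nginx_config.yaml `auth_basic` guards only `location /api/`, while `location /` proxies everything else to `localhost:8080` without credentials, so any backend path outside `/api/` (health, metrics or future endpoints — not visible from this hunk) is reachable through the TLS endpoint unauthenticated. Moving `auth_basic "Skupper";` and `auth_basic_user_file /etc/nginx/.htpasswd;` up to the `server` block and exempting only the paths that must be public with `auth_basic off;` fails closed when the backend grows. Neither `proxy_pass` location sets `proxy_set_header Host`/`X-Forwarded-Proto`, so the observer cannot tell it sits behind TLS if it ever builds absolute URLs or redirects. In the deployment.yaml hunk `network-observer.proxyVolumeMounts` is included under `volumes:`, which is what the helper actually emits; `proxyVolumes` would be the accurate name.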
@@ -21,9 +21,3 @@ data: enable_http2: true static_configs: - targets: [ "localhost:8080" ] - - job_name: "network-observer-secure" - scheme: https - follow_redirects: true - enable_http2: true - static_configs: - - targets: [ "localhost:8443" ] diff --git a/charts/network-observer/templates/route.yaml b/charts/network-observer/templates/route.yaml index 0ccadbd8a..020b43416 100644 --- a/charts/network-observer/templates/route.yaml +++ b/charts/network-observer/templates/route.yaml @@ -1,4 +1,4 @@ -{{- if .Values.openshift.route.enabled -}} +{{- if .Values.route.enabled -}} --- apiVersion: route.openshift.io/v1 kind: Route @@ -8,10 +8,10 @@ metadata: name: {{ include "network-observer.fullname" . }} spec: tls: - termination: {{ ternary "reencrypt" "edge" .Values.tls.enabled }} + termination: "reencrypt" insecureEdgeTerminationPolicy: Redirect port: - targetPort: http + targetPort: https to: kind: Service name: {{ include "network-observer.fullname" . }} diff --git a/charts/network-observer/templates/routeraccess.yaml b/charts/network-observer/templates/routeraccess.yaml index 50292684f..a2e1cbee4 100644 --- a/charts/network-observer/templates/routeraccess.yaml +++ b/charts/network-observer/templates/routeraccess.yaml @@ -3,7 +3,7 @@ apiVersion: skupper.io/v2alpha1 kind: Certificate metadata: - name: {{ include "network-observer.certificateName" . }} + name: {{ include "network-observer.routerClientCertificate" . }} labels: {{- include "network-observer.labels" . | nindent 4 }} spec: diff --git a/charts/network-observer/templates/service.yaml b/charts/network-observer/templates/service.yaml index f32e94287..0d7b8649b 100644 --- a/charts/network-observer/templates/service.yaml +++ b/charts/network-observer/templates/service.yaml 
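Review bot: `termination: "reencrypt"` in route.yaml makes the OpenShift router validate the backend certificate, and with the chart defaults of `tls.skupperIssued: true` and `tls.openshiftIssued: false` that certificate is signed by `skupper-local-ca`, which the router does not trust unless the Route carries `spec.tls.destinationCACertificate`; in that configuration the route will answer 503 instead of connecting. Either gate `route.enabled` on `tls.openshiftIssued` (service-serving certificates are trusted by the router automatically) or add a `route.destinationCACertificate` value rendered into `spec.tls` for skupper- or user-issued certificates, and document the requirement in the `route` block of values.yaml.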
@@ -5,15 +5,15 @@ metadata: labels: {{- include "network-observer.labels" . | nindent 4 }} annotations: - {{- if .Values.service.openshiftServiceCA }} + {{- if .Values.tls.openshiftIssued }} service.beta.openshift.io/serving-cert-secret-name: {{ include "network-observer.tlsSecretName" . }} {{- end }} spec: type: {{ .Values.service.type }} ports: - port: {{ .Values.service.port }} - targetPort: api + targetPort: https protocol: TCP - name: http + name: https selector: {{- include "network-observer.selectorLabels" . | nindent 4 }} diff --git a/charts/network-observer/templates/service_account.yaml b/charts/network-observer/templates/service_account.yaml new file mode 100644 index 000000000..b4db716b2 --- /dev/null +++ b/charts/network-observer/templates/service_account.yaml @@ -0,0 +1,10 @@ +{{- if and (eq .Values.auth.strategy "openshift") .Values.auth.openshift.serviceAccount.create -}} +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ (include "network-observer.serviceAccountName" .) }} + labels: + {{- include "network-observer.labels" . | nindent 4 }} + annotations: + serviceaccounts.openshift.io/oauth-redirectreference.primary: '{"kind":"OAuthRedirectReference","apiVersion":"v1","reference":{"kind":"Route","name":"{{ include "network-observer.fullname" . }}"}}' +{{- end }} diff --git a/charts/network-observer/templates/skupper_certificate.yaml b/charts/network-observer/templates/skupper_certificate.yaml new file mode 100644 index 000000000..d860b4d66 --- /dev/null +++ b/charts/network-observer/templates/skupper_certificate.yaml 
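Review bot: The `serviceaccounts.openshift.io/oauth-redirectreference.primary` annotation in service_account.yaml references a Route named `{{ include "network-observer.fullname" . }}` unconditionally, but that Route is only rendered when `route.enabled` is true (route.yaml); with `auth.strategy: openshift` and the route disabled the redirect reference dangles and logins through the proxy fail. Gate the annotation on `.Values.route.enabled`, or `{{- fail "auth.strategy=openshift requires route.enabled=true" }}` in the template, so the misconfiguration surfaces at install time rather than at first login. The oauth-proxy also needs its service account permitted to perform token and subject access reviews; if the chart does not bind a ClusterRole for that (not visible here), logins fail the same way.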
@@ -0,0 +1,14 @@ +{{- if and (not .Values.tls.secretName) .Values.tls.skupperIssued -}} +apiVersion: skupper.io/v2alpha1 +kind: Certificate +metadata: + name: {{ (include "network-observer.tlsSecretName" .) }} + labels: + {{- include "network-observer.labels" . | nindent 4 }} +spec: + ca: skupper-local-ca + hosts: + - {{ include "network-observer.fullname" . }} + server: true + subject: {{ include "network-observer.fullname" . }} +{{- end }} diff --git a/charts/network-observer/values.yaml b/charts/network-observer/values.yaml index 76a04e839..c094288a0 100644 --- a/charts/network-observer/values.yaml +++ b/charts/network-observer/values.yaml 
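Review bot: The guard `{{- if and (not .Values.tls.secretName) .Values.tls.skupperIssued -}}` in skupper_certificate.yaml ignores `tls.openshiftIssued`; when both flags are true the Skupper `Certificate` and the serving-cert annotation in service.yaml both target the secret named by `network-observer.tlsSecretName` and overwrite each other. Extend it to `{{- if and (not .Values.tls.secretName) .Values.tls.skupperIssued (not .Values.tls.openshiftIssued) -}}`, or `fail` when both are set. `hosts:` lists only the short service name, so clients that reach the service as `<fullname>.<namespace>.svc` (the OpenShift router, cross-namespace callers) will see a SAN mismatch unless the namespaced forms are added, e.g. `- {{ include "network-observer.fullname" . }}.{{ .Release.Namespace }}.svc`. A `{{/* ... */}}` comment stating when this resource is rendered would help readers of the template set.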
@@ -14,31 +14,67 @@ image: # Overrides the image tag whose default is the chart appVersion. tag: "" +# prometheus configures the promehteus container image +prometheus: + repository: "docker.io/prom/prometheus" + pullPolicy: IfNotPresent + tag: "v3.0.1" + securityContext: + runAsNonRoot: true + +# nginx configuration for reverse proxy (excluding openshift auth) +nginx: + repository: "docker.io/nginxinc/nginx-unprivileged" + tag: "1.27.3-alpine" + pullPolicy: IfNotPresent + +# openshift oauth proxy configuration when auth strategy is openshift +openshiftOauthProxy: + repository: "quay.io/openshift/origin-oauth-proxy" + tag: "4.14.0" + pullPolicy: IfNotPresent + # extraArgs to pass to the network-observer container extraArgs: # - -enable-console=false # - -flow-record-ttl=10m +# router configuration establishes the point at which the network observer attaches to the skupper network router: endpoint: "amqps://skupper-router-local" certificate: create: true nameOverride: "" - # + # This block configures the network-observer http service with TLS tls: - enabled: false + # secretName set to the secret containing the TLS certificate and key secretName: "" + # openshiftIssued - configure annotations so that openshift will issue a + # certificate + openshiftIssued: false + # skupperIssued configures the network-observer with a TLS certificate issued + # by the skupper controller using the same mechanisim used to provision + # certificates for linking sites. 
+ skupperIssued: true + + +# This block configures authentication strategies +auth: + # strategy is one of none, basic, or openshift + strategy: "basic" + basic: + create: true + secretName: "" + htpasswd: | + # skupper: skupper + skupper:$2y$05$Fz95zqZnAapAe5BqmRjx3.vCOzepI6h/UCdDQfP5cdsLoaef2HMaq + openshift: + # Service account for openshift auth + serviceAccount: + create: true + nameOverride: "" -prometheus: - repository: "docker.io/prom/prometheus" - pullPolicy: IfNotPresent - tag: "v3.0.1" - securityContext: - runAsUser: 65534 - runAsNonRoot: true - runAsGroup: 65534 - fsGroup: 65534 # This is for setting Kubernetes Annotations to a Pod. podAnnotations: {} @@ -64,9 +100,7 @@ service: # This sets the service type type: ClusterIP # Port exposed by the service - port: 80 - # Openshift Service CA - include service certificate annotation - openshiftServiceCA: false + port: 443 # This block is for setting up the ingress for more information can be found here: https://kubernetes.io/docs/concepts/services-networking/ingress/ ingress: @@ -85,19 +119,10 @@ ingress: # hosts: # - chart-example.local -# Openshift specific configuration block -openshift: - # This block is for configuring an route to expose the network observer - route: - enabled: false - # This block is for configuring an oauth proxy to authenticate users - # accessing the network observer HTTP service - oauthProxy: - enabled: false - # Service account overrides - serviceAccount: - create: true - nameOverride: "" +# This block is for configuring an openshift route to expose the network +# observer +route: + enabled: false resources: {} # limits:
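Review bot: `auth.basic.htpasswd` ships a default `skupper:skupper` bcrypt entry and `auth.strategy` defaults to `basic`, so every install that does not override it is protected by a credential published in the chart, and the nginx proxy puts `/api/` behind a password anyone can read from values.yaml. Default `htpasswd: ""` and render the Secret with `{{ required "auth.basic.htpasswd must be set when auth.basic.create is true" .Values.auth.basic.htpasswd }}` so an install without a real credential fails instead of silently shipping the known one. Two typos in the new comments: `promehteus` should be `prometheus` and `mechanisim` should be `mechanism`. The prometheus `securityContext` also drops `runAsUser`/`runAsGroup`/`fsGroup: 65534` and keeps only `runAsNonRoot: true`; if the image relies on a writable data volume this changes file ownership on upgrade, so confirm that is intended and note it in the comment above the block.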