Enabled internal TLS between k8s pods by default
jk464 committed May 20, 2024
1 parent 496fc58 commit 0e8bc77
Showing 15 changed files with 416 additions and 18 deletions.
11 changes: 11 additions & 0 deletions .circleci/config.yml
Expand Up @@ -34,6 +34,17 @@ jobs:
- run:
name: Create new K8s cluster
command: minikube start --vm-driver=docker --memory 8192 --cpus 4 --kubernetes-version=<< parameters.kubernetes-version >>
- run:
name: Setup cert-manager
command: |
helm repo add jetstack https://charts.jetstack.io --force-update
helm repo update
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.crds.yaml
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.14.5
- run:
name: Update stackstorm-ha chart dependencies
command: helm dependency update
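Review bot: The `helm install` in the new "Setup cert-manager" step returns as soon as the release is recorded, not when cert-manager's webhook is serving, so the chart install that follows may fail at admission of the new Issuer and Certificate resources with a webhook connection error; the identical step in .github/workflows/e2e.yaml has the same gap. Appending `--wait` to the `helm install` (or adding `kubectl wait --for=condition=Available deployment/cert-manager-webhook -n cert-manager --timeout=120s` as the next line) closes the race. The chart version and the CRD download URL are both pinned to v1.14.5, which is good; if the block stays duplicated across the two CI files, a short comment such as `# keep in sync with .github/workflows/e2e.yaml` above the step helps the next bump.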
11 changes: 11 additions & 0 deletions .github/workflows/e2e.yaml
Expand Up @@ -39,6 +39,17 @@ jobs:
with:
k3s-channel: ${{ matrix.k3s-channel }}

- name: Setup cert-manager
run: |
helm repo add jetstack https://charts.jetstack.io --force-update
helm repo update
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.crds.yaml
helm install \
cert-manager jetstack/cert-manager \
--namespace cert-manager \
--create-namespace \
--version v1.14.5
- name: Update stackstorm-ha chart dependencies
run: |
set -x
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -2,6 +2,7 @@

## Development
* Updated our tests/unit to support newer versions of `unittests` - for now bumping to `v0.4.4` as `v0.5.0` has a bug that impacts us (see helm-unittest/helm-unittest#329), but testing around the bug shows `v0.5.x` should also "just work" (#414) (by @jk464)
* Enable the use of TLS between all internal components (aside from Redis), and enable it by default (#401) (by @jk464)

## v1.1.0
* Fix syntax with ensure-packs-volumes-are-writable job (#403, #411) (by @skiedude)
2 changes: 1 addition & 1 deletion Chart.yaml
Expand Up @@ -33,7 +33,7 @@ dependencies:
repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
condition: rabbitmq.enabled
- name: mongodb
version: 10.0.1
version: 13.18.5
repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
condition: mongodb.enabled
- name: external-dns
53 changes: 52 additions & 1 deletion templates/_helpers.tpl
Expand Up @@ -199,7 +199,7 @@ Reduce duplication of the st2.*.conf volume details

{{- define "stackstorm-ha.init-containers-wait-for-db" -}}
{{- if index .Values "mongodb" "enabled" }}
{{- $mongodb_port := (int (index .Values "mongodb" "service" "port")) }}
{{- $mongodb_port := (int (index .Values "mongodb" "service" "ports" "mongodb")) }}
- name: wait-for-db
image: {{ template "stackstorm-ha.utilityImage" . }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
Expand Down Expand Up @@ -422,3 +422,54 @@ Create the custom env list for each deployment
value: {{ $value | quote }}
{{- end }}
{{- end -}}

{{/*
Generate CA
*/}}
{{- define "stackstorm-ha.internal_tls.ca" }}
data:
{{- if (default false ((($.Values.secret).ca))) }}
tls.crt: "{{ .Values.secret.ca.crt }}"
tls.key: "{{ .Values.secret.ca.key }}"
{{- else }}
{{- $ca := genCA "StackStorm CA" 365 }}
tls.crt: "{{ $ca.Cert | b64enc}}"
tls.key: "{{ $ca.Key | b64enc}}"
{{- end -}}
{{- end -}}

{{/*
Set up values for Internal TLS
*/}}
{{- define "stackstorm-ha.internal_tls.cert_volume.mount" -}}
{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
- name: {{ .Values.st2.tls.secretName }}
mountPath: {{ .Values.st2.tls.mountPath }}/
readOnly: true
{{- end }}
{{- end -}}
{{- define "stackstorm-ha.internal_tls.cert_volume.volume" -}}
{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
- name: {{ .Values.st2.tls.secretName }}
secret:
secretName: {{ .Values.st2.tls.secretName }}
{{- end }}
{{- end -}}

{{/*
Define st2web ports
*/}}
{{- define "stackstorm-ha.st2web.http_port" -}}
{{- if ne (default 0 ((($.Values.st2web.securityContext).runAsUser) | int)) 0 -}}
8080
{{- else -}}
80
{{- end -}}
{{- end -}}
{{- define "stackstorm-ha.st2web.https_port" -}}
{{- if ne (default 0 ((($.Values.st2web.securityContext).runAsUser) | int)) 0 -}}
8443
{{- else -}}
443
{{- end -}}
{{- end -}}
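Review bot: `stackstorm-ha.internal_tls.ca` calls `genCA "StackStorm CA" 365` on every render, so each `helm upgrade` that does not supply `secret.ca` mints a new CA and overwrites the `-tls` Secret that the Issuer in templates/ca.yaml reads; leaf certificates already issued are then signed by a CA the Issuer no longer holds, and any peer still trusting the previous `ca.crt` fails verification until cert-manager reissues. The usual chart pattern is to reuse the existing Secret through `lookup` when it is present and only generate on first install (noting that `lookup` returns empty under `helm template`/`--dry-run`). The two branches also disagree on encoding: the generated branch applies `b64enc`, while the user-supplied branch writes `.Values.secret.ca.crt` verbatim, so the caller must pre-encode — either document that next to the value or apply `b64enc` in both branches. The 365-day CA validity is a bare literal with nothing tracking its expiry; a values knob or at least `{{/* CA validity in days; nothing renews this automatically */}}` above the `genCA` line would make the operational cost visible.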
19 changes: 19 additions & 0 deletions templates/ca.yaml
@@ -0,0 +1,19 @@
{{- if not ( .Values.st2.tls.certificate_issuer.existing ) -}}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ .Values.st2.tls.certificate_issuer.name }}
namespace: "{{ $.Release.Namespace }}"
spec:
ca:
secretName: {{ .Values.st2.tls.certificate_issuer.name }}-tls
---
apiVersion: v1
{{- include "stackstorm-ha.internal_tls.ca" . }}
kind: Secret
metadata:
name: {{ .Values.st2.tls.certificate_issuer.name }}-tls
namespace: "{{ $.Release.Namespace }}"
type: kubernetes.io/tls
{{- end -}}
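Review bot: The `{{- include "stackstorm-ha.internal_tls.ca" . }}` that emits the `data:` block is placed between `apiVersion: v1` and `kind: Secret`; the result is valid because mapping order is irrelevant, but it reads as though the helper contributed to `metadata`, so moving the include below `type: kubernetes.io/tls` would make the rendered Secret easier to scan. This Secret also lacks the `app`/`heritage`/`release`/`chart` labels that templates/certificate.yaml applies to its resources, which matters for anyone selecting chart-owned Secrets by label. A comment above the Issuer such as `{{/* Self-signed CA issuer; skipped when certificate_issuer.existing points at a pre-created Issuer of the same name */}}` would document the `existing` switch, which is otherwise only implied by the outer `if`.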
29 changes: 29 additions & 0 deletions templates/certificate.yaml
@@ -0,0 +1,29 @@
{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.st2.tls.secretName }}
namespace: "{{ $.Release.Namespace }}"
labels:
app: stackstorm
heritage: {{.Release.Service | quote}}
release: {{.Release.Name | quote}}
chart: {{ replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name }}
spec:
secretName: {{ .Values.st2.tls.secretName }}
dnsNames:
- "*.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}"
{{ include "stackstorm-ha.mongodb-nodes" $ | splitList "," | toYaml | indent 4 }}
ipAddresses:
- "127.0.0.1"
renewBefore: 360h # 15d
privateKey:
rotationPolicy: Always
algorithm: RSA
size: 3072
issuerRef:
name: {{ .Values.st2.tls.certificate_issuer.name }}
kind: Issuer
group: cert-manager.io
{{- end -}}
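Review bot: `issuerRef.kind: Issuer` is hard-coded, so `certificate_issuer.existing` can only point at a namespaced Issuer and a pre-existing ClusterIssuer cannot be used; a configurable kind (for example a new `certificate_issuer.kind` value defaulting to `Issuer`) would keep the `existing` option useful. The `dnsNames` list splices in `stackstorm-ha.mongodb-nodes`; that helper is consumed as the host part of a `mongodb://` URL in templates/configmaps_st2-conf.yaml with a separate `port =` line, which suggests bare hostnames, but if it ever yields `host:port` pairs they are invalid SANs — worth a one-line comment stating the expectation. The single wildcard `*.<namespace>.svc.<clusterDomain>` in one shared Secret means every pod that mounts `st2.tls.secretName` holds a key valid for every service name in the namespace, including mongodb and rabbitmq, so this TLS setup authenticates "a chart pod" rather than a specific component; stating that in the values documentation avoids a false sense of per-service identity. `renewBefore: 360h` with `rotationPolicy: Always` is sensible, but no `duration` is set, so the default lifetime applies — making it explicit keeps the CA's 365-day validity and the leaf lifetime visibly in step.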
41 changes: 41 additions & 0 deletions templates/configmaps_st2-conf.yaml
Expand Up @@ -11,19 +11,49 @@ data:
# The order of merging: st2.conf < st2.docker.conf < st2.user.conf
st2.docker.conf: |
[auth]
{{- if .Values.rabbitmq.tls.enabled }}
api_url = https://{{ .Release.Name }}-st2api:9111/
{{- else }}
api_url = http://{{ .Release.Name }}-st2api:9101/
{{- end -}}
{{- if and .Values.st2.tls.enabled .Values.st2auth.tls.enabled }}
use_ssl = True
key = {{ .Values.st2.tls.mountPath }}/tls.key
cert = {{ .Values.st2.tls.mountPath }}/tls.crt
debug = False
enable = True
{{- else }}
use_ssl = False
{{- end }}
[system_user]
user = {{ .Values.st2.system_user.user }}
ssh_key_file = {{ tpl .Values.st2.system_user.ssh_key_file . }}
{{- if index .Values "redis" "enabled" }}
[coordination]
url = redis://{{ template "stackstorm-ha.redis-password" $ }}{{ template "stackstorm-ha.redis-nodes" $ }}
{{- end }}
{{- if index .Values "rabbitmq" "enabled" }}
[messaging]
{{- if .Values.rabbitmq.tls.enabled }}
url = amqp://{{ required "rabbitmq.auth.username is required!" (index .Values "rabbitmq" "auth" "username") }}:{{ required "rabbitmq.auth.password is required!" (index .Values "rabbitmq" "auth" "password") }}@{{ .Release.Name }}-rabbitmq:5671{{ required "rabbitmq.ingress.path is required!" (index .Values "rabbitmq" "ingress" "path") }}
{{- else }}
url = amqp://{{ required "rabbitmq.auth.username is required!" (index .Values "rabbitmq" "auth" "username") }}:{{ required "rabbitmq.auth.password is required!" (index .Values "rabbitmq" "auth" "password") }}@{{ .Release.Name }}-rabbitmq:5672{{ required "rabbitmq.ingress.path is required!" (index .Values "rabbitmq" "ingress" "path") }}
{{- end -}}
{{- end }}
{{- if index .Values "mongodb" "enabled" }}
{{- if .Values.rabbitmq.tls.enabled }}
ssl = True
ssl_ca_certs = {{ .Values.st2.tls.mountPath }}/ca.crt
ssl_cert_reqs = optional
ssl_certfile = {{ .Values.st2.tls.mountPath }}/tls.crt
ssl_keyfile = {{ .Values.st2.tls.mountPath }}/tls.key
{{- else }}
ssl = False
{{- end }}
[database]
{{- if index .Values "mongodb" "auth" "enabled" }}
host = mongodb://{{ template "stackstorm-ha.mongodb-nodes" $ }}/{{ required "mongodb.auth.database is required!" (index .Values "mongodb" "auth" "database") }}?authSource={{ required "mongodb.auth.database is required!" (index .Values "mongodb" "auth" "database") }}&replicaSet={{ index .Values "mongodb" "replicaSetName" }}
Expand All @@ -36,10 +66,21 @@ data:
port = {{ index .Values "mongodb" "service" "port" }}
{{- end }}
{{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
{{- if .Values.mongodb.tls.enabled }}
ssl = True
ssl_ca_certs = {{ .Values.st2.tls.mountPath }}/ca.crt
ssl_cert_reqs = optional
ssl_certfile = {{ .Values.st2.tls.mountPath }}/tls.crt
ssl_keyfile = {{ .Values.st2.tls.mountPath }}/tls.key
{{- else }}
ssl = False
{{- end }}
[keyvalue]
encryption_key_path = /etc/st2/keys/datastore_key.json
{{- end }}
{{- if .Values.st2.rbac.enabled }}
[rbac]
enable = True
backend = default
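Review bot: The `[database]` TLS block (`{{- if .Values.mongodb.tls.enabled }}` through its `{{- end }}` in the second hunk) sits inside `{{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}`, so setting `datastore_crypto_key: disable` silently drops the MongoDB `ssl = True` settings while `mongodb.tls.enabled` stays true; moving those nine lines above the crypto-key condition, so they still close the `[database]` section, removes the coupling. The `[auth] api_url` switch at the top of the first hunk is keyed on `.Values.rabbitmq.tls.enabled`, whereas the same URL in templates/configmaps_st2-urls.yaml uses `{{- if and .Values.st2.tls.enabled .Values.st2api.tls.enabled }}`; the rabbitmq key reads like a copy-paste slip and should match. Likewise the `ssl = True` block that follows the `[messaging]` url is gated on `.Values.rabbitmq.tls.enabled` but wrapped in `{{- if index .Values "mongodb" "enabled" }}`, so with RabbitMQ on and MongoDB off the messaging TLS options vanish, and with RabbitMQ off they would land under whichever section was emitted last. The unchanged context line `port = {{ index .Values "mongodb" "service" "port" }}` still reads the key this commit replaced with `service.ports.mongodb` in templates/_helpers.tpl; after the mongodb dependency bump in Chart.yaml it presumably renders empty and should be updated in the same way.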
18 changes: 15 additions & 3 deletions templates/configmaps_st2-urls.yaml
Expand Up @@ -7,6 +7,18 @@ metadata:
description: StackStorm service URLs, used across entire st2 cluster
labels: {{- include "stackstorm-ha.labels" (list $ "st2") | nindent 4 }}
data:
ST2_AUTH_URL: http://{{ .Release.Name }}-st2auth:9100/
ST2_API_URL: http://{{ .Release.Name }}-st2api:9101/
ST2_STREAM_URL: http://{{ .Release.Name }}-st2stream:9102/
{{- if and .Values.st2.tls.enabled .Values.st2auth.tls.enabled }}
ST2_AUTH_URL: https://{{ .Release.Name }}-st2auth.{{ .Release.Namespace }}.svc.{{$.Values.clusterDomain }}:9100/
{{- else }}
ST2_AUTH_URL: http://{{ .Release.Name }}-st2auth.{{ .Release.Namespace }}.svc.{{$.Values.clusterDomain }}:9100/
{{- end }}
{{- if and .Values.st2.tls.enabled .Values.st2api.tls.enabled }}
ST2_API_URL: https://{{ .Release.Name }}-st2api.{{ .Release.Namespace }}.svc.{{$.Values.clusterDomain }}:9111/
{{- else }}
ST2_API_URL: http://{{ .Release.Name }}-st2api.{{ .Release.Namespace }}.svc.{{$.Values.clusterDomain }}:9101/
{{- end }}
{{- if and .Values.st2.tls.enabled .Values.st2stream.tls.enabled }}
ST2_STREAM_URL: https://{{ .Release.Name }}-st2stream.{{ .Release.Namespace }}.svc.{{$.Values.clusterDomain }}:9112/
{{- else }}
ST2_STREAM_URL: http://{{ .Release.Name }}-st2stream.{{ .Release.Namespace }}.svc.{{$.Values.clusterDomain }}:9102/
{{- end }}
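Review bot: The six new URL lines write `{{$.Values.clusterDomain }}` without the space after `{{` that every other action in the file uses (`{{ .Release.Name }}`, `{{ .Release.Namespace }}`); `{{ $.Values.clusterDomain }}` keeps the style uniform. The three `if`/`else` pairs differ only in component name and port pair, so a small named template taking the component, its plain port and its TLS port (or a `range` over a three-entry list) would express the rule once; the per-component `st2<component>.tls.enabled` gating itself is consistent and is the pattern the `[auth] api_url` switch in templates/configmaps_st2-conf.yaml should follow. A short comment above the block, `# scheme and port switch per component; TLS ports differ from the plain ones`, would save readers from checking the port numbers line by line.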
