Add helm chart for CRL proxy (#3896)

wireapp · Feb 22, 2024 · 11fd095 · 11fd095
1 parent 4ac0ffd
commit 11fd095
Show file tree

Hide file tree

Showing 7 changed files with 87 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -18,7 +18,7 @@ fake-aws fake-aws-s3 fake-aws-sqs aws-ingress fluent-bit kibana backoffice		\
 calling-test demo-smtp elasticsearch-curator elasticsearch-external				\
 elasticsearch-ephemeral minio-external cassandra-external						\
 nginx-ingress-controller ingress-nginx-controller nginx-ingress-services reaper sftd restund coturn		\
-inbucket k8ssandra-test-cluster postgresql
+inbucket k8ssandra-test-cluster postgresql smallstep-accomp
 KIND_CLUSTER_NAME     := wire-server
 HELM_PARALLELISM      ?= 1 # 1 for sequential tests; 6 for all-parallel tests
 

diff --git a/changelog.d/2-features/WPB-6252 b/changelog.d/2-features/WPB-6252
@@ -0,0 +1 @@
+Add Helm chart `smallstep-accomp` that provides a CRL endpoint proxy for federated E2EI
diff --git a/charts/smallstep-accomp/Chart.yaml b/charts/smallstep-accomp/Chart.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+description: Accompanying chart for Smallstep E2EI support
+name: smallstep-accomp
+version: 1.0.0
diff --git a/charts/smallstep-accomp/README.md b/charts/smallstep-accomp/README.md
@@ -0,0 +1,18 @@
+This Helm chart installs a reverse proxy that proxies the Certificate Revocation List (CRL) Distribution Point of the Smallstep servers CRL Certificate Authority (CA) from federating domains and the own domain. It is required to be installed alongside the Smallstep helm chart.
+
+The Helm chart deploys a nginx server that reverse-proxies `https://<nginx.ingress.hostname>/proxyCrl/<other_acme_domain>` to `http://{other_acme_domain}/crl` (note: http, not https) as well as an ingress for the `/proxyCrl` endpoint. For example if `upstreams.proxiedHosts` is set to `[acme.alpha.example.com, acme.beta.example.com]` and the host for the Smallstep server on the own domain is `acme.alpha.example.com` this helm chart will forward requests
+
+- `https://acme.alpha.example.com/proxyCrl/acme.alpha.example.com` to `http://acme.alpha.example.com/crl`
+- `https://acme.alpha.example.com/proxyCrl/acme.beta.example.com` to `http://acme.beta.example.com/crl`
+
+## Parameters
+
+| Name                      | Description                                                                               |
+| ------------------------- | ----------------------------------------------------------------------------------------- |
+| `upstreams.enable`        | Set to `false` in case you want to write custom nginx server block for the upstream rules |
+| `upstreams.dnsResolver`   | DNS server that nginx uses to resolve the proxied hostnames                               |
+| `upstreams.proxiedHosts`  | List of smallstep hostnames to proxy. Please also include the own smallstep host here     |
+| `nginx.ingress.enable`    | Set to `false` in case you'd like to define a custom ingress for the /proxyCrl endpoint  |
+| `nginx.ingress.hostname`  | Hostname of the Smallstep server                                                          |
+
+For more details on `nginx.*` parameters see README.md documentation in the `nginx` dependency chart.
diff --git a/charts/smallstep-accomp/requirements.yaml b/charts/smallstep-accomp/requirements.yaml
@@ -0,0 +1,4 @@
+dependencies:
+- name: nginx
+  version: 15.10.4
+  repository: https://charts.bitnami.com/bitnami
diff --git a/charts/smallstep-accomp/templates/server-block-configmap.yaml b/charts/smallstep-accomp/templates/server-block-configmap.yaml
@@ -0,0 +1,30 @@
+{{- if and .Values.upstreams.enable .Values.nginx.existingServerBlockConfigmap }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.nginx.existingServerBlockConfigmap }}
+  labels:
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+  server.conf: |
+    resolver {{ .Values.upstreams.dnsResolver }};
+
+    server {
+      listen 0.0.0.0:8080;
+
+      {{- range .Values.upstreams.proxiedHosts }}
+
+      location /proxyCrl/{{ . }} {
+        proxy_redirect off;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Host {{ . }};
+        proxy_hide_header Content-Type;
+        add_header Content-Type application/pkix-crl;
+        proxy_pass "http://{{ . }}/crl";
+      }
+
+      {{- end }}
+    }
+{{- end }}
diff --git a/charts/smallstep-accomp/values.yaml b/charts/smallstep-accomp/values.yaml
@@ -0,0 +1,29 @@
+upstreams:
+  enable: true
+  # dnsResolver: 9.9.9.9
+
+  # Note: include the smallstep host of the own domain here as well
+  proxiedHosts: []
+  # proxiedHosts: 
+  #   - acme.alpha.example.com
+  #   - acme.beta.example.com
+  #   - acme.gamma.example.com
+
+nginx:
+  existingServerBlockConfigmap: "smallstep-accomp-server-block"
+
+  service:
+    type: ClusterIP
+
+  ingress:
+    enabled: true
+    # ingressClassName: "nginx"
+
+    # hostname: "acme.alpha.example.com"
+    path: "/proxyCrl"
+    pathType: "Prefix"
+
+    # extraTls: 
+    #   - 
+    #     hosts: [ "acme.alpha.example.com" ]
+    #     secretName: "smallstep-step-certificates-ingress-cert"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Add Helm chart `smallstep-accomp` that provides a CRL endpoint proxy for federated E2EI