diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 62349214..f46927e2 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md @@ -45,6 +45,27 @@ cd cryostat-helm helm install cryostat ./charts/cryostat ``` +## Configuration + +See the sections below for Helm chart values which can be used for configuring various aspects of the Cryostat installation. + +If there are further customizations required to suit your deployment environment, choose the settings values that get +you closest to what you need, then manually edit the resulting Kubernetes objects to suit your requirements. You may +also consider using `helm install --dry-run` to render the Kubernetes YAML manifests without installing them, so that +you can apply your own customization patches as needed. + +### TLS + +When installed on OpenShift with `authentication.openshift.enabled=true`, the cluster's +["service serving certificates"](https://docs.openshift.com/container-platform/4.17/security/certificates/service-serving-certificate.html) +feature is used to enable managed TLS configuration on the exposed HTTP(S) ports. + +When installed with `authentication.openshift.enabled=false` but `oauth2Proxy.tls.selfSigned.enabled=true` then a +self-signed TLS certificate will be generated at installation time to serve similar purposes. These TLS certificates +are not managed, will not automatically rotate, and will expire after 365 days. You will need to manually rotate the +certificates, or reinstall the chart, or else apply your own customizations to the Kubernetes manifests to automate TLS +certificate issuance and rotation. + ## Parameters ### Cryostat Container 
@@ -176,6 +197,7 @@ helm install cryostat ./charts/cryostat | `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | | `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | | `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | +| `oauth2Proxy.tls.selfSigned.enabled` | Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. | `false` | | `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | | `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | | `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). | `{}` | diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index 496297c0..133c8c47 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt 
@@ -34,12 +34,12 @@ {{- if $portForwards }} -{{ $listNum }}. Forward local port to the application's pod: +{{ $listNum }}. Forward local port to the application's service: ``` kubectl -n {{ .Release.Namespace }} wait --for=condition=available --timeout=60s deploy/{{ include "cryostat.deploymentName" . }} - export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") - kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME 8080:http + export SVC_NAME=$(kubectl get services -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") + kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME {{ include "cryostat.core.service.port" . }}:{{ include "cryostat.core.service.scheme" . }} ``` {{- $listNum = add1 $listNum }} {{- end }} @@ -59,6 +59,6 @@ {{- else if contains "LoadBalancer" .Values.core.service.type }} echo http://$SERVICE_IP:{{ .Values.core.service.httpPort }} {{- else if contains "ClusterIP" .Values.core.service.type }} - http://localhost:8080 + {{ include "cryostat.core.service.scheme" . }}://localhost:{{ include "cryostat.core.service.port" . }} {{- end }} ``` diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 518e294c..0a8e7e52 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl 
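Review bot: Only the ClusterIP branch of the `@@ -59` hunk is switched to the scheme/port helpers; the LoadBalancer branch on the context line just above it still prints `echo http://$SERVICE_IP:{{ .Values.core.service.httpPort }}`, so with `oauth2Proxy.tls.selfSigned.enabled=true` the notes steer the operator to the plaintext port even though cryostat_service.yaml in this same change now publishes 443. Consider `echo {{ include "cryostat.core.service.scheme" . }}://$SERVICE_IP:{{ ternary 443 .Values.core.service.httpPort (include "cryostat.core.service.tls" . | eq "true") }}`, and the same treatment for the NodePort branch, which lies outside this hunk. The port-forward output would also benefit from one line saying the self-signed certificate is issued for the release name rather than `localhost`, so the browser warning at `https://localhost:8443` is expected and not a sign of interception.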
@@ -62,6 +62,27 @@ Create the name of the service account to use. {{- end }} {{- end }} +{{/* +Cryostat service TLS enablement. Returns the string values "true" or "false". +*/}} +{{- define "cryostat.core.service.tls" -}} +{{ or .Values.authentication.openshift.enabled .Values.oauth2Proxy.tls.selfSigned.enabled }} +{{- end }} + +{{/* +Cryostat service protocol. HTTPS if TLS is enabled, HTTP otherwise. +*/}} +{{- define "cryostat.core.service.scheme" -}} +{{ ternary "https" "http" ( include "cryostat.core.service.tls" . | eq "true" ) }} +{{- end }} + +{{/* +Cryostat service port. 8443 if TLS is enabled, 8080 otherwise. +*/}} +{{- define "cryostat.core.service.port" -}} +{{ ternary 8443 8080 ( ( include "cryostat.core.service.scheme" . ) | eq "https" ) }} +{{- end }} + {{/* Get or generate a default connection key for database. */}} diff --git a/charts/cryostat/templates/_oauth2Proxy.tpl b/charts/cryostat/templates/_oauth2Proxy.tpl index f7ebea42..db3fc6b9 100644 --- a/charts/cryostat/templates/_oauth2Proxy.tpl +++ b/charts/cryostat/templates/_oauth2Proxy.tpl @@ -47,4 +47,8 @@ Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml mountPath: /etc/oauth2_proxy/basicauth readOnly: true {{- end }} + {{- if .Values.oauth2Proxy.tls.selfSigned.enabled }} + - name: {{ .Release.Name }}-oauth2proxy-tls + mountPath: /etc/tls/private + {{- end }} {{- end}} diff --git a/charts/cryostat/templates/_reports_authproxy.tpl b/charts/cryostat/templates/_reports_authproxy.tpl index 41840778..90292e70 100644 --- a/charts/cryostat/templates/_reports_authproxy.tpl +++ b/charts/cryostat/templates/_reports_authproxy.tpl 
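Review bot: `cryostat.core.service.tls` dereferences `.Values.authentication.openshift.enabled` and `.Values.oauth2Proxy.tls.selfSigned.enabled` unguarded, whereas the lines this change replaces in cryostat_deployment.yaml and reports_service.yaml used the chart's parenthesised `(.Values.authentication.openshift).enabled` convention. Because this one helper now gates Secret generation, Service ports and the reports URL scheme, a render failure here (for example a values override that replaces `oauth2Proxy` or `authentication` without the nested keys) takes the whole chart down rather than one template; `{{ or ((.Values.authentication).openshift).enabled (((.Values.oauth2Proxy).tls).selfSigned).enabled }}` keeps the existing convention. The three helpers are also named `core` but are consumed by the reports Service and reports sidecar too, so either a neutral name or a doc comment stating that they apply to both Services would save the next reader a search.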
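Review bot: The new `/etc/tls/private` mount in `_oauth2Proxy.tpl` omits `readOnly: true`, while the `basicauth` mount a few lines above it has it; a Secret holding a private key should not be writable from the proxy container. Add `readOnly: true` directly under the new `mountPath: /etc/tls/private` line. The container definition this mount belongs to starts before the hunk.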
@@ -45,6 +45,62 @@ readOnly: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File +{{- else if .Values.oauth2Proxy.tls.selfSigned.enabled }} +- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }} + securityContext: + {{- toYaml (.Values.oauth2Proxy).securityContext | nindent 4 }} + image: "{{ (.Values.oauth2Proxy).image.repository }}:{{ (.Values.oauth2Proxy).image.tag }}" + imagePullPolicy: {{ (.Values.oauth2Proxy).image.pullPolicy }} + env: + - name: OAUTH2_PROXY_CLIENT_ID + value: dummy + - name: OAUTH2_PROXY_CLIENT_SECRET + value: none + - name: OAUTH2_PROXY_HTTP_ADDRESS + value: 0.0.0.0:4180 + - name: OAUTH2_PROXY_HTTPS_ADDRESS + value: :8443 + - name: OAUTH2_PROXY_TLS_CERT_FILE + value: /etc/tls/private/cert + - name: OAUTH2_PROXY_TLS_KEY_FILE + value: /etc/tls/private/key + - name: OAUTH2_PROXY_UPSTREAMS + value: http://localhost:10001/ + - name: OAUTH2_PROXY_REDIRECT_URL + value: "http://localhost:4180/oauth2/callback" + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }} + key: COOKIE_SECRET + optional: false + - name: OAUTH2_PROXY_EMAIL_DOMAINS + value: "*" + - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP + value: write + - name: OAUTH2_PROXY_HTPASSWD_FILE + value: /etc/oauth2_proxy/basicauth/htpasswd + - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES + value: "^/health$" + - name: OAUTH2_PROXY_PROXY_WEBSOCKETS + value: "false" + ports: + - containerPort: 4180 + name: http + protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP + resources: + {{- toYaml .Values.oauth2Proxy.resources | nindent 4 }} + volumeMounts: + - name: {{ .Release.Name }}-reports-secret + mountPath: /etc/oauth2_proxy/basicauth + readOnly: true + {{- if .Values.oauth2Proxy.tls.selfSigned.enabled }} + - name: {{ .Release.Name }}-oauth2proxy-reports-tls + mountPath: /etc/tls/private + {{- end }} {{- else }} - name: {{ printf "%s-reports-%s" 
.Chart.Name "authproxy" }} securityContext: diff --git a/charts/cryostat/templates/alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml index f2aeaedd..63094fe4 100644 --- a/charts/cryostat/templates/alpha_config.yaml +++ b/charts/cryostat/templates/alpha_config.yaml @@ -12,6 +12,14 @@ data: alpha_config.yaml: |- server: BindAddress: http://0.0.0.0:4180 + {{- if .Values.oauth2Proxy.tls.selfSigned.enabled }} + SecureBindAddress: https://0.0.0.0:8443 + TLS: + Key: + fromFile: /etc/tls/private/key + Cert: + fromFile: /etc/tls/private/cert + {{- end}} upstreamConfig: proxyRawPath: true upstreams: diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index cb0fbcaa..882c5cb5 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -75,7 +75,7 @@ spec: - name: QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST value: "false" - name: QUARKUS_REST_CLIENT_REPORTS_URL - value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (ternary "https" "http" (.Values.authentication.openshift).enabled) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }} + value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (include "cryostat.core.service.scheme" .) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }} {{- end }} - name: QUARKUS_DATASOURCE_USERNAME value: cryostat @@ -215,4 +215,8 @@ spec: - name: {{ .Release.Name }}-proxy-tls secret: secretName: {{ .Release.Name }}-proxy-tls + {{- else if .Values.oauth2Proxy.tls.selfSigned.enabled }} + - name: {{ .Release.Name }}-oauth2proxy-tls + secret: + secretName: {{ .Release.Name }}-oauth2proxy-tls {{- end }} diff --git a/charts/cryostat/templates/cryostat_service.yaml b/charts/cryostat/templates/cryostat_service.yaml index 46351a28..36261e43 100644 --- a/charts/cryostat/templates/cryostat_service.yaml 
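Review bot: The self-signed branch of the reports sidecar still sets `OAUTH2_PROXY_HTTP_ADDRESS` to `0.0.0.0:4180` and publishes `containerPort: 4180`, so with TLS "enabled" the reports proxy remains reachable in plaintext at the pod IP even though reports_service.yaml now routes only to `https`; any workload that can reach pod IPs bypasses TLS entirely. Unless a probe not visible here relies on the plain listener, bind it to loopback with `value: 127.0.0.1:4180` or drop the `http` container port. The TLS volume mount at the end of the branch also lacks the `readOnly: true` that the `basicauth` mount carries, and the inner `{{- if .Values.oauth2Proxy.tls.selfSigned.enabled }}` around it is redundant inside an `else if` on the same condition. This branch appears to duplicate the `else` branch below it with only the `OAUTH2_PROXY_HTTPS_ADDRESS`/`TLS_CERT_FILE`/`TLS_KEY_FILE` env vars and the extra mount differing; folding those into conditional guards inside a single container definition would stop the two copies drifting. The `if`/`else if` chain this hunk extends begins before the hunk.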
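Review bot: Switching `QUARKUS_REST_CLIENT_REPORTS_URL` to `https://` when `oauth2Proxy.tls.selfSigned.enabled` is set is not matched by anything in this change that makes Cryostat trust the reports sidecar: the certificate comes from `genSelfSignedCert` in reports_tls_secret.yaml with no issuing CA and no DNS SANs, and the URL host is `<fullname>-reports.<namespace>.svc`, so standard verification fails on both chain and hostname. On OpenShift the service-ca bundle covered this; here either mount the `-oauth2proxy-reports-tls` Secret's `cert` into the Cryostat container and configure it as the reports REST client's trust store, or explicitly document that verification is disabled for that client the way the context line `QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST=false` does for a different client. Please confirm whether a verify-host/trust-store setting for the reports client exists outside this hunk; the env list continues past it.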
+++ b/charts/cryostat/templates/cryostat_service.yaml @@ -19,7 +19,7 @@ spec: protocol: TCP name: http appProtocol: http - {{- if (.Values.authentication.openshift).enabled }} + {{- if ( include "cryostat.core.service.tls" . | eq "true" ) }} - port: 443 targetPort: 8443 protocol: TCP diff --git a/charts/cryostat/templates/cryostat_tls_secret.yaml b/charts/cryostat/templates/cryostat_tls_secret.yaml new file mode 100644 index 00000000..0d057454 --- /dev/null +++ b/charts/cryostat/templates/cryostat_tls_secret.yaml @@ -0,0 +1,15 @@ +{{- if ( include "cryostat.core.service.tls" . | eq "true" ) }} +{{- $fullName := include "cryostat.fullname" . }} +{{- $cert := genSelfSignedCert $fullName nil nil 365 }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-oauth2proxy-tls + labels: + {{- include "cryostat.labels" $ | nindent 4 }} +type: Opaque +immutable: true +data: + cert: {{ $cert.Cert | b64enc }} + key: {{ $cert.Key | b64enc }} +{{- end -}} diff --git a/charts/cryostat/templates/reports_deployment.yaml b/charts/cryostat/templates/reports_deployment.yaml index 05c846dc..1ad5acac 100644 --- a/charts/cryostat/templates/reports_deployment.yaml +++ b/charts/cryostat/templates/reports_deployment.yaml @@ -83,5 +83,9 @@ spec: - name: {{ .Release.Name }}-proxy-tls secret: secretName: {{ .Release.Name }}-proxy-tls + {{- else if .Values.oauth2Proxy.tls.selfSigned.enabled }} + - name: {{ .Release.Name }}-oauth2proxy-reports-tls + secret: + secretName: {{ .Release.Name }}-oauth2proxy-reports-tls {{- end }} {{- end -}} diff --git a/charts/cryostat/templates/reports_service.yaml b/charts/cryostat/templates/reports_service.yaml index 5ebb9be3..a54836a6 100644 --- a/charts/cryostat/templates/reports_service.yaml +++ b/charts/cryostat/templates/reports_service.yaml 
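Review bot: With `cryostat.core.service.tls` true the Service gains `443 -> 8443` but keeps the `http` port targeting 4180 (context lines above), and alpha_config.yaml in this change keeps `BindAddress: http://0.0.0.0:4180`, so enabling self-signed TLS adds an HTTPS endpoint without retiring the plaintext one; the README wording "enable managed TLS configuration on the exposed HTTP(S) ports" reads as if traffic is protected. Either document that the http port stays exposed and clients must opt into 443, or guard the http port with `{{- if not (include "cryostat.core.service.tls" . | eq "true") }}` and bind the plain listener to loopback, after checking the Ingress/Route templates outside this diff for references to the `http` port name. The cryostat_service_test case added in this change (`lengthEqual: 2`) currently pins the additive behaviour, so whichever way this goes the test should state the intent.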
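Review bot: cryostat_tls_secret.yaml is gated on `cryostat.core.service.tls`, which is also true for `authentication.openshift.enabled=true`, so on OpenShift — where service-serving certificates are used and this Secret is never mounted (cryostat_deployment.yaml mounts `-proxy-tls` in that branch) — an unused self-signed private key is still written to the namespace, contradicting the README text that self-signed certificates apply only when `oauth2Proxy.tls.selfSigned.enabled=true`; gate on that flag directly. Separately, `genSelfSignedCert` yields fresh key material on every render, so each `helm upgrade` will attempt to replace the data of a Secret declared `immutable: true`, which the API server will likely reject; the usual remedy is a `lookup` that reuses the existing Secret's data when present. The certificate also carries no DNS SANs (third argument `nil`) although it serves the Service, so hostname verification can never succeed; the sketch below adds the Service DNS names, assuming the core Service is named by `cryostat.fullname` as the reports URL in cryostat_deployment.yaml suggests. Using `type: kubernetes.io/tls` with `tls.crt`/`tls.key` would additionally let Ingress or cert-manager consume the same Secret later, but that requires changing the `/etc/tls/private/cert` and `key` paths in the sidecar configuration, so it is left out here.
```yaml
{{- if .Values.oauth2Proxy.tls.selfSigned.enabled }}
{{- $fullName := include "cryostat.fullname" . }}
{{- $secretName := printf "%s-oauth2proxy-tls" .Release.Name }}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ $secretName }}
  # … unchanged: labels …
type: Opaque
immutable: true
data:
  {{- if and $existing $existing.data }}
  # reuse the key generated at install time so `helm upgrade` never rewrites an immutable Secret
  cert: {{ index $existing.data "cert" }}
  key: {{ index $existing.data "key" }}
  {{- else }}
  {{- $host := printf "%s.%s.svc" $fullName .Release.Namespace }}
  {{- $cert := genSelfSignedCert $host nil (list $host (printf "%s.cluster.local" $host)) 365 }}
  cert: {{ $cert.Cert | b64enc }}
  key: {{ $cert.Key | b64enc }}
  {{- end }}
{{- end -}}
```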
@@ -11,7 +11,7 @@ spec: type: {{ .Values.reports.service.type }} ports: - port: {{ .Values.reports.service.httpPort }} - targetPort: {{ ternary "https" "http" (.Values.authentication.openshift).enabled }} + targetPort: {{ include "cryostat.core.service.scheme" . }} selector: {{- include "cryostat.selectorLabels" $ | nindent 4 }} app.kubernetes.io/component: reports diff --git a/charts/cryostat/templates/reports_tls_secret.yaml b/charts/cryostat/templates/reports_tls_secret.yaml new file mode 100644 index 00000000..79dbf258 --- /dev/null +++ b/charts/cryostat/templates/reports_tls_secret.yaml @@ -0,0 +1,15 @@ +{{- if ( include "cryostat.core.service.tls" . | eq "true" ) }} +{{- $fullName := include "cryostat.fullname" . }} +{{- $cert := genSelfSignedCert (printf "%s-reports" $fullName) nil nil 365 }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-oauth2proxy-reports-tls + labels: + {{- include "cryostat.labels" $ | nindent 4 }} +type: Opaque +immutable: true +data: + cert: {{ $cert.Cert | b64enc }} + key: {{ $cert.Key | b64enc }} +{{- end -}} diff --git a/charts/cryostat/templates/tests/test-core-connection.yaml b/charts/cryostat/templates/tests/test-core-connection.yaml index 89242bd4..75a24eb8 100644 --- a/charts/cryostat/templates/tests/test-core-connection.yaml +++ b/charts/cryostat/templates/tests/test-core-connection.yaml @@ -5,6 +5,7 @@ metadata: labels: {{- include "cryostat.labels" . | nindent 4 }} app.kubernetes.io/component: test-core-connection + charts.cryostat.io/role: helm-test annotations: "helm.sh/hook": test spec: diff --git a/charts/cryostat/templates/tests/test-grafana-connection.yaml b/charts/cryostat/templates/tests/test-grafana-connection.yaml index 9b68ad6b..84b3dfce 100644 --- a/charts/cryostat/templates/tests/test-grafana-connection.yaml +++ b/charts/cryostat/templates/tests/test-grafana-connection.yaml 
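Review bot: The reports certificate is generated with `genSelfSignedCert (printf "%s-reports" $fullName) nil nil 365`, i.e. without DNS SANs, while the only in-cluster client of this sidecar (cryostat_deployment.yaml in this change) dials `<fullname>-reports.<namespace>.svc`; modern TLS stacks ignore the CN, so the name never matches. Pass the Service names as SANs, e.g. `{{- $host := printf "%s-reports.%s.svc" $fullName .Release.Namespace }}` followed by `{{- $cert := genSelfSignedCert $host nil (list $host (printf "%s.cluster.local" $host)) 365 }}`. The gate on `cryostat.core.service.tls` (also true on OpenShift, where `-proxy-tls` is mounted instead) and the regenerate-on-every-upgrade versus `immutable: true` conflict apply here exactly as for cryostat_tls_secret.yaml. Unlike its sibling, this template has no unit-test suite in the diff.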
@@ -5,6 +5,7 @@ metadata: labels: {{- include "cryostat.labels" . | nindent 4 }} app.kubernetes.io/component: test-grafana-connection + charts.cryostat.io/role: helm-test annotations: "helm.sh/hook": test spec: diff --git a/charts/cryostat/tests/alpha_config_test.yaml b/charts/cryostat/tests/alpha_config_test.yaml index 7b5e6f1f..c0312ad3 100644 --- a/charts/cryostat/tests/alpha_config_test.yaml +++ b/charts/cryostat/tests/alpha_config_test.yaml @@ -18,6 +18,23 @@ tests: path: data['alpha_config.yaml'] pattern: "providers:\\s*- id: dummy\\s*name: Unused - Sign In Below\\s*clientId: CLIENT_ID\\s*clientSecret: CLIENT_SECRET\\s*provider: google" + - it: should create configmap with correct alpha configurations when self-signed TLS is enabled + set: + oauth2Proxy.tls.selfSigned.enabled: true + asserts: + - matchRegex: + path: data['alpha_config.yaml'] + pattern: "server:\\s*BindAddress: http://0.0.0.0:4180\\s*SecureBindAddress: https://0.0.0.0:8443" + - matchRegex: + path: data['alpha_config.yaml'] + pattern: "upstreamConfig:\\s*proxyRawPath: true\\s*upstreams:\\s*- id: cryostat\\s*path: /\\s*uri: http://localhost:8181" + - matchRegex: + path: data['alpha_config.yaml'] + pattern: "- id: grafana\\s*path: /grafana/\\s*uri: http://localhost:3000" + - matchRegex: + path: data['alpha_config.yaml'] + pattern: "providers:\\s*- id: dummy\\s*name: Unused - Sign In Below\\s*clientId: CLIENT_ID\\s*clientSecret: CLIENT_SECRET\\s*provider: google" + - it: should not create alpha_config when openshift authentication is enabled set: authentication: diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml index 0548fc79..49771225 100644 --- a/charts/cryostat/tests/cryostat_deployment_test.yaml +++ b/charts/cryostat/tests/cryostat_deployment_test.yaml 
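Review bot: The new self-signed test case asserts only `SecureBindAddress` and never checks that the `TLS.Key`/`TLS.Cert` `fromFile` entries rendered, so a typo in `/etc/tls/private/key` — which must agree with the mount path in `_oauth2Proxy.tpl` — would pass. Extend the first regex to `pattern: "server:\\s*BindAddress: http://0.0.0.0:4180\\s*SecureBindAddress: https://0.0.0.0:8443\\s*TLS:\\s*Key:\\s*fromFile: /etc/tls/private/key\\s*Cert:\\s*fromFile: /etc/tls/private/cert"`. A negative case asserting that `SecureBindAddress` is absent when the flag is false would also pin the default path.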
@@ -416,11 +416,30 @@ tests: - it: should validate volumes and volume mounts asserts: + - lengthEqual: + count: 1 + path: spec.template.spec.volumes - exists: path: spec.template.spec.volumes[?(@.name=='alpha-config')] - exists: path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].volumeMounts[?(@.mountPath=='/etc/oauth2_proxy/alpha_config')] + - it: should validate volumes and volume mounts with oauth2-proxy self-signed TLS enabled + set: + oauth2Proxy.tls.selfSigned.enabled: true + asserts: + - lengthEqual: + count: 2 + path: spec.template.spec.volumes + - exists: + path: spec.template.spec.volumes[?(@.name=='alpha-config')] + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].volumeMounts[?(@.mountPath=='/etc/oauth2_proxy/alpha_config')] + - exists: + path: spec.template.spec.volumes[?(@.name=='RELEASE-NAME-oauth2proxy-tls')] + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].volumeMounts[?(@.mountPath=='/etc/tls/private')] + - it: should set image pull secrets if specified set: imagePullSecrets: diff --git a/charts/cryostat/tests/cryostat_service_test.yaml b/charts/cryostat/tests/cryostat_service_test.yaml index f051287e..1279ab2c 100644 --- a/charts/cryostat/tests/cryostat_service_test.yaml +++ b/charts/cryostat/tests/cryostat_service_test.yaml @@ -20,6 +20,9 @@ tests: - equal: path: spec.type value: ClusterIP + - lengthEqual: + path: spec.ports + count: 1 - equal: path: spec.ports[0].port value: 8080 @@ -61,6 +64,9 @@ tests: - equal: path: spec.type value: ClusterIP + - lengthEqual: + path: spec.ports + count: 2 - equal: path: spec.ports[0].port value: 8181 @@ -109,7 +115,6 @@ tests: path: metadata.annotations value: service.alpha.openshift.io/serving-cert-secret-name: RELEASE-NAME-proxy-tls - - it: should include OpenShift specific annotations when OpenShift auth is enabled set: 
@@ -128,3 +133,63 @@ tests: asserts: - notExists: path: metadata.annotations.`service.alpha.openshift.io/serving-cert-secret-name` + + - it: should create a Service with the correct settings when oauth2-proxy self-signed TLS is enabled + set: + oauth2Proxy.tls.selfSigned.enabled: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Service + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat + - equal: + path: spec.type + value: ClusterIP + - lengthEqual: + path: spec.ports + count: 2 + - equal: + path: spec.ports[0].port + value: 8181 + - equal: + path: spec.ports[0].targetPort + value: 4180 + - equal: + path: spec.ports[0].protocol + value: TCP + - equal: + path: spec.ports[0].name + value: http + - equal: + path: spec.ports[1].port + value: 443 + - equal: + path: spec.ports[1].targetPort + value: 8443 + - equal: + path: spec.ports[1].protocol + value: TCP + - equal: + path: spec.ports[1].name + value: https + - equal: + path: spec.selector + value: + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: cryostat + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/component: cryostat diff --git a/charts/cryostat/tests/cryostat_tls_secret_test.yaml b/charts/cryostat/tests/cryostat_tls_secret_test.yaml new file mode 100644 index 00000000..dc4e918d --- /dev/null +++ b/charts/cryostat/tests/cryostat_tls_secret_test.yaml 
@@ -0,0 +1,46 @@ +suite: test cryostat_tls_secret.yaml +templates: + - cryostat_tls_secret.yaml + +tests: + - it: should create a TLS cert secret if oauth2Proxy.tls.selfSigned.enabled is set + set: + oauth2Proxy: + tls: + selfSigned: + enabled: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Secret + - equal: + path: metadata.name + value: RELEASE-NAME-oauth2proxy-tls + - equal: + path: type + value: Opaque + - exists: + path: data.key + - exists: + path: data.cert + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat + app.kubernetes.io/version: 4.0.0-dev + helm.sh/chart: cryostat-2.0.0-dev + + - it: should not create a TLS cert secret if oauth2Proxy.tls.selfSigned.enabled is not set + set: + oauth2Proxy: + tls: + selfSigned: + enabled: false + asserts: + - hasDocuments: + count: 0 diff --git a/charts/cryostat/tests/notes_test.yaml b/charts/cryostat/tests/notes_test.yaml index 19c0c358..dfaf5259 100644 --- a/charts/cryostat/tests/notes_test.yaml +++ b/charts/cryostat/tests/notes_test.yaml 
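Review bot: The negative case only covers `selfSigned.enabled: false` with default OpenShift settings; it does not exercise `authentication.openshift.enabled: true` with self-signed disabled, which is exactly the combination where cryostat_tls_secret.yaml's `cryostat.core.service.tls` gate still renders a self-signed key that the README says should not exist. Add a case setting `authentication.openshift.enabled: true` and asserting the intended document count (0 once the template is gated on the self-signed flag), plus a matching `reports_tls_secret_test.yaml` suite, which is missing from this change. The positive case should also assert `immutable: true`, since that property determines what happens on `helm upgrade`.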
@@ -107,7 +107,40 @@ tests: echo http://$SERVICE_IP:8181 ``` - - it: should render correct notes for ClusterIP service without ingress or route + - it: should render correct notes for ClusterIP service without ingress or route and TLS enabled + set: + oauth2Proxy: + tls: + selfSigned: + enabled: true + asserts: + - equalRaw: + value: | + + 1. Configure the application to serve external traffic: + ``` + No actions required with this configuration. + ``` + + 2. Forward local port to the application's service: + ``` + kubectl -n NAMESPACE wait --for=condition=available --timeout=60s deploy/RELEASE-NAME-cryostat-v4 + + export SVC_NAME=$(kubectl get services -n NAMESPACE -l "app.kubernetes.io/name=cryostat,app.kubernetes.io/instance=RELEASE-NAME,app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") + kubectl -n NAMESPACE port-forward svc/$SVC_NAME 8443:https + ``` + + 3. Visit the application at: + ``` + https://localhost:8443 + ``` + + - it: should render correct notes for ClusterIP service without ingress or route and TLS disabled + set: + oauth2Proxy: + tls: + selfSigned: + enabled: false asserts: - equalRaw: value: | 
@@ -117,12 +150,12 @@ tests: No actions required with this configuration. ``` - 2. Forward local port to the application's pod: + 2. Forward local port to the application's service: ``` kubectl -n NAMESPACE wait --for=condition=available --timeout=60s deploy/RELEASE-NAME-cryostat-v4 - export POD_NAME=$(kubectl get pods -n NAMESPACE -l "app.kubernetes.io/name=cryostat,app.kubernetes.io/instance=RELEASE-NAME,app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") - kubectl -n NAMESPACE port-forward $POD_NAME 8080:http + export SVC_NAME=$(kubectl get services -n NAMESPACE -l "app.kubernetes.io/name=cryostat,app.kubernetes.io/instance=RELEASE-NAME,app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") + kubectl -n NAMESPACE port-forward svc/$SVC_NAME 8080:http ``` 3. Visit the application at: diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 88c3baf7..ba099d70 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -759,6 +759,21 @@ } } }, + "tls": { + "type": "object", + "properties": { + "selfSigned": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.", + "default": false + } + } + } + } + }, "resources": { "type": "object", "properties": { diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 79fdd4d1..a2511e1b 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -273,6 +273,10 @@ oauth2Proxy: pullPolicy: Always ## @param oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image tag: "latest" + tls: + selfSigned: + ## @param oauth2Proxy.tls.selfSigned.enabled Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. + enabled: false resources: requests: ## @param oauth2Proxy.resources.requests.cpu CPU resource request for the OAuth2 Proxy container.