From 19dba60566401297618d2df1d2bf3e6df7d41fdf Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 14 Nov 2024 14:54:04 -0500 Subject: [PATCH 01/17] feat(oauth2proxy): enable self-signed TLS cert --- charts/cryostat/templates/NOTES.txt | 12 ++++++++---- charts/cryostat/templates/_oauth2Proxy.tpl | 4 ++++ charts/cryostat/templates/alpha_config.yaml | 8 ++++++++ .../cryostat/templates/cryostat_deployment.yaml | 5 +++++ charts/cryostat/templates/cryostat_service.yaml | 2 +- .../cryostat/templates/cryostat_tls_secret.yaml | 15 +++++++++++++++ charts/cryostat/values.yaml | 3 +++ 7 files changed, 44 insertions(+), 5 deletions(-) create mode 100644 charts/cryostat/templates/cryostat_tls_secret.yaml diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index 496297c0..6d140a6b 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt 
@@ -34,12 +34,16 @@ {{- if $portForwards }} -{{ $listNum }}. Forward local port to the application's pod: +{{ $listNum }}. Forward local port to the application's service: ``` kubectl -n {{ .Release.Namespace }} wait --for=condition=available --timeout=60s deploy/{{ include "cryostat.deploymentName" . }} - export POD_NAME=$(kubectl get pods -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") - kubectl -n {{ .Release.Namespace }} port-forward $POD_NAME 8080:http + export SVC_NAME=$(kubectl get services -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") +{{- if .Values.oauth2Proxy.service.tls.enableSelfSigned }} + kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8443:cryostat-https +{{- else }} + kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8080:cryostat-http +{{- end }} ``` {{- $listNum = add1 $listNum }} {{- end }} @@ -59,6 +63,6 @@ {{- else if contains "LoadBalancer" .Values.core.service.type }} echo http://$SERVICE_IP:{{ .Values.core.service.httpPort }} {{- else if contains "ClusterIP" .Values.core.service.type }} - http://localhost:8080 + {{ ternary "https" "http" .Values.oauth2Proxy.service.tls.enableSelfSigned }}://localhost:{{ ternary "8443" "8080" .Values.oauth2Proxy.service.tls.enableSelfSigned }} {{- end }} ``` diff --git a/charts/cryostat/templates/_oauth2Proxy.tpl b/charts/cryostat/templates/_oauth2Proxy.tpl index f7ebea42..dc2f0ef6 100644 --- a/charts/cryostat/templates/_oauth2Proxy.tpl +++ b/charts/cryostat/templates/_oauth2Proxy.tpl 
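Review bot: The ClusterIP branch in the second hunk now prints `https://localhost:8443` when `enableSelfSigned` is on, but nothing in the notes says the certificate is self-signed, so the browser or curl rejection the user then hits reads like a broken install rather than the expected outcome. Consider adding, under the same `{{- if ... }}` guard, a line such as `The certificate is self-signed; to verify or trust it, export it with: kubectl -n {{ .Release.Namespace }} get secret {{ .Release.Name }}-oauth2proxy-tls -o jsonpath='{.data.CERT}' | base64 -d` (the key name follows the Secret template in this patch and is renamed in a later one). The port-forward hunk above would benefit from the same sentence, since it is the only path a ClusterIP user has to the service.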
@@ -47,4 +47,8 @@ Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml mountPath: /etc/oauth2_proxy/basicauth readOnly: true {{- end }} + {{- if .Values.oauth2Proxy.service.tls.enableSelfSigned }} + - name: {{ .Release.Name }}-oauth2proxy-tls + mountPath: /etc/tls/private + {{- end }} {{- end}} diff --git a/charts/cryostat/templates/alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml index f2aeaedd..212f52c0 100644 --- a/charts/cryostat/templates/alpha_config.yaml +++ b/charts/cryostat/templates/alpha_config.yaml @@ -12,6 +12,14 @@ data: alpha_config.yaml: |- server: BindAddress: http://0.0.0.0:4180 + {{- if .Values.oauth2Proxy.service.tls.enableSelfSigned }} + SecureBindAddress: https://0.0.0.0:8443 + {{- end}} + TLS: + Key: + fromFile: /etc/tls/private/KEY + Cert: + fromFile: /etc/tls/private/CERT upstreamConfig: proxyRawPath: true upstreams: diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index cb0fbcaa..9e8c8562 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -216,3 +216,8 @@ spec: secret: secretName: {{ .Release.Name }}-proxy-tls {{- end }} + {{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.service.tls.enableSelfSigned)) }} + - name: {{ .Release.Name }}-oauth2proxy-tls + secret: + secretName: {{ .Release.Name }}-oauth2proxy-tls + {{- end }} diff --git a/charts/cryostat/templates/cryostat_service.yaml b/charts/cryostat/templates/cryostat_service.yaml index 46351a28..e7000640 100644 --- a/charts/cryostat/templates/cryostat_service.yaml +++ b/charts/cryostat/templates/cryostat_service.yaml 
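Review bot: The new `/etc/tls/private` volume mount has no `readOnly: true`, while the basicauth mount immediately above it in the same list sets it; this mount delivers the proxy's private key, and the container has no reason to be able to write into it. Add `readOnly: true` under `mountPath: /etc/tls/private`. The enclosing `define` block starts outside the hunk.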
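Review bot: The `TLS:` block with its `Key:`/`Cert:` `fromFile` entries is emitted unconditionally, because the `{{- end}}` closes the `enableSelfSigned` guard right after `SecureBindAddress`; with the option off, oauth2-proxy is still told to read `/etc/tls/private/KEY` and `/etc/tls/private/CERT` from a path that the `_oauth2Proxy.tpl` hunk in this patch only mounts when the option is on. Unless oauth2-proxy ignores a TLS section when no secure bind address is set — which I cannot confirm from here — that is a startup failure once the default flips to off. Move the guard so that `{{- end }}` follows `fromFile: /etc/tls/private/CERT`, and write it as `{{- end }}` to match the spacing used elsewhere in these templates. The same structure survives the renames in the alpha_config.yaml hunks of patches 06 and 07, and the alpha_config_test in patch 08 only asserts the enabled case, so it would not catch it.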
@@ -19,7 +19,7 @@ spec: protocol: TCP name: http appProtocol: http - {{- if (.Values.authentication.openshift).enabled }} + {{- if or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.service.tls.enableSelfSigned }} - port: 443 targetPort: 8443 protocol: TCP diff --git a/charts/cryostat/templates/cryostat_tls_secret.yaml b/charts/cryostat/templates/cryostat_tls_secret.yaml new file mode 100644 index 00000000..4e59d333 --- /dev/null +++ b/charts/cryostat/templates/cryostat_tls_secret.yaml @@ -0,0 +1,15 @@ +{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.service.tls.enableSelfSigned)) }} +{{- $fullName := include "cryostat.fullname" . }} +{{- $cert := genSelfSignedCert $fullName nil nil 365 }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-oauth2proxy-tls + labels: + {{- include "cryostat.labels" $ | nindent 4 }} +type: Opaque +immutable: true +data: + CERT: {{ $cert.Cert | b64enc }} + KEY: {{ $cert.Key | b64enc }} +{{- end -}} diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 79fdd4d1..8fdce6e8 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -273,6 +273,9 @@ oauth2Proxy: pullPolicy: Always ## @param oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image tag: "latest" + service: + tls: + enableSelfSigned: true resources: requests: ## @param oauth2Proxy.resources.requests.cpu CPU resource request for the OAuth2 Proxy container. From 1094244e65934db2f9f94d25ae1ff3028af5d3fe Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 14 Nov 2024 15:06:29 -0500 Subject: [PATCH 02/17] use https port-forward for openshift-oauth-proxy case --- charts/cryostat/templates/NOTES.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index 6d140a6b..c5c43614 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt 
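Review bot: `genSelfSignedCert` in the new `cryostat_tls_secret.yaml` is re-evaluated on every render, so each `helm upgrade` produces a fresh key pair, and with `immutable: true` on the Secret the API server will reject the changed `data` — upgrades of a release with this option enabled will presumably fail (and without `immutable` every upgrade would silently rotate the key and invalidate any fingerprint a user has pinned). Reusing an existing Secret's data via `lookup` and only generating when none is found avoids both; `lookup` returns an empty value under `helm template` and `--dry-run`, so unit tests still exercise the generation path. The certificate is also generated with `nil` IP and DNS SAN lists, so it carries only a CN of the chart fullname and will not match any hostname for clients that require SANs; that is workable for a pinned port-forward use but should be stated in the values.yaml `@param` description. Lastly, `type: Opaque` with `CERT`/`KEY` keys could be `type: kubernetes.io/tls` with `tls.crt`/`tls.key` so standard tooling recognises the Secret.
```yaml
{{- $secretName := printf "%s-oauth2proxy-tls" .Release.Name }}
{{- $existing := lookup "v1" "Secret" .Release.Namespace $secretName }}
{{- $cert := genSelfSignedCert $fullName nil nil 365 }}
# … unchanged: apiVersion, kind, metadata, type, immutable …
data:
  {{- if and $existing $existing.data }}
  CERT: {{ index $existing.data "CERT" }}
  KEY: {{ index $existing.data "KEY" }}
  {{- else }}
  CERT: {{ $cert.Cert | b64enc }}
  KEY: {{ $cert.Key | b64enc }}
  {{- end }}
```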
@@ -39,7 +39,7 @@ kubectl -n {{ .Release.Namespace }} wait --for=condition=available --timeout=60s deploy/{{ include "cryostat.deploymentName" . }} export SVC_NAME=$(kubectl get services -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") -{{- if .Values.oauth2Proxy.service.tls.enableSelfSigned }} +{{- if or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.enableSelfSigned }} kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8443:cryostat-https {{- else }} kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8080:cryostat-http @@ -63,6 +63,6 @@ {{- else if contains "LoadBalancer" .Values.core.service.type }} echo http://$SERVICE_IP:{{ .Values.core.service.httpPort }} {{- else if contains "ClusterIP" .Values.core.service.type }} - {{ ternary "https" "http" .Values.oauth2Proxy.service.tls.enableSelfSigned }}://localhost:{{ ternary "8443" "8080" .Values.oauth2Proxy.service.tls.enableSelfSigned }} + {{ ternary "https" "http" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.enableSelfSigned) }}://localhost:{{ ternary "8443" "8080" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.enableSelfSigned) }} {{- end }} ``` From 67ad1f8011214a226084f8cea00f829cf1113fda Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 14 Nov 2024 15:18:00 -0500 Subject: [PATCH 03/17] cleanup --- charts/cryostat/templates/cryostat_deployment.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index 9e8c8562..920656bb 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml 
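Review bot: `.Values.authentication.openshift.enabled` is dereferenced without the safe-navigation parentheses that `cryostat_service.yaml` and `cryostat_tls_secret.yaml` use in this series (`(.Values.authentication.openshift).enabled`); if `authentication.openshift` ever evaluates to nil, the NOTES render would presumably fail with a nil-pointer error where those templates tolerate it. The same `or ...` expression is also written four times across the two hunks; binding it once near the top of the file, `{{- $useTLS := or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.service.tls.enableSelfSigned }}`, and using `{{ ternary "https" "http" $useTLS }}://localhost:{{ ternary "8443" "8080" $useTLS }}` keeps the port-forward and the URL from drifting apart. The NOTES.txt hunk of patch 06 carries the renamed form of the same pattern.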
@@ -215,8 +215,7 @@ spec: - name: {{ .Release.Name }}-proxy-tls secret: secretName: {{ .Release.Name }}-proxy-tls - {{- end }} - {{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.service.tls.enableSelfSigned)) }} + {{- else if .Values.oauth2Proxy.service.tls.enableSelfSigned }} - name: {{ .Release.Name }}-oauth2proxy-tls secret: secretName: {{ .Release.Name }}-oauth2proxy-tls From 9348fdbe792bcf406e363936e32fdd3d17f9530a Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 14 Nov 2024 15:20:08 -0500 Subject: [PATCH 04/17] tests --- charts/cryostat/tests/notes_test.yaml | 34 ++++++++++++++++++++++++--- 1 file changed, 31 insertions(+), 3 deletions(-) diff --git a/charts/cryostat/tests/notes_test.yaml b/charts/cryostat/tests/notes_test.yaml index 19c0c358..b75f744e 100644 --- a/charts/cryostat/tests/notes_test.yaml +++ b/charts/cryostat/tests/notes_test.yaml 
@@ -117,12 +117,40 @@ tests: No actions required with this configuration. ``` - 2. Forward local port to the application's pod: + 2. Forward local port to the application's service: ``` kubectl -n NAMESPACE wait --for=condition=available --timeout=60s deploy/RELEASE-NAME-cryostat-v4 - export POD_NAME=$(kubectl get pods -n NAMESPACE -l "app.kubernetes.io/name=cryostat,app.kubernetes.io/instance=RELEASE-NAME,app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") - kubectl -n NAMESPACE port-forward $POD_NAME 8080:http + export SVC_NAME=$(kubectl get services -n NAMESPACE -l "app.kubernetes.io/name=cryostat,app.kubernetes.io/instance=RELEASE-NAME,app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") + kubectl -n NAMESPACE port-forward svc/$SVC_NAME 8443:cryostat-https + ``` + + 3. Visit the application at: + ``` + https://localhost:8443 + ``` + + - it: should render correct notes for ClusterIP service without ingress or route and TLS disabled + set: + oauth2Proxy: + service: + tls: + enableSelfSigned: false + asserts: + - equalRaw: + value: | + + 1. Configure the application to serve external traffic: + ``` + No actions required with this configuration. + ``` + + 2. Forward local port to the application's service: + ``` + kubectl -n NAMESPACE wait --for=condition=available --timeout=60s deploy/RELEASE-NAME-cryostat-v4 + + export SVC_NAME=$(kubectl get services -n NAMESPACE -l "app.kubernetes.io/name=cryostat,app.kubernetes.io/instance=RELEASE-NAME,app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") + kubectl -n NAMESPACE port-forward svc/$SVC_NAME 8080:cryostat-http ``` 3. Visit the application at: From 08c2449b48c3012525aee68ade182de253583c97 Mon Sep 17 00:00:00 2001 
From: Andrew Azores Date: Thu, 14 Nov 2024 15:22:17 -0500 Subject: [PATCH 05/17] readme --- charts/cryostat/README.md | 17 +++++++++-------- charts/cryostat/values.schema.json | 15 +++++++++++++++ charts/cryostat/values.yaml | 1 + 3 files changed, 25 insertions(+), 8 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 62349214..eadec206 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -171,14 +171,15 @@ helm install cryostat ./charts/cryostat ### OAuth2 Proxy -| Name | Description | Value | -| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | -| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | -| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | -| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | -| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | -| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). 
| `{}` | +| Name | Description | Value | +| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | +| `oauth2Proxy.service.tls.enableSelfSigned` | Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. | `true` | +| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | +| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | +| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). | `{}` | ### OpenShift OAuth Proxy diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 88c3baf7..d654e37b 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json 
@@ -759,6 +759,21 @@ } } }, + "service": { + "type": "object", + "properties": { + "tls": { + "type": "object", + "properties": { + "enableSelfSigned": { + "type": "boolean", + "description": "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.", + "default": true + } + } + } + } + }, "resources": { "type": "object", "properties": { diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 8fdce6e8..35b753ab 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml @@ -275,6 +275,7 @@ oauth2Proxy: tag: "latest" service: tls: + ## @param oauth2Proxy.service.tls.enableSelfSigned Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. enableSelfSigned: true resources: requests: From b22bbd10e485ca4a65067e754241040ce8dc5758 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 14 Nov 2024 16:04:18 -0500 Subject: [PATCH 06/17] rename property, disable by default --- charts/cryostat/README.md | 18 +++++++++--------- charts/cryostat/templates/NOTES.txt | 4 ++-- charts/cryostat/templates/_oauth2Proxy.tpl | 2 +- charts/cryostat/templates/alpha_config.yaml | 2 +- .../templates/cryostat_deployment.yaml | 2 +- .../cryostat/templates/cryostat_service.yaml | 2 +- .../templates/cryostat_tls_secret.yaml | 2 +- .../templates/tests/test-core-connection.yaml | 1 + .../tests/test-grafana-connection.yaml | 1 + charts/cryostat/tests/notes_test.yaml | 11 +++++++++-- charts/cryostat/values.schema.json | 13 +++++++++---- charts/cryostat/values.yaml | 5 +++-- 12 files changed, 39 insertions(+), 24 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index eadec206..0d3a10e3 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -171,15 +171,15 @@ helm install cryostat ./charts/cryostat ### OAuth2 Proxy -| Name | Description | Value | -| ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | -| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | -| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | -| `oauth2Proxy.service.tls.enableSelfSigned` | Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. | `true` | -| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | -| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | -| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). 
| `{}` | +| Name | Description | Value | +| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | +| `oauth2Proxy.service.tls.selfSigned.enabled` | Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. | `false` | +| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | +| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | +| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). | `{}` | ### OpenShift OAuth Proxy diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index c5c43614..c7c48d46 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt 
@@ -39,7 +39,7 @@ kubectl -n {{ .Release.Namespace }} wait --for=condition=available --timeout=60s deploy/{{ include "cryostat.deploymentName" . }} export SVC_NAME=$(kubectl get services -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") -{{- if or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.enableSelfSigned }} +{{- if or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled }} kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8443:cryostat-https {{- else }} kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8080:cryostat-http @@ -63,6 +63,6 @@ {{- else if contains "LoadBalancer" .Values.core.service.type }} echo http://$SERVICE_IP:{{ .Values.core.service.httpPort }} {{- else if contains "ClusterIP" .Values.core.service.type }} - {{ ternary "https" "http" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.enableSelfSigned) }}://localhost:{{ ternary "8443" "8080" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.enableSelfSigned) }} + {{ ternary "https" "http" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled) }}://localhost:{{ ternary "8443" "8080" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled) }} {{- end }} ``` diff --git a/charts/cryostat/templates/_oauth2Proxy.tpl b/charts/cryostat/templates/_oauth2Proxy.tpl index dc2f0ef6..e4b2a820 100644 --- a/charts/cryostat/templates/_oauth2Proxy.tpl +++ b/charts/cryostat/templates/_oauth2Proxy.tpl 
@@ -47,7 +47,7 @@ Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml mountPath: /etc/oauth2_proxy/basicauth readOnly: true {{- end }} - {{- if .Values.oauth2Proxy.service.tls.enableSelfSigned }} + {{- if .Values.oauth2Proxy.service.tls.selfSigned.enabled }} - name: {{ .Release.Name }}-oauth2proxy-tls mountPath: /etc/tls/private {{- end }} diff --git a/charts/cryostat/templates/alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml index 212f52c0..7e61c6f8 100644 --- a/charts/cryostat/templates/alpha_config.yaml +++ b/charts/cryostat/templates/alpha_config.yaml @@ -12,7 +12,7 @@ data: alpha_config.yaml: |- server: BindAddress: http://0.0.0.0:4180 - {{- if .Values.oauth2Proxy.service.tls.enableSelfSigned }} + {{- if .Values.oauth2Proxy.service.tls.selfSigned.enabled }} SecureBindAddress: https://0.0.0.0:8443 {{- end}} TLS: diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index 920656bb..03d2feef 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -215,7 +215,7 @@ spec: - name: {{ .Release.Name }}-proxy-tls secret: secretName: {{ .Release.Name }}-proxy-tls - {{- else if .Values.oauth2Proxy.service.tls.enableSelfSigned }} + {{- else if .Values.oauth2Proxy.service.tls.selfSigned.enabled }} - name: {{ .Release.Name }}-oauth2proxy-tls secret: secretName: {{ .Release.Name }}-oauth2proxy-tls diff --git a/charts/cryostat/templates/cryostat_service.yaml b/charts/cryostat/templates/cryostat_service.yaml index e7000640..86371dca 100644 --- a/charts/cryostat/templates/cryostat_service.yaml +++ b/charts/cryostat/templates/cryostat_service.yaml 
@@ -19,7 +19,7 @@ spec: protocol: TCP name: http appProtocol: http - {{- if or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.service.tls.enableSelfSigned }} + {{- if or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled }} - port: 443 targetPort: 8443 protocol: TCP diff --git a/charts/cryostat/templates/cryostat_tls_secret.yaml b/charts/cryostat/templates/cryostat_tls_secret.yaml index 4e59d333..a0d24407 100644 --- a/charts/cryostat/templates/cryostat_tls_secret.yaml +++ b/charts/cryostat/templates/cryostat_tls_secret.yaml @@ -1,4 +1,4 @@ -{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.service.tls.enableSelfSigned)) }} +{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.service.tls.selfSigned.enabled)) }} {{- $fullName := include "cryostat.fullname" . }} {{- $cert := genSelfSignedCert $fullName nil nil 365 }} apiVersion: v1 diff --git a/charts/cryostat/templates/tests/test-core-connection.yaml b/charts/cryostat/templates/tests/test-core-connection.yaml index 89242bd4..b3d5220f 100644 --- a/charts/cryostat/templates/tests/test-core-connection.yaml +++ b/charts/cryostat/templates/tests/test-core-connection.yaml @@ -5,6 +5,7 @@ metadata: labels: {{- include "cryostat.labels" . | nindent 4 }} app.kubernetes.io/component: test-core-connection + helm-test: cryostat annotations: "helm.sh/hook": test spec: diff --git a/charts/cryostat/templates/tests/test-grafana-connection.yaml b/charts/cryostat/templates/tests/test-grafana-connection.yaml index 9b68ad6b..3aeae40a 100644 --- a/charts/cryostat/templates/tests/test-grafana-connection.yaml +++ b/charts/cryostat/templates/tests/test-grafana-connection.yaml @@ -5,6 +5,7 @@ metadata: labels: {{- include "cryostat.labels" . | nindent 4 }} app.kubernetes.io/component: test-grafana-connection + helm-test: cryostat annotations: "helm.sh/hook": test spec: 
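Review bot: The `helm-test: cryostat` label added to `test-core-connection.yaml` and `test-grafana-connection.yaml` is an unprefixed key, whereas every other label on these pods comes from `cryostat.labels` under the `app.kubernetes.io/` prefix; unprefixed keys are conventionally reserved for end users, so a chart-owned selector key is better written under a chart prefix, e.g. `<chart-prefix>/helm-test: cryostat`. The change is also unrelated to the property rename this patch describes and its purpose is not visible here — presumably a selector for the test pods — so a short comment above the label or a sentence in the commit message would help the next reader.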
diff --git a/charts/cryostat/tests/notes_test.yaml b/charts/cryostat/tests/notes_test.yaml index b75f744e..5912df4b 100644 --- a/charts/cryostat/tests/notes_test.yaml +++ b/charts/cryostat/tests/notes_test.yaml @@ -107,7 +107,13 @@ tests: echo http://$SERVICE_IP:8181 ``` - - it: should render correct notes for ClusterIP service without ingress or route + - it: should render correct notes for ClusterIP service without ingress or route and TLS enabled + set: + oauth2Proxy: + service: + tls: + selfSigned: + enabled: true asserts: - equalRaw: value: | @@ -135,7 +141,8 @@ tests: oauth2Proxy: service: tls: - enableSelfSigned: false + selfSigned: + enabled: false asserts: - equalRaw: value: | diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index d654e37b..6e97d2b3 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -765,10 +765,15 @@ "tls": { "type": "object", "properties": { - "enableSelfSigned": { - "type": "boolean", - "description": "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.", - "default": true + "selfSigned": { + "type": "object", + "properties": { + "enabled": { + "type": "boolean", + "description": "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.", + "default": false + } + } } } } diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index 35b753ab..b5d3db71 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -275,8 +275,9 @@ oauth2Proxy: tag: "latest" service: tls: - ## @param oauth2Proxy.service.tls.enableSelfSigned Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. - enableSelfSigned: true + selfSigned: + ## @param oauth2Proxy.service.tls.selfSigned.enabled Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. + enabled: false resources: requests: ## @param oauth2Proxy.resources.requests.cpu CPU resource request for the OAuth2 Proxy container. From 18b080deb62126dc1b6a0ef309cb4b93fc60f2bf Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 14 Nov 2024 16:20:02 -0500 Subject: [PATCH 07/17] rename secret data keys, add test --- charts/cryostat/templates/alpha_config.yaml | 4 +- .../templates/cryostat_tls_secret.yaml | 4 +- .../tests/cryostat_tls_secret_test.yaml | 47 +++++++++++++++++++ 3 files changed, 51 insertions(+), 4 deletions(-) create mode 100644 charts/cryostat/tests/cryostat_tls_secret_test.yaml diff --git a/charts/cryostat/templates/alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml index 7e61c6f8..6655c001 100644 --- a/charts/cryostat/templates/alpha_config.yaml +++ b/charts/cryostat/templates/alpha_config.yaml @@ -17,9 +17,9 @@ data: {{- end}} TLS: Key: - fromFile: /etc/tls/private/KEY + fromFile: /etc/tls/private/key Cert: - fromFile: /etc/tls/private/CERT + fromFile: /etc/tls/private/cert upstreamConfig: proxyRawPath: true upstreams: diff --git a/charts/cryostat/templates/cryostat_tls_secret.yaml b/charts/cryostat/templates/cryostat_tls_secret.yaml index a0d24407..2e1354d5 100644 --- a/charts/cryostat/templates/cryostat_tls_secret.yaml +++ b/charts/cryostat/templates/cryostat_tls_secret.yaml @@ -10,6 +10,6 @@ metadata: type: Opaque immutable: true data: - CERT: {{ $cert.Cert | b64enc }} - KEY: {{ $cert.Key | b64enc }} + cert: {{ $cert.Cert | b64enc }} + key: {{ $cert.Key | b64enc }} {{- end -}} 
diff --git a/charts/cryostat/tests/cryostat_tls_secret_test.yaml b/charts/cryostat/tests/cryostat_tls_secret_test.yaml new file mode 100644 index 00000000..4613e5a7 --- /dev/null +++ b/charts/cryostat/tests/cryostat_tls_secret_test.yaml @@ -0,0 +1,47 @@ +suite: test cryostat_tls_secret.yaml +templates: + - cryostat_tls_secret.yaml + +tests: + - it: should create a TLS cert secret if oauth2Proxy.service.tls.selfSigned.enabled is set + set: + oauth2Proxy: + service: + tls: + selfSigned: + enabled: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Secret + - equal: + path: metadata.name + value: RELEASE-NAME-oauth2proxy-tls + - equal: + path: type + value: Opaque + - exists: + path: data.key + - exists: + path: data.cert + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: 4.0.0-dev + helm.sh/chart: cryostat-2.0.0-dev + + - it: should not create a TLS cert secret if oauth2Proxy.service.tls.selfSigned.enabled is not set + set: + oauth2Proxy: + service: + tls: + selfSigned: + enabled: false + asserts: + - hasDocuments: + count: 0 From 0ec750073a2292416a8185af145931bede3a0da1 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 14 Nov 2024 16:32:16 -0500 Subject: [PATCH 08/17] tests --- charts/cryostat/tests/alpha_config_test.yaml | 17 +++++ .../tests/cryostat_deployment_test.yaml | 19 ++++++ .../cryostat/tests/cryostat_service_test.yaml | 65 ++++++++++++++++++- 3 files changed, 100 insertions(+), 1 deletion(-) diff --git a/charts/cryostat/tests/alpha_config_test.yaml b/charts/cryostat/tests/alpha_config_test.yaml index 7b5e6f1f..f41d73dc 100644 --- a/charts/cryostat/tests/alpha_config_test.yaml +++ b/charts/cryostat/tests/alpha_config_test.yaml 
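Review bot: The template's guard is `and (not (.Values.authentication.openshift).enabled) (... selfSigned.enabled)`, but the new suite only toggles `selfSigned.enabled`; the branch where OpenShift authentication is on and the option is also on — which must yield no document, since the OpenShift path mounts its own serving-cert Secret — is untested. A third case setting both and asserting `hasDocuments: count: 0` covers it. The `exists` checks on `data.key` and `data.cert` also only prove the keys are present, not that they hold base64 PEM; a `matchRegex` on the decoded content would be stronger if the test framework allows it, otherwise this is fine.
```yaml
# … unchanged: suite header and the two existing cases …
  - it: should not create a TLS cert secret when OpenShift authentication is enabled
    set:
      authentication:
        openshift:
          enabled: true
      oauth2Proxy:
        service:
          tls:
            selfSigned:
              enabled: true
    asserts:
      - hasDocuments:
          count: 0
```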
@@ -18,6 +18,23 @@ tests: path: data['alpha_config.yaml'] pattern: "providers:\\s*- id: dummy\\s*name: Unused - Sign In Below\\s*clientId: CLIENT_ID\\s*clientSecret: CLIENT_SECRET\\s*provider: google" + - it: should create configmap with correct alpha configurations when self-signed TLS is enabled + set: + oauth2Proxy.service.tls.selfSigned.enabled: true + asserts: + - matchRegex: + path: data['alpha_config.yaml'] + pattern: "server:\\s*BindAddress: http://0.0.0.0:4180\\s*SecureBindAddress: https://0.0.0.0:8443" + - matchRegex: + path: data['alpha_config.yaml'] + pattern: "upstreamConfig:\\s*proxyRawPath: true\\s*upstreams:\\s*- id: cryostat\\s*path: /\\s*uri: http://localhost:8181" + - matchRegex: + path: data['alpha_config.yaml'] + pattern: "- id: grafana\\s*path: /grafana/\\s*uri: http://localhost:3000" + - matchRegex: + path: data['alpha_config.yaml'] + pattern: "providers:\\s*- id: dummy\\s*name: Unused - Sign In Below\\s*clientId: CLIENT_ID\\s*clientSecret: CLIENT_SECRET\\s*provider: google" + - it: should not create alpha_config when openshift authentication is enabled set: authentication: diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml index 0548fc79..46fa6fc1 100644 --- a/charts/cryostat/tests/cryostat_deployment_test.yaml +++ b/charts/cryostat/tests/cryostat_deployment_test.yaml 
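Review bot: The new case asserts that `SecureBindAddress` appears when self-signed TLS is enabled, but the default case (defined above this hunk) does not assert that it is absent, so a regression that rendered the HTTPS listener unconditionally would pass both. Add to the default case's asserts `- notMatchRegex:` with `path: data['alpha_config.yaml']` and `pattern: "SecureBindAddress"`. While adding it, note that the `TLS:` `fromFile` entries are rendered regardless of the option in the template as it stands, so an assertion on their absence would currently fail and is worth confirming against the intended behaviour.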
@@ -416,11 +416,30 @@ tests: - it: should validate volumes and volume mounts asserts: + - lengthEqual: + count: 1 + path: spec.template.spec.volumes - exists: path: spec.template.spec.volumes[?(@.name=='alpha-config')] - exists: path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].volumeMounts[?(@.mountPath=='/etc/oauth2_proxy/alpha_config')] + - it: should validate volumes and volume mounts with oauth2-proxy self-signed TLS enabled + set: + oauth2Proxy.service.tls.selfSigned.enabled: true + asserts: + - lengthEqual: + count: 2 + path: spec.template.spec.volumes + - exists: + path: spec.template.spec.volumes[?(@.name=='alpha-config')] + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].volumeMounts[?(@.mountPath=='/etc/oauth2_proxy/alpha_config')] + - exists: + path: spec.template.spec.volumes[?(@.name=='RELEASE-NAME-oauth2proxy-tls')] + - exists: + path: spec.template.spec.containers[?(@.name=='cryostat-authproxy')].volumeMounts[?(@.mountPath=='/etc/tls/private')] + - it: should set image pull secrets if specified set: imagePullSecrets: diff --git a/charts/cryostat/tests/cryostat_service_test.yaml b/charts/cryostat/tests/cryostat_service_test.yaml index f051287e..510d32c3 100644 --- a/charts/cryostat/tests/cryostat_service_test.yaml +++ b/charts/cryostat/tests/cryostat_service_test.yaml @@ -20,6 +20,9 @@ tests: - equal: path: spec.type value: ClusterIP + - lengthEqual: + path: spec.ports + count: 1 - equal: path: spec.ports[0].port value: 8080 @@ -61,6 +64,9 @@ tests: - equal: path: spec.type value: ClusterIP + - lengthEqual: + path: spec.ports + count: 2 - equal: path: spec.ports[0].port value: 8181 @@ -109,7 +115,6 @@ tests: path: metadata.annotations value: service.alpha.openshift.io/serving-cert-secret-name: RELEASE-NAME-proxy-tls - - it: should include OpenShift specific annotations when OpenShift auth is enabled set: 
@@ -128,3 +133,61 @@ tests: asserts: - notExists: path: metadata.annotations.`service.alpha.openshift.io/serving-cert-secret-name` + + - it: should create a Service with the correct settings when oauth2-proxy self-signed TLS is enabled + set: + oauth2Proxy.service.tls.selfSigned.enabled: true + asserts: + - hasDocuments: + count: 1 + - equal: + path: kind + value: Service + - equal: + path: metadata.name + value: RELEASE-NAME-cryostat + - equal: + path: spec.type + value: ClusterIP + - lengthEqual: + path: spec.ports + count: 2 + - equal: + path: spec.ports[0].port + value: 8181 + - equal: + path: spec.ports[0].targetPort + value: 4180 + - equal: + path: spec.ports[0].protocol + value: TCP + - equal: + path: spec.ports[0].name + value: cryostat-http + - equal: + path: spec.ports[1].port + value: 443 + - equal: + path: spec.ports[1].targetPort + value: 8443 + - equal: + path: spec.ports[1].protocol + value: TCP + - equal: + path: spec.ports[1].name + value: cryostat-https + - equal: + path: spec.selector + value: + app.kubernetes.io/name: cryostat + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/component: cryostat + - equal: + path: metadata.labels + value: + app.kubernetes.io/instance: RELEASE-NAME + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: cryostat + app.kubernetes.io/version: "4.0.0-dev" + helm.sh/chart: cryostat-2.0.0-dev + app.kubernetes.io/component: cryostat From 332d928f142e7cc653ecf7043e91acf789dba073 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 21 Nov 2024 11:23:23 -0500 Subject: [PATCH 09/17] update port names --- charts/cryostat/templates/NOTES.txt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index c7c48d46..a7de8c14 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt 
@@ -40,9 +40,9 @@ export SVC_NAME=$(kubectl get services -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") {{- if or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled }} - kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8443:cryostat-https + kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8443:https {{- else }} - kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8080:cryostat-http + kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8080:http {{- end }} ``` {{- $listNum = add1 $listNum }} From 45e24cb4ebe89ae983f8c62eb83bd32eaf32575d Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Thu, 21 Nov 2024 11:31:09 -0500 Subject: [PATCH 10/17] test fixup --- charts/cryostat/tests/cryostat_service_test.yaml | 6 ++++-- charts/cryostat/tests/cryostat_tls_secret_test.yaml | 1 + charts/cryostat/tests/notes_test.yaml | 4 ++-- 3 files changed, 7 insertions(+), 4 deletions(-) diff --git a/charts/cryostat/tests/cryostat_service_test.yaml b/charts/cryostat/tests/cryostat_service_test.yaml index 510d32c3..95bda5c9 100644 --- a/charts/cryostat/tests/cryostat_service_test.yaml +++ b/charts/cryostat/tests/cryostat_service_test.yaml @@ -163,7 +163,7 @@ tests: value: TCP - equal: path: spec.ports[0].name - value: cryostat-http + value: http - equal: path: spec.ports[1].port value: 443 @@ -175,11 +175,12 @@ tests: value: TCP - equal: path: spec.ports[1].name - value: cryostat-https + value: https - equal: path: spec.selector value: app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/component: cryostat - equal: 
@@ -188,6 +189,7 @@ tests: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat app.kubernetes.io/version: "4.0.0-dev" helm.sh/chart: cryostat-2.0.0-dev app.kubernetes.io/component: cryostat diff --git a/charts/cryostat/tests/cryostat_tls_secret_test.yaml b/charts/cryostat/tests/cryostat_tls_secret_test.yaml index 4613e5a7..c3b8bdaf 100644 --- a/charts/cryostat/tests/cryostat_tls_secret_test.yaml +++ b/charts/cryostat/tests/cryostat_tls_secret_test.yaml @@ -32,6 +32,7 @@ tests: app.kubernetes.io/instance: RELEASE-NAME app.kubernetes.io/managed-by: Helm app.kubernetes.io/name: cryostat + app.kubernetes.io/part-of: cryostat app.kubernetes.io/version: 4.0.0-dev helm.sh/chart: cryostat-2.0.0-dev diff --git a/charts/cryostat/tests/notes_test.yaml b/charts/cryostat/tests/notes_test.yaml index 5912df4b..1e791eba 100644 --- a/charts/cryostat/tests/notes_test.yaml +++ b/charts/cryostat/tests/notes_test.yaml @@ -128,7 +128,7 @@ tests: kubectl -n NAMESPACE wait --for=condition=available --timeout=60s deploy/RELEASE-NAME-cryostat-v4 export SVC_NAME=$(kubectl get services -n NAMESPACE -l "app.kubernetes.io/name=cryostat,app.kubernetes.io/instance=RELEASE-NAME,app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") - kubectl -n NAMESPACE port-forward svc/$SVC_NAME 8443:cryostat-https + kubectl -n NAMESPACE port-forward svc/$SVC_NAME 8443:https ``` 3. Visit the application at: 
@@ -157,7 +157,7 @@ tests: kubectl -n NAMESPACE wait --for=condition=available --timeout=60s deploy/RELEASE-NAME-cryostat-v4 export SVC_NAME=$(kubectl get services -n NAMESPACE -l "app.kubernetes.io/name=cryostat,app.kubernetes.io/instance=RELEASE-NAME,app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") - kubectl -n NAMESPACE port-forward svc/$SVC_NAME 8080:cryostat-http + kubectl -n NAMESPACE port-forward svc/$SVC_NAME 8080:http ``` 3. Visit the application at: From 80fedeb0629c51ed45307fca19d111c7e203353f Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 22 Nov 2024 10:22:05 -0500 Subject: [PATCH 11/17] only configure TLS if enabled --- charts/cryostat/templates/alpha_config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/cryostat/templates/alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml index 6655c001..e704f9bf 100644 --- a/charts/cryostat/templates/alpha_config.yaml +++ b/charts/cryostat/templates/alpha_config.yaml @@ -14,12 +14,12 @@ data: BindAddress: http://0.0.0.0:4180 {{- if .Values.oauth2Proxy.service.tls.selfSigned.enabled }} SecureBindAddress: https://0.0.0.0:8443 - {{- end}} TLS: Key: fromFile: /etc/tls/private/key Cert: fromFile: /etc/tls/private/cert + {{- end}} upstreamConfig: proxyRawPath: true upstreams: From 0e41a2250982c120bd24161ada4551f488e3de6b Mon Sep 17 00:00:00 2001 
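Review bot: With `selfSigned.enabled` the HTTPS listener is added but `BindAddress: http://0.0.0.0:4180` stays bound on all interfaces, and the Service (see the `cryostat_service.yaml` context later in this series) keeps publishing it as the `http` port next to the new `https` one, so any workload that can reach the Service can still use the proxy without TLS. If the option is meant to require TLS rather than merely offer it, render `BindAddress: http://127.0.0.1:4180` (or omit the plaintext Service port) when TLS is on — after confirming that nothing visible elsewhere in the chart (probes, Route/Ingress backends) depends on the plaintext port, which this hunk does not show. At minimum the README TLS section should say that the plaintext listener remains enabled alongside HTTPS.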
From: Andrew Azores Date: Fri, 22 Nov 2024 10:27:45 -0500 Subject: [PATCH 12/17] remove 'service' property layer --- charts/cryostat/README.md | 18 +++++++++--------- charts/cryostat/templates/NOTES.txt | 4 ++-- charts/cryostat/templates/_oauth2Proxy.tpl | 2 +- charts/cryostat/templates/alpha_config.yaml | 2 +- .../templates/cryostat_deployment.yaml | 2 +- .../cryostat/templates/cryostat_service.yaml | 2 +- .../templates/cryostat_tls_secret.yaml | 2 +- charts/cryostat/tests/alpha_config_test.yaml | 2 +- .../tests/cryostat_deployment_test.yaml | 2 +- .../cryostat/tests/cryostat_service_test.yaml | 2 +- .../tests/cryostat_tls_secret_test.yaml | 18 ++++++++---------- charts/cryostat/tests/notes_test.yaml | 14 ++++++-------- charts/cryostat/values.schema.json | 17 ++++++----------- charts/cryostat/values.yaml | 9 ++++----- 14 files changed, 43 insertions(+), 53 deletions(-) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index 0d3a10e3..c2a416f3 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
@@ -171,15 +171,15 @@ helm install cryostat ./charts/cryostat ### OAuth2 Proxy -| Name | Description | Value | -| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | -| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | -| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | -| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | -| `oauth2Proxy.service.tls.selfSigned.enabled` | Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. | `false` | -| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | -| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | -| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). 
| `{}` | +| Name | Description | Value | +| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | +| `oauth2Proxy.image.repository` | Repository for the OAuth2 Proxy container image | `quay.io/oauth2-proxy/oauth2-proxy` | +| `oauth2Proxy.image.pullPolicy` | Image pull policy for the OAuth2 Proxy container image | `Always` | +| `oauth2Proxy.image.tag` | Tag for the OAuth2 Proxy container image | `latest` | +| `oauth2Proxy.tls.selfSigned.enabled` | Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. | `false` | +| `oauth2Proxy.resources.requests.cpu` | CPU resource request for the OAuth2 Proxy container. | `25m` | +| `oauth2Proxy.resources.requests.memory` | Memory resource request for the OAuth2 Proxy container. | `64Mi` | +| `oauth2Proxy.securityContext` | Security Context for the OAuth2 Proxy container. Defaults to meet "restricted" [Pod Security Standard](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted). See: [SecurityContext](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context-1). | `{}` | ### OpenShift OAuth Proxy diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index a7de8c14..fa9375aa 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt 
@@ -39,7 +39,7 @@ kubectl -n {{ .Release.Namespace }} wait --for=condition=available --timeout=60s deploy/{{ include "cryostat.deploymentName" . }} export SVC_NAME=$(kubectl get services -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") -{{- if or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled }} +{{- if or .Values.authentication.openshift.enabled .Values.oauth2Proxy.tls.selfSigned.enabled }} kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8443:https {{- else }} kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8080:http @@ -63,6 +63,6 @@ {{- else if contains "LoadBalancer" .Values.core.service.type }} echo http://$SERVICE_IP:{{ .Values.core.service.httpPort }} {{- else if contains "ClusterIP" .Values.core.service.type }} - {{ ternary "https" "http" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled) }}://localhost:{{ ternary "8443" "8080" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled) }} + {{ ternary "https" "http" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.tls.selfSigned.enabled) }}://localhost:{{ ternary "8443" "8080" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.tls.selfSigned.enabled) }} {{- end }} ``` diff --git a/charts/cryostat/templates/_oauth2Proxy.tpl b/charts/cryostat/templates/_oauth2Proxy.tpl index e4b2a820..db3fc6b9 100644 --- a/charts/cryostat/templates/_oauth2Proxy.tpl +++ b/charts/cryostat/templates/_oauth2Proxy.tpl 
@@ -47,7 +47,7 @@ Create OAuth2 Proxy container. Configurations defined in alpha_config.yaml mountPath: /etc/oauth2_proxy/basicauth readOnly: true {{- end }} - {{- if .Values.oauth2Proxy.service.tls.selfSigned.enabled }} + {{- if .Values.oauth2Proxy.tls.selfSigned.enabled }} - name: {{ .Release.Name }}-oauth2proxy-tls mountPath: /etc/tls/private {{- end }} diff --git a/charts/cryostat/templates/alpha_config.yaml b/charts/cryostat/templates/alpha_config.yaml index e704f9bf..63094fe4 100644 --- a/charts/cryostat/templates/alpha_config.yaml +++ b/charts/cryostat/templates/alpha_config.yaml @@ -12,7 +12,7 @@ data: alpha_config.yaml: |- server: BindAddress: http://0.0.0.0:4180 - {{- if .Values.oauth2Proxy.service.tls.selfSigned.enabled }} + {{- if .Values.oauth2Proxy.tls.selfSigned.enabled }} SecureBindAddress: https://0.0.0.0:8443 TLS: Key: diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index 03d2feef..c759628c 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -215,7 +215,7 @@ spec: - name: {{ .Release.Name }}-proxy-tls secret: secretName: {{ .Release.Name }}-proxy-tls - {{- else if .Values.oauth2Proxy.service.tls.selfSigned.enabled }} + {{- else if .Values.oauth2Proxy.tls.selfSigned.enabled }} - name: {{ .Release.Name }}-oauth2proxy-tls secret: secretName: {{ .Release.Name }}-oauth2proxy-tls diff --git a/charts/cryostat/templates/cryostat_service.yaml b/charts/cryostat/templates/cryostat_service.yaml index 86371dca..7cf7b61c 100644 --- a/charts/cryostat/templates/cryostat_service.yaml +++ b/charts/cryostat/templates/cryostat_service.yaml 
@@ -19,7 +19,7 @@ spec: protocol: TCP name: http appProtocol: http - {{- if or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.service.tls.selfSigned.enabled }} + {{- if or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.tls.selfSigned.enabled }} - port: 443 targetPort: 8443 protocol: TCP diff --git a/charts/cryostat/templates/cryostat_tls_secret.yaml b/charts/cryostat/templates/cryostat_tls_secret.yaml index 2e1354d5..13fea26d 100644 --- a/charts/cryostat/templates/cryostat_tls_secret.yaml +++ b/charts/cryostat/templates/cryostat_tls_secret.yaml @@ -1,4 +1,4 @@ -{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.service.tls.selfSigned.enabled)) }} +{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.tls.selfSigned.enabled)) }} {{- $fullName := include "cryostat.fullname" . }} {{- $cert := genSelfSignedCert $fullName nil nil 365 }} apiVersion: v1 diff --git a/charts/cryostat/tests/alpha_config_test.yaml b/charts/cryostat/tests/alpha_config_test.yaml index f41d73dc..c0312ad3 100644 --- a/charts/cryostat/tests/alpha_config_test.yaml +++ b/charts/cryostat/tests/alpha_config_test.yaml @@ -20,7 +20,7 @@ tests: - it: should create configmap with correct alpha configurations when self-signed TLS is enabled set: - oauth2Proxy.service.tls.selfSigned.enabled: true + oauth2Proxy.tls.selfSigned.enabled: true asserts: - matchRegex: path: data['alpha_config.yaml'] diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml index 46fa6fc1..49771225 100644 --- a/charts/cryostat/tests/cryostat_deployment_test.yaml +++ b/charts/cryostat/tests/cryostat_deployment_test.yaml @@ -426,7 +426,7 @@ tests: - it: should validate volumes and volume mounts with oauth2-proxy self-signed TLS enabled set: - oauth2Proxy.service.tls.selfSigned.enabled: true + oauth2Proxy.tls.selfSigned.enabled: true asserts: - lengthEqual: count: 2 
diff --git a/charts/cryostat/tests/cryostat_service_test.yaml b/charts/cryostat/tests/cryostat_service_test.yaml index 95bda5c9..1279ab2c 100644 --- a/charts/cryostat/tests/cryostat_service_test.yaml +++ b/charts/cryostat/tests/cryostat_service_test.yaml @@ -136,7 +136,7 @@ tests: - it: should create a Service with the correct settings when oauth2-proxy self-signed TLS is enabled set: - oauth2Proxy.service.tls.selfSigned.enabled: true + oauth2Proxy.tls.selfSigned.enabled: true asserts: - hasDocuments: count: 1 diff --git a/charts/cryostat/tests/cryostat_tls_secret_test.yaml b/charts/cryostat/tests/cryostat_tls_secret_test.yaml index c3b8bdaf..dc4e918d 100644 --- a/charts/cryostat/tests/cryostat_tls_secret_test.yaml +++ b/charts/cryostat/tests/cryostat_tls_secret_test.yaml @@ -3,13 +3,12 @@ templates: - cryostat_tls_secret.yaml tests: - - it: should create a TLS cert secret if oauth2Proxy.service.tls.selfSigned.enabled is set + - it: should create a TLS cert secret if oauth2Proxy.tls.selfSigned.enabled is set set: oauth2Proxy: - service: - tls: - selfSigned: - enabled: true + tls: + selfSigned: + enabled: true asserts: - hasDocuments: count: 1 @@ -36,13 +35,12 @@ tests: app.kubernetes.io/version: 4.0.0-dev helm.sh/chart: cryostat-2.0.0-dev - - it: should not create a TLS cert secret if oauth2Proxy.service.tls.selfSigned.enabled is not set + - it: should not create a TLS cert secret if oauth2Proxy.tls.selfSigned.enabled is not set set: oauth2Proxy: - service: - tls: - selfSigned: - enabled: false + tls: + selfSigned: + enabled: false asserts: - hasDocuments: count: 0 diff --git a/charts/cryostat/tests/notes_test.yaml b/charts/cryostat/tests/notes_test.yaml index 1e791eba..dfaf5259 100644 --- a/charts/cryostat/tests/notes_test.yaml +++ b/charts/cryostat/tests/notes_test.yaml 
@@ -110,10 +110,9 @@ tests: - it: should render correct notes for ClusterIP service without ingress or route and TLS enabled set: oauth2Proxy: - service: - tls: - selfSigned: - enabled: true + tls: + selfSigned: + enabled: true asserts: - equalRaw: value: | @@ -139,10 +138,9 @@ tests: - it: should render correct notes for ClusterIP service without ingress or route and TLS disabled set: oauth2Proxy: - service: - tls: - selfSigned: - enabled: false + tls: + selfSigned: + enabled: false asserts: - equalRaw: value: | diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json index 6e97d2b3..ba099d70 100644 --- a/charts/cryostat/values.schema.json +++ b/charts/cryostat/values.schema.json @@ -759,21 +759,16 @@ } } }, - "service": { + "tls": { "type": "object", "properties": { - "tls": { + "selfSigned": { "type": "object", "properties": { - "selfSigned": { - "type": "object", - "properties": { - "enabled": { - "type": "boolean", - "description": "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.", - "default": false - } - } + "enabled": { + "type": "boolean", + "description": "Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used.", + "default": false } } } diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml index b5d3db71..a2511e1b 100644 --- a/charts/cryostat/values.yaml +++ b/charts/cryostat/values.yaml 
@@ -273,11 +273,10 @@ oauth2Proxy: pullPolicy: Always ## @param oauth2Proxy.image.tag Tag for the OAuth2 Proxy container image tag: "latest" - service: - tls: - selfSigned: - ## @param oauth2Proxy.service.tls.selfSigned.enabled Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. - enabled: false + tls: + selfSigned: + ## @param oauth2Proxy.tls.selfSigned.enabled Whether a self-signed TLS certificate for oauth2-proxy HTTPS is generated and used. + enabled: false resources: requests: ## @param oauth2Proxy.resources.requests.cpu CPU resource request for the OAuth2 Proxy container. From cfb739ee16287873d7a6ccabb3035454bd704bd1 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 22 Nov 2024 13:50:46 -0500 Subject: [PATCH 13/17] enable self-signed TLS on reports oauth2proxy --- .../cryostat/templates/_reports_authproxy.tpl | 56 +++++++++++++++++++ .../templates/cryostat_deployment.yaml | 2 +- .../templates/reports_deployment.yaml | 4 ++ .../cryostat/templates/reports_service.yaml | 2 +- .../templates/reports_tls_secret.yaml | 15 +++++ 5 files changed, 77 insertions(+), 2 deletions(-) create mode 100644 charts/cryostat/templates/reports_tls_secret.yaml diff --git a/charts/cryostat/templates/_reports_authproxy.tpl b/charts/cryostat/templates/_reports_authproxy.tpl index 41840778..90292e70 100644 --- a/charts/cryostat/templates/_reports_authproxy.tpl +++ b/charts/cryostat/templates/_reports_authproxy.tpl 
@@ -45,6 +45,62 @@ readOnly: true terminationMessagePath: /dev/termination-log terminationMessagePolicy: File +{{- else if .Values.oauth2Proxy.tls.selfSigned.enabled }} +- name: {{ printf "%s-reports-%s" .Chart.Name "authproxy" }} + securityContext: + {{- toYaml (.Values.oauth2Proxy).securityContext | nindent 4 }} + image: "{{ (.Values.oauth2Proxy).image.repository }}:{{ (.Values.oauth2Proxy).image.tag }}" + imagePullPolicy: {{ (.Values.oauth2Proxy).image.pullPolicy }} + env: + - name: OAUTH2_PROXY_CLIENT_ID + value: dummy + - name: OAUTH2_PROXY_CLIENT_SECRET + value: none + - name: OAUTH2_PROXY_HTTP_ADDRESS + value: 0.0.0.0:4180 + - name: OAUTH2_PROXY_HTTPS_ADDRESS + value: :8443 + - name: OAUTH2_PROXY_TLS_CERT_FILE + value: /etc/tls/private/cert + - name: OAUTH2_PROXY_TLS_KEY_FILE + value: /etc/tls/private/key + - name: OAUTH2_PROXY_UPSTREAMS + value: http://localhost:10001/ + - name: OAUTH2_PROXY_REDIRECT_URL + value: "http://localhost:4180/oauth2/callback" + - name: OAUTH2_PROXY_COOKIE_SECRET + valueFrom: + secretKeyRef: + name: {{ default (printf "%s-cookie-secret" .Release.Name) .Values.authentication.cookieSecretName }} + key: COOKIE_SECRET + optional: false + - name: OAUTH2_PROXY_EMAIL_DOMAINS + value: "*" + - name: OAUTH2_PROXY_HTPASSWD_USER_GROUP + value: write + - name: OAUTH2_PROXY_HTPASSWD_FILE + value: /etc/oauth2_proxy/basicauth/htpasswd + - name: OAUTH2_PROXY_SKIP_AUTH_ROUTES + value: "^/health$" + - name: OAUTH2_PROXY_PROXY_WEBSOCKETS + value: "false" + ports: + - containerPort: 4180 + name: http + protocol: TCP + - containerPort: 8443 + name: https + protocol: TCP + resources: + {{- toYaml .Values.oauth2Proxy.resources | nindent 4 }} + volumeMounts: + - name: {{ .Release.Name }}-reports-secret + mountPath: /etc/oauth2_proxy/basicauth + readOnly: true + {{- if .Values.oauth2Proxy.tls.selfSigned.enabled }} + - name: {{ .Release.Name }}-oauth2proxy-reports-tls + mountPath: /etc/tls/private + {{- end }} {{- else }} - name: {{ printf "%s-reports-%s" 
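Review bot: The inner `{{- if .Values.oauth2Proxy.tls.selfSigned.enabled }}` around the `-oauth2proxy-reports-tls` mount is always true inside this branch (the branch itself is the `else if` on the same value), so it can be dropped, and the mount should carry `readOnly: true` like the `basicauth` mount above it (the kubelet mounts Secret volumes read-only regardless, but the explicit flag keeps the two mounts consistent). The branch is otherwise a near-verbatim copy of the plain oauth2-proxy container in the `else` branch, which starts outside this hunk, so the `OAUTH2_PROXY_HTTPS_ADDRESS`, `OAUTH2_PROXY_TLS_CERT_FILE` and `OAUTH2_PROXY_TLS_KEY_FILE` entries, the 8443 `containerPort` and the volume mount would be better expressed as conditionals inside that single definition than as a second ~50-line block that must be kept in sync by hand. `OAUTH2_PROXY_REDIRECT_URL` also stays `http://localhost:4180/oauth2/callback` in the TLS branch; presumably harmless with the dummy provider, but a one-line comment saying so would stop the next reader from "fixing" it to the HTTPS port.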
.Chart.Name "authproxy" }} securityContext: diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml index c759628c..76db1b50 100644 --- a/charts/cryostat/templates/cryostat_deployment.yaml +++ b/charts/cryostat/templates/cryostat_deployment.yaml @@ -75,7 +75,7 @@ spec: - name: QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST value: "false" - name: QUARKUS_REST_CLIENT_REPORTS_URL - value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (ternary "https" "http" (.Values.authentication.openshift).enabled) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }} + value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (ternary "https" "http" (or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.tls.selfSigned.enabled)) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }} {{- end }} - name: QUARKUS_DATASOURCE_USERNAME value: cryostat diff --git a/charts/cryostat/templates/reports_deployment.yaml b/charts/cryostat/templates/reports_deployment.yaml index 05c846dc..1ad5acac 100644 --- a/charts/cryostat/templates/reports_deployment.yaml +++ b/charts/cryostat/templates/reports_deployment.yaml @@ -83,5 +83,9 @@ spec: - name: {{ .Release.Name }}-proxy-tls secret: secretName: {{ .Release.Name }}-proxy-tls + {{- else if .Values.oauth2Proxy.tls.selfSigned.enabled }} + - name: {{ .Release.Name }}-oauth2proxy-reports-tls + secret: + secretName: {{ .Release.Name }}-oauth2proxy-reports-tls {{- end }} {{- end -}} diff --git a/charts/cryostat/templates/reports_service.yaml b/charts/cryostat/templates/reports_service.yaml index 5ebb9be3..6ab4aadc 100644 --- a/charts/cryostat/templates/reports_service.yaml +++ b/charts/cryostat/templates/reports_service.yaml 
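Review bot: `QUARKUS_REST_CLIENT_REPORTS_URL` now uses `https` when the self-signed option is on, but nothing in this hunk gives the core container a way to trust the certificate that `reports_tls_secret.yaml` generates, and the only verification override visible nearby (`QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST: "false"`) belongs to a different REST client. Unless the reports client is configured elsewhere to skip verification, the core→reports call will presumably fail the TLS handshake; if it does skip verification, then enabling this option adds no authentication of the reports endpoint and the README TLS section should say so. The change I would expect here is mounting the `cert` key of the `-oauth2proxy-reports-tls` Secret into the core container and pointing the reports REST client's trust-store configuration at it, so the self-signed certificate is pinned rather than ignored.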
@@ -11,7 +11,7 @@ spec: type: {{ .Values.reports.service.type }} ports: - port: {{ .Values.reports.service.httpPort }} - targetPort: {{ ternary "https" "http" (.Values.authentication.openshift).enabled }} + targetPort: {{ ternary "https" "http" (or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.tls.selfSigned.enabled) }} selector: {{- include "cryostat.selectorLabels" $ | nindent 4 }} app.kubernetes.io/component: reports diff --git a/charts/cryostat/templates/reports_tls_secret.yaml b/charts/cryostat/templates/reports_tls_secret.yaml new file mode 100644 index 00000000..48288089 --- /dev/null +++ b/charts/cryostat/templates/reports_tls_secret.yaml @@ -0,0 +1,15 @@ +{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.tls.selfSigned.enabled)) }} +{{- $fullName := include "cryostat.fullname" . }} +{{- $cert := genSelfSignedCert (printf "%s-reports" $fullName) nil nil 365 }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Release.Name }}-oauth2proxy-reports-tls + labels: + {{- include "cryostat.labels" $ | nindent 4 }} +type: Opaque +immutable: true +data: + cert: {{ $cert.Cert | b64enc }} + key: {{ $cert.Key | b64enc }} +{{- end -}} From 1b374ff88c814d149bfe07e5579756e00a4b2dfe Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 22 Nov 2024 14:33:39 -0500 Subject: [PATCH 14/17] add configuration notes --- charts/cryostat/README.md | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md index c2a416f3..f46927e2 100644 --- a/charts/cryostat/README.md +++ b/charts/cryostat/README.md 
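Review bot: `genSelfSignedCert (printf "%s-reports" $fullName) nil nil 365` issues a certificate with only a CN and no SANs, while the core container dials the proxy as `<fullname>-reports.<namespace>.svc`; modern Go and Java TLS clients match hostnames against SANs, so a CN-only certificate generally cannot pass hostname verification. Pass the service DNS names as the alternate-names argument: `{{- $cn := printf "%s-reports" $fullName }}` and `{{- $cert := genSelfSignedCert $cn nil (list $cn (printf "%s.%s.svc" $cn .Release.Namespace) (printf "%s.%s.svc.cluster.local" $cn .Release.Namespace)) 365 }}`. Separately, `immutable: true` on a Secret whose data comes from a function that yields a fresh key pair on every render presumably makes any later `helm upgrade` fail on this object (the API rejects data changes to immutable Secrets), which is stricter than the README's "reinstall the chart" wording implies; either drop `immutable` or guard generation with a `lookup` of the existing Secret so the key pair is reused. Using `type: kubernetes.io/tls` with `tls.crt`/`tls.key` keys would also let cert-manager or an operator substitute a managed certificate without template changes.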
@@ -45,6 +45,27 @@ cd cryostat-helm helm install cryostat ./charts/cryostat ``` +## Configuration + +See the sections below for Helm chart values which can be used for configuring various aspects of the Cryostat installation. + +If there are further customizations required to suit your deployment environment, choose the settings values that get +you closest to what you need, then manually edit the resulting Kubernetes objects to suit your requirements. You may +also consider using `helm install --dry-run` to render the Kubernetes YAML manifests without installing them, so that +you can apply your own customization patches as needed. + +### TLS + +When installed on OpenShift with `authentication.openshift.enabled=true`, the cluster's +["service serving certificates"](https://docs.openshift.com/container-platform/4.17/security/certificates/service-serving-certificate.html) +feature is used to enable managed TLS configuration on the exposed HTTP(S) ports. + +When installed with `authentication.openshift.enabled=false` but `oauth2Proxy.tls.selfSigned.enabled=true` then a +self-signed TLS certificate will be generated at installation time to serve similar purposes. These TLS certificates +are not managed, will not automatically rotate, and will expire after 365 days. You will need to manually rotate the +certificates, or reinstall the chart, or else apply your own customizations to the Kubernetes manifests to automate TLS +certificate issuance and rotation. + ## Parameters ### Cryostat Container From 823d5d285ff76d0cf5b9b2ee5a65ebe1daedc8a6 Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 22 Nov 2024 14:34:25 -0500 Subject: [PATCH 15/17] rename label --- charts/cryostat/templates/tests/test-core-connection.yaml | 2 +- charts/cryostat/templates/tests/test-grafana-connection.yaml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/charts/cryostat/templates/tests/test-core-connection.yaml b/charts/cryostat/templates/tests/test-core-connection.yaml index b3d5220f..75a24eb8 100644 --- a/charts/cryostat/templates/tests/test-core-connection.yaml +++ b/charts/cryostat/templates/tests/test-core-connection.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "cryostat.labels" . | nindent 4 }} app.kubernetes.io/component: test-core-connection - helm-test: cryostat + charts.cryostat.io/role: helm-test annotations: "helm.sh/hook": test spec: diff --git a/charts/cryostat/templates/tests/test-grafana-connection.yaml b/charts/cryostat/templates/tests/test-grafana-connection.yaml index 3aeae40a..84b3dfce 100644 --- a/charts/cryostat/templates/tests/test-grafana-connection.yaml +++ b/charts/cryostat/templates/tests/test-grafana-connection.yaml @@ -5,7 +5,7 @@ metadata: labels: {{- include "cryostat.labels" . | nindent 4 }} app.kubernetes.io/component: test-grafana-connection - helm-test: cryostat + charts.cryostat.io/role: helm-test annotations: "helm.sh/hook": test spec: From 9751c56dc2d547a969899d1b6479dabc730e594f Mon Sep 17 00:00:00 2001 From: Andrew Azores Date: Fri, 22 Nov 2024 14:52:36 -0500 Subject: [PATCH 16/17] refactor --- charts/cryostat/templates/NOTES.txt | 8 ++----- charts/cryostat/templates/_helpers.tpl | 21 +++++++++++++++++++ .../templates/cryostat_deployment.yaml | 2 +- .../cryostat/templates/cryostat_service.yaml | 2 +- .../templates/cryostat_tls_secret.yaml | 2 +- .../cryostat/templates/reports_service.yaml | 2 +- .../templates/reports_tls_secret.yaml | 2 +- 7 files changed, 28 insertions(+), 11 deletions(-) diff --git a/charts/cryostat/templates/NOTES.txt b/charts/cryostat/templates/NOTES.txt index fa9375aa..133c8c47 100644 --- a/charts/cryostat/templates/NOTES.txt +++ b/charts/cryostat/templates/NOTES.txt 
@@ -39,11 +39,7 @@ kubectl -n {{ .Release.Namespace }} wait --for=condition=available --timeout=60s deploy/{{ include "cryostat.deploymentName" . }} export SVC_NAME=$(kubectl get services -n {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "cryostat.name" . }},app.kubernetes.io/instance={{ .Release.Name }},app.kubernetes.io/component=cryostat" --sort-by=.metadata.creationTimestamp -o jsonpath="{.items[-1:].metadata.name}") -{{- if or .Values.authentication.openshift.enabled .Values.oauth2Proxy.tls.selfSigned.enabled }} - kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8443:https -{{- else }} - kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME 8080:http -{{- end }} + kubectl -n {{ .Release.Namespace }} port-forward svc/$SVC_NAME {{ include "cryostat.core.service.port" . }}:{{ include "cryostat.core.service.scheme" . }} ``` {{- $listNum = add1 $listNum }} {{- end }} @@ -63,6 +59,6 @@ {{- else if contains "LoadBalancer" .Values.core.service.type }} echo http://$SERVICE_IP:{{ .Values.core.service.httpPort }} {{- else if contains "ClusterIP" .Values.core.service.type }} - {{ ternary "https" "http" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.tls.selfSigned.enabled) }}://localhost:{{ ternary "8443" "8080" (or .Values.authentication.openshift.enabled .Values.oauth2Proxy.tls.selfSigned.enabled) }} + {{ include "cryostat.core.service.scheme" . }}://localhost:{{ include "cryostat.core.service.port" . }} {{- end }} ``` diff --git a/charts/cryostat/templates/_helpers.tpl b/charts/cryostat/templates/_helpers.tpl index 518e294c..0a8e7e52 100644 --- a/charts/cryostat/templates/_helpers.tpl +++ b/charts/cryostat/templates/_helpers.tpl 
@@ -62,6 +62,27 @@ Create the name of the service account to use.
 {{- end }}
 {{- end }}
+{{/*
+Cryostat service TLS enablement. Returns the string values "true" or "false".
+*/}}
+{{- define "cryostat.core.service.tls" -}}
+{{ or .Values.authentication.openshift.enabled .Values.oauth2Proxy.tls.selfSigned.enabled }}
+{{- end }}
+
+{{/*
+Cryostat service protocol. HTTPS if TLS is enabled, HTTP otherwise.
+*/}}
+{{- define "cryostat.core.service.scheme" -}}
+{{ ternary "https" "http" ( include "cryostat.core.service.tls" . | eq "true" ) }}
+{{- end }}
+
+{{/*
+Cryostat service port. 8443 if TLS is enabled, 8080 otherwise.
+*/}}
+{{- define "cryostat.core.service.port" -}}
+{{ ternary 8443 8080 ( ( include "cryostat.core.service.scheme" . ) | eq "https" ) }}
+{{- end }}
+
 {{/*
 Get or generate a default connection key for database.
 */}}
diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml
index 76db1b50..882c5cb5 100644
--- a/charts/cryostat/templates/cryostat_deployment.yaml
+++ b/charts/cryostat/templates/cryostat_deployment.yaml
@@ -75,7 +75,7 @@ spec:
 - name: QUARKUS_REST_CLIENT_EXTENSIONS_API_VERIFY_HOST
 value: "false"
 - name: QUARKUS_REST_CLIENT_REPORTS_URL
- value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (ternary "https" "http" (or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.tls.selfSigned.enabled)) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }}
+ value: {{ printf "%s://cryostat:$(REPORTS_PASS_SECRET_KEY)@%s-reports.%s.svc:%d" (include "cryostat.core.service.scheme" .) $fullName $.Release.Namespace (int .Values.reports.service.httpPort) }}
 {{- end }}
 - name: QUARKUS_DATASOURCE_USERNAME
 value: cryostat
diff --git a/charts/cryostat/templates/cryostat_service.yaml b/charts/cryostat/templates/cryostat_service.yaml
index 7cf7b61c..36261e43 100644
--- a/charts/cryostat/templates/cryostat_service.yaml
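Review bot: `cryostat.core.service.tls` does not guarantee the "true"/"false" strings its comment promises: Go's `or` returns its first truthy operand (or the last operand) unchanged, so a flag supplied as a string such as "yes" or "1" renders that string, the `| eq "true"` test in `cryostat.core.service.scheme` evaluates false, and TLS is silently turned off in every consumer of the helper chain (the deployment hunk below, the service, both TLS secrets and NOTES). It also drops the nil-safe `(.Values.authentication.openshift).enabled` form that the deployment, service and secret hunks used before, so a values file with no `authentication.openshift` map would now fail to render instead of falling back to HTTP — hedged, since values.yaml is not in view. A body that yields exactly "true"/"false" for any truthy input and tolerates the missing map is `{{- if or ((.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.tls.selfSigned.enabled) -}}true{{- else -}}false{{- end -}}`; the port→scheme→tls chain is fine once that leaf is fixed. The deployment hunk's reports URL inherits whichever answer this helper gives, so the same caveat applies there.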
+++ b/charts/cryostat/templates/cryostat_service.yaml
@@ -19,7 +19,7 @@ spec:
 protocol: TCP
 name: http
 appProtocol: http
- {{- if or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.tls.selfSigned.enabled }}
+ {{- if ( include "cryostat.core.service.tls" . | eq "true" ) }}
 - port: 443
 targetPort: 8443
 protocol: TCP
diff --git a/charts/cryostat/templates/cryostat_tls_secret.yaml b/charts/cryostat/templates/cryostat_tls_secret.yaml
index 13fea26d..0d057454 100644
--- a/charts/cryostat/templates/cryostat_tls_secret.yaml
+++ b/charts/cryostat/templates/cryostat_tls_secret.yaml
@@ -1,4 +1,4 @@
-{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.tls.selfSigned.enabled)) }}
+{{- if ( include "cryostat.core.service.tls" . | eq "true" ) }}
 {{- $fullName := include "cryostat.fullname" . }}
 {{- $cert := genSelfSignedCert $fullName nil nil 365 }}
 apiVersion: v1
diff --git a/charts/cryostat/templates/reports_service.yaml b/charts/cryostat/templates/reports_service.yaml
index 6ab4aadc..a54836a6 100644
--- a/charts/cryostat/templates/reports_service.yaml
+++ b/charts/cryostat/templates/reports_service.yaml
@@ -11,7 +11,7 @@ spec:
 type: {{ .Values.reports.service.type }}
 ports:
 - port: {{ .Values.reports.service.httpPort }}
- targetPort: {{ ternary "https" "http" (or (.Values.authentication.openshift).enabled .Values.oauth2Proxy.tls.selfSigned.enabled) }}
+ targetPort: {{ include "cryostat.core.service.scheme" . }}
 selector:
 {{- include "cryostat.selectorLabels" $ | nindent 4 }}
 app.kubernetes.io/component: reports
diff --git a/charts/cryostat/templates/reports_tls_secret.yaml b/charts/cryostat/templates/reports_tls_secret.yaml
index 48288089..a27d0d0d 100644
--- a/charts/cryostat/templates/reports_tls_secret.yaml
+++ b/charts/cryostat/templates/reports_tls_secret.yaml
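Review bot: The cryostat_tls_secret guard changes meaning, not just form: the removed line rendered the self-signed Secret only when OpenShift auth was off (`and (not openshift.enabled) selfSigned.enabled`), whereas `cryostat.core.service.tls` is the `or` of the two flags, so the Secret and its `genSelfSignedCert` call are now also rendered on OpenShift, which the old condition deliberately excluded. If the OpenShift path obtains its serving certificate by another mechanism (not visible here) that writes a Secret of the same name, the two will contend for the same object; at best an unneeded self-signed certificate is generated on that platform and, since `genSelfSignedCert` is evaluated on every render, replaced on every upgrade. The reports_tls_secret hunk on the next line widens its guard the same way. If the exclusion was intentional, keep `{{- if and (not ((.Values.authentication.openshift).enabled)) (.Values.oauth2Proxy.tls.selfSigned.enabled) }}` in both secret templates, or give them a separate helper that encodes "self-signed TLS wanted" rather than "TLS on".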
@@ -1,4 +1,4 @@
-{{- if (and (not (.Values.authentication.openshift).enabled) (.Values.oauth2Proxy.tls.selfSigned.enabled)) }}
+{{- if ( include "cryostat.core.service.tls" | eq "true" ) }}
 {{- $fullName := include "cryostat.fullname" . }}
 {{- $cert := genSelfSignedCert (printf "%s-reports" $fullName) nil nil 365 }}
 apiVersion: v1
From 7629bf9fb42350e58725bb1f4168c5a5950cd4cd Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Fri, 22 Nov 2024 15:13:00 -0500
Subject: [PATCH 17/17] typo
---
 charts/cryostat/templates/reports_tls_secret.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/charts/cryostat/templates/reports_tls_secret.yaml b/charts/cryostat/templates/reports_tls_secret.yaml
index a27d0d0d..79dbf258 100644
--- a/charts/cryostat/templates/reports_tls_secret.yaml
+++ b/charts/cryostat/templates/reports_tls_secret.yaml
@@ -1,4 +1,4 @@
-{{- if ( include "cryostat.core.service.tls" | eq "true" ) }}
+{{- if ( include "cryostat.core.service.tls" . | eq "true" ) }}
 {{- $fullName := include "cryostat.fullname" . }}
 {{- $cert := genSelfSignedCert (printf "%s-reports" $fullName) nil nil 365 }}
 apiVersion: v1