slococo-uni
/
kube-exam
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Accept self-generated certificates

This commit is contained in:
Santiago Lo Coco 2023-11-20 11:41:09 -03:00
parent 568bb08da7
commit dcde25aec3
7 changed files with 43 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
.gitignore vendored
View File

@ -4,3 +4,5 @@ old
consignas.txt consignas.txt
other other
*.tgz *.tgz
*.crt
*.key

24
helm/README.md
View File

@ -112,3 +112,27 @@ ingress:
- api.kube.slc.ar - api.kube.slc.ar
``` ```
----
Se puede pasar certificados autogenerados en ingress.ssl.* PERO se debe notar las restricciones de helm de seguridad: solo se pueden usar archivos relativos al path del chart. Por lo tanto, si se desea usar un archivo de "afuera" se puede hacer un symbolic link. Por ejemplo: cd helm && ln -sf /usr/local/etc/ssl/certs/ca.crt ca.crt && ln -sf /usr/local/etc/ssl/private/ca.key ca.key. Y luego se puede pasar esos archivos al ingress.ssl.*.
Note que para que se usen estos secrets:
1) si ya existía el secret-crt se debe borrar y hacer un helm upgrade
2) si no existía con un install basta (o mismo un upgrade si ya estaba andando)
Por lo tanto, supongamos que se quieren actualizar los certificados por unos autogenerados por usted (y para actualizarlos una vez expirados los autogenerados por usted). Los pasos son los siguientes:
1) Borrar `exam-crt`
2) Actualizar certificados
3) Ponerlos en el values.yaml de haberse modificado el path o si antes se usaba uno autogenerado por helm
4) Hacer upgrade
Si se quiere actualizar los autogenerados por helm los pasos son:
1) Borrar `exam-crt`
2) Hacer upgrade
Note que si se hace un upgrade solo NO se regenerará el exam-crt. Esto es esperado ya que sino cada vez que modificamos algo se estará autogenerando un nuevo certificado!!

2
helm/templates/_helpers.tpl
View File

@ -65,7 +65,7 @@ Create the name of the service account to use
Return true if a TLS secret should be created Return true if a TLS secret should be created
*/}} */}}
{{- define "exam.createTlsSecret" -}} {{- define "exam.createTlsSecret" -}}
{{- if .Values.ingress.ssl -}} {{- if and .Values.ingress.ssl.enabled (not .Values.ingress.ssl.cert) -}}
{{- true -}} {{- true -}}
{{- end -}} {{- end -}}
{{- end -}} {{- end -}}

2
helm/templates/ingress.yaml
View File

@ -24,7 +24,7 @@ spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }} ingressClassName: {{ .Values.ingress.className }}
{{- end }} {{- end }}
{{- if and (include "exam.createTlsSecret" . ) .Values.ingress.tls }} {{- if .Values.ingress.tls }}
tls: tls:
{{- range .Values.ingress.tls }} {{- range .Values.ingress.tls }}
- hosts: - hosts:

16
helm/templates/secrets.yaml
View File

@ -11,23 +11,25 @@ data:
{{- end }} {{- end }}
type: Opaque type: Opaque
--- ---
{{- if (include "exam.createTlsSecret" . ) }} {{- if .Values.ingress.ssl.enabled }}
{{- $secretName := printf "%s-crt" (include "exam.fullname" .) }} {{- $secretName := printf "%s-crt" (include "exam.fullname" .) }}
{{- $ca := genCA "ingress-ca" 365 }}
{{- $fullname := (include "exam.host" . ) }}
{{- $cert := genSignedCert $fullname nil nil 365 $ca }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ $secretName }} name: {{ $secretName }}
labels: labels:
{{- include "exam.labels" . | nindent 4 }} {{- include "exam.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": "pre-install"
"helm.sh/hook-delete-policy": "before-hook-creation"
type: kubernetes.io/tls type: kubernetes.io/tls
data: data:
{{- if (include "exam.createTlsSecret" . ) }}
{{- $ca := genCA "ingress-ca" 365 }}
{{- $fullname := (include "exam.host" . ) }}
{{- $cert := genSignedCert $fullname nil nil 365 $ca }}
tls.crt: {{ include "exam.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }} tls.crt: {{ include "exam.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
tls.key: {{ include "exam.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }} tls.key: {{ include "exam.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
ca.crt: {{ include "exam.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }} ca.crt: {{ include "exam.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
{{- else }}
tls.crt: {{ .Files.Get $.Values.ingress.ssl.cert | b64enc | quote }}
tls.key: {{ .Files.Get $.Values.ingress.ssl.key | b64enc | quote }}
{{- end }}
{{- end }} {{- end }}

5
helm/values.yaml
View File

@ -14,7 +14,10 @@ shared:
tier: &clientTier "frontend" tier: &clientTier "frontend"
ingress: ingress:
ssl: true ssl:
enabled: true
# cert: ca.crt
# key: ca.key
annotations: annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2 nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"

2
run.sh
View File

@ -77,7 +77,7 @@ fi
$START_MINIKUBE && minikube addons enable ingress $START_MINIKUBE && minikube addons enable ingress
helm dependency build helm helm dependency list helm | grep -q "missing" && helm dependency build helm
if [ "$fluentd" == true ] || [ "$fluentd" == "y" ] || [ "$fluentd" == "Y" ]; then if [ "$fluentd" == true ] || [ "$fluentd" == "y" ] || [ "$fluentd" == "Y" ]; then
VALUES=("-f" "helm/values.yaml" "-f" "helm/fluentd.yaml") VALUES=("-f" "helm/values.yaml" "-f" "helm/fluentd.yaml")