From 7b83f3926fe098d2782a78e64a9000cf69fe2fc3 Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Fri, 4 Oct 2024 16:21:29 -0400
Subject: [PATCH] sample app agent fixup, TLS
---
 Makefile | 10 +-
 .../samples/sample-app-agent-tls-proxy.yaml | 95 +++++++++++++++++++
 config/samples/sample-app-agent.yaml | 21 ++--
 3 files changed, 117 insertions(+), 9 deletions(-)
 create mode 100644 config/samples/sample-app-agent-tls-proxy.yaml
diff --git a/Makefile b/Makefile
index e760a8c8..22d04014 100644
--- a/Makefile
+++ b/Makefile
@@ -388,7 +388,7 @@ SAMPLE_APP_FLAGS += -n $(SAMPLE_APP_NAMESPACE)
 endif
 .PHONY: sample_app
-sample_app: ## Deploy sample app.
+sample_app: undeploy_sample_app ## Deploy sample app.
 $(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app.yaml
 .PHONY: undeploy_sample_app
@@ -408,6 +408,14 @@ sample_app_agent: undeploy_sample_app_agent ## Deploy sample app with Cryostat A
 $(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app-agent.yaml; \
 $(CLUSTER_CLIENT) set env $(SAMPLE_APP_FLAGS) deployment/quarkus-cryostat-agent CRYOSTAT_AGENT_AUTHORIZATION="Bearer $(AUTH_TOKEN)"
+.PHONY: undeploy_sample_app_agent_proxy
+undeploy_sample_app_agent_proxy: ## Undeploy sample app with Cryostat Agent configured for TLS client auth on nginx proxy.
+ - $(CLUSTER_CLIENT) delete $(SAMPLE_APP_FLAGS) --ignore-not-found=$(ignore-not-found) -f config/samples/sample-app-agent-tls-proxy.yaml
+
+.PHONY: sample_app_agent_proxy
+sample_app_agent_proxy: undeploy_sample_app_agent_proxy ## Deploy sample app with Cryostat Agent configured for TLS client auth on nginx proxy.
+ $(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f config/samples/sample-app-agent-tls-proxy.yaml
+
 .PHONY: undeploy_sample_app_agent
 undeploy_sample_app_agent: ## Undeploy sample app with Cryostat Agent.
 - $(CLUSTER_CLIENT) delete $(SAMPLE_APP_FLAGS) --ignore-not-found=$(ignore-not-found) -f config/samples/sample-app-agent.yaml
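Review bot: `sample_app_agent_proxy` applies `config/samples/sample-app-agent-tls-proxy.yaml` verbatim, but that manifest (added in this same commit) pins `secretName` to one fixed `cryostat-agent-<hash>` value behind a FIXME that points back at this Makefile, so on any cluster where the agent TLS secret carries a different name the pod will presumably sit in ContainerCreating with a missing-secret mount error. Resolving the name here at deploy time is what the FIXME asks for: look the secret up with `$(CLUSTER_CLIENT) get secret $(SAMPLE_APP_FLAGS)` (the selector has to be confirmed against whatever creates that secret), substitute it into the manifest with `sed`, and feed the result to `$(CLUSTER_CLIENT) apply $(SAMPLE_APP_FLAGS) -f -`. Until then a comment on the target, `# NOTE: the manifest's hard-coded secretName must match the agent TLS secret present in the target namespace`, would make the failure mode obvious to anyone running it. The first hunk (`sample_app: undeploy_sample_app`) raises nothing on its own.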
diff --git a/config/samples/sample-app-agent-tls-proxy.yaml b/config/samples/sample-app-agent-tls-proxy.yaml
new file mode 100644
index 00000000..8ecefaa4
--- /dev/null
+++ b/config/samples/sample-app-agent-tls-proxy.yaml
@@ -0,0 +1,95 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels:
+ app: quarkus-cryostat-agent-tls-proxy
+ name: quarkus-cryostat-agent-tls-proxy
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: quarkus-cryostat-agent-tls-proxy
+ template:
+ metadata:
+ labels:
+ app: quarkus-cryostat-agent-tls-proxy
+ spec:
+ containers:
+ - env:
+ - name: CRYOSTAT_AGENT_APP_NAME
+ value: agent-test
+ - name: NAMESPACE
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: metadata.namespace
+ - name: CRYOSTAT_AGENT_API_WRITES_ENABLED
+ value: "true"
+ - name: CRYOSTAT_AGENT_BASEURI
+ value: https://cryostat-sample-agent.$(NAMESPACE).svc:8282
+ - name: POD_IP
+ valueFrom:
+ fieldRef:
+ apiVersion: v1
+ fieldPath: status.podIP
+ - name: CRYOSTAT_AGENT_CALLBACK
+ value: http://$(POD_IP):9977
+ - name: JAVA_OPTS_APPEND
+ value: |-
+ -Dquarkus.http.host=0.0.0.0
+ -Djava.util.logging.manager=org.jboss.logmanager.LogManager
+ -javaagent:/deployments/app/cryostat-agent.jar
+ -Dcryostat.agent.webclient.tls.client-auth.cert.path=/var/run/secrets/io.cryostat/cryostat-agent/tls.crt
+ -Dcryostat.agent.webclient.tls.client-auth.key.path=/var/run/secrets/io.cryostat/cryostat-agent/tls.key
+ -Dcryostat.agent.webclient.tls.truststore.cert[0].path=/var/run/secrets/io.cryostat/cryostat-agent/ca.crt
+ -Dcryostat.agent.webclient.tls.truststore.cert[0].type=X.509
+ -Dcryostat.agent.webclient.tls.truststore.cert[0].alias=cryostat
+ image: quay.io/redhat-java-monitoring/quarkus-cryostat-agent:latest
+ imagePullPolicy: Always
+ name: quarkus-cryostat-agent-tls-proxy
+ ports:
+ - containerPort: 10010
+ protocol: TCP
+ - containerPort: 9097
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ volumeMounts:
+ - mountPath: /var/run/secrets/io.cryostat/cryostat-agent
+ name: agent-tls
+ restartPolicy: Always
+ securityContext:
+ runAsNonRoot: true
+ volumes:
+ - name: agent-tls
+ secret:
+ # FIXME determine the secretName at deployment time in the Makefile and patch it here
+ secretName: cryostat-agent-f46ed1c40de4d61ac533fef337f7705ac39c8690f91a9cdca5185140f0455563
+ defaultMode: 420
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: quarkus-cryostat-agent-tls-proxy
+ name: quarkus-cryostat-agent-tls-proxy
+spec:
+ selector:
+ app: quarkus-cryostat-agent-tls-proxy
+ ports:
+ - name: agent-http
+ port: 9977
+ protocol: TCP
+ targetPort: 9977
+ - name: app-http
+ port: 10010
+ protocol: TCP
+ targetPort: 10010
diff --git a/config/samples/sample-app-agent.yaml b/config/samples/sample-app-agent.yaml
index 09993380..ece50f2e 100644
--- a/config/samples/sample-app-agent.yaml
+++ b/config/samples/sample-app-agent.yaml
@@ -37,12 +37,17 @@ spec:
 value: http://$(POD_IP):9977
 - name: CRYOSTAT_AGENT_AUTHORIZATION
 value: Bearer abcd1234
- - name: CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUSTSTORE_CERT_0__PATH
- value: /var/run/secrets/myapp/truststore.p12
- - name: CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUSTSTORE_CERT_0__TYPE
- value: X.509
- - name: CRYOSTAT_AGENT_WEBCLIENT_TLS_TRUSTSTORE_CERT_0__ALIAS
- value: cryostat-sample
+ - name: JAVA_OPTS_APPEND
+ value: |-
+ -Dquarkus.http.host=0.0.0.0
+ -Djava.util.logging.manager=org.jboss.logmanager.LogManager
+ -Dcom.sun.management.jmxremote.port=9097
+ -Dcom.sun.management.jmxremote.ssl=false
+ -Dcom.sun.management.jmxremote.authenticate=false
+ -javaagent:/deployments/app/cryostat-agent.jar
+ -Dcryostat.agent.webclient.tls.truststore.cert[0].path=/var/run/secrets/myapp/ca.crt
+ -Dcryostat.agent.webclient.tls.truststore.cert[0].type=X.509
+ -Dcryostat.agent.webclient.tls.truststore.cert[0].alias=cryostat-sample
 image: quay.io/redhat-java-monitoring/quarkus-cryostat-agent:latest
 imagePullPolicy: Always
 name: quarkus-cryostat-agent
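Review bot: The container `ports` list in the new Deployment does not describe what this pod listens on: `containerPort: 9097` is declared although this `JAVA_OPTS_APPEND`, unlike the one in sample-app-agent.yaml, sets no `com.sun.management.jmxremote.*` options, while the agent callback listener on 9977 (`CRYOSTAT_AGENT_CALLBACK`, and the Service's `agent-http` port) is not declared at all. `containerPort` is informational so nothing breaks, but the list should read `- containerPort: 10010` and `- containerPort: 9977`, or carry a comment explaining why 9097 is kept. Separately, the secret volume holding the agent's private key (`tls.key`) is projected with `defaultMode: 420` (0644); a tighter mode (`256`/0400, or `288`/0440 when an `fsGroup` owns the files) is the least-privilege choice and should be checked against the image's run-as user. Note also that only the agent-to-Cryostat leg is on TLS here — `CRYOSTAT_AGENT_CALLBACK` stays `http://` — which is fine for a sample but deserves a comment so readers do not assume the callback is also client-authenticated.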
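Review bot: The new `JAVA_OPTS_APPEND` opens a JMX/RMI listener on 9097 with `-Dcom.sun.management.jmxremote.ssl=false` and `-Dcom.sun.management.jmxremote.authenticate=false`, i.e. unauthenticated and unencrypted, which in a commit about TLS deserves a note saying it is deliberate for the sample. A YAML comment above the `- name: JAVA_OPTS_APPEND` entry along the lines of `# JMX is left unauthenticated/plaintext only for this sample; real deployments should set authenticate=true (password/access file) and ssl=true` would keep the block from being copied as-is. Functionally, without `-Dcom.sun.management.jmxremote.rmi.port=9097` the RMI connector picks an ephemeral port, so JMX clients reaching the pod through a Service will presumably fail after the initial registry lookup; adding that line pins everything to 9097. The container's `ports` list and the rest of the env array lie outside this hunk.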
@@ -64,9 +69,9 @@ spec:
 drop:
 - ALL
 volumeMounts:
- - mountPath: /var/run/secrets/myapp/truststore.p12
+ - mountPath: /var/run/secrets/myapp/ca.crt
 name: truststore
- subPath: truststore.p12
+ subPath: ca.crt
 restartPolicy: Always
 securityContext:
 runAsNonRoot: true