Generate both TLS and mTLS manifests

Issue: #57
stolostron · Jun 8, 2020 · f3e41c7 · f3e41c7
1 parent a89822f
commit f3e41c7
Show file tree

Hide file tree

Showing 7 changed files with 193 additions and 6 deletions.
diff --git a/examples/main.jsonnet b/examples/main.jsonnet
@@ -64,8 +64,15 @@ local apiWithTLS = api + api.withTLS {
   config+:: {
     tls+: {
       certFile: './tmp/certs/server.pem',
-      privateKeyFile: './tmp/certs/ca.pem',
-      clientCAFile: './tmp/certs/server.key',
+      privateKeyFile: './tmp/certs/server.key',
+    },
+  },
+};
+
+local withMTLS = apiWithTLS + api.withMTLS {
+  config+:: {
+    tls+: {
+      clientCAFile: './tmp/certs/ca.pem',
     },
   },
 };
@@ -79,4 +86,9 @@ local apiWithTLS = api + api.withTLS {
   ['%s-with-tls' % name]: apiWithTLS[name]
   for name in std.objectFields(api)
   if apiWithTLS[name] != null
+} +
+{
+  ['%s-with-mtls' % name]: withMTLS[name]
+  for name in std.objectFields(api)
+  if withMTLS[name] != null
 }
diff --git a/examples/manifests/configmap-with-mtls.yaml b/examples/manifests/configmap-with-mtls.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+data:
+  rbac.yaml: |-
+    "roleBindings":
+    - "name": "telemeter"
+      "roles":
+      - "read-write"
+      "subjects":
+      - "[email protected]"
+    "roles":
+    - "name": "read-write"
+      "permissions":
+      - "read"
+      - "write"
+      "resources":
+      - "metrics"
+      "tenants":
+      - "telemeter"
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: api
+    app.kubernetes.io/instance: observatorium-api
+    app.kubernetes.io/name: observatorium-api
+    app.kubernetes.io/version: master-2020-05-04-v0.1.1-21-gabb9864
+  name: observatorium-api
+  namespace: observatorium
diff --git a/examples/manifests/deployment-with-mtls.yaml b/examples/manifests/deployment-with-mtls.yaml
@@ -0,0 +1,81 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/component: api
+    app.kubernetes.io/instance: observatorium-api
+    app.kubernetes.io/name: observatorium-api
+    app.kubernetes.io/version: master-2020-05-04-v0.1.1-21-gabb9864
+  name: observatorium-api
+  namespace: observatorium
+spec:
+  replicas: 3
+  selector:
+    matchLabels:
+      app.kubernetes.io/component: api
+      app.kubernetes.io/instance: observatorium-api
+      app.kubernetes.io/name: observatorium-api
+  strategy:
+    rollingUpdate:
+      maxSurge: 0
+      maxUnavailable: 1
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/component: api
+        app.kubernetes.io/instance: observatorium-api
+        app.kubernetes.io/name: observatorium-api
+        app.kubernetes.io/version: master-2020-05-04-v0.1.1-21-gabb9864
+    spec:
+      containers:
+      - args:
+        - --web.listen=0.0.0.0:8080
+        - --web.internal.listen=0.0.0.0:8081
+        - --logs.read.endpoint=http://127.0.0.1:3100
+        - --logs.write.endpoint=http://127.0.0.1:3100
+        - --metrics.read.endpoint=http://127.0.0.1:9091
+        - --metrics.write.endpoint=http://127.0.0.1:19291
+        - --log.level=warn
+        - --rbac.config=/etc/observatorium/rbac.yaml
+        - --tenants.config=/etc/observatorium/tenants.yaml
+        - --tls-cert-file=./tmp/certs/server.pem
+        - --tls-private-key-file=./tmp/certs/server.key
+        - --tls-reload-interval=1m
+        - --tls-client-ca-file=./tmp/certs/ca.pem
+        image: quay.io/observatorium/observatorium:master-2020-05-04-v0.1.1-21-gabb9864
+        livenessProbe:
+          failureThreshold: 10
+          httpGet:
+            path: /live
+            port: 8081
+            scheme: HTTP
+          periodSeconds: 30
+        name: observatorium-api
+        ports:
+        - containerPort: 8081
+          name: internal
+        - containerPort: 8080
+          name: public
+        readinessProbe:
+          failureThreshold: 12
+          httpGet:
+            path: /ready
+            port: 8081
+            scheme: HTTP
+          periodSeconds: 5
+        volumeMounts:
+        - mountPath: /etc/observatorium/rbac.yaml
+          name: rbac
+          readOnly: true
+          subPath: rbac.yaml
+        - mountPath: /etc/observatorium/tenants.yaml
+          name: tenants
+          readOnly: true
+          subPath: tenants.yaml
+      volumes:
+      - configMap:
+          name: observatorium-api
+        name: rbac
+      - name: tenants
+        secret:
+          secretName: observatorium-api
diff --git a/examples/manifests/deployment-with-tls.yaml b/examples/manifests/deployment-with-tls.yaml
@@ -39,8 +39,7 @@ spec:
         - --rbac.config=/etc/observatorium/rbac.yaml
         - --tenants.config=/etc/observatorium/tenants.yaml
         - --tls-cert-file=./tmp/certs/server.pem
-        - --tls-private-key-file=./tmp/certs/ca.pem
-        - --tls-client-ca-file=./tmp/certs/server.key
+        - --tls-private-key-file=./tmp/certs/server.key
         - --tls-reload-interval=1m
         image: quay.io/observatorium/observatorium:master-2020-05-04-v0.1.1-21-gabb9864
         livenessProbe:

diff --git a/examples/manifests/secret-with-mtls.yaml b/examples/manifests/secret-with-mtls.yaml
@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    app.kubernetes.io/component: api
+    app.kubernetes.io/instance: observatorium-api
+    app.kubernetes.io/name: observatorium-api
+    app.kubernetes.io/version: master-2020-05-04-v0.1.1-21-gabb9864
+  name: observatorium-api
+  namespace: observatorium
+stringData:
+  tenants.yaml: |-
+    "tenants":
+    - "id": "FB870BF3-9F3A-44FF-9BF7-D7A047A52F43"
+      "name": "telemeter"
+      "oidc":
+        "clientID": "telemeter"
+        "clientSecret": "ov7zikeipai4neih7Chahcae"
+        "issuerURL": "http://127.0.0.1:5556/dex"
+        "redirectURL": "http://localhost:8080/oidc/telemeter/callback"
+        "usernameClaim": "email"
diff --git a/examples/manifests/service-with-mtls.yaml b/examples/manifests/service-with-mtls.yaml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/component: api
+    app.kubernetes.io/instance: observatorium-api
+    app.kubernetes.io/name: observatorium-api
+    app.kubernetes.io/version: master-2020-05-04-v0.1.1-21-gabb9864
+  name: observatorium-api
+  namespace: observatorium
+spec:
+  ports:
+  - name: internal
+    port: 8081
+    targetPort: 8081
+  - name: public
+    port: 8080
+    targetPort: 8080
+  selector:
+    app.kubernetes.io/component: api
+    app.kubernetes.io/instance: observatorium-api
+    app.kubernetes.io/name: observatorium-api
diff --git a/jsonnet/lib/observatorium-api.libsonnet b/jsonnet/lib/observatorium-api.libsonnet
@@ -226,7 +226,6 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
       tls: {
         certFile: error 'must provide cert file',
         privateKeyFile: error 'must provide private key file',
-        clientCAFile: error 'must provide client ca file',
         reloadInterval: '1m',
       },
     },
@@ -240,7 +239,6 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
                 args+: [
                   '--tls-cert-file=' + api.config.tls.certFile,
                   '--tls-private-key-file=' + api.config.tls.privateKeyFile,
-                  '--tls-client-ca-file=' + api.config.tls.clientCAFile,
                   '--tls-reload-interval=' + api.config.tls.reloadInterval,
                 ],
               } else c
@@ -251,4 +249,31 @@ local k = import 'ksonnet/ksonnet.beta.4/k.libsonnet';
       },
     },
   },
+
+  withMTLS:: {
+    local api = self,
+
+    config+:: {
+      tls+: {
+        clientCAFile: error 'must provide client ca file',
+      },
+    },
+
+    deployment+: {
+      spec+: {
+        template+: {
+          spec+: {
+            containers: [
+              if c.name == 'observatorium-api' then c {
+                args+: [
+                  '--tls-client-ca-file=' + api.config.tls.clientCAFile,
+                ],
+              } else c
+              for c in super.containers
+            ],
+          },
+        },
+      },
+    },
+  },
 }