Enabling mTLS in storage
Signed-off-by: Ben <ben@armosec.io>
slashben committed Jan 23, 2025
1 parent 46b4505 commit 4730d64
Showing 5 changed files with 67 additions and 3 deletions.
Expand Up @@ -6,8 +6,28 @@ Create the name of the Kubescape Storage Auth Reader RoleBinding to use
{{- end }}

{{/*
Create the name of the Kubescape Storage Auth Reader ClusterRoleBinding to use
*/}}
Create the name of the Kubescape Storage Auth Reader ClusterRoleBinding to use
*/}}
{{- define "storage.authDelegatorClusterRoleBindingName" -}}
{{- .Values.storage.name | printf "%s:system:auth-delegator" }}
{{- end }}

{{/*
Generate a private key and certificate pair for mTLS
*/}}
{{- define "storage.generateCerts.ca" -}}
{{- if not .Values.global.storageCA -}}
{{- $cn := .Values.storage.name -}}
{{- $ca := genCA (printf "%s-ca" $cn) (int .Values.storage.mtls.certificateValidityInDays) -}}
{{- $_ := set .Values.global "storageCA" $ca -}}
{{- end -}}
{{- .Values.global.storageCA | toJson -}}
{{- end -}}

{{- define "storage.generateCerts.cert" -}}
{{- $cn := printf "%s.%s.svc" .Values.storage.name .Release.Namespace -}}
{{- $ca := .Values.global.storageCA -}}
{{- $dnsNames := list $cn (printf "%s.%s.svc" .Values.storage.name .Release.Namespace) (printf "%s.%s.svc.cluster.local" .Values.storage.name .Release.Namespace) -}}
{{- $cert := genSignedCert $cn nil $dnsNames (int .Values.storage.mtls.certificateValidityInDays) $ca -}}
{{- $cert | toJson -}}
{{- end -}}
7 changes: 7 additions & 0 deletions charts/kubescape-operator/templates/storage/apiservice.yaml
Expand Up @@ -7,12 +7,19 @@ metadata:
labels:
{{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
spec:
{{- if .Values.storage.mtls.enabled }}
insecureSkipTLSVerify: false
{{- else }}
insecureSkipTLSVerify: true
{{- end }}
group: "spdx.softwarecomposition.kubescape.io"
groupPriorityMinimum: 1000
versionPriority: 15
version: "v1beta1"
service:
name: {{ .Values.storage.name }}
namespace: {{ .Values.ksNamespace }}
{{- if .Values.storage.mtls.enabled }}
caBundle: {{ .Values.global.storageCA.Cert | b64enc }}
{{- end }}
{{- end }}
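Review bot: `caBundle: {{ .Values.global.storageCA.Cert | b64enc }}` reads a value that only exists as a side effect of `include "storage.generateCerts.ca"` having been evaluated earlier in the same render, and that include is called from ca-secret.yaml rather than here, so this template silently depends on Helm's file rendering order and fails on `.Cert` of a nil value if apiservice.yaml is rendered first. Make the line self-contained: `caBundle: {{ (include "storage.generateCerts.ca" . | fromJson).Cert | b64enc }}` — the helper stores the generated CA in `.Values.global.storageCA` on first use, so a second call returns the same CA the Secret is built from. The `{{- end }}` closing this file's outer condition begins outside the hunk.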
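--- a/charts/kubescape-operator/templates/storage/ca-secret.yaml
+++ b/charts/kubescape-operator/templates/storage/ca-secret.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.storage.mtls.enabled }}
+{{- $ca := include "storage.generateCerts.ca" . | fromJson }}
+{{- $cert := include "storage.generateCerts.cert" . | fromJson }}
+apiVersion: v1
+kind: Secret
+metadata:
+name: {{ .Values.storage.name }}-ca
+namespace: {{ .Values.ksNamespace }}
+labels:
+{{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
+type: kubernetes.io/tls
+data:
+tls.crt: {{ $cert.Cert | b64enc }}
+tls.key: {{ $cert.Key | b64enc }}
+ca.crt: {{ $ca.Cert | b64enc }}
+{{- end }}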
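Review bot: This Secret and the APIService's `service:` reference are placed in `.Values.ksNamespace` (the `namespace:` line here), but `storage.generateCerts.cert` builds the certificate CN and SANs from `.Release.Namespace`; whenever the two differ, kube-apiserver dials `<name>.<ksNamespace>.svc` and hostname verification against the served certificate fails. Use the same value in the helper, `{{- $cn := printf "%s.%s.svc" .Values.storage.name .Values.ksNamespace -}}` (and the same substitution in the `$dnsNames` list), or document that `ksNamespace` must equal the release namespace. Separately, `genCA` and `genSignedCert` run afresh on every render, so each `helm upgrade` rewrites this Secret with a new key pair and the APIService `caBundle` at the same moment, while the running pod keeps serving the previous certificate until the mounted Secret is refreshed; if the storage server does not reload its certificate files, a `lookup` of the existing Secret to reuse its contents when present would avoid a TLS outage on each upgrade.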
18 changes: 18 additions & 0 deletions charts/kubescape-operator/templates/storage/deployment.yaml
Expand Up @@ -64,6 +64,14 @@ spec:
value: "{{ .Values.logger.level }}"
- name: KS_LOGGER_NAME
value: "{{ .Values.logger.name }}"
{{- if .Values.storage.mtls.enabled }}
- name: TLS_CLIENT_CA_FILE
value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
- name: TLS_SERVER_CERT_FILE
value: "/etc/storage-ca-certificates/tls.crt"
- name: TLS_SERVER_KEY_FILE
value: "/etc/storage-ca-certificates/tls.key"
{{- end }}
{{- if $components.otelCollector.enabled }}
- name: ACCOUNT_ID
valueFrom:
Expand All @@ -83,6 +91,11 @@ spec:
- name: {{ .Values.global.cloudConfig }}
mountPath: /etc/config
readOnly: true
{{- if .Values.storage.mtls.enabled }}
- name: "ca-certificates"
mountPath: /etc/storage-ca-certificates
readOnly: true
{{- end }}
resources:
{{ toYaml .Values.storage.resources | indent 12 }}
nodeSelector:
Expand Down Expand Up @@ -121,4 +134,9 @@ spec:
- key: "services"
path: "services.json"
{{- end }}
{{- if .Values.storage.mtls.enabled }}
- name: "ca-certificates"
secret:
secretName: {{ .Values.storage.name }}-ca
{{- end }}
{{- end }}
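Review bot: `TLS_CLIENT_CA_FILE` is pointed at the service-account `ca.crt`, which is typically the CA that issues the kube-apiserver's serving certificate; the client certificate the aggregation layer presents to an extension API server is signed by the requestheader (front-proxy) CA, which on many distributions is a separate CA, so client-certificate verification in the storage server would reject the aggregator unless the server also consults that CA on its own. The portable trust anchor is the `requestheader-client-ca-file` key of the `extension-apiserver-authentication` ConfigMap in `kube-system` — presumably what the chart's auth-reader RoleBinding exists for — so consider sourcing the client CA from there instead of the service-account bundle, or document why the cluster CA is sufficient here. As a point of style, `- name: "ca-certificates"` is quoted in both volume hunks while the neighbouring entries are plain scalars; drop the quotes for consistency. The `env:`, `volumeMounts:` and `volumes:` lists these entries extend all begin outside the hunks.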
5 changes: 4 additions & 1 deletion charts/kubescape-operator/values.yaml
Expand Up @@ -412,6 +412,9 @@ storage:

# Values or the Aggregated APIServer
name: "storage"
mtls:
enabled: true
certificateValidityInDays: 730

image:
# -- source code: https://github.com/kubescape/storage
Expand Down Expand Up @@ -547,7 +550,7 @@ nodeAgent:

nodeSelector:
kubernetes.io/os: linux

startupJitterContainer:
enabled: false
maxStartupJitter: 60
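Review bot: The new `mtls` block carries no helm-docs comment although this file documents neighbouring keys with `# --` (see the `image:` entry just below), and because `enabled: true` switches every install to mTLS by default its effects should be stated in place. Add above `enabled` a comment such as `# -- enable mTLS between the kube-apiserver aggregation layer and the storage server; a CA and serving certificate are generated at render time into the <storage name>-ca Secret`, and above `certificateValidityInDays` a comment such as `# -- validity of the generated CA and serving certificate, in days`. A sentence noting that the key pair is regenerated on each `helm upgrade` would also help operators who tune the validity period. The second hunk in this file is whitespace only.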
