Enabled internal TLS between k8s pods by default

Author: jk464

CHANGELOG.md

@@ -1,6 +1,7 @@
 # Changelog
 
 ## Development
+* Enable the use of TLS between all internal components (aside from Redis), and enable it by default (#401) (by @jk464)
 
 ## v1.1.0
 * Fix syntax with ensure-packs-volumes-are-writable job (#403, #411) (by @skiedude)

templates/_helpers.tpl

@@ -422,3 +422,39 @@ Create the custom env list for each deployment
   value: {{ $value | quote }}
   {{- end }}
 {{- end -}}
+
+{{/*
+Set up values for Internal TLS
+*/}}
+{{- define "stackstorm-ha.internal_tls.cert_volume.mount" -}}
+{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
+- name: {{ .Values.st2.tls.secretName }}
+  mountPath: {{ .Values.st2.tls.mountPath }}/
+  readOnly: true
+{{- end }}
+{{- end -}}
+{{- define "stackstorm-ha.internal_tls.cert_volume.volume" -}}
+{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
+- name: {{ .Values.st2.tls.secretName }}
+  secret:
+    secretName: {{ .Values.st2.tls.secretName }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Define st2web ports
+*/}}
+{{- define "stackstorm-ha.st2web.http_port" -}}
+{{- if ne (default 0 ((($.Values.st2web.securityContext).runAsUser) | int)) 0 -}}
+8080
+{{- else -}}
+80
+{{- end -}}
+{{- end -}}
+{{- define "stackstorm-ha.st2web.https_port" -}}
+{{- if ne (default 0 ((($.Values.st2web.securityContext).runAsUser) | int)) 0 -}}
+8443
+{{- else -}}
+443
+{{- end -}}
+{{- end -}}

templates/ca.yaml

@@ -0,0 +1,21 @@
+{{- if not ( .Values.st2.tls.certificate_issuer.existing ) -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Values.st2.tls.certificate_issuer.name }}
+  namespace: "{{ $.Release.Namespace }}"
+spec:
+  ca:
+    secretName: {{ .Values.st2.tls.certificate_issuer.name }}-tls
+---
+apiVersion: v1
+data:
+  tls.crt: "{{ .Values.secret.ca.crt }}"
+  tls.key: "{{ .Values.secret.ca.key }}"
+kind: Secret
+metadata:
+  name: {{ .Values.st2.tls.certificate_issuer.name }}-tls
+  namespace: "{{ $.Release.Namespace }}"
+type: kubernetes.io/tls
+{{- end -}}

templates/certificate.yaml

@@ -0,0 +1,28 @@
+{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.st2.tls.secretName }}
+  labels:
+    app: stackstorm
+    heritage: {{.Release.Service | quote}}
+    release: {{.Release.Name | quote}}
+    chart: {{ replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name }}
+spec:
+  secretName: {{ .Values.st2.tls.secretName }}
+  dnsNames:
+    - "*.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}"
+{{ include "stackstorm-ha.mongodb-nodes" $ | splitList "," | toYaml | indent 4 }}
+  ipAddresses:
+    - "127.0.0.1"
+  renewBefore: 360h # 15d
+  privateKey:
+    rotationPolicy: Always
+    algorithm: RSA
+    size: 3072
+  issuerRef:
+    name: {{ .Values.st2.tls.certificate_issuer.name }}
+    kind: Issuer
+    group: cert-manager.io
+{{- end -}}

templates/configmaps_st2-conf.yaml

@@ -11,19 +11,49 @@ data:
   # The order of merging: st2.conf < st2.docker.conf < st2.user.conf
   st2.docker.conf: |
     [auth]
+    {{- if .Values.rabbitmq.tls.enabled }}
+    api_url = https://{{ .Release.Name }}-st2api:9111/
+    {{- else }}
     api_url = http://{{ .Release.Name }}-st2api:9101/
+    {{- end -}}
+    {{- if and .Values.st2.tls.enabled .Values.st2auth.tls.enabled }}
+    use_ssl = True
+    key = {{ .Values.st2.tls.mountPath }}/tls.key
+    cert = {{ .Values.st2.tls.mountPath }}/tls.crt
+    debug = False
+    enable = True
+    {{- else }}
+    use_ssl = False
+    {{- end }}
+
     [system_user]
     user = {{ .Values.st2.system_user.user }}
     ssh_key_file = {{ tpl .Values.st2.system_user.ssh_key_file . }}
     {{- if index .Values "redis" "enabled" }}
+
     [coordination]
     url = redis://{{ template "stackstorm-ha.redis-password" $ }}{{ template "stackstorm-ha.redis-nodes" $ }}
     {{- end }}
     {{- if index .Values "rabbitmq" "enabled" }}
+
     [messaging]
+    {{- if .Values.rabbitmq.tls.enabled }}
+    url = amqp://{{ required "rabbitmq.auth.username is required!" (index .Values "rabbitmq" "auth" "username") }}:{{ required "rabbitmq.auth.password is required!" (index .Values "rabbitmq" "auth" "password") }}@{{ .Release.Name }}-rabbitmq:5671{{ required "rabbitmq.ingress.path is required!" (index .Values "rabbitmq" "ingress" "path") }}
+    {{- else }}
     url = amqp://{{ required "rabbitmq.auth.username is required!" (index .Values "rabbitmq" "auth" "username") }}:{{ required "rabbitmq.auth.password is required!" (index .Values "rabbitmq" "auth" "password") }}@{{ .Release.Name }}-rabbitmq:5672{{ required "rabbitmq.ingress.path is required!" (index .Values "rabbitmq" "ingress" "path") }}
+    {{- end -}}
     {{- end }}
     {{- if index .Values "mongodb" "enabled" }}
+    {{- if .Values.rabbitmq.tls.enabled }}
+    ssl = True
+    ssl_ca_certs = {{ .Values.st2.tls.mountPath }}/ca.crt
+    ssl_cert_reqs = optional
+    ssl_certfile = {{ .Values.st2.tls.mountPath }}/tls.crt
+    ssl_keyfile = {{ .Values.st2.tls.mountPath }}/tls.key
+    {{- else }}
+    ssl = False
+    {{- end }}
+
     [database]
     {{- if index .Values "mongodb" "auth" "enabled" }}
     host = mongodb://{{ template "stackstorm-ha.mongodb-nodes" $ }}/{{ required "mongodb.auth.database is required!" (index .Values "mongodb" "auth" "database") }}?authSource={{ required "mongodb.auth.database is required!" (index .Values "mongodb" "auth" "database") }}&replicaSet={{ index .Values "mongodb" "replicaSetName" }}
@@ -36,10 +66,21 @@ data:
     port = {{ index .Values "mongodb" "service" "port" }}
     {{- end }}
     {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
+    {{- if .Values.mongodb.tls.enabled }}
+    ssl = True
+    ssl_ca_certs = {{ .Values.st2.tls.mountPath }}/ca.crt
+    ssl_cert_reqs = optional
+    ssl_certfile = {{ .Values.st2.tls.mountPath }}/tls.crt
+    ssl_keyfile = {{ .Values.st2.tls.mountPath }}/tls.key
+    {{- else }}
+    ssl = False
+    {{- end }}
+
     [keyvalue]
     encryption_key_path = /etc/st2/keys/datastore_key.json
     {{- end }}
     {{- if .Values.st2.rbac.enabled }}
+
     [rbac]
     enable = True
     backend = default

templates/configmaps_st2-urls.yaml

@@ -7,6 +7,18 @@ metadata:
     description: StackStorm service URLs, used across entire st2 cluster
   labels: {{- include "stackstorm-ha.labels" (list $ "st2") | nindent 4 }}
 data:
+  {{- if and .Values.st2.tls.enabled .Values.st2auth.tls.enabled }}
+  ST2_AUTH_URL: https://{{ .Release.Name }}-st2auth:9100/
+  {{- else }}
   ST2_AUTH_URL: http://{{ .Release.Name }}-st2auth:9100/
+  {{- end }}
+  {{- if and .Values.st2.tls.enabled .Values.st2api.tls.enabled }}
+  ST2_API_URL: https://{{ .Release.Name }}-st2api:9111/
+  {{- else }}
   ST2_API_URL: http://{{ .Release.Name }}-st2api:9101/
+  {{- end }}
+  {{- if and .Values.st2.tls.enabled .Values.st2stream.tls.enabled }}
+  ST2_STREAM_URL: https://{{ .Release.Name }}-st2stream:9112/
+  {{- else }}
   ST2_STREAM_URL: http://{{ .Release.Name }}-st2stream:9102/
+  {{- end }}