
feat(truststore): declarative configuration of TLS trusted certificate Secrets #219

Status: Open. Wants to merge 3 commits into base: main

Conversation

andrewazores
Copy link
Member

@andrewazores andrewazores commented Nov 27, 2024

See also #215
Fixes #217

To test:

  1. Get a TLS certificate. I will use https://github.com/cryostatio/test-applications/blob/main/vertx-fib/src/main/extras/app/resources/vertx-fib-demo.cer as an example.
  2. Create a Secret from the cert: oc create secret generic fib-tls --from-file=./vertx-fib-demo.cer
  3. Install chart with this cert trusted: helm install --set core.config.tlsTruststore.secretNames='{fib-tls}' cryostat ./charts/cryostat
  4. Wait for Cryostat Pod to be Ready, then check its logs. Look for this:
```
Importing certificate /truststore/fib-tls/..2024_11_27_20_47_48.3800988412/vertx-fib-demo.cer ...
Certificate was added to keystore
```
  5. Open Cryostat Web UI, go to Security, and ensure that the TLS certificate list displays the certificate
  6. Deploy the vertx-fib-demo sample application:
```yaml
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: vertx-fib-demo
  name: vertx-fib-demo
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vertx-fib-demo
  template:
    metadata:
      labels:
        app: vertx-fib-demo
    spec:
      containers:
        - image: quay.io/redhat-java-monitoring/vertx-cryostat-agent:latest
          imagePullPolicy: Always
          name: vertx-fib-demo
          env:
            - name: HTTP_PORT
              value: "8081"
            - name: JMX_PORT
              value: "9093"
            - name: USE_SSL
              value: "true"
          ports:
          - containerPort: 8081
            protocol: TCP
          - containerPort: 9093
            protocol: TCP
          resources:
            requests:
              cpu: 200m
              memory: 96Mi
            limits:
              cpu: 500m
              memory: 128Mi
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
              - ALL
      restartPolicy: Always
      securityContext:
        runAsNonRoot: true
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app: vertx-fib-demo
  name: vertx-fib-demo
spec:
  selector:
    app: vertx-fib-demo
  ports:
  - name: jfr-jmx
    port: 9093
    protocol: TCP
    targetPort: 9093
  - name: app-http
    port: 8081
    protocol: TCP
    targetPort: 8081
```

  7. Save this to vertx-fib-demo.yaml, then oc create -f vertx-fib-demo.yaml.
8. Wait for the sample application to become ready, then check the Cryostat Web UI. Go to Topology and ensure that the application is discovered. Then go to Events, select the application, and ensure that the Event Templates and Event Types views work.
9. helm uninstall cryostat
10. helm install cryostat ./charts/cryostat, i.e. reinstall without the TLS certificate configuration
11. Repeat test steps above, now expecting that the vertx-fib-demo application is discovered but is not connectable (due to the missing TLS cert)
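As an added check that is not part of this PR or the chart: a small Python helper that parses Pod log lines of the form shown in step 4 and reports, for each Secret listed in `core.config.tlsTruststore.secretNames`, whether every attempted certificate import was confirmed by a following "Certificate was added to keystore" line. The log sample is constructed, and the `other-ca` and `absent-secret` Secret names are assumptions, not names from the PR.

```python
import re

# Constructed sample of Cryostat Pod startup log lines, modelled on the two
# lines the test steps say to look for. "other-ca" is an assumed Secret whose
# import is logged as started but never confirmed.
SAMPLE_LOG = """\
Importing certificate /truststore/fib-tls/..2024_11_27_20_47_48.3800988412/vertx-fib-demo.cer ...
Certificate was added to keystore
Importing certificate /truststore/other-ca/..2024_11_27_20_47_48.3800988412/ca.pem ...
Importing certificate /truststore/fib-tls/..2024_11_27_20_47_48.3800988412/second.cer ...
Certificate was added to keystore
"""

# Secret name is the first path element under /truststore/; the projected
# volume's timestamped directory (and any other intermediate dirs) is skipped.
IMPORT_RE = re.compile(
    r"^Importing certificate /truststore/(?P<secret>[^/]+)/(?:[^/]+/)*(?P<file>[^/\s]+) \.\.\.$"
)
ADDED_LINE = "Certificate was added to keystore"


def parse_secret_names(value: str) -> list[str]:
    """Parse the Helm --set list syntax used in step 3, e.g. '{fib-tls,other-ca}'."""
    inner = value.strip().strip("'\"")
    if inner.startswith("{") and inner.endswith("}"):
        inner = inner[1:-1]
    return [s.strip() for s in inner.split(",") if s.strip()]


def check_truststore_imports(log: str, expected_secrets: list[str]) -> dict:
    """Classify each expected Secret as imported (all files confirmed),
    failed (at least one import not confirmed) or missing (never attempted)."""
    attempted: dict[str, list[tuple[str, bool]]] = {}
    lines = log.splitlines()
    for i, line in enumerate(lines):
        m = IMPORT_RE.match(line.strip())
        if not m:
            continue
        # An import counts as confirmed only if the very next line is the keystore ack.
        confirmed = i + 1 < len(lines) and lines[i + 1].strip() == ADDED_LINE
        attempted.setdefault(m["secret"], []).append((m["file"], confirmed))
    imported = sorted(s for s, files in attempted.items() if all(ok for _, ok in files))
    failed = sorted(s for s, files in attempted.items() if not all(ok for _, ok in files))
    missing = sorted(s for s in expected_secrets if s not in attempted)
    return {"imported": imported, "failed": failed, "missing": missing}


if __name__ == "__main__":
    print(check_truststore_imports(SAMPLE_LOG, parse_secret_names("'{fib-tls,other-ca,absent-secret}'")))
```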

@mergify mergify bot added the safe-to-test label Nov 27, 2024
@andrewazores andrewazores added the feat New feature or request label Nov 27, 2024
@andrewazores andrewazores marked this pull request as ready for review November 27, 2024 20:57
@andrewazores andrewazores requested a review from a team November 27, 2024 20:58
@tthvo tthvo left a comment

Makes sense to me! I have similar comments for this PR as in #215 :D

Successfully merging this pull request may close these issues.

[Task] Declarative TLS trusted certs