From 404547d215e5a8f31d3c73a866c0038f81a43b1a Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Wed, 27 Nov 2024 15:49:30 -0500
Subject: [PATCH 1/3] feat(truststore): declarative configuration of TLS trusted certificate Secrets
---
 charts/cryostat/README.md | 1 +
 .../cryostat/templates/cryostat_deployment.yaml | 11 +++++++++++
 charts/cryostat/values.schema.json | 16 ++++++++++++++++
 charts/cryostat/values.yaml | 4 ++++
 4 files changed, 32 insertions(+)
diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
index 6234921..2bebe0b 100644
--- a/charts/cryostat/README.md
+++ b/charts/cryostat/README.md
@@ -84,6 +84,7 @@ helm install cryostat ./charts/cryostat
 | `core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` |
 | `core.discovery.kubernetes.builtInPortNumbersDisabled` | When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. | `false` |
 | `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` |
+| `core.config.tlsTruststore.secretNames` | List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore. | `[]` |
 ### Report Generator Deployment
diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml
index cb0fbca..30a22df 100644
--- a/charts/cryostat/templates/cryostat_deployment.yaml
+++ b/charts/cryostat/templates/cryostat_deployment.yaml
@@ -141,6 +141,12 @@ spec:
 failureThreshold: 18
 resources:
 {{- toYaml .Values.core.resources | nindent 12 }}
+ volumeMounts:
+ {{- range .Values.core.config.tlsTruststore.secretNames }}
+ - name: {{ . }}
+ mountPath: /truststore/{{ . }}
+ readOnly: true
+ {{- end }}
 - name: {{ printf "%s-%s" .Chart.Name "grafana" }}
 securityContext:
 {{- toYaml .Values.grafana.securityContext | nindent 12 }}
@@ -216,3 +222,8 @@ spec:
 secret:
 secretName: {{ .Release.Name }}-proxy-tls
 {{- end }}
+ {{- range .Values.core.config.tlsTruststore.secretNames }}
+ - name: {{ . }}
+ secret:
+ secretName: {{ . }}
+ {{- end }}
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json
index 88c3baf..d622fee 100644
--- a/charts/cryostat/values.schema.json
+++ b/charts/cryostat/values.schema.json
@@ -258,6 +258,22 @@
 }
 }
 }
+ },
+ "config": {
+ "type": "object",
+ "properties": {
+ "tlsTruststore": {
+ "type": "object",
+ "properties": {
+ "secretNames": {
+ "type": "array",
+ "description": "List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore.",
+ "default": [],
+ "items": {}
+ }
+ }
+ }
+ }
 }
 }
 },
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
index 79fdd4d..894cdd8 100644
--- a/charts/cryostat/values.yaml
+++ b/charts/cryostat/values.yaml
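Review bot: `"items": {}` in the new `secretNames` schema accepts list entries of any type, so a number or a nested mapping passes chart validation at install time and is only rejected later, when the rendered `secretName` reaches the API server with a less obvious error. Constraining the entries with `"items": { "type": "string" }` moves that failure to `helm install`/`helm lint` time with a message that points at the value. A `pattern` matching Kubernetes object-name rules could tighten it further, but a string type is the minimum worth having.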
@@ -85,6 +85,10 @@ core:
 builtInPortNumbersDisabled: false
 ## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable
 portNumbers: []
+ config:
+ tlsTruststore:
+ ## @param core.config.tlsTruststore.secretNames [array] List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore.
+ secretNames: []
 ## @section Report Generator Deployment
 ## @extra reports Configuration for the Reports Generator deployment
From 8554e111f27175d876659bfcbec01fd2aa37167b Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Wed, 27 Nov 2024 15:56:43 -0500
Subject: [PATCH 2/3] test
---
 .../tests/cryostat_deployment_test.yaml | 27 +++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml
index 0548fc7..48340af 100644
--- a/charts/cryostat/tests/cryostat_deployment_test.yaml
+++ b/charts/cryostat/tests/cryostat_deployment_test.yaml
@@ -180,6 +180,8 @@ tests:
 requests:
 cpu: 500m
 memory: 384Mi
+ - notExists:
+ path: spec.template.spec.contains[?(@.name=='cryostat')].volumeMounts
 - it: should set log level
 set:
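Review bot: The `notExists` path on the added assertion reads `spec.template.spec.contains[...]` rather than `containers[...]`, so it matches nothing and passes no matter what the template renders; it should be `path: spec.template.spec.containers[?(@.name=='cryostat')].volumeMounts`. Once PATCH 3/3 makes the `declarative-trusted-tls-certs` mount unconditional, the corrected assertion would fail on the default empty `secretNames`, so either the template guards the mount on a non-empty list or this expectation becomes an `equal` on the single fixed entry. The test case this assertion belongs to starts outside the hunk.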
@@ -514,3 +516,28 @@ tests:
 path: spec.template.spec.containers[?(@.name=='cryostat-jfr-datasource')].imagePullPolicy
 value: "IfNotPresent"
+ - it: should add volume mounts for declarative TLS truststore
+ set:
+ core.config.tlsTruststore.secretNames: ['a', 'b']
+ asserts:
+ - equal:
+ path: spec.template.spec.containers[?(@.name=='cryostat')].volumeMounts
+ value:
+ - name: a
+ mountPath: /truststore/a
+ readOnly: true
+ - name: b
+ mountPath: /truststore/b
+ readOnly: true
+ - equal:
+ path: spec.template.spec.volumes
+ value:
+ - name: alpha-config
+ configMap:
+ name: RELEASE-NAME-alpha-config
+ - name: a
+ secret:
+ secretName: a
+ - name: b
+ secret:
+ secretName: b
From c400d0dd88e7ed60b81fc6ead01c37dcb5702b3d Mon Sep 17 00:00:00 2001
From: Andrew Azores
Date: Wed, 4 Dec 2024 14:11:22 -0500
Subject: [PATCH 3/3] projected volume
---
 charts/cryostat/README.md | 1 +
 .../templates/cryostat_deployment.yaml | 20 ++++++++--------
 .../tests/cryostat_deployment_test.yaml | 23 ++++++++++---------
 charts/cryostat/values.schema.json | 10 ++++++++
 charts/cryostat/values.yaml | 3 +++
 5 files changed, 37 insertions(+), 20 deletions(-)
diff --git a/charts/cryostat/README.md b/charts/cryostat/README.md
index 2bebe0b..2ee22f4 100644
--- a/charts/cryostat/README.md
+++ b/charts/cryostat/README.md
@@ -84,6 +84,7 @@ helm install cryostat ./charts/cryostat
 | `core.discovery.kubernetes.portNames` | List of port names that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` |
 | `core.discovery.kubernetes.builtInPortNumbersDisabled` | When false and `portNumbers` is empty, the Cryostat application will use the default port number `9091` to look for JMX connectable targets. | `false` |
 | `core.discovery.kubernetes.portNumbers` | List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable | `[]` |
+| `core.config.declarative.fsMode` | default filesystem mode (permissions) for declarative configuration volumes | `440` |
 | `core.config.tlsTruststore.secretNames` | List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore. | `[]` |
 ### Report Generator Deployment
diff --git a/charts/cryostat/templates/cryostat_deployment.yaml b/charts/cryostat/templates/cryostat_deployment.yaml
index 30a22df..337729e 100644
--- a/charts/cryostat/templates/cryostat_deployment.yaml
+++ b/charts/cryostat/templates/cryostat_deployment.yaml
@@ -142,11 +142,9 @@ spec:
 resources:
 {{- toYaml .Values.core.resources | nindent 12 }}
 volumeMounts:
- {{- range .Values.core.config.tlsTruststore.secretNames }}
- - name: {{ . }}
- mountPath: /truststore/{{ . }}
+ - name: declarative-trusted-tls-certs
+ mountPath: /truststore
 readOnly: true
- {{- end }}
 - name: {{ printf "%s-%s" .Chart.Name "grafana" }}
 securityContext:
 {{- toYaml .Values.grafana.securityContext | nindent 12 }}
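Review bot: With the `range` removed, the `declarative-trusted-tls-certs` mount is rendered unconditionally, so a release with the default empty `secretNames` still mounts an empty projected volume at `/truststore` and every existing Deployment changes on upgrade; this also contradicts the `notExists volumeMounts` assertion added in PATCH 2/3. Wrapping the `volumeMounts:` key and its entry in `{{- if .Values.core.config.tlsTruststore.secretNames }}` … `{{- end }}`, and guarding the matching volume in the later hunk of this file the same way, keeps the default manifest identical to the previous one. The container spec this mount belongs to starts outside the hunk.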
@@ -222,8 +220,12 @@ spec:
 secret:
 secretName: {{ .Release.Name }}-proxy-tls
 {{- end }}
- {{- range .Values.core.config.tlsTruststore.secretNames }}
- - name: {{ . }}
- secret:
- secretName: {{ . }}
- {{- end }}
+ - name: declarative-trusted-tls-certs
+ projected:
+ defaultMode: {{ .Values.core.config.declarative.fsMode }}
+ sources:
+ {{- range .Values.core.config.tlsTruststore.secretNames }}
+ - secret:
+ secretName: {{ . }}
+ optional: false
+ {{- end }}
diff --git a/charts/cryostat/tests/cryostat_deployment_test.yaml b/charts/cryostat/tests/cryostat_deployment_test.yaml
index 48340af..680b53c 100644
--- a/charts/cryostat/tests/cryostat_deployment_test.yaml
+++ b/charts/cryostat/tests/cryostat_deployment_test.yaml
@@ -523,11 +523,8 @@ tests:
 - equal:
 path: spec.template.spec.containers[?(@.name=='cryostat')].volumeMounts
 value:
- - name: a
- mountPath: /truststore/a
- readOnly: true
- - name: b
- mountPath: /truststore/b
+ - name: declarative-trusted-tls-certs
+ mountPath: /truststore
 readOnly: true
 - equal:
 path: spec.template.spec.volumes
@@ -535,9 +532,13 @@ tests:
 - name: alpha-config
 configMap:
 name: RELEASE-NAME-alpha-config
- - name: a
- secret:
- secretName: a
- - name: b
- secret:
- secretName: b
+ - name: declarative-trusted-tls-certs
+ projected:
+ defaultMode: 0440
+ sources:
+ - secret:
+ secretName: a
+ optional: false
+ - secret:
+ secretName: b
+ optional: false
diff --git a/charts/cryostat/values.schema.json b/charts/cryostat/values.schema.json
index d622fee..f600e23 100644
--- a/charts/cryostat/values.schema.json
+++ b/charts/cryostat/values.schema.json
@@ -262,6 +262,16 @@
 "config": {
 "type": "object",
 "properties": {
+ "declarative": {
+ "type": "object",
+ "properties": {
+ "fsMode": {
+ "type": "number",
+ "description": "default filesystem mode (permissions) for declarative configuration volumes",
+ "default": 440
+ }
+ }
+ },
 "tlsTruststore": {
 "type": "object",
 "properties": {
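Review bot: The projected volume flattens every listed Secret into the one `/truststore` directory keyed by Secret data key, and nothing here detects collisions; if two Secrets both carry a key such as `ca.crt`, only one file survives (as far as I recall the kubelet's projection is last-source-wins, which should be confirmed) and the dropped certificate shows up only as a TLS failure against that target. `optional: false` is the right fail-closed choice — a typo in a Secret name blocks the pod rather than silently shrinking the truststore — and is worth keeping. The constraint belongs next to the value: a comment on `secretNames` in values.yaml such as `## keys must be unique across all listed Secrets; each key becomes one file under /truststore` would tell users before they hit it.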
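Review bot: The documented default for `fsMode` is the decimal number `440` (`"default": 440` here and in the README hunk), but values.yaml in the final hunk writes `fsMode: 0440`, which the chart's YAML parser most likely reads as octal, i.e. 288 — the decimal form Kubernetes `defaultMode` expects for mode 0440. A user who copies the documented `440` into their values gets decimal 440, octal 0670, a group-writable truststore instead of the read-only one intended. Declaring it as `"type": "integer", "minimum": 0, "maximum": 511` and documenting the default as the decimal `288` (or stating that the octal literal `0440` is required) keeps the three places consistent; I have not verified how a leading-zero literal is parsed on the `--set` path, so a unit test for it would be worthwhile.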
diff --git a/charts/cryostat/values.yaml b/charts/cryostat/values.yaml
index 894cdd8..34df797 100644
--- a/charts/cryostat/values.yaml
+++ b/charts/cryostat/values.yaml
@@ -86,6 +86,9 @@ core:
 ## @param core.discovery.kubernetes.portNumbers [array] List of port numbers that the Cryostat application should look for in order to consider a target as JMX connectable
 portNumbers: []
 config:
+ declarative:
+ ## @param core.config.declarative.fsMode default filesystem mode (permissions) for declarative configuration volumes
+ fsMode: 0440
 tlsTruststore:
 ## @param core.config.tlsTruststore.secretNames [array] List of Secret names. Each Secret is expected to contain one or more files, which are TLS certificates which target applications may use for their JMX servers, to be mounted to the Cryostat container for its TLS truststore.
 secretNames: []