From 3220a9d87eabd3bb6b825f194fbd185e6ae3d4c0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Alfredo=20Espa=C3=B1a?=
Date: Sat, 1 Oct 2022 11:11:55 -0600
Subject: [PATCH] Add support for custom CA certs and volumes (#38)

* Add support for custom CA certs and volumes

---
 README.md | 128 ++++++++++++++++++++++++++++-
 templates/deployment-api.yaml | 8 ++
 templates/deployment-executor.yaml | 8 ++
 templates/deployment-registry.yaml | 8 ++
 templates/secrets-certs.yaml | 12 +++
 values.schema.json | 42 ++++++++++
 6 files changed, 205 insertions(+), 1 deletion(-)
 create mode 100644 templates/secrets-certs.yaml

diff --git a/README.md b/README.md
index a669d7e..4d9cdc2 100644
--- a/README.md
+++ b/README.md
@@ -202,6 +202,7 @@ Once you have completed the above steps you can complete the file values.yaml to
 | security.dexClientScope | Yes | Use "email openid profile offline_access groups" |
 | security.dexIssuerUri | Yes | Should be "https://apiDomain/dex" |
 | security.gcpCredentials | No | JSON Credentials for Google Identity Authentication |
+| security.caCerts | No | Custom CA certificates to be added at runtime |
 | storage.gcp.projectId | No | GCP Project Id for the storage |
 | storage.gcp.bucketName | No | GCP Bucket name for the storage |
 | storage.gcp.credentials | No | GCP JSON Credentials for the storage |
@@ -225,6 +226,9 @@ Once you have completed the above steps you can complete the file values.yaml to
 | api.version | Yes | Terrakube API version |
 | api.replicaCount | Yes | |
 | api.serviceType | Yes | |
+| api.env | No | |
+| api.volumes | No | |
+| api.volumeMounts | No | |
 | api.properties.databaseType | Yes | H2/SQL_AZURE/POSTGRESQL/MYSQL |
 | api.properties.databaseHostname | No | |
 | api.properties.databaseName | No | |
@@ -234,12 +238,18 @@ Once you have completed the above steps you can complete the file values.yaml to
 | executor.version | Yes | Terrakube Executor version |
 | executor.replicaCount | Yes | |
 | executor.serviceType | Yes | ClusterIP/NodePort/LoadBalancer/ExternalName |
+| executor.env | No | |
+| executor.volumes | No | |
+| executor.volumeMounts | No | |
 | executor.properties.toolsRepository | Yes | Example: https://github.com/AzBuilder/terrakube-extensions |
 | executor.properties.toolsBranch | Yes | Example: main |
 | registry.enabled | Yes | |
 | registry.version | Yes | |
 | registry.replicaCount | Yes | |
 | registry.serviceType | Yes | ClusterIP/NodePort/LoadBalancer/ExternalName |
+| registry.env | No | |
+| registry.volumes | No | |
+| registry.volumeMounts | No | |
 | ui.enabled | Yes | true/false |
 | ui.version | Yes | |
 | ui.replicaCount | Yes | |
@@ -308,7 +318,123 @@ api: databaseType: "H2" ``` -### 5. Deploy Terrakube using helm chart +### 5. Custom CA certificates at runtime + +To add custom CA certificate to Terrakube components use the folowing configuration example: + +Example property ***security.caCerts*** + +``` +security: + ..... + caCerts: + terrakubeDemo1.pem: | + -----BEGIN CERTIFICATE----- + + CERTIFICATE DATA + + -----END CERTIFICATE----- + terrakubeDemo2.pem: | + -----BEGIN CERTIFICATE----- + + CERTIFICATE DATA + + -----END CERTIFICATE----- + .... +``` + +Terrakube components configuration with custom CA certificates: + +```yaml +## API properties +api: + enabled: true + version: "2.7.0" + replicaCount: "1" + serviceType: "ClusterIP" + env: + - name: SERVICE_BINDING_ROOT + value: /mnt/platform/bindings + volumes: + - name: ca-certs + secret: + secretName: terrakube-ca-secrets + items: + - key: "terrakubeDemo1.pem" + path: "terrakubeDemo1.pem" + - key: "terrakubeDemo2.pem" + path: "terrakubeDemo2.pem" + - key: "type" + path: "type" + volumeMounts: + - name: ca-certs + mountPath: /mnt/platform/bindings/ca-certificates + readOnly: true + properties: + databaseType: "H2" + + +## Executor properties +executor: + enabled: true + version: "2.7.0" + replicaCount: "1" + serviceType: "ClusterIP" + env: + - name: SERVICE_BINDING_ROOT + value: /mnt/platform/bindings + volumes: + - name: ca-certs + secret: + secretName: terrakube-ca-secrets + items: + - key: "terrakubeDemo1.pem" + path: "terrakubeDemo1.pem" + - key: "terrakubeDemo2.pem" + path: "terrakubeDemo2.pem" + - key: "type" + path: "type" + volumeMounts: + - name: ca-certs + mountPath: /mnt/platform/bindings/ca-certificates + readOnly: true + properties: + toolsRepository: "https://github.com/AzBuilder/terrakube-extensions" + toolsBranch: "main" + +## Registry properties +registry: + enabled: true + version: "2.7.0" + replicaCount: "1" + serviceType: "ClusterIP" + env: + - name: SERVICE_BINDING_ROOT + value: /mnt/platform/bindings + volumes: + - 
name: ca-certs + secret: + secretName: terrakube-ca-secrets + items: + - key: "terrakubeDemo1.pem" + path: "terrakubeDemo1.pem" + - key: "terrakubeDemo2.pem" + path: "terrakubeDemo2.pem" + - key: "type" + path: "type" + volumeMounts: + - name: ca-certs + mountPath: /mnt/platform/bindings/ca-certificates + readOnly: true +``` + +If the configuration is correct the pods log will show something like this: + +``` +Added 2 additional CA certificate(s) to system truststore +``` + +### 6. Deploy Terrakube using helm chart Now you have all the information to deploy Terrakube, you can use the following example: diff --git a/templates/deployment-api.yaml b/templates/deployment-api.yaml index 5b6b52f..d2775b9 100644 --- a/templates/deployment-api.yaml +++ b/templates/deployment-api.yaml @@ -27,6 +27,10 @@ spec: env: {{- toYaml . | nindent 8 }} {{- end }} + volumeMounts: + {{- with .Values.api.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} envFrom: - secretRef: name: terrakube-api-secrets @@ -60,4 +64,8 @@ spec: nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.api.volumes }} + volumes: + {{- toYaml . | nindent 6 }} + {{- end }} {{ end }} \ No newline at end of file diff --git a/templates/deployment-executor.yaml b/templates/deployment-executor.yaml index 7b388fb..fbd100b 100644 --- a/templates/deployment-executor.yaml +++ b/templates/deployment-executor.yaml @@ -27,6 +27,10 @@ spec: env: {{- toYaml . | nindent 8 }} {{- end }} + volumeMounts: + {{- with .Values.executor.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} envFrom: - secretRef: name: terrakube-executor-secrets @@ -60,4 +64,8 @@ spec: nodeSelector: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.executor.volumes }} + volumes: + {{- toYaml . | nindent 6 }} + {{- end }} {{ end }} \ No newline at end of file diff --git a/templates/deployment-registry.yaml b/templates/deployment-registry.yaml index 3042eec..5720577 100644 --- a/templates/deployment-registry.yaml 
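Review bot: In the first hunk of templates/deployment-api.yaml the `volumeMounts:` key is emitted outside the `{{- with .Values.api.volumeMounts }}` guard, so a release that sets no mounts still renders a bare `volumeMounts:` key with a null value on the container, whereas the `volumes:` key added in the second hunk is correctly placed inside its `with`. Swapping the first two added lines so they read `{{- with .Values.api.volumeMounts }}` followed by `volumeMounts:` makes the two blocks consistent and avoids a null list that stricter manifest validators may reject. The same shape is repeated in templates/deployment-executor.yaml and templates/deployment-registry.yaml and should be fixed there as well. The mounts are rendered with `nindent 12` while the neighbouring `env` list uses `nindent 8`; the collapsed hunk hides the keys' indentation, so the rendered output is worth confirming with `helm template` before merging.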
+++ b/templates/deployment-registry.yaml
@@ -27,6 +27,10 @@ spec:
 env:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ volumeMounts:
+ {{- with .Values.registry.volumeMounts }}
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
 envFrom:
 - secretRef:
 name: terrakube-registry-secrets
@@ -60,4 +64,8 @@ spec:
 nodeSelector:
 {{- toYaml . | nindent 8 }}
 {{- end }}
+ {{- with .Values.registry.volumes }}
+ volumes:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
 {{ end }}
\ No newline at end of file
diff --git a/templates/secrets-certs.yaml b/templates/secrets-certs.yaml
new file mode 100644
index 0000000..badc7b1
--- /dev/null
+++ b/templates/secrets-certs.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: terrakube-ca-secrets
+type: Opaque
+stringData:
+ type: |
+ ca-certificates
+
+ {{- with .Values.security.caCerts }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
\ No newline at end of file
diff --git a/values.schema.json b/values.schema.json
index ce55be0..70ab142 100644
--- a/values.schema.json
+++ b/values.schema.json
@@ -36,6 +36,12 @@
 "adminGroup": {
 "description": "Terrakube Administrators Group",
 "type": "string"
+ },
+ "caCerts": {
+ "type": "object",
+ "items": {
+ "type": "object"
+ }
 }
 }
 },
@@ -206,6 +212,18 @@
 "type": "object"
 }
 },
+ "volumes": {
+ "type": "array",
+ "items": {
+ "type": "object"
+ }
+ },
+ "volumeMounts": {
+ "type": "array",
+ "items": {
+ "type": "object"
+ }
+ },
 "properties": {
 "type": "object",
 "required": ["databaseType", "databaseHostname", "databaseName", "databaseUser", "databasePassword"],
@@ -275,6 +293,18 @@
 "type": "object"
 }
 },
+ "volumes": {
+ "type": "array",
+ "items": {
+ "type": "object"
+ }
+ },
+ "volumeMounts": {
+ "type": "array",
+ "items": {
+ "type": "object"
+ }
+ },
 "properties": {
 "type": "object",
 "required": ["toolsRepository", "toolsBranch"],
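Review bot: templates/secrets-certs.yaml renders the `terrakube-ca-secrets` Secret unconditionally, so a release that never sets `security.caCerts` still creates a Secret holding only the `type: ca-certificates` marker; only the key list inside it is guarded by the `with`. Wrapping the whole document in `{{- if .Values.security.caCerts }}` … `{{- end }}` ties the Secret's existence to the values that populate it. The keys of `security.caCerts` are copied verbatim into `stringData` and reused as file names by the `items` in the README example, and according to that README the mounted files are added to each component's system truststore at startup, so a header comment such as `# Custom CA bundle trusted by api, executor and registry; populated from security.caCerts` would make the trust impact of editing this values key visible to the next maintainer.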
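Review bot: The new `caCerts` entry in values.schema.json declares `"type": "object"` but constrains its contents with `"items"`, which JSON Schema applies only to arrays, so the certificate values are not validated at all and a non-string entry is noticed only when the API server rejects the rendered Secret. Replacing the `items` block with `"additionalProperties": { "type": "string" }` makes `helm lint` and `helm install` fail early when an entry is not a PEM string. The `volumes` and `volumeMounts` entries added in the later hunks of this file use `items` on `"type": "array"`, which is the correct form.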
@@ -330,6 +360,18 @@
 "items": {
 "type": "object"
 }
+ },
+ "volumes": {
+ "type": "array",
+ "items": {
+ "type": "object"
+ }
+ },
+ "volumeMounts": {
+ "type": "array",
+ "items": {
+ "type": "object"
+ }
 }
 }
 }