Merge pull request #5 from GitGuardian/ggueutier/web-tunnel

Ggueutier/web tunnel

README.md

@@ -57,7 +57,7 @@ services:
 Here is an example of a Helm values file to deploy the ggbridge client:
 
 ```yaml
-subdomain: my-subdomain
+hostname: my-subdomain.ggbridge.gitguardian.com
 
 tls:
   enabled: true

helm/ggbridge/files/nginx.conf

@@ -1,3 +1,5 @@
+{{- $tunnels :=  ternary .Values.server.tunnels .Values.client.tunnels (eq .Values.mode "server") -}}
+
 load_module "/usr/lib/nginx/modules/ngx_stream_module.so";
 
 worker_processes 1;
@@ -10,15 +12,20 @@ events {
 }
 
 http {
-    log_format main '$remote_addr - $remote_user [$time_local] '
-                             '"$request" $status $body_bytes_sent '
-                             '"$http_referer" "$http_user_agent"';
+    log_format health 'health $remote_addr [$time_local] '
+                        '127.0.0.1 ' '"$request" $status $body_bytes_sent '
+                        '"$http_referer" "$http_user_agent"';
 
-    access_log /dev/stdout main;
+    log_format web 'web $remote_addr [$time_local] '
+                        '$web_host ' '"$request" $status $body_bytes_sent '
+                        '"$http_referer" "$http_user_agent"';
 
+    # health server
     server {
         listen 127.0.0.1:{{ .Values.proxy.service.ports.health.remoteContainerPort }};
 
+        access_log /dev/stdout health;
+
         location / {
             return 404;
         }
@@ -28,29 +35,67 @@ http {
             return 200 "OK\n";
         }
     }
+
+    {{- if $tunnels.web.enabled }}
+    map $host $web_host {
+        {{- range $tunnels.web.listeners }}
+        {{ printf "%s %s;" .hostname (default .hostname .upstream) }}
+        {{- end }}
+        default $host;
+    }
+
+    # web proxy server
+    server {
+        listen {{ .Values.proxy.service.ports.web.containerPort }};
+
+        access_log /dev/stdout web;
+
+        location / {
+            proxy_pass https://127.0.0.1:{{ .Values.proxy.service.ports.web.internalPort }};
+
+            proxy_ssl_server_name on;
+            proxy_ssl_name $web_host;
+
+            {{- if or .Values.caBundle.certs .Values.caBundle.existingSecret }}
+            proxy_ssl_verify on;
+            proxy_ssl_trusted_certificate /ca-certs/ca-bundle.crt;
+            {{- end }}
+
+            proxy_set_header Host $web_host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        }
+    }
+    {{- end }}
 }
 
 stream {
-    log_format main '$proxy_protocol_addr - $remote_addr [$time_local] '
-                    '$protocol $status $bytes_sent $bytes_received '
-                    '$session_time "$upstream_addr" '
-                      '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+    log_format stream 'stream $proxy_protocol_addr - $remote_addr [$time_local] '
+                        '$protocol $status $bytes_sent $bytes_received '
+                        '$session_time "$upstream_addr" '
+                        '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
 
-    access_log /dev/stdout main;
+    access_log /dev/stdout stream;
 
     map $ssl_preread_server_name $backend_name {
-        {{ range $config := .Values.proxy.service.ports.tls.hosts }}
-        {{ printf "%s %s:%d;" $config.host $config.host ($config.port | int) }}
-        {{ end }}
+        {{- if .Values.whitelist }}
+            {{- range $hostname := .Values.whitelist }}
+        {{ printf "%s %s:443;" $hostname $hostname }}
+            {{- end }}
+        {{- else }}
+        default $ssl_preread_server_name;
+        {{- end }}
     }
 
     resolver {{ printf "kube-dns.kube-system.svc.%s" .Values.clusterDomain }} valid=30s;
     resolver_timeout 5s;
 
+    ### web/tls stream server
+    # Forwards TLS requests originating from web or tls tunnels.
     server {
         listen 127.0.0.1:{{ .Values.proxy.service.ports.tls.remoteContainerPort }} proxy_protocol;
         ssl_preread on;
         proxy_pass $backend_name;
-        proxy_protocol {{ ternary "on" "off" .Values.proxy.service.ports.tls.proxyProtocolEnabled }};
+        proxy_protocol {{ ternary "on" "off" .Values.proxyProtocol.enabled }};
     }
 }

helm/ggbridge/files/proxy/nginx.conf

@@ -36,15 +36,15 @@ stream {
     log_format main '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time "$upstream_addr" '
-                      '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
+                    '"$upstream_bytes_sent" "$upstream_bytes_received" "$upstream_connect_time"';
 
     access_log /dev/stdout main;
 
     resolver {{ printf "kube-dns.kube-system.svc.%s" $clusterDomain }} valid=30s;
     resolver_timeout 5s;
 
-    {{ range $protocol, $config := $ports }}
-    upstream {{ $protocol }} {
+    {{ range $tunnel, $config := $ports }}
+    upstream {{ $tunnel }} {
         {{- range $idx := until ($context.Values.deploymentCount | int) }}
           {{- $indexProxyFullname := printf "%s-proxy-%d" $fullname ($idx | int) }}
           {{- $weight := ternary 100 1 (eq $idx $index) }}
@@ -53,10 +53,10 @@ stream {
     }
     {{ end }}
 
-    {{ range $protocol, $config := $ports }}
+    {{ range $tunnel, $config := $ports }}
     server {
         listen {{ $config.containerPort }};
-        proxy_pass {{ $protocol }};
+        proxy_pass {{ $tunnel }};
         proxy_timeout 600s;
         proxy_connect_timeout 5s;
     }

helm/ggbridge/templates/_helpers.tpl

@@ -476,23 +476,38 @@ Returns server ingress annotations
 {{- end -}}
 
 {{/*
-Returns proxy ingress annotations
-{{ include "ggbridge.proxy.ingress.annotations" $ }}
+Returns proxy TLS ingress annotations
+{{ include "ggbridge.proxy.tls.ingress.annotations" $ }}
 */}}
-{{- define "ggbridge.proxy.ingress.annotations" -}}
+{{- define "ggbridge.proxy.ingress.tls.annotations" -}}
 {{- $annotations := dict -}}
-{{- if eq .Values.proxy.ingress.controller "nginx" -}}
+{{- if eq .Values.proxy.ingress.tls.controller "nginx" -}}
   {{- $_ := set $annotations "nginx.ingress.kubernetes.io/backend-protocol" "HTTPS" -}}
   {{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-passthrough" "true" -}}
   {{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" -}}
-{{- else if .Values.proxy.ingress.controller "aws" -}}
-  {{- $_ := set $annotations "service.beta.kubernetes.io/aws-load-balancer-type" "nlb" -}}
-  {{- $_ := set $annotations "service.beta.kubernetes.io/aws-load-balancer-scheme" "internal" -}}
-  {{- $_ := set $annotations "service.beta.kubernetes.io/aws-load-balancer-backend-protocol" "tcp" -}}
-  {{- $_ := set $annotations "service.beta.kubernetes.io/aws-load-balancer-ssl-ports" "443" -}}
-  {{- $_ := set $annotations "service.beta.kubernetes.io/aws-load-balancer-proxy-protocol" "*" -}}
-{{- end -}}
-{{- $annotations = include "ggbridge.tplvalues.merge" ( dict "values" ( list .Values.proxy.ingress.annotations $annotations .Values.commonAnnotations ) "context" . ) | fromYaml -}}
+{{- end -}}
+{{- $annotations = include "ggbridge.tplvalues.merge" ( dict "values" ( list .Values.proxy.ingress.tls.annotations $annotations .Values.commonAnnotations ) "context" . ) | fromYaml -}}
+{{ include "ggbridge.tplvalues.render" ( dict "value" $annotations "context" .) }}
+{{- end -}}
+
+{{/*
+Returns proxy WEB ingress annotations
+{{ include "ggbridge.proxy.web.ingress.annotations" $ }}
+*/}}
+{{- define "ggbridge.proxy.ingress.web.annotations" -}}
+{{- $proxyFullname := include "ggbridge.proxy.fullname" . }}
+{{- $tunnel :=  ternary .Values.server.tunnels.web .Values.client.tunnels.web (eq .Values.mode "server") -}}
+{{- $annotations := dict -}}
+{{- if eq .Values.proxy.ingress.web.controller "traefik" -}}
+  {{- if $tunnel.tls.enabled -}}
+    {{- $_ := set $annotations "traefik.ingress.kubernetes.io/router.middlewares" (printf "%s-%s-web@kubernetescrd" .Release.Namespace $proxyFullname ) -}}
+  {{- end }}
+{{- else if eq .Values.proxy.ingress.web.controller "nginx" -}}
+  {{- if $tunnel.tls.enabled -}}
+    {{- $_ := set $annotations "nginx.ingress.kubernetes.io/ssl-redirect" "true" -}}
+  {{- end }}
+{{- end -}}
+{{- $annotations = include "ggbridge.tplvalues.merge" ( dict "values" ( list .Values.proxy.ingress.web.annotations $annotations .Values.commonAnnotations ) "context" . ) | fromYaml -}}
 {{ include "ggbridge.tplvalues.render" ( dict "value" $annotations "context" .) }}
 {{- end -}}
 

helm/ggbridge/templates/client/deployment.yaml

@@ -51,7 +51,7 @@ spec:
       securityContext:
         {{- toYaml (omit $.Values.podSecurityContext "enabled") | nindent 8 }}
       {{- end }}
-      {{- if and $.Values.tls.enabled $.Values.client.tlsVerifyCert }}
+      {{- if or (or $.Values.caBundle.certs $.Values.caBundle.existingSecret) (and $.Values.tls.enabled $.Values.client.tlsVerifyCert) }}
       initContainers:
         - name: ca
           {{- if $.Values.containerSecurityContext.enabled }}
@@ -63,17 +63,28 @@ spec:
           command: ["/bin/sh", "-c"]
           args:
             - |
+              set -x
               cat $SSL_CERT_FILE > /ca-certs/ca-bundle.crt
+              if [ -s /ca-bundle/ca-bundle.crt ]; then
+                cat /ca-bundle/ca-bundle.crt  >> /ca-certs/ca-bundle.crt
+              fi
               if [ -s /certs/ca.crt ]; then
                 cat /certs/ca.crt  >> /ca-certs/ca-bundle.crt
               fi
               chmod 0444 /ca-certs/ca-bundle.crt
           volumeMounts:
             - name: ca-certs
               mountPath: /ca-certs
+            {{- if or $.Values.caBundle.certs $.Values.caBundle.existingSecret }}
+            - name: ca-bundle
+              mountPath: /ca-bundle
+              readOnly: true
+            {{- end }}
+            {{- if $.Values.tls.enabled }}
             - name: tls-secret
               mountPath: /certs
               readOnly: true
+            {{- end }}
       {{- end }}
       containers:
         - name: ggbridge
@@ -104,7 +115,7 @@ spec:
             - name: TLS_ENABLED
               value: {{ $.Values.tls.enabled | quote }}
             - name: TLS_VERIFY_CERTIFICATE
-              value: {{ (and $.Values.tls.enabled $.Values.client.tlsVerifyCert) | quote }}
+              value: {{ (and $.Values.tls.enabled $.Values.tls.verifyCert) | quote }}
             - name: NGINX_EMBEDDED
               value: "false"
             {{- with $.Values.dnsResolver }}
@@ -123,21 +134,29 @@ spec:
               value: {{ $.Values.client.tunnels.socks.enabled | quote }}
             - name: CLIENT_TUNNEL_TLS_ENABLED
               value: {{ $.Values.client.tunnels.tls.enabled | quote }}
+            - name: CLIENT_TUNNEL_WEB_ENABLED
+              value: {{ $.Values.client.tunnels.web.enabled | quote }}
             - name: SERVER_TUNNEL_SOCKS_ENABLED
               value: {{ $.Values.server.tunnels.socks.enabled | quote }}
             - name: SERVER_TUNNEL_TLS_ENABLED
               value: {{ $.Values.server.tunnels.tls.enabled | quote }}
+            - name: SERVER_TUNNEL_WEB_ENABLED
+              value: {{ $.Values.server.tunnels.web.enabled | quote }}
+            - name: TUNNEL_HEALTH_PORT
+              value: {{ $.Values.proxy.service.ports.health.containerPort | quote }}
+            - name: TUNNEL_HEALTH_REMOTE_PORT
+              value: {{ $.Values.proxy.service.ports.health.remoteContainerPort | quote }}
             - name: TUNNEL_SOCKS_PORT
               value: {{ $.Values.proxy.service.ports.socks.containerPort | quote }}
             - name: TUNNEL_TLS_PORT
               value: {{ $.Values.proxy.service.ports.tls.containerPort | quote }}
             - name: TUNNEL_TLS_REMOTE_PORT
               value: {{ $.Values.proxy.service.ports.tls.remoteContainerPort | quote }}
-            - name: TUNNEL_HEALTH_PORT
-              value: {{ $.Values.proxy.service.ports.health.containerPort | quote }}
-            - name: TUNNEL_HEALTH_REMOTE_PORT
-              value: {{ $.Values.proxy.service.ports.health.remoteContainerPort | quote }}
-            {{- if $.Values.tls.enabled }}
+            - name: TUNNEL_WEB_PORT
+              value: {{ $.Values.proxy.service.ports.web.internalPort | quote }}
+            - name: TUNNEL_WEB_REMOTE_PORT
+              value: {{ $.Values.proxy.service.ports.web.remoteContainerPort | quote }}
+            {{- if or (or $.Values.caBundle.certs $.Values.caBundle.existingSecret) (and $.Values.tls.enabled $.Values.client.tlsVerifyCert) }}
             - name: SSL_CERT_FILE
               value: /ca-certs/ca-bundle.crt
             {{- end }}
@@ -151,11 +170,10 @@ spec:
           volumeMounts:
             - name: run
               mountPath: /var/run
-            {{- if $.Values.tls.enabled }}
-              {{- if  $.Values.client.tlsVerifyCert }}
             - name: ca-certs
               mountPath: /ca-certs
-              {{- end }}
+              readOnly: true
+            {{- if $.Values.tls.enabled }}
             - name: tls-secret
               mountPath: /certs
               readOnly: true
@@ -172,10 +190,18 @@ spec:
           command: ['/usr/sbin/nginx']
           args: ['-c', '/etc/nginx/nginx.conf', '-e', '/dev/stderr', '-g', 'daemon off;']
           ports:
-            - name: healthz
-              containerPort: 8081
+            - name: health
+              containerPort: {{ $.Values.proxy.service.ports.health.containerPort }}
               protocol: TCP
+          {{- if or $.Values.caBundle.certs $.Values.caBundle.existingSecret }}
+          env:
+            - name: SSL_CERT_FILE
+              value: /ca-certs/ca-bundle.crt
+          {{- end }}
           volumeMounts:
+            - name: ca-certs
+              mountPath: /ca-certs
+              readOnly: true
             - name: nginx-cache
               mountPath: /var/cache/nginx
             - name: nginx-tmp
@@ -200,11 +226,24 @@ spec:
           configMap:
             name: {{ $clientFullname }}
             defaultMode: 420
-        {{- if $.Values.tls.enabled }}
-          {{- if  $.Values.client.tlsVerifyCert }}
         - name: ca-certs
           emptyDir: {}
-          {{- end }}
+        {{- if or $.Values.caBundle.certs $.Values.caBundle.existingSecret }}
+        - name: ca-bundle
+          secret:
+            {{- if $.Values.caBundle.certs }}
+            secretName: {{ printf "%s-ca-bundle" $fullname }}
+            items:
+              - key: ca.crt
+                path: ca-bundle.crt
+            {{- else }}
+            secretName: {{ $.Values.caBundle.existingSecret }}
+            items:
+              - key: {{ default "ca.crt" $.Values.tls.existingSecretKeys.caCrt }}
+                path: ca-bundle.crt
+            {{- end }}
+        {{- end }}
+        {{- if $.Values.tls.enabled }}
         - name: tls-secret
           secret:
             {{- if $.Values.tls.existingSecret }}

helm/ggbridge/templates/proxy/deployment.yaml

@@ -62,6 +62,9 @@ spec:
           command: ['/usr/sbin/nginx']
           args: ['-c', '/etc/nginx/nginx.conf', '-e', '/dev/stderr', '-g', 'daemon off;']
           ports:
+            - name: web
+              containerPort: {{ $.Values.proxy.service.ports.web.containerPort }}
+              protocol: TCP
             {{- range $key, $value := $.Values.server.tunnels }}
               {{- if $value.enabled }}
                 {{- $port := get $.Values.proxy.service.ports $key }}