diff --git a/Base/Dockerfile b/Base/Dockerfile
index 8cde08e92..2372628f0 100644
--- a/Base/Dockerfile
+++ b/Base/Dockerfile
@@ -8,6 +8,7 @@ ARG AUTHORS=SeleniumHQ
 # Default value should be aligned with upstream Selenium (https://github.com/SeleniumHQ/selenium/blob/trunk/java/maven_deps.bzl)
 ARG OPENTELEMETRY_VERSION=1.38.0
 ARG GRPC_VERSION=1.64.0
+ARG NETTY_VERSION=4.1.108.Final
 ARG CS_VERSION=2.1.10
 
 #Arguments to define the user running Selenium
@@ -120,7 +121,7 @@ RUN if [ "$(dpkg --print-architecture)" = "amd64" ]; then \
 && if [ -f "/tmp/cs" ]; then \
 java -jar /tmp/cs fetch --classpath --cache /external_jars \
 io.opentelemetry:opentelemetry-exporter-otlp:${OPENTELEMETRY_VERSION} \
-io.grpc:grpc-netty:${GRPC_VERSION} > /external_jars/.classpath.txt \
+io.grpc:grpc-netty:${GRPC_VERSION} io.netty:netty-codec-http:${NETTY_VERSION} > /external_jars/.classpath.txt \
 && chmod 664 /external_jars/.classpath.txt ; \
 fi \
 && rm -fr /root/.cache/* \
diff --git a/Makefile b/Makefile
index 510f8f586..297bb63c5 100644
--- a/Makefile
+++ b/Makefile
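Review bot: The explicit `io.netty:netty-codec-http:${NETTY_VERSION}` added to the coursier fetch line pins one Netty artifact independently of the Netty version that `io.grpc:grpc-netty:${GRPC_VERSION}` pulls in transitively, so the resolved classpath can end up with `netty-codec-http` at 4.1.108.Final next to the remaining `io.netty` artifacts at whatever grpc-netty 1.64.0 declares; a mixed Netty version set is a known source of runtime `NoSuchMethodError`s, and since this is the HTTP codec on the network edge it is presumably the artifact carrying the fix this bump targets. The `ARG NETTY_VERSION` in the first hunk sits directly under the comment saying defaults should be aligned with upstream `maven_deps.bzl`, but nothing records why Netty is being overridden here or what it must stay in sync with. I would add a comment on the ARG, e.g. `# Overrides the netty-codec-http that grpc-netty pulls in; keep aligned with the io.netty version grpc-netty ${GRPC_VERSION} depends on`, and check the generated `/external_jars/.classpath.txt` for a single Netty version after the build.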
@@ -762,34 +762,40 @@ chart_test_template:
 ./tests/charts/bootstrap.sh
 
 chart_test_autoscaling_disabled:
-PLATFORMS=$(PLATFORMS) SELENIUM_GRID_AUTOSCALING=false TEST_DELAY_AFTER_TEST=15 CHART_ENABLE_TRACING=true SELENIUM_GRID_HOST=$$(hostname -i) RELEASE_NAME=selenium \
+PLATFORMS=$(PLATFORMS) RELEASE_NAME=selenium SELENIUM_GRID_AUTOSCALING=false TEST_DELAY_AFTER_TEST=15 CHART_ENABLE_TRACING=true \
+SECURE_INGRESS_ONLY_GENERATE=true SELENIUM_GRID_PROTOCOL=https SELENIUM_GRID_HOST=$$(hostname -i) SELENIUM_GRID_PORT=443 \
 VERSION=$(TAG_VERSION) VIDEO_TAG=$(FFMPEG_TAG_VERSION)-$(BUILD_DATE) NAMESPACE=$(NAMESPACE) BINDING_VERSION=$(BINDING_VERSION) \
 ./tests/charts/make/chart_test.sh NoAutoscaling
 
 chart_test_autoscaling_deployment_https:
-PLATFORMS=$(PLATFORMS) CHART_FULL_DISTRIBUTED_MODE=true CHART_ENABLE_INGRESS_HOSTNAME=true CHART_ENABLE_BASIC_AUTH=true SELENIUM_GRID_PROTOCOL=https SELENIUM_GRID_PORT=443 \
+PLATFORMS=$(PLATFORMS) CHART_FULL_DISTRIBUTED_MODE=true CHART_ENABLE_BASIC_AUTH=true \
+SECURE_INGRESS_ONLY_DEFAULT=true SELENIUM_GRID_PROTOCOL=https CHART_ENABLE_INGRESS_HOSTNAME=true SELENIUM_GRID_PORT=443 \
 SELENIUM_GRID_AUTOSCALING_MIN_REPLICA=1 \
 VERSION=$(TAG_VERSION) VIDEO_TAG=$(FFMPEG_TAG_VERSION)-$(BUILD_DATE) NAMESPACE=$(NAMESPACE) BINDING_VERSION=$(BINDING_VERSION) \
 ./tests/charts/make/chart_test.sh DeploymentAutoscaling
 
 chart_test_autoscaling_deployment:
-PLATFORMS=$(PLATFORMS) CHART_ENABLE_TRACING=true SELENIUM_GRID_HOST=$$(hostname -i) RELEASE_NAME=selenium \
+PLATFORMS=$(PLATFORMS) RELEASE_NAME=selenium CHART_ENABLE_TRACING=true \
+SECURE_CONNECTION_SERVER=true SECURE_USE_EXTERNAL_CERT=true SERVICE_TYPE_NODEPORT=true SELENIUM_GRID_PROTOCOL=https SELENIUM_GRID_HOST=$$(hostname -i) SELENIUM_GRID_PORT=31444 \
 SELENIUM_GRID_AUTOSCALING_MIN_REPLICA=1 \
 VERSION=$(TAG_VERSION) VIDEO_TAG=$(FFMPEG_TAG_VERSION)-$(BUILD_DATE) NAMESPACE=$(NAMESPACE) BINDING_VERSION=$(BINDING_VERSION) \
 ./tests/charts/make/chart_test.sh DeploymentAutoscaling
 
 chart_test_autoscaling_job_https:
-PLATFORMS=$(PLATFORMS) SELENIUM_GRID_PROTOCOL=https CHART_ENABLE_BASIC_AUTH=true RELEASE_NAME=selenium SELENIUM_GRID_PORT=443 SUB_PATH=/ \
+PLATFORMS=$(PLATFORMS) RELEASE_NAME=selenium CHART_ENABLE_BASIC_AUTH=true \
+SECURE_CONNECTION_SERVER=true SELENIUM_GRID_PROTOCOL=https SELENIUM_GRID_PORT=443 SUB_PATH=/ \
 VERSION=$(TAG_VERSION) VIDEO_TAG=$(FFMPEG_TAG_VERSION)-$(BUILD_DATE) NAMESPACE=$(NAMESPACE) BINDING_VERSION=$(BINDING_VERSION) \
 ./tests/charts/make/chart_test.sh JobAutoscaling
 
 chart_test_autoscaling_job_hostname:
-PLATFORMS=$(PLATFORMS) CHART_ENABLE_TRACING=true CHART_ENABLE_INGRESS_HOSTNAME=true CHART_ENABLE_BASIC_AUTH=true \
+PLATFORMS=$(PLATFORMS) CHART_ENABLE_TRACING=true CHART_ENABLE_BASIC_AUTH=true \
+SECURE_INGRESS_ONLY_DEFAULT=true SECURE_USE_EXTERNAL_CERT=true SELENIUM_GRID_PROTOCOL=https SELENIUM_GRID_HOST=$$(hostname -i) SELENIUM_GRID_PORT=443 \
 VERSION=$(TAG_VERSION) VIDEO_TAG=$(FFMPEG_TAG_VERSION)-$(BUILD_DATE) NAMESPACE=$(NAMESPACE) BINDING_VERSION=$(BINDING_VERSION) \
 ./tests/charts/make/chart_test.sh JobAutoscaling
 
 chart_test_autoscaling_job:
-PLATFORMS=$(PLATFORMS) CHART_ENABLE_TRACING=true CHART_FULL_DISTRIBUTED_MODE=true CHART_ENABLE_INGRESS_HOSTNAME=true SELENIUM_GRID_HOST=selenium-grid.local RELEASE_NAME=selenium SUB_PATH=/ \
+PLATFORMS=$(PLATFORMS) RELEASE_NAME=selenium CHART_ENABLE_TRACING=true CHART_FULL_DISTRIBUTED_MODE=true \
+SECURE_INGRESS_ONLY_GENERATE=true CHART_ENABLE_INGRESS_HOSTNAME=true SELENIUM_GRID_PROTOCOL=https SELENIUM_GRID_HOST=selenium-grid.prod SUB_PATH=/ SELENIUM_GRID_PORT=443 \
 VERSION=$(TAG_VERSION) VIDEO_TAG=$(FFMPEG_TAG_VERSION)-$(BUILD_DATE) NAMESPACE=$(NAMESPACE) BINDING_VERSION=$(BINDING_VERSION) \
 ./tests/charts/make/chart_test.sh JobAutoscaling
 
diff --git a/charts/selenium-grid/README.md b/charts/selenium-grid/README.md
index 60809aea7..065fafcfb 100644
--- a/charts/selenium-grid/README.md
+++ b/charts/selenium-grid/README.md
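Review bot: Every target in this hunk now runs with `SELENIUM_GRID_PROTOCOL=https`, so the plain-HTTP deployment path (the chart's behaviour when neither `tls.enabled` nor `tls.ingress.*` is set) no longer has any target exercising it in this matrix, and a regression in the `http` branch of the new `seleniumGrid.*.schema` helpers would pass CI unnoticed; keeping one target (e.g. `chart_test_autoscaling_disabled`) on the default protocol would cover that. The `SECURE_INGRESS_ONLY_GENERATE`, `SECURE_INGRESS_ONLY_DEFAULT`, `SECURE_CONNECTION_SERVER` and `SECURE_USE_EXTERNAL_CERT` switches are consumed by `tests/charts/make/chart_test.sh`, which is not part of this diff, so I cannot confirm each combination is actually handled there. Also `chart_test_autoscaling_deployment` sets `SELENIUM_GRID_PORT=31444` for NodePort access while the README in this same change documents the NodePort example as `https://your.host.public.ip:30444`; one of the two looks stale.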
@@ -31,9 +31,11 @@ This chart enables the creation of a Selenium Grid Server in Kubernetes. * [Configuration of video recorder and video uploader](#configuration-of-video-recorder-and-video-uploader) * [Video recorder](#video-recorder) * [Video uploader](#video-uploader) - * [Configuration of Secure Communication (HTTPS)](#configuration-of-secure-communication-https) - * [Secure Communication](#secure-communication) - * [Node Registration](#node-registration) + * [Configuration of Secure Communication](#configuration-of-secure-communication) + * [Create TLS Secret](#create-tls-secret) + * [Secure Connection to Selenium Grid components](#secure-connection-to-selenium-grid-components) + * [Secure Connection to the Ingress proxy](#secure-connection-to-the-ingress-proxy) + * [Node Registration](#node-registration) * [Configuration of tracing observability](#configuration-of-tracing-observability) * [Configuration of Selenium Grid chart](#configuration-of-selenium-grid-chart) * [Configuration of KEDA](#configuration-of-keda) 
@@ -600,76 +602,172 @@ videoRecorder: imageTag: latest ``` -### Configuration of Secure Communication (HTTPS) +### Configuration of Secure Communication Selenium Grid supports secure communication between components. Refer to the [instructions](https://github.com/SeleniumHQ/selenium/blob/trunk/java/src/org/openqa/selenium/grid/commands/security.txt) and [options](https://www.selenium.dev/documentation/grid/configuration/cli_options/#server) are able to configure the secure communication. Below is the details on how to enable secure communication in Selenium Grid chart. -#### Secure Communication +In the chart, there is directory [certs](./certs) contains the default self-signed certificate, private key (as PKCS8 format), and Java Keystore (JKS) to teach Java about secure connection (since we are using a non-standard CA) for your trial, local testing purpose. You can generate your own self-signed certificate put them in that default directory by using script [certs/cert.sh](./certs/cert.sh) with adjust needed information. The certificate, private key, truststore are mounted to the components via `Secret`. -In the chart, there is directory [certs](./certs) contains the default certificate, private key (as PKCS8 format), and Java Keystore (JKS) to teach Java about secure connection (since we are using a non-standard CA) for your trial, local testing purpose. You can generate your own self-signed certificate put them in that default directory by using script [cert.sh](./certs/cert.sh) with adjust needed information. The certificate, private key, truststore are mounted to the components via `Secret`. +Usage of [certs/cert.sh](./certs/cert.sh) script: -There are multiple ways to configure your certificate, private key, truststore to the components. You can choose one of them or combine them. 
+```bash +# Generate self-signed to target directory +./certs/cert.sh -d /path/to/your/ +# Add current host IP to the certificate +ADD_IP_ADDRESS=hostname ./certs/cert.sh -d /path/to/your/ +# Add multiple IP addresses to the certificate (comma-separated) +ADD_IP_ADDRESS=",IP:10.10.10.10,IP:10.10.11.11" ./certs/cert.sh -d /path/to/your/ +# Other environment variables that script consumes +# CERTNAME, STOREPASS, KEYPASS, ALIAS, SERVER_KEYSTORE, BASE64_ONLY +``` -- Use the default directory [certs](./certs). Rename your own files to be same as the default files and replace them. Give `--set tls.enabled=true` to enable secure communication. +#### Create TLS Secret -- Use the default directory [certs](./certs). Copy your own files to there and adjust the file name under config `tls.defaultFile`, those will be picked up when installing chart. For example: +There are multiple ways to insert your certificate, private key, truststore to the components. You can choose one of following ways: - ```yaml - tls: - enabled: true - trustStorePassword: "your_truststore_password" - defaultFile: - certificate: "certs/your_cert.pem" - privateKey: "certs/your_private_key.pkcs8" - trustStore: "certs/your_truststore.jks" +1. Replace your certificate, private key, truststore to the default directory [certs](./certs) in chart with the same name before deploying the chart. + +2. Use Helm CLI to pass your certificate, private key, truststore via `--set-file` when deploying the chart. For example (replace `$RELEASENAME` and `$NAMESPACE` with your values): + + ```bash + helm upgrade -i $RELEASENAME -n $NAMESPACE docker-selenium/selenium-grid \ + --set tls.enabled=true \ + --set-file tls.secretFiles.tls\.crt=/path/to/your/tls.crt \ + --set-file tls.secretFiles.tls\.key=/path/to/your/tls.key \ + --set-file tls.secretFiles.server\.jks=/path/to/your/server.jks ``` - For some security reasons, you may not able to put private key in your source code or your customization chart package. 
You can provide files with contents are encoded in Base64 format, just append `.base64` to the file name for chart able to know and decode them. For example: + +3. Create your own TLS Secret with your certificate, private key, truststore and pass the Secret name via `tls.nameOverride` when deploying the chart. For example (replace `$RELEASENAME` and `$NAMESPACE` with your values): + + ```bash + # Steps to prepare your self-signed certificate + ./certs/cert.sh -d /path/to/your/ + # Create TLS Secret with your certificate, private key, truststore + kubectl create secret generic -n $NAMESPACE my-external-tls-secret \ + --from-file=tls.crt=/path/to/your/tls.crt \ + --from-file=tls.key=/path/to/your/tls.key \ + --from-file=server.jks=/path/to/your/server.jks + # Deploy chart with your external TLS Secret + helm upgrade -i $RELEASENAME -n $NAMESPACE docker-selenium/selenium-grid \ + --set tls.enabled=true --set tls.nameOverride=my-external-tls-secret + ``` + + In case your external secret contains key file names are different with default, you can instruct server to use them via following values: ```yaml tls: enabled: true - trustStorePassword: "your_truststore_password" - defaultFile: - certificate: "certs/your_cert.pem.base64" - privateKey: "certs/your_private_key.pkcs8.base64" - trustStore: "certs/your_truststore.jks.base64" + nameOverride: my-external-tls-secret + certificateFile: "my-tls.crt" + privateKeyFile: "my-tls.key" + trustStoreFile: "my-server.jks" + trustStorePassword: "mytruststorepassword" ``` -- Using Helm CLI `--set-file` to pass your own file to particular config key. 
For example: +#### Secure Connection to Selenium Grid components - ```bash - helm upgrade -i test selenium-grid \ +When enabling secure communication between Selenium Grid server components, you need to set the following values: + +```yaml +tls: + enabled: true +``` + +In additional, if the ingress is enabled, and approach SSL Passthrough is used to ensure the request forwards to the backend components via an encrypted connection. +With `ingress.hostname` is set, the default server TLS secret is also used for hosts TLS secretName when `ingress.tls` is empty. Once you specify `ingress.tls`, your specified secret will be used for hosts TLS secretName. + +![SeleniumGrid_TLS_SSL-Passthrough](./images/SeleniumGrid_TLS_SSL-Passthrough.png) + +Moreover, when sub-chart `ingress-nginx` is enabled (deploy Ingress NGINX Controller together), the default server TLS secret can also be assigned via `ingress-nginx.controller.extraArgs.default-ssl-certificate`. +For example (replace `$RELEASENAME` and `$NAMESPACE` with your values): + +```bash +helm upgrade -i $RELEASENAME -n $NAMESPACE docker-selenium/selenium-grid \ --set tls.enabled=true \ - --set-file tls.certificate=/path/to/your_cert\.pem \ - --set-file tls.privateKey=/path/to/your_private_key\.pkcs8 \ - --set-file tls.trustStore=/path/to/your_truststore\.jks \ - --set-string tls.trustStorePassword=your_truststore_password - ``` + --set ingress-nginx.enabled=true \ + --set ingress-nginx.controller.extraArgs.default-ssl-certificate=$NAMESPACE/$RELEASENAME-selenium-tls-secret +``` + +Below is an example of Grid UI accessible via NodePort with secure connection, and using external TLS Secret (replace `$RELEASENAME` and `$NAMESPACE` with your values): + +```bash +helm upgrade -i $RELEASENAME -n $NAMESPACE docker-selenium/selenium-grid \ + --set ingress.enabled=false \ + --set isolateComponents=true \ + --set components.router.serviceType=NodePort \ + --set tls.enabled=true \ + --set tls.nameOverride=my-external-tls-secret +``` 
-If you start NGINX ingress controller inline with Selenium Grid chart, you can configure the default certificate of NGINX ingress controller to use the same certificate as Selenium Grid. For example: +Grid UI can be accessed via HTTPS address `https://your.host.public.ip:30444`. + +![SeleniumGrid_TLS_WithoutProxy](./images/SeleniumGrid_TLS_WithoutProxy.png) + +#### Secure Connection to the Ingress proxy + +When enabling secure communication via HTTPS/TLS between the client and the Ingress proxy only (SSL Offloading / aka SSL Termination). The proxy will terminate the TLS connection, decrypt incoming HTTPS traffic and send it to the backend components without encryption. The backend Selenium Grid components doesn't need to understand HTTPS. To enable this mode, you need to set the following values: ```yaml tls: - enabled: true + ingress: + enabled: true +``` -ingress-nginx: +![SeleniumGrid_TLS_SSL-Termination](./images/SeleniumGrid_TLS_SSL-Termination.png) + +In additional, a self-signed certificate and private key can be generated runtime during the chart deployment for Ingress TLS by setting these values (replace `$RELEASENAME` with your value): + +```yaml +tls: + ingress: + generateTLS: true + defaultName: "MySelfSignedCert" + defaultDays: 3650 + defaultCN: "www.domain.com" # Common Name + defaultSANList: + - selenium-grid.prod.domain.com # Subject Alternative Name + - selenium-grid.staging.domain.com + defaultIPList: + - 10.87.99.100 # Public IP of the host running K8s or LoadBalancer IP + - 10.87.100.101 + +ingress-ngnix: enabled: true controller: extraArgs: - default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret' + default-ssl-certificate: $(POD_NAMESPACE)/$RELEASENAME-selenium-tls-secret ``` -#### Node Registration +You can get the `tls.crt` and `tls.key` from the Secret after the chart is deployed. 
For example (replace `$RELEASENAME` and `$NAMESPACE` with your values): + +```bash +kubectl get secret $RELEASENAME-selenium-tls-secret -n $NAMESPACE -o jsonpath="{.data.tls\.crt}" | base64 -d > ./tls.crt +kubectl get secret $RELEASENAME-selenium-tls-secret -n $NAMESPACE -o jsonpath="{.data.tls\.key}" | base64 -d > ./tls.key +``` + +Below is an example of Grid UI accessible via secure connection to the Ingress proxy with self-signed certificate in external TLS Secret (replace `$RELEASENAME` and `$NAMESPACE` with your values): + +```bash +helm upgrade -i $RELEASENAME -n $NAMESPACE docker-selenium/selenium-grid \ + --set ingress.enabled=true \ + --set ingress.hostname="selenium-grid.prod.domain.com" \ + --set tls.ingress.enabled=true \ + --set tls.nameOverride=my-external-tls-secret \ + --set ingress-nginx.enabled=true \ + --set ingress-nginx.controller.extraArgs.default-ssl-certificate=$NAMESPACE/my-external-tls-secret +``` + +Grid UI can be accessed via HTTPS address `https://selenium-grid.prod.domain.com`. + +### Node Registration To enable secure in the node registration to make sure that the node is one you control and not a rouge node, you can enable and provide a registration secret string to Distributor, Router and -Node servers in config `tls.registrationSecret`. For example: +Node servers in config `registrationSecret`. For example: ```yaml -tls: +registrationSecret: enabled: true - registrationSecret: - enabled: true - value: "matchThisSecret" + value: "matchThisSecret" ``` ### Configuration of tracing observability diff --git a/charts/selenium-grid/certs/cert.sh b/charts/selenium-grid/certs/cert.sh index c38572caa..79adb6bf3 100755 --- a/charts/selenium-grid/certs/cert.sh +++ b/charts/selenium-grid/certs/cert.sh 
@@ -1,13 +1,39 @@
+#!/bin/bash
 # README: This script is used to generate a self-signed certificate for enabling HTTPS/TLS in Selenium Grid
 
-CERTNAME=${1:-selenium}
-STOREPASS=${2:-changeit}
-KEYPASS=${3:-changeit}
-ALIAS=${4:-SeleniumHQ}
-BASE64_ONLY=1
+# Initialize default values
+DIRECTORY_PATH=""
+# Parse command-line options
+# -d directory_path: Specify the directory path to store the generated certificate files
+while getopts "d:" opt; do
+case ${opt} in
+d )
+DIRECTORY_PATH=$OPTARG
+;;
+\? )
+echo "Usage: cmd [-d directory_path]"
+exit 1
+;;
+esac
+done
+
+# Shift out the option and argument to leave only the positional parameters
+shift $((OPTIND-1))
+
+CERTNAME=${CERTNAME:-tls}
+STOREPASS=${STOREPASS:-seleniumkeystore}
+KEYPASS=${KEYPASS:-seleniumkeystore}
+ALIAS=${ALIAS:-SeleniumHQ}
+SERVER_KEYSTORE=${SERVER_KEYSTORE:-server.jks}
+BASE64_ONLY=${BASE64_ONLY:-0}
+if [ -n "${ADD_IP_ADDRESS}" ] && [ "${ADD_IP_ADDRESS}" = "hostname" ]; then
+ADD_IP_ADDRESS=",IP:$(hostname -I | awk '{print $1}')"
+else
+ADD_IP_ADDRESS=${ADD_IP_ADDRESS}
+fi
 
 # Remove existing files
-rm -f ${CERTNAME}.*
+rm -f ${CERTNAME}.* ${SERVER_KEYSTORE}
 
 # Create JKS (Java Keystore) - this is used to set for JAVA_OPTS -Djavax.net.ssl.trustStore=
 # The key pass set to JAVA_OPTS -Djavax.net.ssl.trustStorePassword=
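Review bot: The new `#!/bin/bash` line is not followed by `set -euo pipefail`, so a failing `keytool` or `openssl` step later in the script does not stop it and the subsequent `mv`/`rm` steps run against missing or stale files — in the worst case moving a previously generated key into `${DIRECTORY_PATH}` as if it were fresh. `hostname -I` in the `ADD_IP_ADDRESS=hostname` branch is Linux-only (`hostname` on macOS/BSD has no `-I`), and the `else` branch `ADD_IP_ADDRESS=${ADD_IP_ADDRESS}` is a no-op that can be dropped. I would add `set -euo pipefail` right after the shebang (then the test becomes `[ -n "${ADD_IP_ADDRESS:-}" ]`) and quote the deletion as `rm -f -- "${CERTNAME}".* "${SERVER_KEYSTORE}"` so a `CERTNAME` or `SERVER_KEYSTORE` containing whitespace or a leading dash cannot widen what gets removed.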
@@ -17,45 +43,70 @@ keytool -genkeypair \
 -keyalg RSA \
 -v \
 -dname "CN=SeleniumHQ,OU=Software Freedom Conservancy,O=SeleniumHQ,L=Unknown,ST=Unknown,C=Unknown" \
--ext "SAN:c=DNS:localhost,DNS:selenium-grid.local,DNS:selenium-grid.prod,DNS:selenium.dev" \
+-ext "SAN:c=DNS:localhost,DNS:selenium-grid.local,DNS:selenium-grid.prod,DNS:selenium.dev${ADD_IP_ADDRESS}" \
 -validity 3650 \
 -storepass ${STOREPASS} \
 -keypass ${KEYPASS} \
--keystore ${CERTNAME}.jks
+-keystore ${SERVER_KEYSTORE}
 
-# Base64 encode JKS file (for Kubernetes Secret)
-#base64 -i ${CERTNAME}.jks -w 0 > ${CERTNAME}.jks.base64
+if [ ${BASE64_ONLY} -eq 1 ]; then
+# Base64 encode JKS file (for Kubernetes Secret)
+base64 -i ${SERVER_KEYSTORE} -w 0 > ${SERVER_KEYSTORE}.base64
+fi
 
 # Create PKCS12 from JKS
-keytool -importkeystore -srckeystore ${CERTNAME}.jks \
+keytool -importkeystore -srckeystore ${SERVER_KEYSTORE} \
 -destkeystore ${CERTNAME}.p12 \
 -srcstoretype jks \
 -storepass ${STOREPASS} -keypass ${KEYPASS} -srcstorepass ${STOREPASS} \
 -deststoretype pkcs12
 
-# Create private key PEM from PKCS12
+# Create private key from PKCS12
 openssl pkcs12 -nodes -in ${CERTNAME}.p12 -out ${CERTNAME}.key \
 -passin pass:${KEYPASS}
 
 # Create private key PKCS8 format (this is used to set for option --https-private-key)
 openssl pkcs8 -in ${CERTNAME}.key -topk8 -nocrypt -out ${CERTNAME}.pkcs8
 
-# Base64 encode PKCS8 file (for Kubernetes Secret)
-base64 -i ${CERTNAME}.pkcs8 -w 0 > ${CERTNAME}.pkcs8.base64
+# Remove source file PKCS12 (prevent sensitive data leak)
+rm -f ${CERTNAME}.p12
+
+# Rename PKCS8 file to .key extension (most compatible extension for private key)
+mv ${CERTNAME}.pkcs8 ${CERTNAME}.key
 
-# Create certificate PEM from JKS (this is used to set for option --https-certificate)
+if [ ${BASE64_ONLY} -eq 1 ]; then
+# Base64 encode PKCS8 file (for Kubernetes Secret)
+base64 -i ${CERTNAME}.key -w 0 > ${CERTNAME}.key.base64
+fi
+
+# Create certificate CRT from JKS (this is used to set for option --https-certificate)
 keytool -exportcert -alias ${ALIAS} \
 -storepass ${STOREPASS} -keypass ${KEYPASS} \
--keystore ${CERTNAME}.jks -rfc -file ${CERTNAME}.pem
+-keystore ${SERVER_KEYSTORE} -rfc -file ${CERTNAME}.crt
 
-# Base64 encode Certificate PEM file (for Kubernetes Secret)
-#base64 -i ${CERTNAME}.pem -w 0 > ${CERTNAME}.pem.base64
+if [ ${BASE64_ONLY} -eq 1 ]; then
+# Base64 encode Certificate CRT file (for Kubernetes Secret)
+base64 -i ${CERTNAME}.crt -w 0 > ${CERTNAME}.crt.base64
+fi
 
 if [ ${BASE64_ONLY} -eq 1 ]; then
-# Remove source files (prevent sensitive data leak)
-rm -f ${CERTNAME}.key
-rm -f ${CERTNAME}.p12
-rm -f ${CERTNAME}.pkcs8
-# Retain ${CERTNAME}.jks for Java client establishing HTTPS connection
-# Retain ${CERTNAME}.pem for client establishing HTTPS connection
+rm -rf ${CERTNAME}.key
+rm -rf ${SERVER_KEYSTORE}
+rm -rf ${CERTNAME}.crt
+fi
+
+if [ -n "${DIRECTORY_PATH}" ]; then
+# Create the specified directory if it does not exist
+mkdir -p ${DIRECTORY_PATH}
+# Move the generated certificate files to the specified directory
+if [ ${BASE64_ONLY} -eq 1 ]; then
+mv ${SERVER_KEYSTORE}.base64 ${DIRECTORY_PATH}/
+mv ${CERTNAME}.key.base64 ${DIRECTORY_PATH}/
+mv ${CERTNAME}.crt.base64 ${DIRECTORY_PATH}/
+else
+mv ${CERTNAME}.key ${DIRECTORY_PATH}/
+mv ${SERVER_KEYSTORE} ${DIRECTORY_PATH}/
+mv ${CERTNAME}.crt ${DIRECTORY_PATH}/
+fi
+echo "Self-signed certificate files have been generated and stored in: ${DIRECTORY_PATH}"
 fi
diff --git a/charts/selenium-grid/certs/selenium.jks b/charts/selenium-grid/certs/selenium.jks
deleted file mode 100644
index 3c9c531af..000000000
Binary files a/charts/selenium-grid/certs/selenium.jks and /dev/null differ
diff --git a/charts/selenium-grid/certs/selenium.pem b/charts/selenium-grid/certs/selenium.pem
deleted file mode 100644
index 3818978d4..000000000
--- a/charts/selenium-grid/certs/selenium.pem
+++ /dev/null
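Review bot: The unencrypted private key is written by `openssl pkcs12 -nodes ... -out ${CERTNAME}.key` and again by `openssl pkcs8 ... -nocrypt`, both with whatever umask the caller has, so on the usual `022` the key lands world-readable and keeps those bits through the `mv ${CERTNAME}.pkcs8 ${CERTNAME}.key` and the move into `${DIRECTORY_PATH}`; a `umask 077` before the first `keytool`/`openssl` call, or `chmod 600 "${CERTNAME}.key"` right after the rename, closes that. The keystore and key passwords are also passed as command-line arguments (`-storepass ${STOREPASS}`, `-passin pass:${KEYPASS}`), which exposes them to `ps` and shell history even when the caller overrides the defaults; keytool accepts `-storepass:env STOREPASS` and openssl `-passin env:KEYPASS`. Minor: the `rm -rf` calls in the `BASE64_ONLY` branch act on plain files and should be `rm -f --`. The `keytool -genkeypair` command that the first lines of this hunk belong to starts above the hunk.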
@@ -1,24 +0,0 @@
------BEGIN CERTIFICATE-----
-MIID/zCCAuegAwIBAgIEbybT1DANBgkqhkiG9w0BAQsFADCBhzEQMA4GA1UEBhMH
-VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjETMBEG
-A1UEChMKU2VsZW5pdW1IUTElMCMGA1UECxMcU29mdHdhcmUgRnJlZWRvbSBDb25z
-ZXJ2YW5jeTETMBEGA1UEAxMKU2VsZW5pdW1IUTAeFw0yNDAzMDExMDQwMTVaFw0z
-NDAyMjcxMDQwMTVaMIGHMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtu
-b3duMRAwDgYDVQQHEwdVbmtub3duMRMwEQYDVQQKEwpTZWxlbml1bUhRMSUwIwYD
-VQQLExxTb2Z0d2FyZSBGcmVlZG9tIENvbnNlcnZhbmN5MRMwEQYDVQQDEwpTZWxl
-bml1bUhRMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuhrHCWD8ZApZ
-JbFGBcf5Gu/WdH0v+PUWvW4ZHoVclFktnYF4Je3DXCDrvDOf5AtBqS7YzCr1uZML
-fYLRvMJBxpHtYS+W7XiIUGOXavw3DN2DBysp2uMgMmumD3C9PWk7O+BJ3Ej/CQev
-WuMLK/3F6PRhNEYdB6kqAbP3fqN40fu+3w+yUHwprHmo8Uo37QhJejGfFnhdxhTq
-vElvrGlSpIidLs7wPOFVqQyTXAR+K7/vhWy1asZE0bZ5fQhDnFPsNFdkoA/dDPga
-dGM5U7A4WYQdmVtJ5RSZHUb9jfUQ1LQyuR1FQ5DudstXKtNONqA3yqUPusQpIaYW
-PbIimVI4lQIDAQABo3EwbzAdBgNVHQ4EFgQU/S73OMhN3yV4ustP37TY9upJQFYw
-TgYDVR0RAQH/BEQwQoIJbG9jYWxob3N0ghNzZWxlbml1bS1ncmlkLmxvY2FsghJz
-ZWxlbml1bS1ncmlkLnByb2SCDHNlbGVuaXVtLmRldjANBgkqhkiG9w0BAQsFAAOC
-AQEAs8CCz5kQnuWjcFQojkjbMk9L92HBWV89ME+YL4o/TJk56EYW3UurEALgO6MJ
-h14vdXOAYO6TERUMNKaSO5CydfbuKp5JpJhpY/qbHKPE/wJYIfMEO2hicYefjEKi
-wxy4TE1FrfbmHV+MKmS21u7JTTyoqpqD+dWoURikdwBwm6cvyPx9Hntc2uHMc53D
-BQtveBxkr4fMT+dcAommWfY+LHWg2bvEWzTJxELK7D5b63z/AI3MAL5XEznbqoV7
-ibZpC2D8wZ4N2E3tOT7iruMVuGVI98N40ytSuSwrUNjn7CT+htnpn1zVWZx3FpiT
-pez6yj8ecncxrGOgp2Ty6r5Quw==
------END CERTIFICATE-----
diff --git a/charts/selenium-grid/certs/selenium.pkcs8.base64 b/charts/selenium-grid/certs/selenium.pkcs8.base64
deleted file mode 100644
index 2325100f3..000000000
--- a/charts/selenium-grid/certs/selenium.pkcs8.base64
+++ /dev/null
@@ -1 +0,0 @@
-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
\ No newline at end of file
diff --git a/charts/selenium-grid/certs/server.jks b/charts/selenium-grid/certs/server.jks
new file mode 100644
index 000000000..395afe9fc
Binary files /dev/null and b/charts/selenium-grid/certs/server.jks differ
diff --git a/charts/selenium-grid/certs/tls.crt b/charts/selenium-grid/certs/tls.crt
new file mode 100644
index 000000000..58feb852f
--- /dev/null
+++ b/charts/selenium-grid/certs/tls.crt
@@ -0,0 +1,24 @@
+-----BEGIN CERTIFICATE-----
+MIIEBDCCAuygAwIBAgIJAODdnzzdFPoKMA0GCSqGSIb3DQEBCwUAMIGHMRAwDgYD
+VQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3du
+MRMwEQYDVQQKEwpTZWxlbml1bUhRMSUwIwYDVQQLExxTb2Z0d2FyZSBGcmVlZG9t
+IENvbnNlcnZhbmN5MRMwEQYDVQQDEwpTZWxlbml1bUhRMB4XDTI0MDcxNTEwMDQy
+MloXDTM0MDcxMzEwMDQyMlowgYcxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgT
+B1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEzARBgNVBAoTClNlbGVuaXVtSFEx
+JTAjBgNVBAsTHFNvZnR3YXJlIEZyZWVkb20gQ29uc2VydmFuY3kxEzARBgNVBAMT
+ClNlbGVuaXVtSFEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDUMWXA
+7Ka8y5Wzo/2cA6JkxlxqRtxrAm+YWKzXb4WWB0nX2ZsqWxnNTSDENPlCpLdCNIuG
+qTmjucYJGQKvnzeS8N1R594YP3dpkatwYHuHH/J5bABZmHwk45CDj4WZqdpvucop
+EM5TRXm+zKEt3b/Up/jVHtP6UvOkuM/uPoB4RKSQjwrb5BHmMQyaupQkVk137zN2
+QTc7r8IZMR4YOYYC+uaMwbLNWJFxdkk8f3CtgUttQWRqwIbqC8KFBWMBbYQpiHsb
+9cLfEcbJ5A5LpTRU47n5xaT56HLFMqhGw5W9Bnwbj9RbCRaipPJqtqJikXJWodMe
+IpsnzOZ5x9WgqmhDAgMBAAGjcTBvMB0GA1UdDgQWBBRqc4VlFLrOKMyWJDsNYrbT
+qKp5tzBOBgNVHREBAf8ERDBCgglsb2NhbGhvc3SCE3NlbGVuaXVtLWdyaWQubG9j
+YWyCEnNlbGVuaXVtLWdyaWQucHJvZIIMc2VsZW5pdW0uZGV2MA0GCSqGSIb3DQEB
+CwUAA4IBAQAGknPZv+3i+VXXThyq7yDHzuVkSYs3EAcvKZeobesp+aDdjmigE/bO
+emOrSjoktnhFrFa58qQmiURPZRTkQfRcKKxwJj8tvNJHxT9X6i4trGCLy+KvPQtp
+UKEheiM5p7mnoMeF25SoztPtWXcy4OZ6pDc+2FJ++rpEeoBXlzt9yoc+jy4WGEMh
+G7rIpDN5K/4lltENrcChoG/SoUYSVGDFAnpHn5/aM7aUoa9LMmYz8cSVlMOBWnDL
+MYI8Fejvw7Ke46aoNe8S+r8ruZwPn1AweZWIfEoPx6sJcD/BvA22Jh+FlTZijzD0
+IadxdSDxTcNg0fYa1+UfEAGX4Ts589Rg
+-----END CERTIFICATE-----
diff --git a/charts/selenium-grid/certs/tls.key b/charts/selenium-grid/certs/tls.key
new file mode 100644
index 000000000..c2cf88afb
--- /dev/null
+++ b/charts/selenium-grid/certs/tls.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDUMWXA7Ka8y5Wz
+o/2cA6JkxlxqRtxrAm+YWKzXb4WWB0nX2ZsqWxnNTSDENPlCpLdCNIuGqTmjucYJ
+GQKvnzeS8N1R594YP3dpkatwYHuHH/J5bABZmHwk45CDj4WZqdpvucopEM5TRXm+
+zKEt3b/Up/jVHtP6UvOkuM/uPoB4RKSQjwrb5BHmMQyaupQkVk137zN2QTc7r8IZ
+MR4YOYYC+uaMwbLNWJFxdkk8f3CtgUttQWRqwIbqC8KFBWMBbYQpiHsb9cLfEcbJ
+5A5LpTRU47n5xaT56HLFMqhGw5W9Bnwbj9RbCRaipPJqtqJikXJWodMeIpsnzOZ5
+x9WgqmhDAgMBAAECggEAAoJAuJc4Rge9mxay/X5fyt7yGMZv/d0Ly5XlYvj6AjeG
+ISBYYLxlStgcUexp2FRxFj4ozLo4DWLwVsIOFhMysroPdh0FahGxdXTu4fnUV33L
+fdZP6r9FE+qTutXnkwvRWVetkxNLOKMb76xt+2zYVX/m6mdMDJmgw0HQs4vXWQJe
+8msDQlegojE7PJuJwDxIiGy88OHl5Wnwozwj5NprMDYUu8xrCWWZ4EW5JGTj7mGT
+gRkrUj4i3XOhzlb+Cmap1K1jBB8lyj1RCXRHmNjXftXmcOrDcsQMToPG+ZyDOnGl
+lBYSEDXCVFxsQhSJSc9WVPBZIOitWEPrWbCn8xHAgQKBgQD6NR4IRxGWMtApq8hZ
+r5jxykhihYncnc3BS9chEZjCfnl+gA9+YbN4ra1HBc190lx1sli0XdsVIaktRixw
+hL+9DlNTdBDY9gBHIluVSA8tMVBtnxd5Yi28J61dDQ0THEaeXGSjLVXujfF90mRv
+pCoGG/3//BfHrPhrGMUlie3iLQKBgQDZGvuYON8Xy67DLOWOKkAf+bEgQ2mZJRxq
+s/xCLDA7GNpkaHIF8dpjGH7pufz61k2+8mEvraRSxLptU1nD9jdUWcRcBNHH2PBS
+X4vmtOd45cHipQsfkjtluK3E6gYXXK8+x2cVbZHYd0jF5FR7ySWtRUVQExj+98Tw
+drgj6HyqLwKBgQD4Dt1de4gWDv6Nsb+KGytY3CFze804KkMpVlVMdbOrb9Rn8/Jo
+a9iQ1i8qcLhP+9Sq40xKVZq0kpC1UBMS4qltd9xoqnNhhlK0M330vGI/fdqtM8ME
+FrAdEIEx9ZR209u3eQZVOMcvIQ7AnWvxuyHmuK3TskypK/WFyCL8moh7aQKBgQDG
+4CLMxHwIjjqe64e0/RsUr2QEC/y1nvsy+4D/FP9xg0i7ZbndnDjTQeMwM4F8Pcem
+PN2uEUBP2Yp1Dz9RdUAl8r0fFgMdMKqkqoW7ZsgLRVygQ1O3LftfKRd1JHND/1FB
+DuRtCpvpUQvGy2xgoFf1K1ldCsGA/nLXW8k+i393XQKBgAE6O3Mha5cXnsOgvLOW
+TketAyamgo0DCJGxCP796tJGL0molsMR07oEVR/qulNSojJJk03EibKe9czTRPmM
+MSCL0Ts4/mj5b1nkjZA4OW1vpXiuJN/1AXJapmykQVQQSAUGMTnDBaAtTW4J25Nu
+n2W3pwo3jPpXcQWf57AGiNbq
+-----END PRIVATE KEY-----
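Review bot: `charts/selenium-grid/certs/tls.key` commits an unencrypted RSA private key into the chart, and its certificate `tls.crt` (previous file section) is a ten-year self-signed cert with SANs `localhost`, `selenium-grid.local`, `selenium-grid.prod` and `selenium.dev`; every deployment that sets `tls.enabled=true` without overriding the secret therefore presents a key that anyone with access to this repository holds, so the resulting TLS protects against passive observers only and provides no server authentication. The files it replaces (`selenium.pem`, `selenium.pkcs8.base64`) had the same property, so this is not a regression, but the README in this change only calls them a default for "trial, local testing purpose" and nothing in the chart itself enforces or warns about that. I would add a short `certs/README.md` next to these files stating that this key pair is public and must never back a grid reachable beyond a developer machine, and consider having the chart warn at install time (e.g. in NOTES.txt) when the mounted secret still carries the bundled key — I cannot tell from this diff whether such a check exists.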
diff --git a/charts/selenium-grid/images/SeleniumGrid_TLS_SSL-Passthrough.png b/charts/selenium-grid/images/SeleniumGrid_TLS_SSL-Passthrough.png
new file mode 100644
index 000000000..86a369600
Binary files /dev/null and b/charts/selenium-grid/images/SeleniumGrid_TLS_SSL-Passthrough.png differ
diff --git a/charts/selenium-grid/images/SeleniumGrid_TLS_SSL-Termination.png b/charts/selenium-grid/images/SeleniumGrid_TLS_SSL-Termination.png
new file mode 100644
index 000000000..68822f937
Binary files /dev/null and b/charts/selenium-grid/images/SeleniumGrid_TLS_SSL-Termination.png differ
diff --git a/charts/selenium-grid/images/SeleniumGrid_TLS_WithoutProxy.png b/charts/selenium-grid/images/SeleniumGrid_TLS_WithoutProxy.png
new file mode 100644
index 000000000..3153e76f1
Binary files /dev/null and b/charts/selenium-grid/images/SeleniumGrid_TLS_WithoutProxy.png differ
diff --git a/charts/selenium-grid/templates/_helpers.tpl b/charts/selenium-grid/templates/_helpers.tpl
index be74a65ee..df56b7266 100644
--- a/charts/selenium-grid/templates/_helpers.tpl
+++ b/charts/selenium-grid/templates/_helpers.tpl
@@ -1,16 +1,29 @@
+{{/*
+Server secure connection
+*/}}
+{{- define "seleniumGrid.server.secureConnection" -}}
+{{- $.Values.tls.enabled | ternary "true" "" -}}
+{{- end -}}
+
+{{/*
+Ingress proxy forward secure connection
+*/}}
+{{- define "seleniumGrid.ingress.secureConnection" -}}
+{{- or $.Values.tls.enabled $.Values.tls.ingress.enabled $.Values.tls.ingress.generateTLS | ternary "true" "" -}}
+{{- end -}}
 
 {{/*
 Protocol of server components
 */}}
 {{- define "seleniumGrid.server.protocol" -}}
-{{- .Values.tls.enabled | ternary "https" "http" -}}
+{{- (eq (include "seleniumGrid.server.secureConnection" $) "true") | ternary "https" "http" -}}
 {{- end -}}
 
 {{/*
 Probe httpGet schema
 */}}
 {{- define "seleniumGrid.probe.httpGet.schema" -}}
-{{- .Values.tls.enabled | ternary "HTTPS" "HTTP" -}}
+{{- (eq (include "seleniumGrid.server.secureConnection" $) "true") | ternary "HTTPS" "HTTP" -}}
 {{- end -}}
 
 {{/*
@@ -69,8 +82,8 @@ Get probe settings
 {{/*
 Is registration secret enabled
 */}}
-{{- define "seleniumGrid.tls.registrationSecret.enabled" -}}
-{{- .Values.tls.registrationSecret.enabled | ternary "true" "" -}}
+{{- define "seleniumGrid.registrationSecret.enabled" -}}
+{{- .Values.registrationSecret.enabled | ternary "true" "" -}}
 {{- end -}}
 
 {{/*
@@ -106,8 +119,11 @@ nginx.ingress.kubernetes.io/client-body-buffer-size: {{ . | quote }}
 nginx.ingress.kubernetes.io/proxy-buffers-number: {{ . | quote }}
 {{- end }}
 {{- end }}
+{{- if .websocket }}
+nginx.org/websocket-services: {{ include ($.Values.isolateComponents | ternary "seleniumGrid.router.fullname" "seleniumGrid.hub.fullname") $ | quote }}
+{{- end }}
 {{- end }}
-{{- if .Values.tls.enabled }}
+{{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 nginx.ingress.kubernetes.io/ssl-passthrough: "true"
 nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
 {{- end }}
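Review bot: Renaming the values key from `tls.registrationSecret.enabled` to `registrationSecret.enabled` inside `seleniumGrid.registrationSecret.enabled` is a silent breaking change for existing values files: unless the chart ships a `values.schema.json` that rejects the old key (not visible in this diff), Helm ignores unknown keys, so a user upgrading with `tls.registrationSecret.enabled: true` in their overrides gets the new key's default instead, and the node-registration secret — the only control the chart offers against a rogue node joining the grid — is switched off without any error. I would add a render-time guard next to the define, e.g. `{{- if hasKey .Values.tls "registrationSecret" }}{{ fail "tls.registrationSecret has moved to registrationSecret" }}{{- end }}`, and list the rename in the chart's upgrade notes. The same consideration applies to the `serverConfigMap.certVolumeMountPath` → `tls.certVolumeMountPath` and `serverConfigMap.disableHostnameVerification` → `tls.disableHostnameVerification` renames elsewhere in this change.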
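Review bot: The new `nginx.org/websocket-services` annotation uses the annotation namespace of the NGINX Inc. ingress controller, whereas every other annotation emitted by this helper — including `ssl-passthrough` and `backend-protocol` two lines below — uses `nginx.ingress.kubernetes.io/`, which is what the community ingress-nginx controller reads, and ingress-nginx is the controller this chart appears to bundle as the `ingress-nginx` sub-chart (see `ingress-nginx.controller.extraArgs` in the README of this change). If the target really is ingress-nginx the key is silently ignored and websocket upgrades succeed or fail for reasons unrelated to it. Please confirm which controller `.websocket` is meant for and either note it in a comment such as `{{/* nginx.org/* keys are honoured only by the NGINX Inc. controller, not by ingress-nginx */}}` or switch to the matching annotation.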
@@ -285,9 +301,9 @@ template:
 mountPath: {{ $.Values.nodeConfigMap.extraScriptsDirectory }}/{{ $fileName }}
 subPath: {{ $fileName }}
 {{- end }}
-{{- if $.Values.tls.enabled }}
+{{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" $ | quote }}
-mountPath: {{ $.Values.serverConfigMap.certVolumeMountPath }}
+mountPath: {{ $.Values.tls.certVolumeMountPath }}
 readOnly: true
 {{- end }}
 {{- if .node.extraVolumeMounts }}
@@ -479,7 +495,7 @@ template:
 emptyDir:
 medium: Memory
 sizeLimit: {{ default "1Gi" .node.dshmVolumeSizeLimit }}
-{{- if $.Values.tls.enabled }}
+{{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" $ | quote }}
 secret:
 secretName: {{ include "seleniumGrid.tls.fullname" $ | quote }}
@@ -500,14 +516,33 @@ Get the url of the grid. If the external url can be figured out from the ingress
 {{- $url }}
 {{- end -}}
 
+{{/*
+Get the url of the grid server in the cluster
+*/}}
+{{- define "seleniumGrid.server.url" -}}
+{{- $url := printf "%s://%s%s%s%s" (include "seleniumGrid.server.url.schema" .) (include "seleniumGrid.url.basicAuth" .) (include "seleniumGrid.server.url.host" .) (include "seleniumGrid.server.url.port" .) (include "seleniumGrid.url.subPath" .) -}}
+{{- $url }}
+{{- end -}}
+
+{{/*
+Graphql Url of the hub or the router
+*/}}
+{{- define "seleniumGrid.graphqlURL" -}}
+{{- printf "%s/graphql" (include "seleniumGrid.server.url" $) -}}
+{{- end -}}
+
 {{- define "seleniumGrid.url.schema" -}}
 {{- $schema := "http" -}}
-{{- if .Values.tls.enabled -}}
+{{- if or (eq (include "seleniumGrid.server.secureConnection" $) "true") (eq (include "seleniumGrid.ingress.secureConnection" $) "true") -}}
+{{- $schema = "https" -}}
+{{- end -}}
+{{- $schema }}
+{{- end -}}
+
+{{- define "seleniumGrid.server.url.schema" -}}
+{{- $schema := "http" -}}
+{{- if eq (include "seleniumGrid.server.secureConnection" $) "true" -}}
 {{- $schema = "https" -}}
-{{- else if .Values.ingress.enabled -}}
-{{- if .Values.ingress.tls -}}
-{{- $schema = "https" -}}
-{{- end -}}
 {{- end -}}
 {{- $schema }}
 {{- end -}}
@@ -534,6 +569,11 @@ Get the url of the grid. If the external url can be figured out from the ingress
 {{- $host }}
 {{- end -}}
 
+{{- define "seleniumGrid.server.url.host" -}}
+{{- $host := printf "%s.%s" (include ($.Values.isolateComponents | ternary "seleniumGrid.router.fullname" "seleniumGrid.hub.fullname") $ ) (.Release.Namespace) -}}
+{{- $host }}
+{{- end -}}
+
 {{- define "seleniumGrid.url.port" -}}
 {{- $port := ":4444" -}}
 {{- if .Values.ingress.enabled -}}
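Review bot: `seleniumGrid.url.schema` drops the old `else if .Values.ingress.enabled` / `.Values.ingress.tls` branch, so a user who supplies their own `ingress.tls` entries without setting `tls.enabled`, `tls.ingress.enabled` or `tls.ingress.generateTLS` now gets an `http://` scheme in the computed external grid URL although their ingress serves HTTPS; unless `ingress.tls` is folded into `seleniumGrid.ingress.secureConnection` somewhere outside this diff, that is a regression for every consumer of this helper. Extending the condition with `(and .Values.ingress.enabled .Values.ingress.tls)` as a third `or` operand would restore the previous behaviour. Separately, the new `seleniumGrid.server.url` (and thus `seleniumGrid.graphqlURL`) embeds `seleniumGrid.url.basicAuth`, i.e. the grid's basic-auth credentials, into a URL string; whichever object that string is rendered into (a KEDA trigger `metadata` block or a ConfigMap rather than a Secret) exposes the credentials to anyone with read access on it, so it is worth confirming where `seleniumGrid.graphqlURL` ends up.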
@@ -558,6 +598,16 @@ Get the url of the grid. If the external url can be figured out from the ingress
 {{- $port }}
 {{- end -}}
+{{- define "seleniumGrid.server.url.port" -}}
+{{- $port := ":4444" -}}
+{{- if .Values.isolateComponents -}}
+ {{- $port = printf ":%s" (.Values.components.router.port | toString) -}}
+{{- else -}}
+ {{- $port = printf ":%s" (.Values.hub.port | toString) -}}
+{{- end -}}
+{{- $port }}
+{{- end -}}
+
 {{- define "seleniumGrid.url.subPath" -}}
 {{- $subPath := "" -}}
 {{- if $.Values.isolateComponents -}}
@@ -568,18 +618,11 @@ Get the url of the grid. If the external url can be figured out from the ingress
 {{- $subPath }}
 {{- end -}}
-{{/*
-Graphql Url of the hub or the router
-*/}}
-{{- define "seleniumGrid.graphqlURL" -}}
-{{- printf "%s://%s%s%s/graphql" (include "seleniumGrid.server.protocol" .) (include "seleniumGrid.url.basicAuth" .) (printf "%s.%s" (include ($.Values.isolateComponents | ternary "seleniumGrid.router.fullname" "seleniumGrid.hub.fullname") $) (.Release.Namespace)) (printf ":%s" ($.Values.isolateComponents | ternary ($.Values.components.router.port | toString) ($.Values.hub.port | toString))) -}}
-{{- end -}}
 {{/*
 Graphql unsafeSsl of the hub or the router
 */}}
 {{- define "seleniumGrid.graphqlURL.unsafeSsl" -}}
-{{- $unsafeSsl := printf "%s" (ternary "true" "false" .Values.serverConfigMap.disableHostnameVerification) -}}
+{{- $unsafeSsl := printf "%s" (ternary "true" "false" .Values.tls.disableHostnameVerification) -}}
 {{- $unsafeSsl }}
 {{- end -}}
diff --git a/charts/selenium-grid/templates/distributor-deployment.yaml b/charts/selenium-grid/templates/distributor-deployment.yaml
index f727581b1..5f22ac6fe 100644
--- a/charts/selenium-grid/templates/distributor-deployment.yaml
+++ b/charts/selenium-grid/templates/distributor-deployment.yaml
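Review bot: `seleniumGrid.graphqlURL.unsafeSsl` is now driven by `.Values.tls.disableHostnameVerification`, which this commit's values.yaml defaults to `true`, so nodes skip hostname verification of the hub/router certificate unless the operator overrides that value; the helper's header should say so, e.g. `{{/* Graphql unsafeSsl of the hub or the router: follows tls.disableHostnameVerification, which defaults to true */}}`. It is also evaluated regardless of whether the server connection is secure, which is harmless but worth a word in the same comment.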
@@ -83,9 +83,9 @@ spec:
 mountPath: {{ $.Values.distributorConfigMap.extraScriptsDirectory }}/{{ $fileName }}
 subPath: {{ $fileName }}
 {{- end }}
- {{- if .Values.tls.enabled }}
+ {{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" . | quote }}
- mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }}
+ mountPath: {{ .Values.tls.certVolumeMountPath | quote }}
 readOnly: true
 {{- end }}
 ports:
@@ -170,7 +170,7 @@ spec:
 configMap:
 name: {{ template "seleniumGrid.distributor.configmap.fullname" $ }}
 defaultMode: {{ $.Values.distributorConfigMap.defaultMode }}
- {{- if .Values.tls.enabled }}
+ {{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" . | quote }}
 secret:
 secretName: {{ include "seleniumGrid.tls.fullname" . | quote }}
diff --git a/charts/selenium-grid/templates/event-bus-deployment.yaml b/charts/selenium-grid/templates/event-bus-deployment.yaml
index 7946577d0..f48998843 100644
--- a/charts/selenium-grid/templates/event-bus-deployment.yaml
+++ b/charts/selenium-grid/templates/event-bus-deployment.yaml
@@ -64,9 +64,9 @@ spec:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 volumeMounts:
- {{- if .Values.tls.enabled }}
+ {{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" . | quote }}
- mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }}
+ mountPath: {{ .Values.tls.certVolumeMountPath | quote }}
 readOnly: true
 {{- end }}
 {{- with .Values.components.eventBus.resources }}
@@ -93,7 +93,7 @@ spec:
 priorityClassName: {{ . }}
 {{- end }}
 volumes:
- {{- if .Values.tls.enabled }}
+ {{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" . | quote }}
 secret:
 secretName: {{ include "seleniumGrid.tls.fullname" . | quote }}
diff --git a/charts/selenium-grid/templates/hub-deployment.yaml b/charts/selenium-grid/templates/hub-deployment.yaml
index 0a231e8a2..dc4363a84 100644
--- a/charts/selenium-grid/templates/hub-deployment.yaml
+++ b/charts/selenium-grid/templates/hub-deployment.yaml
@@ -28,6 +28,7 @@ spec:
 checksum/server-configmap: {{ include (print $.Template.BasePath "/server-configmap.yaml") . | sha256sum }}
 checksum/distributor-configmap: {{ include (print $.Template.BasePath "/distributor-configmap.yaml") . | sha256sum }}
 checksum/secrets: {{ include (print $.Template.BasePath "/secrets.yaml") . | sha256sum }}
+ checksum/tls-cert-secret: {{ include (print $.Template.BasePath "/tls-cert-secret.yaml") . | sha256sum }}
 {{- with .Values.hub.annotations }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -141,9 +142,9 @@ spec:
 mountPath: {{ $.Values.distributorConfigMap.extraScriptsDirectory }}/{{ $fileName }}
 subPath: {{ $fileName }}
 {{- end }}
- {{- if .Values.tls.enabled }}
+ {{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" . | quote }}
- mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }}
+ mountPath: {{ .Values.tls.certVolumeMountPath | quote }}
 readOnly: true
 {{- end }}
 {{- with .Values.hub.extraVolumeMounts }}
@@ -177,7 +178,7 @@ spec:
 configMap:
 name: {{ template "seleniumGrid.distributor.configmap.fullname" $ }}
 defaultMode: {{ $.Values.distributorConfigMap.defaultMode }}
- {{- if .Values.tls.enabled }}
+ {{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" . | quote }}
 secret:
 secretName: {{ include "seleniumGrid.tls.fullname" . | quote }}
diff --git a/charts/selenium-grid/templates/ingress.yaml b/charts/selenium-grid/templates/ingress.yaml
index 9f40cb929..c45c86fd0 100644
--- a/charts/selenium-grid/templates/ingress.yaml
+++ b/charts/selenium-grid/templates/ingress.yaml
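Review bot: The `checksum/tls-cert-secret` annotation is added to the hub deployment only, while the router, distributor, event-bus, session-map and session-queuer deployments in this commit mount the same secret; if their annotation blocks (outside the visible hunks) do not get the same line, rotating the certificate restarts the hub but leaves the other components serving the old material in isolated mode. Either add the same annotation to each of those templates or comment here why the hub alone needs it. Note also that when `tls.nameOverride` points at an external secret the tls-cert-secret template renders empty, so this checksum does not track that secret's contents; a one-line comment saying so would save the next reader the investigation.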
@@ -32,7 +32,7 @@ spec:
 {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
 ingressClassName: {{ .Values.ingress.className }}
 {{- end }}
- {{- if and (or .Values.tls.enabled .Values.tls.ingress.generateTLS) (tpl .Values.ingress.hostname $) (not .Values.ingress.tls) }}
+ {{- if and (eq (include "seleniumGrid.ingress.secureConnection" $) "true") (tpl .Values.ingress.hostname $) (not .Values.ingress.tls) }}
 tls:
 - hosts:
 - {{ tpl .Values.ingress.hostname $ | quote }}
diff --git a/charts/selenium-grid/templates/node-configmap.yaml b/charts/selenium-grid/templates/node-configmap.yaml
index 43f5c13dc..24709c623 100644
--- a/charts/selenium-grid/templates/node-configmap.yaml
+++ b/charts/selenium-grid/templates/node-configmap.yaml
@@ -24,8 +24,8 @@ data:
 SE_BASIC_AUTH: '{{ template "seleniumGrid.url.basicAuth" $ }}'
 SE_SUB_PATH: '{{ template "seleniumGrid.url.subPath" $ }}'
 SE_DRAIN_AFTER_SESSION_COUNT: '{{- and (eq (include "seleniumGrid.useKEDA" .) "true") (eq .Values.autoscaling.scalingType "job") | ternary "1" "0" -}}'
- SE_NODE_GRID_URL: '{{ include "seleniumGrid.url" .}}'
- SE_NODE_GRID_GRAPHQL_URL: '{{ include "seleniumGrid.graphqlURL" . }}'
+ SE_NODE_GRID_URL: '{{ include "seleniumGrid.url" $ }}'
+ SE_NODE_GRID_GRAPHQL_URL: '{{ include "seleniumGrid.graphqlURL" $ }}'
 {{- if $.Values.nodeConfigMap.leftoversCleanup.enabled }}
 SE_ENABLE_BROWSER_LEFTOVERS_CLEANUP: 'true'
 {{- with $.Values.nodeConfigMap.leftoversCleanup.jobIntervalInSecs }}
diff --git a/charts/selenium-grid/templates/router-deployment.yaml b/charts/selenium-grid/templates/router-deployment.yaml
index 0c76bbfc7..d1587cb5e 100644
--- a/charts/selenium-grid/templates/router-deployment.yaml
+++ b/charts/selenium-grid/templates/router-deployment.yaml
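Review bot: The ingress `tls:` block is still conditioned on `ingress.hostname` being set, so with `tls.ingress.generateTLS=true` and no hostname the self-signed certificate from tls-cert-secret.yaml is generated but never referenced by the Ingress; it is then only usable as the controller's default certificate, which is what chart_test.sh in this commit wires via `ingress-nginx.controller.extraArgs.default-ssl-certificate`. A comment above the condition, e.g. `{{/* tls is attached only when a hostname is known; otherwise the controller's default-ssl-certificate must point at the generated secret */}}`, would make that coupling explicit for chart users who do not read the test script.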
@@ -83,9 +83,9 @@ spec:
 mountPath: {{ $.Values.routerConfigMap.extraScriptsDirectory }}/{{ $fileName }}
 subPath: {{ $fileName }}
 {{- end }}
- {{- if .Values.tls.enabled }}
+ {{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" . | quote }}
- mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }}
+ mountPath: {{ .Values.tls.certVolumeMountPath | quote }}
 readOnly: true
 {{- end }}
 ports:
@@ -170,7 +170,7 @@ spec:
 configMap:
 name: {{ template "seleniumGrid.router.configmap.fullname" $ }}
 defaultMode: {{ $.Values.routerConfigMap.defaultMode }}
- {{- if .Values.tls.enabled }}
+ {{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" . | quote }}
 secret:
 secretName: {{ include "seleniumGrid.tls.fullname" . | quote }}
diff --git a/charts/selenium-grid/templates/secrets.yaml b/charts/selenium-grid/templates/secrets.yaml
index 87c57d8ff..f3f8038a1 100644
--- a/charts/selenium-grid/templates/secrets.yaml
+++ b/charts/selenium-grid/templates/secrets.yaml
@@ -24,11 +24,11 @@ data:
 ROUTER_USERNAME: {{ .Values.basicAuth.username | b64enc }}
 ROUTER_PASSWORD: {{ .Values.basicAuth.password | b64enc }}
 {{- end }}
-{{- if .Values.tls.enabled }}
- SE_JAVA_SSL_TRUST_STORE_PASSWORD: {{ .Values.tls.trustStorePassword | b64enc }}
+{{- with $.Values.tls.trustStorePassword }}
+ SE_JAVA_SSL_TRUST_STORE_PASSWORD: {{ . | b64enc }}
 {{- end }}
-{{- if (include "seleniumGrid.tls.registrationSecret.enabled" $) }}
- SE_REGISTRATION_SECRET: {{ .Values.tls.registrationSecret.value | b64enc }}
+{{- if (include "seleniumGrid.registrationSecret.enabled" $) }}
+ SE_REGISTRATION_SECRET: {{ .Values.registrationSecret.value | b64enc }}
 {{- end }}
 {{- if .Values.videoRecorder.uploader.secrets }}
 {{- range $name, $value := .Values.videoRecorder.uploader.secrets }}
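Review bot: In the secrets.yaml hunk, `{{- with $.Values.tls.trustStorePassword }}` drops the former `tls.enabled` guard, so `SE_JAVA_SSL_TRUST_STORE_PASSWORD` is now rendered into the Secret for every deployment, plain-HTTP ones included, with the chart default `seleniumkeystore`; if that is intended, a short comment above the `with` would help, otherwise gate it on `seleniumGrid.server.secureConnection` like the cert volume mounts in the other hunks. `SE_REGISTRATION_SECRET` is likewise populated from `registrationSecret.value`, whose default in values.yaml is a published constant, so a comment noting that enabling `registrationSecret` without overriding `value` provides no real registration protection would be useful here.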
diff --git a/charts/selenium-grid/templates/server-configmap.yaml b/charts/selenium-grid/templates/server-configmap.yaml
index e7eda96ed..5c2489a83 100644
--- a/charts/selenium-grid/templates/server-configmap.yaml
+++ b/charts/selenium-grid/templates/server-configmap.yaml
@@ -13,12 +13,12 @@ metadata:
 {{- end }}
 data:
 SE_SERVER_PROTOCOL: {{ include "seleniumGrid.server.protocol" . | quote }}
+{{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
+ SE_HTTPS_CERTIFICATE: {{ printf "%s/%s" .Values.tls.certVolumeMountPath .Values.tls.certificateFile | quote }}
+ SE_HTTPS_PRIVATE_KEY: {{ printf "%s/%s" .Values.tls.certVolumeMountPath .Values.tls.privateKeyFile | quote }}
+ SE_JAVA_SSL_TRUST_STORE: {{ printf "%s/%s" .Values.tls.certVolumeMountPath .Values.tls.trustStoreFile | quote }}
+ SE_JAVA_DISABLE_HOSTNAME_VERIFICATION: {{ .Values.tls.disableHostnameVerification | quote }}
+{{- end }}
 {{- range $key, $value := .Values.serverConfigMap.env }}
 {{ $key }}: {{ $value | quote }}
 {{- end }}
-{{- if .Values.tls.enabled }}
- SE_HTTPS_CERTIFICATE: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.certificateFile | quote }}
- SE_HTTPS_PRIVATE_KEY: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.privateKeyFile | quote }}
- SE_JAVA_SSL_TRUST_STORE: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.trustStoreFile | quote }}
- SE_JAVA_DISABLE_HOSTNAME_VERIFICATION: {{ .Values.serverConfigMap.disableHostnameVerification | quote }}
-{{- end }}
diff --git a/charts/selenium-grid/templates/session-map-deployment.yaml b/charts/selenium-grid/templates/session-map-deployment.yaml
index 3b77d760e..7ad705ade 100644
--- a/charts/selenium-grid/templates/session-map-deployment.yaml
+++ b/charts/selenium-grid/templates/session-map-deployment.yaml
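Review bot: Moving the `SE_HTTPS_*`/`SE_JAVA_*` entries above the `serverConfigMap.env` range changes which definition comes last when a user also sets one of those keys in `serverConfigMap.env`; previously the chart's TLS values were emitted after the user block, now the user's copy is. Whether a later duplicate key wins or the render is rejected depends on the YAML parser in play, so if user overrides are meant to be honoured say so in a comment above the `if`, and if not keep the chart entries after the range as before. Either way, a comment that `SE_JAVA_DISABLE_HOSTNAME_VERIFICATION` follows `tls.disableHostnameVerification`, which defaults to `true` in this commit's values.yaml, would help whoever reads the rendered ConfigMap.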
@@ -60,9 +60,9 @@ spec:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 volumeMounts:
- {{- if .Values.tls.enabled }}
+ {{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" . | quote }}
- mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }}
+ mountPath: {{ .Values.tls.certVolumeMountPath | quote }}
 readOnly: true
 {{- end }}
 ports:
@@ -92,7 +92,7 @@ spec:
 priorityClassName: {{ . }}
 {{- end }}
 volumes:
- {{- if .Values.tls.enabled }}
+ {{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" . | quote }}
 secret:
 secretName: {{ include "seleniumGrid.tls.fullname" . | quote }}
diff --git a/charts/selenium-grid/templates/session-queuer-deployment.yaml b/charts/selenium-grid/templates/session-queuer-deployment.yaml
index 4fcce05ac..999dc95f5 100644
--- a/charts/selenium-grid/templates/session-queuer-deployment.yaml
+++ b/charts/selenium-grid/templates/session-queuer-deployment.yaml
@@ -57,9 +57,9 @@ spec:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 volumeMounts:
- {{- if .Values.tls.enabled }}
+ {{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" . | quote }}
- mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }}
+ mountPath: {{ .Values.tls.certVolumeMountPath | quote }}
 readOnly: true
 {{- end }}
 ports:
@@ -89,7 +89,7 @@ spec:
 priorityClassName: {{ . }}
 {{- end }}
 volumes:
- {{- if .Values.tls.enabled }}
+ {{- if eq (include "seleniumGrid.server.secureConnection" $) "true" }}
 - name: {{ include "seleniumGrid.tls.fullname" . | quote }}
 secret:
 secretName: {{ include "seleniumGrid.tls.fullname" . | quote }}
diff --git a/charts/selenium-grid/templates/tls-cert-secret.yaml b/charts/selenium-grid/templates/tls-cert-secret.yaml
index 1ed202e1f..038fb19e2 100644
--- a/charts/selenium-grid/templates/tls-cert-secret.yaml
+++ b/charts/selenium-grid/templates/tls-cert-secret.yaml
@@ -1,3 +1,4 @@
+{{- if and (not $.Values.tls.nameOverride) (or (eq (include "seleniumGrid.ingress.secureConnection" $) "true") (eq (include "seleniumGrid.server.secureConnection" $) "true")) }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -9,21 +10,31 @@ metadata:
 {{- with .Values.customLabels }}
 {{- toYaml . | nindent 4 }}
 {{- end }}
-type: Opaque
+type: kubernetes.io/tls
 data:
-{{- if and .Values.ingress.enabled .Values.tls.ingress.generateTLS (not .Values.tls.enabled) }}
+{{- if and (eq (include "seleniumGrid.ingress.secureConnection" $) "true") $.Values.tls.ingress.generateTLS }}
 {{- $name := default "SeleniumHQ" .Values.tls.ingress.defaultName -}}
 {{- $days := default 365 (.Values.tls.ingress.defaultDays | int) -}}
 {{- $cn := ternary .Values.tls.ingress.defaultCN (tpl .Values.ingress.hostname $) (empty .Values.ingress.hostname) -}}
 {{- $server := genSelfSignedCert $cn ( default nil .Values.tls.ingress.defaultIPList ) ( default nil .Values.tls.ingress.defaultSANList ) $days }}
 tls.crt: {{ $server.Cert | b64enc }}
 tls.key: {{ $server.Key | b64enc }}
-{{- else if and .Values.ingress.enabled .Values.tls.enabled }}
- tls.crt: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.certificate $)) .Values.tls.certificate | b64enc }}
- tls.key: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.privateKey $)) .Values.tls.privateKey | b64enc }}
+{{- else if or (eq (include "seleniumGrid.ingress.secureConnection" $) "true") (eq (include "seleniumGrid.server.secureConnection" $) "true") }}
+{{- $fileProceeded := list -}}
+{{- range $path, $_ := .Files.Glob $.Values.tls.secretFilesImportFrom }}
+ {{- $fileName := base $path -}}
+ {{- $value := index $.Values.tls.secretFiles $fileName -}}
+ {{- if empty $value }}
+{{- $fileName | nindent 2 -}}: {{- toYaml ($.Files.Get $path | b64enc) | indent 4 }}
+ {{- else }}
+{{- $fileName | nindent 2 -}}: {{- toYaml ($value | b64enc) | indent 4 }}
+ {{- end }}
+ {{- $fileProceeded = append $fileProceeded $fileName -}}
+{{- end }}
+{{- range $fileName, $value := .Values.tls.secretFiles }}
+ {{- if not (has $fileName $fileProceeded) }}
+{{- $fileName | nindent 2 -}}: {{- toYaml (default "" $value | b64enc) | indent 4 }}
+ {{- end }}
+{{- end }}
 {{- end }}
-{{- if .Values.tls.enabled }}
- {{ .Values.serverConfigMap.privateKeyFile }}: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.privateKey $)) .Values.tls.privateKey | b64enc }}
- {{ .Values.serverConfigMap.certificateFile }}: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.certificate $)) .Values.tls.certificate | b64enc }}
- {{ .Values.serverConfigMap.trustStoreFile }}: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.trustStore $)) .Values.tls.trustStore | b64enc }}
 {{- end }}
diff --git a/charts/selenium-grid/values.yaml b/charts/selenium-grid/values.yaml
index 97a574a73..ec3b39ea5 100644
--- a/charts/selenium-grid/values.yaml
+++ b/charts/selenium-grid/values.yaml
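Review bot: The `range $path, $_ := .Files.Glob $.Values.tls.secretFilesImportFrom` loop copies every file matching the glob into the Secret keyed by its basename; with the default `certs/**` that includes anything else kept under certs/ — chart_test.sh in this commit runs `${CHART_PATH}/certs/cert.sh`, which would land as a `cert.sh` key in a `kubernetes.io/tls` Secret if that script lives in the chart directory — and two files sharing a basename in different subdirectories would produce duplicate keys. Restricting the import to declared entries, `{{- if hasKey $.Values.tls.secretFiles $fileName }}` around the loop body with its `{{- end }}` before the `append`, or narrowing the default glob to the certificate file types, keeps the Secret to certificate material. The second loop also emits an empty value for any declared file that was neither imported nor set; the API server will presumably accept empty `tls.crt`/`tls.key` in a `kubernetes.io/tls` Secret and the failure then surfaces at the server, so a `required`-style check or a comment explaining the fallback would help. The hunk ends at the file's closing `{{- end }}`.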
@@ -29,29 +29,37 @@ global:
 stdoutProbeLog: false
 tls:
+ # Name of external secret containing the TLS certificate and key
+ # nameOverride:
 enabled: false
 ingress:
+ enabled: false
 generateTLS: false
 defaultName: "SeleniumHQ"
 defaultDays: 3650
 defaultCN: "www.selenium.dev" # or *.domain.com
 defaultSANList: []
- # - domain.com
+ # - staging.domain.com
 # - production.domain.com
 defaultIPList: []
 # - 10.10.10.10
- defaultFile:
- certificate: "certs/selenium.pem"
- privateKey: "certs/selenium.pkcs8.base64"
- trustStore: "certs/selenium.jks"
- certificate:
- privateKey:
- trustStore:
- trustStorePassword: "changeit"
- registrationSecret:
- enabled: false
- value: "HappyTesting"
+ secretFiles:
+ tls.crt: ""
+ tls.key: ""
+ server.jks: ""
+ secretFilesImportFrom: "certs/**"
+ certVolumeMountPath: /etc/ssl/certs/selenium
+ certificateFile: tls.crt
+ privateKeyFile: tls.key
+ trustStoreFile: server.jks
+ trustStorePassword: "seleniumkeystore"
+ # Disable verification the hostname included in the server's TLS/SSL certificates matches the hostnames provided
+ disableHostnameVerification: true
+
+registrationSecret:
+ enabled: false
+ value: "HappyTesting"
 # Basic auth settings for Selenium Grid
 basicAuth:
@@ -108,6 +116,7 @@ ingress:
 className: ""
 # Refer to list nginx annotations: https://github.com/kubernetes/ingress-nginx/blob/main/docs/user-guide/nginx-configuration/annotations.md#annotations
 nginx:
+ websocket: true
 proxyTimeout: 3600
 proxyBuffer:
 size: 512M
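Review bot: The new `tls` block defaults to `disableHostnameVerification: true`, a fixed `trustStorePassword: "seleniumkeystore"` and `secretFilesImportFrom: "certs/**"`, which — judging by the test default `${CHART_PATH}/certs/tls.crt` elsewhere in this commit — points at material shipped inside the chart, yet the only comment in the block is the hostname one; an operator keeping these defaults gets chart-bundled key material and no hostname check without being told. Suggest a comment above `secretFiles:` such as `# Files under certs/ are bundled demo material; supply your own via secretFiles, secretFilesImportFrom or tls.nameOverride`, and rewording the existing line to `# Disable verification that the hostname in the server's certificate matches the host being connected to`. `registrationSecret.value: "HappyTesting"` is likewise a published default, so a `# override when enabled` next to it is cheap.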
@@ -236,12 +245,6 @@ loggingConfigMap:
 # ConfigMap that contains common environment variables for Server (https://www.selenium.dev/documentation/grid/configuration/cli_options/#server)
 serverConfigMap:
 # nameOverride:
- certVolumeMountPath: /etc/ssl/certs/selenium
- certificateFile: selenium.pem
- privateKeyFile: selenium.pkcs8
- trustStoreFile: selenium.jks
- # Disable verification the hostname included in the server's TLS/SSL certificates matches the hostnames provided
- disableHostnameVerification: true
 env:
 SE_JAVA_OPTS: "-XX:+UseZGC"
 # Custom annotations for configmap
diff --git a/tests/charts/ci/base-recorder-values.yaml b/tests/charts/ci/base-recorder-values.yaml
index 9ffa5d657..b9d11c36d 100644
--- a/tests/charts/ci/base-recorder-values.yaml
+++ b/tests/charts/ci/base-recorder-values.yaml
@@ -39,8 +39,3 @@ videoRecorder:
 RCLONE_CONFIG_GS_SECRET_ACCESS_KEY: "${GS_SECRET_ACCESS_KEY}"
 RCLONE_CONFIG_GS_ENDPOINT: "https://storage.googleapis.com"
 RCLONE_CONFIG_GS_NO_CHECK_BUCKET: "true"
-
-ingress-nginx:
- controller:
- extraArgs:
- default-ssl-certificate: '$(POD_NAMESPACE)/${SELENIUM_TLS_SECRET_NAME}'
diff --git a/tests/charts/ci/base-tls-values.yaml b/tests/charts/ci/base-tls-values.yaml
index 4a572bb9f..45c6cc3ae 100644
--- a/tests/charts/ci/base-tls-values.yaml
+++ b/tests/charts/ci/base-tls-values.yaml
@@ -1,9 +1,6 @@
-tls:
+registrationSecret:
 enabled: true
- generateTLS: false
- registrationSecret:
- enabled: true
- value: "HappyTestOps"
+ value: "HappyTestOps"
 monitoring:
 enabled: false
diff --git a/tests/charts/make/chart_cluster_setup.sh b/tests/charts/make/chart_cluster_setup.sh
index d2b806770..1a55f60f5 100755
--- a/tests/charts/make/chart_cluster_setup.sh
+++ b/tests/charts/make/chart_cluster_setup.sh
@@ -38,17 +38,6 @@ on_failure() {
 # Trap ERR signal and call on_failure function
 trap 'on_failure' ERR
-# Limit the number of resources to avoid host OOM
-CPUs=$(grep -c ^processor /proc/cpuinfo)
-if [ "${CPUs}" -gt 1 ]; then
- CPUs=$((CPUs-1))
-fi
-
-MEMORY=$(free -m | awk '/^Mem:/{print $7}')
-if [ "${MEMORY}" = "" ]; then
- MEMORY=$(free -m | awk '/^Mem:/{print $2}')
-fi
-
 if [ "${CLUSTER}" = "kind" ]; then
 echo "Start Kind cluster"
 kind create cluster --image kindest/node:${KUBERNETES_VERSION} --wait ${WAIT_TIMEOUT} --name ${CLUSTER_NAME} --config tests/charts/config/kind-cluster.yaml
@@ -56,7 +45,7 @@ elif [ "${CLUSTER}" = "minikube" ]; then
 echo "Start Minikube cluster"
 sudo chmod 777 /tmp
 export CHANGE_MINIKUBE_NONE_USER=true
- sudo -SE minikube start --vm-driver=none --cpus ${CPUs} --memory ${MEMORY} \
+ sudo -SE minikube start --vm-driver=none \
 --kubernetes-version=${KUBERNETES_VERSION} --network-plugin=cni --cni=${CNI} --container-runtime=${CONTAINER_RUNTIME} --wait=all
 sudo chown -R $USER $HOME/.kube $HOME/.minikube
 fi
diff --git a/tests/charts/make/chart_test.sh b/tests/charts/make/chart_test.sh
index 76efcb8aa..f2d94bf74 100755
--- a/tests/charts/make/chart_test.sh
+++ b/tests/charts/make/chart_test.sh
@@ -23,7 +23,7 @@ HUB_CHECKS_MAX_ATTEMPTS=${HUB_CHECKS_MAX_ATTEMPTS:-6}
 WEB_DRIVER_WAIT_TIMEOUT=${WEB_DRIVER_WAIT_TIMEOUT:-120}
 AUTOSCALING_POLL_INTERVAL=${AUTOSCALING_POLL_INTERVAL:-20}
 SKIP_CLEANUP=${SKIP_CLEANUP:-"true"} # For debugging purposes, retain the cluster after the test run
-CHART_CERT_PATH=${CHART_CERT_PATH:-"${CHART_PATH}/certs/selenium.pem"}
+CHART_CERT_PATH=${CHART_CERT_PATH:-"${CHART_PATH}/certs/tls.crt"}
 SSL_CERT_DIR=${SSL_CERT_DIR:-"/etc/ssl/certs"}
 VIDEO_TAG=${VIDEO_TAG:-"latest"}
 CHART_ENABLE_TRACING=${CHART_ENABLE_TRACING:-"false"}
@@ -39,6 +39,12 @@ TEST_UPGRADE_CHART=${TEST_UPGRADE_CHART:-"false"}
 TEST_PV_CLAIM_NAME=${TEST_PV_CLAIM_NAME:-"selenium-grid-pvc-local"}
 LIMIT_RESOURCES=${LIMIT_RESOURCES:-"true"}
 TEST_PLATFORMS=${PLATFORMS:-"linux/amd64"}
+if [ "${RELEASE_NAME}" = "selenium" ]; then
+ SELENIUM_TLS_SECRET_NAME="selenium-tls-secret"
+else
+ SELENIUM_TLS_SECRET_NAME="${RELEASE_NAME}-selenium-tls-secret"
+fi
+EXTERNAL_TLS_SECRET_NAME=${EXTERNAL_TLS_SECRET_NAME:-"external-tls-secret"}
 cleanup() {
 # Get the list of pods
@@ -83,11 +89,6 @@ export RELEASE_NAME=${RELEASE_NAME}
 export SELENIUM_NAMESPACE=${SELENIUM_NAMESPACE}
 export TEST_PV_CLAIM_NAME=${TEST_PV_CLAIM_NAME}
 export HOST_PATH=$(realpath ./tests/videos)
-if [ "${RELEASE_NAME}" = "selenium" ]; then
- export SELENIUM_TLS_SECRET_NAME="selenium-tls-secret"
-else
- export SELENIUM_TLS_SECRET_NAME="${RELEASE_NAME}-selenium-tls-secret"
-fi
 RECORDER_VALUES_FILE=${TEST_VALUES_PATH}/base-recorder-values.yaml
 envsubst < ${RECORDER_VALUES_FILE} > ./tests/tests/base-recorder-values.yaml
 RECORDER_VALUES_FILE=./tests/tests/base-recorder-values.yaml
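Review bot: `SELENIUM_TLS_SECRET_NAME` loses its `export` when it moves to the top of the file, and the only consumer this commit removes is the `${SELENIUM_TLS_SECRET_NAME}` placeholder in base-recorder-values.yaml; any other file passed through `envsubst` or any test process that reads the variable from its environment would now see it empty, so confirm there are none or keep the `export`. The hard-coded `selenium-tls-secret` / `${RELEASE_NAME}-selenium-tls-secret` naming mirrors what the chart's `seleniumGrid.tls.fullname` helper renders; a comment such as `# Must match the name rendered by seleniumGrid.tls.fullname in the chart` would tie the two together for whoever changes one of them.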
@@ -173,6 +174,59 @@ if [ "${TEST_PLATFORMS}" != "linux/amd64" ]; then
 "
 fi
+if [ "${SERVICE_TYPE_NODEPORT}" = "true" ]; then
+ HELM_COMMAND_SET_IMAGES="${HELM_COMMAND_SET_IMAGES} \
+ --set ingress.enabled=false \
+ --set hub.serviceType=NodePort \
+ --set components.router.serviceType=NodePort \
+ "
+fi
+
+if [ "${SECURE_INGRESS_ONLY_GENERATE}" = "true" ]; then
+ HELM_COMMAND_SET_IMAGES="${HELM_COMMAND_SET_IMAGES} \
+ --set tls.ingress.generateTLS=true \
+ --set tls.ingress.defaultCN=${SELENIUM_GRID_HOST} \
+ --set tls.ingress.defaultSANList[0]=${SELENIUM_GRID_HOST} \
+ --set tls.ingress.defaultIPList[0]=$(hostname -I | awk '{print $1}') \
+ "
+ kubectl get secret ${SELENIUM_TLS_SECRET_NAME} -n ${SELENIUM_NAMESPACE} -o jsonpath="{.data.tls\.crt}" | base64 -d > ./tests/tests/tls.crt
+ CHART_CERT_PATH="./tests/tests/tls.crt"
+fi
+
+if [ "${SECURE_INGRESS_ONLY_DEFAULT}" = "true" ]; then
+ HELM_COMMAND_SET_IMAGES="${HELM_COMMAND_SET_IMAGES} \
+ --set tls.ingress.enabled=true \
+ "
+fi
+
+if [ "${SECURE_CONNECTION_SERVER}" = "true" ]; then
+ HELM_COMMAND_SET_IMAGES="${HELM_COMMAND_SET_IMAGES} \
+ --set tls.enabled=true \
+ "
+fi
+
+if [ "${SECURE_USE_EXTERNAL_CERT}" = "true" ]; then
+ HELM_COMMAND_SET_IMAGES="${HELM_COMMAND_SET_IMAGES} \
+ --set tls.nameOverride=${EXTERNAL_TLS_SECRET_NAME} \
+ "
+ cert_dir="./tests/tests"
+ ADD_IP_ADDRESS=hostname ./${CHART_PATH}/certs/cert.sh -d ${cert_dir}
+ kubectl delete secret -n ${SELENIUM_NAMESPACE} ${EXTERNAL_TLS_SECRET_NAME} --ignore-not-found=true
+ kubectl create secret generic -n ${SELENIUM_NAMESPACE} ${EXTERNAL_TLS_SECRET_NAME} --from-file=tls.crt=${cert_dir}/tls.crt \
+ --from-file=tls.key=${cert_dir}/tls.key --from-file=server.jks=${cert_dir}/server.jks
+ CHART_CERT_PATH="./tests/tests/tls.crt"
+fi
+
+if [ "${SECURE_USE_EXTERNAL_CERT}" = "true" ]; then
+ HELM_COMMAND_SET_IMAGES="${HELM_COMMAND_SET_IMAGES} \
+ --set ingress-nginx.controller.extraArgs.default-ssl-certificate=${SELENIUM_NAMESPACE}/${EXTERNAL_TLS_SECRET_NAME} \
+ "
+else
+ HELM_COMMAND_SET_IMAGES="${HELM_COMMAND_SET_IMAGES} \
+ --set ingress-nginx.controller.extraArgs.default-ssl-certificate=${SELENIUM_NAMESPACE}/${SELENIUM_TLS_SECRET_NAME} \
+ "
+fi
+
 if [ "${SELENIUM_GRID_AUTOSCALING}" = "true" ]; then
 HELM_COMMAND_SET_AUTOSCALING=" \
 --set autoscaling.scaledOptions.minReplicaCount=${SELENIUM_GRID_AUTOSCALING_MIN_REPLICA} \
@@ -229,6 +283,11 @@ if [ "${TEST_UPGRADE_CHART}" = "true" ]; then
 exit 0
 fi
+if [ "${SECURE_INGRESS_ONLY_GENERATE}" = "true" ]; then
+ kubectl get secret ${SELENIUM_TLS_SECRET_NAME} -n ${SELENIUM_NAMESPACE} -o jsonpath="{.data.tls\.crt}" | base64 -d > ./tests/tests/tls.crt
+ CHART_CERT_PATH="./tests/tests/tls.crt"
+fi
+
 echo "Run Tests"
 export CHART_CERT_PATH=$(readlink -f ${CHART_CERT_PATH})
 export SELENIUM_GRID_PROTOCOL=${SELENIUM_GRID_PROTOCOL}
diff --git a/tests/customCACert/bootstrap.sh b/tests/customCACert/bootstrap.sh
index cd83a37de..67f6983cc 100755
--- a/tests/customCACert/bootstrap.sh
+++ b/tests/customCACert/bootstrap.sh
@@ -13,7 +13,7 @@ trap 'on_failure' ERR
 NAMESPACE=${NAME:-"selenium"}
 VERSION=${VERSION:-$TAG_VERSION}
-CERT_FILE=${CERT_FILE:-"./charts/selenium-grid/certs/*.pem"}
+CERT_FILE=${CERT_FILE:-"./charts/selenium-grid/certs/*.crt"}
 CERT_SCRIPT=${CERT_SCRIPT:-"./tests/customCACert/cert-script.sh"}
 COMMON_BUILD_ARGS="--build-arg NAMESPACE=${NAMESPACE} --build-arg VERSION=${VERSION} --build-arg CERT_FILE=${CERT_FILE} --build-arg CERT_SCRIPT=${CERT_SCRIPT}"
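Review bot: The `kubectl get secret ${SELENIUM_TLS_SECRET_NAME} ... | base64 -d > ./tests/tests/tls.crt` inside the `SECURE_INGRESS_ONLY_GENERATE` block of the first hunk runs while `HELM_COMMAND_SET_IMAGES` is still being assembled, which appears to be before the chart is installed (the install itself is outside the hunk); at that point the secret does not exist, kubectl's failure is masked by the pipeline so the ERR trap never fires, and an empty tls.crt is written only to be overwritten by the identical block in the second hunk after the install. Dropping the first copy, or keeping just the `CHART_CERT_PATH="./tests/tests/tls.crt"` assignment there, removes a silently failing step. The two consecutive `if [ "${SECURE_USE_EXTERNAL_CERT}" = "true" ]` blocks can be merged into one, and the `--set` values built from `${SELENIUM_GRID_HOST}` and `$(hostname -I | awk '{print $1}')` are interpolated unquoted into the command string, so a value containing whitespace would split into extra arguments.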
@@ -22,7 +22,7 @@ docker build ${COMMON_BUILD_ARGS} --build-arg BASE=node-chrome -t ${NAMESPACE}/n
 docker build ${COMMON_BUILD_ARGS} --build-arg BASE=node-firefox -t ${NAMESPACE}/node-firefox:${VERSION} -f ./tests/customCACert/Dockerfile .
 docker build ${COMMON_BUILD_ARGS} --build-arg BASE=node-edge -t ${NAMESPACE}/node-edge:${VERSION} -f ./tests/customCACert/Dockerfile .
-list_cert_files=($(find ./charts/selenium-grid/certs/ -name "*.pem"))
+list_cert_files=($(find ./charts/selenium-grid/certs/ -name "*.crt"))
 for cert_file_path in "${list_cert_files[@]}"; do
 cert_file_name="$(basename ${cert_file_path})"
 cert_name="${cert_file_name%.*}"