-
Notifications
You must be signed in to change notification settings - Fork 321
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
33 changed files
with
1,048 additions
and
116 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
71 changes: 71 additions & 0 deletions
71
charts/consul/templates/gossip-encryption-autogenerate-job.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,71 @@ | ||
{{- if .Values.global.gossipEncryption.autoGenerate }} | ||
{{- if (or .Values.global.gossipEncryption.secretName .Values.global.gossipEncryption.secretKey) }} | ||
{{ fail "If global.gossipEncryption.autoGenerate is true, global.gossipEncryption.secretName and global.gossipEncryption.secretKey must not be set." }} | ||
{{ end }} | ||
# automatically generate encryption key for gossip protocol and save it in Kubernetes secret | ||
apiVersion: batch/v1 | ||
kind: Job | ||
metadata: | ||
name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate | ||
namespace: {{ .Release.Namespace }} | ||
labels: | ||
app: {{ template "consul.name" . }} | ||
chart: {{ template "consul.chart" . }} | ||
heritage: {{ .Release.Service }} | ||
release: {{ .Release.Name }} | ||
annotations: | ||
"helm.sh/hook": pre-install,pre-upgrade | ||
"helm.sh/hook-weight": "1" | ||
"helm.sh/hook-delete-policy": hook-succeeded,before-hook-creation | ||
spec: | ||
template: | ||
metadata: | ||
name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate | ||
labels: | ||
app: {{ template "consul.name" . }} | ||
chart: {{ template "consul.chart" . }} | ||
release: {{ .Release.Name }} | ||
component: gossip-encryption-autogeneneration | ||
annotations: | ||
"consul.hashicorp.com/connect-inject": "false" | ||
spec: | ||
restartPolicy: Never | ||
serviceAccountName: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate | ||
securityContext: | ||
runAsNonRoot: true | ||
runAsGroup: 1000 | ||
runAsUser: 100 | ||
fsGroup: 1000 | ||
containers: | ||
- name: gossip-encryption-autogen | ||
image: "{{ .Values.global.image }}" | ||
env: | ||
- name: NAMESPACE | ||
valueFrom: | ||
fieldRef: | ||
fieldPath: metadata.namespace | ||
# We're using POST requests below to create secrets via Kubernetes API. | ||
# Note that in the subsequent runs of the job, POST requests will | ||
# return a 409 because these secrets would already exist; | ||
# we are ignoring these response codes. | ||
command: | ||
- "/bin/sh" | ||
- "-ec" | ||
- | | ||
secretName={{ template "consul.fullname" . }}-gossip-encryption-key | ||
secretKey=key | ||
keyValue=$(consul keygen | base64) | ||
curl -s -X POST --cacert /var/run/secrets/kubernetes.io/serviceaccount/ca.crt \ | ||
https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api/v1/namespaces/${NAMESPACE}/secrets \ | ||
-H "Authorization: Bearer $( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" \ | ||
-H "Content-Type: application/json" \ | ||
-H "Accept: application/json" \ | ||
-d "{ \"kind\": \"Secret\", \"apiVersion\": \"v1\", \"metadata\": { \"name\": \"${secretName}\", \"namespace\": \"${NAMESPACE}\" }, \"type\": \"Opaque\", \"data\": { \"${secretKey}\": \"${keyValue}\" }}" > /dev/null | ||
resources: | ||
requests: | ||
memory: "50Mi" | ||
cpu: "50m" | ||
limits: | ||
memory: "50Mi" | ||
cpu: "50m" | ||
{{- end }} |
39 changes: 39 additions & 0 deletions
39
charts/consul/templates/gossip-encryption-autogenerate-podsecuritypolicy.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,39 @@ | ||
{{- if .Values.global.gossipEncryption.autoGenerate }} | ||
--- | ||
apiVersion: policy/v1beta1 | ||
kind: PodSecurityPolicy | ||
metadata: | ||
name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate | ||
namespace: {{ .Release.Namespace }} | ||
labels: | ||
app: {{ template "consul.name" . }} | ||
chart: {{ template "consul.chart" . }} | ||
heritage: {{ .Release.Service }} | ||
release: {{ .Release.Name }} | ||
annotations: | ||
"helm.sh/hook": pre-install,pre-upgrade | ||
"helm.sh/hook-delete-policy": before-hook-creation | ||
spec: | ||
privileged: false | ||
# Required to prevent escalations to root. | ||
allowPrivilegeEscalation: false | ||
# This is redundant with non-root + disallow privilege escalation, | ||
# but we can provide it for defense in depth. | ||
requiredDropCapabilities: | ||
- ALL | ||
# Allow core volume types. | ||
volumes: | ||
- 'secret' | ||
hostNetwork: false | ||
hostIPC: false | ||
hostPID: false | ||
runAsUser: | ||
rule: 'RunAsAny' | ||
seLinux: | ||
rule: 'RunAsAny' | ||
supplementalGroups: | ||
rule: 'RunAsAny' | ||
fsGroup: | ||
rule: 'RunAsAny' | ||
readOnlyRootFilesystem: false | ||
{{- end }} |
30 changes: 30 additions & 0 deletions
30
charts/consul/templates/gossip-encryption-autogenerate-role.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
{{- if .Values.global.gossipEncryption.autoGenerate }} | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: Role | ||
metadata: | ||
name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate | ||
namespace: {{ .Release.Namespace }} | ||
labels: | ||
app: {{ template "consul.name" . }} | ||
chart: {{ template "consul.chart" . }} | ||
heritage: {{ .Release.Service }} | ||
release: {{ .Release.Name }} | ||
annotations: | ||
"helm.sh/hook": pre-install,pre-upgrade | ||
"helm.sh/hook-delete-policy": before-hook-creation | ||
rules: | ||
- apiGroups: [""] | ||
resources: | ||
- secrets | ||
verbs: | ||
- create | ||
{{- if .Values.global.enablePodSecurityPolicies }} | ||
- apiGroups: ["policy"] | ||
resources: | ||
- podsecuritypolicies | ||
verbs: | ||
- use | ||
resourceNames: | ||
- {{ template "consul.fullname" . }}-gossip-encryption-autogenerate | ||
{{- end }} | ||
{{- end }} |
22 changes: 22 additions & 0 deletions
22
charts/consul/templates/gossip-encryption-autogenerate-rolebinding.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
{{- if .Values.global.gossipEncryption.autoGenerate }} | ||
apiVersion: rbac.authorization.k8s.io/v1 | ||
kind: RoleBinding | ||
metadata: | ||
name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate | ||
namespace: {{ .Release.Namespace }} | ||
labels: | ||
app: {{ template "consul.name" . }} | ||
chart: {{ template "consul.chart" . }} | ||
heritage: {{ .Release.Service }} | ||
release: {{ .Release.Name }} | ||
annotations: | ||
"helm.sh/hook": pre-install,pre-upgrade | ||
"helm.sh/hook-delete-policy": before-hook-creation | ||
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: Role | ||
name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate | ||
subjects: | ||
- kind: ServiceAccount | ||
name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate | ||
{{- end }} |
21 changes: 21 additions & 0 deletions
21
charts/consul/templates/gossip-encryption-autogenerate-serviceaccount.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,21 @@ | ||
{{- if .Values.global.gossipEncryption.autoGenerate }} | ||
apiVersion: v1 | ||
kind: ServiceAccount | ||
metadata: | ||
name: {{ template "consul.fullname" . }}-gossip-encryption-autogenerate | ||
namespace: {{ .Release.Namespace }} | ||
labels: | ||
app: {{ template "consul.name" . }} | ||
chart: {{ template "consul.chart" . }} | ||
heritage: {{ .Release.Service }} | ||
release: {{ .Release.Name }} | ||
annotations: | ||
"helm.sh/hook": pre-install,pre-upgrade | ||
"helm.sh/hook-delete-policy": before-hook-creation | ||
{{- with .Values.global.imagePullSecrets }} | ||
imagePullSecrets: | ||
{{- range . }} | ||
- name: {{ .name }} | ||
{{- end }} | ||
{{- end }} | ||
{{- end }} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.