From ff90fdf4160f9f0ea21485da04eaf11fc48cbcb7 Mon Sep 17 00:00:00 2001
From: Ben
Date: Wed, 4 Sep 2024 16:58:26 +0300
Subject: [PATCH] Adding the generation of keys and certificates

Signed-off-by: Ben
---
 .../templates/storage/apiservice.yaml |  3 ++-
 .../templates/storage/deployment.yaml | 12 ++++++++++++
 .../templates/storage/tlscertkey.yaml | 19 +++++++++++++++++++
 3 files changed, 33 insertions(+), 1 deletion(-)
 create mode 100644 charts/kubescape-operator/templates/storage/tlscertkey.yaml

diff --git a/charts/kubescape-operator/templates/storage/apiservice.yaml b/charts/kubescape-operator/templates/storage/apiservice.yaml
index f6098764..9ac9641b 100644
--- a/charts/kubescape-operator/templates/storage/apiservice.yaml
+++ b/charts/kubescape-operator/templates/storage/apiservice.yaml
@@ -7,7 +7,8 @@ metadata:
   labels:
     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
 spec:
-  insecureSkipTLSVerify: true
+  insecureSkipTLSVerify: false
+  caBundle: {{ .Values.global.kubescapeCa | b64enc }}
   group: "spdx.softwarecomposition.kubescape.io"
   groupPriorityMinimum: 1000
   versionPriority: 15
diff --git a/charts/kubescape-operator/templates/storage/deployment.yaml b/charts/kubescape-operator/templates/storage/deployment.yaml
index 68c94ed0..b519180a 100644
--- a/charts/kubescape-operator/templates/storage/deployment.yaml
+++ b/charts/kubescape-operator/templates/storage/deployment.yaml
@@ -49,6 +49,12 @@ spec:
             tcpSocket:
               port: 8443
           env:
+            - name: TLS_SERVER_CERT_FILE
+              value: "/etc/tls/tls.crt"
+            - name: TLS_SERVER_KEY_FILE
+              value: "/etc/tls/tls.key"
+            - name: TLS_CLIENT_CA_FILE
+              value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
             - name: "CLEANUP_INTERVAL"
               value: "{{ .Values.storage.cleanupInterval }}"
             - name: GOMEMLIMIT
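Review bot: `caBundle: {{ .Values.global.kubescapeCa | b64enc }}` reads a value that exists only because tlscertkey.yaml calls `set .Values.global "kubescapeCa"` as a side effect, so a usable bundle appears to depend on Helm rendering that file before this one — an engine ordering detail the chart does not control, and if it ever changes the result is an APIService with `insecureSkipTLSVerify: false` and an empty `caBundle`, which cannot verify the backend. The dependency deserves a comment above the line, e.g. `# populated by templates/storage/tlscertkey.yaml via set .Values.global "kubescapeCa"; keep the two templates together`. Failing the render is better than shipping a broken APIService: `caBundle: {{ required "global.kubescapeCa must be set by tlscertkey.yaml" .Values.global.kubescapeCa | b64enc }}`.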
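Review bot: `TLS_CLIENT_CA_FILE` is set to the service-account `ca.crt`, i.e. the cluster CA, and what the storage server does with this variable is not visible in the hunk. If it is used to verify the client certificate the kube-apiserver presents when it proxies aggregated requests, note that this certificate is issued by the aggregator's front-proxy CA (`requestheader-client-ca-file` in the `extension-apiserver-authentication` ConfigMap in kube-system), which in most clusters is not the cluster CA, so verification would either fail or, if the server treats the client cert as optional, silently never authenticate the aggregator. Worth confirming the server's semantics and, if the front-proxy CA is meant, sourcing it from that ConfigMap instead. The chart's own `ca.crt` lands at `/etc/tls/ca.crt` through the `tls` mount added later in this patch but nothing references it; the container spec this `env:` belongs to continues outside the hunk.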
@@ -78,6 +84,9 @@ spec:
             - name: {{ .Values.global.cloudConfig }}
               mountPath: /etc/config
               readOnly: true
+            - name: "tls"
+              mountPath: "/etc/tls"
+              readOnly: true
           resources:
 {{ toYaml .Values.storage.resources | indent 12 }}
       nodeSelector:
@@ -116,4 +125,7 @@ spec:
                 - key: "services"
                   path: "services.json"
 {{- end }}
+        - name: "tls"
+          secret:
+            secretName: {{ .Values.storage.name }}
 {{- end }}
diff --git a/charts/kubescape-operator/templates/storage/tlscertkey.yaml b/charts/kubescape-operator/templates/storage/tlscertkey.yaml
new file mode 100644
index 00000000..88139149
--- /dev/null
+++ b/charts/kubescape-operator/templates/storage/tlscertkey.yaml
@@ -0,0 +1,19 @@
+{{- $ca := genCA "kubescape-cluster-ca" 3650 }}
+{{- $_ := set .Values.global "kubescapeCa" $ca.Cert -}}
+{{- $cn := .Values.storage.name }}
+{{- $dns1 := printf "%s.%s" $cn .Values.ksNamespace }}
+{{- $dns2 := printf "%s.%s.svc" $cn .Values.ksNamespace }}
+{{- $dns3 := printf "%s.%s.svc.cluster.local" $cn .Values.ksNamespace }}
+
+{{- $cert := genSignedCert $cn nil (list $dns1 $dns2 $dns3) 3650 $ca }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.storage.name }}
+  namespace: {{ .Values.ksNamespace }}
+type: Opaque
+data:
+  tls.crt: {{ $cert.Cert | b64enc }}
+  tls.key: {{ $cert.Key | b64enc }}
+  ca.crt: {{ $ca.Cert | b64enc }}
\ No newline at end of file
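Review bot: `genCA` and `genSignedCert` execute on every render, so each `helm upgrade` mints a new CA and server key pair and rewrites both this Secret and the APIService `caBundle`, while the running storage pod keeps serving the certificate it loaded from `/etc/tls` at start unless the server reloads the files itself; the Deployment touched by this patch has no checksum annotation or other rollout trigger, so after an upgrade the aggregator trusts a CA the pod is not yet using until the pod is recycled. Guarding generation with `lookup` and reusing the material already in the cluster keeps the key pair stable across upgrades (rewrite below; `lookup` returns nothing under `helm template`, where a fresh pair is still generated), and once material is reused the 3650-day lifetime becomes the effective rotation period, which is worth a comment at the top of the file. A Secret carrying `tls.crt`/`tls.key` should also be `type: kubernetes.io/tls` so the API server checks both keys are present, and the file lacks its trailing newline.

```yaml
{{- $existing := lookup "v1" "Secret" .Values.ksNamespace .Values.storage.name }}
{{- $tlsCrt := "" }}
{{- $tlsKey := "" }}
{{- $caCrt := "" }}
{{- if $existing }}
{{- /* A Secret is already installed: reuse its material so an upgrade does not rotate keys under the running pod. */}}
{{- $tlsCrt = index $existing.data "tls.crt" }}
{{- $tlsKey = index $existing.data "tls.key" }}
{{- $caCrt = index $existing.data "ca.crt" }}
{{- else }}
{{- $ca := genCA "kubescape-cluster-ca" 3650 }}
{{- /* … unchanged: $cn, $dns1..$dns3 and the genSignedCert call as in the hunk … */}}
{{- $tlsCrt = $cert.Cert | b64enc }}
{{- $tlsKey = $cert.Key | b64enc }}
{{- $caCrt = $ca.Cert | b64enc }}
{{- end }}
{{- $_ := set .Values.global "kubescapeCa" ($caCrt | b64dec) }}
# … unchanged: apiVersion, kind, metadata …
type: kubernetes.io/tls
data:
  tls.crt: {{ $tlsCrt }}
  tls.key: {{ $tlsKey }}
  ca.crt: {{ $caCrt }}
```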