Feature: Configuring rest components for TLS #622
Conversation
Signed-off-by: John Zakrzewski <Jozakrzewski@microsoft.com>
Signed-off-by: John Zakrzewski <Jozakrzewski@microsoft.com>
Signed-off-by: John Zakrzewski <Jozakrzewski@microsoft.com>
Signed-off-by: John Zakrzewski <Jozakrzewski@microsoft.com>
Johnaius
force-pushed
the
tls
branch
2 times, most recently
from
9b6796d to
e81716c
Compare
Signed-off-by: John Zakrzewski <Jozakrzewski@microsoft.com>
Signed-off-by: John Zakrzewski <Jozakrzewski@microsoft.com>
| @@ -0,0 +1,4163 @@ | |||
| # Source: cert-manager/templates/templates.out | |||
There was a problem hiding this comment.
Do we need to apply the CRDs? Are they not installed via cert-manager itself?
Handling CRDs via helm has been painful in the past
There was a problem hiding this comment.
Do you remember what the pain points were and why? I'll look into it, cert-manager installs fine without any certificate or issuer etc. resources being created. But when attempting to deploy with certs in the chart I was seeing errors where these resources were attempting to be created before the CRDs were installed.
There was a problem hiding this comment.
I think mostly to do with updates of the CRD. CC @niladrih and @Abhinandan-Purkait
But when attempting to deploy with certs in the chart I was seeing errors where these resources were attempting to be created before the CRDs were installed.
Yeah, makes sense..
What were the resources being created? Is it something we can configure to be done by the pods rather than via helm?
There was a problem hiding this comment.
I'm trying to create issuer and certificate resources. We will create a root cert file and seperate files for each cert. I created a new branch here where i'm working on getting cert-manager installed as a subchart as well as certificates. You can see the server-root-cert and rest api cert here
| NAMESPACE="openebs" | ||
| APP_NAME="api-rest" |
There was a problem hiding this comment.
This would have to be configurable?
There was a problem hiding this comment.
for clarification, I created this cert file for testing purposes only until we get cert-manager installed... The plan is to not rely on this script and to use cert-manager to create all the certs. I am open to discuss and direction on this.
There was a problem hiding this comment.
Fair enough, though might be worth keeping for devel
| # Create a self-signed root CA | ||
| echo "Creating a self-signed root CA" | ||
| openssl genrsa -out "${CERT_DIR}/ca.key" 4096 | ||
| openssl req -x509 -new -nodes -key "${CERT_DIR}/ca.key" -sha256 -days 3650 -out "${CERT_DIR}/ca.crt" -subj "/CN=api-rest-ca" -addext "subjectAltName=DNS:${NAMESPACE}-${APP_NAME}-${NAMESPACE}.svc.cluster.local,DNS:${NAMESPACE}-${APP_NAME},DNS:${NAMESPACE}-${APP_NAME}-${NAMESPACE}.svc" |
There was a problem hiding this comment.
cluster.local needs to be configurable?
| echo "Creating a TLS certificate for the API REST" | ||
| openssl genrsa -out "${CERT_DIR}/server.key" 4096 | ||
| openssl req -new -key "${CERT_DIR}/server.key" -out "${CERT_DIR}/server.csr" -subj "/CN=${NAMESPACE}-${APP_NAME}" -addext "subjectAltName=DNS:${NAMESPACE}-${APP_NAME}-${NAMESPACE}.svc.cluster.local,DNS:${NAMESPACE}-${APP_NAME},DNS:${NAMESPACE}-${APP_NAME}-${NAMESPACE}.svc" | ||
| openssl x509 -req -in "${CERT_DIR}/server.csr" -CA "${CERT_DIR}/ca.crt" -CAkey "${CERT_DIR}/ca.key" -CAcreateserial -out "${CERT_DIR}/server.crt" -days 3650 -sha256 -extfile <(printf "subjectAltName=DNS:${NAMESPACE}-${APP_NAME}-${NAMESPACE}.svc.cluster.local,DNS:${NAMESPACE}-${APP_NAME},DNS:${NAMESPACE}-${APP_NAME}-${NAMESPACE}.svc") |
There was a problem hiding this comment.
Should the time period be configurable?
| version: v1.17.0 | ||
| repository: https://charts.jetstack.io | ||
| alias: cert-manager | ||
| condition: base.cert-manager.enabled |
There was a problem hiding this comment.
Not sure why we had used base for jaeger, but seems since then we've used the actual name, eg: loki-stack.
So maybe let's use the actual name?
| condition: base.cert-manager.enabled | |
| condition: cert-manager.enabled |
| @@ -0,0 +1,4163 @@ | |||
| # Source: cert-manager/templates/templates.out | |||
There was a problem hiding this comment.
I think mostly to do with updates of the CRD. CC @niladrih and @Abhinandan-Purkait
But when attempting to deploy with certs in the chart I was seeing errors where these resources were attempting to be created before the CRDs were installed.
Yeah, makes sense..
What were the resources being created? Is it something we can configure to be done by the pods rather than via helm?
| 1. Push images from [rest_tls][rest_tls] branch on control plane. | ||
| - ```./scripts/release.sh --registry <registry url> --alias-tag <tag> --image rest operators.diskpool csi.controller``` | ||
| 1. Enable TLS in values.yaml [here][enableTls]. | ||
| 1. With cluster in current context, run certs.sh from scripts dir. This will create certs and ultimately a kubernetes secret containing those certs. |
There was a problem hiding this comment.
If someone intends to use CA certificates instead of self signed, can we have a provision to create Secrets with that?
There was a problem hiding this comment.
I think we will use self-signed certs as default. If user's want to use their own cert-manager install they will need to make sure that mayastor cert-manager is disabled. We should document how to configure in this case
Signed-off-by: John Zakrzewski <Jozakrzewski@microsoft.com>
I just added configurations for callhome. Not sure how I can get the certs to the kubectl plugin on first glance, I see this but where are the args being passed in? |
|
Looks like csi-node will need to be configured as well |
That's using a separate crate as it's going via the apiserver. |
This pull request introduces the configuration of certificates for TLS in REST
before enabling TLS, changes to control plane will have to be pulled in as well. I will link PR here
Description
REST API Component:
CSI and Diskpool Operator:
Added support for reading CA certificate and configuring TLS for HTTPS endpoints.
Introduced new command-line arguments for specifying the CA certificate file path.
Values.yaml:
Added enable TLS switch. And configured components to only load tls info when enabled.
Certs/Secrets :
Introduced a script to create certificates and a Kubernetes Secret for testing purposes.
Further discussion needed on how certificate deployment will be handled (e.g., using cert-manager or manual setup).
Motivation and Context
These changes enhance the security of the REST API, CSI, and Diskpool Operator components by enabling TLS communication, ensuring secure data transmission
How Has This Been Tested?
I have deployed these changes along with the changes I implemented in the control plane to an AKS cluster. I need some direction on how to appropriately test.
Types of changes
Checklist: