From bcce8234428b9818399342ae9a3f684106488644 Mon Sep 17 00:00:00 2001 From: Tigran Mkrtchyan Date: Tue, 15 Aug 2023 21:05:04 +0200 Subject: [PATCH] certificate auto-generation --- templates/cert-pvc.yaml | 25 +++++++++++++++++++++++++ templates/configmap.yaml | 18 ++++++++++++++++-- templates/door-svc.yaml | 3 +++ templates/door.yaml | 24 ++++++++++++++++++++---- templates/pool-svc.yaml | 3 +++ templates/pool.yaml | 29 ++++++++++++++++++++++------- values.yaml | 4 +++- 7 files changed, 92 insertions(+), 14 deletions(-) create mode 100644 templates/cert-pvc.yaml diff --git a/templates/cert-pvc.yaml b/templates/cert-pvc.yaml new file mode 100644 index 0000000..0fa7dea --- /dev/null +++ b/templates/cert-pvc.yaml @@ -0,0 +1,25 @@ +{{- range .Values.dcache.pools }} +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ $.Release.Name }}-pool-{{ . }}-certs-store +spec: + resources: + requests: + storage: 1Mi + accessModes: + - ReadWriteOnce +--- +{{ end }} + +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: {{ $.Release.Name }}-door-certs-store +spec: + resources: + requests: + storage: 1Mi + accessModes: + - ReadWriteOnce + diff --git a/templates/configmap.yaml b/templates/configmap.yaml index d850f5e..774740f 100644 --- a/templates/configmap.yaml +++ b/templates/configmap.yaml @@ -40,11 +40,20 @@ data: [{{ $.Release.Name }}-door-svc/httpd] [{{ $.Release.Name }}-door-svc/webdav] + webdav.cell.name=webdav-plain webdav.net.port=8080 webdav.authz.anonymous-operations=FULL webdav.redirect.on-write=false webdav.redirect.on-read=true + [{{ $.Release.Name }}-door-svc/webdav] + webdav.cell.name=webdav-tls + webdav.net.port=8083 + webdav.authn.protocol=https + webdav.authz.anonymous-operations=READONLY + webdav.redirect.on-write=false + webdav.redirect.on-read=true + [{{ $.Release.Name }}-door-svc/frontend] frontend.authn.protocol=http frontend.authz.anonymous-operations=FULL 
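Review bot: The second `[{{ $.Release.Name }}-door-svc/webdav]` section in the first configmap hunk repeats the section name of the plain-HTTP door above it and is told apart only by `webdav.cell.name=webdav-tls`; a comment above it, e.g. `# second webdav instance of the same service: TLS on 8083, distinguished from webdav-plain by its cell name`, would make the duplication read as intentional rather than as a copy-paste slip. Note also that the new TLS endpoint restricts anonymous access to `READONLY` while the plaintext endpoint next to it keeps `webdav.authz.anonymous-operations=FULL`; if that asymmetry is deliberate it deserves a comment too, since as written the unencrypted channel is the one with the broader permissions.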
@@ -68,6 +77,9 @@ data: pool.mover.xrootd.port.max={{ $.Values.mover.xrootd }} pool.mover.http.port.min={{ $.Values.mover.http }} pool.mover.http.port.max={{ $.Values.mover.http }} + pool.mover.https.port.min={{ $.Values.mover.https }} + pool.mover.https.port.max={{ $.Values.mover.https }} + {{- end }} @@ -85,8 +97,10 @@ data: dcache.enable.kafka = true dcache.layout=dcache-k8s dcache.authn.vomsdir=/mnt - webdav.redirect.allow-https=false - pool.enable.encrypted-transfers=false + #webdav.redirect.allow-https=false + #pool.enable.encrypted-transfers=false + dcache.authn.hostcert.key=/opt/dcache/etc/certs/hostkey.pem + dcache.authn.hostcert.cert=/opt/dcache/etc/certs/hostcert.pem 00-init.sh: |- export JAVA=/usr/bin/java diff --git a/templates/door-svc.yaml b/templates/door-svc.yaml index 0f499ab..cfacc0d 100644 --- a/templates/door-svc.yaml +++ b/templates/door-svc.yaml @@ -17,6 +17,9 @@ spec: - name: webdav-door port: {{ $.Values.door.ports.webdav }} targetPort: 8080 + - name: webdavs-door + port: {{ $.Values.door.ports.webdavs }} + targetPort: 8083 - name: cell-tunnel port: {{ $.Values.cell.tunnel }} targetPort: 11111 \ No newline at end of file diff --git a/templates/door.yaml b/templates/door.yaml index 5079cfc..ccd6f4f 100644 --- a/templates/door.yaml +++ b/templates/door.yaml @@ -18,9 +18,6 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} command: ["/run.sh", "{{ $.Release.Name }}-door-svc" ] - env: - - name: AUTOCA_URL - value: https://ci.dcache.org/ca readinessProbe: tcpSocket: port: 2049 
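Review bot: In the configmap hunk at `@@ -85,8 +97,10 @@`, `webdav.redirect.allow-https=false` and `pool.enable.encrypted-transfers=false` are commented out rather than removed, so the layout now silently relies on dCache's defaults for both settings. Either delete the two lines or replace them with a comment stating the intent, e.g. `# allow-https and encrypted-transfers are left at their defaults, presumably so the webdav-tls door can redirect to the https movers — confirm`. The two new `dcache.authn.hostcert.*` paths name files that exist only after the `init-host-certs` containers in door.yaml and pool.yaml have run; a one-line comment next to them recording that dependency would help the next reader of this file, which otherwise has no indication of where the certificates come from.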
@@ -48,7 +45,26 @@ spec: mountPath: /opt/dcache/etc/exports subPath: exports readOnly: true - volumes: + - name: certs + mountPath: /opt/dcache/etc/certs + readOnly: true + initContainers: + - securityContext: + runAsUser: 0 + runAsGroup: 0 + name: init-host-certs + image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" + env: + - name: AUTOCA_URL + value: https://ci.dcache.org/ca + command: ['sh', '-c', "curl --silent https://raw.githubusercontent.com/kofemann/autoca/v1.0-py3/pyclient/autoca-client -o /tmp/autoca-client; chmod a+x /tmp/autoca-client; cd /opt/dcache/var/tmp/; /tmp/autoca-client -n ${AUTOCA_URL} {{ $.Release.Name }}-door-svc; chown dcache:dcache *.pem"] + volumeMounts: + - mountPath: /opt/dcache/var/tmp/ + name: certs + volumes: + - name: certs + persistentVolumeClaim: + claimName: {{ $.Release.Name }}-door-certs-store - name: dcache-config configMap: name: {{ $.Release.Name }}-configmap diff --git a/templates/pool-svc.yaml b/templates/pool-svc.yaml index c7effbe..ea64e99 100644 --- a/templates/pool-svc.yaml +++ b/templates/pool-svc.yaml @@ -19,5 +19,8 @@ spec: - name: http-mover port: {{ $.Values.mover.http }} targetPort: {{ $.Values.mover.http }} + - name: https-mover + port: {{ $.Values.mover.https }} + targetPort: {{ $.Values.mover.https }} --- {{- end }} diff --git a/templates/pool.yaml b/templates/pool.yaml index c6a1e39..e019ccd 100644 --- a/templates/pool.yaml +++ b/templates/pool.yaml @@ -1,4 +1,4 @@ -{{- range .Values.dcache.pools }} +{{- range .Values.dcache.pools }} apiVersion: apps/v1 kind: StatefulSet metadata: @@ -19,9 +19,6 @@ spec: image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag | default $.Chart.AppVersion }}" imagePullPolicy: {{ $.Values.image.pullPolicy }} command: ["/run.sh", "{{ $.Release.Name }}-pool-{{ . }}-svc"] - env: - - name: AUTOCA_URL - value: https://ci.dcache.org/ca volumeMounts: - name: dcache-config mountPath: /opt/dcache/etc/dcache.conf 
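Review bot: The `init-host-certs` container in the door.yaml hunk downloads `autoca-client` from raw.githubusercontent.com at every pod start and executes it as root (`runAsUser: 0`) with no integrity check, and the steps are chained with `;`, so a failed or truncated download does not stop the script and only the final `chown` decides whether the init container succeeds. Verify the download against a checksum (or build the client into the image), fail fast with `set -eu` and `curl --fail`, and since `dcache.authn.hostcert.key` will read `hostkey.pem` from this volume, restrict its mode after the `chown` rather than relying on whatever the client writes; the `AUTOCA_URL` value is also duplicated here and in pool.yaml and belongs in values.yaml. The same points apply to the `init-host-certs` container in the pool.yaml hunk that follows. Sketch of the rewritten container (the values key and the checksum are placeholders to fill in):
```yaml
      initContainers:
        - securityContext:
            runAsUser: 0
            runAsGroup: 0
          name: init-host-certs
          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
          env:
            - name: AUTOCA_URL
              value: {{ .Values.autoca.url | quote }}  # constructed: new values.yaml key replacing the hard-coded URL
          command: ['sh', '-c']
          args:
            - |
              set -eu
              curl --silent --fail https://raw.githubusercontent.com/kofemann/autoca/v1.0-py3/pyclient/autoca-client -o /tmp/autoca-client
              echo "<SHA256_OF_AUTOCA_CLIENT>  /tmp/autoca-client" | sha256sum -c -
              chmod a+x /tmp/autoca-client
              cd /opt/dcache/var/tmp/
              /tmp/autoca-client -n "${AUTOCA_URL}" {{ $.Release.Name }}-door-svc
              chown dcache:dcache *.pem
              chmod 600 hostkey.pem
          # … unchanged: volumeMounts …
```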
@@ -31,11 +28,29 @@ spec: mountPath: /opt/dcache/etc/layouts/dcache-k8s.conf subPath: dcache.conf readOnly: true + - name: certs-store-{{ . }} + mountPath: /opt/dcache/etc/certs + readOnly: true initContainers: - - name: wait-for-core - image: busybox:1.28 - command: ['sh', '-c', "until nc -z -v {{ $.Release.Name }}-door-svc.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local {{ $.Values.cell.tunnel }}; do echo waiting for core to start; sleep 2; done"] + - securityContext: + runAsUser: 0 + runAsGroup: 0 + name: init-host-certs + image: "{{ $.Values.image.repository }}:{{ $.Values.image.tag | default $.Chart.AppVersion }}" + env: + - name: AUTOCA_URL + value: https://ci.dcache.org/ca + command: ['sh', '-c', "curl --silent https://raw.githubusercontent.com/kofemann/autoca/v1.0-py3/pyclient/autoca-client -o /tmp/autoca-client; chmod a+x /tmp/autoca-client; cd /opt/dcache/var/tmp/; /tmp/autoca-client -n ${AUTOCA_URL} {{ $.Release.Name }}-pool-{{ . }}-svc; chown dcache:dcache *.pem"] + volumeMounts: + - mountPath: /opt/dcache/var/tmp/ + name: certs-store-{{ . }} + - name: wait-for-core + image: busybox:1.28 + command: ['sh', '-c', "until nc -z -v {{ $.Release.Name }}-door-svc.$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace).svc.cluster.local {{ $.Values.cell.tunnel }}; do echo waiting for core to start; sleep 2; done"] volumes: + - name: certs-store-{{ . }} + persistentVolumeClaim: + claimName: {{ $.Release.Name }}-pool-{{ . }}-certs-store - name: dcache-config configMap: name: {{ $.Release.Name }}-configmap diff --git a/values.yaml b/values.yaml index 8b621a4..18e8aba 100644 --- a/values.yaml +++ b/values.yaml @@ -23,8 +23,10 @@ door: nfs: 2049 xrootd: 1094 webdav: 8080 + webdavs: 8083 mover: nfs: 32049 xrootd: 31094 - http: 38080 \ No newline at end of file + http: 38080 + https: 38083 \ No newline at end of file
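Review bot: The values.yaml hunk still leaves the file without a trailing newline — the `\ No newline at end of file` marker remains on the new side after `https: 38083` — so the next addition will again show up as a two-line change to a one-line edit; end the file with a single newline. The new `webdavs: 8083` and `https: 38083` entries are consumed as port numbers in door-svc.yaml and pool-svc.yaml, so keeping them as plain integers is correct; a short comment pairing each with the plain-text port it mirrors (`webdav`/`http`) would make the relationship between the two sets of ports explicit.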