From 8a954833240cc7ee45acb260b9c2865634f8f334 Mon Sep 17 00:00:00 2001 From: Steven Martin Date: Mon, 24 Jun 2024 06:26:29 -0400 Subject: [PATCH] [v16] allow setting TLS material in event-handler helm chart (#43340) * allow setting TLS material in event-handler * fix image for test for event-handler helm --------- Co-authored-by: Steven Martin Co-authored-by: Steven Martin
---
 .../.lint/existing-tls-secret-with-ca.yaml | 2 + .../event-handler/templates/deployment.yaml | 14 +++++ .../__snapshot__/deployment_test.yaml.snap | 57 +++++++++++++++++++ .../event-handler/tests/deployment_test.yaml | 24 ++++++++ .../chart/event-handler/values.schema.json | 14 +++++ examples/chart/event-handler/values.yaml | 15 +++++ 6 files changed, 126 insertions(+) create mode 100644 examples/chart/event-handler/.lint/existing-tls-secret-with-ca.yaml
diff --git a/examples/chart/event-handler/.lint/existing-tls-secret-with-ca.yaml b/examples/chart/event-handler/.lint/existing-tls-secret-with-ca.yaml
new file mode 100644
index 0000000000000..a767c9076f74a
--- /dev/null
+++ b/examples/chart/event-handler/.lint/existing-tls-secret-with-ca.yaml
@@ -0,0 +1,2 @@ +tls: + existingCASecretName: "helm-lint-existing-tls-secret-ca"
diff --git a/examples/chart/event-handler/templates/deployment.yaml b/examples/chart/event-handler/templates/deployment.yaml
index 9be52491e22e0..2cc2b8bc705cf 100644
--- a/examples/chart/event-handler/templates/deployment.yaml
+++ b/examples/chart/event-handler/templates/deployment.yaml
@@ -42,6 +42,10 @@ spec: env: - name: "TELEPORT_PLUGIN_FAIL_FAST" value: "true" + {{- if .Values.tls.existingCASecretName }} + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + {{- end }} ports: - name: http containerPort: 80 
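Review bot: `SSL_CERT_FILE` in the new env entry names a single file, and a Go process (which the event-handler image appears to be) reads that file instead of the distribution's default CA file rather than in addition to it, so a secret holding only a private CA leaves the plugin unable to verify any publicly-signed endpoint it still talks to. The template should say so next to the conditional, e.g. `{{- /* SSL_CERT_FILE replaces the default CA file; the secret must hold a full PEM bundle if public CAs are needed too */}}`, and the values.yaml comment should carry the same caveat. The container spec this env list belongs to starts and ends outside the hunk.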
@@ -63,6 +67,11 @@ spec: - name: certificate mountPath: /var/lib/teleport/plugins/event-handler/client.key subPath: {{ .Values.fluentd.certificate.keyPath }} + {{- if .Values.tls.existingCASecretName }} + - mountPath: /etc/teleport-tls-ca + name: "teleport-tls-ca" + readOnly: true + {{- end }} {{- if or .Values.persistentVolumeClaim.enabled .Values.persistentVolumeClaim.existingClaim }} - name: "{{ .Values.persistentVolumeClaim.volumeName }}" mountPath: "{{ .Values.eventHandler.storagePath }}"
@@ -95,6 +104,11 @@ spec: secret: secretName: "{{ .Values.fluentd.certificate.secretName }}" defaultMode: 0600 + {{- if .Values.tls.existingCASecretName }} + - name: "teleport-tls-ca" + secret: + secretName: {{ .Values.tls.existingCASecretName }} + {{- end }} {{- if .Values.persistentVolumeClaim.enabled }} - name: "{{ .Values.persistentVolumeClaim.volumeName }}" persistentVolumeClaim:
diff --git a/examples/chart/event-handler/tests/__snapshot__/deployment_test.yaml.snap b/examples/chart/event-handler/tests/__snapshot__/deployment_test.yaml.snap
index 354144a9f947c..782a76a6df637 100644
--- a/examples/chart/event-handler/tests/__snapshot__/deployment_test.yaml.snap
+++ b/examples/chart/event-handler/tests/__snapshot__/deployment_test.yaml.snap 
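Review bot: The new volumeMount is written in a different shape from the three `certificate` mounts just above it: they lead with an unquoted `- name:` and put `mountPath:` second, whereas the new entry leads with `mountPath` and quotes `"teleport-tls-ca"`. For a template whose output is diffed against snapshots, matching the sibling layout keeps the rendered manifest predictable: `- name: teleport-tls-ca` / `mountPath: /etc/teleport-tls-ca` / `readOnly: true`. The volumeMounts list runs past the end of the hunk.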
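Review bot: The new `teleport-tls-ca` volume projects the whole secret, so a secret that lacks the `ca.pem` key the values documentation requires still mounts successfully and the problem only surfaces later as a TLS verification failure with no hint at the cause. Selecting the key explicitly with `items` makes a mis-keyed secret fail at pod start with a kubelet event naming the missing key (volume setup errors for a listed key that is absent unless the secret is marked optional), and it also keeps any other keys in that secret from being exposed under `/etc/teleport-tls-ca`. The templated `secretName` is also the only unquoted one in this list; the sibling two lines up writes `secretName: "{{ .Values.fluentd.certificate.secretName }}"`. The volumes list continues outside the hunk.
```yaml
      {{- if .Values.tls.existingCASecretName }}
      - name: "teleport-tls-ca"
        secret:
          secretName: "{{ .Values.tls.existingCASecretName }}"
          # Pin the documented key so a mis-keyed secret fails at mount time
          # instead of as a later TLS verification error.
          items:
            - key: ca.pem
              path: ca.pem
      {{- end }}
```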
@@ -69,3 +69,60 @@ should match the snapshot: secret: defaultMode: 384 secretName: "" +should mount tls.existingCASecretName and set environment when set in values: + 1: | + containers: + - command: + - /usr/local/bin/teleport-event-handler + - start + - --config + - /etc/teleport-event-handler.toml + env: + - name: TELEPORT_PLUGIN_FAIL_FAST + value: "true" + - name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + image: public.ecr.aws/gravitational/teleport-plugin-event-handler:16.0.2 + imagePullPolicy: IfNotPresent + name: teleport-plugin-event-handler + ports: + - containerPort: 80 + name: http + protocol: TCP + resources: {} + securityContext: {} + volumeMounts: + - mountPath: /etc/teleport-event-handler.toml + name: config + subPath: teleport-event-handler.toml + - mountPath: /var/lib/teleport/plugins/event-handler/teleport-identity + name: teleport-identity + - mountPath: /var/lib/teleport/plugins/event-handler/ca.crt + name: certificate + subPath: ca.crt + - mountPath: /var/lib/teleport/plugins/event-handler/client.crt + name: certificate + subPath: client.crt + - mountPath: /var/lib/teleport/plugins/event-handler/client.key + name: certificate + subPath: client.key + - mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + securityContext: {} + volumes: + - configMap: + defaultMode: 384 + name: RELEASE-NAME-teleport-plugin-event-handler + name: config + - name: teleport-identity + secret: + defaultMode: 384 + secretName: "" + - name: certificate + secret: + defaultMode: 384 + secretName: "" + - name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca diff --git a/examples/chart/event-handler/tests/deployment_test.yaml b/examples/chart/event-handler/tests/deployment_test.yaml index f1c65ec1c5e97..aa5103c328e58 100644 --- a/examples/chart/event-handler/tests/deployment_test.yaml +++ b/examples/chart/event-handler/tests/deployment_test.yaml 
@@ -18,3 +18,27 @@ tests: - equal: path: spec.strategy.type value: Recreate + - it: should mount tls.existingCASecretName and set environment when set in values + template: deployment.yaml + values: + - ../.lint/existing-tls-secret-with-ca.yaml + asserts: + - contains: + path: spec.template.spec.volumes + content: + name: teleport-tls-ca + secret: + secretName: helm-lint-existing-tls-secret-ca + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + mountPath: /etc/teleport-tls-ca + name: teleport-tls-ca + readOnly: true + - contains: + path: spec.template.spec.containers[0].env + content: + name: SSL_CERT_FILE + value: /etc/teleport-tls-ca/ca.pem + - matchSnapshot: + path: spec.template.spec
diff --git a/examples/chart/event-handler/values.schema.json b/examples/chart/event-handler/values.schema.json
index 9fb62af0ae9ac..eebf8e8fe3c8b 100644
--- a/examples/chart/event-handler/values.schema.json
+++ b/examples/chart/event-handler/values.schema.json
@@ -225,6 +225,20 @@ "default": {}, "additionalProperties": true }, + "tls": { + "$id": "#/properties/tls", + "type": "object", + "required": [ + "existingCASecretName" + ], + "properties": { + "existingCASecretName": { + "$id": "#/properties/tls/properties/existingCASecretName", + "type": "string", + "default": "" + } + } + }, "tolerations": { "$id": "#/properties/tolerations", "type": "array",
diff --git a/examples/chart/event-handler/values.yaml b/examples/chart/event-handler/values.yaml
index 527483da3b7f9..3708b7acd04ec 100644
--- a/examples/chart/event-handler/values.yaml
+++ b/examples/chart/event-handler/values.yaml 
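Review bot: The new test only exercises the enabled path; nothing asserts that with the default empty `tls.existingCASecretName` the `teleport-tls-ca` volume, its mount and `SSL_CERT_FILE` stay absent, so a future edit that drops the `{{- if }}` guard in deployment.yaml would only show up as a snapshot diff, which is easy to approve by reflex. A second case rendered with the default values and `notContains` assertions pins the off state explicitly. The tests list continues outside the hunk.
```yaml
  - it: should not mount a CA volume or set SSL_CERT_FILE when tls.existingCASecretName is empty
    template: deployment.yaml
    asserts:
      - notContains:
          path: spec.template.spec.volumes
          content:
            name: teleport-tls-ca
          any: true
      - notContains:
          path: spec.template.spec.containers[0].volumeMounts
          content:
            name: teleport-tls-ca
          any: true
      - notContains:
          path: spec.template.spec.containers[0].env
          content:
            name: SSL_CERT_FILE
          any: true
```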
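Review bot: Listing `existingCASecretName` under `required` for the `tls` object does not enforce anything useful as far as I can tell: Helm validates values after merging them over values.yaml, where the key defaults to `""`, so the requirement is always satisfied and a user who writes `tls: {}` simply gets the default. A constraint that would actually catch misconfiguration is a `pattern` on the string, since the value is spliced straight into a Secret `secretName` and Kubernetes only accepts DNS-subdomain names there, e.g. `"pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"` with the empty string kept for the disabled state. The properties object this sits in extends beyond the hunk.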
@@ -60,6 +60,21 @@ resources: {} nodeSelector: {} +# tls -- contains settings for mounting your own TLS material in the event-handler pod. +# The event-handler does not expose a TLS server, so this is only used to trust CAs. +tls: + # tls.existingCASecretName(string) -- sets the `SSL_CERT_FILE` environment + # variable to load a trusted CA or bundle in PEM format into Teleport pods. + # The injected CA will be used to validate TLS communications with the Proxy + # Service. + # + # You must create a secret containing the CA certs in the same namespace as Teleport using a command like: + # + # $ kubectl create secret generic my-root-ca --from-file=ca.pem=/path/to/root-ca.pem + # + # The key containing the root CA in the secret must be `ca.pem`. + existingCASecretName: "" + tolerations: [] affinity: {}
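Review bot: The new comment block describes the wrong chart in two places: `into Teleport pods` and `in the same namespace as Teleport` read as carried over from the teleport-cluster chart, whereas this value mounts the secret into the event-handler pod and the Secret must live in the namespace the event-handler release is installed into. Suggested wording: `# variable to load a trusted CA or bundle in PEM format into the event-handler pod.` and `# You must create a secret containing the CA certs in the same namespace as the event-handler using a command like:`. It would also help to state that `SSL_CERT_FILE` replaces the default CA file rather than adding to it, so the secret needs a full bundle if publicly-trusted CAs must remain trusted — assuming the plugin relies on Go's default root loading, which the env var name suggests.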