From 676d65b128e7c9c1625232c6f266978cafb01502 Mon Sep 17 00:00:00 2001
From: wgrzelak
Date: Tue, 7 May 2019 14:35:14 +0200
Subject: [PATCH] Use TLS_CERTIFICATE in Nginx app. (#520)

---
 k8s/nginx/README.md | 39 +++++++++++++++----
 .../chart/nginx/templates/application.yaml | 2 +-
 .../chart/nginx/templates/nginx-secrets.yaml | 10 ++--
 k8s/nginx/chart/nginx/values.yaml | 3 ++
 k8s/nginx/schema.yaml | 8 ++++
 5 files changed, 49 insertions(+), 13 deletions(-)

diff --git a/k8s/nginx/README.md b/k8s/nginx/README.md
index 9ae4a0270a..ed1e3808ed 100644
--- a/k8s/nginx/README.md
+++ b/k8s/nginx/README.md
@@ -180,6 +180,28 @@ for i in "IMAGE_NGINX" "IMAGE_NGINX_INIT" "IMAGE_METRICS_EXPORTER"; do
 done
 ```

+#### Create TLS certificate for Nginx
+
+1. If you already have a certificate that you want to use, copy your
+ certificate and key pair to the `/tmp/tls.crt`, and `/tmp/tls.key` files,
+ then skip to the next step.
+
+ To create a new certificate, run the following command:
+
+ ```shell
+ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
+ -keyout /tmp/tls.key \
+ -out /tmp/tls.crt \
+ -subj "/CN=nginx/O=nginx"
+ ```
+
+1. Set `TLS_CERTIFICATE_KEY` and `TLS_CERTIFICATE_CRT` variables:
+
+ ```shell
+ export TLS_CERTIFICATE_KEY="$(cat /tmp/tls.key | base64)"
+ export TLS_CERTIFICATE_CRT="$(cat /tmp/tls.crt | base64)"
+ ```
+
 #### Create a namespace in your Kubernetes cluster

 If you use a different namespace than `default`, run the command below to create
@@ -196,13 +218,16 @@ expanded manifest file for future updates to the application.

 ```shell
 helm template chart/nginx \
- --name $APP_INSTANCE_NAME \
- --namespace $NAMESPACE \
- --set nginx.replicas=$REPLICAS \
- --set nginx.initImage=$IMAGE_NGINX_INIT \
- --set nginx.image=$IMAGE_NGINX \
- --set metrics.image=$IMAGE_METRICS_EXPORTER \
- --set metrics.enabled=$METRICS_EXPORTER_ENABLED > "${APP_INSTANCE_NAME}_manifest.yaml"
+ --name "$APP_INSTANCE_NAME" \
+ --namespace "$NAMESPACE" \
+ --set "nginx.replicas=$REPLICAS" \
+ --set "nginx.initImage=$IMAGE_NGINX_INIT" \
+ --set "nginx.image=$IMAGE_NGINX" \
+ --set "metrics.image=$IMAGE_METRICS_EXPORTER" \
+ --set "metrics.enabled=$METRICS_EXPORTER_ENABLED" \
+ --set "tls.base64EncodedPrivateKey=$TLS_CERTIFICATE_KEY" \
+ --set "tls.base64EncodedCertificate=$TLS_CERTIFICATE_CRT" \
+ > "${APP_INSTANCE_NAME}_manifest.yaml"
 ```

 #### Apply the manifest to your Kubernetes cluster
diff --git a/k8s/nginx/chart/nginx/templates/application.yaml b/k8s/nginx/chart/nginx/templates/application.yaml
index 7c4c3a9d31..4add5de3f7 100644
--- a/k8s/nginx/chart/nginx/templates/application.yaml
+++ b/k8s/nginx/chart/nginx/templates/application.yaml
@@ -43,7 +43,7 @@ spec:
 url: https://www.nginx.com/resources/wiki/start/
 notes: |-
 # Configuring the web content of NGINX server
-
+
 Follow this instructions to upload web content to your Web Server:

 1. Navigate to a folder where directory containing your website is located
diff --git a/k8s/nginx/chart/nginx/templates/nginx-secrets.yaml b/k8s/nginx/chart/nginx/templates/nginx-secrets.yaml
index e625543ae9..57c73d6e6a 100644
--- a/k8s/nginx/chart/nginx/templates/nginx-secrets.yaml
+++ b/k8s/nginx/chart/nginx/templates/nginx-secrets.yaml
@@ -2,11 +2,11 @@ apiVersion: v1
 kind: Secret
 metadata:
 name: {{ .Release.Name }}-nginx-secret
- labels:
+ labels:
 app.kubernetes.io/name: {{ .Release.Name }}
 app.kubernetes.io/component: nginx-server
 data:
- # this certificate was created on 7/16/2018 and will be valid for the next 365 days; it's a self-signed certificate for temporary use only
- https1.cert: 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
- # this is a private key for the certificate that was created on 7/16/2018 and will be valid for the next 365 days;
- https1.key: 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
+ https1.cert: |
+{{ .Values.tls.base64EncodedCertificate | indent 4 }}
+ https1.key: |
+{{ .Values.tls.base64EncodedPrivateKey | indent 4 }}
diff --git a/k8s/nginx/chart/nginx/values.yaml b/k8s/nginx/chart/nginx/values.yaml
index 6e811f406a..ca609c1ba7 100644
--- a/k8s/nginx/chart/nginx/values.yaml
+++ b/k8s/nginx/chart/nginx/values.yaml
@@ -2,6 +2,9 @@ nginx:
 image: null
 initImage: null
 replicas: null
+tls:
+ base64EncodedPrivateKey: null
+ base64EncodedCertificate: null
 metrics:
 image: null
 enabled: false
diff --git a/k8s/nginx/schema.yaml b/k8s/nginx/schema.yaml
index 2c45f6b05a..39505edceb 100644
--- a/k8s/nginx/schema.yaml
+++ b/k8s/nginx/schema.yaml
@@ -24,6 +24,14 @@ properties:
 description: The number of Pods run within NGINX solution
 default: 3
 minimum: 1
+ certificate:
+ type: string
+ x-google-marketplace:
+ type: TLS_CERTIFICATE
+ tlsCertificate:
+ generatedProperties:
+ base64EncodedPrivateKey: tls.base64EncodedPrivateKey
+ base64EncodedCertificate: tls.base64EncodedCertificate
 metrics.image:
 type: string
 default: $REGISTRY/prometheus-to-sd:$TAG
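Review bot: The two new `{{ .Values.tls.... | indent 4 }}` lines render an empty block scalar when the value is unset, and the values.yaml hunk in this same commit defaults both keys to `null`, so `helm template` succeeds and emits a Secret whose `https1.cert` and `https1.key` are empty; the failure only appears later when nginx tries to load the certificate. Failing at render time is cheaper: `{{ required "tls.base64EncodedCertificate must be set" .Values.tls.base64EncodedCertificate | indent 4 }}` and `{{ required "tls.base64EncodedPrivateKey must be set" .Values.tls.base64EncodedPrivateKey | indent 4 }}`. Separately, the removed lines show that a private key and its self-signed certificate had been committed to the chart; deleting them here does not remove them from repository history, so that key pair should be treated as public and not reused for any deployment.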
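Review bot: The new `tls` stanza carries no comment saying what format the two values must have, even though the template consumes them inside a Secret `data:` field and the README populates them with `base64` output, so a reader of values.yaml alone cannot tell whether to supply raw PEM or base64. A one-line comment above `tls:` would close that gap: `# Base64-encoded PEM certificate and private key for the nginx Secret; both must be provided (see README).` It would also make clear that the `null` defaults are placeholders, not a working configuration.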
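Review bot: The new `certificate` property has no `description`, unlike the neighbouring `replicas` property visible in the hunk context (`description: The number of Pods run within NGINX solution`), so the Marketplace UI and anyone reading schema.yaml get no explanation of what this TLS_CERTIFICATE input is used for. Adding `description: TLS certificate and private key served by the NGINX pods over HTTPS.` under `type: string` keeps the schema self-describing. It may also be worth stating in that description that the generated properties land in `tls.base64EncodedPrivateKey` and `tls.base64EncodedCertificate`, matching the `--set` flags the README uses.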