Enabled internal TLS between k8s pods by default

jk464 · jk464 · commit 86aaa90341a5 · 2024-05-20T15:53:06.000+01:00
diff --git a/.github/workflows/e2e.yaml b/.github/workflows/e2e.yaml
@@ -39,6 +39,17 @@ jobs:
         with:
           k3s-channel: ${{ matrix.k3s-channel }}
 
+      - name: Setup cert-manager
+        run: |
+          helm repo add jetstack https://charts.jetstack.io --force-update
+          helm repo update
+          kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.crds.yaml
+          helm install \
+            cert-manager jetstack/cert-manager \
+            --namespace cert-manager \
+            --create-namespace \
+            --version v1.14.5
+
       - name: Update stackstorm-ha chart dependencies
         run: |
           set -x
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,6 +2,7 @@
 
 ## Development
 * Updated our tests/unit to support newer versions of `unittests` - for now bumping to `v0.4.4` as `v0.5.0` has a bug that impacts us (see helm-unittest/helm-unittest#329), but testing around the bug shows `v0.5.x` should also "just work" (#414) (by @jk464)
+* Enable the use of TLS between all internal components (aside from Redis), and enable it by default (#401) (by @jk464)
 
 ## v1.1.0
 * Fix syntax with ensure-packs-volumes-are-writable job (#403, #411) (by @skiedude)
diff --git a/Chart.yaml b/Chart.yaml
@@ -33,7 +33,7 @@ dependencies:
     repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
     condition: rabbitmq.enabled
   - name: mongodb
-    version: 10.0.1
+    version: 13.18.5
     repository: https://raw.githubusercontent.com/bitnami/charts/archive-full-index/bitnami
     condition: mongodb.enabled
   - name: external-dns
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
@@ -199,7 +199,7 @@ Reduce duplication of the st2.*.conf volume details
 
 {{- define "stackstorm-ha.init-containers-wait-for-db" -}}
 {{- if index .Values "mongodb" "enabled" }}
-{{- $mongodb_port := (int (index .Values "mongodb" "service" "port")) }}
+{{- $mongodb_port := (int (index .Values "mongodb" "service" "ports" "mongodb")) }}
 - name: wait-for-db
   image: {{ template "stackstorm-ha.utilityImage" . }}
   imagePullPolicy: {{ .Values.image.pullPolicy }}
@@ -422,3 +422,54 @@ Create the custom env list for each deployment
   value: {{ $value | quote }}
   {{- end }}
 {{- end -}}
+
+{{/*
+Generate CA
+*/}}
+{{- define "stackstorm-ha.internal_tls.ca" }}
+data:
+{{- if (default false ((($.Values.secret).ca))) }}
+  tls.crt: "{{ .Values.secret.ca.crt }}"
+  tls.key: "{{ .Values.secret.ca.key }}"
+{{- else }}
+{{- $ca := genCA "StackStorm CA" 365 }}
+  tls.crt: "{{ $ca.Cert | b64enc}}"
+  tls.key: "{{ $ca.Key | b64enc}}"
+{{- end -}}
+{{- end -}}
+
+{{/*
+Set up values for Internal TLS
+*/}}
+{{- define "stackstorm-ha.internal_tls.cert_volume.mount" -}}
+{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
+- name: {{ .Values.st2.tls.secretName }}
+  mountPath: {{ .Values.st2.tls.mountPath }}/
+  readOnly: true
+{{- end }}
+{{- end -}}
+{{- define "stackstorm-ha.internal_tls.cert_volume.volume" -}}
+{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
+- name: {{ .Values.st2.tls.secretName }}
+  secret:
+    secretName: {{ .Values.st2.tls.secretName }}
+{{- end }}
+{{- end -}}
+
+{{/*
+Define st2web ports
+*/}}
+{{- define "stackstorm-ha.st2web.http_port" -}}
+{{- if ne (default 0 ((($.Values.st2web.securityContext).runAsUser) | int)) 0 -}}
+8080
+{{- else -}}
+80
+{{- end -}}
+{{- end -}}
+{{- define "stackstorm-ha.st2web.https_port" -}}
+{{- if ne (default 0 ((($.Values.st2web.securityContext).runAsUser) | int)) 0 -}}
+8443
+{{- else -}}
+443
+{{- end -}}
+{{- end -}}
diff --git a/templates/ca.yaml b/templates/ca.yaml
@@ -0,0 +1,19 @@
+{{- if not ( .Values.st2.tls.certificate_issuer.existing ) -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Values.st2.tls.certificate_issuer.name }}
+  namespace: "{{ $.Release.Namespace }}"
+spec:
+  ca:
+    secretName: {{ .Values.st2.tls.certificate_issuer.name }}-tls
+---
+apiVersion: v1
+{{- include "stackstorm-ha.internal_tls.ca" .  }}
+kind: Secret
+metadata:
+  name: {{ .Values.st2.tls.certificate_issuer.name }}-tls
+  namespace: "{{ $.Release.Namespace }}"
+type: kubernetes.io/tls
+{{- end -}}
diff --git a/templates/certificate.yaml b/templates/certificate.yaml
@@ -0,0 +1,29 @@
+{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.st2.tls.secretName }}
+  namespace: "{{ $.Release.Namespace }}"
+  labels:
+    app: stackstorm
+    heritage: {{.Release.Service | quote}}
+    release: {{.Release.Name | quote}}
+    chart: {{ replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name }}
+spec:
+  secretName: {{ .Values.st2.tls.secretName }}
+  dnsNames:
+    - "*.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}"
+{{ include "stackstorm-ha.mongodb-nodes" $ | splitList "," | toYaml | indent 4 }}
+  ipAddresses:
+    - "127.0.0.1"
+  renewBefore: 360h # 15d
+  privateKey:
+    rotationPolicy: Always
+    algorithm: RSA
+    size: 3072
+  issuerRef:
+    name: {{ .Values.st2.tls.certificate_issuer.name }}
+    kind: Issuer
+    group: cert-manager.io
+{{- end -}}
diff --git a/templates/configmaps_st2-conf.yaml b/templates/configmaps_st2-conf.yaml
@@ -11,19 +11,49 @@ data:
   # The order of merging: st2.conf < st2.docker.conf < st2.user.conf
   st2.docker.conf: |
     [auth]
+    {{- if .Values.rabbitmq.tls.enabled }}
+    api_url = https://{{ .Release.Name }}-st2api:9111/
+    {{- else }}
     api_url = http://{{ .Release.Name }}-st2api:9101/
+    {{- end -}}
+    {{- if and .Values.st2.tls.enabled .Values.st2auth.tls.enabled }}
+    use_ssl = True
+    key = {{ .Values.st2.tls.mountPath }}/tls.key
+    cert = {{ .Values.st2.tls.mountPath }}/tls.crt
+    debug = False
+    enable = True
+    {{- else }}
+    use_ssl = False
+    {{- end }}
+
     [system_user]
     user = {{ .Values.st2.system_user.user }}
     ssh_key_file = {{ tpl .Values.st2.system_user.ssh_key_file . }}
     {{- if index .Values "redis" "enabled" }}
+
     [coordination]
     url = redis://{{ template "stackstorm-ha.redis-password" $ }}{{ template "stackstorm-ha.redis-nodes" $ }}
     {{- end }}
     {{- if index .Values "rabbitmq" "enabled" }}
+
     [messaging]
+    {{- if .Values.rabbitmq.tls.enabled }}
+    url = amqp://{{ required "rabbitmq.auth.username is required!" (index .Values "rabbitmq" "auth" "username") }}:{{ required "rabbitmq.auth.password is required!" (index .Values "rabbitmq" "auth" "password") }}@{{ .Release.Name }}-rabbitmq:5671{{ required "rabbitmq.ingress.path is required!" (index .Values "rabbitmq" "ingress" "path") }}
+    {{- else }}
     url = amqp://{{ required "rabbitmq.auth.username is required!" (index .Values "rabbitmq" "auth" "username") }}:{{ required "rabbitmq.auth.password is required!" (index .Values "rabbitmq" "auth" "password") }}@{{ .Release.Name }}-rabbitmq:5672{{ required "rabbitmq.ingress.path is required!" (index .Values "rabbitmq" "ingress" "path") }}
+    {{- end -}}
     {{- end }}
     {{- if index .Values "mongodb" "enabled" }}
+    {{- if .Values.rabbitmq.tls.enabled }}
+    ssl = True
+    ssl_ca_certs = {{ .Values.st2.tls.mountPath }}/ca.crt
+    ssl_cert_reqs = optional
+    ssl_certfile = {{ .Values.st2.tls.mountPath }}/tls.crt
+    ssl_keyfile = {{ .Values.st2.tls.mountPath }}/tls.key
+    {{- else }}
+    ssl = False
+    {{- end }}
+
     [database]
     {{- if index .Values "mongodb" "auth" "enabled" }}
     host = mongodb://{{ template "stackstorm-ha.mongodb-nodes" $ }}/{{ required "mongodb.auth.database is required!" (index .Values "mongodb" "auth" "database") }}?authSource={{ required "mongodb.auth.database is required!" (index .Values "mongodb" "auth" "database") }}&replicaSet={{ index .Values "mongodb" "replicaSetName" }}
@@ -36,10 +66,21 @@ data:
     port = {{ index .Values "mongodb" "service" "port" }}
     {{- end }}
     {{- if ne "disable" (default "" .Values.st2.datastore_crypto_key) }}
+    {{- if .Values.mongodb.tls.enabled }}
+    ssl = True
+    ssl_ca_certs = {{ .Values.st2.tls.mountPath }}/ca.crt
+    ssl_cert_reqs = optional
+    ssl_certfile = {{ .Values.st2.tls.mountPath }}/tls.crt
+    ssl_keyfile = {{ .Values.st2.tls.mountPath }}/tls.key
+    {{- else }}
+    ssl = False
+    {{- end }}
+
     [keyvalue]
     encryption_key_path = /etc/st2/keys/datastore_key.json
     {{- end }}
     {{- if .Values.st2.rbac.enabled }}
+
     [rbac]
     enable = True
     backend = default
diff --git a/templates/configmaps_st2-urls.yaml b/templates/configmaps_st2-urls.yaml
@@ -7,6 +7,18 @@ metadata:
     description: StackStorm service URLs, used across entire st2 cluster
   labels: {{- include "stackstorm-ha.labels" (list $ "st2") | nindent 4 }}
 data:
+  {{- if and .Values.st2.tls.enabled .Values.st2auth.tls.enabled }}
+  ST2_AUTH_URL: https://{{ .Release.Name }}-st2auth:9100/
+  {{- else }}
   ST2_AUTH_URL: http://{{ .Release.Name }}-st2auth:9100/
+  {{- end }}
+  {{- if and .Values.st2.tls.enabled .Values.st2api.tls.enabled }}
+  ST2_API_URL: https://{{ .Release.Name }}-st2api:9111/
+  {{- else }}
   ST2_API_URL: http://{{ .Release.Name }}-st2api:9101/
+  {{- end }}
+  {{- if and .Values.st2.tls.enabled .Values.st2stream.tls.enabled }}
+  ST2_STREAM_URL: https://{{ .Release.Name }}-st2stream:9112/
+  {{- else }}
   ST2_STREAM_URL: http://{{ .Release.Name }}-st2stream:9102/
+  {{- end }}
diff --git a/templates/deployments.yaml b/templates/deployments.yaml
diff --git a/templates/jobs.yaml b/templates/jobs.yaml
diff --git a/templates/services.yaml b/templates/services.yaml
diff --git a/values.yaml b/values.yaml

-Original file line number
+Diff line change
         {{- end }}
         {{- end }}
         volumeMounts:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.mount" . | nindent 8  }}
         {{- include "stackstorm-ha.st2-config-volume-mounts" . | nindent 8 }}
         - name: st2-rbac-roles-vol
           mountPath: /opt/stackstorm/rbac/roles/
         # TODO: Find out default resource limits for this specific service (#5)
         #resources:
       volumes:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.volume" . | nindent 8  }}
         {{- include "stackstorm-ha.st2-config-volume" . | nindent 8 }}
         - name: st2-rbac-roles-vol
           configMap:
           - 'sh'
           - '-c'
           - >
 +            {{- if and .Values.st2.tls.enabled .Values.st2api.tls.enabled }}
 +            until nc -z -w 2 {{ .Release.Name }}-st2api 9111 && echo st2api ready;
 +            {{- else }}
             until nc -z -w 2 {{ .Release.Name }}-st2api 9101 && echo st2api ready;
 +            {{- end }}
               do sleep 2;
             done
       # Sidecar container for generating st2client config with st2 username & password pair and sharing produced file with the main container
             name: {{ . }}
         {{- end }}
         volumeMounts:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.mount" . | nindent 8  }}
         - name: st2client-config-vol
           mountPath: /root/.st2/
         # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
             name: {{ . }}
         {{- end }}
         volumeMounts:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.mount" . | nindent 8  }}
         - name: st2client-config-vol
           mountPath: /root/.st2/
         - name: st2-apikeys-vol
         # TODO: Find out default resource limits for this specific service (#5)
         #resources:
       volumes:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.volume" . | nindent 8  }}
         - name: st2client-config-vol
           emptyDir:
             medium: Memory
             name: {{ . }}
         {{- end }}
         volumeMounts:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.mount" . | nindent 8  }}
         - name: st2client-config-vol
           mountPath: /root/.st2/
         # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
             name: {{ . }}
         {{- end }}
         volumeMounts:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.mount" . | nindent 8  }}
         {{- include "stackstorm-ha.st2-config-volume-mounts" . | nindent 8 }}
         - name: st2client-config-vol
           mountPath: /root/.st2/
         # TODO: Find out default resource limits for this specific service (#5)
         #resources:
       volumes:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.volume" . | nindent 8  }}
         {{- include "stackstorm-ha.st2-config-volume" . | nindent 8 }}
         - name: st2client-config-vol
           emptyDir:
         {{- end }}
         command: {{- toYaml $.Values.jobs.preRegisterContentCommand | nindent 8 }}
         volumeMounts:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.mount" . | nindent 8  }}
         {{- include "stackstorm-ha.overrides-config-mounts" . | nindent 8 }}
         {{- include "stackstorm-ha.st2-config-volume-mounts" . | nindent 8 }}
         {{- include "stackstorm-ha.pack-configs-volume-mount" . | nindent 8 }}
         {{- end }}
         {{- end }}
         volumeMounts:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.mount" . | nindent 8  }}
         {{- include "stackstorm-ha.overrides-config-mounts" . | nindent 8 }}
         {{- include "stackstorm-ha.st2-config-volume-mounts" . | nindent 8 }}
         {{- include "stackstorm-ha.packs-volume-mounts-for-register-job" . | nindent 8 }}
         # TODO: Find out default resource limits for this specific service (#5)
         #resources:
       volumes:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.volume" . | nindent 8  }}
         {{- include "stackstorm-ha.overrides-configs" . | nindent 8 }}
         {{- include "stackstorm-ha.st2-config-volume" . | nindent 8 }}
         {{- include "stackstorm-ha.packs-volumes" . | nindent 8 }}
             echo DONE
         volumeMounts:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.mount" . | nindent 8  }}
         {{- include "stackstorm-ha.packs-volume-mounts" $ | nindent 8 }}
         {{/* do not include the pack-configs-volume-mount helper here */}}
         - name: st2-pack-configs-vol
         # TODO: Find out default resource limits for this specific job (#5)
         #resources:
       volumes:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.volume" . | nindent 8  }}
         {{- include "stackstorm-ha.packs-volumes" $ | nindent 8 }}
         {{- if $.Values.st2.packs.volumes.configs }}
           {{/* do not include the pack-configs-volume helper here */}}
             name: {{ . }}
         {{- end }}
         volumeMounts:
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.mount" . | nindent 8  }}
         - name: st2client-config-vol
           mountPath: /root/.st2/
         # `st2 login` doesn't exit on failure correctly, use old methods instead. See bug: https://github.com/StackStorm/st2/issues/4338
         volumeMounts:
         - name: st2client-config-vol
           mountPath: /root/.st2/
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.mount" . | nindent 8  }}
         {{- include "stackstorm-ha.overrides-config-mounts" $ | nindent 8 }}
         {{- include "stackstorm-ha.st2-config-volume-mounts" $ | nindent 8 }}
         {{- include "stackstorm-ha.packs-volume-mounts-for-register-job" $ | nindent 8 }}
         - name: st2client-config-vol
           emptyDir:
             medium: Memory
 +        {{- include "stackstorm-ha.internal_tls.cert_volume.volume" . | nindent 8  }}
         {{- include "stackstorm-ha.overrides-configs" $ | nindent 8 }}
         {{- include "stackstorm-ha.st2-config-volume" $ | nindent 8 }}
         {{- include "stackstorm-ha.packs-volumes" $ | nindent 8 }}
-Original file line number
+Diff line change
   {{- end }}
   ports:
   - protocol: TCP
 +    {{- if and .Values.st2.tls.enabled .Values.st2api.tls.enabled }}
 +    port: 9111
 +    {{- else }}
     port: 9101
 +    {{- end }}
 ---
 kind: Service
   {{- end }}
   ports:
   - protocol: TCP
 +    {{- if and .Values.st2.tls.enabled .Values.st2stream.tls.enabled }}
 +    port: 9112
 +    {{- else }}
     port: 9102
 +    {{- end }}
 ---
 kind: Service
   {{- end }}
   {{- end }}
   ports:
 -  - protocol: TCP
 -    port: {{ eq (get .Values.st2web.env "ST2WEB_HTTPS" | toString) "1" | ternary 443 80 }}
 +  {{- $https_port := include "stackstorm-ha.st2web.https_port" . }}
 +  {{- $http_port := include "stackstorm-ha.st2web.http_port" . }}
 +  - name: st2web
 +    protocol: TCP
 +    port: {{ if and .Values.st2.tls.enabled .Values.st2web.tls.enabled -}}{{ $https_port }}{{- else -}}{{ $http_port }}{{- end }}
 +    targetPort: {{ if and .Values.st2.tls.enabled .Values.st2web.tls.enabled -}}{{ $https_port }}{{- else -}}{{ $http_port }}{{- end }}
 {{ if .Values.st2chatops.enabled -}}
 ---
-Original file line number
+Diff line change
     [api]
     allow_origin = '*'
     # fixes no replicaset found bug;
++
     [database]
     # Connection and server selection timeout (in ms).
     connection_timeout = 5000
+-
   #Override Definitions can be added here.
   #https://docs.stackstorm.com/latest/packs.html#overriding-pack-defaults
   overrides: {}
       #  roles:
       #    - "admin"
 +  # Controls configuring TLS between internal inter-pod communications
 +  tls:
 +    enabled: true
 +    secretName: "internal-tls"
 +    mountPath: "/etc/ssl/internal"
 +    certificate_issuer:
 +      existing: false
 +      name: stackstorm-issuer
++
 ##
 ## Default SecurityContext for pods and containers.
 ## Overrides available for st2web, st2actionrunner, st2sensorcontainer, st2client pods, and custom packs images.
   # see: https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks/
   postStartScript: ""
   preStopSleep: "10"
 +  # Use TLS on HTTP connections to st2web (i.e. between pod and ingress)
 +  tls:
 +    enabled: true
 # https://docs.stackstorm.com/reference/ha.html#st2auth
 # Multiple st2auth processes can be behind a load balancer in an active-active configuration.
   ## Note that Helm templating is supported in 'mount' and 'volume'
   extra_volumes: []
     # see examples under st2actionrunner.extra_volumes
 +  # Use TLS on HTTP connections to st2auth (i.e. between pod and ingress, and inter-pod)
 +  tls:
 +    enabled: true
 # https://docs.stackstorm.com/reference/ha.html#st2api
 # Multiple st2api process can be behind a load balancer in an active-active configuration.
   ## Note that Helm templating is supported in 'mount' and 'volume'
   extra_volumes: []
     # see examples under st2actionrunner.extra_volumes
 +  # Use TLS on HTTP connections to st2api (i.e. between pod and ingress, and inter-pod)
 +  tls:
 +    enabled: true
 # https://docs.stackstorm.com/reference/ha.html#st2stream
 # Multiple st2stream process can be behind a load balancer in an active-active configuration.
   ## Note that Helm templating is supported in 'mount' and 'volume'
   extra_volumes: []
     # see examples under st2actionrunner.extra_volumes
 +  # Use TLS on HTTP connections to st2stream (i.e. between pod and ingress, and inter-pod)
 +  tls:
 +    enabled: true
 # https://docs.stackstorm.com/reference/ha.html#st2rulesengine
 # Multiple st2rulesengine processes can run in active-active with only connections to MongoDB and RabbitMQ. All these will share the TriggerInstance load and naturally pick up more work if one or more of the processes becomes unavailable.
   arbiter:
     enabled: false
   resources: {}
 +  tls:
 +    enabled: true
 +    replicaset:
 +      existingSecrets:
 +        - internal-tls
 +        - internal-tls
 +        - internal-tls
 ##
 ## RabbitMQ configuration (3rd party chart dependency)
     forceBoot: true
   # Authentication Details
   auth:
 +    tls:
 +      enabled: true
 +      existingSecret: "internal-tls"
 +    # Fail over to username admin if LDAP is down:
     username: admin
     # TODO: Use default random 10 character password, but need to fetch this string for use by downstream services
     password: 9jS+w1u07NbHtZke1m+jW4Cj
   # As RabbitMQ enabled prometheus operator monitoring by default, disable it for non-prometheus users
   metrics:
     enabled: false
+-
 +  tls:
 +    enabled: true
 +    existingSecret: "internal-tls"
 ##
 ## Redis HA configuration (3rd party chart dependency)
 ##
   usePassword: false
   metrics:
     enabled: false
 +  # tls:
 +  #   enabled: true
 +  #   authClients: false
 +  #   certificatesSecret: internal-tls
 +  #   certFilename: tls.crt
 +  #   certKeyFilename: tls.key
 +  #   certCAFilename: ca.crt
 ##
 ## Settings to be applied to all stackstorm-ha pods
   aws:
     zoneType: "public"
   domainFilters: []
++
 +##
 +## Image details for ghostunnel
 +##
 +ghostunnel:
 +  image:
 +    name: ghostunnel
 +    repository: ghostunnel
 +    tag: v1.6.0
 +    pullPolicy: IfNotPresent