Add keystore config for routes that host HTTP servers over TLS (#17)
Co-authored-by: Josh Hunziker <joshua.hunziker@octo.us>
jhunzik and Josh Hunziker authored Jun 17, 2024
1 parent c6dbf6d commit d1b1a53
Showing 11 changed files with 326 additions and 95 deletions.
2 changes: 1 addition & 1 deletion operator/controller/integrationroute-controller.yaml
Expand Up @@ -50,7 +50,7 @@ spec:
spec:
containers:
- name: webhook
image: ghcr.io/octoconsulting/keip/route-webhook:0.5.0
image: ghcr.io/octoconsulting/keip/route-webhook:0.6.0
ports:
- containerPort: 7080
name: webhook-http
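Review bot: the `image:` line references the webhook by mutable tag only (`route-webhook:0.6.0`); consider pinning by digest as well (`image: ghcr.io/octoconsulting/keip/route-webhook:0.6.0@sha256:<digest-of-published-image>`, placeholder until the image is pushed) so the operator manifest cannot silently pick up a re-pushed tag. The tag itself does match `VERSION ?= 0.6.0` in operator/webhook/Makefile in this same commit, so the bump is consistent.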
52 changes: 38 additions & 14 deletions operator/crd/crd.yaml
Expand Up @@ -89,22 +89,46 @@ spec:
- claimName
- mountPath
tls:
description: "Configure client TLS connections using a JKS or PKCS12 truststore. A JKS truststore should have its password set to 'changeit', while a PKCS12 truststore should have an empty password."
description: "Configure server and client TLS connections."
type: object
properties:
configMapName:
type: string
key:
type: string
type:
type: string
enum:
- jks
- pkcs12
required:
- configMapName
- key
- type
truststore:
description: "Configure client TLS connections using a JKS or PKCS12 truststore. A JKS truststore should have its password set to 'changeit', while a PKCS12 truststore should have an empty password."
type: object
properties:
configMapName:
type: string
key:
type: string
type:
type: string
enum:
- jks
- pkcs12
required:
- configMapName
- key
- type
keystore:
description: "Configure HTTP server TLS connections using a JKS or PKCS12 keystore. The keystore password should be stored in a secret and referenced in the route Custom Resource. The format of the secret should be `password=<password>`."
type: object
properties:
secretName:
type: string
key:
type: string
type:
type: string
enum:
- jks
- pkcs12
passwordSecretRef:
type: string
required:
- secretName
- key
- type
- passwordSecretRef
required:
- routeConfigMap
required:
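Review bot: the `keystore` description says the secret must be shaped `password=<password>`, but `passwordSecretRef` only names the secret, so the data key `password` is a hard-coded convention that the schema never captures; either add a property for the key name alongside `passwordSecretRef`, or state in the description that the key must be literally `password` and that the secret must live in the route's namespace. Also, `truststore` still carries the fixed `'changeit'` JKS password from the old description while `keystore` now gets a secret-backed password; worth a follow-up to give the truststore the same `passwordSecretRef` treatment instead of a well-known default.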
20 changes: 18 additions & 2 deletions operator/example/README.md
Expand Up @@ -8,9 +8,18 @@ Prerequisites:
- Metacontroller
- Keip CRDs and controller
- Access to a `keip-integration` image
- Cert-Manager

Run example:

Running the example:
1. Install Cert-Manager:
```shell
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.0/cert-manager.yaml
```
2. Create JKS password secret:
```shell
kubectl create secret generic --from-literal=password=password jks-password
```
3. Run example:
```shell
kubectl apply -k example
```
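Review bot: step 2 creates the JKS password secret with `--from-literal=password=password`, which leaves a literal password in the reader's shell history and gives the example keystore a guessable password; suggest telling the reader to substitute their own value (`--from-literal=password=<choose-a-password>`) or to generate one. Separately, `Cert-Manager` is now listed under Prerequisites while step 1 installs it, so one of the two is redundant; keep the install step and drop it from the prerequisites list, or mark it there as "installed in step 1".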
Expand All @@ -24,6 +33,8 @@ This should result in the creation of the following resources:
- ConfigMap `testroute-props`: Contains the application's configurable properties.
- Secret `testroute-secret`: Confidential information that will be mounted as volume in the running
pod.
- Self-Signed Certificate `certificate.cert-manager.io/selfsigned-cert`: A certificate resource that creates the `test-keystore` secret using the `jks-password` secret
- Cluster Issuer `clusterissuer.cert-manager.io/test-selfsigned`: A self-signed cluster issuer used to sign certificates.

Check for the running `testroute` pod:

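Review bot: the new `Self-Signed Certificate` bullet is missing its terminal period and does not say which key of `test-keystore` holds the keystore, which is exactly what `key: keystore.jks` in operator/example/testroute.yaml depends on; suggest ending it with "... using the `jks-password` secret; the JKS is stored under the `keystore.jks` key." so the README explains the value the route manifest uses.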
Expand All @@ -43,6 +54,11 @@ GenericMessage [payload=Hello. I have a secret to share: (pass123), headers={id=

```

Port-forward the pod and verify `https://localhost:8443` returns the default Spring whitelabel error page.
```shell
kubectl port-forward testroute-74d574bf85-tbv9m 8443:8443
```

Clean up

```shell
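Review bot: the port-forward command hard-codes a generated pod name (`testroute-74d574bf85-tbv9m`) that will not exist in a reader's cluster; use `kubectl port-forward deployment/testroute 8443:8443` instead. The verification sentence should also say the certificate is self-signed (per operator/example/cert.yaml), so `curl` needs `-k` or the issuing cert from the `test-keystore` secret and a browser will show a trust warning; seeing the whitelabel page confirms TLS is enabled, not that the chain verifies.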
35 changes: 35 additions & 0 deletions operator/example/cert.yaml
@@ -0,0 +1,35 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: test-selfsigned
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: selfsigned-cert
namespace: default
spec:
secretName: test-keystore
dnsNames:
- test
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: test-selfsigned
keystores:
jks:
create: true
passwordSecretRef:
name: jks-password
key: password
subject:
countries:
- US
localities:
- A Park
organizationalUnits:
- Parks and Recreation
provinces:
- FL
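Review bot: `dnsNames` only lists `test`, while the README verifies against `https://localhost:8443`, so any client that checks SANs will fail hostname verification; add `localhost` to `dnsNames` for the example, or state in the README that the name mismatch is expected. Also, `passwordSecretRef` names `jks-password` and this `Certificate` lives in `default`, so README step 2 must create that secret in `default` as well; a one-line comment next to `passwordSecretRef` would make that dependency visible.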
1 change: 1 addition & 0 deletions operator/example/kustomization.yaml
@@ -1,5 +1,6 @@
resources:
- testroute.yaml
- cert.yaml

generatorOptions:
disableNameSuffixHash: true
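Review bot: `cert.yaml` is now applied by `kubectl apply -k example`, but the `jks-password` secret it depends on is created out of band in README step 2, so the `Certificate` will sit unready until that manual step runs; since this file already sets `generatorOptions` with `disableNameSuffixHash: true`, a `secretGenerator` entry for `jks-password` would make the kustomization self-contained and remove the ordering dependency (with the same caveat that the literal should not be a fixed demo value checked into the repo).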
6 changes: 6 additions & 0 deletions operator/example/testroute.yaml
Expand Up @@ -11,3 +11,9 @@ spec:
# group: abc
secretSources:
- testroute-secret
tls:
keystore:
secretName: test-keystore
type: jks
key: keystore.jks
passwordSecretRef: jks-password
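Review bot: `key: keystore.jks` has to match the key cert-manager writes into `test-keystore` when `keystores.jks.create` is set in cert.yaml, and nothing here says so; add a short comment such as `# key emitted by cert-manager's jks keystore option` so the coupling between the two example files is visible. Likewise `passwordSecretRef: jks-password` silently assumes the secret's data key is `password` (per the CRD description), which deserves a comment on the same line.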
4 changes: 2 additions & 2 deletions operator/webhook/Makefile
@@ -1,4 +1,4 @@
VERSION ?= 0.5.0
VERSION ?= 0.6.0
HOST_PORT ?= 7080

IMG_REGISTRY := ghcr.io/octoconsulting
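Review bot: `VERSION ?= 0.6.0` must stay in step with the `image:` tag in operator/controller/integrationroute-controller.yaml (also bumped to 0.6.0 in this commit); consider deriving one from the other or adding a small check target so a future bump cannot update only one of the two places.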
Expand Down Expand Up @@ -27,7 +27,7 @@ start-dev-server:

.PHONY: test
test:
cd test && mkdir -p $(TEST_COVERAGE_DIR) && coverage run --data-file=$(TEST_COVERAGE_FILE) -m pytest
cd test && mkdir -p $(TEST_COVERAGE_DIR) && coverage run --data-file=$(TEST_COVERAGE_FILE) -m pytest -vv

.PHONY: report-test-coverage
report-test-coverage: test
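Review bot: adding `-vv` unconditionally to the `test` target makes every run maximally verbose, including CI logs; prefer an overridable variable, e.g. `PYTEST_ARGS ?=` and `... -m pytest $(PYTEST_ARGS)`, so verbosity is opt-in in the same way `VERSION` and `HOST_PORT` are overridable at the top of this Makefile.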