Merge pull request #3107 from uselagoon/tls-verify

images/kubectl-build-deploy-dind/build-deploy-docker-compose.sh

@@ -77,7 +77,7 @@ function featureFlag() {
 }
 
 set +x
-SCC_CHECK=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get pod ${LAGOON_BUILD_NAME} -o json | jq -r '.metadata.annotations."openshift.io/scc" // false')
+SCC_CHECK=$(kubectl -n ${NAMESPACE} get pod ${LAGOON_BUILD_NAME} -o json | jq -r '.metadata.annotations."openshift.io/scc" // false')
 set -x
 
 function patchBuildStep() {
@@ -104,7 +104,7 @@ function patchBuildStep() {
 
   # patch the buildpod with the buildstep
   if [ "${SCC_CHECK}" == false ]; then
-    kubectl patch --insecure-skip-tls-verify -n ${4} pod ${LAGOON_BUILD_NAME} \
+    kubectl patch -n ${4} pod ${LAGOON_BUILD_NAME} \
       -p "{\"metadata\":{\"labels\":{\"lagoon.sh/buildStep\":\"${5}\"}}}"
 
     # tiny sleep to allow patch to complete before logs roll again
@@ -127,21 +127,21 @@ set -x
 
 set +x
 echo "Updating lagoon-yaml configmap with a pre-deploy version of the .lagoon.yml file"
-if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-yaml &> /dev/null; then
+if kubectl -n ${NAMESPACE} get configmap lagoon-yaml &> /dev/null; then
   # replace it
   # if the environment has already been deployed with an existing configmap that had the file in the key `.lagoon.yml`
   # just nuke the entire configmap and replace it with our new key and file
-  LAGOON_YML_CM=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-yaml -o json)
+  LAGOON_YML_CM=$(kubectl -n ${NAMESPACE} get configmap lagoon-yaml -o json)
   if [ "$(echo ${LAGOON_YML_CM} | jq -r '.data.".lagoon.yml" // false')" == "false" ]; then
     # if the key doesn't exist, then just update the pre-deploy yaml only
-    kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-yaml -o json | jq --arg add "`cat .lagoon.yml`" '.data."pre-deploy" = $add' | kubectl apply -f -
+    kubectl -n ${NAMESPACE} get configmap lagoon-yaml -o json | jq --arg add "`cat .lagoon.yml`" '.data."pre-deploy" = $add' | kubectl apply -f -
   else
     # if the key does exist, then nuke it and put the new key
-    kubectl --insecure-skip-tls-verify -n ${NAMESPACE} create configmap lagoon-yaml --from-file=pre-deploy=.lagoon.yml -o yaml --dry-run=client | kubectl replace -f -
+    kubectl -n ${NAMESPACE} create configmap lagoon-yaml --from-file=pre-deploy=.lagoon.yml -o yaml --dry-run=client | kubectl replace -f -
   fi
  else
   # create it
-  kubectl --insecure-skip-tls-verify -n ${NAMESPACE} create configmap lagoon-yaml --from-file=pre-deploy=.lagoon.yml
+  kubectl -n ${NAMESPACE} create configmap lagoon-yaml --from-file=pre-deploy=.lagoon.yml
 fi
 set -x
 
@@ -334,7 +334,7 @@ do
   if [ "$SERVICE_TYPE" == "mariadb" ]; then
     # if there is already a service existing with the service_name we assume that for this project there has been a
     # mariadb-single deployed (probably from the past where there was no mariadb-shared yet, or mariadb-dbaas) and use that one
-    if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get service "$SERVICE_NAME" &> /dev/null; then
+    if kubectl -n ${NAMESPACE} get service "$SERVICE_NAME" &> /dev/null; then
       SERVICE_TYPE="mariadb-single"
     elif checkDBaaSHealth; then
       # check if the dbaas operator responds to a health check
@@ -372,7 +372,7 @@ do
   if [ "$SERVICE_TYPE" == "postgres" ]; then
     # if there is already a service existing with the service_name we assume that for this project there has been a
     # postgres-single deployed (probably from the past where there was no postgres-shared yet, or postgres-dbaas) and use that one
-    if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get service "$SERVICE_NAME" &> /dev/null; then
+    if kubectl -n ${NAMESPACE} get service "$SERVICE_NAME" &> /dev/null; then
       SERVICE_TYPE="postgres-single"
     elif checkDBaaSHealth; then
       # check if the dbaas operator responds to a health check
@@ -410,7 +410,7 @@ do
   if [ "$SERVICE_TYPE" == "mongo" ]; then
     # if there is already a service existing with the service_name we assume that for this project there has been a
     # mongodb-single deployed (probably from the past where there was no mongodb-shared yet, or mongodb-dbaas) and use that one
-    if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get service "$SERVICE_NAME" &> /dev/null; then
+    if kubectl -n ${NAMESPACE} get service "$SERVICE_NAME" &> /dev/null; then
       SERVICE_TYPE="mongodb-single"
     elif checkDBaaSHealth; then
       # check if the dbaas operator responds to a health check
@@ -499,7 +499,7 @@ set -x
 ##############################################
 
 LAGOON_CACHE_BUILD_ARGS=()
-readarray LAGOON_CACHE_BUILD_ARGS < <(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get deployments -o yaml -l 'lagoon.sh/service' | yq e '.items[].spec.template.spec.containers[].image | capture("^(?P<image>.+\/.+\/.+\/(?P<name>.+)\@.*)$") | "LAGOON_CACHE_" + .name + "=" + .image' -)
+readarray LAGOON_CACHE_BUILD_ARGS < <(kubectl -n ${NAMESPACE} get deployments -o yaml -l 'lagoon.sh/service' | yq e '.items[].spec.template.spec.containers[].image | capture("^(?P<image>.+\/.+\/.+\/(?P<name>.+)\@.*)$") | "LAGOON_CACHE_" + .name + "=" + .image' -)
 
 
 
@@ -1099,7 +1099,7 @@ if [[ "${CAPABILITIES[@]}" =~ "backup.appuio.ch/v1alpha1/Schedule" ]]; then
       HELM_CUSTOM_BAAS_BACKUP_SECRET_KEY=${BAAS_CUSTOM_BACKUP_SECRET_KEY}
     else
       set +x
-      kubectl --insecure-skip-tls-verify -n ${NAMESPACE} delete secret baas-custom-backup-credentials --ignore-not-found
+      kubectl -n ${NAMESPACE} delete secret baas-custom-backup-credentials --ignore-not-found
       set -x
     fi
   fi
@@ -1116,15 +1116,15 @@ if [[ "${CAPABILITIES[@]}" =~ "backup.appuio.ch/v1alpha1/Schedule" ]]; then
       HELM_CUSTOM_BAAS_RESTORE_SECRET_KEY=${BAAS_CUSTOM_RESTORE_SECRET_KEY}
     else
       set +x
-      kubectl --insecure-skip-tls-verify -n ${NAMESPACE} delete secret baas-custom-restore-credentials --ignore-not-found
+      kubectl -n ${NAMESPACE} delete secret baas-custom-restore-credentials --ignore-not-found
       set -x
     fi
   fi
 
-  if ! kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get secret baas-repo-pw &> /dev/null; then
+  if ! kubectl -n ${NAMESPACE} get secret baas-repo-pw &> /dev/null; then
     # Create baas-repo-pw secret based on the project secret
     set +x
-    kubectl --insecure-skip-tls-verify -n ${NAMESPACE} create secret generic baas-repo-pw --from-literal=repo-pw=$(echo -n "$PROJECT_SECRET-BAAS-REPO-PW" | sha256sum | cut -d " " -f 1)
+    kubectl -n ${NAMESPACE} create secret generic baas-repo-pw --from-literal=repo-pw=$(echo -n "$PROJECT_SECRET-BAAS-REPO-PW" | sha256sum | cut -d " " -f 1)
     set -x
   fi
 
@@ -1239,7 +1239,7 @@ set -x
 
 if [ "$(ls -A $YAML_FOLDER/)" ]; then
   find $YAML_FOLDER -type f -exec cat {} \;
-  kubectl apply --insecure-skip-tls-verify -n ${NAMESPACE} -f $YAML_FOLDER/
+  kubectl apply -n ${NAMESPACE} -f $YAML_FOLDER/
 fi
 
 set +x
@@ -1298,7 +1298,7 @@ if [ ! -z "$LAGOON_PROJECT_VARIABLES" ]; then
   HAS_PROJECT_RUNTIME_VARS=$(echo $LAGOON_PROJECT_VARIABLES | jq -r 'map( select(.scope == "runtime" or .scope == "global") )')
 
   if [ ! "$HAS_PROJECT_RUNTIME_VARS" = "[]" ]; then
-    kubectl patch --insecure-skip-tls-verify \
+    kubectl patch \
       -n ${NAMESPACE} \
       configmap lagoon-env \
       -p "{\"data\":$(echo $LAGOON_PROJECT_VARIABLES | jq -r 'map( select(.scope == "runtime" or .scope == "global") ) | map( { (.name) : .value } ) | add | tostring')}"
@@ -1308,7 +1308,7 @@ if [ ! -z "$LAGOON_ENVIRONMENT_VARIABLES" ]; then
   HAS_ENVIRONMENT_RUNTIME_VARS=$(echo $LAGOON_ENVIRONMENT_VARIABLES | jq -r 'map( select(.scope == "runtime" or .scope == "global") )')
 
   if [ ! "$HAS_ENVIRONMENT_RUNTIME_VARS" = "[]" ]; then
-    kubectl patch --insecure-skip-tls-verify \
+    kubectl patch \
       -n ${NAMESPACE} \
       configmap lagoon-env \
       -p "{\"data\":$(echo $LAGOON_ENVIRONMENT_VARIABLES | jq -r 'map( select(.scope == "runtime" or .scope == "global") ) | map( { (.name) : .value } ) | add | tostring')}"
@@ -1317,7 +1317,7 @@ fi
 set -x
 
 if [ "$BUILD_TYPE" == "pullrequest" ]; then
-  kubectl patch --insecure-skip-tls-verify \
+  kubectl patch \
     -n ${NAMESPACE} \
     configmap lagoon-env \
     -p "{\"data\":{\"LAGOON_PR_HEAD_BRANCH\":\"${PR_HEAD_BRANCH}\", \"LAGOON_PR_BASE_BRANCH\":\"${PR_BASE_BRANCH}\", \"LAGOON_PR_TITLE\":$(echo $PR_TITLE | jq -R)}}"
@@ -1357,7 +1357,7 @@ done
 ### REDEPLOY DEPLOYMENTS IF CONFIG MAP CHANGES
 ##############################################
 
-CONFIG_MAP_SHA=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-env -o yaml | shyaml get-value data | sha256sum | awk '{print $1}')
+CONFIG_MAP_SHA=$(kubectl -n ${NAMESPACE} get configmap lagoon-env -o yaml | shyaml get-value data | sha256sum | awk '{print $1}')
 # write the configmap to the values file so when we `exec-kubectl-resources-with-images.sh` the deployments will get the value of the config map
 # which will cause a change in the deployment and trigger a rollout if only the configmap has changed
 yq3 write -i -- /kubectl-build-deploy/values.yaml 'configMapSha' $CONFIG_MAP_SHA
@@ -1580,7 +1580,7 @@ if [ "$(ls -A $YAML_FOLDER/)" ]; then
   fi
 
   find $YAML_FOLDER -type f -exec cat {} \;
-  kubectl apply --insecure-skip-tls-verify -n ${NAMESPACE} -f $YAML_FOLDER/
+  kubectl apply -n ${NAMESPACE} -f $YAML_FOLDER/
 fi
 set -x
 
@@ -1644,7 +1644,7 @@ do
     continue
   else
     #echo "Single cron missing: ${SINGLE_NATIVE_CRONJOB}"
-    kubectl --insecure-skip-tls-verify -n ${NAMESPACE} delete cronjob ${SINGLE_NATIVE_CRONJOB}
+    kubectl -n ${NAMESPACE} delete cronjob ${SINGLE_NATIVE_CRONJOB}
   fi
 done
 
@@ -1696,12 +1696,12 @@ set -x
 
 set +x
 echo "Updating lagoon-yaml configmap with a post-deploy version of the .lagoon.yml file"
-if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-yaml &> /dev/null; then
+if kubectl -n ${NAMESPACE} get configmap lagoon-yaml &> /dev/null; then
   # replace it, no need to check if the key is different, as that will happen in the pre-deploy phase
-  kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap lagoon-yaml -o json | jq --arg add "`cat .lagoon.yml`" '.data."post-deploy" = $add' | kubectl apply -f -
+  kubectl -n ${NAMESPACE} get configmap lagoon-yaml -o json | jq --arg add "`cat .lagoon.yml`" '.data."post-deploy" = $add' | kubectl apply -f -
  else
   # create it
-  kubectl --insecure-skip-tls-verify -n ${NAMESPACE} create configmap lagoon-yaml --from-file=post-deploy=.lagoon.yml
+  kubectl -n ${NAMESPACE} create configmap lagoon-yaml --from-file=post-deploy=.lagoon.yml
 fi
 set -x
 

images/kubectl-build-deploy-dind/build-deploy.sh

@@ -54,14 +54,14 @@ set +x # reduce noise in build logs
 DEPLOYER_TOKEN=$(cat /var/run/secrets/lagoon/deployer/token)
 
 kubectl config set-credentials lagoon/kubernetes.default.svc --token="${DEPLOYER_TOKEN}"
-kubectl config set-cluster kubernetes.default.svc --insecure-skip-tls-verify=true --server=https://kubernetes.default.svc
+kubectl config set-cluster kubernetes.default.svc --server=https://kubernetes.default.svc --certificate-authority=/run/secrets/kubernetes.io/serviceaccount/ca.crt
 kubectl config set-context default/lagoon/kubernetes.default.svc --user=lagoon/kubernetes.default.svc --namespace="${NAMESPACE}" --cluster=kubernetes.default.svc
 kubectl config use-context default/lagoon/kubernetes.default.svc
 
 if [ ! -z ${INTERNAL_REGISTRY_URL} ] && [ ! -z ${INTERNAL_REGISTRY_USERNAME} ] && [ ! -z ${INTERNAL_REGISTRY_PASSWORD} ] ; then
   echo "docker login -u '${INTERNAL_REGISTRY_USERNAME}' -p '${INTERNAL_REGISTRY_PASSWORD}' ${INTERNAL_REGISTRY_URL}" | /bin/bash
   # create lagoon-internal-registry-secret if it does not exist yet
-  if ! kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get secret lagoon-internal-registry-secret &> /dev/null; then
+  if ! kubectl -n ${NAMESPACE} get secret lagoon-internal-registry-secret &> /dev/null; then
     kubectl create secret docker-registry lagoon-internal-registry-secret --docker-server=${INTERNAL_REGISTRY_URL} --docker-username=${INTERNAL_REGISTRY_USERNAME} --docker-password=${INTERNAL_REGISTRY_PASSWORD} --dry-run -o yaml | kubectl apply -f -
   fi
   REGISTRY_SECRETS+=("lagoon-internal-registry-secret")

images/kubectl-build-deploy-dind/scripts/exec-generate-insights-configmap.sh

@@ -18,20 +18,20 @@ processImageInspect() {
 
   set -x
   # If lagoon-insights-image-inpsect-[IMAGE] configmap already exists then we need to update, else create new
-  if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap $IMAGE_INSPECT_CONFIGMAP &> /dev/null; then
-      kubectl --insecure-skip-tls-verify \
+  if kubectl -n ${NAMESPACE} get configmap $IMAGE_INSPECT_CONFIGMAP &> /dev/null; then
+      kubectl \
           -n ${NAMESPACE} \
           create configmap $IMAGE_INSPECT_CONFIGMAP \
           --from-file=${IMAGE_INSPECT_OUTPUT_FILE} \
           -o json \
           --dry-run=client | kubectl replace -f -
   else
-      kubectl --insecure-skip-tls-verify \
+      kubectl \
           -n ${NAMESPACE} \
           create configmap ${IMAGE_INSPECT_CONFIGMAP} \
           --from-file=${IMAGE_INSPECT_OUTPUT_FILE}
   fi
-  kubectl --insecure-skip-tls-verify \
+  kubectl \
       -n ${NAMESPACE} \
       label configmap ${IMAGE_INSPECT_CONFIGMAP} \
       lagoon.sh/insightsProcessed- \
@@ -64,21 +64,21 @@ processSbom() {
 
     set -x
     # If lagoon-insights-sbom-[IMAGE] configmap already exists then we need to update, else create new
-    if kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get configmap $SBOM_CONFIGMAP &> /dev/null; then
-        kubectl --insecure-skip-tls-verify \
+    if kubectl -n ${NAMESPACE} get configmap $SBOM_CONFIGMAP &> /dev/null; then
+        kubectl \
             -n ${NAMESPACE} \
             create configmap $SBOM_CONFIGMAP \
             --from-file=${SBOM_OUTPUT_FILE} \
             -o json \
             --dry-run=client | kubectl replace -f -
     else
         # Create configmap and add label (#have to add label separately: https://github.com/kubernetes/kubernetes/issues/60295)
-        kubectl --insecure-skip-tls-verify \
+        kubectl \
             -n ${NAMESPACE} \
             create configmap ${SBOM_CONFIGMAP} \
             --from-file=${SBOM_OUTPUT_FILE}
     fi
-    kubectl --insecure-skip-tls-verify \
+    kubectl \
         -n ${NAMESPACE} \
         label configmap ${SBOM_CONFIGMAP} \
         lagoon.sh/insightsProcessed- \

images/kubectl-build-deploy-dind/scripts/exec-kubectl-mariadb-dbaas.sh

@@ -5,7 +5,7 @@
 OPERATOR_COUNTER=1
 OPERATOR_TIMEOUT=180
 # use the secret name from the consumer to prevent credential clash
-until kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database
+until kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database
 do
 if [ $OPERATOR_COUNTER -lt $OPERATOR_TIMEOUT ]; then
     let SERVICE_BROKER_COUNTER=SERVICE_BROKER_COUNTER+1
@@ -18,26 +18,26 @@ fi
 done
 set +x
 # Grab the details from the consumer spec
-DB_HOST=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.primary)
-DB_USER=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.username)
-DB_PASSWORD=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.password)
-DB_NAME=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database)
-DB_PORT=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.port)
+DB_HOST=$(kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.primary)
+DB_USER=$(kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.username)
+DB_PASSWORD=$(kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.password)
+DB_NAME=$(kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.database)
+DB_PORT=$(kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.provider.port)
 
 # Add credentials to our configmap, prefixed with the name of the servicename of this servicebroker
-kubectl patch --insecure-skip-tls-verify \
+kubectl patch \
     -n ${NAMESPACE} \
     configmap lagoon-env \
     -p "{\"data\":{\"${SERVICE_NAME_UPPERCASE}_HOST\":\"${DB_HOST}\", \"${SERVICE_NAME_UPPERCASE}_USERNAME\":\"${DB_USER}\", \"${SERVICE_NAME_UPPERCASE}_PASSWORD\":\"${DB_PASSWORD}\", \"${SERVICE_NAME_UPPERCASE}_DATABASE\":\"${DB_NAME}\", \"${SERVICE_NAME_UPPERCASE}_PORT\":\"${DB_PORT}\"}}"
 
 # only add the DB_READREPLICA_HOSTS variable if it exists in the consumer spec
 # since the operator can support multiple replica hosts being defined, we should comma seperate them here
-if DB_READREPLICA_HOSTS=$(kubectl --insecure-skip-tls-verify -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.replicas); then
+if DB_READREPLICA_HOSTS=$(kubectl -n ${NAMESPACE} get mariadbconsumer/${SERVICE_NAME} -o yaml | shyaml get-value spec.consumer.services.replicas); then
     DB_READREPLICA_HOSTS=$(echo $DB_READREPLICA_HOSTS | cut -c 3- | rev | cut -c 1- | rev | sed 's/^\|$//g' | paste -sd, -)
-    kubectl patch --insecure-skip-tls-verify \
+    kubectl patch \
         -n ${NAMESPACE} \
         configmap lagoon-env \
         -p "{\"data\":{\"${SERVICE_NAME_UPPERCASE}_READREPLICA_HOSTS\":\"${DB_READREPLICA_HOSTS}\"}}"
 fi
 
-set -x
+set -x