From d58de09b6d3f5d5c5d33f2f83c33a2b9f34864a5 Mon Sep 17 00:00:00 2001
From: declan-fitzpatrick
Date: Fri, 28 Jun 2024 15:46:46 +0200
Subject: [PATCH 1/2] allow external tls secret reference

---
 charts/selenium-grid/templates/_nameHelpers.tpl | 4 ++++
 charts/selenium-grid/templates/tls-cert-secret.yaml | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/charts/selenium-grid/templates/_nameHelpers.tpl b/charts/selenium-grid/templates/_nameHelpers.tpl
index fd9916a9a2..d36daf369f 100644
--- a/charts/selenium-grid/templates/_nameHelpers.tpl
+++ b/charts/selenium-grid/templates/_nameHelpers.tpl
@@ -144,7 +144,11 @@ Common secrets cross components
 Secret TLS fullname
 */}}
 {{- define "seleniumGrid.tls.fullname" -}}
+{{- if .Values.tls.externalSecretName }}
+{{- tpl ( .Values.tls.externalSecretName ) $ | trunc 63 | trimSuffix "-" -}}
+{{- else }}
 {{- tpl (default (include "seleniumGrid.component.name" (list "selenium-tls-secret" $)) .Values.tls.nameOverride) $ | trunc 63 | trimSuffix "-" -}}
+{{- end }}
 {{- end -}}
 
 {{/*
diff --git a/charts/selenium-grid/templates/tls-cert-secret.yaml b/charts/selenium-grid/templates/tls-cert-secret.yaml
index 1ed202e1f8..a97a4fea8b 100644
--- a/charts/selenium-grid/templates/tls-cert-secret.yaml
+++ b/charts/selenium-grid/templates/tls-cert-secret.yaml
@@ -1,3 +1,4 @@
+{{- if not .Values.tls.externalSecretName }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -27,3 +28,4 @@ data:
 {{ .Values.serverConfigMap.certificateFile }}: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.certificate $)) .Values.tls.certificate | b64enc }}
 {{ .Values.serverConfigMap.trustStoreFile }}: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.trustStore $)) .Values.tls.trustStore | b64enc }}
 {{- end }}
+{{- end }}
\ No newline at end of file

From f90e1ae12730e549caeb719ece42ffe5026f5000 Mon Sep 17 00:00:00 2001
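Review bot: The `trunc 63 | trimSuffix "-"` applied to `.Values.tls.externalSecretName` in the new branch can silently alter a user-supplied name: a Kubernetes Secret name may legally be up to 253 characters, so a longer value would be cut short and every component would mount a Secret that does not exist, failing at pod start rather than falling back to the chart's own Secret. Since the chart does not create this Secret, the name should pass through unchanged, e.g. `{{- tpl .Values.tls.externalSecretName $ -}}`; the parentheses in `tpl ( .Values.tls.externalSecretName ) $` are redundant either way. A short template comment above the new `if`, stating that this branch returns a Secret the chart neither renders nor validates and that the referenced Secret must already exist in the release namespace, would help the next maintainer.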
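Review bot: Wrapping the whole template in `{{- if not .Values.tls.externalSecretName }}` means that, when the value is set, nothing in the chart checks that the referenced Secret carries the data keys this template would have rendered — `{{ .Values.serverConfigMap.certificateFile }}` and `{{ .Values.serverConfigMap.trustStoreFile }}` are visible in the second hunk, and presumably a private-key entry sits just above them outside the hunk; a mismatch only surfaces when a component fails to start. A leading template comment stating that contract, something like `{{/* Skipped when tls.externalSecretName is set; that Secret must then provide the same data keys as rendered below. */}}`, would keep the requirement next to the code that depends on it. Minor: the closing `{{- end }}` added in the second hunk leaves the file without a trailing newline, as the `\ No newline at end of file` marker shows.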
From: declan-fitzpatrick
Date: Fri, 28 Jun 2024 16:10:58 +0200
Subject: [PATCH 2/2] update readme with external tls secret reference

---
 charts/selenium-grid/README.md | 24 ++++++++++++++++++++++--
 charts/selenium-grid/values.yaml | 1 +
 2 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/charts/selenium-grid/README.md b/charts/selenium-grid/README.md
index 60809aea79..65c58e42d0 100644
--- a/charts/selenium-grid/README.md
+++ b/charts/selenium-grid/README.md
@@ -606,9 +606,9 @@ Selenium Grid supports secure communication between components. Refer to the [in #### Secure Communication -In the chart, there is directory [certs](./certs) contains the default certificate, private key (as PKCS8 format), and Java Keystore (JKS) to teach Java about secure connection (since we are using a non-standard CA) for your trial, local testing purpose. You can generate your own self-signed certificate put them in that default directory by using script [cert.sh](./certs/cert.sh) with adjust needed information. The certificate, private key, truststore are mounted to the components via `Secret`. +In the chart, there is directory [certs](./certs) contains the default certificate, private key (as PKCS8 format), and Java Keystore (JKS) to teach Java about secure connection (since we are using a non-standard CA) for your trial, local testing purpose. You can generate your own self-signed certificate put them in that default directory by using script [cert.sh](./certs/cert.sh) with adjust needed information. The certificate, private key, truststore are mounted to the components via `Secret`. -There are multiple ways to configure your certificate, private key, truststore to the components. You can choose one of them or combine them. +There are multiple ways to configure your certificate, private key, truststore to the components. You can choose one of them or combine them. - Use the default directory [certs](./certs). Rename your own files to be same as the default files and replace them. Give `--set tls.enabled=true` to enable secure communication. 
@@ -646,6 +646,25 @@ There are multiple ways to configure your certificate, private key, truststore t --set-string tls.trustStorePassword=your_truststore_password ``` +- Creating the secret yourself and passing the name as a reference into the chart. For example: + + Run the certificate generator and create a secret, replacing `SECRET_NAME` and `NAMESPACE`: + + ```shell + ./cert.sh + + base64 -d selenium.pkcs8.base64 > selenium.pkcs8 + + kubectl -n NAMESPACE create secret generic SECRET_NAME --from-file=selenium.pem --from-file=selenium.jks --from-file=selenium.pkcs8 + ``` + + Update the external secret name: + ```yaml + tls: + enabled: true + externalSecretName: "SECRET_NAME" + ``` + If you start NGINX ingress controller inline with Selenium Grid chart, you can configure the default certificate of NGINX ingress controller to use the same certificate as Selenium Grid. For example: ```yaml @@ -659,6 +678,7 @@ ingress-nginx: default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret' ``` + #### Node Registration To enable secure in the node registration to make sure that the node is one you control and not a rouge node, you can enable and provide a registration secret string to Distributor, Router and diff --git a/charts/selenium-grid/values.yaml b/charts/selenium-grid/values.yaml index 97a574a738..4a606153c1 100644 --- a/charts/selenium-grid/values.yaml +++ b/charts/selenium-grid/values.yaml @@ -52,6 +52,7 @@ tls: registrationSecret: enabled: false value: "HappyTesting" + externalSecretName: # Basic auth settings for Selenium Grid basicAuth:
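Review bot: The new `externalSecretName:` key in the `tls:` block of values.yaml carries neither a value nor a comment, so a reader has no indication of what it does or that setting it suppresses the chart's own TLS Secret (the `if not .Values.tls.externalSecretName` guard in tls-cert-secret.yaml from the first patch). Add a comment above it, e.g. `# Name of an existing Secret holding the TLS certificate, private key and truststore; when set, the chart does not render its own TLS Secret`, and consider writing the default as `externalSecretName: ""` so it reads as an explicit empty string rather than a null.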