diff --git a/components/app-core/backend/main.go b/components/app-core/backend/main.go index 3526f7bbf4..dd5d0a9a79 100644 --- a/components/app-core/backend/main.go +++ b/components/app-core/backend/main.go @@ -260,7 +260,7 @@ func initConnPool(dc datastore.DatabaseConfig) (*sql.DB, error) { // If our timeout boundary has been exceeded, bail out if timeout.Sub(time.Now()) < 0 { - return nil, fmt.Errorf("Timeout boundary of %d minutes has been exceeded. Exiting.", TimeoutBoundary) + return nil, fmt.Errorf("timeout boundary of %d minutes has been exceeded. Exiting", TimeoutBoundary) } // Circle back and try again @@ -340,8 +340,8 @@ func loadDatabaseConfig(dc datastore.DatabaseConfig) (datastore.DatabaseConfig, return dc, nil } -func createTempCertFiles(pc interfaces.PortalConfig) (string, string, error) { - log.Debug("createTempCertFiles") +func detectTLSCert(pc interfaces.PortalConfig) (string, string, error) { + log.Debug("detectTLSCert") certFilename := "pproxy.crt" certKeyFilename := "pproxy.key" @@ -355,6 +355,17 @@ func createTempCertFiles(pc interfaces.PortalConfig) (string, string, error) { return devCertsDir + certFilename, devCertsDir + certKeyFilename, nil } + // Check if certificate have been provided as files (as is the case in kubernetes) + if pc.TLSCertPath != "" && pc.TLSCertKeyPath != "" { + log.Infof("Using TLS cert: %s, %s", pc.TLSCertPath, pc.TLSCertKeyPath) + _, errCertMissing := os.Stat(pc.TLSCertPath) + _, errCertKeyMissing := os.Stat(pc.TLSCertKeyPath) + if errCertMissing != nil || errCertKeyMissing != nil { + return "", "", fmt.Errorf("unable to find certificate %s or certificate key %s", pc.TLSCertPath, pc.TLSCertKeyPath) + } + return pc.TLSCertPath, pc.TLSCertKeyPath, nil + } + err := ioutil.WriteFile(certFilename, []byte(pc.TLSCert), 0600) if err != nil { return "", "", err 
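Review bot: The two `os.Stat` errors in the new `TLSCertPath` branch are discarded, so a permission-denied or I/O error on the mounted volume is reported as "unable to find", which hides the real cause when the PVC is mounted with the wrong ownership; keep them in the message, e.g. `return "", "", fmt.Errorf("checking TLS cert %q / key %q: %v / %v", pc.TLSCertPath, pc.TLSCertKeyPath, errCertMissing, errCertKeyMissing)`. The file-path branch now silently wins over an inline `CONSOLE_PROXY_CERT`, so a one-line comment stating the precedence (dev certs dir, then cert files, then inline PEM) would save the next reader a trace; the existing comment should also read "certificates have been provided". Because these files hold a private key on a shared volume, a stat-time check that the key is not group/world readable (`info.Mode().Perm()&0o077 != 0`) would be cheap hardening, assuming the proxy runs as the file's owner — worth confirming against the preflight job. The inline-PEM fallback that writes `pproxy.crt`/`pproxy.key` continues past the end of the hunk.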
@@ -436,7 +447,7 @@ func start(config interfaces.PortalConfig, p *portalProxy, addSetupMiddleware *s } if config.HTTPS { - certFile, certKeyFile, err := createTempCertFiles(config) + certFile, certKeyFile, err := detectTLSCert(config) if err != nil { return err } diff --git a/components/app-core/backend/repository/interfaces/structs.go b/components/app-core/backend/repository/interfaces/structs.go index 8293d862ed..c23d8b3e54 100644 --- a/components/app-core/backend/repository/interfaces/structs.go +++ b/components/app-core/backend/repository/interfaces/structs.go @@ -86,6 +86,8 @@ type PortalConfig struct { TLSAddress string `configName:"CONSOLE_PROXY_TLS_ADDRESS"` TLSCert string `configName:"CONSOLE_PROXY_CERT"` TLSCertKey string `configName:"CONSOLE_PROXY_CERT_KEY"` + TLSCertPath string `configName:"CONSOLE_PROXY_CERT_PATH"` + TLSCertKeyPath string `configName:"CONSOLE_PROXY_CERT_KEY_PATH"` CFClient string `configName:"CF_CLIENT"` CFClientSecret string `configName:"CF_CLIENT_SECRET"` AllowedOrigins []string `configName:"ALLOWED_ORIGINS"` diff --git a/deploy/Dockerfile.all-in-one b/deploy/Dockerfile.all-in-one index 105cdd6c66..dd327d0034 100644 --- a/deploy/Dockerfile.all-in-one +++ b/deploy/Dockerfile.all-in-one @@ -4,7 +4,7 @@ COPY *.json ./ COPY gulpfile.js ./ COPY components ./components COPY build ./build/ -COPY deploy/ci/scripts/generate_cert.sh generate_cert.sh +COPY deploy/tools/generate_cert.sh generate_cert.sh COPY deploy/db deploy/db COPY deploy/all-in-one/config.all-in-one.properties config.properties @@ -16,7 +16,7 @@ RUN npm install -g gulp bower \ && npm run build-cf # Generate dev-certs -RUN DEV_CERTS_PATH=/go/dev-certs ./generate_cert.sh \ +RUN CERTS_PATH=/go/dev-certs ./generate_cert.sh \ && chmod +x portal-proxy EXPOSE 443 diff --git a/deploy/Dockerfile.bk-preflight.dev b/deploy/Dockerfile.bk-preflight.dev index 34bd07f0c5..3d9f1d95d4 100644 --- a/deploy/Dockerfile.bk-preflight.dev +++ b/deploy/Dockerfile.bk-preflight.dev 
@@ -7,7 +7,7 @@ RUN apk update && \ WORKDIR /srv COPY outputs/* /srv/ COPY /deploy/db/scripts/run-preflight-job.sh /run-preflight-job.sh -COPY dev-certs dev-certs +COPY /deploy/tools/generate_cert.sh /generate_cert.sh RUN chmod +x portal-proxy EXPOSE 443 CMD ["sh", "-c", "/run-preflight-job.sh; /srv/portal-proxy"] diff --git a/deploy/Dockerfile.bk.k8s b/deploy/Dockerfile.bk.k8s new file mode 100644 index 0000000000..8b19710fc8 --- /dev/null +++ b/deploy/Dockerfile.bk.k8s @@ -0,0 +1,11 @@ +FROM alpine:latest + +RUN apk update && \ + apk add ca-certificates git &&\ + mkdir -p /srv + +WORKDIR /srv +COPY outputs/* /srv/ +RUN chmod +x portal-proxy +EXPOSE 443 +ENTRYPOINT ["/srv/portal-proxy"] diff --git a/deploy/ci/tasks/build-images/generate-certs.yml b/deploy/ci/tasks/build-images/generate-certs.yml index 8bce9ac033..f386271174 100644 --- a/deploy/ci/tasks/build-images/generate-certs.yml +++ b/deploy/ci/tasks/build-images/generate-certs.yml @@ -17,5 +17,5 @@ run: - | apk update apk add openssl - export DEV_CERTS_PATH=dev-certs-output/dev-certs - ./stratos-ui/deploy/ci/scripts/generate_cert.sh + export CERTS_PATH=dev-certs-output/dev-certs + ./stratos-ui/deploy/tools/generate_cert.sh diff --git a/deploy/ci/tasks/stratos-ui/prep-proxy-image.yml b/deploy/ci/tasks/stratos-ui/prep-proxy-image.yml index b6c06be454..4bf4f2af92 100644 --- a/deploy/ci/tasks/stratos-ui/prep-proxy-image.yml +++ b/deploy/ci/tasks/stratos-ui/prep-proxy-image.yml @@ -21,4 +21,4 @@ run: npm run build-backend cd - cp -r ./stratos-ui/outputs ./portal-proxy-output - sh ./stratos-ui/deploy/ci/scripts/generate_cert.sh + sh ./stratos-ui/deploy/tools/generate_cert.sh diff --git a/deploy/containers/nginx/Dockerfile.k8s b/deploy/containers/nginx/Dockerfile.k8s index 83d87cfc0a..b771dfbc00 100644 --- a/deploy/containers/nginx/Dockerfile.k8s +++ b/deploy/containers/nginx/Dockerfile.k8s 
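Review bot: The new runtime image `deploy/Dockerfile.bk.k8s` is built `FROM alpine:latest` with no tag or digest pin, so every rebuild of `stratos-proxy` silently pulls whatever Alpine is current and the image is not reproducible; pin a specific release tag or an `@sha256:` digest. The image also installs `git`, which nothing in the Dockerfile uses at runtime (only `ca-certificates` is needed for outbound TLS), and declares no `USER`, so `portal-proxy` serves port 443 as root. Drop `git`, and consider an unprivileged user once the binary no longer needs to bind 443 directly (or grant it `CAP_NET_BIND_SERVICE`).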
@@ -4,5 +4,6 @@ RUN mkdir -p /usr/share/doc/suse COPY ./LICENSE.txt /usr/share/doc/suse/LICENSE.txt COPY ./conf/nginx.k8s.conf /etc/nginx/nginx.conf COPY ./dist/ /usr/share/nginx/html +COPY ./run-nginx.sh/ /run-nginx.sh EXPOSE 80 443 -CMD [ "nginx", "-g", "daemon off;" ] +CMD [ "/run-nginx.sh" ] diff --git a/deploy/containers/nginx/conf/nginx.k8s.conf b/deploy/containers/nginx/conf/nginx.k8s.conf index dae83d2349..2d5d8caad8 100644 --- a/deploy/containers/nginx/conf/nginx.k8s.conf +++ b/deploy/containers/nginx/conf/nginx.k8s.conf @@ -47,8 +47,8 @@ http { server { listen 443 ssl; - ssl_certificate /etc/secrets/console-cert; - ssl_certificate_key /etc/secrets/console-cert-key; + ssl_certificate /ENCRYPTION_KEY_VOLUME/console.crt; + ssl_certificate_key /ENCRYPTION_KEY_VOLUME/console.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; diff --git a/deploy/containers/nginx/run-nginx.sh b/deploy/containers/nginx/run-nginx.sh new file mode 100755 index 0000000000..2fc3c9ca4f --- /dev/null +++ b/deploy/containers/nginx/run-nginx.sh @@ -0,0 +1,12 @@ +#!/bin/bash +sed -i -e 's@ENCRYPTION_KEY_VOLUME@'"${ENCRYPTION_KEY_VOLUME}"'@g' /etc/nginx/nginx.conf +echo "Checking if certificate has been written to the encryption volume!" +while : +do + if [ -f /${ENCRYPTION_KEY_VOLUME}/console.crt ]; then + break; + fi + sleep 1; +done +echo "TLS certificate detected continuing, starting nginx." +nginx -g "daemon off;" \ No newline at end of file diff --git a/deploy/db/Dockerfile.preflight-job b/deploy/db/Dockerfile.preflight-job index 4baf37e077..377c0bd054 100644 --- a/deploy/db/Dockerfile.preflight-job +++ b/deploy/db/Dockerfile.preflight-job @@ -1,4 +1,5 @@ FROM debian:jessie RUN export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y openssl COPY /deploy/db/scripts/run-preflight-job.sh /run-preflight-job.sh +COPY /deploy/tools/generate_cert.sh /generate_cert.sh CMD ["/run-preflight-job.sh"] 
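Review bot: `COPY ./run-nginx.sh/ /run-nginx.sh` has a trailing slash on a file source, which reads as a typo for `COPY ./run-nginx.sh /run-nginx.sh`; whether the builder tolerates it depends on the Docker version's path cleaning, so fix it rather than rely on that. The script's `#!/bin/bash` shebang also assumes bash is present in this image, which the `FROM` line (outside the hunk) may not guarantee for a slim nginx base; if it is absent the exec-form `CMD [ "/run-nginx.sh" ]` fails at container start. The script uses only POSIX constructs, so `#!/bin/sh` would remove the dependency.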
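Review bot: The new `ssl_certificate` paths contain the literal placeholder `/ENCRYPTION_KEY_VOLUME/`, so the shipped nginx.conf is only valid after run-nginx.sh rewrites it with `sed` at start-up, and an unset `ENCRYPTION_KEY_VOLUME` silently yields `//console.crt`. A constant mount path in the pod spec removes the runtime rewrite entirely: mount the volume at a fixed location and write `ssl_certificate /etc/console-tls/console.crt;` and `ssl_certificate_key /etc/console-tls/console.key;`. Adjacent and unchanged, `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0/1.1; a hardening pass on this server block should revisit it.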
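Review bot: The readiness loop in run-nginx.sh waits only for `console.crt`, but the preflight job writes `console.crt` first and `console.key` second, so nginx can start in the window between the two writes and exit on a missing key; the loop also never times out, so a failed preflight job leaves the container spinning forever with no failing probe. Wait for both files with a bounded retry, fail loudly when `ENCRYPTION_KEY_VOLUME` is unset (it is interpolated into the `sed` expression unchecked), and `exec` nginx so it receives the kubelet's SIGTERM directly instead of via a bash parent.
```bash
#!/bin/bash
set -eu
: "${ENCRYPTION_KEY_VOLUME:?ENCRYPTION_KEY_VOLUME must be set}"
CERT_DIR="/${ENCRYPTION_KEY_VOLUME}"
sed -i -e 's@ENCRYPTION_KEY_VOLUME@'"${ENCRYPTION_KEY_VOLUME}"'@g' /etc/nginx/nginx.conf
echo "Waiting for TLS certificate and key in ${CERT_DIR}"
tries=0
until [ -f "${CERT_DIR}/console.crt" ] && [ -f "${CERT_DIR}/console.key" ]; do
  tries=$((tries + 1))
  if [ "$tries" -ge 300 ]; then
    echo "Timed out waiting for ${CERT_DIR}/console.crt and console.key" >&2
    exit 1
  fi
  sleep 1
done
echo "TLS certificate and key detected, starting nginx."
exec nginx -g "daemon off;"
```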
diff --git a/deploy/db/scripts/run-preflight-job.sh b/deploy/db/scripts/run-preflight-job.sh index f90c8d8662..12b42ec77c 100755 --- a/deploy/db/scripts/run-preflight-job.sh +++ b/deploy/db/scripts/run-preflight-job.sh @@ -19,4 +19,18 @@ if [ ! -e /$ENCRYPTION_KEY_VOLUME/$ENCRYPTION_KEY_FILENAME ]; then echo "-- Done." fi +# Step 3 - Write out or generate SSL certificate data +if [ "${CONSOLE_CERT:-not-set}" = "not-set" -a "${CONSOLE_CERT_KEY:-not-set}" = "not-set" ]; then + echo "CONSOLE_CERT and CONSOLE_CERT_KEY not set, generating..." + export CERTS_PATH=/$ENCRYPTION_KEY_VOLUME + export DEV_CERTS_DOMAIN=console + /generate_cert.sh + echo "Certificates generated." +else + echo "CONSOLE_CERT and CONSOLE_CERT_KEY have been provided, writing them to the Encryption volume" + echo "$CONSOLE_CERT" > /$ENCRYPTION_KEY_VOLUME/console.crt + echo "$CONSOLE_CERT_KEY" > /$ENCRYPTION_KEY_VOLUME/console.key + echo "Wrote out certificates." +fi + exit 0 diff --git a/deploy/kubernetes/README.md b/deploy/kubernetes/README.md index 9397345036..c8a69956f8 100644 --- a/deploy/kubernetes/README.md +++ b/deploy/kubernetes/README.md 
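Review bot: `echo "$CONSOLE_CERT_KEY" > /$ENCRYPTION_KEY_VOLUME/console.key` creates the private key with the process umask (typically 0644), so the key lands world-readable on a PVC that other containers in the release also mount; write it under `umask 077`, assuming the consuming containers run as the same uid or as root — worth confirming. The `-a` test also means that when only one of `CONSOLE_CERT`/`CONSOLE_CERT_KEY` is set, the else branch writes a certificate alongside an empty key file (or vice versa), and nginx and the proxy then fail at start-up with a less obvious error; reject the half-configured case explicitly. The mode of the files produced by `/generate_cert.sh` in the other branch is outside this hunk and deserves the same treatment.
```sh
# Step 3 - Write out or generate SSL certificate data
if [ -z "${CONSOLE_CERT:-}" ] && [ -z "${CONSOLE_CERT_KEY:-}" ]; then
  # … unchanged: self-signed generation via /generate_cert.sh …
elif [ -z "${CONSOLE_CERT:-}" ] || [ -z "${CONSOLE_CERT_KEY:-}" ]; then
  echo "CONSOLE_CERT and CONSOLE_CERT_KEY must both be set (or both unset); refusing to write a partial TLS configuration" >&2
  exit 1
else
  echo "CONSOLE_CERT and CONSOLE_CERT_KEY have been provided, writing them to the Encryption volume"
  printf '%s\n' "$CONSOLE_CERT" > "/$ENCRYPTION_KEY_VOLUME/console.crt"
  (umask 077 && printf '%s\n' "$CONSOLE_CERT_KEY" > "/$ENCRYPTION_KEY_VOLUME/console.key")
  echo "Wrote out certificates."
fi
```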
@@ -192,3 +192,24 @@ kubectl create -f storageclass.yaml ``` See [Storage Class documentation] ( https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/) for more insformation. + +## Deploying Stratos UI with your own TLS certificates + +By default the console will generate self-signed certificates for demo purposes. To configure Stratos UI to use your provided TLS certificates set the `consoleCert` and `consoleCertKey` overrides. + +``` +consoleCert: | + -----BEGIN CERTIFICATE----- + MIIDXTCCAkWgAwIBAgIJAJooOiQWl1v1MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV + ... + -----END CERTIFICATE----- +consoleCertKey: | + -----BEGIN PRIVATE KEY----- + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDV9+ySh0xZzM41 + .... + -----END PRIVATE KEY----- +``` +Assuming the above is stored in a file called `override-ssl.yaml`, install the chart with the override specified. +``` +helm install -f override-ssl.yaml stratos-ui/console --namespace console +``` \ No newline at end of file diff --git a/deploy/kubernetes/build.sh b/deploy/kubernetes/build.sh index 1a126741e8..11c3f2440f 100755 --- a/deploy/kubernetes/build.sh +++ b/deploy/kubernetes/build.sh @@ -191,7 +191,7 @@ function buildProxy { # publish the container image for the portal proxy echo echo "-- Build & publish the runtime container image for the Console Proxy" - buildAndPublishImage stratos-proxy deploy/Dockerfile.bk.dev ${STRATOS_UI_PATH} + buildAndPublishImage stratos-proxy deploy/Dockerfile.bk.k8s ${STRATOS_UI_PATH} # Build merged preflight & proxy image, used when deploying into multi-node k8s cluster without a shared storage backend buildAndPublishImage stratos-proxy-noshared deploy/Dockerfile.bk-preflight.dev ${STRATOS_UI_PATH} } diff --git a/deploy/kubernetes/console/ssl/console.crt b/deploy/kubernetes/console/ssl/console.crt deleted file mode 100644 index 32c31d8fb4..0000000000 --- a/deploy/kubernetes/console/ssl/console.crt +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFfzCCBGegAwIBAgIUXGVzSL3vrRYn4pH+OGQ1Q0p6gn0wDQYJKoZIhvcNAQEL -BQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH -EwdTZWF0dGxlMSMwIQYDVQQKExpIZXdsZXR0IFBhY2thcmQgRW50ZXJwcmlzZTES -MBAGA1UECxMJSFBFIENsb3VkMRkwFwYDVQQDExBIQ1AgQm9vdHN0cmFwIENBMB4X -DTE3MDQwNTEyMjkwMFoXDTE4MDQwNTEyMjkwMFowgYExCzAJBgNVBAYTAlVTMRMw -EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMSMwIQYDVQQKExpI -ZXdsZXR0IFBhY2thcmQgRW50ZXJwcmlzZTESMBAGA1UECxMJSFBFIENsb3VkMRIw -EAYDVQQDEwkqLmhzYy5zdmMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -AQCuDMxMCWF6vUxzkXhy3fyg/sSDdQTn/W8rVavbPymJqSLoLQCoIZ1MVsFmDXeZ -Wnd896KRweglG2el/CD+Cs+JdHIwVtlw3xpD1bMdjkfNHhIeZTw6j9A9bvoDEjzP -vx3kIFarjBTcy5CZIzZjYdUI/8g81dybvktfYk7TH1j4jnFvzM5Aj4P43A+QXvJU -VrOrL5f1QlqGczyet1lrTRj1Lpa1tolAQ1ql/lYeLAqgS0CdtCQUekMoObhUfhxl -UC1Kdbsn5ziv63yRcUBxEtw2+2dPt0FBWPCyHq6HaAUy4Dq9C6DXYI39cDmnpjQ6 -RI7RowyuJDn0RTUCpczhSav5AgMBAAGjggHkMIIB4DAOBgNVHQ8BAf8EBAMCBaAw -HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFJfP8VkZ2TIB8EvINyZgkjWZQUBHMB8GA1UdIwQYMBaAFMMJYx4SgR2R -aRyfh+0rTx4dLcQYMIIBXwYDVR0RBIIBVjCCAVKCCSouaHNjLnN2Y4IVKi5oc2Mu -c3ZjLmNsdXN0ZXIuaGNwggtoc2MtY29uc29sZYITaHNjLWNvbnNvbGUuaHNjLnN2 -Y4IfaHNjLWNvbnNvbGUuaHNjLnN2Yy5jbHVzdGVyLmhjcIINKi5oc2MtY29uc29s -ZYIVKi5oc2MtY29uc29sZS5oc2Muc3ZjgiEqLmhzYy1jb25zb2xlLmhzYy5zdmMu -Y2x1c3Rlci5oY3CCD2hzYy1jb25zb2xlLWludIIXaHNjLWNvbnNvbGUtaW50Lmhz -Yy5zdmOCI2hzYy1jb25zb2xlLWludC5oc2Muc3ZjLmNsdXN0ZXIuaGNwghEqLmhz -Yy1jb25zb2xlLWludIIZKi5oc2MtY29uc29sZS1pbnQuaHNjLnN2Y4IlKi5oc2Mt -Y29uc29sZS1pbnQuaHNjLnN2Yy5jbHVzdGVyLmhjcDANBgkqhkiG9w0BAQsFAAOC -AQEAxt0AIiN26mdTYB8LjG0O/Q22ZMCqnPsu7HGUOVk0g59KW9PU60+8jyre/Lfc -CH09DOnTVPrlmghAqn6o2qAS+vZKHIK+50OvIKO/6SwfvmJlk1H0xAPqm/SWttHq -QIzIQxqzGA+6rqoRW5Kmqdy7xmvh5fY6spVJ0UyITe9zNZeDmB2EWJ7Gq/E/xncz -mlBFR39WXp6Ptr+Tu8ZhUfSzCpGJwElhrAD68EoJ7S1r7n2whZlUACRNAW5kwXYa -gHbKmrIDMdK9t0SksP1MBfNN09/etVUPEFebfz6uNimfpjEq+FHmve/EyrSv/ahm -IWEU0Hvz1P9whtWVZSs7t44/rg== ------END 
CERTIFICATE----- \ No newline at end of file diff --git a/deploy/kubernetes/console/ssl/console.key b/deploy/kubernetes/console/ssl/console.key deleted file mode 100644 index bdf3c4d28e..0000000000 --- a/deploy/kubernetes/console/ssl/console.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArgzMTAlher1Mc5F4ct38oP7Eg3UE5/1vK1Wr2z8piaki6C0A -qCGdTFbBZg13mVp3fPeikcHoJRtnpfwg/grPiXRyMFbZcN8aQ9WzHY5HzR4SHmU8 -Oo/QPW76AxI8z78d5CBWq4wU3MuQmSM2Y2HVCP/IPNXcm75LX2JO0x9Y+I5xb8zO -QI+D+NwPkF7yVFazqy+X9UJahnM8nrdZa00Y9S6WtbaJQENapf5WHiwKoEtAnbQk -FHpDKDm4VH4cZVAtSnW7J+c4r+t8kXFAcRLcNvtnT7dBQVjwsh6uh2gFMuA6vQug -12CN/XA5p6Y0OkSO0aMMriQ59EU1AqXM4Umr+QIDAQABAoIBAGjm9ctua/5aUdXl -+77f5P/0DeVdhlN9AKARxr8iVprOAmgFl7u+Ztw3/eDQhSE80X/UkXtgb9bNqa71 -Q71aLrQeJyTTc8L/9QilqItL0iLi2PDQ+3ggbdZZKP7o4xYjjpSMmTBUAc8CMmja -PFGyCYCfCcUA8TI9g5g93FyLLEjCMuO2+vmddYmT1ppN+tj2UyI8kapd4dwOw7M8 -uAs3ixmt2PbUSnS2TdVn+WDC7ZeHwguVwVdX+J4sPyYQJvzL7Lzmo1W3diP8gTdE -316pD+8K7oIN8xKgoDUB0iLaKxJ5KmAWHCMR5XFH59Ht0zPjUJb6bC/5Oic8dvxu -8vI+zHECgYEAxzEbs7yMoi3tG42nVh4PYea5xEYUgALCHx0NW9BfFKA6fU4zRFna -ZTlDLX+blZcHlwZo+GpjrVvh+FItc2RKn62hDTfSzbr+EgHTDXALL64+1i2yLhPz -echMoPSjfRNNBtrlWuIigfqtzV8mS070ravbirv4acntVtsZps5vTj8CgYEA37AY -8Bmdu1qEj0gjV9TL65jboZsd6KgIiGDeDQEmpV03lpz1xHCbLtkvg4Ec0hZsyzFc -j0HquM7GJumdLmCIbwr1zxEC15unXJbjm1NPY5VKivuFB1orTGnLXsNY7zgY/b7x -Bhlx8YwzNh2wOZVvbQt5Cnjw7QQP90uEeq6X58cCgYBAio3yUA61YfIo8l4dDkJn -s23PxfFQhRRHJo+0hzC3qy8oeNUtuXuFPuegb2+HKdegvMf4beh8PIBciKwHbqCr -WoQLl2HrnUJDrWmoOfy151ye41GPkpFajWce5AWxOjbEGNsl9o291e7I06LB1gR7 -3WqWak+UX4RSl02Zedwg2wKBgH63fYkWmdo2zv10OkFZVSPj9he4jdrsxdisN15a -lo/7HLB/vmJIAEEr29S9YZxKA9uf3PVyvAtxZ6NHmDlbii6NoO5qjpehn8+90rZ9 -HW4mdpIBJj0iAYFKNWE7fLgXqWCluFhiNcBGUgSIEPquAu9dHnamSKWcNYc8CpKN -MZSlAoGBAMbYWMoKTjSdixCmLJ5MeHTwXvy62LRxvpsKIU2j9ArLytPE57fDwOur -4eySa/9LklGjU0X1z5bZeQgu+do4ch8iXFNyx/AalgZRnFQnt9bVob2MXiR3DCNF -JAZa5VoIJHwjtOcIrT0UI0LN7qQ54GadxfbkLNizgTXwZwEx/bl5 ------END RSA PRIVATE KEY----- \ No newline at end of file diff --git a/deploy/kubernetes/console/templates/deployment.yaml b/deploy/kubernetes/console/templates/deployment.yaml index d6d88e97d3..df79a695d4 100644 --- a/deploy/kubernetes/console/templates/deployment.yaml 
+++ b/deploy/kubernetes/console/templates/deployment.yaml @@ -9,9 +9,6 @@ metadata: data: stolon: {{ .Values.dbPassword | b64enc }} db-password: {{ .Values.mariadb.mariadbPassword | b64enc }} - console-cert-key: {{ .Files.Get "ssl/console.key" | b64enc }} - console-cert: {{ .Files.Get "ssl/console.crt" | b64enc }} - --- apiVersion: apps/v1beta1 kind: StatefulSet @@ -29,10 +26,16 @@ spec: containers: - image: {{.Values.dockerRegistry}}/{{.Values.dockerOrg}}/{{.Values.images.console}}:{{.Values.consoleVersion}} name: ui + env: + - name: ENCRYPTION_KEY_VOLUME + value: "{{ .Release.Name }}-encryption-key-volume" volumeMounts: - mountPath: /etc/secrets/ name: "{{ .Release.Name }}-secret" readOnly: true + - mountPath: "/{{ .Release.Name }}-encryption-key-volume" + name: "{{ .Release.Name }}-encryption-key-volume" + readOnly: true ports: - containerPort: 80 name: http @@ -136,6 +139,22 @@ spec: value: "{{ .Release.Name }}-encryption-key-volume" - name: ENCRYPTION_KEY_FILENAME value: key + {{- if .Values.noShared }} + {{- if .Values.consoleCert }} + - name: CONSOLE_CERT + value: | +{{ .Values.consoleCert | indent 12 }} + {{- end }} + {{- if .Values.consoleCertKey }} + - name: CONSOLE_CERT_KEY + value: | +{{ .Values.consoleCertKey | indent 12 }} + {{- end }} + {{- end }} + - name: CONSOLE_PROXY_CERT_PATH + value: "/{{ .Release.Name }}-encryption-key-volume/console.crt" + - name: CONSOLE_PROXY_CERT_KEY_PATH + value: "/{{ .Release.Name }}-encryption-key-volume/console.key" - name: HTTP_PROXY {{- if .Values.httpProxy }} value: {{.Values.httpProxy}} @@ -178,3 +197,9 @@ spec: - name: "{{ .Release.Name }}-secret" secret: secretName: "{{ .Release.Name }}-secret" + - name: "{{ .Release.Name }}-encryption-key-volume" + persistentVolumeClaim: + claimName: "{{ .Release.Name }}-encryption-key-volume" + - name: "{{ .Release.Name }}-secret" + secret: + secretName: "{{ .Release.Name }}-secret" 
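Review bot: The `ui` container now mounts the whole `{{ .Release.Name }}-encryption-key-volume` PVC, which is the same volume where the preflight job stores the database encryption key (`ENCRYPTION_KEY_FILENAME` = `key`), so the nginx container gains read access to that key although it only needs `console.crt`/`console.key`; `readOnly: true` limits writes, not exposure. Either keep the TLS material in a separate volume or Secret, or mount only the two files with `subPath: console.crt` / `subPath: console.key` so the encryption key stays out of the UI container. The removed `.Files.Get "ssl/console.key"` entry took a committed private key out of the chart, but that key remains in git history; if it was ever deployed it should be treated as compromised and rotated.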
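Review bot: `CONSOLE_CERT_KEY` is injected into the proxy container as a literal `value:` rendered from `.Values.consoleCertKey`, so the TLS private key ends up in plain text in the workload spec and every pod spec, readable by anyone with `get pods` in the namespace, shown by `kubectl describe`, and stored in Helm's release records. Put the key in a Secret (the chart already creates `{{ .Release.Name }}-secret`) and reference it with `valueFrom: { secretKeyRef: { name: "{{ .Release.Name }}-secret", key: console-cert-key } }`, or mount the Secret as files and point `CONSOLE_PROXY_CERT_KEY_PATH` at that mount. The `noShared` gating limits this to the merged preflight+proxy image, but the exposure is the same there. Note that `CONSOLE_PROXY_CERT_PATH`/`CONSOLE_PROXY_CERT_KEY_PATH` are set unconditionally, so when `noShared` is false the proxy depends on the pre-install job having written both files to the PVC before it starts.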
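Review bot: The added volume `- name: "{{ .Release.Name }}-secret"` duplicates the `{{ .Release.Name }}-secret` entry already present in the context lines directly above it, and the API server rejects a pod template with two volumes of the same name (`spec.volumes[...].name: Duplicate value`), so the rendered object fails validation on install; drop the three added secret lines and keep only the new `persistentVolumeClaim` volume. Since this pod template and the pre-install Job both claim `{{ .Release.Name }}-encryption-key-volume`, the default path assumes a storage class that allows the claim to be shared across pods — worth stating in the chart README next to the `noShared` switch.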
diff --git a/deploy/kubernetes/console/templates/pre-install.yaml b/deploy/kubernetes/console/templates/pre-install.yaml index 38c1270740..84a1ce1e8b 100644 --- a/deploy/kubernetes/console/templates/pre-install.yaml +++ b/deploy/kubernetes/console/templates/pre-install.yaml @@ -67,8 +67,20 @@ spec: value: upgrade.lock - name: ENCRYPTION_KEY_VOLUME value: "{{ .Release.Name }}-encryption-key-volume" + - name: CERTS_PATH + value: "{{ .Release.Name }}-encryption-key-volume" - name: ENCRYPTION_KEY_FILENAME value: key + {{- if .Values.consoleCert }} + - name: CONSOLE_CERT + value: | +{{ .Values.consoleCert | indent 12 }} + {{- end }} + {{- if .Values.consoleCertKey }} + - name: CONSOLE_CERT_KEY + value: | +{{ .Values.consoleCertKey | indent 12 }} + {{- end }} image: {{.Values.dockerRegistry}}/{{.Values.dockerOrg}}/{{.Values.images.preflight}}:{{.Values.consoleVersion}} name: "{{ .Release.Name }}-preflight-job" volumeMounts: diff --git a/deploy/kubernetes/console/values.yaml b/deploy/kubernetes/console/values.yaml index 14ccd1c243..1e3cdb2619 100644 --- a/deploy/kubernetes/console/values.yaml +++ b/deploy/kubernetes/console/values.yaml @@ -23,6 +23,16 @@ images: postflight: stratos-postflight-job # Specify which storage class should be used for PVCs #storageClass: default +#consoleCert: | +# -----BEGIN CERTIFICATE----- +# MIIDXTCCAkWgAwIBAgIJAJooOiQWl1v1MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV +# ... +# -----END CERTIFICATE----- +#consoleCertKey: | +# -----BEGIN PRIVATE KEY----- +# MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkdgEAAoIBAQDV9+ySh0xZzM41 +# ... +# -----END PRIVATE KEYE----- # MariaDB chart configuration mariadb: # Only required for creating the databases diff --git a/deploy/ci/scripts/generate_cert.sh b/deploy/tools/generate_cert.sh similarity index 68% rename from deploy/ci/scripts/generate_cert.sh rename to deploy/tools/generate_cert.sh index 36d3d8aa02..a49e328354 100755 --- a/deploy/ci/scripts/generate_cert.sh +++ b/deploy/tools/generate_cert.sh 
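Review bot: `CERTS_PATH` is set here to `"{{ .Release.Name }}-encryption-key-volume"` without the leading slash that the `ENCRYPTION_KEY_VOLUME` paths get in run-preflight-job.sh, and that script then does `export CERTS_PATH=/$ENCRYPTION_KEY_VOLUME` anyway, so this env entry is dead and misleading; drop it, or set it to `"/{{ .Release.Name }}-encryption-key-volume"` and let the script honour it instead of overriding. As in deployment.yaml, `CONSOLE_CERT_KEY` is rendered as a plain `value:` into the Job spec, exposing the private key to anyone who can read Jobs or Pods in the namespace; prefer a Secret referenced via `valueFrom.secretKeyRef`.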
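Review bot: The commented example in values.yaml ends with `# -----END PRIVATE KEYE-----`, a typo for `# -----END PRIVATE KEY-----`; users are expected to uncomment and paste over this block, and a stray footer is an easy way to produce a key that the preflight job writes verbatim and nginx then rejects. The sample base64 line also differs from the README's (`...SkdgEA...` here, `...SkAgEA...` there), so the two examples should be made identical to avoid confusion about which is the template.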
@@ -1,14 +1,14 @@ #!/bin/sh # Settings -devcerts_path=${DEV_CERTS_PATH:-portal-proxy-output/dev-certs} -domain=pproxy -commonname=192.168.99.100 -country=US -state=Washington -locality=Seattle +devcerts_path=${CERTS_PATH:-portal-proxy-output/dev-certs} +domain=${DEV_CERTS_DOMAIN:-pproxy} +commonname=127.0.0.1 +country=UK +state=Bristol +locality=Bristol organization=SUSE -organizationalunit=HDP +organizationalunit=CAP email=SUSE # Generate a key and cert
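Review bot: `domain` is now configurable via `DEV_CERTS_DOMAIN` (the preflight job sets it to `console`), but `commonname` stays hard-coded to `127.0.0.1`, so the generated certificate's subject never reflects the name the caller asked for; derive it from the domain, `commonname=${DEV_CERTS_COMMON_NAME:-$domain}`, or document what `domain` alone controls in the generation step below (outside the hunk). Since the k8s chart now falls back to this script whenever `consoleCert` is unset, a header comment such as `# Generates a self-signed, development-only certificate; never use the output for a production deployment.` would make the trust implications explicit. Whether the `openssl` invocation adds a `subjectAltName` cannot be seen from here; without one, modern clients ignore the CN entirely, which is worth checking.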