From 492c392b15d7fab84a6f6bc9f1d90964183c7f38 Mon Sep 17 00:00:00 2001 From: Irfan Habib Date: Thu, 3 Aug 2017 13:15:42 +0100 Subject: [PATCH 1/7] SSL certs handling --- components/app-core/backend/main.go | 19 +++++++++++--- .../backend/repository/interfaces/structs.go | 2 ++ deploy/Dockerfile.all-in-one | 4 +-- deploy/Dockerfile.bk-preflight.dev | 2 +- deploy/Dockerfile.bk.k8s | 11 ++++++++ .../ci/tasks/build-images/generate-certs.yml | 4 +-- .../ci/tasks/stratos-ui/prep-proxy-image.yml | 2 +- deploy/containers/nginx/Dockerfile.k8s | 3 ++- deploy/containers/nginx/conf/nginx.k8s.conf | 4 +-- deploy/containers/nginx/run-nginx.sh | 12 +++++++++ deploy/db/Dockerfile.preflight-job | 1 + deploy/db/scripts/run-preflight-job.sh | 14 +++++++++++ deploy/kubernetes/build.sh | 2 +- .../console/templates/deployment.yaml | 25 ++++++++++++++++--- .../console/templates/pre-install.yaml | 12 +++++++++ deploy/{ci/scripts => tools}/generate_cert.sh | 18 +++++++------ 16 files changed, 110 insertions(+), 25 deletions(-) create mode 100644 deploy/Dockerfile.bk.k8s create mode 100755 deploy/containers/nginx/run-nginx.sh rename deploy/{ci/scripts => tools}/generate_cert.sh (59%) diff --git a/components/app-core/backend/main.go b/components/app-core/backend/main.go index 8eba804a49..fce71c3878 100644 --- a/components/app-core/backend/main.go +++ b/components/app-core/backend/main.go @@ -259,7 +259,7 @@ func initConnPool(dc datastore.DatabaseConfig) (*sql.DB, error) { // If our timeout boundary has been exceeded, bail out if timeout.Sub(time.Now()) < 0 { - return nil, fmt.Errorf("Timeout boundary of %d minutes has been exceeded. Exiting.", TimeoutBoundary) + return nil, fmt.Errorf("timeout boundary of %d minutes has been exceeded. Exiting", TimeoutBoundary) } // Circle back and try again 
@@ -330,8 +330,8 @@ func loadDatabaseConfig(dc datastore.DatabaseConfig) (datastore.DatabaseConfig, return dc, nil } -func createTempCertFiles(pc interfaces.PortalConfig) (string, string, error) { - log.Debug("createTempCertFiles") +func detectTLSCert(pc interfaces.PortalConfig) (string, string, error) { + log.Debug("detectTLSCert") certFilename := "pproxy.crt" certKeyFilename := "pproxy.key" @@ -345,6 +345,17 @@ func createTempCertFiles(pc interfaces.PortalConfig) (string, string, error) { return devCertsDir + certFilename, devCertsDir + certKeyFilename, nil } + // Check if certificate have been provided as files (as is the case in kubernetes) + if pc.TLSCertPath != "" && pc.TLSCertKeyPath != "" { + log.Infof("Using TLS cert: %s, %s", pc.TLSCertPath, pc.TLSCertKeyPath) + _, errCertMissing := os.Stat(pc.TLSCertPath) + _, errCertKeyMissing := os.Stat(pc.TLSCertKeyPath) + if errCertMissing != nil || errCertKeyMissing != nil { + return "", "", fmt.Errorf("unable to find certificate %s or certificate key %s", pc.TLSCertPath, pc.TLSCertKeyPath) + } + return pc.TLSCertPath, pc.TLSCertKeyPath, nil + } + err := ioutil.WriteFile(certFilename, []byte(pc.TLSCert), 0600) if err != nil { return "", "", err @@ -426,7 +437,7 @@ func start(config interfaces.PortalConfig, p *portalProxy, addSetupMiddleware *s } if config.HTTPS { - certFile, certKeyFile, err := createTempCertFiles(config) + certFile, certKeyFile, err := detectTLSCert(config) if err != nil { return err } diff --git a/components/app-core/backend/repository/interfaces/structs.go b/components/app-core/backend/repository/interfaces/structs.go index 62ce711d3a..703448e8ce 100644 --- a/components/app-core/backend/repository/interfaces/structs.go +++ b/components/app-core/backend/repository/interfaces/structs.go 
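Review bot: In the file-path branch added to detectTLSCert (hunk @@ -345), setting only one of pc.TLSCertPath / pc.TLSCertKeyPath is silently ignored — the `&&` condition fails and control falls through to writing pproxy.crt/pproxy.key from the inline TLSCert/TLSCertKey values, which may well be empty in such a deployment, so the misconfiguration only surfaces as a TLS failure later. Reject the half-configured case before the existence check: `if (pc.TLSCertPath != "") != (pc.TLSCertKeyPath != "") { return "", "", fmt.Errorf("CONSOLE_PROXY_CERT_PATH and CONSOLE_PROXY_CERT_KEY_PATH must be set together") }`. The two os.Stat errors are discarded, so a permission problem on the mounted volume is reported as "unable to find"; fold them into the returned message with `%v` so operators see the real cause. The renamed function still has no doc comment; something like `// detectTLSCert returns the certificate and key file paths to serve with: the dev-certs copy if present, else the files named by TLSCertPath/TLSCertKeyPath, else temporary files written from the inline TLSCert/TLSCertKey.` would help. detectTLSCert starts before and ends after this hunk.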
@@ -86,6 +86,8 @@ type PortalConfig struct { TLSAddress string `configName:"CONSOLE_PROXY_TLS_ADDRESS"` TLSCert string `configName:"CONSOLE_PROXY_CERT"` TLSCertKey string `configName:"CONSOLE_PROXY_CERT_KEY"` + TLSCertPath string `configName:"CONSOLE_PROXY_CERT_PATH"` + TLSCertKeyPath string `configName:"CONSOLE_PROXY_CERT_KEY_PATH"` CFClient string `configName:"CF_CLIENT"` CFClientSecret string `configName:"CF_CLIENT_SECRET"` AllowedOrigins []string `configName:"ALLOWED_ORIGINS"` diff --git a/deploy/Dockerfile.all-in-one b/deploy/Dockerfile.all-in-one index 105cdd6c66..dd327d0034 100644 --- a/deploy/Dockerfile.all-in-one +++ b/deploy/Dockerfile.all-in-one @@ -4,7 +4,7 @@ COPY *.json ./ COPY gulpfile.js ./ COPY components ./components COPY build ./build/ -COPY deploy/ci/scripts/generate_cert.sh generate_cert.sh +COPY deploy/tools/generate_cert.sh generate_cert.sh COPY deploy/db deploy/db COPY deploy/all-in-one/config.all-in-one.properties config.properties @@ -16,7 +16,7 @@ RUN npm install -g gulp bower \ && npm run build-cf # Generate dev-certs -RUN DEV_CERTS_PATH=/go/dev-certs ./generate_cert.sh \ +RUN CERTS_PATH=/go/dev-certs ./generate_cert.sh \ && chmod +x portal-proxy EXPOSE 443 diff --git a/deploy/Dockerfile.bk-preflight.dev b/deploy/Dockerfile.bk-preflight.dev index 34bd07f0c5..3d9f1d95d4 100644 --- a/deploy/Dockerfile.bk-preflight.dev +++ b/deploy/Dockerfile.bk-preflight.dev @@ -7,7 +7,7 @@ RUN apk update && \ WORKDIR /srv COPY outputs/* /srv/ COPY /deploy/db/scripts/run-preflight-job.sh /run-preflight-job.sh -COPY dev-certs dev-certs +COPY /deploy/tools/generate_cert.sh /generate_cert.sh RUN chmod +x portal-proxy EXPOSE 443 CMD ["sh", "-c", "/run-preflight-job.sh; /srv/portal-proxy"] diff --git a/deploy/Dockerfile.bk.k8s b/deploy/Dockerfile.bk.k8s new file mode 100644 index 0000000000..8b19710fc8 --- /dev/null +++ b/deploy/Dockerfile.bk.k8s 
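Review bot: The two new PortalConfig fields carry only their configName tags, and nothing says how they relate to the existing inline `TLSCert`/`TLSCertKey`, so a maintainer seeing four certificate settings cannot tell which one wins. Add a comment above them, e.g. `// Paths to PEM files; when both are set, detectTLSCert uses them instead of writing TLSCert/TLSCertKey to temporary files.`, which matches the main.go change in this patch. The PortalConfig struct continues outside the hunk.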
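Review bot: This image now copies generate_cert.sh in place of the pre-built dev-certs, and its CMD runs /run-preflight-job.sh, which in this series calls that script, so the image must have openssl installed; the `RUN apk update && \` line is only visible as hunk context here, so I cannot confirm it does, whereas Dockerfile.preflight-job installs openssl explicitly. If it is missing, the job fails at certificate generation and the proxy is then started without certificates; add `openssl` to the apk add list of this Dockerfile.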
@@ -0,0 +1,11 @@ +FROM alpine:latest + +RUN apk update && \ + apk add ca-certificates git &&\ + mkdir -p /srv + +WORKDIR /srv +COPY outputs/* /srv/ +RUN chmod +x portal-proxy +EXPOSE 443 +ENTRYPOINT ["/srv/portal-proxy"] diff --git a/deploy/ci/tasks/build-images/generate-certs.yml b/deploy/ci/tasks/build-images/generate-certs.yml index 8bce9ac033..f386271174 100644 --- a/deploy/ci/tasks/build-images/generate-certs.yml +++ b/deploy/ci/tasks/build-images/generate-certs.yml @@ -17,5 +17,5 @@ run: - | apk update apk add openssl - export DEV_CERTS_PATH=dev-certs-output/dev-certs - ./stratos-ui/deploy/ci/scripts/generate_cert.sh + export CERTS_PATH=dev-certs-output/dev-certs + ./stratos-ui/deploy/tools/generate_cert.sh diff --git a/deploy/ci/tasks/stratos-ui/prep-proxy-image.yml b/deploy/ci/tasks/stratos-ui/prep-proxy-image.yml index 44274d3603..82ba302435 100644 --- a/deploy/ci/tasks/stratos-ui/prep-proxy-image.yml +++ b/deploy/ci/tasks/stratos-ui/prep-proxy-image.yml @@ -21,4 +21,4 @@ run: npm run build-backend cd - cp -r ./stratos-ui/outputs ./portal-proxy-output - sh ./stratos-ui/deploy/ci/scripts/generate_cert.sh + sh ./stratos-ui/deploy/tools/generate_cert.sh diff --git a/deploy/containers/nginx/Dockerfile.k8s b/deploy/containers/nginx/Dockerfile.k8s index 83d87cfc0a..b771dfbc00 100644 --- a/deploy/containers/nginx/Dockerfile.k8s +++ b/deploy/containers/nginx/Dockerfile.k8s @@ -4,5 +4,6 @@ RUN mkdir -p /usr/share/doc/suse COPY ./LICENSE.txt /usr/share/doc/suse/LICENSE.txt COPY ./conf/nginx.k8s.conf /etc/nginx/nginx.conf COPY ./dist/ /usr/share/nginx/html +COPY ./run-nginx.sh/ /run-nginx.sh EXPOSE 80 443 -CMD [ "nginx", "-g", "daemon off;" ] +CMD [ "/run-nginx.sh" ] diff --git a/deploy/containers/nginx/conf/nginx.k8s.conf b/deploy/containers/nginx/conf/nginx.k8s.conf index dae83d2349..2d5d8caad8 100644 --- a/deploy/containers/nginx/conf/nginx.k8s.conf +++ b/deploy/containers/nginx/conf/nginx.k8s.conf 
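Review bot: The new runtime image pins nothing (`FROM alpine:latest`) and installs `git`, which nothing in this Dockerfile uses — the entrypoint is the prebuilt `/srv/portal-proxy` — so every rebuild may pick up a different base and the production container ships a VCS client it does not appear to need (unless the proxy shells out to git at runtime, which nothing here shows). Pin the base to a specific Alpine release or digest and trim the install to `RUN apk add --no-cache ca-certificates && mkdir -p /srv`, which also drops the apk index cache that `apk update` leaves in the layer.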
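Review bot: `COPY ./run-nginx.sh/ /run-nginx.sh` has a trailing slash on a file source, which reads like a typo — `COPY ./run-nginx.sh /run-nginx.sh`. The script being copied starts with `#!/bin/bash`, and this image's base is outside the hunk; if it is a minimal image without bash, the new exec-form CMD fails at startup, and since the script uses only POSIX constructs it could take `#!/bin/sh` instead. The exec-form CMD also relies on the file being executable, which the patch does provide via its 100755 mode.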
@@ -47,8 +47,8 @@ http { server { listen 443 ssl; - ssl_certificate /etc/secrets/console-cert; - ssl_certificate_key /etc/secrets/console-cert-key; + ssl_certificate /ENCRYPTION_KEY_VOLUME/console.crt; + ssl_certificate_key /ENCRYPTION_KEY_VOLUME/console.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers HIGH:!aNULL:!MD5; diff --git a/deploy/containers/nginx/run-nginx.sh b/deploy/containers/nginx/run-nginx.sh new file mode 100755 index 0000000000..2fc3c9ca4f --- /dev/null +++ b/deploy/containers/nginx/run-nginx.sh @@ -0,0 +1,12 @@ +#!/bin/bash +sed -i -e 's@ENCRYPTION_KEY_VOLUME@'"${ENCRYPTION_KEY_VOLUME}"'@g' /etc/nginx/nginx.conf +echo "Checking if certificate has been written to the encryption volume!" +while : +do + if [ -f /${ENCRYPTION_KEY_VOLUME}/console.crt ]; then + break; + fi + sleep 1; +done +echo "TLS certificate detected continuing, starting nginx." +nginx -g "daemon off;" \ No newline at end of file diff --git a/deploy/db/Dockerfile.preflight-job b/deploy/db/Dockerfile.preflight-job index 4baf37e077..377c0bd054 100644 --- a/deploy/db/Dockerfile.preflight-job +++ b/deploy/db/Dockerfile.preflight-job @@ -1,4 +1,5 @@ FROM debian:jessie RUN export DEBIAN_FRONTEND=noninteractive && apt-get update && apt-get install -y openssl COPY /deploy/db/scripts/run-preflight-job.sh /run-preflight-job.sh +COPY /deploy/tools/generate_cert.sh /generate_cert.sh CMD ["/run-preflight-job.sh"] diff --git a/deploy/db/scripts/run-preflight-job.sh b/deploy/db/scripts/run-preflight-job.sh index f90c8d8662..12b42ec77c 100755 --- a/deploy/db/scripts/run-preflight-job.sh +++ b/deploy/db/scripts/run-preflight-job.sh 
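Review bot: The readiness loop in run-nginx.sh waits only for `console.crt`, but nginx also needs `console.key`, and the provided-certificate branch of run-preflight-job.sh in this same series writes the .crt before the .key, so nginx can start in the gap and fail on the missing key file. Test both files: `if [ -f "/${ENCRYPTION_KEY_VOLUME}/console.crt" ] && [ -f "/${ENCRYPTION_KEY_VOLUME}/console.key" ]; then`. If ENCRYPTION_KEY_VOLUME is unset, the sed leaves nginx pointing at `//console.crt` and the loop waits forever without a message; fail fast with `: "${ENCRYPTION_KEY_VOLUME:?must be set}"` at the top of the script. The loop also has no upper bound, so a certificate that never arrives looks like a hung container rather than an error; logging each retry, or bounding the wait, would make that visible.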
@@ -19,4 +19,18 @@ if [ ! -e /$ENCRYPTION_KEY_VOLUME/$ENCRYPTION_KEY_FILENAME ]; then echo "-- Done." fi +# Step 3 - Write out or generate SSL certificate data +if [ "${CONSOLE_CERT:-not-set}" = "not-set" -a "${CONSOLE_CERT_KEY:-not-set}" = "not-set" ]; then + echo "CONSOLE_CERT and CONSOLE_CERT_KEY not set, generating..." + export CERTS_PATH=/$ENCRYPTION_KEY_VOLUME + export DEV_CERTS_DOMAIN=console + /generate_cert.sh + echo "Certificates generated." +else + echo "CONSOLE_CERT and CONSOLE_CERT_KEY have been provided, writing them to the Encryption volume" + echo "$CONSOLE_CERT" > /$ENCRYPTION_KEY_VOLUME/console.crt + echo "$CONSOLE_CERT_KEY" > /$ENCRYPTION_KEY_VOLUME/console.key + echo "Wrote out certificates." +fi + exit 0 diff --git a/deploy/kubernetes/build.sh b/deploy/kubernetes/build.sh index 1a126741e8..11c3f2440f 100755 --- a/deploy/kubernetes/build.sh +++ b/deploy/kubernetes/build.sh @@ -191,7 +191,7 @@ function buildProxy { # publish the container image for the portal proxy echo echo "-- Build & publish the runtime container image for the Console Proxy" - buildAndPublishImage stratos-proxy deploy/Dockerfile.bk.dev ${STRATOS_UI_PATH} + buildAndPublishImage stratos-proxy deploy/Dockerfile.bk.k8s ${STRATOS_UI_PATH} # Build merged preflight & proxy image, used when deploying into multi-node k8s cluster without a shared storage backend buildAndPublishImage stratos-proxy-noshared deploy/Dockerfile.bk-preflight.dev ${STRATOS_UI_PATH} } diff --git a/deploy/kubernetes/console/templates/deployment.yaml b/deploy/kubernetes/console/templates/deployment.yaml index 5005a5c049..41ca2df129 100644 --- a/deploy/kubernetes/console/templates/deployment.yaml +++ b/deploy/kubernetes/console/templates/deployment.yaml 
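Review bot: The else branch writes `$CONSOLE_CERT_KEY` to `/$ENCRYPTION_KEY_VOLUME/console.key` with a plain redirect, so the private key gets the process's default umask (typically 0644, world-readable) on a volume that deployment.yaml also mounts into the ui container. Set `umask 077` before the redirects, or `chmod 600 /$ENCRYPTION_KEY_VOLUME/console.key` right after writing it (0640 with a shared group if the nginx container reads it as a different user). The condition only generates when both variables are unset, so setting exactly one writes an empty console.crt or console.key and the failure surfaces later in nginx or the proxy; treat the half-set case as an error with `echo "CONSOLE_CERT and CONSOLE_CERT_KEY must both be set" >&2; exit 1`. The `-a` operator inside `[ ]` is marked obsolescent by POSIX; `[ ... ] && [ ... ]` is the portable form.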
@@ -28,9 +28,6 @@ metadata: data: stolon: {{ .Values.dbPassword | b64enc }} pgsql-password: {{ .Values.dbPassword | b64enc }} - console-cert-key: {{ .Files.Get "ssl/console.key" | b64enc }} - console-cert: {{ .Files.Get "ssl/console.crt" | b64enc }} - --- apiVersion: apps/v1beta1 kind: StatefulSet @@ -48,10 +45,16 @@ spec: containers: - image: {{.Values.dockerRegistry}}/{{.Values.dockerOrg}}/{{.Values.images.console}}:{{.Values.consoleVersion}} name: ui + env: + - name: ENCRYPTION_KEY_VOLUME + value: "{{ .Release.Name }}-encryption-key-volume" volumeMounts: - mountPath: /etc/secrets/ name: "{{ .Release.Name }}-secret" readOnly: true + - mountPath: "/{{ .Release.Name }}-encryption-key-volume" + name: "{{ .Release.Name }}-encryption-key-volume" + readOnly: true ports: - containerPort: 80 name: http @@ -158,6 +161,22 @@ spec: value: "{{ .Release.Name }}-encryption-key-volume" - name: ENCRYPTION_KEY_FILENAME value: key + {{- if .Values.noShared }} + {{- if .Values.consoleCert }} + - name: CONSOLE_CERT + value: | +{{ .Values.consoleCert | indent 12 }} + {{- end }} + {{- if .Values.consoleCertKey }} + - name: CONSOLE_CERT_KEY + value: | +{{ .Values.consoleCertKey | indent 12 }} + {{- end }} + {{- end }} + - name: CONSOLE_PROXY_CERT_PATH + value: "/{{ .Release.Name }}-encryption-key-volume/console.crt" + - name: CONSOLE_PROXY_CERT_KEY_PATH + value: "/{{ .Release.Name }}-encryption-key-volume/console.key" - name: HTTP_PROXY {{- if .Values.httpProxy }} value: {{.Values.httpProxy}} diff --git a/deploy/kubernetes/console/templates/pre-install.yaml b/deploy/kubernetes/console/templates/pre-install.yaml index 38c1270740..84a1ce1e8b 100644 --- a/deploy/kubernetes/console/templates/pre-install.yaml +++ b/deploy/kubernetes/console/templates/pre-install.yaml 
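Review bot: In hunk @@ -158 the private key from `.Values.consoleCertKey` is rendered inline as a plain env `value:` on the postflight container (and on the preflight job in the pre-install.yaml hunk that follows), so it lands in the StatefulSet spec, in `kubectl describe pod` output and in the process environment of anyone who can read it, instead of in the `{{ .Release.Name }}-secret` Secret from which the first hunk removes the chart-bundled key. Keep the material in the Secret — add `console-cert-key: {{ .Values.consoleCertKey | b64enc }}` under its `data:` behind the same `if` — and reference it with `valueFrom: secretKeyRef:` as below, or mount it as a file; treating consoleCert the same way keeps the two consistent even though the certificate is public. `CONSOLE_PROXY_CERT_PATH`/`CONSOLE_PROXY_CERT_KEY_PATH` are also set unconditionally, so the proxy now always expects the preflight job to have populated the encryption volume; a template comment stating that dependency would save the next reader a trip through run-preflight-job.sh.
```yaml
# … unchanged: ENCRYPTION_KEY_VOLUME / ENCRYPTION_KEY_FILENAME env entries …
{{- if .Values.noShared }}
{{- if .Values.consoleCertKey }}
- name: CONSOLE_CERT_KEY
  valueFrom:
    secretKeyRef:
      name: "{{ .Release.Name }}-secret"
      key: console-cert-key
{{- end }}
{{- end }}
# … unchanged: CONSOLE_PROXY_CERT_PATH / CONSOLE_PROXY_CERT_KEY_PATH, HTTP_PROXY …
```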
@@ -67,8 +67,20 @@ spec: value: upgrade.lock - name: ENCRYPTION_KEY_VOLUME value: "{{ .Release.Name }}-encryption-key-volume" + - name: CERTS_PATH + value: "{{ .Release.Name }}-encryption-key-volume" - name: ENCRYPTION_KEY_FILENAME value: key + {{- if .Values.consoleCert }} + - name: CONSOLE_CERT + value: | +{{ .Values.consoleCert | indent 12 }} + {{- end }} + {{- if .Values.consoleCertKey }} + - name: CONSOLE_CERT_KEY + value: | +{{ .Values.consoleCertKey | indent 12 }} + {{- end }} image: {{.Values.dockerRegistry}}/{{.Values.dockerOrg}}/{{.Values.images.preflight}}:{{.Values.consoleVersion}} name: "{{ .Release.Name }}-preflight-job" volumeMounts: diff --git a/deploy/ci/scripts/generate_cert.sh b/deploy/tools/generate_cert.sh similarity index 59% rename from deploy/ci/scripts/generate_cert.sh rename to deploy/tools/generate_cert.sh index 36d3d8aa02..596e6c85e3 100755 --- a/deploy/ci/scripts/generate_cert.sh +++ b/deploy/tools/generate_cert.sh @@ -1,18 +1,20 @@ #!/bin/sh # Settings -devcerts_path=${DEV_CERTS_PATH:-portal-proxy-output/dev-certs} -domain=pproxy -commonname=192.168.99.100 -country=US -state=Washington -locality=Seattle +devcerts_path=${CERTS_PATH:-portal-proxy-output/dev-certs} +domain=${DEV_CERTS_DOMAIN:-pproxy} +commonname=127.0.0.1 +country=UK +state=Bristol +locality=Bristol organization=SUSE -organizationalunit=HDP +organizationalunit=CAP email=SUSE # Generate a key and cert echo "Generating key and cert for $domain" -mkdir -p ${devcerts_path} +if [ ! -d ${devcerts_path} ]; then + mkdir -p ${devcerts_path} +fi openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${devcerts_path}/$domain.key -out ${devcerts_path}/$domain.crt \ -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email" From 158781b01ee9ea5aa72c7c6b2b135ec6c204fc92 Mon Sep 17 00:00:00 2001 
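Review bot: The new `CERTS_PATH` env on the preflight job is set to `"{{ .Release.Name }}-encryption-key-volume"` with no leading slash, so as a path it is relative to the container's working directory, while run-preflight-job.sh in this series overrides it with `export CERTS_PATH=/$ENCRYPTION_KEY_VOLUME` before calling generate_cert.sh. As written the template value is dead, and if the script's export were ever dropped it would silently generate certificates into the wrong directory; either remove it or make it `value: "/{{ .Release.Name }}-encryption-key-volume"` so the two agree.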
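Review bot: `country=UK` in the new subject is not an ISO 3166-1 alpha-2 code (the United Kingdom is `GB`); openssl does not validate the value, so the certificate is issued with a wrong C= field rather than failing — `country=GB`. `DEV_CERTS_DOMAIN` now selects the output file names as well as the log line, so a caller that sets `CERTS_PATH` but not `DEV_CERTS_DOMAIN` still gets `pproxy.crt`/`pproxy.key`; a header comment such as `# DEV_CERTS_DOMAIN names the output files (<domain>.crt/.key); the k8s preflight job sets it to console` would make that contract visible.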
From: Irfan Habib Date: Thu, 3 Aug 2017 13:16:32 +0100 Subject: [PATCH 2/7] Remove checked in certificates --- deploy/kubernetes/console/ssl/console.crt | 32 ----------------------- deploy/kubernetes/console/ssl/console.key | 27 ------------------- 2 files changed, 59 deletions(-) delete mode 100644 deploy/kubernetes/console/ssl/console.crt delete mode 100644 deploy/kubernetes/console/ssl/console.key diff --git a/deploy/kubernetes/console/ssl/console.crt b/deploy/kubernetes/console/ssl/console.crt deleted file mode 100644 index 32c31d8fb4..0000000000 --- a/deploy/kubernetes/console/ssl/console.crt +++ /dev/null 
@@ -1,32 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFfzCCBGegAwIBAgIUXGVzSL3vrRYn4pH+OGQ1Q0p6gn0wDQYJKoZIhvcNAQEL -BQAwgYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQH -EwdTZWF0dGxlMSMwIQYDVQQKExpIZXdsZXR0IFBhY2thcmQgRW50ZXJwcmlzZTES -MBAGA1UECxMJSFBFIENsb3VkMRkwFwYDVQQDExBIQ1AgQm9vdHN0cmFwIENBMB4X -DTE3MDQwNTEyMjkwMFoXDTE4MDQwNTEyMjkwMFowgYExCzAJBgNVBAYTAlVTMRMw -EQYDVQQIEwpXYXNoaW5ndG9uMRAwDgYDVQQHEwdTZWF0dGxlMSMwIQYDVQQKExpI -ZXdsZXR0IFBhY2thcmQgRW50ZXJwcmlzZTESMBAGA1UECxMJSFBFIENsb3VkMRIw -EAYDVQQDEwkqLmhzYy5zdmMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB -AQCuDMxMCWF6vUxzkXhy3fyg/sSDdQTn/W8rVavbPymJqSLoLQCoIZ1MVsFmDXeZ -Wnd896KRweglG2el/CD+Cs+JdHIwVtlw3xpD1bMdjkfNHhIeZTw6j9A9bvoDEjzP -vx3kIFarjBTcy5CZIzZjYdUI/8g81dybvktfYk7TH1j4jnFvzM5Aj4P43A+QXvJU -VrOrL5f1QlqGczyet1lrTRj1Lpa1tolAQ1ql/lYeLAqgS0CdtCQUekMoObhUfhxl -UC1Kdbsn5ziv63yRcUBxEtw2+2dPt0FBWPCyHq6HaAUy4Dq9C6DXYI39cDmnpjQ6 -RI7RowyuJDn0RTUCpczhSav5AgMBAAGjggHkMIIB4DAOBgNVHQ8BAf8EBAMCBaAw -HQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwHQYD -VR0OBBYEFJfP8VkZ2TIB8EvINyZgkjWZQUBHMB8GA1UdIwQYMBaAFMMJYx4SgR2R -aRyfh+0rTx4dLcQYMIIBXwYDVR0RBIIBVjCCAVKCCSouaHNjLnN2Y4IVKi5oc2Mu -c3ZjLmNsdXN0ZXIuaGNwggtoc2MtY29uc29sZYITaHNjLWNvbnNvbGUuaHNjLnN2 -Y4IfaHNjLWNvbnNvbGUuaHNjLnN2Yy5jbHVzdGVyLmhjcIINKi5oc2MtY29uc29s -ZYIVKi5oc2MtY29uc29sZS5oc2Muc3ZjgiEqLmhzYy1jb25zb2xlLmhzYy5zdmMu -Y2x1c3Rlci5oY3CCD2hzYy1jb25zb2xlLWludIIXaHNjLWNvbnNvbGUtaW50Lmhz -Yy5zdmOCI2hzYy1jb25zb2xlLWludC5oc2Muc3ZjLmNsdXN0ZXIuaGNwghEqLmhz -Yy1jb25zb2xlLWludIIZKi5oc2MtY29uc29sZS1pbnQuaHNjLnN2Y4IlKi5oc2Mt -Y29uc29sZS1pbnQuaHNjLnN2Yy5jbHVzdGVyLmhjcDANBgkqhkiG9w0BAQsFAAOC -AQEAxt0AIiN26mdTYB8LjG0O/Q22ZMCqnPsu7HGUOVk0g59KW9PU60+8jyre/Lfc -CH09DOnTVPrlmghAqn6o2qAS+vZKHIK+50OvIKO/6SwfvmJlk1H0xAPqm/SWttHq -QIzIQxqzGA+6rqoRW5Kmqdy7xmvh5fY6spVJ0UyITe9zNZeDmB2EWJ7Gq/E/xncz -mlBFR39WXp6Ptr+Tu8ZhUfSzCpGJwElhrAD68EoJ7S1r7n2whZlUACRNAW5kwXYa -gHbKmrIDMdK9t0SksP1MBfNN09/etVUPEFebfz6uNimfpjEq+FHmve/EyrSv/ahm -IWEU0Hvz1P9whtWVZSs7t44/rg== ------END 
CERTIFICATE----- \ No newline at end of file diff --git a/deploy/kubernetes/console/ssl/console.key b/deploy/kubernetes/console/ssl/console.key deleted file mode 100644 index bdf3c4d28e..0000000000 --- a/deploy/kubernetes/console/ssl/console.key +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEowIBAAKCAQEArgzMTAlher1Mc5F4ct38oP7Eg3UE5/1vK1Wr2z8piaki6C0A -qCGdTFbBZg13mVp3fPeikcHoJRtnpfwg/grPiXRyMFbZcN8aQ9WzHY5HzR4SHmU8 -Oo/QPW76AxI8z78d5CBWq4wU3MuQmSM2Y2HVCP/IPNXcm75LX2JO0x9Y+I5xb8zO -QI+D+NwPkF7yVFazqy+X9UJahnM8nrdZa00Y9S6WtbaJQENapf5WHiwKoEtAnbQk -FHpDKDm4VH4cZVAtSnW7J+c4r+t8kXFAcRLcNvtnT7dBQVjwsh6uh2gFMuA6vQug -12CN/XA5p6Y0OkSO0aMMriQ59EU1AqXM4Umr+QIDAQABAoIBAGjm9ctua/5aUdXl -+77f5P/0DeVdhlN9AKARxr8iVprOAmgFl7u+Ztw3/eDQhSE80X/UkXtgb9bNqa71 -Q71aLrQeJyTTc8L/9QilqItL0iLi2PDQ+3ggbdZZKP7o4xYjjpSMmTBUAc8CMmja -PFGyCYCfCcUA8TI9g5g93FyLLEjCMuO2+vmddYmT1ppN+tj2UyI8kapd4dwOw7M8 -uAs3ixmt2PbUSnS2TdVn+WDC7ZeHwguVwVdX+J4sPyYQJvzL7Lzmo1W3diP8gTdE -316pD+8K7oIN8xKgoDUB0iLaKxJ5KmAWHCMR5XFH59Ht0zPjUJb6bC/5Oic8dvxu -8vI+zHECgYEAxzEbs7yMoi3tG42nVh4PYea5xEYUgALCHx0NW9BfFKA6fU4zRFna -ZTlDLX+blZcHlwZo+GpjrVvh+FItc2RKn62hDTfSzbr+EgHTDXALL64+1i2yLhPz -echMoPSjfRNNBtrlWuIigfqtzV8mS070ravbirv4acntVtsZps5vTj8CgYEA37AY -8Bmdu1qEj0gjV9TL65jboZsd6KgIiGDeDQEmpV03lpz1xHCbLtkvg4Ec0hZsyzFc -j0HquM7GJumdLmCIbwr1zxEC15unXJbjm1NPY5VKivuFB1orTGnLXsNY7zgY/b7x -Bhlx8YwzNh2wOZVvbQt5Cnjw7QQP90uEeq6X58cCgYBAio3yUA61YfIo8l4dDkJn -s23PxfFQhRRHJo+0hzC3qy8oeNUtuXuFPuegb2+HKdegvMf4beh8PIBciKwHbqCr -WoQLl2HrnUJDrWmoOfy151ye41GPkpFajWce5AWxOjbEGNsl9o291e7I06LB1gR7 -3WqWak+UX4RSl02Zedwg2wKBgH63fYkWmdo2zv10OkFZVSPj9he4jdrsxdisN15a -lo/7HLB/vmJIAEEr29S9YZxKA9uf3PVyvAtxZ6NHmDlbii6NoO5qjpehn8+90rZ9 -HW4mdpIBJj0iAYFKNWE7fLgXqWCluFhiNcBGUgSIEPquAu9dHnamSKWcNYc8CpKN -MZSlAoGBAMbYWMoKTjSdixCmLJ5MeHTwXvy62LRxvpsKIU2j9ArLytPE57fDwOur -4eySa/9LklGjU0X1z5bZeQgu+do4ch8iXFNyx/AalgZRnFQnt9bVob2MXiR3DCNF -JAZa5VoIJHwjtOcIrT0UI0LN7qQ54GadxfbkLNizgTXwZwEx/bl5 ------END RSA PRIVATE KEY----- \ No newline at end of file From a7e4f990396d739aad9614ab186a72b3ad14414a Mon Sep 17 00:00:00 2001 
From: Irfan Habib Date: Thu, 3 Aug 2017 13:24:26 +0100 Subject: [PATCH 3/7] Add documentation --- deploy/kubernetes/README.md | 21 +++++++++++++++++++++ deploy/kubernetes/console/values.yaml | 12 +++++++++++- 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/deploy/kubernetes/README.md b/deploy/kubernetes/README.md index 7a9169284c..2f6721a4d3 100644 --- a/deploy/kubernetes/README.md +++ b/deploy/kubernetes/README.md @@ -175,3 +175,24 @@ kubectl create -f storageclass.yaml ``` See [Storage Class documentation] ( https://kubernetes.io/docs/tasks/administer-cluster/change-default-storage-class/) for more insformation. + +## Deploying Stratos UI with your own TLS certificates + +By default the console will generate self-signed certificates for demo purposes. To configure Stratos UI to use your provided TLS certificates set the `consoleCert` and `consoleCertKey` overrides. + +``` +consoleCert: | + -----BEGIN CERTIFICATE----- + MIIDXTCCAkWgAwIBAgIJAJooOiQWl1v1MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV + ... + -----END CERTIFICATE----- +consoleCertKey: | + -----BEGIN PRIVATE KEY----- + MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDV9+ySh0xZzM41 + .... + -----END PRIVATE KEY----- +``` +Assuming the above is stored in a file called `override-ssl.yaml`, install the chart with the override specified. +``` +helm install -f override-ssl.yaml stratos-ui/console --namespace console +``` \ No newline at end of file diff --git a/deploy/kubernetes/console/values.yaml b/deploy/kubernetes/console/values.yaml index 177e017eaa..3484b51d32 100644 --- a/deploy/kubernetes/console/values.yaml +++ b/deploy/kubernetes/console/values.yaml 
@@ -21,4 +21,14 @@ images: preflight: stratos-preflight-job postflight: stratos-postflight-job # Specify which storage class should be used for PVCs -#storageClass: default \ No newline at end of file +#storageClass: default +#consoleCert: | +# -----BEGIN CERTIFICATE----- +# MIIDXTCCAkWgAwIBAgIJAJooOiQWl1v1MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV +# ... +# -----END CERTIFICATE----- +#consoleCertKey: | +# -----BEGIN PRIVATE KEY----- +# MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDV9+ySh0xZzM41 +# ... +# -----END PRIVATE KEYE----- \ No newline at end of file From 80b05124526be3da3280ef53b742ba1b60566700 Mon Sep 17 00:00:00 2001 From: Irfan Habib Date: Mon, 18 Sep 2017 11:03:38 +0100 Subject: [PATCH 4/7] Resolve merge conflict --- .../console/templates/deployment.yaml | 69 +++++++++---------- 1 file changed, 33 insertions(+), 36 deletions(-) diff --git a/deploy/kubernetes/console/templates/deployment.yaml b/deploy/kubernetes/console/templates/deployment.yaml index c1b0d430f1..df79a695d4 100644 --- a/deploy/kubernetes/console/templates/deployment.yaml +++ b/deploy/kubernetes/console/templates/deployment.yaml @@ -8,7 +8,7 @@ metadata: app: "{{ .Release.Name }}" data: stolon: {{ .Values.dbPassword | b64enc }} - pgsql-password: {{ .Values.dbPassword | b64enc }} + db-password: {{ .Values.mariadb.mariadbPassword | b64enc }} --- apiVersion: apps/v1beta1 kind: StatefulSet 
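Review bot: The commented example ends with `# -----END PRIVATE KEYE-----`, so a user who uncomments it as a template produces a PEM block with a mismatched footer that will not parse; it should read `# -----END PRIVATE KEY-----`. The same typo is still present in the later values.yaml hunk of patch 7, which edits the neighbouring line but leaves the footer unchanged.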
@@ -47,24 +47,22 @@ spec: - image: {{.Values.dockerRegistry}}/{{.Values.dockerOrg}}/{{.Values.images.postflight}}:{{.Values.consoleVersion}} name: "{{ .Release.Name }}-postflight" env: - - name: PGSQL_HOST - value: "{{ .Release.Name }}-postgres-int" - - name: PGSQL_PORT - value: "5432" - - name: POSTGRES_USER - value: postgres - - name: POSTGRES_PASSWORD_FILE - value: /etc/secrets/stolon - - name: PGSQL_DATABASE - value: console-db - - name: PGSQL_USER - value: console - - name: PGSQL_PASSWORDFILE - value: /etc/secrets/pgsql-password - - name: PGSQL_SSL_MODE - value: disable - - name: PGCONNECT_TIMEOUT - value: "10" + - name: DB_HOST + value: "{{ .Release.Name }}-mariadb" + - name: DB_PORT + value: "3306" + - name: DB_ADMIN_USER + value: "{{ .Values.mariadb.adminUser }}" + - name: DB_ADMIN_PASSWORD + value: "{{ .Values.mariadb.mariadbRootPassword }}" + - name: DATABASE_PROVIDER + value: "{{ .Values.dbProvider }}" + - name: DB_PASSWORD + value: "{{ .Values.mariadb.mariadbPassword }}" + - name: DB_USER + value: "{{ .Values.mariadb.mariadbUser }}" + - name: DB_DATABASE_NAME + value: "{{ .Values.mariadb.mariadbDatabase }}" - name: DO_NOT_QUIT value: "true" - name: UPGRADE_VOLUME 
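Review bot: `DB_PASSWORD` and `DB_ADMIN_PASSWORD` on the postflight container are now rendered as literal `value:` strings from `.Values.mariadb.*`, whereas the lines they replace read the passwords from files under /etc/secrets; the proxy container hunk @@ -105 that follows has the same regression, where the replaced `PGSQL_PASSWORD` used `valueFrom: secretKeyRef`. Whether or not this came in with the merge, the `db-password` key that hunk @@ -8 adds to the Secret is then never referenced, so the Secret is written but the passwords still travel in the pod spec. Point both containers at the Secret as below, and add a key for the root password if it must be passed at all.
```yaml
- name: DB_PASSWORD
  valueFrom:
    secretKeyRef:
      name: "{{ .Release.Name }}-secret"
      key: db-password
# … unchanged: DB_HOST, DB_PORT, DB_ADMIN_USER, DATABASE_PROVIDER, DB_USER, DB_DATABASE_NAME …
```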
@@ -105,23 +103,22 @@ spec: name: proxy {{- end }} env: - - name: PGSQL_USER - value: console - - name: PGSQL_PASSWORD - valueFrom: - secretKeyRef: - name: "{{ .Release.Name }}-secret" - key: pgsql-password - - name: PGSQL_DATABASE - value: console-db - - name: PGSQL_HOST - value: "{{ .Release.Name }}-postgres-int" - - name: PGSQL_PORT - value: "5432" - - name: PGSQL_CONNECT_TIMEOUT_IN_SECS - value: "5" - - name: PGSQL_SSL_MODE - value: disable + - name: DB_USER + value: "{{ .Values.mariadb.mariadbUser }}" + - name: DB_PASSWORD + value: "{{ .Values.mariadb.mariadbPassword }}" + - name: DB_DATABASE_NAME + value: "{{ .Values.mariadb.mariadbDatabase }}" + - name: DB_HOST + value: "{{ .Release.Name }}-mariadb" + - name: DB_PORT + value: "3306" + - name: DATABASE_PROVIDER + value: "{{ .Values.dbProvider }}" + - name: DB_ADMIN_USER + value: "{{ .Values.mariadb.adminUser }}" + - name: DB_ADMIN_PASSWORD + value: "{{ .Values.mariadb.mariadbRootPassword }}" - name: HTTP_CONNECTION_TIMEOUT_IN_SECS value: "10" - name: HTTP_CLIENT_TIMEOUT_IN_SECS From 85643f051437f55932044a438f239bdbc6b13cf1 Mon Sep 17 00:00:00 2001 From: Irfan Habib Date: Mon, 18 Sep 2017 13:45:54 +0100 Subject: [PATCH 5/7] Update generate_cert.sh --- deploy/tools/generate_cert.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/deploy/tools/generate_cert.sh b/deploy/tools/generate_cert.sh index 596e6c85e3..f30eecbc1c 100755 --- a/deploy/tools/generate_cert.sh +++ b/deploy/tools/generate_cert.sh @@ -13,8 +13,7 @@ email=SUSE # Generate a key and cert echo "Generating key and cert for $domain" -if [ ! -d ${devcerts_path} ]; then - mkdir -p ${devcerts_path} -fi +mkdir -p ${devcerts_path} + openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${devcerts_path}/$domain.key -out ${devcerts_path}/$domain.crt \ -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email" 
From 162ba8e550045c18b30c07321bcf1408381be1a1 Mon Sep 17 00:00:00 2001 From: Irfan Habib Date: Mon, 18 Sep 2017 13:46:07 +0100 Subject: [PATCH 6/7] Update generate_cert.sh --- deploy/tools/generate_cert.sh | 1 - 1 file changed, 1 deletion(-) diff --git a/deploy/tools/generate_cert.sh b/deploy/tools/generate_cert.sh index f30eecbc1c..a49e328354 100755 --- a/deploy/tools/generate_cert.sh +++ b/deploy/tools/generate_cert.sh @@ -14,6 +14,5 @@ email=SUSE # Generate a key and cert echo "Generating key and cert for $domain" mkdir -p ${devcerts_path} - openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout ${devcerts_path}/$domain.key -out ${devcerts_path}/$domain.crt \ -subj "/C=$country/ST=$state/L=$locality/O=$organization/OU=$organizationalunit/CN=$commonname/emailAddress=$email" From c161cea95696441ff70647f3d331eb68da0634ba Mon Sep 17 00:00:00 2001 From: Irfan Habib Date: Mon, 18 Sep 2017 14:04:47 +0100 Subject: [PATCH 7/7] Update values.yaml --- deploy/kubernetes/console/values.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/kubernetes/console/values.yaml b/deploy/kubernetes/console/values.yaml index 28ea0aa31e..1e3cdb2619 100644 --- a/deploy/kubernetes/console/values.yaml +++ b/deploy/kubernetes/console/values.yaml @@ -30,7 +30,7 @@ images: # -----END CERTIFICATE----- #consoleCertKey: | # -----BEGIN PRIVATE KEY----- -# MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDV9+ySh0xZzM41 +# MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkdgEAAoIBAQDV9+ySh0xZzM41 # ... # -----END PRIVATE KEYE----- # MariaDB chart configuration