Support user-provided client certs for Vault (#578)
* start vault user certs

* updates

* add cert authority

* fix deployment

* remove storage-service from all deployments

* add certs to sample

* support v1

* remove vault cert manifests

* remove todo

* fix formatting

* fix crd deploy check

* add test for v1

* add tests

* add fail test

* bad vault ca

* add more error tests

* add test for ingress certs

* add openshift test

* add type meta to v1

* refactor storage service deployment

* refactor self-signed cert
atye authored Jun 3, 2024
1 parent 695150a commit 94b569f
Showing 15 changed files with 1,249 additions and 225 deletions.
4 changes: 4 additions & 0 deletions api/v1/types.go
Expand Up @@ -451,6 +451,10 @@ type ContainerTemplate struct {
// PrivateKey is a private key used for a certificate/private-key pair
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Private key for certificate/private-key pair"
PrivateKey string `json:"privateKey,omitempty" yaml:"privateKey,omitempty"`

// CertificateAuthority is a certificate authority used to validate a certificate
// +operator-sdk:csv:customresourcedefinitions:type=spec,displayName="Certificate authority for validating a certificate"
CertificateAuthority string `json:"certificateAuthority,omitempty" yaml:"certificateAuthority,omitempty"`
}

// SnapshotClass struct
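Review bot: The comment on the new CertificateAuthority field (the block added after PrivateKey) says what the value is used for but not what form it must take, so a user reading the CRD description cannot tell whether to supply a PEM bundle or a base64-encoded one, nor what happens when the field is left empty while Certificate and PrivateKey are set. Since the matching descriptions in deploy/crds/storage.dell.com.crds.all.yaml appear to be generated from this comment, fixing the wording here should propagate to all ten copies. Suggest extending it along the lines of `// CertificateAuthority is a certificate authority, in the same encoding as Certificate, used to validate a certificate; when empty, <STATE THE FALLBACK BEHAVIOUR HERE>` with the placeholder filled from the consuming code. The enclosing ContainerTemplate struct starts outside the hunk.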
30 changes: 30 additions & 0 deletions deploy/crds/storage.dell.com.crds.all.yaml
Expand Up @@ -76,6 +76,9 @@ spec:
certificate:
description: Certificate is a certificate used for a certificate/private-key pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -402,6 +405,9 @@ spec:
certificate:
description: Certificate is a certificate used for a certificate/private-key pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -717,6 +723,9 @@ spec:
certificate:
description: Certificate is a certificate used for a certificate/private-key pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -1122,6 +1131,9 @@ spec:
certificate:
description: Certificate is a certificate used for a certificate/private-key pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -1437,6 +1449,9 @@ spec:
certificate:
description: Certificate is a certificate used for a certificate/private-key pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -1771,6 +1786,9 @@ spec:
certificate:
description: Certificate is a certificate used for a certificate/private-key pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -2084,6 +2102,9 @@ spec:
certificate:
description: Certificate is a certificate used for a certificate/private-key pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -2402,6 +2423,9 @@ spec:
certificate:
description: Certificate is a certificate used for a certificate/private-key pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -2741,6 +2765,9 @@ spec:
certificate:
description: Certificate is a certificate used for a certificate/private-key pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
Expand Down Expand Up @@ -3065,6 +3092,9 @@ spec:
certificate:
description: Certificate is a certificate used for a certificate/private-key pair
type: string
certificateAuthority:
description: CertificateAuthority is a certificate authority used to validate a certificate
type: string
commander:
description: Commander is the image tag for the Container
type: string
47 changes: 0 additions & 47 deletions operatorconfig/moduleconfig/authorization/v1.10.0/deployment.yaml
Expand Up @@ -242,53 +242,6 @@ roleRef:
name: storage-service
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: storage-service
namespace: <NAMESPACE>
labels:
app: storage-service
spec:
replicas: 1
selector:
matchLabels:
app: storage-service
template:
metadata:
labels:
csm: <NAME>
app: storage-service
spec:
serviceAccountName: storage-service
containers:
- name: storage-service
image: <AUTHORIZATION_STORAGE_SERVICE_IMAGE>
imagePullPolicy: Always
ports:
- containerPort: 50051
name: grpc
env:
- name: NAMESPACE
value: <NAMESPACE>
volumeMounts:
- name: storage-volume
mountPath: /etc/karavi-authorization/storage
- name: config-volume
mountPath: /etc/karavi-authorization/config
- name: csm-config-params
mountPath: /etc/karavi-authorization/csm-config-params
volumes:
- name: storage-volume
secret:
secretName: karavi-storage-secret
- name: config-volume
secret:
secretName: karavi-config-secret
- name: csm-config-params
configMap:
name: csm-config-params
---
apiVersion: v1
kind: Service
metadata:
47 changes: 0 additions & 47 deletions operatorconfig/moduleconfig/authorization/v1.9.0/deployment.yaml
Expand Up @@ -242,53 +242,6 @@ roleRef:
name: storage-service
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: storage-service
namespace: <NAMESPACE>
labels:
app: storage-service
spec:
replicas: 1
selector:
matchLabels:
app: storage-service
template:
metadata:
labels:
csm: <NAME>
app: storage-service
spec:
serviceAccountName: storage-service
containers:
- name: storage-service
image: <AUTHORIZATION_STORAGE_SERVICE_IMAGE>
imagePullPolicy: Always
ports:
- containerPort: 50051
name: grpc
env:
- name: NAMESPACE
value: <NAMESPACE>
volumeMounts:
- name: storage-volume
mountPath: /etc/karavi-authorization/storage
- name: config-volume
mountPath: /etc/karavi-authorization/config
- name: csm-config-params
mountPath: /etc/karavi-authorization/csm-config-params
volumes:
- name: storage-volume
secret:
secretName: karavi-storage-secret
- name: config-volume
secret:
secretName: karavi-config-secret
- name: csm-config-params
configMap:
name: csm-config-params
---
apiVersion: v1
kind: Service
metadata:
47 changes: 0 additions & 47 deletions operatorconfig/moduleconfig/authorization/v1.9.1/deployment.yaml
Expand Up @@ -242,53 +242,6 @@ roleRef:
name: storage-service
apiGroup: rbac.authorization.k8s.io
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: storage-service
namespace: <NAMESPACE>
labels:
app: storage-service
spec:
replicas: 1
selector:
matchLabels:
app: storage-service
template:
metadata:
labels:
app: storage-service
csm: <NAME>
spec:
serviceAccountName: storage-service
containers:
- name: storage-service
image: <AUTHORIZATION_STORAGE_SERVICE_IMAGE>
imagePullPolicy: Always
ports:
- containerPort: 50051
name: grpc
env:
- name: NAMESPACE
value: <NAMESPACE>
volumeMounts:
- name: storage-volume
mountPath: /etc/karavi-authorization/storage
- name: config-volume
mountPath: /etc/karavi-authorization/config
- name: csm-config-params
mountPath: /etc/karavi-authorization/csm-config-params
volumes:
- name: storage-volume
secret:
secretName: karavi-storage-secret
- name: config-volume
secret:
secretName: karavi-config-secret
- name: csm-config-params
configMap:
name: csm-config-params
---
apiVersion: v1
kind: Service
metadata:
Expand Up @@ -317,70 +317,6 @@ subjects:
name: storage-service
namespace: <NAMESPACE>
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: storage-service
namespace: <NAMESPACE>
labels:
app: storage-service
spec:
replicas: <AUTHORIZATION_STORAGE_SERVICE_REPLICAS>
selector:
matchLabels:
app: storage-service
template:
metadata:
labels:
csm: <NAME>
app: storage-service
spec:
serviceAccountName: storage-service
containers:
- name: storage-service
image: <AUTHORIZATION_STORAGE_SERVICE_IMAGE>
imagePullPolicy: Always
env:
- name: NAMESPACE
value: <NAMESPACE>
- name: SENTINELS
value: <AUTHORIZATION_REDIS_SENTINEL_VALUES>
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: redis-csm-secret
key: password
args:
- "--redis-sentinel=$(SENTINELS)"
- "--redis-password=$(REDIS_PASSWORD)"
- "--vault-address=<AUTHORIZATION_VAULT_ADDRESS>"
- "--vault-kv-engine-path=<AUTHORIZATION_KV_ENGINE_PATH>"
- "--vault-skip-certificate-validation=<AUTHORIZATION_SKIP_CERTIFICATE_VALIDATION>"
- "--vault-role=<AUTHORIZATION_VAULT_ROLE>"
- "--leader-election=<AUTHORIZATION_LEADER_ELECTION_ENABLED>"
ports:
- containerPort: 50051
name: grpc
volumeMounts:
- name: config-volume
mountPath: /etc/karavi-authorization/config
- name: csm-config-params
mountPath: /etc/karavi-authorization/csm-config-params
- name: vault-client-certificate
mountPath: /etc/vault
volumes:
- name: config-volume
secret:
secretName: karavi-config-secret
- name: csm-config-params
configMap:
name: csm-config-params
- name: vault-client-certificate
projected:
sources:
- secret:
name: storage-service-selfsigned-tls
---
apiVersion: v1
kind: Service
metadata: