feat: cert manager install and configuring rest components for TLS

Signed-off-by: John Zakrzewski <[email protected]>

configure tls for REST

Signed-off-by: John Zakrzewski <[email protected]>

update script to include DNS names

Signed-off-by: John Zakrzewski <[email protected]>

disable tls in values.yaml, remove cert-manager

Signed-off-by: John Zakrzewski <[email protected]>

adding readme

Signed-off-by: John Zakrzewski <[email protected]>

feat: cert-manager-install

Signed-off-by: John Zakrzewski <[email protected]>

feat: configure callhome for tls with restapi

Signed-off-by: John Zakrzewski <[email protected]>

chore: configuring cert ingestion for csi-node daemonset

chore: add certificate job, clean up to enable tls successfully

Author: John Zakrzewski

call-home/src/bin/callhome/main.rs

@@ -52,6 +52,10 @@ struct CliArgs {
     /// The endpoint to fetch events stats.
     #[clap(long, short)]
     aggregator_url: Option<Url>,
+
+    /// The path to the TLS CA certificate
+    #[clap(long, short)]
+    tls_client_ca_path: Option<String>,
 }
 impl CliArgs {
     fn args() -> Self {
@@ -107,12 +111,42 @@ async fn run(logs: Arc<Mutex<VecDeque<LogEntry>>>) -> anyhow::Result<()> {
             anyhow::anyhow!("failed to generate metrics receiver client: {:?}", error)
         })?;
 
+    let ca_certificate_path = args.tls_client_ca_path;
+    let cert = match ca_certificate_path {
+        Some(path) => {
+            let cert = std::fs::read(path).map_err(|error| {
+                anyhow::anyhow!("Failed to read certificate file, Error: '{:?}'", error)
+            })?;
+            Some(cert)
+        }
+        None => None,
+    };
+
     // Generate Mayastor REST client.
-    let config = Configuration::builder()
-        .with_timeout(Duration::from_secs(30))
-        .with_tracing(true)
-        .build_url(endpoint)
-        .map_err(|error| anyhow::anyhow!("failed to create openapi configuration: {:?}", error))?;
+    let config = match (endpoint.scheme(), cert.as_deref()) {
+        ("https", Some(cert)) => Configuration::builder()
+            .with_timeout(Duration::from_secs(30))
+            .with_tracing(true)
+            .with_certificate(cert)
+            .build_url(endpoint)
+            .map_err(|error| {
+                anyhow::anyhow!("failed to create openapi configuration: {:?}", error)
+            })?,
+        ("https", None) => {
+            anyhow::bail!("HTTPS endpoint requires a CA certificate path");
+        }
+        (_, Some(_path)) => {
+            anyhow::bail!("TLS certificate is only supported for HTTPS connection")
+        }
+        _ => Configuration::builder()
+            .with_timeout(Duration::from_secs(30))
+            .with_tracing(true)
+            .build_url(endpoint)
+            .map_err(|error| {
+                anyhow::anyhow!("failed to create openapi configuration: {:?}", error)
+            })?,
+    };
+
     let client = openapi::clients::tower::ApiClient::new(config);
 
     loop {

chart/Chart.yaml

@@ -48,6 +48,11 @@ dependencies:
     version: 4.2.0
     repository: https://openebs.github.io/dynamic-localpv-provisioner
     condition: localpv-provisioner.enabled
+  - name: cert-manager
+    version: v1.12.10
+    repository: https://charts.jetstack.io
+    alias: cert-manager
+    condition: cert-manager.enabled
 annotations:
   helm.sh/images: |
     - name: bats

chart/README.md

@@ -56,6 +56,7 @@ This removes all the Kubernetes components associated with the chart and deletes
 |------------|------|---------|
 |  | crds | 0.0.0 |
 | https://charts.bitnami.com/bitnami | etcd | 8.6.0 |
+| https://charts.jetstack.io | cert-manager(cert-manager) | v1.17.0 |
 | https://grafana.github.io/helm-charts | loki-stack | 2.9.11 |
 | https://jaegertracing.github.io/helm-charts | jaeger-operator | 2.50.1 |
 | https://nats-io.github.io/k8s/helm/charts/ | nats | 0.19.14 |
@@ -119,6 +120,7 @@ This removes all the Kubernetes components associated with the chart and deletes
 | base.​logging.​format | Valid values for format are pretty, json and compact | `"pretty"` |
 | base.​logging.​silenceLevel | Silence specific module components | `nil` |
 | base.​metrics.​enabled | Enable the metrics exporter | `true` |
+| cert-manager.​enabled | Enable cert-manager only if tls is enabled | `true` |
 | crds.​csi.​volumeSnapshots.​enabled | Install Volume Snapshot CRDs | `true` |
 | crds.​enabled | Disables the installation of all CRDs if set to false | `true` |
 | csi.​controller.​logLevel | Log level for the csi controller | `"info"` |

chart/templates/hooks/wait-for-cert-manager.yaml

@@ -0,0 +1,112 @@
+{{- if .Values.tls.enabled }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: cert-manager-job-sa
+  namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cert-manager-job-role
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers", "certificates"]
+    verbs: ["create", "update", "patch", "delete", "get", "list", "watch"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cert-manager-job-rolebinding
+  namespace: {{ .Release.Namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: cert-manager-job-sa
+    namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: cert-manager-job-role
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: create-certificates
+  namespace: {{ .Release.Namespace }}
+  annotations:
+    "helm.sh/hook": post-install,post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded,hook-failed
+spec:
+  template:
+    spec:
+      serviceAccountName: cert-manager-job-sa
+      containers:
+        - name: create-certificates
+          image: bitnami/kubectl:latest
+          command:
+            - /bin/sh
+            - -c
+            - |
+              echo "Waiting for cert-manager-webhook to be available..."
+              kubectl wait --for=condition=Available=True Deployment/{{ .Release.Namespace }}-cert-manager-webhook -n {{ .Release.Namespace }} --timeout=120s
+              echo "Creating selfsigned-issuer..."
+              kubectl apply -f - <<EOF
+              apiVersion: cert-manager.io/v1
+              kind: Issuer
+              metadata:
+                name: selfsigned-issuer
+                namespace: {{ .Release.Namespace }}
+              spec:
+                selfSigned: {}
+              EOF
+              echo "Creating root-ca certificate..."
+              kubectl apply -f - <<EOF
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: root-ca
+                namespace: {{ .Release.Namespace }}
+              spec:
+                isCA: true
+                duration: 175200h # 20 years
+                commonName: root-ca
+                secretName: ca-root-cert
+                issuerRef:
+                  name: selfsigned-issuer
+                  kind: Issuer
+                  group: cert-manager.io
+              EOF
+              echo "Creating ca-issuer..."
+              kubectl apply -f - <<EOF
+              apiVersion: cert-manager.io/v1
+              kind: Issuer
+              metadata:
+                name: ca-issuer
+                namespace: {{ .Release.Namespace }}
+              spec:
+                ca:
+                  secretName: ca-root-cert
+              EOF
+              echo "Creating rest-api-server certificate..."
+              kubectl apply -f - <<EOF
+              apiVersion: cert-manager.io/v1
+              kind: Certificate
+              metadata:
+                name: rest-api-server
+                namespace: {{ .Release.Namespace }}
+              spec:
+                duration: 175200h
+                isCA: false
+                dnsNames:
+                  - {{ .Release.Name }}-api-rest.{{ .Release.Namespace }}.svc
+                  - {{ .Release.Name }}-api-rest.{{ .Release.Namespace }}.svc.cluster.local
+                  - {{ .Release.Name }}-api-rest
+                issuerRef:
+                  name: ca-issuer
+                  kind: Issuer
+                secretName: api-rest-tls
+              EOF
+      restartPolicy: OnFailure
+{{- end }}

chart/templates/mayastor/apis/api-rest-deployment.yaml

@@ -45,7 +45,6 @@ spec:
           image: "{{ .Values.image.registry }}/{{ .Values.image.repo }}/{{ include "image_prefix" . }}-api-rest:{{ default .Values.image.tag .Values.image.repoTags.controlPlane }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
-            - "--dummy-certificates"
             - "--no-auth"
             - "--http=[::]:8081"
             - "--request-timeout={{ .Values.base.default_req_timeout }}"{{ if .Values.base.jaeger.enabled }}
@@ -56,6 +55,22 @@ spec:
             {{- if .Values.apis.rest.healthProbes.readiness.enabled }}
             - "--core-health-freq={{ .Values.apis.rest.healthProbes.readiness.agentCoreProbeFreq }}"
             {{- end }}
+          {{- if not .Values.tls.enabled }}
+            - "--dummy-certificates"
+          {{- else }}
+            - --cert-file=/etc/tls/tls.crt
+            - --key-file=/etc/tls/tls.key
+            # - --tls-client-ca-path=/etc/client_cert/ca.crt # CA cert for client verification with core-agent
+          volumeMounts:
+            - name: certs
+              mountPath: /etc/tls
+              readOnly: true
+            # - name: ca-cert
+            #   mountPath: /etc/client_cert/ca.crt
+            #   subPath: ca.crt
+            #   readOnly: true
+
+          {{- end }}
           ports:
             - containerPort: 8080
             - containerPort: 8081
@@ -86,3 +101,13 @@ spec:
             periodSeconds: {{ .Values.apis.rest.healthProbes.liveness.periodSeconds }}
             timeoutSeconds: {{ .Values.apis.rest.healthProbes.liveness.timeoutSeconds }}
           {{- end }}
+      {{- if .Values.tls.enabled }}
+      volumes:
+        - name: certs
+          secret:
+            secretName: api-rest-tls
+        # - name: ca-cert
+        #   secret:
+        #     defaultMode: 420
+        #     secretName: agent-core-server-cert
+      {{- end }}

chart/templates/mayastor/csi/csi-controller-deployment.yaml

@@ -118,14 +118,20 @@ spec:
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args:
             - "--csi-socket=/var/lib/csi/sockets/pluginproxy/csi.sock"
-            - "--rest-endpoint=http://{{ .Release.Name }}-api-rest:8081"{{ if .Values.base.jaeger.enabled }}
+            {{ if .Values.base.jaeger.enabled }}
             - "--jaeger={{ include "jaeger_url" . }}"{{ end }}
             {{- range $key, $val := .Values.csi.node.topology.segments }}
             - "--node-selector={{ $key }}={{ $val }}"
             {{- end }}
             - "--ansi-colors={{ .Values.base.logging.color }}"
             - "--fmt-style={{ include "logFormat" . }}"
             - "--create-volume-limit={{ .Values.csi.controller.maxCreateVolume }}"
+            {{- if .Values.tls.enabled }}
+            - "--rest-endpoint=https://{{ .Release.Name }}-api-rest:8080"
+            - "--tls-client-ca-path=/etc/client_cert/ca.crt" # CA cert for client verification with rest
+            {{- else }}
+            - "--rest-endpoint=http://{{ .Release.Name }}-api-rest:8081"
+            {{- end }}
           env:
             - name: RUST_LOG
               value: {{ .Values.csi.controller.logLevel }}
@@ -136,6 +142,18 @@ spec:
           volumeMounts:
             - name: socket-dir
               mountPath: /var/lib/csi/sockets/pluginproxy/
+            {{- if .Values.tls.enabled }}
+            - name: ca-cert
+              mountPath: /etc/client_cert/ca.crt
+              subPath: ca.crt
+              readOnly: true
+            {{- end }}
       volumes:
         - name: socket-dir
           emptyDir:
+        {{- if .Values.tls.enabled }}
+        - name: ca-cert
+          secret:
+            defaultMode: 420
+            secretName: api-rest-tls
+        {{- end }}

chart/templates/mayastor/csi/csi-node-daemonset.yaml

@@ -87,8 +87,7 @@ spec:
         {{- end }}
         args:
         - "--csi-socket={{ default .Values.csi.node.pluginMountPath .Values.csi.node.pluginMounthPath }}/{{ .Values.csi.node.socketPath }}"
-        - "--node-name=$(MY_NODE_NAME)"
-        - "--rest-endpoint=http://{{ .Release.Name }}-api-rest:8081"{{ if .Values.csi.node.restClient.enabled }}
+        - "--node-name=$(MY_NODE_NAME)"{{ if .Values.csi.node.restClient.enabled }}
         - "--enable-rest"{{ end }}
         - "--enable-registration"
         - "--grpc-ip=$(MY_POD_IP)"
@@ -107,6 +106,14 @@ spec:
         {{- end }}
         - "--fmt-style={{ include "logFormat" . }}"
         - "--ansi-colors={{ .Values.base.logging.color }}"
+        {{- if .Values.tls.enabled }}
+        - "--endpoint=https://{{ .Release.Name }}-api-rest:8080"
+        - "--tls-client-ca-path=/etc/client_cert/ca.crt" # CA cert for client verification with rest
+        {{- else }}
+        - "--endpoint=http://{{ .Release.Name }}-api-rest:8081"
+        {{- end }}
+        command:
+        - csi-node
         volumeMounts:
         - name: device
           mountPath: /dev
@@ -119,6 +126,12 @@ spec:
         - name: kubelet-dir
           mountPath: {{ .Values.csi.node.kubeletDir }}
           mountPropagation: "Bidirectional"
+        {{- if .Values.tls.enabled }}
+        - name: ca-cert
+          mountPath: /etc/client_cert/ca.crt
+          subPath: ca.crt
+          readOnly: true
+        {{- end }}
         resources:
           limits:
             cpu: {{ .Values.csi.node.resources.limits.cpu | quote }}
@@ -174,3 +187,9 @@ spec:
         hostPath:
           path: {{ .Values.csi.node.kubeletDir }}
           type: Directory
+      {{- if .Values.tls.enabled }}
+      - name: ca-cert
+        secret:
+          defaultMode: 420
+          secretName: api-rest-tls
+      {{- end }}

chart/templates/mayastor/obs/obs-callhome-deployment.yaml

@@ -37,19 +37,31 @@ spec:
         - name: obs-callhome
           image: "{{ .Values.image.registry }}/{{ .Values.image.repo }}/{{ include "image_prefix" . }}-obs-callhome:{{ default .Values.image.tag .Values.image.repoTags.extensions }}"
           args:
-            - "-e http://{{ .Release.Name }}-api-rest:8081"
             - "-n {{ .Release.Namespace }}"{{ if .Values.eventing.enabled }}
             - "--aggregator-url=http://{{ .Release.Name }}-obs-callhome-stats:9090/stats"{{ end }}
             {{ if .Values.obs.callhome.sendReport }}
             - "--send-report"
             {{ end }}
+            {{- if .Values.tls.enabled }}
+            - "--endpoint=https://{{ .Release.Name }}-api-rest:8080"
+            - "--tls-client-ca-path=/etc/client_cert/ca.crt" # CA cert for client verification with rest
+            {{- else }}
+            - "--endpoint=http://{{ .Release.Name }}-api-rest:8081"
+            {{- end }}
           env:
             - name: RUST_LOG
               value: {{ .Values.obs.callhome.logLevel }}
           {{- if .Values.obs.callhome.productName }}
             - name: CALLHOME_PRODUCT_NAME
               value: {{ .Values.obs.callhome.productName | quote }}
           {{- end }}
+          {{- if .Values.tls.enabled }}
+          volumeMounts:
+            - name: ca-cert
+              mountPath: /etc/client_cert/ca.crt
+              subPath: ca.crt
+              readOnly: true
+          {{- end }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           resources:
             limits:
@@ -83,4 +95,11 @@ spec:
               cpu: {{ .Values.obs.stats.resources.requests.cpu | quote }}
               memory: {{ .Values.obs.stats.resources.requests.memory | quote }}
         {{- end }}
+      volumes:
+        {{- if .Values.tls.enabled }}
+        - name: ca-cert
+          secret:
+            defaultMode: 420
+            secretName: api-rest-tls
+        {{- end }}
 {{- end }}