Merge pull request #14 from MbolotSuse/certs-no-root

Adding support for custom CAs and fixing bugs

Author: MbolotSuse

README.md

@@ -12,9 +12,49 @@ The CSP adapter also produces a configmap with Cloud provider specific informati
 can be used by rancher to produce a supportconfig (tar which can be given to support).
 
 ## Installation
-NOTE: The CSP adapter requires rancher to be installed before use (rancher provides node metrics and other important features).
 
-TODO
+Full installation steps can be found in the rancher docs.
+
+This chart requires:
+
+- Rancher version 2.6.6 or higher
+- Rancher is installed on an EKS cluster
+- An IAM role has been configured according to the auth section of the readme and these docs
+- Any private certs have been provided as described in these docs
+
+### Certificate Setup
+
+The adapter communicates with rancher to get accurate node counts. This communication requires that the adapter trusts rancher's certificate.
+
+The adapter supports 2 certificate setups: standard and private.
+
+#### Standard Certificate Setup
+
+If rancher is using a certificate provided by a trusted Certificate Authority (i.e. letsEncrypt) no additional setup is needed.
+
+#### Private Certificate Setup
+
+If rancher is using a self-generated certificate or a certificate signed by a private certificate authority, you will need to provide this certificate for the adapter.
+
+First, extract the certificate into a file called `ca-additional.pem`. If you are using the rancher generated certs option, you can use the below command:
+
+```bash
+kubectl get secret tls-rancher -n cattle-system -o jsonpath="{.data.tls\.crt}" | base64 -d  >> ca-additional.pem
+```
+
+Then, create the secret in the adapter namespace:
+
+```bash
+kubectl -n cattle-csp-adapter-system create secret generic tls-ca-additional --from-file=ca-additional.pem
+```
+
+As this certificate is rotated, you will need to replace the cert following the steps above, and then restart the adapter deployment, like below:
+
+```bash
+kubectl rollout restart deploy/rancher-csp-adapter -n cattle-csp-adapter-system
+```
+
+You can also use tools like certmanager's [trust operator](https://cert-manager.io/docs/projects/trust/) to automate this rotation. Keep in mind that this is not a supported option.
 
 ## CSP Background info 
 

charts/rancher-csp-adapter/templates/deployment.yaml

@@ -29,4 +29,18 @@ spec:
         image: '{{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}'
         name: {{ .Chart.Name }}
         imagePullPolicy: "{{ .Values.image.imagePullPolicy }}"
+{{- if .Values.additionalTrustedCAs }}
+        volumeMounts:
+          - mountPath: /etc/ssl/certs/rancher-cert.pem
+            name: tls-ca-volume
+            subPath: ca-additional.pem
+            readOnly: true
+{{- end }}
       serviceAccountName: {{ .Chart.Name }}
+{{- if .Values.additionalTrustedCAs }}
+      volumes:
+        - name: tls-ca-volume
+          secret:
+            defaultMode: 0444
+            secretName: tls-ca-additional
+{{- end }}

charts/rancher-csp-adapter/values.yaml

@@ -11,6 +11,10 @@ global:
 
 tolerations: []
 
+# if rancher is using a privateCA, this certificate must be provided as a secret in the adapter's namespace - see the
+# readme/docs for more details
+#additionalTrustedCAs: true
+
 # at least one csp must be enabled like below
 aws:
   enabled: false

package/Dockerfile

@@ -1,4 +1,14 @@
 FROM registry.suse.com/bci/bci-micro:15.3
-RUN mkdir -p supportconfig/rancher/
+
+ARG user=adapter
+
+RUN echo "$user:x:1000:1000::/home/$user:/bin/bash" >> /etc/passwd && \
+    echo "$user:x:1000:" >> /etc/group && \
+    mkdir /home/$user && \
+    chown -R $user:$user /home/$user
+
 COPY bin/csp-adapter /usr/bin/
+
+USER $user
+
 CMD ["csp-adapter"]

pkg/manager/aws.go

@@ -146,10 +146,10 @@ func (m *AWS) runComplianceCheck(ctx context.Context) error {
 	if currentCheckoutInfo.EntitledLicenses == requiredLicenses {
 		statusMessage = fmt.Sprintf("%s Rancher server has the required amount of licenses", statusPrefix)
 	} else {
-		statusMessage = fmt.Sprintf("%s You have exceeded your licensed node count. At least %d more licens(es) are required in AWS to become compliant.",
+		statusMessage = fmt.Sprintf("%s You have exceeded your licensed node count. At least %d more license(s) are required in AWS to become compliant.",
 			statusPrefix, requiredLicenses-currentCheckoutInfo.EntitledLicenses)
 	}
-	configMessage := fmt.Sprintf("Rancher server required %d licens(es) and was able to check out %d licens(es)", requiredLicenses, currentCheckoutInfo.EntitledLicenses)
+	configMessage := fmt.Sprintf("Rancher server required %d license(s) and was able to check out %d license(s)", requiredLicenses, currentCheckoutInfo.EntitledLicenses)
 
 	return m.updateAdapterOutput(currentCheckoutInfo.EntitledLicenses == requiredLicenses, configMessage, statusMessage)
 }

pkg/metrics/scraper.go

@@ -1,7 +1,6 @@
 package metrics
 
 import (
-	"crypto/tls"
 	"fmt"
 	"net/http"
 	"strings"
@@ -22,14 +21,9 @@ type scraper struct {
 }
 
 func NewScraper(rancherHost string, cfg *rest.Config) Scraper {
-	tr := &http.Transport{
-		TLSClientConfig: &tls.Config{
-			InsecureSkipVerify: true,
-		},
-	}
 	return &scraper{
 		metricsURL: strings.Join([]string{"https://", rancherHost, "/metrics"}, ""),
-		cli:        &http.Client{Transport: tr},
+		cli:        &http.Client{},
 		cfg:        cfg,
 	}
 }