Certs

.github/dependabot.yml

@@ -5,3 +5,7 @@ updates:
     directory: "/"
     schedule:
       interval: "weekly"
+    groups:
+      github-actions:
+        patterns:
+          - "*"

.github/workflows/build-container.yml

@@ -27,7 +27,7 @@ jobs:
         uses: actions/checkout@v4
       - name: Setup container meta information
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ github.repository }}-build
           labels: |
@@ -46,17 +46,17 @@ jobs:
             type=raw,value=unstable,enable={{is_default_branch}}
       - name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
       - run: echo "Build and push ${{ steps.meta.outputs.tags }}"
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' }}

.github/workflows/container.yml

@@ -46,7 +46,7 @@ jobs:
           fi
       - name: "Setup meta information (IS_VERSION_TAG: ${{ env.IS_VERSION_TAG }}, IS_LATEST_TAG: ${{ env.IS_LATEST_TAG }} )"
         id: meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ github.repository }}
           labels: |
@@ -69,7 +69,7 @@ jobs:
             type=ref,event=pr
       - name: Login to DockerHub
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
         with:
           username: ${{ secrets.DOCKERHUB_USERNAME }}
           password: ${{ secrets.DOCKERHUB_TOKEN }}
@@ -85,11 +85,11 @@ jobs:
       - run: mv assets/nasl-cli-aarch64-unknown-linux-gnu assets/linux/arm64/nasl-cli
       - run: mv assets/nasl-cli-x86_64-unknown-linux-gnu assets/linux/amd64/nasl-cli
       - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
       - name: Build and push
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }}
@@ -102,7 +102,7 @@ jobs:
 
       - name: "Setup meta information debian:oldstable"
         id: old_stable_meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ github.repository }}
           labels: |
@@ -118,7 +118,7 @@ jobs:
             type=raw,value=oldstable-{{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }}
             type=ref,event=pr
       - name: Build and push Container image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }}
@@ -129,7 +129,7 @@ jobs:
 
       - name: "Setup meta information debian:testing"
         id: test_meta
-        uses: docker/metadata-action@v4
+        uses: docker/metadata-action@v5
         with:
           images: ${{ github.repository }}
           labels: |
@@ -145,7 +145,7 @@ jobs:
             type=raw,value=testing-{{branch}}-{{sha}},enable=${{ github.ref_type == 'branch' && github.event_name == 'push' && github.ref_name != 'main' }}
             type=ref,event=pr
       - name: Build and push Container image
-        uses: docker/build-push-action@v4
+        uses: docker/build-push-action@v5
         with:
           context: .
           push: ${{ github.event_name != 'pull_request' && (github.ref_type == 'tag' || github.ref_name == 'main') }}

.github/workflows/helm-build-chart.yml

@@ -18,25 +18,27 @@ jobs:
           metrics-enabled: false
       - name: deploy openvasd
         run: |
-          helm uninstall openvasd || true 
-          helm install openvasd charts/openvasd/ --values charts/openvasd/values.yaml
-          kubectl rollout status --watch --timeout 600s deployment/openvasd
+          helm uninstall openvasd --namespace openvasd|| true 
+          helm install --namespace openvasd --create-namespace openvasd charts/openvasd/ --values charts/openvasd/values.yaml
+          kubectl rollout status --watch --timeout 600s deployment/openvasd --namespace openvasd
           sleep 5
       - id: smoketest
-        run: echo "POD_NAME=$(kubectl get pods |grep openvasd | awk '{print $1;}')" >> $GITHUB_OUTPUT
+        run: echo "POD_NAME=$(kubectl get pods --namespace openvasd |grep openvasd | awk '{print $1;}')" >> $GITHUB_OUTPUT
       - name: forward port
         run: |
           echo "POD_NAME: ${{ steps.smoketest.outputs.POD_NAME }}"
           echo "$(kubectl get pods)"
-          kubectl --namespace default port-forward ${{ steps.smoketest.outputs.POD_NAME }} 8080:3000 &
+          kubectl --namespace openvasd port-forward ${{ steps.smoketest.outputs.POD_NAME }} 8080:3000 &
       - name: smoketest
         working-directory: rust/smoketest
         env:
           API_KEY: changeme
-          OPENVASD: http://127.0.0.1:8080
-          SCAN_CONFIG: simple_scan_ssh_only.json
+          OPENVASD_SERVER: https://127.0.0.1:8080
+          SCAN_CONFIG: configs/simple_scan_ssh_only.json
+          CLIENT_KEY: configs/client_sample.key
+          CLIENT_CERT: configs/client_sample.cert
         run: |
-          make build run
+          make build run-with-certs
       - uses: greenbone/actions/helm-build-push@v3
         if: github.event_name == 'workflow_dispatch'
         with:

.gitignore

@@ -10,7 +10,3 @@ testsuiterun.nasl
 assets/
 *.rsa
 *.pem
-rust/nasl-c-lib/include
-rust/nasl-c-lib/bin
-rust/nasl-c-lib/share
-rust/nasl-c-lib/lib

charts/openvasd/README.md

@@ -4,13 +4,13 @@ Contains the helm chart to deploy openvasd.
 
 To install openvasd helm chart from a local path execute
 
-``` 
-helm install openvasd ./openvasd/ -f openvasd/values.yaml
+```
+helm install openvasd ./openvasd/ -f openvasd/values.yaml --namespace openvasd --create-namespace openvasd
 ```
 
 You can also provide override the initial values within `openvasd/values.yaml` by providing an additional `-f` flag.
 
-As an example imagine you want to override the openvas image to your forked one you can create `~/openvasd.yaml` file containing: 
+As an example imagine you want to override the openvas image to your forked one you can create `~/openvasd.yaml` file containing:
 
 ```
 # Contains openvasd
@@ -20,26 +20,62 @@ openvas:
   tag: "edge"
 ```
 
-if you then execute: 
-``` 
+if you then execute:
+```
 helm install openvasd ./openvasd/ -f openvasd/values.yaml -f ~/openvasd.yaml
 ```
 
 it will use `nichtsfrei/openvas-scanner` instead of `greenbone/openvas-scanner`.
 
+## TLS configuration
+
+This chart is provided with server certificate and private key for example purposes and they should not be used in production systems. Certificate and key where created with [this scripts](../../rust/examples/tls/Self-Signed mTLS Method)
+
+If you want to use your own key/cert pair, you have to base64 encode them and replace the ones in [server-private-key.yaml](templates/server-private-key.yaml).
+
+If you want to enable Self-signed mTLS for client authentication replace the certificate in [client-cets.yaml](templates/client-certs). You can add as many certificates as you have authenticated clients.
+
+For encoding the certificates use the following command
+```
+echo -n "$(cat certs.pem)" | base64
+echo -n "$(cat key.pem)" | base64
+```
+
+You can verify that the secrets where mounted with the following command:
+
+`kubectl describe secrets --namespace openvasd`
+
+
+## Accessing the service
+
+Once you installed the containers, run the following commands to rollout the pods and forward the por to access the service
+
+`kubectl rollout status --watch --timeout 600s deployment/openvasd`
+
+Get the pod name
+`export POD_NAME=$(kubectl get pods --namespace default -l "app.kubernetes.io/name=openvasd,app.kubernetes.io/instance=openvasd" -o jsonpath="{.items[0].metadata.name}")`
+
+Forward the port
+`kubectl --namespace default port-forward $POD_NAME 8080:3000`
+
+For testing, you can use the following command:
+
+`curl --verbose --key $CLIENT_KEY --cert $CLIENT_CERT --insecure --request HEAD https://127.0.0.1:8080 -H "X-API-KEY: changeme"`
+
+
 # Design decisions
 
 ## OSPD and Redis via unix socket
 
 Although it is possible to start OSPD with TLS, it is used in unix socket mode to prevent a user to bypass openvasd and interfere with those scans.
 
-Unfortunately the redis instance is shared between ospd and openvas without any clear separation. It is crucial that the redis instance used by them cannot be modified elsewhere. 
+Unfortunately the redis instance is shared between ospd and openvas without any clear separation. It is crucial that the redis instance used by them cannot be modified elsewhere.
 To ensure redis is not used by another container, it is also started in unix socket mode.
 
 ## No scaling
 
-Due to the current architectural limitation replica count and auto-scaling is completely disabled. 
+Due to the current architectural limitation replica count and auto-scaling is completely disabled.
 
-The reason for that is that openvasd requires ospd which has no cluster capabilities nor a database setup that allows sharing via multiple instances. 
+The reason for that is that openvasd requires ospd which has no cluster capabilities nor a database setup that allows sharing via multiple instances.
 
 That means that each replica would have a completely own state and reqires vertical scaling via deployment so that a customer can choose which openvasd to use.

charts/openvasd/templates/client-certs.yaml

@@ -0,0 +1,95 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: client-certs
+  namespace: openvasd
+data:
+  client1.pem: |
+    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVDVENDQW5HZ0F3SUJBZ0lDQWNnd0RRWUpL
+    b1pJaHZjTkFRRUxCUUF3TERFcU1DZ0dBMVVFQXd3aGNHOXUKZVhSdmQyNGdVbE5CSUd4bGRtVnNJ
+    RElnYVc1MFpYSnRaV1JwWVhSbE1CNFhEVEl6TURZeU9ERXdNRGd3TjFvWApEVEk0TVRJeE9ERXdN
+    RGd3TjFvd0dURVhNQlVHQTFVRUF3d09kR1Z6ZEhObGNuWmxjaTVqYjIwd2dnRWlNQTBHCkNTcUdT
+    SWIzRFFFQkFRVUFBNElCRHdBd2dnRUtBb0lCQVFERkR3cWZMb2RiamNkZGhuVGdHOGxNMmsxakNM
+    b28KUkN4VkV6d2czYStBOUp3L3VZakt2Y0dzWm4yR0lkeXJ3QTIxdVVSSE4xMTJWK3VKODVqV3JR
+    VlkzeDNnNkJqbwpZVkhOZUVRajlja2dUcXBFNHFEclJCamJIZTB4TDJwanlHdjJnbW5xUkxzTkJn
+    QlFoQ3BpdTZGcGFjSFU5T3hRCm8xUHBMbzNrdjhqVytlMkVtMFBDZDVwQmxwbjBoSmw2a2JHbnBz
+    TXpvaWd0RUwxTWNydUtXK0g0ZEQrdlhHSXIKSjk0MXFzL0Nxdk9YbG9sby9vWFd0TTdYSEx0WUt1
+    ODNnWUMzZ2ZDSGNOYktQeFZiNGMrVUlOWWFyWTBCQmVFRQo5aGtDL3BzNG9EUG5TNnk0Y3pMSkNr
+    NjZYRnZ6VFg0Skg4MTZMa2FxM0Q5ejN0aFdaaFBIN1lTVEFnTUJBQUdqCmdjY3dnY1F3REFZRFZS
+    MFRBUUgvQkFJd0FEQUxCZ05WSFE4RUJBTUNCc0F3SFFZRFZSME9CQllFRk50QXBzNWYKRllWYUxV
+    MEt0WUtqa0xEWUdrak9NRUlHQTFVZEl3UTdNRG1BRkxmSThwVGxkY081bFZ5VVNIQTlSdUtFb1dP
+    dQpvUjZrSERBYU1SZ3dGZ1lEVlFRRERBOXdiMjU1ZEc5M2JpQlNVMEVnUTBHQ0FYc3dSQVlEVlIw
+    UkJEMHdPNElWCmJHOWpZV3hvYjNOMExteHZZMkZzWkc5dFlXbHVnaGRzYjJOaGJHaHZjM1EwTG14
+    dlkyRnNaRzl0WVdsdU5JSUoKYkc5allXeG9iM04wTUEwR0NTcUdTSWIzRFFFQkN3VUFBNElCZ1FB
+    RGVGUDYxTmhPa1FlMHhkTUtVWVFNaFc0MwpVVGtoNWU0N2pBUEJtMmsrWTBLcUY0ZUFwSEp5a3Fq
+    N0hhT0prMFBNckhRUDl6YksvSzVMV3B6cjkvbnpkd0dECmR2VWNXWElyMVVYK2VrS3VYa1hGTTMr
+    cHVSTkZMQ3RjbXAzS1MySm0xMlZDclBEZE03cmQ4cU92d1c1Q0pqSEcKSjRxdyt1Y1gxeDVZeStI
+    ZUZzQytFK2JQTjlycXdRSGFHdnBzOUI5emJVVVhRL1duRjlwa0JGb2VjVnYwWjVWKwpjWlVIb241
+    QjJWKzdqVUFSY1dtSm94Wm9EaFNnMW9zQ1pVL1NpSGF0R2dIQ2lKVmUzTDlpVGhDY0x5eGovRnlT
+    CmpDdG5hbXB0ZTRBYmVSM0t4VDVJZjZDZHlTeGNDeEdqcmhFeXBQUVR0cmQ1eGgzRS9oUXFZN2Yx
+    cXFsR29PYVgKY2FaQWw1Q1dmVGIyWGVUbTd3WmxvOHhuVGZpSXh5Mkx2UldUZ2FHODZBSjJUNktG
+    enNuRlhCVjFkTFJUV3ArMApSWkVDRm5adHBKdU1hU1ZIL0JtY0dlMlp3Z3MrNE9wWDZ1TTFnZTVX
+    NnAxenVpeU5qZU9BY0x6ZXR4QUFBQUlPCmsyQnA5Y3RoQmwzR1JicnJCWnVBM25MK2EwcUt6SjRX
+    Qm9ad3M3UT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQotLS0tLUJFR0lOIENFUlRJRklDQVRF
+    LS0tLS0KTUlJRW56Q0NBb2VnQXdJQkFnSUJlekFOQmdrcWhraUc5dzBCQVFzRkFEQWFNUmd3RmdZ
+    RFZRUUREQTl3YjI1NQpkRzkzYmlCU1UwRWdRMEV3SGhjTk1qTXdOakk0TVRBd09EQTNXaGNOTXpN
+    d05qSTFNVEF3T0RBM1dqQXNNU293CktBWURWUVFERENGd2IyNTVkRzkzYmlCU1UwRWdiR1YyWld3
+    Z01pQnBiblJsY20xbFpHbGhkR1V3Z2dHaU1BMEcKQ1NxR1NJYjNEUUVCQVFVQUE0SUJqd0F3Z2dH
+    S0FvSUJnUUNqZUZiOWM2US9UK1NpMEU5aFBiNXdJU0RDZ3VjTwpVZVgxcUdIdlIvYUJKeW9OZ0xi
+    cURWbkhPcXYzSWhjWnExSHFmcXNvSzFib3huVFVqNVhDUjF5OTdobnIvTmkyCmxWWUUwdlEzeWxL
+    NHV4L3FKcGZwSkprdTF0dzk4Y2lKWXhxU2s5VENaWGdiMnFPeGxtVUxIZmY4VnExaEtLVEMKVDRO
+    dEptWStTNzk3Vkh1b2VoVVphZGtTdFNjdmI0MU5KZ1JZOTdwK0lYbzhNT3UwVEx6TEQrVWJpMGdI
+    NTNadgpzeFA2dWRtUjhQVk1wblVBSmVqNDZBbDBsN1dJZG16dmczaDBGNlNFTkQ2QW50WEJsUkdw
+    ejIzSk44OXlDaVhyClNEd3VsWGxEVmJMUy9EeHNYUklmYkNObGpFVGdOTVhjYmc0NkkzcHN2K0w4
+    T2t6TVNNT01sWkM4QkpJd3VDVlIKN1lFSno5ODdReGxNb1Q3ajBVM3V1YTZFUy9RSVVidXdnelhT
+    OUpoZTNsUlVnczBEU2l4UnFwSnYyQ052VXhsdwpvd09BYUt0bU1BY3FRWndWeVZEa1MvUjZ2MXBp
+    SENXQXRtQmNBY0tXOVljWEJZbTVlK1pJNkFYeVBHYm5kSVA3Ck83UjJNQnZaN2QxdUs3K0htTmY5
+    NzRKRkhaakI5Y2dSV3dzQ0F3RUFBYU5lTUZ3d0hRWURWUjBPQkJZRUZMZkkKOHBUbGRjTzVsVnlV
+    U0hBOVJ1S0VvV091TUNBR0ExVWRKUUVCL3dRV01CUUdDQ3NHQVFVRkJ3TUJCZ2dyQmdFRgpCUWNE
+    QWpBTUJnTlZIUk1FQlRBREFRSC9NQXNHQTFVZER3UUVBd0lCL2pBTkJna3Foa2lHOXcwQkFRc0ZB
+    QU9DCkFnRUFLejI2S1EwQ1ROcjA4SXN3OEQzczliT1cyMzVlLzM3Wk1qVksyQWhBQTc1RVZVSGk5
+    VERrYnpjcFZsU08KTzJlcHV5alFHSUdUU0hpS3k5K2g2cTR5dTVXOXJIRDl4NjN4MzA4dmY5eW5C
+    M1VZKzFSUmczSDJ0cTFYblNtUgpZaXZka1o2SHdsWWdPMTVFa2YvaDNKd0cvSDRrVGtRbktZWlha
+    N29LNGdLQmVvUklIWTRQMkNVdlRNS2owQzE2CmVaSzZMck9JZ2E2dmlnUVpNMndzKzJZaXdSZzJp
+    NU05akZnZUNnc0tWUGhMZXN4STA5SkZ5dEhZZVN0VXZyZ3AKODNkR3QvZkEvcU9MdmxmOEZzTXV1
+    YWUzSWZxU3dNY2h5cnVYR0l4OURVdjJ5YVlpV1Z6L2FjdDRxRFd6MmJMbgpVaEhOT3pqclg0V2lx
+    VTdyQ3VjZmNGb3FUdVBMVFVDa202YkNrY3VXY01yWkxNTHg5SnRrNmVMMm5rSFowbU5PCkVkK1lt
+    akpYZ3ZxSzBqQTVwZnN1L25vc1dUMWMxNFkwSFBkdFNjaFVNOENoK3BZdksreFUzNTJKZDF6MVBB
+    QU4KajU1OGk3R3NxOENFclZiQkNrSlNDWEhwY0dLc0g4YnZFRlllSkhFZU1xRmNhaDdwTkV0eXE1
+    Yi9uQWxHQ2lSagp2emVZcDRPR3d4NlhsdWhlREt4RWowYmhYK1BqaUNJRXVnVys1MXRJWXZ1Ui9B
+    eU1aMm1mL1JlR2ZGbFR6VG1wCi9DSW5MOGtDTjlsb3cwNzhPSVZhVVVqUXI2ZjIrWC9xbDFGd0o2
+    WmQ3NXBwc3ZrNWZ2VHVUdkQ4UFhETVQ2SDIKV0hJRENHSGJoSmYydVoxMGdjY2JxNW10S1ZJdXJQ
+    Si9KZ0Y2NzVZa1ZxWE0zOE09Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KLS0tLS1CRUdJTiBD
+    RVJUSUZJQ0FURS0tLS0tCk1JSUZGVENDQXYyZ0F3SUJBZ0lVSFNhNkV1NS9ITjUxR2FUY3E4V25p
+    VFpNczY4d0RRWUpLb1pJaHZjTkFRRUwKQlFBd0dqRVlNQllHQTFVRUF3d1BjRzl1ZVhSdmQyNGdV
+    bE5CSUVOQk1CNFhEVEl6TURZeU9ERXdNRGd3TjFvWApEVE16TURZeU5URXdNRGd3TjFvd0dqRVlN
+    QllHQTFVRUF3d1BjRzl1ZVhSdmQyNGdVbE5CSUVOQk1JSUNJakFOCkJna3Foa2lHOXcwQkFRRUZB
+    QU9DQWc4QU1JSUNDZ0tDQWdFQXZRZTQwajQ4NE1qWXhkdXVlN0c4TlRWd2lyN3AKOG10RDB4L0pD
+    dVBoL3lkcE1WbFlCUkNhTGF1K2F2eHNUMnpSbDgxNy9IZGdCUysxUEVRTjhteTVZZklOd0oxdwpl
+    WnVWQ1Z3Wlk5NlBNNmVPanBYaEpabGFPQzFabnB4TlBSaVU2alU5cWU1amQ0TUl6RzJaYWhMcDVo
+    YzkrK1lZCm01SVNsVWFCdStPQXN1cHJCdlNsTysyWkdoTENyZ0pHQ1ByNkp0NEJvTzVtaHpUc0xL
+    czA1ZENqSmlkcGZBejgKSTFiQjBzRXR2Tm1TRHB2YjViWFNzd041YlZ6bGJGYmR5RTBCYm5FNVBi
+    WUdMT1RxT0tTY0kzeERuTmFSOFd0VQpNMEVwaURBODlIN013eldObnZ3U1B6OFdxMEpsQWpqdjdy
+    TWU0RDFUblNlY0NCbmlCdEZkSlVhTFUrMTRJTzUvCk9TVTZ1SlVVUDE1blZjQnNXQSttbFNLVE92
+    aUIwTkJEY1dyR1E4b1JZSnhuMktlMkV0YmlJby9rZ2JNOTQ3N2sKVjZlQTF6TC9CcDRKTFhBOTVo
+    MmowZ1k1ckNneGo1ZFhvS1VKUytBYk9nRzFKbW5udjBXVVZNdmxDejZJWFA4YQo0RDR1R0ZWVFN2
+    Z0VuWFBvTU01R2xSUSt1YksvRXZnc2d0MG42QVZwM3d0U2RHSmRWaFlpTXBNQUl4Ry80V0lhCnhZ
+    MDU0bnVVeEFoRGtZaC9VZDRVK2dUcEJCT3dmWldlZWJKQk1haXFsNTZRdURSMlNRUE9BZXBCMHJq
+    T01pLysKMkFWUHhMMUREb0F1RVJkTnhPTWdqc1p1RkVmVHRUZXRwYTgrQXJHWFlNMXM0K0lZRXJQ
+    SDZVUW9GNlNvQytvTQpIbGRiYjdmUTBOQ2ZRcmtDQXdFQUFhTlRNRkV3SFFZRFZSME9CQllFRkt2
+    Q21RS0gyYzVKRHd6MnZKOGlzbWtrCmR0bUxNQjhHQTFVZEl3UVlNQmFBRkt2Q21RS0gyYzVKRHd6
+    MnZKOGlzbWtrZHRtTE1BOEdBMVVkRXdFQi93UUYKTUFNQkFmOHdEUVlKS29aSWh2Y05BUUVMQlFB
+    RGdnSUJBQ3R3QXY5VHU2U2FOKzFmVXNZUUlQRmkrSzlvdTljSAplWk13SmxhY3BDQzRkdzJTcjZ0
+    SkRBc1ZkbXZ6YTFPZVF3S3NtRU1JL0hlc2VvREZST0kvUzFIK2EzNEFBWjFYCk5mcm8vNjh5eEhH
+    VWdIcGs3blo2eTNIbFNObU91aGs2MDJCZUVoNE1kMDM0cmcxUElHQzAwNFc3SnozSXEzemsKRG4v
+    WTZ4bFI1QXFMNU56QUtrZUZYTjJBWHpMVkE4NlRSVHV5NHVWS0FFQmt1b05KbnNwR0hFU2tCUmtN
+    dHNPUApnMHVkQ1JMTCt1SGVxTWszeUs0U1BvWDdpVTlTeVBpNUJFc2ZEaVZTVmRlNFljYk9wYWdV
+    MVVCckhnWmN6YkpzCktnNXNNQURpTkM5ZkV5amh1TWxNMVhlMXFYbjE2UEdUVnN1YXRVMEd4TjAr
+    dGJiZFJBNzdmSnovZHRYZ09jUjcKbXAxVU1vUEtkTnJHMTdmbzU1WDBUMmF1ZUxkRDB3TWJHMzRL
+    RVNIeE9tNWYvRFBFWnNPNExxRk1mdUkvOEdMRApYaTVjd2c5U25RSmYyNGZIS0pvQVhndVlCTzZB
+    QVlkL2trM0ROVWZZOUd4Y2dPM3lGS0cwNk9mcnA2aVBqUjA3CitmRDZrZzJEU1ZOd0pnS2lCakVw
+    TXN1azlubzdNWVJsdXFPLzdwYmpnWDJLRER6MzgxNlpWWFlOWFV5dVRSejEKVk5FNXhuTVdMUTht
+    Q0tSMlVtODhuN05VaW9QclJGS3ZScDNVa1BQeE4reFpyTzhqTUE3aHNGcm84cGxWZnZ4ZQpJa05N
+    b2U4VUFKYXZHSXlvR000UmszZXl6eXY2dm9ScEcwdjBLeC9ZVGhGeGU2ZUNmYUhSRTB2ZlFid0dR
+    VEZoCkhsdmhIa01wL1NCVwotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t
+

charts/openvasd/templates/deployment.yaml

@@ -42,6 +42,12 @@ spec:
         emptyDir: {}
       - name: ospd-logs
         emptyDir: {}
+      - name: server-private-key
+        secret:
+          secretName: server-private-key
+      - name: client-certs
+        secret:
+          secretName: client-certs
       initContainers:
       - name: nasl
         image: "{{ .Values.vulnerabilitytests.repository }}:{{ .Values.vulnerabilitytests.tag }}"
@@ -140,6 +146,12 @@ spec:
           mountPath: /etc/openvas
         - name: ospd-socket
           mountPath: /run/ospd/
+        - mountPath: "/etc/openvasd/tls/"
+          name: server-private-key
+          readOnly: true
+        - mountPath: "/etc/openvasd/clientcerts"
+          name: client-certs
+          readOnly: true
         securityContext:
           capabilities:
             add:
@@ -156,7 +168,13 @@ spec:
           - name: OPENVASD_LOG
             value: {{ .Values.openvasd.loglevel | default "INFO" }} 
           - name: API_KEY
-            value: {{ .Values.openvasd.apikey }} 
+            value: {{ .Values.openvasd.apikey }}
+          - name: TLS_CERTS
+            value: "/etc/openvasd/tls/certs.pem"
+          - name: TLS_KEY
+            value: "/etc/openvasd/tls/key.pem"
+          - name: TLS_CLIENT_CERTS
+            value: "/etc/openvasd/clientcerts/"
       - name: ospd
         image: "{{ .Values.ospd.repository }}:{{ .Values.ospd.tag }}"
         imagePullPolicy: Always