From e1d497b3904f9efe2fb7a5db54836a056efb15e6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20R=C3=B6hrich?=
Date: Tue, 8 Aug 2023 14:46:10 +0200
Subject: [PATCH 1/3] Fix and test self-signed issuer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Fix the name of the self-signed issuer in the annotation of the ingress.
- Add test ensuring the certificates and ingresses and annotations are created as expeced
- Fix broken tests for COSI RBAC resources

Fixes: aquarist-labs/s3gw#655

Signed-off-by: Moritz Röhrich
---
 charts/s3gw/templates/_helpers.tpl | 11 +++
 charts/s3gw/templates/certificate.yaml | 7 +-
 charts/s3gw/templates/ingress-traefik.yaml | 4 +-
 charts/s3gw/templates/tls-issuer.yaml | 27 +++---
 charts/s3gw/tests/certmanager_test.yaml | 97 ++++++++++++++++++++++
 charts/s3gw/tests/cosi_test.yaml | 14 ++--
 6 files changed, 135 insertions(+), 25 deletions(-)
 create mode 100644 charts/s3gw/tests/certmanager_test.yaml

diff --git a/charts/s3gw/templates/_helpers.tpl b/charts/s3gw/templates/_helpers.tpl
index b6dc68a..a7baa69 100644
--- a/charts/s3gw/templates/_helpers.tpl
+++ b/charts/s3gw/templates/_helpers.tpl
@@ -239,3 +239,14 @@ COSI endpoint
 {{- $endpoint := default $defaultendpoint .Values.cosi.driver.endpoint }}
 {{- $endpoint }}
 {{- end }}
+
+
+{{- define "s3gw.tlsIssuerName" -}}
+{{- if eq .Values.tlsIssuer "s3gw-issuer" }}
+{{- printf "%s-%s-self-signed-issuer" .Release.Name .Release.Namespace }}
+{{- else if eq .Values.tlsIssuer "s3gw-letsencrypt-issuer" }}
+{{- printf "%s-%s-letsencrypt-issuer" .Release.Name .Release.Namespace }}
+{{- else }}
+{{- printf "%s-%s-%s-issuer" .Release.Name .Release.Namespace .Values.tlsIssuer }}
+{{- end }}
+{{- end }}
diff --git a/charts/s3gw/templates/certificate.yaml b/charts/s3gw/templates/certificate.yaml
index aa0f796..7ec4d95 100644
--- a/charts/s3gw/templates/certificate.yaml
+++ b/charts/s3gw/templates/certificate.yaml
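Review bot: The final `else` branch of `s3gw.tlsIssuerName` accepts any `tlsIssuer` value and builds `<release>-<namespace>-<value>-issuer`, but the ClusterIssuer that tls-issuer.yaml renders under that name in this same commit only has `selfSigned`/`acme` branches for the two known values, so a misspelt value (constructed example: `s3gw-isuer`) renders an issuer with an empty `spec` plus an ingress annotation pointing at it; cert-manager will reject or never ready that object, the ingress certificate is never issued, and nothing fails at `helm install` time. values.yaml also documents only the two predefined names. Replace the branch with `{{- else }}{{- fail (printf "unsupported tlsIssuer %q" .Values.tlsIssuer) }}` so the misconfiguration surfaces at render time, and add a short comment above the `define` stating that this name is the one value the ingress annotation and the ClusterIssuer `metadata.name` must agree on.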
@@ -1,6 +1,8 @@
 {{- if .Values.useCertManager }}
 ---
 # s3gw-ca root certificate
+# This is the root certificate that will be used by the private ca issuer to
+# issue a certificate for the cluster-internal connection
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -13,13 +15,14 @@ spec:
 isCA: true
 issuerRef:
 kind: ClusterIssuer
- name: {{ .Release.Name }}-{{ .Release.Namespace }}-self-signed-issuer
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-private-issuer
 privateKey:
 algorithm: ECDSA
 size: 256
 secretName: {{ .Release.Name }}-{{ .Release.Namespace }}-ca-root
 ---
 # s3gw internal service certificate (private domain)
+# This is the certificate that is requested for the cluster internal connection
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -33,6 +36,6 @@ spec:
 - '*.{{ include "s3gw.serviceName" . }}.{{ .Release.Namespace }}.{{ .Values.privateDomain }}'
 issuerRef:
 kind: ClusterIssuer
- name: {{ .Release.Name }}-{{ .Release.Namespace }}-issuer
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-private-issuer
 secretName: {{ .Release.Name }}-{{ .Release.Namespace }}-cluster-ip-tls
 {{- end }}
diff --git a/charts/s3gw/templates/ingress-traefik.yaml b/charts/s3gw/templates/ingress-traefik.yaml
index fff133c..ed9520c 100644
--- a/charts/s3gw/templates/ingress-traefik.yaml
+++ b/charts/s3gw/templates/ingress-traefik.yaml
@@ -12,7 +12,7 @@ metadata:
 traefik.ingress.kubernetes.io/router.tls: "true"
 traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-{{ include "s3gw.CORSMiddlewareName" . }}@kubernetescrd'
- cert-manager.io/cluster-issuer: {{ default .Values.tlsIssuer .Values.customTlsIssuer | quote }}
+ cert-manager.io/cluster-issuer: {{ include "s3gw.tlsIssuerName" . | quote }}
 spec:
 tls:
 - hosts:
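Review bot: The root CA Certificate (second hunk, `isCA: true`) now names `-private-issuer` in its `issuerRef`, but tls-issuer.yaml in this same commit defines that ClusterIssuer as `ca:` backed by `secretName: {{ .Release.Name }}-{{ .Release.Namespace }}-ca-root`, which is exactly the `secretName` this Certificate writes; unless that secret is provisioned outside the chart, the CA issuer has no key to sign with, the root never becomes Ready, and the cluster-ip certificate that depends on it cannot be issued either. Before this change the root was signed by the `selfSigned: {}` ClusterIssuer, which is the usual cert-manager bootstrap, and that issuer is now rendered only when `tlsIssuer` is `s3gw-issuer` and under the ingress-facing name. Keep an unconditional self-signed bootstrap ClusterIssuer in tls-issuer.yaml and point this `issuerRef.name` at it, leaving `-private-issuer` for the cluster-ip certificate only. The new unit tests compare document names only and would not surface this.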
@@ -88,7 +88,7 @@ metadata:
 traefik.ingress.kubernetes.io/router.tls: "true"
 traefik.ingress.kubernetes.io/router.middlewares: '{{ .Release.Namespace }}-{{ include "s3gw.CORSMiddlewareName" . }}@kubernetescrd'
- cert-manager.io/cluster-issuer: {{ default .Values.tlsIssuer .Values.customTlsIssuer | quote }}
+ cert-manager.io/cluster-issuer: {{ include "s3gw.tlsIssuerName" . | quote }}
 spec:
 tls:
 - hosts:
diff --git a/charts/s3gw/templates/tls-issuer.yaml b/charts/s3gw/templates/tls-issuer.yaml
index e9ae249..fc9d3d5 100644
--- a/charts/s3gw/templates/tls-issuer.yaml
+++ b/charts/s3gw/templates/tls-issuer.yaml
@@ -1,36 +1,33 @@
 {{- if .Values.useCertManager }}
-{{- if eq .Values.tlsIssuer "s3gw-issuer" }}
----
-# Self-signed issuer
-apiVersion: cert-manager.io/v1
-kind: ClusterIssuer
-metadata:
- name: {{ .Release.Name }}-{{ .Release.Namespace }}-self-signed-issuer
- labels:
-{{ include "s3gw.labels" . | indent 4}}
-spec:
- selfSigned: {}
 ---
 # Private s3gw-ca issuer
+# This issuer is needed in all cases to issue a certificate for the
+# cluster-internal connection
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
- name: {{ .Release.Name }}-{{ .Release.Namespace }}-issuer
+ name: {{ .Release.Name }}-{{ .Release.Namespace }}-private-issuer
 labels:
 {{ include "s3gw.labels" . | indent 4}}
 spec:
 ca:
 secretName: {{ .Release.Name }}-{{ .Release.Namespace }}-ca-root
-{{- else if eq .Values.tlsIssuer "s3gw-letsencrypt-issuer" }}
 ---
-# Let's encrypt production issuer
+# This issuer is either using self-signed certificates or requesting
+# certificates from Letsencrypt. This is used to issue certificates for the
+# ingress, both for the S3 endpoint at the ingres as well as the UI.
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
- name: {{ .Release.Name }}-{{ .Release.Namespace }}-letsencrypt-issuer
+ name: {{ include "s3gw.tlsIssuerName" . | quote }}
 labels:
 {{ include "s3gw.labels" . | indent 4}}
 spec:
+{{- if eq .Values.tlsIssuer "s3gw-issuer" }}
+ # Self-signed issuer
+ selfSigned: {}
+{{- else if eq .Values.tlsIssuer "s3gw-letsencrypt-issuer" }}
+ # Let's encrypt production issuer
 acme:
 email: {{ .Values.email }}
 preferredChain: ""
diff --git a/charts/s3gw/tests/certmanager_test.yaml b/charts/s3gw/tests/certmanager_test.yaml
new file mode 100644
index 0000000..f04a545
--- /dev/null
+++ b/charts/s3gw/tests/certmanager_test.yaml
@@ -0,0 +1,97 @@
+---
+suite: Certificate Manager
+templates:
+ - ingress-traefik.yaml
+ - tls-issuer.yaml
+ - certificate.yaml
+release:
+ name: s3gw-release
+ namespace: s3gw-system
+set:
+ ingress.enabled: true
+ useCertManager: true
+ certManagerNamespace: "cert-manager-system"
+tests:
+
+ - it: Certificates
+ asserts:
+
+ - hasDocuments:
+ count: 2
+ template: certificate.yaml
+
+ - containsDocument:
+ kind: Certificate
+ apiVersion: cert-manager.io/v1
+ name: s3gw-release-s3gw-system-ca-cert
+ namespace: cert-manager-system
+ documentIndex: 0
+ template: certificate.yaml
+
+ - containsDocument:
+ kind: Certificate
+ apiVersion: cert-manager.io/v1
+ name: s3gw-release-s3gw-system-cluster-ip-cert
+ namespace: s3gw-system
+ documentIndex: 1
+ template: certificate.yaml
+
+ - it: Self Signed Issuer
+ set:
+ tlsIssuer: "s3gw-issuer"
+ asserts:
+
+ - hasDocuments:
+ count: 2
+ template: tls-issuer.yaml
+
+ - containsDocument:
+ kind: ClusterIssuer
+ apiVersion: cert-manager.io/v1
+ name: s3gw-release-s3gw-system-private-issuer
+ documentIndex: 0
+ template: tls-issuer.yaml
+
+ - containsDocument:
+ kind: ClusterIssuer
+ apiVersion: cert-manager.io/v1
+ name: s3gw-release-s3gw-system-self-signed-issuer
+ documentIndex: 1
+ template: tls-issuer.yaml
+
+ - isSubset:
+ path: metadata.annotations
+ content:
+ cert-manager.io/cluster-issuer: s3gw-release-s3gw-system-self-signed-issuer
+ documentIndex: 0
+ template: ingress-traefik.yaml
+
+ - it: Letsencrypt Issuer
+ set:
+ tlsIssuer: "s3gw-letsencrypt-issuer"
+ asserts:
+
+ - hasDocuments:
+ count: 2
+ template: tls-issuer.yaml
+
+ - containsDocument:
+ kind: ClusterIssuer
+ apiVersion: cert-manager.io/v1
+ name: s3gw-release-s3gw-system-private-issuer
+ documentIndex: 0
+ template: tls-issuer.yaml
+
+ - containsDocument:
+ kind: ClusterIssuer
+ apiVersion: cert-manager.io/v1
+ name: s3gw-release-s3gw-system-letsencrypt-issuer
+ documentIndex: 1
+ template: tls-issuer.yaml
+
+ - isSubset:
+ path: metadata.annotations
content:
+ cert-manager.io/cluster-issuer: s3gw-release-s3gw-system-letsencrypt-issuer
+ documentIndex: 0
+ template: ingress-traefik.yaml
diff --git a/charts/s3gw/tests/cosi_test.yaml b/charts/s3gw/tests/cosi_test.yaml
index 44dc1ac..ae7c835 100644
--- a/charts/s3gw/tests/cosi_test.yaml
+++ b/charts/s3gw/tests/cosi_test.yaml
@@ -91,25 +91,27 @@ tests:
 count: 2
 template: cosi-rbac.yaml
+ - isKind:
+ of: ClusterRole
+ documentIndex: 0
+ template: cosi-rbac.yaml
+
 - containsDocument:
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 name: s3gw-name-s3gw-namespace-objectstorage-provisioner-role
+ documentIndex: 0
 template: cosi-rbac.yaml
 - isKind:
- of: ClusterRole
- documentIndex: 0
+ of: ClusterRoleBinding
+ documentIndex: 1
 template: cosi-rbac.yaml
 - containsDocument:
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
 name: s3gw-name-s3gw-namespace-objectstorage-provisioner-role-binding
- template: cosi-rbac.yaml
-
- - isKind:
- of: ClusterRoleBinding
 documentIndex: 1
 template: cosi-rbac.yaml

From d88dc5a84ef6ff069d751dd721ef8dfd442141e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20R=C3=B6hrich?=
Date: Thu, 17 Aug 2023 10:37:21 +0200
Subject: [PATCH 2/3] Add custom TLS issuer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Add an override option for a custom TLS issuer that is not the letsencrypt issuer or the self-signed issuer.

Signed-off-by: Moritz Röhrich
---
 charts/s3gw/templates/_helpers.tpl | 4 +++-
 charts/s3gw/templates/tls-issuer.yaml | 2 +-
 charts/s3gw/tests/certmanager_test.yaml | 17 +++++++++++++++++
 charts/s3gw/values.yaml | 4 ++++
 4 files changed, 25 insertions(+), 2 deletions(-)

diff --git a/charts/s3gw/templates/_helpers.tpl b/charts/s3gw/templates/_helpers.tpl
index a7baa69..2ba295b 100644
--- a/charts/s3gw/templates/_helpers.tpl
+++ b/charts/s3gw/templates/_helpers.tpl
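Review bot: The new certmanager_test.yaml asserts document counts and `metadata.name` only; nothing checks `spec.issuerRef.name` on either Certificate, nor that the second ClusterIssuer's `spec` actually carries `selfSigned` or `acme`, which is the behaviour the template change is about, so a wrong issuer wiring renders cleanly and passes. For each Certificate document add an `equal` with `path: spec.issuerRef.name` and the expected issuer name, and for `documentIndex: 1` of tls-issuer.yaml an `isNotNull` on `spec.selfSigned` in the self-signed case and on `spec.acme` in the letsencrypt case. The `isSubset` on `metadata.annotations` covers only `documentIndex: 0` of ingress-traefik.yaml, while the second Ingress (the hunk at line 88) receives the same annotation; repeat the assertion for its document index.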
@@ -242,7 +242,9 @@ COSI endpoint
 {{- define "s3gw.tlsIssuerName" -}}
-{{- if eq .Values.tlsIssuer "s3gw-issuer" }}
+{{- if .Values.customTlsIssuer }}
+{{- printf "%s" .Values.customTlsIssuer }}
+{{- else if eq .Values.tlsIssuer "s3gw-issuer" }}
 {{- printf "%s-%s-self-signed-issuer" .Release.Name .Release.Namespace }}
 {{- else if eq .Values.tlsIssuer "s3gw-letsencrypt-issuer" }}
 {{- printf "%s-%s-letsencrypt-issuer" .Release.Name .Release.Namespace }}
diff --git a/charts/s3gw/templates/tls-issuer.yaml b/charts/s3gw/templates/tls-issuer.yaml
index fc9d3d5..0e5c342 100644
--- a/charts/s3gw/templates/tls-issuer.yaml
+++ b/charts/s3gw/templates/tls-issuer.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.useCertManager }}
+{{- if and .Values.useCertManager (empty .Values.customTlsIssuer) }}
 ---
 # Private s3gw-ca issuer
 # This issuer is needed in all cases to issue a certificate for the
diff --git a/charts/s3gw/tests/certmanager_test.yaml b/charts/s3gw/tests/certmanager_test.yaml
index f04a545..28b4e20 100644
--- a/charts/s3gw/tests/certmanager_test.yaml
+++ b/charts/s3gw/tests/certmanager_test.yaml
@@ -36,6 +36,23 @@ tests:
 documentIndex: 1
 template: certificate.yaml
+ - it: Custom TLS Issuer
+ set:
+ tlsIssuer: "s3gw-issuer"
+ customTlsIssuer: "my-tls-issuer"
+ asserts:
+
+ - hasDocuments:
+ count: 0
+ template: tls-issuer.yaml
+
+ - isSubset:
+ path: metadata.annotations
+ content:
+ cert-manager.io/cluster-issuer: my-tls-issuer
+ documentIndex: 0
+ template: ingress-traefik.yaml
+
 - it: Self Signed Issuer
 set:
 tlsIssuer: "s3gw-issuer"
diff --git a/charts/s3gw/values.yaml b/charts/s3gw/values.yaml
index d8fdd0a..4a6bb95 100644
--- a/charts/s3gw/values.yaml
+++ b/charts/s3gw/values.yaml
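Review bot: `{{- printf "%s" .Values.customTlsIssuer }}` formats a string as itself; `{{- .Values.customTlsIssuer }}` reads the same and drops the redundant call. Since this helper is now the single place that decides which ClusterIssuer name the ingress annotation and tls-issuer.yaml agree on, a comment above the `define` documenting the precedence would help the next reader, for example `{{/* Name of the ClusterIssuer used for ingress certificates: customTlsIssuer if set, otherwise the chart-managed self-signed or letsencrypt issuer */}}`, as nothing in the template itself says that `customTlsIssuer` wins over `tlsIssuer`.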
@@ -11,6 +11,10 @@ certManagerNamespace: cert-manager
 # The name of the predefined TLS issuer to use (s3gw-issuer,
 # s3gw-letsencrypt-issuer).
 tlsIssuer: "s3gw-issuer"
+# The customTlsIssuer overrides any other TLS issuer. It is otherwise completely
+# independent from the provided config, but can be used for any configuration
+# not possible with the letsencrypt issuer or the self-signed issuer
+# customTlsIssuer: ""
 # The email address you are planning to use for getting notifications
 # about your certificates. Fill this if you are using the
 # 's3gw-letsencrypt-issuer'.

From 6e3e1c54210989e6409dc7d42d6ff9492401b79f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Moritz=20R=C3=B6hrich?=
Date: Thu, 17 Aug 2023 17:41:19 +0200
Subject: [PATCH 3/3] custom tls issuer: fix private issuer
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Fix cluster-internal private issuer if a custom TLS issuer is specified.

Signed-off-by: Moritz Röhrich
---
 charts/s3gw/templates/tls-issuer.yaml | 4 +++-
 charts/s3gw/tests/certmanager_test.yaml | 9 ++++++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/charts/s3gw/templates/tls-issuer.yaml b/charts/s3gw/templates/tls-issuer.yaml
index 0e5c342..89d5816 100644
--- a/charts/s3gw/templates/tls-issuer.yaml
+++ b/charts/s3gw/templates/tls-issuer.yaml
@@ -1,4 +1,4 @@
-{{- if and .Values.useCertManager (empty .Values.customTlsIssuer) }}
+{{- if .Values.useCertManager }}
 ---
 # Private s3gw-ca issuer
 # This issuer is needed in all cases to issue a certificate for the
@@ -12,6 +12,7 @@ metadata:
 spec:
 ca:
 secretName: {{ .Release.Name }}-{{ .Release.Namespace }}-ca-root
+{{- if empty .Values.customTlsIssuer }}
 ---
 # This issuer is either using self-signed certificates or requesting
 # certificates from Letsencrypt. This is used to issue certificates for the
@@ -44,3 +45,4 @@ spec:
 traefik.ingress.kubernetes.io/router.tls: "true"
 {{- end }}
 {{- end }}
+{{- end }}
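Review bot: The new `customTlsIssuer` comment says what the value overrides but not what it must be: the value is written verbatim into the `cert-manager.io/cluster-issuer` annotation in ingress-traefik.yaml, so it has to be the name of a pre-existing cert-manager ClusterIssuer (a namespaced Issuer is not found through that annotation), and the chart neither creates nor validates it. Suggest `# Name of an existing cert-manager ClusterIssuer (not a namespaced Issuer) to use for the ingress certificates instead of the chart-managed ones; it must be created and kept valid outside this chart.` It is also worth stating next to the `tlsIssuer` comment above that `tlsIssuer` is ignored once this value is set.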
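Review bot: The `{{- if empty .Values.customTlsIssuer }}` opened after the private issuer's `secretName` (second tls-issuer.yaml hunk) is closed by the `{{- end }}` appended in the third hunk at the very end of the file, where it now stands beside two other unlabelled `{{- end }}`s; which closer belongs to which `if` is not visible without counting, and the outer `if .Values.useCertManager` starts outside these hunks. Tag the closers, e.g. `{{- end }}{{/* if empty .Values.customTlsIssuer */}}` and `{{- end }}{{/* if .Values.useCertManager */}}`, or wrap the whole second document in a single guarded region so the condition and its end are adjacent.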
diff --git a/charts/s3gw/tests/certmanager_test.yaml b/charts/s3gw/tests/certmanager_test.yaml
index 28b4e20..bb173da 100644
--- a/charts/s3gw/tests/certmanager_test.yaml
+++ b/charts/s3gw/tests/certmanager_test.yaml
@@ -43,7 +43,14 @@ tests:
 asserts:
 - hasDocuments:
- count: 0
+ count: 1
+ template: tls-issuer.yaml
+
+ - containsDocument:
+ kind: ClusterIssuer
+ apiVersion: cert-manager.io/v1
+ name: s3gw-release-s3gw-system-private-issuer
+ documentIndex: 0
 template: tls-issuer.yaml
 - isSubset: