Merge pull request #496 from kubescape/feature/setting-up-storage-mtl…

…s-securely Adding the generation of keys and certificates for the storage service
kubescape · Sep 16, 2024 · 893ff19 · 893ff19
2 parents 1699fd5 + 2575fd8
commit 893ff19
Show file tree

Hide file tree

Showing 5 changed files with 160 additions and 23 deletions.
diff --git a/charts/kubescape-operator/templates/storage/apiservice.yaml b/charts/kubescape-operator/templates/storage/apiservice.yaml
@@ -7,7 +7,8 @@ metadata:
   labels:
     {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
 spec:
-  insecureSkipTLSVerify: true
+  insecureSkipTLSVerify: false
+  caBundle: {{ .Values.global.kubescapeCa | b64enc }}
   group: "spdx.softwarecomposition.kubescape.io"
   groupPriorityMinimum: 1000
   versionPriority: 15

diff --git a/charts/kubescape-operator/templates/storage/deployment.yaml b/charts/kubescape-operator/templates/storage/deployment.yaml
@@ -49,6 +49,12 @@ spec:
           tcpSocket:
             port: 8443
         env:
+          - name: TLS_SERVER_CERT_FILE
+            value: "/etc/tls/tls.crt"
+          - name: TLS_SERVER_KEY_FILE
+            value: "/etc/tls/tls.key"
+          - name: TLS_CLIENT_CA_FILE
+            value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
           - name: "CLEANUP_INTERVAL"
             value: "{{ .Values.storage.cleanupInterval }}"
           - name: GOMEMLIMIT
@@ -78,6 +84,9 @@ spec:
           - name: {{ .Values.global.cloudConfig }}
             mountPath: /etc/config
             readOnly: true
+          - name: "tls"
+            mountPath: "/etc/tls"
+            readOnly: true
         resources:
 {{ toYaml .Values.storage.resources | indent 12 }}
       nodeSelector:
@@ -116,4 +125,7 @@ spec:
             - key: "services"
               path: "services.json"
             {{- end }}
+        - name: "tls"
+          secret:
+            secretName: {{ .Values.storage.name }}
 {{- end }}
diff --git a/charts/kubescape-operator/templates/storage/tlscertkey.yaml b/charts/kubescape-operator/templates/storage/tlscertkey.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.unittest -}}
+{{- $ca := "mock-ca" -}}
+{{- $_ := set .Values.global "kubescapeCa" $ca -}}
+{{- $cert := "mock-cert" -}}
+{{- $_ := set .Values.global "kubescapeStorageCert" $cert -}}
+{{- $_ := set .Values.global "kubescapeStorageKey" $cert -}}
+{{- else -}}
+{{- $ca := genCA "kubescape-cluster-ca" 3650 }}
+{{- $_ := set .Values.global "kubescapeCa" $ca.Cert -}}
+{{- $cn := .Values.storage.name  }}
+{{- $dns1 := printf "%s.%s" $cn .Values.ksNamespace }}
+{{- $dns2 := printf "%s.%s.svc" $cn .Values.ksNamespace }}
+{{- $dns3 := printf "%s.%s.svc.cluster.local" $cn .Values.ksNamespace }}
+{{- $cert := genSignedCert $cn nil (list $dns1 $dns2 $dns3) 3650 $ca }}
+{{- $_ := set .Values.global "kubescapeStorageCert" $cert.Cert -}}
+{{- $_ := set .Values.global "kubescapeStorageKey" $cert.Key -}}
+{{- end -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.storage.name }}
+  namespace: {{ .Values.ksNamespace }}
+type: Opaque
+data:
+  tls.crt: {{ .Values.global.kubescapeStorageCert | b64enc }}
+  tls.key: {{ .Values.global.kubescapeStorageKey | b64enc }}
+  ca.crt: {{ .Values.global.kubescapeCa | b64enc }}