diff --git a/charts/kubescape-operator/templates/storage/apiservice.yaml b/charts/kubescape-operator/templates/storage/apiservice.yaml
index f6098764..9ac9641b 100644
--- a/charts/kubescape-operator/templates/storage/apiservice.yaml
+++ b/charts/kubescape-operator/templates/storage/apiservice.yaml
@@ -7,7 +7,8 @@ metadata:
 labels:
 {{- include "kubescape-operator.labels" (dict "Chart" .Chart "Release" .Release "Values" .Values "app" .Values.storage.name "tier" .Values.global.namespaceTier) | nindent 4 }}
 spec:
- insecureSkipTLSVerify: true
+ insecureSkipTLSVerify: false
+ caBundle: {{ .Values.global.kubescapeCa | b64enc }}
 group: "spdx.softwarecomposition.kubescape.io"
 groupPriorityMinimum: 1000
 versionPriority: 15
diff --git a/charts/kubescape-operator/templates/storage/deployment.yaml b/charts/kubescape-operator/templates/storage/deployment.yaml
index 68c94ed0..b519180a 100644
--- a/charts/kubescape-operator/templates/storage/deployment.yaml
+++ b/charts/kubescape-operator/templates/storage/deployment.yaml
@@ -49,6 +49,12 @@ spec:
 tcpSocket:
 port: 8443
 env:
+ - name: TLS_SERVER_CERT_FILE
+ value: "/etc/tls/tls.crt"
+ - name: TLS_SERVER_KEY_FILE
+ value: "/etc/tls/tls.key"
+ - name: TLS_CLIENT_CA_FILE
+ value: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
 - name: "CLEANUP_INTERVAL"
 value: "{{ .Values.storage.cleanupInterval }}"
 - name: GOMEMLIMIT
@@ -78,6 +84,9 @@ spec:
 - name: {{ .Values.global.cloudConfig }}
 mountPath: /etc/config
 readOnly: true
+ - name: "tls"
+ mountPath: "/etc/tls"
+ readOnly: true
 resources:
 {{ toYaml .Values.storage.resources | indent 12 }}
 nodeSelector:
@@ -116,4 +125,7 @@ spec:
 - key: "services"
 path: "services.json"
 {{- end }}
+ - name: "tls"
+ secret:
+ secretName: {{ .Values.storage.name }}
 {{- end }}
diff --git a/charts/kubescape-operator/templates/storage/tlscertkey.yaml b/charts/kubescape-operator/templates/storage/tlscertkey.yaml
new file mode 100644
index 00000000..f2336a74
--- /dev/null
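Review bot: `caBundle` in the apiservice hunk reads `.Values.global.kubescapeCa`, which nothing in this template sets; it is populated by a `set` call in `templates/storage/tlscertkey.yaml` (added in this commit), and the two files only agree because Helm executes templates in a fixed order (deeper paths first, then reverse-alphabetical within a directory, so `tlscertkey.yaml` runs before `apiservice.yaml` and `deployment.yaml`, if I recall the engine's ordering correctly). That dependency is unstated, and renaming either file would render an empty `caBundle`, which together with `insecureSkipTLSVerify: false` leaves the aggregated API unreachable with no obvious cause. Wrapping the value in `required`, `caBundle: {{ required "storage CA not generated; check storage/tlscertkey.yaml render order" .Values.global.kubescapeCa | b64enc }}`, turns that into a render-time error, and a template comment on its own line above `spec:`, `{{- /* caBundle is set by storage/tlscertkey.yaml, which Helm renders before this file; keep the file names ordered */}}`, records why it works.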
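Review bot: `TLS_CLIENT_CA_FILE` in the first deployment hunk points at the service-account `ca.crt`, which is the cluster CA; the kube-apiserver's aggregation layer authenticates to extension API servers with a client certificate signed by the requestheader (front-proxy) CA, which on kubeadm-style clusters is a distinct CA published in the `extension-apiserver-authentication` ConfigMap in `kube-system`. If the storage server uses this file to verify client certificates, the aggregator's requests would be rejected on such clusters, so it is worth confirming against the server's TLS setup; if the file serves another purpose, a comment above the entry naming that purpose would stop the next reader from assuming it is the aggregator CA. The container spec this env list belongs to starts and ends outside the hunk, so whether the pod template carries any annotation tied to the new Secret is not visible here.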
+++ b/charts/kubescape-operator/templates/storage/tlscertkey.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.unittest -}}
+{{- $ca := "mock-ca" -}}
+{{- $_ := set .Values.global "kubescapeCa" $ca -}}
+{{- $cert := "mock-cert" -}}
+{{- $_ := set .Values.global "kubescapeStorageCert" $cert -}}
+{{- $_ := set .Values.global "kubescapeStorageKey" $cert -}}
+{{- else -}}
+{{- $ca := genCA "kubescape-cluster-ca" 3650 }}
+{{- $_ := set .Values.global "kubescapeCa" $ca.Cert -}}
+{{- $cn := .Values.storage.name }}
+{{- $dns1 := printf "%s.%s" $cn .Values.ksNamespace }}
+{{- $dns2 := printf "%s.%s.svc" $cn .Values.ksNamespace }}
+{{- $dns3 := printf "%s.%s.svc.cluster.local" $cn .Values.ksNamespace }}
+{{- $cert := genSignedCert $cn nil (list $dns1 $dns2 $dns3) 3650 $ca }}
+{{- $_ := set .Values.global "kubescapeStorageCert" $cert.Cert -}}
+{{- $_ := set .Values.global "kubescapeStorageKey" $cert.Key -}}
+{{- end -}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.storage.name }}
+ namespace: {{ .Values.ksNamespace }}
+type: Opaque
+data:
+ tls.crt: {{ .Values.global.kubescapeStorageCert | b64enc }}
+ tls.key: {{ .Values.global.kubescapeStorageKey | b64enc }}
+ ca.crt: {{ .Values.global.kubescapeCa | b64enc }}
\ No newline at end of file
diff --git a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
index fcf67e75..7aa452c1 100644
--- a/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
+++ b/charts/kubescape-operator/tests/__snapshot__/snapshot_test.yaml.snap
@@ -4772,9 +4772,10 @@ all capabilities: tier: ks-control-plane name: v1beta1.spdx.softwarecomposition.kubescape.io spec: + caBundle: bW9jay1jYQ== group: spdx.softwarecomposition.kubescape.io groupPriorityMinimum: 1000 - insecureSkipTLSVerify: true + insecureSkipTLSVerify: false service: name: storage namespace: kubescape 
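Review bot: `genCA` and `genSignedCert` run on every render, so each `helm upgrade` issues a fresh CA and leaf certificate; the Secret and the APIService `caBundle` rotate together, but nothing in this diff adds a checksum annotation to the storage Deployment's pod template, so the running pod keeps serving the old key pair (until the kubelet refreshes the mounted files and, if it does, the process reloads them) while the aggregator already trusts only the new CA. Consider reusing an existing Secret via `lookup "v1" "Secret" .Values.ksNamespace .Values.storage.name` and only generating when none is found (bearing in mind `lookup` returns nothing under `helm template` and `--dry-run`), or adding a `checksum/tls` annotation on the pod template so an upgrade rolls the pod. The `unittest` branch is selected by an ordinary chart value, so a user setting `unittest: true` installs `mock-cert` as both certificate and key; that fails closed (neither parses as PEM) but deserves a note in `values.yaml` or a guard. Separately, with `tls.crt`/`tls.key` keys the Secret could be `type: kubernetes.io/tls`, which makes the API server require both keys to be present on admission (an extra `ca.crt` key is still allowed).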
@@ -4979,6 +4980,12 @@ all capabilities: affinity: null containers: - env: + - name: TLS_SERVER_CERT_FILE + value: /etc/tls/tls.crt + - name: TLS_SERVER_KEY_FILE + value: /etc/tls/tls.key + - name: TLS_CLIENT_CA_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - name: CLEANUP_INTERVAL value: 6h - name: GOMEMLIMIT @@ -5025,6 +5032,9 @@ all capabilities: - mountPath: /etc/config name: ks-cloud-config readOnly: true + - mountPath: /etc/tls + name: tls + readOnly: true imagePullSecrets: - name: foo nodeSelector: null @@ -5045,6 +5055,9 @@ all capabilities: path: services.json name: ks-cloud-config name: ks-cloud-config + - name: tls + secret: + secretName: storage 103: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -5217,6 +5230,17 @@ all capabilities: name: storage namespace: kubescape 109: | + apiVersion: v1 + data: + ca.crt: bW9jay1jYQ== + tls.crt: bW9jay1jZXJ0 + tls.key: bW9jay1jZXJ0 + kind: Secret + metadata: + name: storage + namespace: kubescape + type: Opaque + 110: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -5356,7 +5380,7 @@ all capabilities: - get - watch - list - 110: | + 111: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -5379,7 +5403,7 @@ all capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 111: | + 112: | apiVersion: v1 data: config.json: | @@ -5596,7 +5620,7 @@ all capabilities: tier: ks-control-plane name: synchronizer namespace: kubescape - 112: | + 113: | apiVersion: apps/v1 kind: Deployment metadata: @@ -5749,7 +5773,7 @@ all capabilities: path: config.json name: synchronizer name: config - 113: | + 114: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -5811,7 +5835,7 @@ all capabilities: policyTypes: - Ingress - Egress - 114: | + 115: | apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: 
@@ -5835,7 +5859,7 @@ all capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 115: | + 116: | apiVersion: v1 kind: Service metadata: @@ -5859,7 +5883,7 @@ all capabilities: selector: app: synchronizer type: ClusterIP - 116: | + 117: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -9717,9 +9741,10 @@ default capabilities: tier: ks-control-plane name: v1beta1.spdx.softwarecomposition.kubescape.io spec: + caBundle: bW9jay1jYQ== group: spdx.softwarecomposition.kubescape.io groupPriorityMinimum: 1000 - insecureSkipTLSVerify: true + insecureSkipTLSVerify: false service: name: storage namespace: kubescape @@ -9924,6 +9949,12 @@ default capabilities: affinity: null containers: - env: + - name: TLS_SERVER_CERT_FILE + value: /etc/tls/tls.crt + - name: TLS_SERVER_KEY_FILE + value: /etc/tls/tls.key + - name: TLS_CLIENT_CA_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - name: CLEANUP_INTERVAL value: 6h - name: GOMEMLIMIT @@ -9970,6 +10001,9 @@ default capabilities: - mountPath: /etc/config name: ks-cloud-config readOnly: true + - mountPath: /etc/tls + name: tls + readOnly: true nodeSelector: null securityContext: fsGroup: 65532 @@ -9988,6 +10022,9 @@ default capabilities: path: services.json name: ks-cloud-config name: ks-cloud-config + - name: tls + secret: + secretName: storage 79: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy @@ -10125,6 +10162,17 @@ default capabilities: name: storage namespace: kubescape 84: | + apiVersion: v1 + data: + ca.crt: bW9jay1jYQ== + tls.crt: bW9jay1jZXJ0 + tls.key: bW9jay1jZXJ0 + kind: Secret + metadata: + name: storage + namespace: kubescape + type: Opaque + 85: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -10264,7 +10312,7 @@ default capabilities: - get - watch - list - 85: | + 86: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: 
@@ -10287,7 +10335,7 @@ default capabilities: - kind: ServiceAccount name: synchronizer namespace: kubescape - 86: | + 87: | apiVersion: v1 data: config.json: | @@ -10504,7 +10552,7 @@ default capabilities: tier: ks-control-plane name: synchronizer namespace: kubescape - 87: | + 88: | apiVersion: apps/v1 kind: Deployment metadata: @@ -10645,7 +10693,7 @@ default capabilities: path: config.json name: synchronizer name: config - 88: | + 89: | apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: @@ -10701,7 +10749,7 @@ default capabilities: policyTypes: - Ingress - Egress - 89: | + 90: | apiVersion: v1 kind: Service metadata: @@ -10725,7 +10773,7 @@ default capabilities: selector: app: synchronizer type: ClusterIP - 90: | + 91: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -13846,9 +13894,10 @@ disable otel: tier: ks-control-plane name: v1beta1.spdx.softwarecomposition.kubescape.io spec: + caBundle: bW9jay1jYQ== group: spdx.softwarecomposition.kubescape.io groupPriorityMinimum: 1000 - insecureSkipTLSVerify: true + insecureSkipTLSVerify: false service: name: storage namespace: kubescape @@ -14053,6 +14102,12 @@ disable otel: affinity: null containers: - env: + - name: TLS_SERVER_CERT_FILE + value: /etc/tls/tls.crt + - name: TLS_SERVER_KEY_FILE + value: /etc/tls/tls.key + - name: TLS_CLIENT_CA_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - name: CLEANUP_INTERVAL value: 6h - name: GOMEMLIMIT @@ -14099,6 +14154,9 @@ disable otel: - mountPath: /etc/config name: ks-cloud-config readOnly: true + - mountPath: /etc/tls + name: tls + readOnly: true nodeSelector: null securityContext: fsGroup: 65532 @@ -14117,6 +14175,9 @@ disable otel: path: services.json name: ks-cloud-config name: ks-cloud-config + - name: tls + secret: + secretName: storage 64: | apiVersion: v1 kind: PersistentVolumeClaim 
@@ -14206,6 +14267,17 @@ disable otel: name: storage namespace: kubescape 68: | + apiVersion: v1 + data: + ca.crt: bW9jay1jYQ== + tls.crt: bW9jay1jZXJ0 + tls.key: bW9jay1jZXJ0 + kind: Secret + metadata: + name: storage + namespace: kubescape + type: Opaque + 69: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: @@ -14345,7 +14417,7 @@ disable otel: - get - watch - list - 69: | + 70: | apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: @@ -14368,7 +14440,7 @@ disable otel: - kind: ServiceAccount name: synchronizer namespace: kubescape - 70: | + 71: | apiVersion: v1 data: config.json: | @@ -14585,7 +14657,7 @@ disable otel: tier: ks-control-plane name: synchronizer namespace: kubescape - 71: | + 72: | apiVersion: apps/v1 kind: Deployment metadata: @@ -14719,7 +14791,7 @@ disable otel: path: config.json name: synchronizer name: config - 72: | + 73: | apiVersion: v1 kind: Service metadata: @@ -14743,7 +14815,7 @@ disable otel: selector: app: synchronizer type: ClusterIP - 73: | + 74: | apiVersion: v1 automountServiceAccountToken: false kind: ServiceAccount @@ -17019,9 +17091,10 @@ minimal capabilities: tier: ks-control-plane name: v1beta1.spdx.softwarecomposition.kubescape.io spec: + caBundle: bW9jay1jYQ== group: spdx.softwarecomposition.kubescape.io groupPriorityMinimum: 1000 - insecureSkipTLSVerify: true + insecureSkipTLSVerify: false service: name: storage namespace: kubescape @@ -17226,6 +17299,12 @@ minimal capabilities: affinity: null containers: - env: + - name: TLS_SERVER_CERT_FILE + value: /etc/tls/tls.crt + - name: TLS_SERVER_KEY_FILE + value: /etc/tls/tls.key + - name: TLS_CLIENT_CA_FILE + value: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt - name: CLEANUP_INTERVAL value: 6h - name: GOMEMLIMIT @@ -17272,6 +17351,9 @@ minimal capabilities: - mountPath: /etc/config name: ks-cloud-config readOnly: true + - mountPath: /etc/tls + name: tls + readOnly: true nodeSelector: null securityContext: fsGroup: 65532 
@@ -17288,6 +17370,9 @@ minimal capabilities: path: clusterData.json name: ks-cloud-config name: ks-cloud-config + - name: tls + secret: + secretName: storage 49: | apiVersion: v1 kind: PersistentVolumeClaim @@ -17376,6 +17461,17 @@ minimal capabilities: tier: ks-control-plane name: storage namespace: kubescape + 53: | + apiVersion: v1 + data: + ca.crt: bW9jay1jYQ== + tls.crt: bW9jay1jZXJ0 + tls.key: bW9jay1jZXJ0 + kind: Secret + metadata: + name: storage + namespace: kubescape + type: Opaque with multiple private registry credentials: 1: | apiVersion: v1 diff --git a/charts/kubescape-operator/tests/snapshot_test.yaml b/charts/kubescape-operator/tests/snapshot_test.yaml index 02798b91..4547fdee 100644 --- a/charts/kubescape-operator/tests/snapshot_test.yaml +++ b/charts/kubescape-operator/tests/snapshot_test.yaml @@ -73,6 +73,7 @@ tests: apiVersions: - batch/v1 set: + unittest: true account: 9e6c0c2c-6bd0-4919-815b-55030de7c9a0 accessKey: f304d73b-d43c-412b-82ea-e4c859493ce6 clusterName: kind-kind