

Merge pull request #155 from warpstreamlabs/bettercerts
easy certificates and mtls
rmb938 authored Dec 19, 2024
2 parents 29cda97 + af97641 commit e916ce3
Showing 8 changed files with 256 additions and 3 deletions.
31 changes: 31 additions & 0 deletions .github/workflows/pr.yml
Expand Up @@ -55,6 +55,37 @@ jobs:
run: |
kubectl create secret generic external-secret --from-literal=agentkey=${DefaultVirtualClusterAgentKeySecret}
- name: Generate Certificate for TLS testing
run: |
mkdir /tmp/certificates
cd /tmp/certificates
mkdir -p ca/private
chmod 700 ca/private
# Generate CA
openssl req -x509 -nodes -days 3650 -newkey rsa:4096 -keyout ca/private/ca_key.pem -out ca/ca_cert.pem -subj "/C=US/ST=Acme State/L=Acme City/O=Acme Inc./CN=example.com"
# Create server private key and certificate request
mkdir -p server/private
chmod 700 ca/private
openssl genrsa -out server/private/server_key.pem 4096
openssl req -new -key server/private/server_key.pem -out server/server.csr -subj "/C=US/ST=Acme State/L=Acme City/O=Acme Inc./CN=WarpStream Agent" -addext 'subjectAltName = DNS:playground-sts-cert, DNS:playground-sts-cert-kafka, DNS:playground-sts-cert.default.svc.cluster.local, DNS:*.playground-sts-cert-headless.default.svc.cluster.local'
# Create client private key and certificate request
mkdir -p client/private
chmod 700 client/private
openssl genrsa -out client/private/client_key.pem 4096
openssl req -new -key client/private/client_key.pem -out client/client.csr -subj "/C=US/ST=Acme State/L=Acme City/O=Acme Inc./CN=WarpStream Client"
# Generate certificates
openssl x509 -req -days 1460 -in server/server.csr -CA ca/ca_cert.pem -CAkey ca/private/ca_key.pem -CAcreateserial -out server/server_cert.pem -copy_extensions copyall
openssl x509 -req -days 1460 -in client/client.csr -CA ca/ca_cert.pem -CAkey ca/private/ca_key.pem -CAcreateserial -out client/client_cert.pem -copy_extensions copyall
# Create Kubernetes Secrets
kubectl create secret tls ci-certificate --cert=server/server_cert.pem --key=server/private/server_key.pem
kubectl create secret tls ci-certificate-client --cert=client/client_cert.pem --key=client/private/client_key.pem
kubectl create secret generic ci-certificate-ca --from-file=ca.crt=ca/ca_cert.pem
- name: Run chart-testing (install)
if: steps.list-changed.outputs.changed == 'true'
run: ct install --namespace default --target-branch ${{ github.event.repository.default_branch }} --upgrade --skip-missing-values
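Review bot: The second `chmod 700 ca/private`, on the line right after `mkdir -p server/private`, re-tightens the CA directory instead of the server key directory that was just created, so `server/private/server_key.pem` is written into a directory left at the default mode; it should read `chmod 700 server/private`. The two `openssl x509 -req ... -copy_extensions copyall` lines also deserve a comment, since as far as I know that option only exists on OpenSSL 3.x and the step fails outright on an image shipping 1.1.x: `# requires OpenSSL >= 3.0 for -copy_extensions (carries the SAN from the CSR)`. The `run:` block is fully inside the hunk; the enclosing job definition starts above it.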
4 changes: 4 additions & 0 deletions charts/warpstream-agent/CHANGELOG.md
Expand Up @@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.13.69] - 2024-12-XX

- Make certificates first class variables so it is easier to configure without having to use volumes and env variables

## [0.13.68] - 2024-12-19

- Update WarpStream Agent to v609.
2 changes: 1 addition & 1 deletion charts/warpstream-agent/Chart.yaml
Expand Up @@ -2,7 +2,7 @@ apiVersion: v2
name: warpstream-agent
description: WarpStream Agent for Kubernetes.
type: application
version: 0.13.68
version: 0.13.69
appVersion: v609
icon: https://avatars.githubusercontent.com/u/132156278
home: https://docs.warpstream.com/warpstream/
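--- /dev/null
+++ b/charts/warpstream-agent/ci/playground-sts-cert-mtls-values.yaml
@@ -0,0 +1,46 @@
+# Need override os we have a static release name for certificates while testing
+fullnameOverride: "playground-sts-cert"
+
+config:
+playground: true
+
+# testing with statefulset
+deploymentKind: StatefulSet
+
+certificate:
+# Set to true to enable TLS termination on the WarpStream agent
+# see TLS documentation for details https://docs.warpstream.com/warpstream/byoc/advanced-agent-deployment-options/protect-data-in-motion-with-tls-encryption#tls-encryption-overview
+enableTLS: true
+
+# The Kubernetes TLS secret that contains a certificate and private key
+# see https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets
+secretName: "ci-certificate"
+
+mtls:
+# Set to true to enable mutual TLS on the WarpStream agent, requires enableTLS set to true
+# see mTLS documentation for details https://docs.warpstream.com/warpstream/byoc/authentication/mutual-tls-mtls
+enabled: true
+
+# The secret key reference for the certificate authority public key
+# If not set, the container's root certificate pool will be used for mtls client certificate verification
+# It is recommend to always set this to your CA's public key and not rely on the root certificate pool
+# see mTLS documentation for details on why using the root certificate pool is not recommended
+certificateAuthoritySecretKeyRef:
+name: "ci-certificate-ca"
+key: "ca.crt"
+
+# overriding resources so it fits on a runner
+resources:
+requests:
+cpu: 1
+memory: 4Gi
+# we do not need the disk space, but Kubernetes will count some logs that it emits
+# about our containers towards our containers ephemeral usage and if we requested
+# 0 storage we could end up getting evicted unnecessarily when the node is under disk pressure.
+ephemeral-storage: "100Mi"
+limits:
+memory: 4Gi
+
+extraEnv:
+- name: WARPSTREAM_ADVERTISE_HOSTNAME_STRATEGY
+value: auto-ip4 # playground mode defaults to local so we need to override it for tests to pass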
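Review bot: The first comment line of this file has a typo, "Need override os we have a static release name" should be "Need override so we have a static release name"; the same line is duplicated in charts/warpstream-agent/ci/playground-sts-cert-values.yaml. While touching it, the comment could also say what the static name is tied to, e.g. `# fullname must be static: the CI server certificate's SAN list names playground-sts-cert and its kafka/headless services`, since the SAN entries in .github/workflows/pr.yml are what this override has to match.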
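--- /dev/null
+++ b/charts/warpstream-agent/ci/playground-sts-cert-values.yaml
@@ -0,0 +1,33 @@
+# Need override os we have a static release name for certificates while testing
+fullnameOverride: "playground-sts-cert"
+
+config:
+playground: true
+
+# testing with statefulset
+deploymentKind: StatefulSet
+
+certificate:
+# Set to true to enable TLS termination on the WarpStream agent
+# see TLS documentation for details https://docs.warpstream.com/warpstream/byoc/advanced-agent-deployment-options/protect-data-in-motion-with-tls-encryption#tls-encryption-overview
+enableTLS: true
+
+# The Kubernetes TLS secret that contains a certificate and private key
+# see https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets
+secretName: "ci-certificate"
+
+# overriding resources so it fits on a runner
+resources:
+requests:
+cpu: 1
+memory: 4Gi
+# we do not need the disk space, but Kubernetes will count some logs that it emits
+# about our containers towards our containers ephemeral usage and if we requested
+# 0 storage we could end up getting evicted unnecessarily when the node is under disk pressure.
+ephemeral-storage: "100Mi"
+limits:
+memory: 4Gi
+
+extraEnv:
+- name: WARPSTREAM_ADVERTISE_HOSTNAME_STRATEGY
+value: auto-ip4 # playground mode defaults to local so we need to override it for tests to pass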
41 changes: 39 additions & 2 deletions charts/warpstream-agent/templates/deployment.yaml
Expand Up @@ -74,6 +74,19 @@ spec:
{{- range .Values.extraArgs }}
- {{ . }}
{{- end }}
{{- with .Values.certificate }}
{{- if .enableTLS }}
- -kafkaTLS=true
- -tlsServerCertFile=/etc/private/ssl/agent/tls.crt
- -tlsServerPrivateKeyFile=/etc/private/ssl/agent/tls.key
{{- if .mtls.enabled }}
- -requireMTLSAuthentication=true
{{- if .mtls.certificateAuthoritySecretKeyRef.name }}
- -tlsClientCACertFile=/etc/private/ssl/agent-mtls/{{ .mtls.certificateAuthoritySecretKeyRef.key }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
readinessProbe:
httpGet:
path: /v1/status
Expand Down Expand Up @@ -151,13 +164,25 @@ spec:
- name: schema-registry
containerPort: 9094
protocol: TCP
{{- if or (.Values.volumeMounts) (not .Values.config.playground) }}
{{- if or (.Values.volumeMounts) (not .Values.config.playground) (.Values.certificate) }}
volumeMounts:
{{- if not .Values.config.playground }}
- name: agent-key
mountPath: /app/agent-key
readOnly: true
{{- end }}
{{- with .Values.certificate }}
{{- if .enableTLS }}
- name: agent-certs
mountPath: "/etc/private/ssl/agent"
readOnly: true
{{- if .mtls.certificateAuthoritySecretKeyRef.name }}
- name: agent-mtls-certs
mountPath: "/etc/private/ssl/agent-mtls"
readOnly: true
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
Expand Down Expand Up @@ -186,13 +211,25 @@ spec:
topologySpreadConstraints:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- if or (.Values.volumes) (not .Values.config.playground) }}
{{- if or (.Values.volumes) (not .Values.config.playground) (.Values.certificate) }}
volumes:
{{- if not .Values.config.playground }}
- name: agent-key
secret:
secretName: {{ include "warpstream-agent.agentKey.secretName" . }}
{{- end }}
{{- with .Values.certificate }}
{{- if .enableTLS }}
- name: agent-certs
secret:
secretName: {{ .secretName }}
{{- if .mtls.certificateAuthoritySecretKeyRef.name }}
- name: agent-mtls-certs
secret:
secretName: {{ .mtls.certificateAuthoritySecretKeyRef.name }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.volumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
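Review bot: The new `(.Values.certificate)` operand in the `volumeMounts:` and `volumes:` guards (second and third hunks) is always truthy now that values.yaml defines the `certificate` map with defaults, so a playground release with TLS off and no user volumes renders a bare `volumeMounts:` / `volumes:` key with a null body; the condition should be `(.Values.certificate.enableTLS)`. In the first hunk, `-tlsClientCACertFile=/etc/private/ssl/agent-mtls/{{ .mtls.certificateAuthoritySecretKeyRef.key }}` is gated only on `.name`, so a ref with a name but an empty key points the agent at the mount directory rather than a file; gate on both, `{{- if and .mtls.certificateAuthoritySecretKeyRef.name .mtls.certificateAuthoritySecretKeyRef.key }}`, and the same guard applies to the mount and volume in the later hunks. In the third hunk `secretName: {{ .secretName }}` renders empty when `enableTLS` is true but `secretName` is left at its `""` default, which surfaces only as a pod that never starts; `secretName: {{ required "certificate.secretName must be set when certificate.enableTLS is true" .secretName }}` fails at template time instead. The enclosing `spec:` starts above the first hunk and continues past the last one.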
80 changes: 80 additions & 0 deletions charts/warpstream-agent/templates/tests/test-connection.yaml
Expand Up @@ -16,9 +16,49 @@ spec:
- kcmd
- -bootstrap-host
- '{{ include "warpstream-agent.fullname" . }}'
{{- with .Values.certificate }}
{{- if .enableTLS }}
- -tls
- -tlsServerCACertFile=/etc/private/ssl/agent/ca.crt
{{- end }}
{{- if .mtls.enabled }}
- -tlsClientCertFile=/etc/private/ssl/agent-mtls/tls.crt
- -tlsClientPrivateKeyFile=/etc/private/ssl/agent-mtls/tls.key
{{- end }}
{{- end }}
- -type
- diagnose-connection
{{- if .Values.certificate }}
volumeMounts:
{{- with .Values.certificate }}
{{- if .enableTLS }}
- mountPath: "/etc/private/ssl/agent"
name: agent-ca
readOnly: true
{{- end }}
{{- if .mtls.enabled }}
- mountPath: "/etc/private/ssl/agent-mtls"
name: agent-mtls
readOnly: true
{{- end }}
{{- end }}
{{- end }}
restartPolicy: Never
{{- if .Values.certificate }}
volumes:
{{- with .Values.certificate }}
{{- if .enableTLS }}
- name: agent-ca
secret:
secretName: ci-certificate-ca
{{- end }}
{{- if .mtls.enabled }}
- name: agent-mtls
secret:
secretName: ci-certificate-client
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
Expand All @@ -43,9 +83,49 @@ spec:
- kcmd
- -bootstrap-host
- '{{ include "warpstream-agent.fullname" . }}-kafka'
{{- with .Values.certificate }}
{{- if .enableTLS }}
- -tls
- -tlsServerCACertFile=/etc/private/ssl/agent/ca.crt
{{- end }}
{{- if .mtls.enabled }}
- -tlsClientCertFile=/etc/private/ssl/agent-mtls/tls.crt
- -tlsClientPrivateKeyFile=/etc/private/ssl/agent-mtls/tls.key
{{- end }}
{{- end }}
- -type
- diagnose-connection
{{- if .Values.certificate }}
volumeMounts:
{{- with .Values.certificate }}
{{- if .enableTLS }}
- mountPath: "/etc/private/ssl/agent"
name: agent-ca
readOnly: true
{{- end }}
{{- if .mtls.enabled }}
- mountPath: "/etc/private/ssl/agent-mtls"
name: agent-mtls
readOnly: true
{{- end }}
{{- end }}
{{- end }}
restartPolicy: Never
{{- if .Values.certificate }}
volumes:
{{- with .Values.certificate }}
{{- if .enableTLS }}
- name: agent-ca
secret:
secretName: ci-certificate-ca
{{- end }}
{{- if .mtls.enabled }}
- name: agent-mtls
secret:
secretName: ci-certificate-client
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
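Review bot: Both test pods hard-code `secretName: ci-certificate-ca` and `secretName: ci-certificate-client` in a template that ships with the chart, so any user who sets `certificate.enableTLS: true` and runs `helm test` gets a pod referencing secrets that only exist in this repository's CI job. The CA name is already available as `.mtls.certificateAuthoritySecretKeyRef.name` (and `-tlsServerCACertFile=/etc/private/ssl/agent/ca.crt` likewise assumes the key is `ca.crt` rather than using `.key`), and the client certificate secret would need a new value rather than a literal; at minimum a comment such as `# CI-only: expects secrets created by .github/workflows/pr.yml` should mark the assumption. Unlike deployment.yaml, the `.mtls.enabled` blocks here sit outside the `.enableTLS` check, so client cert flags and mounts are emitted even when TLS is off; nesting them the same way would keep the two templates consistent. The same applies to the second hunk (the `-kafka` test pod); both pod specs start above their hunk and continue past it.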
22 changes: 22 additions & 0 deletions charts/warpstream-agent/values.yaml
Expand Up @@ -43,6 +43,28 @@ statefulSetConfig:
# see https://kubernetes.io/docs/concepts/workloads/controllers/statefulset/#update-strategies
type: RollingUpdate

certificate:
# Set to true to enable TLS termination on the WarpStream agent
# see TLS documentation for details https://docs.warpstream.com/warpstream/byoc/advanced-agent-deployment-options/protect-data-in-motion-with-tls-encryption#tls-encryption-overview
enableTLS: false

# The Kubernetes TLS secret that contains a certificate and private key
# see https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets
secretName: ""

mtls:
# Set to true to enable mutual TLS on the WarpStream agent, requires enableTLS set to true
# see mTLS documentation for details https://docs.warpstream.com/warpstream/byoc/authentication/mutual-tls-mtls
enabled: false

# The secret key reference for the certificate authority public key
# If not set, the container's root certificate pool will be used for mtls client certificate verification
# It is recommend to always set this to your CA's public key and not rely on the root certificate pool
# see mTLS documentation for details on why using the root certificate pool is not recommended
certificateAuthoritySecretKeyRef:
name: ""
key: ""

terminationGracePeriodSeconds: 300

serviceAccount:
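Review bot: The `secretName` comment does not say that the value becomes mandatory once `enableTLS` is true, even though the deployment template in this commit mounts it unconditionally at `/etc/private/ssl/agent` and reads `tls.crt`/`tls.key` from it; I'd extend the comment with `# Required when enableTLS is true; must be a kubernetes.io/tls secret (keys tls.crt and tls.key), mounted at /etc/private/ssl/agent`. The CA comment has a typo, "It is recommend to always set this" should be "It is recommended to always set this", and since the fallback is the container's root pool it would help to add `# key is the entry inside the secret holding the PEM CA bundle, e.g. ca.crt` so readers know both fields are needed. The `certificate` block is fully inside the hunk.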
