

Add certificate check in the preflights (#573)
* Add certificate check in the preflights

* Add workspace postgres ssl ca

* Add debug

* Fix access mode

* Change image for tenant requirements checker

* Try fix

* Undo change for debug

* Add cert validators dynamically

* Add new check
moicalcob authored Jul 1, 2024
1 parent 90d0814 commit 34f9b4b
Showing 3 changed files with 68 additions and 21 deletions.
65 changes: 59 additions & 6 deletions chart/templates/_commonChecks.tpl
Expand Up @@ -49,39 +49,49 @@ Return common collectors for preflights and support-bundle
FILE_PATH=$(env | grep ${PREFIX}__FILE_PATH | awk -F= '{print $2}')
FILE_CONTENT_VAR="${PREFIX}__FILE_CONTENT"
FILE_CONTENT=$(eval "echo \$$FILE_CONTENT_VAR")
printf "%s" "$FILE_CONTENT" > "$FILE_PATH"
echo "$FILE_CONTENT" | base64 -d > "$FILE_PATH"
done
env:
{{- if not .Values.commonBackendServiceAccount.enableGCPWorkloadIdentity }}
- name: DEFAULT_SERVICE_ACCOUNT_KEY__FILE_CONTENT
value: {{ .Values.cartoSecrets.defaultGoogleServiceAccount.value | quote }}
value: {{ .Values.cartoSecrets.defaultGoogleServiceAccount.value | b64enc | quote }}
- name: DEFAULT_SERVICE_ACCOUNT_KEY__FILE_PATH
value: {{ include "carto.google.secretMountAbsolutePath" . }}
{{- if ( include "carto.googleCloudStorageServiceAccountKey.used" . ) }}
- name: STORAGE_SERVICE_ACCOUNT_KEY__FILE_CONTENT
value: {{ .Values.appSecrets.googleCloudStorageServiceAccountKey.value | quote }}
value: {{ .Values.appSecrets.googleCloudStorageServiceAccountKey.value | b64enc | quote }}
- name: STORAGE_SERVICE_ACCOUNT_KEY__FILE_PATH
value: {{ include "carto.googleCloudStorageServiceAccountKey.secretMountAbsolutePath" . }}
{{- end }}
{{- end }}
{{- if and .Values.externalPostgresql.sslEnabled .Values.externalPostgresql.sslCA }}
- name: POSTGRES_SSL_CA__FILE_CONTENT
value: {{ .Values.externalPostgresql.sslCA | quote }}
value: {{ .Values.externalPostgresql.sslCA | b64enc | quote }}
- name: POSTGRES_SSL_CA__FILE_PATH
value: {{ include "carto.postgresql.configMapMountAbsolutePath" . }}
{{- end }}
{{- if and .Values.externalRedis.tlsEnabled .Values.externalRedis.tlsCA }}
- name: REDIS_TLS_CA__FILE_CONTENT
value: {{ .Values.externalRedis.tlsCA | quote }}
value: {{ .Values.externalRedis.tlsCA | b64enc | quote }}
- name: REDIS_TLS_CA__FILE_PATH
value: {{ include "carto.redis.configMapMountAbsolutePath" . }}
{{- end }}
{{- if and .Values.externalProxy.enabled .Values.externalProxy.sslCA }}
- name: PROXY_SSL_CA__FILE_CONTENT
value: {{ .Values.externalProxy.sslCA | quote }}
value: {{ .Values.externalProxy.sslCA | b64enc | quote }}
- name: PROXY_SSL_CA__FILE_PATH
value: {{ include "carto.proxy.configMapMountAbsolutePath" . }}
{{- end }}
{{- if and .Values.router.tlsCertificates.certificateValueBase64 .Values.router.tlsCertificates.privateKeyValueBase64 }}
- name: ROUTER_SSL_CERT__FILE_CONTENT
value: {{ .Values.router.tlsCertificates.certificateValueBase64 | quote }}
- name: ROUTER_SSL_CERT__FILE_PATH
value: "/etc/ssl/certs/cert.crt"
- name: ROUTER_SSL_CERT_KEY__FILE_CONTENT
value: {{ .Values.router.tlsCertificates.privateKeyValueBase64 | quote }}
- name: ROUTER_SSL_CERT_KEY__FILE_PATH
value: "/etc/ssl/certs/cert.key"
{{- end }}
volumeMounts:
- name: gcp-default-service-account-key
mountPath: {{ include "carto.google.secretMountDir" . }}
Expand All @@ -106,6 +116,11 @@ Return common collectors for preflights and support-bundle
mountPath: {{ include "carto.proxy.configMapMountDir" . }}
readOnly: false
{{- end }}
{{- if and .Values.router.tlsCertificates.certificateValueBase64 .Values.router.tlsCertificates.privateKeyValueBase64 }}
- name: router-tls-cert-and-key
mountPath: /etc/ssl/certs/
readOnly: false
{{- end }}
containers:
- name: run-tenants-requirements-check
image: {{ template "carto.tenantRequirementsChecker.image" . }}
Expand Down Expand Up @@ -145,6 +160,11 @@ Return common collectors for preflights and support-bundle
mountPath: {{ include "carto.proxy.configMapMountDir" . }}
readOnly: true
{{- end }}
{{- if and .Values.router.tlsCertificates.certificateValueBase64 .Values.router.tlsCertificates.privateKeyValueBase64 }}
- name: router-tls-cert-and-key
mountPath: /etc/ssl/certs/
readOnly: true
{{- end }}
volumes:
- name: gcp-default-service-account-key
emptyDir:
Expand All @@ -169,6 +189,11 @@ Return common collectors for preflights and support-bundle
emptyDir:
sizeLimit: 1Mi
{{- end }}
{{- if and .Values.router.tlsCertificates.certificateValueBase64 .Values.router.tlsCertificates.privateKeyValueBase64 }}
- name: router-tls-cert-and-key
emptyDir:
sizeLimit: 1Mi
{{- end }}
- registryImages:
namespace: {{ .Release.Namespace | quote }}
{{/*
Expand Down Expand Up @@ -207,6 +232,22 @@ Return common analyzers for preflights and support-bundle
"PubSubValidator" (list "Check_publish_and_listen_to_topic")
}}
{{/*
We push conditionally new analyzers for the certs provided if they're provided for: Postgres, Redis and Router SSL
*/}}
{{- $certChecks := list }}
{{- if and .Values.router.tlsCertificates.certificateValueBase64 .Values.router.tlsCertificates.privateKeyValueBase64 }}
{{- $certChecks = append $certChecks "Check_Router_certificate" }}
{{- end }}
{{- if and .Values.externalPostgresql.sslEnabled .Values.externalPostgresql.sslCA }}
{{- $certChecks = append $certChecks "Check_Postgres_certificate" }}
{{- end }}
{{- if and .Values.externalRedis.tlsEnabled .Values.externalRedis.tlsCA }}
{{- $certChecks = append $certChecks "Check_Redis_certificate" }}
{{- end }}
{{- if gt (len $certChecks) 0 }}
{{- $_ := set $preflightsDict "CertificatesValidator" $certChecks -}}
{{- end }}
{{/*
We just need to add the RedisValidator to the preflightsDict if the externalRedis is enabled
*/}}
{{- if not .Values.internalRedis.enabled }}
Expand Down Expand Up @@ -358,6 +399,12 @@ Return customer values to use in preflights and support-bundle
value: {{ include "carto.postgresql.databaseName" . }}
- name: WORKSPACE_POSTGRES_USER
value: {{ include "carto.postgresql.user" . }}
- name: WORKSPACE_POSTGRES_SSL_ENABLED
value: {{ .Values.externalPostgresql.sslEnabled | quote }}
{{- if and .Values.externalPostgresql.sslEnabled .Values.externalPostgresql.sslCA }}
- name: WORKSPACE_POSTGRES_SSL_CA
value: {{ include "carto.postgresql.configMapMountAbsolutePath" . }}
{{- end }}
- name: WORKSPACE_TENANT_ID
value: {{ .Values.cartoConfigValues.selfHostedTenantId | quote }}
{{- if not .Values.commonBackendServiceAccount.enableGCPWorkloadIdentity }}
Expand Down Expand Up @@ -435,6 +482,12 @@ Return customer values to use in preflights and support-bundle
value: {{ include "carto.proxy.configMapMountAbsolutePath" . | quote }}
{{- end }}
{{- end }}
{{- if and .Values.router.tlsCertificates.certificateValueBase64 .Values.router.tlsCertificates.privateKeyValueBase64 }}
- name: ROUTER_SSL_CERT
value: "/etc/ssl/certs/cert.crt"
- name: ROUTER_SSL_CERT_KEY
value: "/etc/ssl/certs/cert.key"
{{- end }}
{{- end -}}
{{/*
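Review bot: The new `router-tls-cert-and-key` emptyDir is mounted at `/etc/ssl/certs/` on both the init container (line 95) and `run-tenants-requirements-check` (line 107), which overlays the directory where most base images keep their system CA bundle; if the checker image trusts CAs from that path, every other TLS connection made during the check loses its trust store once the mount hides it. Mounting the volume at a dedicated path and pointing `ROUTER_SSL_CERT__FILE_PATH`, `ROUTER_SSL_CERT` and `ROUTER_SSL_CERT_KEY` at it avoids that, e.g. `mountPath: /etc/carto/router-tls/` with `value: "/etc/carto/router-tls/cert.key"` (constructed example path). Separately, `ROUTER_SSL_CERT_KEY__FILE_CONTENT` places the router's private key in a plain `value:` on the pod spec, so anyone who can get or describe the pod can read it; the CA values use the same pattern but are public certificates, whereas the key belongs in a Secret consumed via `valueFrom.secretKeyRef`. The `base64 -d > "$FILE_PATH"` loop also writes the key with the shell's default umask, so an `umask 077` before the loop (or a `chmod 600` on the key file) would keep it from being readable by every process in the pod.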
14 changes: 1 addition & 13 deletions manifests/kots-config.yaml
Expand Up @@ -348,18 +348,6 @@ spec:
- name: accessToCartoModeK8sCustom
title: |-
Custom
- name: accessToCartoModeK8sNotFullySupported
hidden: true
when: *when_is_k8s_NOT_fully_implemented_platform
title: *accessToCartoModeK8sTitle
help_text: *accessToCartoModeK8sHelpText
type: select_one
default: accessToCartoModeK8sCustom
required: true
items:
- name: accessToCartoModeK8sCustom
title: |-
Custom
- name: accessToCartoModeK8sDefaultLabel
type: label
when: '{{repl (ConfigOptionEquals "accessToCartoModeK8s" "accessToCartoModeK8sDefault") }}'
Expand All @@ -381,7 +369,7 @@ spec:
- name: TLSTerminationLayer
title: TLS Termination
type: select_one
when: '{{repl or (ConfigOptionEquals "accessToCartoModeK8s" "accessToCartoModeK8sCustom") (ConfigOptionEquals "accessToCartoModeK8sNotFullySupported" "accessToCartoModeK8sCustom") (ConfigOptionEquals "isEmbeddedCluster" "true") }}'
when: '{{repl or (ConfigOptionEquals "accessToCartoModeK8s" "accessToCartoModeK8sCustom") (ConfigOptionEquals "isK8sNotFullyImplementedPlatform" "true") (ConfigOptionEquals "isEmbeddedCluster" "true") }}'
help_text: |-
TLS termination is required and it can be achieved within the CARTO application itself or through a load balancer (recommended).
items:
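Review bot: The rewritten `when:` on the `TLSTerminationLayer` item (line 200) now tests `ConfigOptionEquals "isK8sNotFullyImplementedPlatform" "true"`, but no option with that name is visible in this diff, and the removed `accessToCartoModeK8sNotFullySupported` select was what previously carried that branch of the condition; confirm `isK8sNotFullyImplementedPlatform` is a defined config item (presumably the one behind the `*when_is_k8s_NOT_fully_implemented_platform` anchor) and that its stored value is the string `"true"`, since a `bool` item is compared as `"0"`/`"1"` elsewhere in this commit (`ConfigOptionEquals "enableGoogleWorkloadIdentity" "0"` in kots-helm.yaml) and the `"true"` comparison would then never match. Any other `when:` in the file that still references `accessToCartoModeK8sNotFullySupported` now silently evaluates false, and the `*accessToCartoModeK8sTitle` / `*accessToCartoModeK8sHelpText` anchors may be left with a single use, so the rest of the file is worth a grep. This change is unrelated to the certificate preflight in the title and would be easier to review as its own commit. The `spec` item list continues outside both hunks.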
10 changes: 8 additions & 2 deletions manifests/kots-helm.yaml
Expand Up @@ -139,8 +139,7 @@ spec:
staticIP:
enabled: repl{{ if ConfigOptionEquals "accessToCartoGCPStaticIPName" ""}}falserepl{{ else }}truerepl{{ end }}
value: '{{repl ConfigOption "accessToCartoGCPStaticIPName" }}'



accountsWww:
image:
registry: '{{repl HasLocalRegistry | ternary LocalRegistryHost "registry.self-hosted.carto.com/proxy/carto/gcr.io/carto-onprem-artifacts" }}'
Expand Down Expand Up @@ -213,6 +212,13 @@ spec:
# Optional Values
## Values from Advanced Configuration
optionalValues:
- when: 'true'
recursiveMerge: true
values:
tenantRequirementsChecker:
image:
tag: 'feature_sc_402060_add_a_preflight_check_to_ensure_that_the'

## Specify service account if workload identity is disabled
- when: '{{repl ConfigOptionEquals "enableGoogleWorkloadIdentity" "0" }}'
recursiveMerge: true
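Review bot: The new `optionalValues` entry at lines 221-226 is applied unconditionally (`when: 'true'`) and pins `tenantRequirementsChecker.image.tag` to the branch tag `'feature_sc_402060_add_a_preflight_check_to_ensure_that_the'`, which reads as a leftover of the "Change image for tenant requirements checker" debug step in the description and would ship a branch-built image to every installation; the tag also looks truncated. A branch tag is mutable and re-pushed as the branch evolves, so the image customers actually run is not fixed by this manifest and cannot be audited against a release. Move the released tag (or better, a digest) into the chart's defaults and drop this block; if a temporary override is genuinely needed, gate it on a real condition rather than `'true'` so it cannot reach release builds.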

0 comments on commit 34f9b4b
