From 00b1ad4fc8f4711479db583a1df83efd2cc3f37a Mon Sep 17 00:00:00 2001 From: alvneiayu Date: Thu, 17 Jun 2021 12:09:10 +0200 Subject: [PATCH] [bitnami/solr] Add support for autogenerated certs (#6645) * [bitnami/solr] Add support for autogenerated certs * Include changes requested * Move resources from tls.image.resources to tls.resources * Delete tls.image dependency to use solr default one * Delete solr.tls.image helper function * Include tls resources to use them in the initContainer init-certs * Include truststore and keystore keys and an auto generate secret to use it * Remove unneeded check in solr.tlsPasswordsSecret helper function --- bitnami/solr/Chart.yaml | 2 +- bitnami/solr/README.md | 6 ++ bitnami/solr/templates/_helpers.tpl | 33 +++++++++ bitnami/solr/templates/secret.yaml | 26 ++++++- bitnami/solr/templates/statefulset.yaml | 78 ++++++++++++++++++-- bitnami/solr/templates/tls-auto-secrets.yaml | 25 +++++++ bitnami/solr/values.yaml | 23 ++++++ 7 files changed, 184 insertions(+), 9 deletions(-) create mode 100644 bitnami/solr/templates/tls-auto-secrets.yaml diff --git a/bitnami/solr/Chart.yaml b/bitnami/solr/Chart.yaml index fcd6265f4e..9784d93856 100644 --- a/bitnami/solr/Chart.yaml +++ b/bitnami/solr/Chart.yaml @@ -27,4 +27,4 @@ name: solr sources: - https://github.com/bitnami/bitnami-docker-solr - https://lucene.apache.org/solr/ -version: 0.3.5 +version: 0.4.0 diff --git a/bitnami/solr/README.md b/bitnami/solr/README.md index c6ebeaf60b..01fc10ac5c 100644 --- a/bitnami/solr/README.md +++ b/bitnami/solr/README.md 
@@ -158,8 +158,14 @@ The following tables lists the configurable parameters of the solr chart and the | Parameter | Description | Default | | -------------------------------------- | ------------------------------------------------------------ | ---------------------------------- | | `tls.enabled` | Enable the TLS/SSL configuration | `false` | +| `tls.autoGenerated` | Generate automatically self-signed TLS certificates | `false` | | `tls.certificatesSecretName` | Set the name of the secret that contains the certificates. It should contains two keys called "keystore.p12" and "truststore.12" | `nil` | | `tls.passwordsSecretName` | Set the name of the secret that contains the passwords for the certificate files. It should contains two keys called "tls-keystore-password" and "tls-truststore-password". | `nil` | +| `tls.keystorePassword` | Password to access KeyStore if needed | `nil` | +| `tls.truststorePassword` | Password to access TrustStore if needed | `nil` | +| `tls.resources.limits` | The resources limits for the TLS init container | `{}` | +| `tls.resources.requests` | The requested resources for the TLS init container | `{}` | + ### Solr Traffic Exposure Parameters diff --git a/bitnami/solr/templates/_helpers.tpl b/bitnami/solr/templates/_helpers.tpl index eb5ad55caa..02be1f60c8 100644 --- a/bitnami/solr/templates/_helpers.tpl +++ b/bitnami/solr/templates/_helpers.tpl 
@@ -82,3 +82,36 @@ Return the proper Storage Class {{- printf "%s-%s" .Release.Name "zookeeper" -}}:{{- .Values.zookeeper.port -}} {{- end -}} {{- end -}} + +{{/* +Return true if a TLS secret object should be created +*/}} +{{- define "solr.createTlsSecret" -}} +{{- if and .Values.tls.enabled .Values.tls.autoGenerated }} + {{- true -}} +{{- end -}} +{{- end -}} + +{{/* +Return the Solr TLS credentials secret +*/}} +{{- define "solr.tlsSecretName" -}} +{{- $secretName := .Values.tls.certificatesSecretName -}} +{{- if $secretName -}} + {{- printf "%s" (tpl $secretName $) -}} +{{- else -}} + {{- printf "%s-crt" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} + +{{/* +Return true if a TLS credentials secret object should be created +*/}} +{{- define "solr.tlsPasswordsSecret" -}} +{{- $secretName := .Values.tls.passwordsSecretName -}} +{{- if $secretName -}} + {{- printf "%s" (tpl $secretName $) -}} +{{- else -}} + {{- printf "%s-tls-pass" (include "common.names.fullname" .) -}} +{{- end -}} +{{- end -}} diff --git a/bitnami/solr/templates/secret.yaml b/bitnami/solr/templates/secret.yaml index cff23133b3..a7e2a75a3f 100644 --- a/bitnami/solr/templates/secret.yaml +++ b/bitnami/solr/templates/secret.yaml 
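Review bot: The header comment on `solr.tlsPasswordsSecret` still reads `Return true if a TLS credentials secret object should be created`, but the helper now returns a secret name (the commit message says the check was removed), so it should read `Return the name of the secret holding the keystore/truststore passwords`. Relatedly, `solr.tlsSecretName` falls back to `<fullname>-crt` whenever `tls.certificatesSecretName` is empty, including when `tls.autoGenerated` is false; in that combination nothing in the chart creates that secret and the pod stays in ContainerCreating on a missing volume source. Failing at render time is friendlier, e.g. in the else branch `{{- if not .Values.tls.autoGenerated -}}{{- fail "tls.certificatesSecretName is required when tls.enabled is true and tls.autoGenerated is false" -}}{{- end -}}`, or the equivalent rule in a validateValues helper if the chart has one.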
@@ -18,4 +18,28 @@ data: {{ else }} solr-password: {{ randAlphaNum 10 | b64enc | quote }} {{ end }} -{{- end }} \ No newline at end of file +--- +{{- end }} +{{- if and .Values.tls.enabled (not .Values.tls.passwordsSecretName) (or .Values.tls.keystorePassword .Values.tls.truststorePassword .Values.tls.autoGenerated) -}} +apiVersion: v1 +kind: Secret +metadata: + name: {{ printf "%s-tls-pass" (include "common.names.fullname" .) }} + namespace: {{ .Release.Namespace | quote }} + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: Opaque +data: + {{- if or .Values.tls.keystorePassword .Values.tls.autoGenerated }} + tls-keystore-password: {{ (.Values.tls.keystorePassword | default (randAlphaNum 10)) | b64enc | quote }} + {{- end }} + {{- if or .Values.tls.truststorePassword .Values.tls.autoGenerated }} + tls-truststore-password: {{ (.Values.tls.truststorePassword | default (randAlphaNum 10))| b64enc | quote }} + {{- end }} +--- +{{- end }} diff --git a/bitnami/solr/templates/statefulset.yaml b/bitnami/solr/templates/statefulset.yaml index debbdfee09..4226a337e8 100644 --- a/bitnami/solr/templates/statefulset.yaml +++ b/bitnami/solr/templates/statefulset.yaml 
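Review bot: The `tls-keystore-password` and `tls-truststore-password` keys are each rendered only when their own value (or `tls.autoGenerated`) is set, but statefulset.yaml reads both keys from this secret unconditionally, so setting only `tls.keystorePassword` leaves the pod in CreateContainerConfigError on the missing `tls-truststore-password` key. Since the secret is already created whenever either password is given, render both keys every time: `tls-keystore-password: {{ .Values.tls.keystorePassword | default (randAlphaNum 10) | b64enc | quote }}` and `tls-truststore-password: {{ .Values.tls.truststorePassword | default (randAlphaNum 10) | b64enc | quote }}`. A random default is only sound on the autogenerated path, where the init container rebuilds the stores with the current password at every pod start; for user-supplied `.p12` files a random value cannot match the store, so `required` with a clear message is the better fallback there. The `randAlphaNum` values are also re-rolled on every `helm upgrade`, which deserves a comment above the block so operators are not surprised by the secret churning.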
@@ -84,6 +84,61 @@ spec: {{- if .Values.initContainers }} {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }} {{- end }} + {{- if .Values.tls.enabled}} + {{- $fullname := include "solr.fullname" . }} + - name: init-certs + image: {{ include "solr.image" . }} + imagePullPolicy: {{ .Values.image.pullPolicy | quote }} + {{- if .Values.containerSecurityContext.enabled }} + securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }} + {{- end }} + command: + - /bin/bash + - -ec + - |- + if [[ -f "/certs/ca.crt" ]] && [[ -f "/certs/tls.key" ]] && [[ -f "/certs/tls.crt" ]]; then + openssl pkcs12 -export -in "/certs/tls.crt" \ + -inkey "/certs/tls.key" -out "/tmp/keystore.p12" \ + -passin pass:"/certs/tls.key" -passout pass:"${SOLR_SSL_KEY_STORE_PASSWORD}" + + keytool -importkeystore -srckeystore "/tmp/keystore.p12" \ + -srcstoretype PKCS12 \ + -srcstorepass "${SOLR_SSL_KEY_STORE_PASSWORD}" \ + -deststorepass "${SOLR_SSL_KEY_STORE_PASSWORD}" \ + -destkeystore "/opt/bitnami/solr/certs/keystore.p12" + + rm "/tmp/keystore.p12" + + keytool -import -file "/certs/ca.crt" -keystore "/opt/bitnami/solr/certs/truststore.p12" -storepass "${SOLR_SSL_TRUST_STORE_PASSWORD}" -noprompt + else + cp "/certs/keystore.p12" "/opt/bitnami/solr/certs/keystore.p12" + cp "/certs/truststore.p12" "/opt/bitnami/solr/certs/truststore.p12" + fi + env: + - name: MY_POD_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.name + - name: SOLR_SSL_KEY_STORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "solr.tlsPasswordsSecret" . }} + key: tls-keystore-password + - name: SOLR_SSL_TRUST_STORE_PASSWORD + valueFrom: + secretKeyRef: + name: {{ include "solr.tlsPasswordsSecret" . 
}} + key: tls-truststore-password + {{- if .Values.resources }} + resources: {{- include "common.tplvalues.render" (dict "value" .Values.tls.resources "context" $) | nindent 12 }} + {{- end }} + volumeMounts: + - name: certs + mountPath: '/certs' + - name: certs-shared + mountPath: '/opt/bitnami/solr/certs' + {{- end }} containers: - name: solr image: {{ include "solr.image" . }} @@ -162,19 +217,25 @@ spec: {{- if .Values.tls.enabled }} - name: SOLR_SSL_ENABLED value: "yes" + {{- if (include "solr.createTlsSecret" .) }} + - name: SOLR_SSL_KEY_STORE_TYPE + value: "JKS" + - name: SOLR_SSL_TRUST_STORE_TYPE + value: "JKS" + {{- end }} - name: SOLR_SSL_KEY_STORE value: /opt/bitnami/solr/certs/keystore.p12 - name: SOLR_SSL_KEY_STORE_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.tls.passwordsSecretName | quote }} + name: {{ include "solr.tlsPasswordsSecret" . }} key: tls-keystore-password - name: SOLR_SSL_TRUST_STORE value: /opt/bitnami/solr/certs/truststore.p12 - name: SOLR_SSL_TRUST_STORE_PASSWORD valueFrom: secretKeyRef: - name: {{ .Values.tls.passwordsSecretName | quote }} + name: {{ include "solr.tlsPasswordsSecret" . }} key: tls-truststore-password - name: SOLR_SSL_CHECK_PEER_NAME value: "false" @@ -236,10 +297,11 @@ spec: volumeMounts: - name: data mountPath: {{ .Values.persistence.mountPath }} - {{- if .Values.tls.certificatesSecretName }} - - name: certs + {{- if .Values.tls.enabled }} + - name: certs-shared mountPath: '/opt/bitnami/solr/certs' - readOnly: true + - name: certs + mountPath: '/certs' {{- end }} {{- if .Values.extraVolumeMounts }} 
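Review bot: The init-certs script passes both store passwords on the command line (`-passout pass:"${...}"`, `-srcstorepass`, `-deststorepass`, `-storepass`), which exposes them via `/proc/<pid>/cmdline` to anything able to list processes in the pod or on the node while the container runs; openssl's `env:` and keytool's `:env` password modifiers read the value from the environment instead. The `-passin pass:"/certs/tls.key"` argument is a literal path used as a passphrase: it is ignored for the unencrypted key the chart generates and would fail for an encrypted one, so drop it and document that encrypted keys are unsupported. Separately, the `resources:` block for this container is gated on `.Values.resources` (the main container's setting) instead of `.Values.tls.resources`, so `tls.resources` is silently ignored unless `resources` is also set: `{{- if .Values.tls.resources }}`. `MY_POD_NAME` is defined but never used by the script.
```yaml
          - |-
            if [[ -f "/certs/ca.crt" ]] && [[ -f "/certs/tls.key" ]] && [[ -f "/certs/tls.crt" ]]; then
              # Passwords are taken from the environment, never from argv.
              openssl pkcs12 -export -in "/certs/tls.crt" \
                -inkey "/certs/tls.key" -out "/tmp/keystore.p12" \
                -passout env:SOLR_SSL_KEY_STORE_PASSWORD

              keytool -importkeystore -srckeystore "/tmp/keystore.p12" \
                -srcstoretype PKCS12 \
                -srcstorepass:env SOLR_SSL_KEY_STORE_PASSWORD \
                -deststorepass:env SOLR_SSL_KEY_STORE_PASSWORD \
                -destkeystore "/opt/bitnami/solr/certs/keystore.p12"

              rm "/tmp/keystore.p12"

              keytool -import -file "/certs/ca.crt" -keystore "/opt/bitnami/solr/certs/truststore.p12" \
                -storepass:env SOLR_SSL_TRUST_STORE_PASSWORD -noprompt
            # … unchanged: else branch copying pre-built keystore.p12 / truststore.p12 …
```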
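Review bot: `SOLR_SSL_KEY_STORE_TYPE` and `SOLR_SSL_TRUST_STORE_TYPE` are set to `"JKS"` on the autogenerated path, yet the init container writes `keystore.p12` with `keytool -importkeystore` from a PKCS12 source and `truststore.p12` with `keytool -import`, neither with an explicit destination type, and on the JDK 9+ runtimes the image likely ships the default store type is PKCS12. If this works it is presumably because Java's JKS loader opens PKCS12 files in its compatibility mode, which is not something to rely on; `value: "PKCS12"` matches the file names and what the script produces, or else add `-deststoretype`/`-storetype` in the init container so the declared type and the files agree explicitly. Whichever is chosen, a one-line comment above the `{{- if (include "solr.createTlsSecret" .) }}` block explaining why the type is overridden only for generated certs would save the next reader the same investigation.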
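Review bot: The main `solr` container now mounts the raw TLS secret at `/certs` and the converted stores at `/opt/bitnami/solr/certs` with no `readOnly: true`, whereas before this change the certificate mount was read-only. Only the init container needs the PEM private key, so the main container should mount just the converted stores, read-only, keeping the key material and a writable mount out of the long-running process: `- name: certs-shared`, `mountPath: '/opt/bitnami/solr/certs'`, `readOnly: true`, and drop the `- name: certs` / `mountPath: '/certs'` pair here. Solr reads the stores at startup, so a read-only mount should be fine, but confirm nothing in the image rewrites files under that path.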
@@ -260,10 +322,12 @@ spec: - name: data emptyDir: {} {{- end }} - {{- if .Values.tls.certificatesSecretName }} + {{- if .Values.tls.enabled }} - name: certs secret: - secretName: {{ .Values.tls.certificatesSecretName }} + secretName: {{ include "solr.tlsSecretName" . }} + - name: certs-shared + emptyDir: {} {{- end }} {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }} volumeClaimTemplates: diff --git a/bitnami/solr/templates/tls-auto-secrets.yaml b/bitnami/solr/templates/tls-auto-secrets.yaml new file mode 100644 index 0000000000..360fce14be --- /dev/null +++ b/bitnami/solr/templates/tls-auto-secrets.yaml 
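Review bot: `certs-shared` is a disk-backed `emptyDir`, so the PKCS12 keystore holding the private key is written to the node's filesystem for the pod's lifetime. For a few kilobytes of key material a tmpfs-backed volume is the usual choice and keeps it out of node disks and their snapshots: `emptyDir:` / `medium: Memory`; it counts against the container memory limit, which is negligible here. Consider also a comment noting that `certs` now resolves to either the user's secret or the chart-generated `<fullname>-crt`, since the volume name no longer tells the reader which.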
@@ -0,0 +1,25 @@ +{{- if (include "solr.createTlsSecret" .) }} +{{- $ca := genCA "solr-ca" 365 }} +{{- $releaseNamespace := .Release.Namespace }} +{{- $clusterDomain := .Values.clusterDomain }} +{{- $serviceName := include "common.names.fullname" . }} +{{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) }} +{{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) $serviceName }} +{{- $crt := genSignedCert $serviceName nil $altNames 365 $ca }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "common.names.fullname" . }}-crt + labels: {{- include "common.labels.standard" . | nindent 4 }} + {{- if .Values.commonLabels }} + {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }} + {{- end }} + {{- if .Values.commonAnnotations }} + annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }} + {{- end }} +type: kubernetes.io/tls +data: + ca.crt: {{ $ca.Cert | b64enc | quote }} + tls.crt: {{ $crt.Cert | b64enc | quote }} + tls.key: {{ $crt.Key | b64enc | quote }} +{{- end }} diff --git a/bitnami/solr/values.yaml b/bitnami/solr/values.yaml index 665d073861..afbdfecb04 100644 --- a/bitnami/solr/values.yaml +++ b/bitnami/solr/values.yaml @@ -147,6 +147,9 @@ authentication: tls: ## Enable TLS traffic enabled: false + ## Create self-signed TLS certificates. Currently only supports PEM certificates. + ## + autoGenerated: false ## Name of the secret that contains the certificates ## It should contains two keys called "keystore.p12" and "trustore.p12" with the files in JKS or P12 format. ## certificatesSecretName: cert-files 
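Review bot: `genCA` and `genSignedCert` run on every render, so each `helm upgrade` replaces the CA, certificate and key; any client that pinned the previous `ca.crt` breaks, and during the rolling update old and new pods trust different CAs. The usual mitigation is to `lookup "v1" "Secret" .Release.Namespace (printf "%s-crt" (include "common.names.fullname" .))` and reuse its `data` when present, generating only on first install (noting that `lookup` returns nothing under `helm template`). The Secret also lacks `namespace: {{ .Release.Namespace | quote }}`, which secret.yaml in this same commit sets. Finally, the hard-coded 365-day lifetime has no renewal path other than an upgrade, so say so in a comment above `$ca` or expose it as a value.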
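Review bot: The comment on `autoGenerated` (`Currently only supports PEM certificates`) is ambiguous, since the generated material is always PEM and it is the init container that converts it; what the reader needs is the precedence and lifecycle contract. Suggest: `## Generate a self-signed CA and certificate (PEM) in a <fullname>-crt Secret; an init container converts them to PKCS12 stores. Pods mount certificatesSecretName instead when it is set. Regenerated on every helm upgrade.` The precedence claim follows from `solr.tlsSecretName` preferring `certificatesSecretName`; the regeneration note follows from tls-auto-secrets.yaml calling `genCA` unconditionally.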
@@ -157,6 +160,26 @@ tls: ## passwordsSecretName: my-passwords # passwordsSecretName: + ## Keystore and Truststore Password + ## + keystorePassword: '' + truststorePassword: '' + + resources: + ## We usually recommend not to specify default resources and to leave this as a conscious + ## choice for the user. This also increases chances charts run on environments with little + ## resources, such as Minikube. If you do want to specify resources, uncomment the following + ## lines, adjust them as necessary, and remove the curly braces after 'resources:'. + ## + limits: {} + ## cpu: 100m + ## memory: 128Mi + ## + requests: {} + ## cpu: 100m + ## memory: 128Mi + ## + ## Container Command (set to default if not set). ## command: []
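Review bot: `keystorePassword` and `truststorePassword` are plaintext values that persist in the Helm release secret and in any committed values file, but the comment above them (`Keystore and Truststore Password`) gives no guidance on when to use them versus `passwordsSecretName`. Suggest: `## Only used when passwordsSecretName is empty; stored in a chart-managed Secret but also kept in plaintext in Helm release history, so prefer passwordsSecretName outside development. Leave empty with autoGenerated to get random values (re-rolled on each upgrade).` The re-roll behaviour follows from secret.yaml using `randAlphaNum` at render time without `lookup`.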