Support using a custom CA (#655)

azimuth-cloud · Oct 10, 2024 · a7a36e8 · a7a36e8
1 parent 0b0b9fc
commit a7a36e8
Show file tree

Hide file tree

Showing 15 changed files with 232 additions and 60 deletions.
diff --git a/charts/server/templates/configmap-trust-bundle.yaml b/charts/server/templates/configmap-trust-bundle.yaml
@@ -0,0 +1,10 @@
+{{- if .Values.common.trustBundle }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "zenith.componentname" (list . "trust-bundle") }}
+  labels: {{ include "zenith.componentLabels" (list . "trust-bundle") | nindent 4 }}
+data:
+  ca-certificates.crt: |
+    {{- nindent 4 .Values.common.trustBundle }}
+{{- end }}
diff --git a/charts/server/templates/registrar/deployment.yaml b/charts/server/templates/registrar/deployment.yaml
@@ -37,6 +37,11 @@ spec:
             - name: etc-zenith
               mountPath: /etc/zenith
               readOnly: true
+            {{- if .Values.common.trustBundle }}
+            - name: trust-bundle
+              mountPath: /etc/ssl/certs
+              readOnly: true
+            {{- end }}
       {{- with .Values.registrar.nodeSelector }}
       nodeSelector: {{ toYaml . | nindent 8 }}
       {{- end }}
@@ -50,4 +55,9 @@ spec:
         - name: etc-zenith
           secret:
             secretName: {{ include "zenith.componentname" (list . "registrar-conf") }}
+        {{- if .Values.common.trustBundle }}
+        - name: trust-bundle
+          configMap:
+            name: {{ include "zenith.componentname" (list . "trust-bundle") }}
+        {{- end }}
 {{- end }}
diff --git a/charts/server/templates/sshd/deployment.yaml b/charts/server/templates/sshd/deployment.yaml
@@ -46,6 +46,11 @@ spec:
               readOnly: true
             - name: var-run-sshd
               mountPath: /var/run/sshd
+            {{- if .Values.common.trustBundle }}
+            - name: trust-bundle
+              mountPath: /etc/ssl/certs
+              readOnly: true
+            {{- end }}
       {{- with .Values.sshd.nodeSelector }}
       nodeSelector: {{ toYaml . | nindent 8 }}
       {{- end }}
@@ -70,4 +75,9 @@ spec:
             name: {{ include "zenith.componentname" (list . "sshd-conf") }}
         - name: var-run-sshd
           emptyDir: {}
+        {{- if .Values.common.trustBundle }}
+        - name: trust-bundle
+          configMap:
+            name: {{ include "zenith.componentname" (list . "trust-bundle") }}
+        {{- end }}
 {{- end }}
diff --git a/charts/server/templates/sync/configmap.yaml b/charts/server/templates/sync/configmap.yaml
@@ -3,6 +3,9 @@
 {{- $common := deepCopy .Values.common.ingress }}
 {{- $ingress := mergeOverwrite $global $common }}
 kubernetes:
+  {{- if .Values.common.trustBundle }}
+  trustBundleConfigmapName: {{ include "zenith.componentname" (list . "trust-bundle") }}
+  {{- end }}
   targetNamespace: {{ .Values.common.kubernetes.targetNamespace }}
   # By default, we use the same chart version for the service chart
   serviceChartVersion: {{ .Chart.Version }}

diff --git a/charts/server/templates/sync/deployment.yaml b/charts/server/templates/sync/deployment.yaml
@@ -46,6 +46,11 @@ spec:
             - name: etc-zenith
               mountPath: /etc/zenith
               readOnly: true
+            {{- if .Values.common.trustBundle }}
+            - name: trust-bundle
+              mountPath: /etc/ssl/certs
+              readOnly: true
+            {{- end }}
             - name: tmp
               mountPath: /tmp
       {{- with .Values.sync.nodeSelector }}
@@ -61,6 +66,11 @@ spec:
         - name: etc-zenith
           configMap:
             name: {{ include "zenith.componentname" (list . "sync-conf") }}
+        {{- if .Values.common.trustBundle }}
+        - name: trust-bundle
+          configMap:
+            name: {{ include "zenith.componentname" (list . "trust-bundle") }}
+        {{- end }}
         # Mount a writable directory at /tmp
         - name: tmp
           emptyDir: {}

diff --git a/charts/server/templates/sync/role-trust-bundle-reader.yaml b/charts/server/templates/sync/role-trust-bundle-reader.yaml
@@ -0,0 +1,20 @@
+{{- if and .Values.sync.enabled .Values.common.trustBundle }}
+# This role allows the holder to read the trust bundle configmap in the release namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ include "zenith.componentname" (list . "sync") }}-trust-bundle-reader
+  labels: {{ include "zenith.componentLabels" (list . "sync") | nindent 4 }}
+rules:
+  # We only need access to the named configmap
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    resourceNames:
+      - {{ include "zenith.componentname" (list . "trust-bundle") }}
+    verbs:
+      - list
+      - get
+      - watch
+{{- end }}
diff --git a/charts/server/templates/sync/rolebinding-trust-bundle-reader.yaml b/charts/server/templates/sync/rolebinding-trust-bundle-reader.yaml
@@ -0,0 +1,17 @@
+{{- if and .Values.sync.enabled .Values.common.trustBundle }}
+# This role binding allows the sync service account to access the trust bundle configmap
+# in the release namespace
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "zenith.componentname" (list . "sync") }}-trust-bundle-reader
+  labels: {{ include "zenith.componentLabels" (list . "sync") | nindent 4 }}
+subjects:
+  - kind: ServiceAccount
+    namespace: {{ .Release.Namespace }}
+    name: {{ include "zenith.componentname" (list . "sync") }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: {{ include "zenith.componentname" (list . "sync") }}-trust-bundle-reader
+{{- end }}
diff --git a/charts/server/values.yaml b/charts/server/values.yaml
@@ -25,6 +25,8 @@ global:
 
 # Common configuration
 common:
+  # A bundle of trusted CAs to use instead of the defaults
+  trustBundle:
   # Ingress configuration
   # This overrides global.ingress, and can be overridden by component-specific settings
   ingress: {}

diff --git a/client/Dockerfile b/client/Dockerfile
@@ -19,6 +19,10 @@ FROM ubuntu:jammy
 # Don't buffer stdout and stderr as it breaks realtime logging
 ENV PYTHONUNBUFFERED 1
 
+# Make requests use the system trust roots
+# By default, this means we use the roots baked into the image
+ENV REQUESTS_CA_BUNDLE /etc/ssl/certs/ca-certificates.crt
+
 # Create the user that will be used to run the client process
 ENV ZENITH_UID 1001
 ENV ZENITH_GID 1001

diff --git a/operator/Dockerfile b/operator/Dockerfile
@@ -23,6 +23,10 @@ FROM ubuntu:jammy
 # Don't buffer stdout and stderr as it breaks realtime logging
 ENV PYTHONUNBUFFERED 1
 
+# Make httpx use the system trust roots
+# By default, this means we use the CAs from the ca-certificates package
+ENV SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
+
 # Create the user that will be used to run the app
 ENV ZENITH_UID 1001
 ENV ZENITH_GID 1001

diff --git a/registrar/Dockerfile b/registrar/Dockerfile
@@ -19,6 +19,10 @@ FROM ubuntu:jammy
 # Don't buffer stdout and stderr as it breaks realtime logging
 ENV PYTHONUNBUFFERED 1
 
+# Make httpx use the system trust roots
+# By default, this means we use the CAs from the ca-certificates package
+ENV SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
+
 # Create the user that will be used to run the app
 ENV ZENITH_UID 1001
 ENV ZENITH_GID 1001

diff --git a/sshd/Dockerfile b/sshd/Dockerfile
@@ -19,6 +19,11 @@ FROM ubuntu:jammy
 # Don't buffer stdout and stderr as it breaks realtime logging
 ENV PYTHONUNBUFFERED 1
 
+# Make requests and httpx use the system trust roots
+# By default, this means we use the CAs from the ca-certificates package
+ENV SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
+ENV REQUESTS_CA_BUNDLE /etc/ssl/certs/ca-certificates.crt
+
 # Create an unprivileged user to accept tunnel requests
 # The user has a home directory, a restricted shell to allow the tunnel script
 # to run and an empty password to allow anonymous SSH

diff --git a/sync/Dockerfile b/sync/Dockerfile
@@ -59,6 +59,10 @@ FROM ubuntu:jammy
 # Don't buffer stdout and stderr as it breaks realtime logging
 ENV PYTHONUNBUFFERED 1
 
+# Make httpx use the system trust roots
+# By default, this means we use the CAs from the ca-certificates package
+ENV SSL_CERT_FILE /etc/ssl/certs/ca-certificates.crt
+
 # Tell Helm to use /tmp for mutable data
 ENV HELM_CACHE_HOME /tmp/helm/cache
 ENV HELM_CONFIG_HOME /tmp/helm/config

diff --git a/sync/zenith/sync/config.py b/sync/zenith/sync/config.py
@@ -212,12 +212,16 @@ class KubernetesConfig(Section):
     #: Default values for releases of the service chart
     service_default_values: t.Dict[str, t.Any] = Field(default_factory = dict)
 
+    #: The name of a configmap containing a trust bundle
+    #: If not given, the default trust will be used
+    trust_bundle_configmap_name: t.Optional[str] = None
+
     #: The label used to indicate a managed resource
     created_by_label: str = "app.kubernetes.io/created-by"
     #: The label used to indicate the corresponding Zenith service for a resource
     service_name_label: str = "zenith.stackhpc.com/service-name"
-    #: The annotation used to record that a secret is a mirror of another secret
-    tls_mirror_annotation: str = "zenith.stackhpc.com/mirrors"
+    #: The annotation used to record that a resource is a mirror of another
+    mirror_annotation: str = "zenith.stackhpc.com/mirrors"
     #: The maximum number of concurrent reconciliations
     reconciliation_max_concurrency: t.Annotated[int, Field(gt = 0)] = 20
     #: The maximum delay between retries when backing off