custom CA pool for authorization endpoint (#833)

plgd-dev · Dec 14, 2022 · 953d400 · 953d400
1 parent 98df2c8
commit 953d400
Show file tree

Hide file tree

Showing 18 changed files with 128 additions and 8 deletions.
diff --git a/charts/plgd-hub/README.md b/charts/plgd-hub/README.md
@@ -249,10 +249,15 @@ global:
 | coapgateway.service.udp.type | string | `nil` | Service type |
 | coapgateway.taskQueue | object | `{"goPoolSize":1600,"maxIdleTime":"10m","size":"2097152"}` | For complete coap-gateway service configuration see [plgd/coap-gateway](https://github.com/plgd-dev/hub/tree/main/coap-gateway) |
 | coapgateway.tolerations | object | `{}` | Toleration definition |
+| extraAuthorizationCAPool | object | `{"fileName":"ca.crt","mountPath":"/certs/extra","name":"authorization-ca-pool"}` | Configuration parameters for authorizationCaPool |
+| extraAuthorizationCAPool.fileName | string | `"ca.crt"` | Name of file for custom auth ca pool |
+| extraAuthorizationCAPool.mountPath | string | `"/certs/extra"` | Mount path for custom auth ca pool |
+| extraAuthorizationCAPool.name | string | `"authorization-ca-pool"` | Name of secret for storing custom auth ca pool |
 | extraDeploy | string | `nil` | Extra deploy. Resolved as template |
-| global | object | `{"audience":"","authority":null,"defaultCommandTimeToLive":"10s","deviceIdClaim":null,"domain":null,"enableWildCartCert":true,"hubId":null,"oauth":{"device":[],"web":{"clientID":null}},"openTelemetryExporter":{"address":null,"enabled":false,"keepAlive":{"permitWithoutStream":true,"time":"10s","timeout":"20s"},"tls":{"caPool":null,"certFile":null,"keyFile":null,"useSystemCAPool":false}},"ownerClaim":"sub"}` | Global config variables |
+| global | object | `{"audience":"","authority":null,"authorizationCAPool":null,"defaultCommandTimeToLive":"10s","deviceIdClaim":null,"domain":null,"enableWildCartCert":true,"hubId":null,"oauth":{"device":[],"web":{"clientID":null}},"openTelemetryExporter":{"address":null,"enabled":false,"keepAlive":{"permitWithoutStream":true,"time":"10s","timeout":"20s"},"tls":{"caPool":null,"certFile":null,"keyFile":null,"useSystemCAPool":false}},"ownerClaim":"sub"}` | Global config variables |
 | global.audience | string | `""` | OAuth audience |
 | global.authority | string | `nil` | OAuth authority |
+| global.authorizationCAPool | string | `nil` | Custom CA certificate for authorization endpoint in PEM format |
 | global.defaultCommandTimeToLive | string | `"10s"` | Global Default command time to live for resource-aggregate and resource-directory |
 | global.deviceIdClaim | string | `nil` | Device ID claim |
 | global.domain | string | `nil` | Global domain |

diff --git a/charts/plgd-hub/templates/_helpers.tpl b/charts/plgd-hub/templates/_helpers.tpl
@@ -97,6 +97,36 @@ If release name contains chart name it will be used as a full name.
   {{- end }}
 {{- end }}
 
+{{- define "plgd-hub.authorizationCaCertificateConfig" }}
+  {{- $ := index . 0 }}
+  {{- $certDefinition := index . 1 }}
+  {{- $certPath := index . 2 }}
+  {{- $caPool := list (printf "%s/%s" $.Values.extraAuthorizationCAPool.mountPath $.Values.extraAuthorizationCAPool.fileName | quote) (printf "%s/ca.crt" $certPath | quote) }}
+  {{- if $certDefinition.caPool }}
+  caPool:{{- printf " " }}{{- printf "%s" $certDefinition.caPool | quote }}
+  {{- else if $.Values.certmanager.enabled }}
+  {{- if $.Values.global.authorizationCAPool }}
+  caPool:
+    {{- range $caPool }}
+    - {{ printf "%s" . }}
+    {{- end }}
+  {{- else }}
+  caPool:{{- printf " " }}{{- printf "%s/ca.crt" $certPath | quote  }}
+  {{- end }}
+  {{- end }}
+  {{- if $certDefinition.keyFile }}
+  keyFile:{{- printf " " }}{{- printf "%s" $certDefinition.keyFile | quote }}
+  {{- else if $.Values.certmanager.enabled }}
+  keyFile:{{- printf " " }}{{- printf "%s/tls.key" $certPath  | quote  }}
+  {{- end }}
+  {{- if $certDefinition.certFile }}
+  certFile:{{- printf " " }}{{- printf "%s" $certDefinition.certFile | quote }}
+  {{- else if $.Values.certmanager.enabled }}
+  certFile:{{- printf " " }}{{- printf "%s/tls.crt" $certPath | quote }}
+  {{- end }}
+{{- end }}
+
+
 {{- define "plgd-hub.authorizationConfig" }}
   {{- $ := index . 0 }}
   {{- $authoriztion := index . 1 }}

diff --git a/charts/plgd-hub/templates/certificate-authority/config.yaml b/charts/plgd-hub/templates/certificate-authority/config.yaml
@@ -46,7 +46,7 @@ data:
             timeout: {{ .apis.grpc.authorization.http.timeout }}
             tls:
               {{- $grpcTls := .apis.grpc.authorization.http.tls }}
-              {{- include "plgd-hub.certificateConfig" (list $ $grpcTls $cert ) | indent 12 }}
+              {{- include "plgd-hub.authorizationCaCertificateConfig" (list $ $grpcTls $cert ) | indent 12 }}
               useSystemCAPool: {{ .apis.grpc.authorization.http.tls.useSystemCAPool }}
       http:
         address: {{  .apis.http.address | default (printf "0.0.0.0:%v" .httpPort) | quote }}

diff --git a/charts/plgd-hub/templates/certificate-authority/deployment.yaml b/charts/plgd-hub/templates/certificate-authority/deployment.yaml
@@ -92,6 +92,10 @@ spec:
             - name: {{ .Values.certificateauthority.ca.volume.name }}
               mountPath: {{ .Values.certificateauthority.ca.volume.mountPath }}
             {{- end }}
+            {{- if .Values.global.authorizationCAPool }}
+            - name: {{ .Values.extraAuthorizationCAPool.name }}
+              mountPath: {{ .Values.extraAuthorizationCAPool.mountPath }}
+            {{- end }}
             {{- with .Values.certificateauthority.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -112,6 +116,11 @@ spec:
           secret:
             secretName: {{ .Values.certificateauthority.ca.secret.name | default $.Values.certmanager.default.ca.secret.name }}
         {{- end }}
+        {{- if .Values.global.authorizationCAPool }}
+        - name: {{ .Values.extraAuthorizationCAPool.name }}
+          secret:
+            secretName: {{ .Values.extraAuthorizationCAPool.name }}
+        {{- end }}
         {{- with .Values.certificateauthority.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/plgd-hub/templates/certs/authorization-ca-pool.yaml b/charts/plgd-hub/templates/certs/authorization-ca-pool.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.global.authorizationCAPool }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.extraAuthorizationCAPool.name }}
+  namespace: {{ $.Release.Namespace }}
+  labels:
+    {{- include "plgd-hub.labels" $ | nindent 4 }}
+data:
+  {{ .Values.extraAuthorizationCAPool.fileName }}: {{ .Values.global.authorizationCAPool | b64enc }}
+{{- end }}
diff --git a/charts/plgd-hub/templates/coap-gateway/config.yaml b/charts/plgd-hub/templates/coap-gateway/config.yaml
@@ -91,7 +91,7 @@ data:
                 timeout: {{ $http.timeout | default "10s" }}
                 tls:
                   {{- $providerTls := $http.tls }}
-                  {{- include "plgd-hub.certificateConfig" (list $ $providerTls $coapGatewayCertPath) | indent 16 }}
+                  {{- include "plgd-hub.authorizationCaCertificateConfig" (list $ $providerTls $coapGatewayCertPath) | indent 16 }}
                   useSystemCAPool: {{ $providerTls.useSystemCAPool | default true }}
           {{- end }}
     clients:

diff --git a/charts/plgd-hub/templates/coap-gateway/deployment.yaml b/charts/plgd-hub/templates/coap-gateway/deployment.yaml
@@ -91,6 +91,10 @@ spec:
             - name: service-crt
               mountPath: {{ $rdServiceCert }}
             {{- end }}
+            {{- if .Values.global.authorizationCAPool }}
+            - name: {{ .Values.extraAuthorizationCAPool.name }}
+              mountPath: {{ .Values.extraAuthorizationCAPool.mountPath }}
+            {{- end }}
             {{- with .Values.coapgateway.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -116,6 +120,11 @@ spec:
           secret:
             secretName: {{ include "plgd-hub.coapgateway.serviceCertName" . }}
         {{- end }}
+        {{- if .Values.global.authorizationCAPool }}
+        - name: {{ .Values.extraAuthorizationCAPool.name }}
+          secret:
+            secretName: {{ .Values.extraAuthorizationCAPool.name }}
+        {{- end }}
         {{- with .Values.coapgateway.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/plgd-hub/templates/grpc-gateway/config.yaml b/charts/plgd-hub/templates/grpc-gateway/config.yaml
@@ -48,7 +48,7 @@ data:
             timeout: {{ .apis.grpc.authorization.http.timeout }}
             tls:
               {{- $grpcTls := .apis.grpc.authorization.http.tls }}
-              {{- include "plgd-hub.certificateConfig" (list $ $grpcTls $grpcGatewayCertPath ) | indent 12 }}
+              {{- include "plgd-hub.authorizationCaCertificateConfig" (list $ $grpcTls $grpcGatewayCertPath ) | indent 12 }}
               useSystemCAPool: {{ .apis.grpc.authorization.http.tls.useSystemCAPool }}
     clients:
       eventBus:

diff --git a/charts/plgd-hub/templates/grpc-gateway/deployment.yaml b/charts/plgd-hub/templates/grpc-gateway/deployment.yaml
@@ -84,6 +84,10 @@ spec:
             - name: service-crt
               mountPath: {{ $cert }}
             {{- end }}
+            {{- if .Values.global.authorizationCAPool }}
+            - name: {{ .Values.extraAuthorizationCAPool.name }}
+              mountPath: {{ .Values.extraAuthorizationCAPool.mountPath }}
+            {{- end }}
             {{- with .Values.grpcgateway.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -99,6 +103,11 @@ spec:
           secret:
             secretName: {{ include "plgd-hub.grpcgateway.serviceCertName" . }}
         {{- end }}
+        {{- if .Values.global.authorizationCAPool }}
+        - name: {{ .Values.extraAuthorizationCAPool.name }}
+          secret:
+            secretName: {{ .Values.extraAuthorizationCAPool.name }}
+        {{- end }}
         {{- with .Values.grpcgateway.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/plgd-hub/templates/http-gateway/config.yaml b/charts/plgd-hub/templates/http-gateway/config.yaml
@@ -45,7 +45,7 @@ data:
             timeout: {{ .apis.http.authorization.http.timeout }}
             tls:
               {{- $httpTls := .apis.http.authorization.http.tls }}
-              {{- include "plgd-hub.certificateConfig" (list $ $httpTls $httpGatewayCertPath ) | indent 12 }}
+              {{- include "plgd-hub.authorizationCaCertificateConfig" (list $ $httpTls $httpGatewayCertPath ) | indent 12 }}
               useSystemCAPool: {{ .apis.http.authorization.http.tls.useSystemCAPool }}
     clients:
       grpcGateway:

diff --git a/charts/plgd-hub/templates/http-gateway/deployment.yaml b/charts/plgd-hub/templates/http-gateway/deployment.yaml
@@ -84,6 +84,10 @@ spec:
             - name: service-crt
               mountPath: {{ $rdServiceCert }}
             {{- end }}
+            {{- if .Values.global.authorizationCAPool }}
+            - name: {{ .Values.extraAuthorizationCAPool.name }}
+              mountPath: {{ .Values.extraAuthorizationCAPool.mountPath }}
+            {{- end }}
             {{- with .Values.httpgateway.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -99,6 +103,11 @@ spec:
           secret:
             secretName: {{ include "plgd-hub.httpgateway.serviceCertName" . }}
         {{- end }}
+        {{- if .Values.global.authorizationCAPool }}
+        - name: {{ .Values.extraAuthorizationCAPool.name }}
+          secret:
+            secretName: {{ .Values.extraAuthorizationCAPool.name }}
+        {{- end }}
         {{- with .Values.httpgateway.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/plgd-hub/templates/identity-store/config.yaml b/charts/plgd-hub/templates/identity-store/config.yaml
@@ -43,7 +43,7 @@ data:
             timeout: {{ .apis.grpc.authorization.http.timeout }}
             tls:
               {{- $httpTls := .apis.grpc.authorization.http.tls }}
-              {{- include "plgd-hub.certificateConfig" (list $ $httpTls $identityStoreCertPath ) | indent 12 }}
+              {{- include "plgd-hub.authorizationCaCertificateConfig" (list $ $httpTls $identityStoreCertPath ) | indent 12 }}
               useSystemCAPool: {{ .apis.grpc.authorization.http.tls.useSystemCAPool }}
     clients:
       eventBus:

diff --git a/charts/plgd-hub/templates/identity-store/deployment.yaml b/charts/plgd-hub/templates/identity-store/deployment.yaml
@@ -84,6 +84,10 @@ spec:
             - name: service-crt
               mountPath: {{ $cert }}
             {{- end }}
+            {{- if .Values.global.authorizationCAPool }}
+            - name: {{ .Values.extraAuthorizationCAPool.name }}
+              mountPath: {{ .Values.extraAuthorizationCAPool.mountPath }}
+            {{- end }}
             {{- with .Values.identitystore.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -99,6 +103,11 @@ spec:
         - name: {{ .Values.identitystore.config.volume }}
           configMap:
             name: {{ include "plgd-hub.identitystore.configName" . }}
+        {{- if .Values.global.authorizationCAPool }}
+        - name: {{ .Values.extraAuthorizationCAPool.name }}
+          secret:
+            secretName: {{ .Values.extraAuthorizationCAPool.name }}
+        {{- end }}
         {{- with .Values.identitystore.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/plgd-hub/templates/resource-aggregate/config.yaml b/charts/plgd-hub/templates/resource-aggregate/config.yaml
@@ -44,7 +44,7 @@ data:
             timeout: {{ .apis.grpc.authorization.http.timeout }}
             tls:
               {{- $grpcTls := .apis.grpc.authorization.http.tls }}
-              {{- include "plgd-hub.certificateConfig" (list $ $grpcTls $resourceAggregateCertPath) | indent 12 }}
+              {{- include "plgd-hub.authorizationCaCertificateConfig" (list $ $grpcTls $resourceAggregateCertPath) | indent 12 }}
               useSystemCAPool: {{ .apis.grpc.authorization.http.tls.useSystemCAPool }}
     clients:
       eventBus:

diff --git a/charts/plgd-hub/templates/resource-aggregate/deployment.yaml b/charts/plgd-hub/templates/resource-aggregate/deployment.yaml
@@ -84,6 +84,10 @@ spec:
             - name: service-crt
               mountPath: {{ $rdServiceCert }}
             {{- end }}
+            {{- if .Values.global.authorizationCAPool }}
+            - name: {{ .Values.extraAuthorizationCAPool.name }}
+              mountPath: {{ .Values.extraAuthorizationCAPool.mountPath }}
+            {{- end }}
             {{- with .Values.resourceaggregate.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -99,6 +103,11 @@ spec:
           secret:
             secretName: {{ include "plgd-hub.resourceaggregate.serviceCertName" . }}
         {{- end }}
+        {{- if .Values.global.authorizationCAPool }}
+        - name: {{ .Values.extraAuthorizationCAPool.name }}
+          secret:
+            secretName: {{ .Values.extraAuthorizationCAPool.name }}
+        {{- end }}
         {{- with .Values.resourceaggregate.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/plgd-hub/templates/resource-directory/config.yaml b/charts/plgd-hub/templates/resource-directory/config.yaml
@@ -44,7 +44,7 @@ data:
             timeout: {{ .apis.grpc.authorization.http.timeout }}
             tls:
               {{- $grpcTls := .apis.grpc.authorization.http.tls }}
-              {{- include "plgd-hub.certificateConfig" (list $ $grpcTls $resourceDirectoryCertPath ) | indent 12 }}
+              {{- include "plgd-hub.authorizationCaCertificateConfig" (list $ $grpcTls $resourceDirectoryCertPath ) | indent 12 }}
               useSystemCAPool: {{ .apis.grpc.authorization.http.tls.useSystemCAPool }}
     clients:
       eventBus:

diff --git a/charts/plgd-hub/templates/resource-directory/deployment.yaml b/charts/plgd-hub/templates/resource-directory/deployment.yaml
@@ -84,6 +84,10 @@ spec:
             - name: service-crt
               mountPath: {{ $rdServiceCert }}
             {{- end }}
+            {{- if .Values.global.authorizationCAPool }}
+            - name: {{ .Values.extraAuthorizationCAPool.name }}
+              mountPath: {{ .Values.extraAuthorizationCAPool.mountPath }}
+            {{- end }}
             {{- with .Values.resourcedirectory.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -99,6 +103,11 @@ spec:
           secret:
             secretName: {{ include "plgd-hub.resourcedirectory.serviceCertName" . }}
         {{- end }}
+        {{- if .Values.global.authorizationCAPool }}
+        - name: {{ .Values.extraAuthorizationCAPool.name }}
+          secret:
+            secretName: {{ .Values.extraAuthorizationCAPool.name }}
+        {{- end }}
         {{- with .Values.resourcedirectory.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

diff --git a/charts/plgd-hub/values.yaml b/charts/plgd-hub/values.yaml
@@ -27,6 +27,8 @@ global:
 #       useInUi: true
    web:
     clientID:
+  # -- Custom CA certificate for authorization endpoint in PEM format
+  authorizationCAPool:
   # -- Global Open Telemetry exporter configuration
   openTelemetryExporter:
       # -- Enable OTLP gRPC exporter
@@ -284,6 +286,15 @@ certmanager:
         # -- Certificate key size
         size:
 
+# -- Configuration parameters for authorizationCaPool
+extraAuthorizationCAPool:
+  # -- Name of secret for storing custom auth ca pool
+  name: authorization-ca-pool
+  # -- Mount path for custom auth ca pool
+  mountPath: /certs/extra
+  # -- Name of file for custom auth ca pool
+  fileName: ca.crt
+
 
 
 resourcedirectory: