Make it possible to get certificates from multiple secrets
Yevhen Ivantsov committed Aug 7, 2024
1 parent 38b11f1 commit 620bf31
Showing 24 changed files with 448 additions and 49 deletions.
85 changes: 58 additions & 27 deletions docs/docs/userguide/CONFIGURATION.md
@@ -523,38 +523,69 @@ readinessProbe:

## :material-certificate: Self Signed Certificates

To add self signed certificates to the default Java truststore, follow the below steps.
There are 2 ways to add self-signed certificates to the default Java truststore: from a single or multiple secrets.

* Create a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/){.external} containing base64-encoded certificate(s). Here's an example [kubectl command](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-source-files){.external} to create a secret from 2 local files:

```shell
kubectl create secret generic dev-certificates \
--from-file=stg.crt=./stg.crt \
--from-file=dev.crt=./dev.crt -n $namespace
```

The resulting secret will have the following data:

```yaml
data:
stg.crt: base64encodedstgcrt
dev.crt: base64encodeddevcrt
```

!!!info "You can have as many keys (certificates) in the secret as required. All keys will be mounted as files to `/tmp/crt` in the container and imported into Java truststore. In the example above, certificates will be mounted as `/tmp/crt/stg.crt` and `/tmp/crt/dev.crt`. File extension in the secret keys does not matter as long as the file is a valid certificate."

* Provide the secret name in Helm values:
=== "From a single secret"
* Create a [Kubernetes secret](https://kubernetes.io/docs/concepts/configuration/secret/){.external} containing base64-encoded certificate(s). Here's an example [kubectl command](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-source-files){.external} to create a secret from 2 local files:

```shell
kubectl create secret generic dev-certificates \
--from-file=stg.crt=./stg.crt \
--from-file=dev.crt=./dev.crt -n $namespace
```

The resulting secret will have the following data:

```yaml
data:
stg.crt: base64encodedstgcrt
dev.crt: base64encodeddevcrt
```

!!!info "You can have as many keys (certificates) in the secret as required. All keys will be mounted as files to `/tmp/crt` in the container and imported into Java truststore. In the example above, certificates will be mounted as `/tmp/crt/stg.crt` and `/tmp/crt/dev.crt`. File extension in the secret keys does not matter as long as the file is a valid certificate."

* Provide the secret name in Helm values:

```yaml
jira:
additionalCertificates:
secretName: dev-certificates
```
=== "From multiple secrets"
* Create 2 [Kubernetes secrets](https://kubernetes.io/docs/concepts/configuration/secret/){.external} containing base64-encoded certificate(s). Here's an example [kubectl command](https://kubernetes.io/docs/tasks/configmap-secret/managing-secret-using-kubectl/#use-source-files){.external} to create 2 secrets from local files (the first one with 2 certificates/keys and the second one with just one):

```shell
kubectl create secret generic dev-certificates \
--from-file=stg.crt=./stg.crt \
--from-file=dev.crt=./dev.crt -n $namespace
```yaml
jira:
additionalCertificates:
secretName: dev-certificates
```
kubectl create secret generic root-ca \
--from-file=ca.crt=./ca.crt -n $namespace
```
!!!info "You can have as many keys (certificates) in the secrets, however, you will need to list the keys you'd like to get mounted. All keys will be mounted as files to `/tmp/crt` in the container and imported into Java truststore."

* Provide the list of secrets and their keys in Helm values:

```yaml
jira:
additionalCertificates:
secretList:
- name: dev-certificates
keys:
- stg.crt
- dev.crt
- name: root-ca
keys:
- ca.crt
```
To allow having identical keys in different secrets, filenames will have the following format: `<secret-name>-<key>`, so
files will get mounted as `/tmp/crt/dev-certificates-stg.crt`, `/tmp/crt/dev-certificates-dev.crt` and `/tmp/crt/root-ca-ca.crt`
and imported to Java truststore with the same aliases.

The product Helm chart will add additional `volumeMounts` and `volumes` to the pod(s), as well as an extra init container that will:

* copy the default Java cacerts to a runtime volume shared between the init container and the main container at `/var/ssl`
* run [keytool -import](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html){.external} to import all certificates in `/tmp/crt` mounted from `dev-certificates` secret to `/var/ssl/cacerts`
* run [keytool -import](https://docs.oracle.com/javase/8/docs/technotes/tools/unix/keytool.html){.external} to import all certificates in `/tmp/crt` mounted from secret(s) to `/var/ssl/cacerts`

`-Djavax.net.ssl.trustStore=/var/ssl/cacerts` system property will be automatically added to `JVM_SUPPORT_RECOMMENDED_ARGS` environment variable.

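Review bot: the new "From multiple secrets" tab never says what happens when both `secretName` and `secretList` are set, while the values.yaml comment in this same commit states that `secretName` takes precedence; add that sentence next to the `secretList` example so nobody expects the two lists to be merged. Two smaller points in the same tab: the `!!!info` admonition directly follows the closing ``` fence with no blank line (the single-secret tab has one), and the second `kubectl create secret generic root-ca` command sits in the same fenced block as the first, so consider one block per command as in the single-secret tab. The sentence "imported to Java truststore with the same aliases" would also read more clearly as "imported into the Java truststore under the alias `<secret-name>-<key>`", which is the whole reason for the prefixed filenames.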
@@ -583,4 +614,4 @@ Helm values are mounted to be included to the [support.zip](https://confluence.a

Analytics json is a subset of `values.yaml` and contains selected Helm values that are sent as an analytics event and written to analytics logs, if analytics is enabled in the product. Analytics values are purely informational and contain information on how Helm charts are used.

You can find the complete list of analytics values in `_helpers.tpl`, `<product>.analyticsJson`.
You can find the complete list of analytics values in `_helpers.tpl`, `<product>.analyticsJson`.
4 changes: 3 additions & 1 deletion src/main/charts/bamboo/README.md
@@ -34,7 +34,9 @@ Kubernetes: `>=1.21.x-0`
| bamboo.accessLog.localHomeSubPath | string | `"log"` | The subdirectory within the local-home volume where access logs should be stored. |
| bamboo.accessLog.mountPath | string | `"/opt/atlassian/bamboo/logs"` | The path within the Bamboo container where the local-home volume should be mounted in order to capture access logs. |
| bamboo.additionalBundledPlugins | list | `[]` | Specifies a list of additional Bamboo plugins that should be added to the Bamboo container. Note plugins installed via this method will appear as bundled plugins rather than user plugins. These should be specified in the same manner as the 'additionalLibraries' property. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ NOTE: only .jar files can be loaded using this approach. OBR's can be extracted (unzipped) to access the associated .jar An alternative to this method is to install the plugins via "Manage Apps" in the product system administration UI. |
| bamboo.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates |
| bamboo.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates |
| bamboo.additionalCertificates.secretList | string | `nil` | A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys from secret data need to be mounted as files to the init container |
| bamboo.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. |
| bamboo.additionalEnvironmentVariables | list | `[]` | Defines any additional environment variables to be passed to the Bamboo container. See https://hub.docker.com/r/atlassian/bamboo for supported variables. |
| bamboo.additionalJvmArgs | list | `[]` | Specifies a list of additional arguments that can be passed to the Bamboo JVM, e.g. system properties. |
| bamboo.additionalLibraries | list | `[]` | Specifies a list of additional Java libraries that should be added to the Bamboo container. Each item in the list should specify the name of the volume that contains the library, as well as the name of the library file within that volume's root directory. Optionally, a subDirectory field can be included to specify which directory in the volume contains the library file. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ |
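Review bot: `bamboo.additionalCertificates.secretList` is listed with type `string`, but it is a list of `{name, keys}` objects; helm-docs infers `string` from the `nil` default, so the type column misleads anyone reading this table. Since the README is generated, the fix belongs in values.yaml (a `[]` default or a `# -- (list) ...` annotation) followed by regeneration. The parent row's description, "Provide reference to a secret that contains the certificates", is also stale now that there are two ways to supply certificates.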
10 changes: 9 additions & 1 deletion src/main/charts/bamboo/templates/_helpers.tpl
@@ -285,12 +285,20 @@ For each additional plugin declared, generate a volume mount that injects that l
{{- with .Values.volumes.additional }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- if .Values.bamboo.additionalCertificates.secretName }}
{{- if or .Values.bamboo.additionalCertificates.secretName .Values.bamboo.additionalCertificates.secretList }}
- name: keystore
emptyDir: {}
{{- if .Values.bamboo.additionalCertificates.secretName }}
- name: certs
secret:
secretName: {{ .Values.bamboo.additionalCertificates.secretName }}
{{- else }}
{{- range .Values.bamboo.additionalCertificates.secretList }}
- name: {{ .name }}
secret:
secretName: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.atlassianAnalyticsAndSupport.analytics.enabled .Values.atlassianAnalyticsAndSupport.helmValues.enabled }}
- name: helm-values
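Review bot: in the `secretList` branch the Secret name is reused verbatim as the volume name (`- name: {{ .name }}`). Volume names must be DNS labels (lowercase alphanumerics and `-`, at most 63 characters), whereas Secret names are DNS subdomains that may be up to 253 characters and contain dots, so a secret such as `corp.root-ca` renders an invalid pod spec; a secret named `keystore` or `local-home` collides with the chart's own volumes, and listing the same secret twice yields duplicate volume names. Suggest a derived name, e.g. `certs-{{ .name | replace "." "-" | trunc 63 | trimSuffix "-" }}`, with the same derivation in the matching `volumeMounts`. An alternative that avoids `subPath` entirely is a single `projected` volume with one `secret` source per list entry and `items` mapping each `key` to `<name>-<key>`, mounted once at `/tmp/crt`.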
13 changes: 12 additions & 1 deletion src/main/charts/bamboo/templates/statefulset.yaml
@@ -74,15 +74,26 @@ spec:
command: ["sh", "-c", {{ include "bamboo.sharedHome.permissionFix.command" . | quote }}]
{{- end }}
{{- include "common.jmx.initContainer" . | nindent 8 }}
{{- if .Values.bamboo.additionalCertificates.secretName }}
{{- if or .Values.bamboo.additionalCertificates.secretName .Values.bamboo.additionalCertificates.secretList }}
- name: import-certs
image: {{ include "bamboo.image" . | quote }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: keystore
mountPath: /var/ssl
{{- if.Values.bamboo.additionalCertificates.secretName }}
- name: certs
mountPath: /tmp/crt
{{- else }}
{{- range .Values.bamboo.additionalCertificates.secretList }}
{{- $secretName := .name }}
{{- range .keys }}
- name: {{ $secretName }}
mountPath: /tmp/crt/{{$secretName}}-{{ . }}
subPath: {{ . }}
{{- end }}
{{- end }}
{{- end }}
command: ["/bin/bash"]
args: ["-c", {{ include "bamboo.addCrtToKeystoreCmd" . }}]
resources:
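Review bot: `{{- if.Values.bamboo.additionalCertificates.secretName }}` is missing the space after `if`; it happens to parse because `.` terminates the keyword in the template lexer, but write it as `{{- if .Values...` like the rest of the file. On logic: a `secretList` entry without `keys` makes `range .keys` render nothing, so the secret is silently mounted nowhere and no certificate is imported, even though the documentation calls `keys` mandatory; guard it with `{{ required "additionalCertificates.secretList entries must define keys" .keys }}` so the error surfaces at `helm install` time rather than as a TLS failure later. Note also that `subPath` mounts are not updated when the Secret changes, which is acceptable here only because the init container imports the files once at pod start.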
14 changes: 14 additions & 0 deletions src/main/charts/bamboo/values.yaml
@@ -971,7 +971,21 @@ bamboo:
# -- Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates
#
additionalCertificates:
# -- Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data
# will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList.
#
secretName:
# -- A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys
# from secret data need to be mounted as files to the init container
#
secretList:
#- name: self-signed-ca
# keys:
# - ca.crt
# - intermediate.crt
#- name: stg-intermediate
# keys:
# - stg.crt
customCmd:
initContainer:
resources: {}
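Review bot: the parent comment `# -- Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates` is now stale and should mention both `secretName` and `secretList`. Defaulting to `secretList: []` instead of a bare key would make helm-docs infer `list` for the README while keeping the `or .secretName .secretList` guard in the templates working, since an empty list is false in template conditionals. The commented-out example is useful; consider stating in it that `keys` must name existing entries in the Secret's `data`, matching the "mandatory" wording above.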
8 changes: 6 additions & 2 deletions src/main/charts/bitbucket/README.md
@@ -34,7 +34,9 @@ Kubernetes: `>=1.21.x-0`
| atlassianAnalyticsAndSupport.analytics.enabled | bool | `true` | Mount ConfigMap with selected Helm chart values as a JSON which DC products will read and send analytics events to Atlassian data pipelines |
| atlassianAnalyticsAndSupport.helmValues.enabled | bool | `true` | Mount ConfigMap with selected Helm chart values as a YAML file which can be optionally including to support.zip |
| bitbucket.additionalBundledPlugins | list | `[]` | Specifies a list of additional Bitbucket plugins that should be added to the Bitbucket container. Note plugins installed via this method will appear as bundled plugins rather than user plugins. These should be specified in the same manner as the 'additionalLibraries' property. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ NOTE: only .jar files can be loaded using this approach. OBR's can be extracted (unzipped) to access the associated .jar An alternative to this method is to install the plugins via "Manage Apps" in the product system administration UI. |
| bitbucket.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates |
| bitbucket.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates |
| bitbucket.additionalCertificates.secretList | string | `nil` | A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys from secret data need to be mounted as files to the init container |
| bitbucket.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. |
| bitbucket.additionalEnvironmentVariables | list | `[]` | Defines any additional environment variables to be passed to the Bitbucket container. See https://hub.docker.com/r/atlassian/bitbucket for supported variables. |
| bitbucket.additionalJvmArgs | list | `[]` | Specifies a list of additional arguments that can be passed to the Bitbucket JVM, e.g. system properties. |
| bitbucket.additionalLibraries | list | `[]` | Specifies a list of additional Java libraries that should be added to the Bitbucket container. Each item in the list should specify the name of the volume that contains the library, as well as the name of the library file within that volume's root directory. Optionally, a subDirectory field can be included to specify which directory in the volume contains the library file. Additional details: https://atlassian.github.io/data-center-helm-charts/examples/external_libraries/EXTERNAL_LIBS/ |
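Review bot: same as the Bamboo README: `secretList` shows type `string` because of the `nil` default, and the parent row's description still describes a single secret; fix both in the Bitbucket values.yaml and regenerate rather than editing this table by hand.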
@@ -64,7 +66,9 @@ Kubernetes: `>=1.21.x-0`
| bitbucket.livenessProbe.initialDelaySeconds | int | `60` | Time to wait before starting the first probe |
| bitbucket.livenessProbe.periodSeconds | int | `5` | How often (in seconds) the Bitbucket container liveness probe will run |
| bitbucket.livenessProbe.timeoutSeconds | int | `1` | Number of seconds after which the probe times out |
| bitbucket.mesh.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates |
| bitbucket.mesh.additionalCertificates | object | `{"customCmd":null,"initContainer":{"resources":{}},"secretList":null,"secretName":null}` | Certificates to be added to Java truststore. Provide reference to a secret that contains the certificates |
| bitbucket.mesh.additionalCertificates.secretList | string | `nil` | A list of secrets with a list of keys holding certificates to be added to Java truststore. It is mandatory to define which keys from secret data need to be mounted as files to the init container |
| bitbucket.mesh.additionalCertificates.secretName | string | `nil` | Name of the Kubernetes secret with certificates in its data. All secret keys in the secret data will be treated as certificates to be added to Java truststore. When defined takes precedence over secretList. |
| bitbucket.mesh.additionalEnvironmentVariables | object | `{}` | Defines any additional environment variables to be passed to the Bitbucket mesh containers. |
| bitbucket.mesh.additionalFiles | string | `nil` | Additional existing ConfigMaps and Secrets not managed by Helm that should be mounted into service container |
| bitbucket.mesh.additionalInitContainers | object | `{}` | Additional initContainer definitions that will be added to all Bitbucket pods |
10 changes: 9 additions & 1 deletion src/main/charts/bitbucket/templates/_helpers.tpl
@@ -315,12 +315,20 @@ Define additional hosts here to allow template overrides when used as a sub char
{{- with .Values.volumes.additional }}
{{- toYaml . | nindent 0 }}
{{- end }}
{{- if .Values.bitbucket.additionalCertificates.secretName }}
{{- if or .Values.bitbucket.additionalCertificates.secretName .Values.bitbucket.additionalCertificates.secretList }}
- name: keystore
emptyDir: {}
{{- if .Values.bitbucket.additionalCertificates.secretName }}
- name: certs
secret:
secretName: {{ .Values.bitbucket.additionalCertificates.secretName }}
{{- else }}
{{- range .Values.bitbucket.additionalCertificates.secretList }}
- name: {{ .name }}
secret:
secretName: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
{{- if or .Values.atlassianAnalyticsAndSupport.analytics.enabled .Values.atlassianAnalyticsAndSupport.helmValues.enabled }}
- name: helm-values
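Review bot: this volumes block is now identical, apart from the values path, to the one in Bamboo's `_helpers.tpl` and to the inline block in `statefulset-mesh.yaml`, and presumably to the other product charts touched by this commit. The charts already pull shared pieces from a common chart (`common.jmx.initContainer`, `common.jmx.config.volume`), so a `common.additionalCertificates.volumes` helper that receives the `additionalCertificates` map would keep the secretName/secretList precedence logic and any volume-name sanitisation in one place; the same applies to the `volumeMounts` block in the import-certs init containers.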
23 changes: 21 additions & 2 deletions src/main/charts/bitbucket/templates/statefulset-mesh.yaml
@@ -63,15 +63,26 @@ spec:
{{- end }}
{{- end }}
{{- end }}
{{- if .Values.bitbucket.mesh.additionalCertificates.secretName }}
{{- if or .Values.bitbucket.mesh.additionalCertificates.secretName .Values.bitbucket.mesh.additionalCertificates.secretList }}
- name: import-certs
image: {{ .Values.bitbucket.mesh.image.repository }}:{{ .Values.bitbucket.mesh.image.tag }}
imagePullPolicy: {{ .Values.image.pullPolicy }}
volumeMounts:
- name: keystore
mountPath: /var/ssl
{{- if.Values.bitbucket.mesh.additionalCertificates.secretName }}
- name: certs
mountPath: /tmp/crt
{{- else }}
{{- range .Values.bitbucket.mesh.additionalCertificates.secretList }}
{{- $secretName := .name }}
{{- range .keys }}
- name: {{ $secretName }}
mountPath: /tmp/crt/{{$secretName}}-{{ . }}
subPath: {{ . }}
{{- end }}
{{- end }}
{{- end }}
command: ["/bin/bash"]
args: ["-c", {{ include "bitbucketMesh.addCrtToKeystoreCmd" . }}]
resources:
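Review bot: same missing space in `{{- if.Values.bitbucket.mesh.additionalCertificates.secretName }}` as in the Bamboo statefulset; add it for consistency, and write `{{ $secretName }}` rather than `{{$secretName}}` in the `mountPath` to match the spacing used everywhere else in this template. The `range .keys` silent-no-op for entries without `keys` applies here as well.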
@@ -183,12 +194,20 @@ spec:
- key: {{ .key }}
path: {{ .key }}
{{ end }}
{{- if .Values.bitbucket.mesh.additionalCertificates.secretName }}
{{- if or .Values.bitbucket.mesh.additionalCertificates.secretName .Values.bitbucket.mesh.additionalCertificates.secretList }}
- name: keystore
emptyDir: {}
{{- if .Values.bitbucket.mesh.additionalCertificates.secretName }}
- name: certs
secret:
secretName: {{ .Values.bitbucket.mesh.additionalCertificates.secretName }}
{{- else }}
{{- range .Values.bitbucket.mesh.additionalCertificates.secretList }}
- name: {{ .name }}
secret:
secretName: {{ .name }}
{{- end }}
{{- end }}
{{- end }}
{{ include "common.jmx.config.volume" . | nindent 8 }}
{{ include "bitbucket.mesh.volumeClaimTemplates" . | nindent 2 }}