diff --git a/charts/snyk-broker/Chart.yaml b/charts/snyk-broker/Chart.yaml index 8f95968..f1683a8 100644 --- a/charts/snyk-broker/Chart.yaml +++ b/charts/snyk-broker/Chart.yaml @@ -1,5 +1,5 @@ apiVersion: v2 name: snyk-broker -version: 2.7.0 +version: 2.7.1 description: A Helm chart for Kubernetes type: application diff --git a/charts/snyk-broker/templates/_helpers.tpl b/charts/snyk-broker/templates/_helpers.tpl index c9f7e39..7a7f077 100644 --- a/charts/snyk-broker/templates/_helpers.tpl +++ b/charts/snyk-broker/templates/_helpers.tpl @@ -116,12 +116,22 @@ Create the name of the broker service to use {{- end -}} {{/* -Create TLS secret name +Create a secret name. +Pass a dict of Context ($) and secretName: +include "snyk-broker.genericSecretName" (dict "Context" $ "secretName" "secret-name") */}} -{{- define "tls-secret-name" -}} -{{- if not .Values.disableSuffixes -}} -{{ include "snyk-broker.fullname" .}}-tls-secret +{{- define "snyk-broker.genericSecretName" -}} +{{- if not .Context.Values.disableSuffixes -}} +{{ printf "%s-%s" ( include "snyk-broker.fullname" .Context ) .secretName }} {{- else -}} -tls-secret +{{- printf "snyk-broker-%s" .secretName }} {{- end -}} {{- end -}} + +{{- define "snyk-broker.tlsSecretName" -}} +{{- include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "tls-secret" ) -}} +{{- end }} + +{{- define "snyk-broker.caCertSecretName" -}} +{{- include "snyk-broker.genericSecretName" (dict "Context" . "secretName" "cacert-secret" ) -}} +{{- end }} diff --git a/charts/snyk-broker/templates/broker_deployment.yaml b/charts/snyk-broker/templates/broker_deployment.yaml index c178332..e38ad34 100644 --- a/charts/snyk-broker/templates/broker_deployment.yaml +++ b/charts/snyk-broker/templates/broker_deployment.yaml 
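Review bot: With disableSuffixes set, `snyk-broker.genericSecretName` yields `snyk-broker-tls-secret` where the removed `tls-secret-name` helper yielded `tls-secret`, so upgrading a suffix-less release renames the TLS Secret; Helm will create the new object and drop the old one, but anything outside the chart that references `tls-secret` by name breaks. The define's comment should state this, e.g. `Without suffixes the name is "snyk-broker-<secretName>" (the TLS secret was previously named "tls-secret").` The 2.7.1 bump in Chart.yaml is a patch release, which seems low for a resource rename; a release note calling it out would help operators.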
@@ -428,8 +428,7 @@ spec: - name: HTTPS_KEY value: /home/node/tls-cert/tls.key {{- end }} - - {{- if .Values.tlsRejectUnauthorized }} + {{- if or ( and .Values.tlsRejectUnauthorized (not .Values.caCert ) (not .Values.caCertFile) ) ( and (or .Values.caCert .Values.caCertFile ) .Values.disableCaCertTrust ) }} # Troubleshooting - Set to 0 for SSL inspection testing - name: NODE_TLS_REJECT_UNAUTHORIZED value: "0" @@ -497,13 +496,13 @@ spec: {{- end }} {{- if or (.Values.caCert) (.Values.caCertFile) }} - name: {{ include "snyk-broker.fullname" . }}-cacert-volume - configMap: - name: {{ include "snyk-broker.fullname" . }}-cacert-configmap{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} + secret: + secretName: {{ include "snyk-broker.caCertSecretName" . }} {{- end }} {{- if and (.Values.httpsCert) (.Values.httpsKey) }} - name: {{ include "snyk-broker.fullname" . }}-tls-secret-volume secret: - secretName: {{ include "tls-secret-name" . }} + secretName: {{ include "snyk-broker.tlsSecretName" . }} {{- end }} {{- if .Values.extraVolumes }} {{ tpl (toYaml .Values.extraVolumes | indent 6) . }} diff --git a/charts/snyk-broker/templates/cacert_configmap.yaml b/charts/snyk-broker/templates/cacert_configmap.yaml deleted file mode 100644 index 006558e..0000000 --- a/charts/snyk-broker/templates/cacert_configmap.yaml +++ /dev/null 
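Review bot: The new `if or (and .Values.tlsRejectUnauthorized ...)` condition relies on Go-template truthiness, so the boolean `false` that the values.schema.json hunk adds to the enum is a silent no-op, while the string `"false"` (also added there) sets `NODE_TLS_REJECT_UNAUTHORIZED=0` and turns off certificate verification for every outbound TLS connection the process makes. Either drop boolean `false` from the enum or normalise before testing, e.g. `{{- $rejectOff := has (toString .Values.tlsRejectUnauthorized) (list "0" "false" "disable") }}` and use `$rejectOff` in the condition. A short template comment above the line, `{{/* verification off: no custom CA and tlsRejectUnauthorized set, or custom CA plus disableCaCertTrust */}}`, would make the two cases readable. The enclosing container spec starts and ends outside the hunk.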
@@ -1,23 +0,0 @@ -{{- if and (.Values.caCert) (not .Values.caCertFile) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "snyk-broker.fullname" . }}-cacert-configmap{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "snyk-broker.labels" . | nindent 4 }} -data: -{{ (.Files.Glob .Values.caCert).AsConfig | nindent 2 }} -{{- end }} - -{{- if and (.Values.caCertFile) (not .Values.caCert) }} -apiVersion: v1 -kind: ConfigMap -metadata: - name: {{ include "snyk-broker.fullname" . }}-cacert-configmap{{if not .Values.disableSuffixes }}-{{ .Release.Name }}{{ end }} - namespace: {{ .Release.Namespace }} - labels: - {{- include "snyk-broker.labels" . | nindent 4 }} -data: - cacert: {{ .Values.caCertFile | toYaml | nindent 4}} -{{- end }} \ No newline at end of file diff --git a/charts/snyk-broker/templates/secrets.yaml b/charts/snyk-broker/templates/secrets.yaml index e6a9c3d..2ff6dba 100644 --- a/charts/snyk-broker/templates/secrets.yaml +++ b/charts/snyk-broker/templates/secrets.yaml @@ -165,10 +165,26 @@ stringData: apiVersion: v1 kind: Secret metadata: - name: {{ include "tls-secret-name" . }} + name: {{ include "snyk-broker.tlsSecretName" . }} type: kubernetes.io/tls data: tls.crt: {{ (.Files.Get .Values.httpsCert) | b64enc | quote }} tls.key: {{ (.Files.Get .Values.httpsKey) | b64enc | quote }} --- {{- end }} +{{- if or .Values.caCert .Values.caCertFile }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "snyk-broker.caCertSecretName" . }} + namespace: {{ .Release.Namespace }} + labels: + {{- include "snyk-broker.labels" . | nindent 4 }} +data: +{{- if and .Values.caCert (not .Values.caCertFile) }} +{{ (.Files.Glob .Values.caCert).AsSecrets | nindent 2 }} +{{- else if and .Values.caCertFile (not .Values.caCert) }} + cacert: {{ .Values.caCertFile | trim | b64enc | nindent 4}} +{{- end }} +--- +{{- end }} 
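Review bot: When both caCert and caCertFile are set, the outer `if or .Values.caCert .Values.caCertFile` renders a Secret whose `data:` is empty because neither inner branch matches, while the deployment hunk still mounts that Secret and presumably points `CA_CERT`/`NODE_EXTRA_CA_CERTS` at a file that will not exist; the deleted ConfigMap template rendered nothing in that case, so the failure was at least visible. Failing the render is safer, e.g. `{{- if and .Values.caCert .Values.caCertFile }}{{ fail "set only one of caCert and caCertFile" }}{{- end }}` at the top of the block. The new Secret also carries `namespace` and `labels` that the TLS Secret directly above it lacks; giving both the same metadata would be consistent.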
diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_configmap_disablesuffixes_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_configmap_disablesuffixes_test.yaml.snap deleted file mode 100644 index 953742d..0000000 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_configmap_disablesuffixes_test.yaml.snap +++ /dev/null 
@@ -1,357 +0,0 @@ -cacert: - 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-0.0.0 - name: github-com-broker - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: snyk-broker - template: - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: snyk-broker - spec: - containers: - - env: - - name: BROKER_SERVER_URL - value: https://broker.test.snyk.io - - name: BROKER_HEALTHCHECK_PATH - value: /healthcheck - - name: BROKER_SYSTEMCHECK_PATH - value: /systemcheck - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - key: github-com-broker-token-key - name: github-com-broker-token - - name: GITHUB_TOKEN - valueFrom: - secretKeyRef: - key: github-com-token-key - name: github-com-token - - name: PORT - value: "8000" - - name: BROKER_CLIENT_URL - value: http://brokerclient - - name: LOG_LEVEL - value: info - - name: LOG_ENABLE_BODY - value: "false" - - name: CA_CERT - value: /home/node/cacert/tests/dummy_ca_cert.pem - - name: NODE_EXTRA_CA_CERTS - value: /home/node/cacert/tests/dummy_ca_cert.pem - - name: ACCEPT_CODE - value: "true" - - name: ACCEPT_IAC - value: tf,yaml,yml,json,tpl - - name: BROKER_DISPATCHER_BASE_URL - value: https://api.test.snyk.io - image: snyk/broker:github-com - imagePullPolicy: Always - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8000 - scheme: HTTP - initialDelaySeconds: 3 - periodSeconds: 10 - timeoutSeconds: 1 - name: github-com-broker - ports: - - containerPort: 8000 - name: http - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8000 - scheme: HTTP - initialDelaySeconds: 3 - periodSeconds: 10 - timeoutSeconds: 1 - resources: - limits: - cpu: 1 - memory: 256Mi - requests: - cpu: 1 - memory: 256Mi - 
securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - volumeMounts: - - mountPath: /home/node/cacert - name: RELEASE-NAME-snyk-broker-cacert-volume - readOnly: true - securityContext: {} - serviceAccountName: snyk-broker - volumes: - - configMap: - name: RELEASE-NAME-snyk-broker-cacert-configmap - name: RELEASE-NAME-snyk-broker-cacert-volume - 2: | - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-0.0.0 - name: github-com-broker-service - namespace: NAMESPACE - spec: - ports: - - port: 8000 - targetPort: 8000 - selector: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: snyk-broker - type: ClusterIP - 3: | - apiVersion: v1 - data: - dummy_ca_cert.pem: |- - -----BEGIN CERTIFICATE----- - MIIDYzCCAksCFAYMPiMLU27bbnNw60gZkdMg4Rr2MA0GCSqGSIb3DQEBCwUAMG4x - CzAJBgNVBAYTAkNIMQswCQYDVQQIDAJBQTELMAkGA1UEBwwCQUExCzAJBgNVBAoM - AkFBMQswCQYDVQQLDAJBQTELMAkGA1UEAwwCQUExHjAcBgkqhkiG9w0BCQEWD2Fu - dG9pbmVAc255ay5pbzAeFw0yMzA4MzEyMTE2NDRaFw0yNDA4MzAyMTE2NDRaMG4x - CzAJBgNVBAYTAkNIMQswCQYDVQQIDAJBQTELMAkGA1UEBwwCQUExCzAJBgNVBAoM - AkFBMQswCQYDVQQLDAJBQTELMAkGA1UEAwwCQUExHjAcBgkqhkiG9w0BCQEWD2Fu - dG9pbmVAc255ay5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPSe - fzWIMgAFuIwP4ScnLoZPb75dKLy8Ao2QtowF6WyntFuNWPJPLbs8sTeRPPbtbDYn - k2rfi15vQWL7HB7uKqTwFdXmf4kZu9SNxH1c7q+KNtYm1hiMBOlhM951N3gcefCE - W8A2rD95ngZlDdnFfBmsWvomg2a8OQjveMA9Nl3aR8qFNsym52yphTAilV+QMmmj - Xc7V/ElQElXN9uoSIbg6eTZ/yNqPDkdEQ+0f033IheHTdjFgnmCY4kFBp/4X6dDj - vUbmfvQ8c3GN11SvyoJgrd0grquiIp3qHRXIfr+U6Z5aAT+G4/paTnuRlMFhpQwV - D0Ur9jto7i/xo0gDArMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAP7c+rHqEbST8 - Vd25DNmhwb4hEGI2K8+YWixauZJOcRwamLrQree7UHn0EeWW+qZa2ec5G2y2fGb9 - HrB6C3LvDb0rmXWXbWTSM3Mj55ITDIYD3xBe2I5+jlykrxlEsC5QwFXMMbDKFwQj - 
J7V6gFfjJweX8Ko9kUdXdKmx2/napkPEkU8hoAZ4cMaaqfx6d2hvQL+2flQkjH+A - B3AgJ/FdaW0sb5caSstO1BEg3NgpJjO1YKRkxb1hkrjNRSJ2NfTkCwiTp9yIz25u - 2UANxr7bbnEPd4bkk7OjE6SL+RH3YMCa3sBqtKwY14vs61AoWlS1bE0z8aRRsX49 - owemeenoGQ== - -----END CERTIFICATE----- - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-0.0.0 - name: RELEASE-NAME-snyk-broker-cacert-configmap - namespace: NAMESPACE - 4: | - apiVersion: v1 - data: - github-com-broker-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz - kind: Secret - metadata: - name: github-com-broker-token - type: Opaque - 5: | - apiVersion: v1 - data: - snyk-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz - kind: Secret - metadata: - name: snyk-token - type: Opaque - 6: | - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-0.0.0 - name: snyk-broker - namespace: NAMESPACE -cacertfile: - 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-0.0.0 - name: github-com-broker - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: snyk-broker - template: - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: snyk-broker - spec: - containers: - - env: - - name: BROKER_SERVER_URL - value: https://broker.test.snyk.io - - name: BROKER_HEALTHCHECK_PATH - value: /healthcheck - - name: BROKER_SYSTEMCHECK_PATH - value: /systemcheck - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - key: github-com-broker-token-key - name: github-com-broker-token - - name: GITHUB_TOKEN 
- valueFrom: - secretKeyRef: - key: github-com-token-key - name: github-com-token - - name: PORT - value: "8000" - - name: BROKER_CLIENT_URL - value: http://brokerclient - - name: LOG_LEVEL - value: info - - name: LOG_ENABLE_BODY - value: "false" - - name: CA_CERT - value: /home/node/cacert/cacert - - name: NODE_EXTRA_CA_CERTS - value: /home/node/cacert/cacert - - name: ACCEPT_CODE - value: "true" - - name: ACCEPT_IAC - value: tf,yaml,yml,json,tpl - - name: BROKER_DISPATCHER_BASE_URL - value: https://api.test.snyk.io - image: snyk/broker:github-com - imagePullPolicy: Always - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8000 - scheme: HTTP - initialDelaySeconds: 3 - periodSeconds: 10 - timeoutSeconds: 1 - name: github-com-broker - ports: - - containerPort: 8000 - name: http - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8000 - scheme: HTTP - initialDelaySeconds: 3 - periodSeconds: 10 - timeoutSeconds: 1 - resources: - limits: - cpu: 1 - memory: 256Mi - requests: - cpu: 1 - memory: 256Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - volumeMounts: - - mountPath: /home/node/cacert - name: RELEASE-NAME-snyk-broker-cacert-volume - readOnly: true - securityContext: {} - serviceAccountName: snyk-broker - volumes: - - configMap: - name: RELEASE-NAME-snyk-broker-cacert-configmap - name: RELEASE-NAME-snyk-broker-cacert-volume - 2: | - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-0.0.0 - name: github-com-broker-service - namespace: NAMESPACE - spec: - ports: - - port: 8000 - targetPort: 8000 - selector: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: snyk-broker - type: ClusterIP - 3: | - apiVersion: v1 - data: - cacert: 
testValueSetBySetFile - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-0.0.0 - name: RELEASE-NAME-snyk-broker-cacert-configmap - namespace: NAMESPACE - 4: | - apiVersion: v1 - data: - github-com-broker-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz - kind: Secret - metadata: - name: github-com-broker-token - type: Opaque - 5: | - apiVersion: v1 - data: - snyk-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz - kind: Secret - metadata: - name: snyk-token - type: Opaque - 6: | - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker - helm.sh/chart: snyk-broker-0.0.0 - name: snyk-broker - namespace: NAMESPACE diff --git a/charts/snyk-broker/tests/__snapshot__/broker_deployment_configmap_test.yaml.snap b/charts/snyk-broker/tests/__snapshot__/broker_deployment_configmap_test.yaml.snap deleted file mode 100644 index 18abac9..0000000 --- a/charts/snyk-broker/tests/__snapshot__/broker_deployment_configmap_test.yaml.snap +++ /dev/null 
@@ -1,357 +0,0 @@ -cacert: - 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - helm.sh/chart: snyk-broker-0.0.0 - name: github-com-broker-RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - template: - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - spec: - containers: - - env: - - name: BROKER_SERVER_URL - value: https://broker.test.snyk.io - - name: BROKER_HEALTHCHECK_PATH - value: /healthcheck - - name: BROKER_SYSTEMCHECK_PATH - value: /systemcheck - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - key: github-com-broker-token-key - name: github-com-broker-token-RELEASE-NAME - - name: GITHUB_TOKEN - valueFrom: - secretKeyRef: - key: github-com-token-key - name: github-com-token-RELEASE-NAME - - name: PORT - value: "8000" - - name: BROKER_CLIENT_URL - value: http://brokerclient - - name: LOG_LEVEL - value: info - - name: LOG_ENABLE_BODY - value: "false" - - name: CA_CERT - value: /home/node/cacert/tests/dummy_ca_cert.pem - - name: NODE_EXTRA_CA_CERTS - value: /home/node/cacert/tests/dummy_ca_cert.pem - - name: ACCEPT_CODE - value: "true" - - name: ACCEPT_IAC - value: tf,yaml,yml,json,tpl - - name: BROKER_DISPATCHER_BASE_URL - value: https://api.test.snyk.io - image: snyk/broker:github-com - imagePullPolicy: Always - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8000 - scheme: HTTP - initialDelaySeconds: 3 - periodSeconds: 10 - timeoutSeconds: 1 - name: github-com-broker-RELEASE-NAME - ports: - - containerPort: 8000 - name: http - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8000 - scheme: HTTP - initialDelaySeconds: 3 - periodSeconds: 10 - timeoutSeconds: 
1 - resources: - limits: - cpu: 1 - memory: 256Mi - requests: - cpu: 1 - memory: 256Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - volumeMounts: - - mountPath: /home/node/cacert - name: RELEASE-NAME-snyk-broker-cacert-volume - readOnly: true - securityContext: {} - serviceAccountName: snyk-broker-RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME-snyk-broker-cacert-configmap-RELEASE-NAME - name: RELEASE-NAME-snyk-broker-cacert-volume - 2: | - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - helm.sh/chart: snyk-broker-0.0.0 - name: github-com-broker-service-RELEASE-NAME - namespace: NAMESPACE - spec: - ports: - - port: 8000 - targetPort: 8000 - selector: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - type: ClusterIP - 3: | - apiVersion: v1 - data: - dummy_ca_cert.pem: |- - -----BEGIN CERTIFICATE----- - MIIDYzCCAksCFAYMPiMLU27bbnNw60gZkdMg4Rr2MA0GCSqGSIb3DQEBCwUAMG4x - CzAJBgNVBAYTAkNIMQswCQYDVQQIDAJBQTELMAkGA1UEBwwCQUExCzAJBgNVBAoM - AkFBMQswCQYDVQQLDAJBQTELMAkGA1UEAwwCQUExHjAcBgkqhkiG9w0BCQEWD2Fu - dG9pbmVAc255ay5pbzAeFw0yMzA4MzEyMTE2NDRaFw0yNDA4MzAyMTE2NDRaMG4x - CzAJBgNVBAYTAkNIMQswCQYDVQQIDAJBQTELMAkGA1UEBwwCQUExCzAJBgNVBAoM - AkFBMQswCQYDVQQLDAJBQTELMAkGA1UEAwwCQUExHjAcBgkqhkiG9w0BCQEWD2Fu - dG9pbmVAc255ay5pbzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAPSe - fzWIMgAFuIwP4ScnLoZPb75dKLy8Ao2QtowF6WyntFuNWPJPLbs8sTeRPPbtbDYn - k2rfi15vQWL7HB7uKqTwFdXmf4kZu9SNxH1c7q+KNtYm1hiMBOlhM951N3gcefCE - W8A2rD95ngZlDdnFfBmsWvomg2a8OQjveMA9Nl3aR8qFNsym52yphTAilV+QMmmj - Xc7V/ElQElXN9uoSIbg6eTZ/yNqPDkdEQ+0f033IheHTdjFgnmCY4kFBp/4X6dDj - vUbmfvQ8c3GN11SvyoJgrd0grquiIp3qHRXIfr+U6Z5aAT+G4/paTnuRlMFhpQwV - D0Ur9jto7i/xo0gDArMCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAP7c+rHqEbST8 - 
Vd25DNmhwb4hEGI2K8+YWixauZJOcRwamLrQree7UHn0EeWW+qZa2ec5G2y2fGb9 - HrB6C3LvDb0rmXWXbWTSM3Mj55ITDIYD3xBe2I5+jlykrxlEsC5QwFXMMbDKFwQj - J7V6gFfjJweX8Ko9kUdXdKmx2/napkPEkU8hoAZ4cMaaqfx6d2hvQL+2flQkjH+A - B3AgJ/FdaW0sb5caSstO1BEg3NgpJjO1YKRkxb1hkrjNRSJ2NfTkCwiTp9yIz25u - 2UANxr7bbnEPd4bkk7OjE6SL+RH3YMCa3sBqtKwY14vs61AoWlS1bE0z8aRRsX49 - owemeenoGQ== - -----END CERTIFICATE----- - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - helm.sh/chart: snyk-broker-0.0.0 - name: RELEASE-NAME-snyk-broker-cacert-configmap-RELEASE-NAME - namespace: NAMESPACE - 4: | - apiVersion: v1 - data: - github-com-broker-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz - kind: Secret - metadata: - name: github-com-broker-token-RELEASE-NAME - type: Opaque - 5: | - apiVersion: v1 - data: - snyk-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz - kind: Secret - metadata: - name: snyk-token-RELEASE-NAME - type: Opaque - 6: | - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - helm.sh/chart: snyk-broker-0.0.0 - name: snyk-broker-RELEASE-NAME - namespace: NAMESPACE -cacertfile: - 1: | - apiVersion: apps/v1 - kind: Deployment - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - helm.sh/chart: snyk-broker-0.0.0 - name: github-com-broker-RELEASE-NAME - namespace: NAMESPACE - spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - template: - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - spec: - containers: - - env: - - name: BROKER_SERVER_URL - value: 
https://broker.test.snyk.io - - name: BROKER_HEALTHCHECK_PATH - value: /healthcheck - - name: BROKER_SYSTEMCHECK_PATH - value: /systemcheck - - name: BROKER_TOKEN - valueFrom: - secretKeyRef: - key: github-com-broker-token-key - name: github-com-broker-token-RELEASE-NAME - - name: GITHUB_TOKEN - valueFrom: - secretKeyRef: - key: github-com-token-key - name: github-com-token-RELEASE-NAME - - name: PORT - value: "8000" - - name: BROKER_CLIENT_URL - value: http://brokerclient - - name: LOG_LEVEL - value: info - - name: LOG_ENABLE_BODY - value: "false" - - name: CA_CERT - value: /home/node/cacert/cacert - - name: NODE_EXTRA_CA_CERTS - value: /home/node/cacert/cacert - - name: ACCEPT_CODE - value: "true" - - name: ACCEPT_IAC - value: tf,yaml,yml,json,tpl - - name: BROKER_DISPATCHER_BASE_URL - value: https://api.test.snyk.io - image: snyk/broker:github-com - imagePullPolicy: Always - livenessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8000 - scheme: HTTP - initialDelaySeconds: 3 - periodSeconds: 10 - timeoutSeconds: 1 - name: github-com-broker-RELEASE-NAME - ports: - - containerPort: 8000 - name: http - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthcheck - port: 8000 - scheme: HTTP - initialDelaySeconds: 3 - periodSeconds: 10 - timeoutSeconds: 1 - resources: - limits: - cpu: 1 - memory: 256Mi - requests: - cpu: 1 - memory: 256Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - readOnlyRootFilesystem: true - runAsNonRoot: true - runAsUser: 1000 - volumeMounts: - - mountPath: /home/node/cacert - name: RELEASE-NAME-snyk-broker-cacert-volume - readOnly: true - securityContext: {} - serviceAccountName: snyk-broker-RELEASE-NAME - volumes: - - configMap: - name: RELEASE-NAME-snyk-broker-cacert-configmap-RELEASE-NAME - name: RELEASE-NAME-snyk-broker-cacert-volume - 2: | - apiVersion: v1 - kind: Service - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: 
Helm - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - helm.sh/chart: snyk-broker-0.0.0 - name: github-com-broker-service-RELEASE-NAME - namespace: NAMESPACE - spec: - ports: - - port: 8000 - targetPort: 8000 - selector: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - type: ClusterIP - 3: | - apiVersion: v1 - data: - cacert: testValueSetBySetFile - kind: ConfigMap - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - helm.sh/chart: snyk-broker-0.0.0 - name: RELEASE-NAME-snyk-broker-cacert-configmap-RELEASE-NAME - namespace: NAMESPACE - 4: | - apiVersion: v1 - data: - github-com-broker-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz - kind: Secret - metadata: - name: github-com-broker-token-RELEASE-NAME - type: Opaque - 5: | - apiVersion: v1 - data: - snyk-token-key: MTIzNDVhNmItNzhkOS0xZTJmLTNhYmMtNDU2ZGVmNzg5MTIz - kind: Secret - metadata: - name: snyk-token-RELEASE-NAME - type: Opaque - 6: | - apiVersion: v1 - kind: ServiceAccount - metadata: - labels: - app.kubernetes.io/instance: RELEASE-NAME - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/name: snyk-broker-RELEASE-NAME - helm.sh/chart: snyk-broker-0.0.0 - name: snyk-broker-RELEASE-NAME - namespace: NAMESPACE diff --git a/charts/snyk-broker/tests/broker_deployment_ca_test.yaml b/charts/snyk-broker/tests/broker_deployment_ca_test.yaml new file mode 100644 index 0000000..2ab0b38 --- /dev/null +++ b/charts/snyk-broker/tests/broker_deployment_ca_test.yaml 
@@ -0,0 +1,267 @@ +# yaml-language-server: $schema=https://raw.githubusercontent.com/helm-unittest/helm-unittest/main/schema/helm-testsuite.json +suite: test broker deployment with CA +chart: + version: 0.0.0 +templates: + - broker_deployment.yaml + - secrets.yaml +values: + - ./fixtures/default_values.yaml + +tests: + - it: mounts a CA certificate from file + set: + caCert: tests/dummy_ca_cert.pem + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: CA_CERT + value: "/home/node/cacert/tests/dummy_ca_cert.pem" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: NODE_EXTRA_CA_CERTS + value: "/home/node/cacert/tests/dummy_ca_cert.pem" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + secret: + secretName: RELEASE-NAME-snyk-broker-cacert-secret + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + mountPath: /home/node/cacert + readOnly: true + template: broker_deployment.yaml + - exists: + path: data["dummy_ca_cert.pem"] + template: secrets.yaml + documentSelector: + path: metadata.name + value: RELEASE-NAME-snyk-broker-cacert-secret + + - it: mounts a CA certificate from file without suffixes + set: + caCert: tests/dummy_ca_cert.pem + disableSuffixes: true + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: CA_CERT + value: "/home/node/cacert/tests/dummy_ca_cert.pem" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: NODE_EXTRA_CA_CERTS + value: "/home/node/cacert/tests/dummy_ca_cert.pem" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + secret: + secretName: 
snyk-broker-cacert-secret + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + mountPath: /home/node/cacert + readOnly: true + template: broker_deployment.yaml + - exists: + path: data["dummy_ca_cert.pem"] + template: secrets.yaml + documentSelector: + path: metadata.name + value: snyk-broker-cacert-secret + + - it: mounts a CA certificate from values file + set: + caCertFile: |- + -----BEGIN CERTIFICATE----- + CERTIFICATE GOES HERE + -----END CERTIFICATE----- + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: CA_CERT + value: "/home/node/cacert/cacert" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: NODE_EXTRA_CA_CERTS + value: "/home/node/cacert/cacert" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + mountPath: /home/node/cacert + readOnly: true + template: broker_deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + secret: + secretName: RELEASE-NAME-snyk-broker-cacert-secret + template: broker_deployment.yaml + - equal: + path: data.cacert + value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + template: secrets.yaml + documentSelector: + path: metadata.name + value: RELEASE-NAME-snyk-broker-cacert-secret + + - it: mounts a CA certificate from values file (single line string) + set: + caCertFile: "-----BEGIN CERTIFICATE-----\nCERTIFICATE GOES HERE\n-----END CERTIFICATE-----" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: CA_CERT + value: "/home/node/cacert/cacert" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + 
name: NODE_EXTRA_CA_CERTS + value: "/home/node/cacert/cacert" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + mountPath: /home/node/cacert + readOnly: true + template: broker_deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + secret: + secretName: RELEASE-NAME-snyk-broker-cacert-secret + template: broker_deployment.yaml + - equal: + path: data.cacert + value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + template: secrets.yaml + documentSelector: + path: metadata.name + value: RELEASE-NAME-snyk-broker-cacert-secret + + - it: explicitly disables CA trust + set: + caCertFile: "-----BEGIN CERTIFICATE-----\nCERTIFICATE GOES HERE\n-----END CERTIFICATE-----" + disableCaCertTrust: true + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: CA_CERT + value: "/home/node/cacert/cacert" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: NODE_EXTRA_CA_CERTS + value: "/home/node/cacert/cacert" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: NODE_TLS_REJECT_UNAUTHORIZED + value: "0" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + mountPath: /home/node/cacert + readOnly: true + template: broker_deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + secret: + secretName: RELEASE-NAME-snyk-broker-cacert-secret + template: broker_deployment.yaml + - equal: + path: data.cacert + value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + template: 
secrets.yaml + documentSelector: + path: metadata.name + value: RELEASE-NAME-snyk-broker-cacert-secret + + + - it: does not disables CA trust if tlsRejectUnauthorized is true + set: + caCertFile: "-----BEGIN CERTIFICATE-----\nCERTIFICATE GOES HERE\n-----END CERTIFICATE-----" + tlsRejectUnauthorized: "0" + asserts: + - contains: + path: spec.template.spec.containers[0].env + content: + name: CA_CERT + value: "/home/node/cacert/cacert" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].env + content: + name: NODE_EXTRA_CA_CERTS + value: "/home/node/cacert/cacert" + template: broker_deployment.yaml + - notContains: + path: spec.template.spec.containers[0].env + content: + name: NODE_TLS_REJECT_UNAUTHORIZED + value: "0" + template: broker_deployment.yaml + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + mountPath: /home/node/cacert + readOnly: true + template: broker_deployment.yaml + - contains: + path: spec.template.spec.volumes + content: + name: RELEASE-NAME-snyk-broker-cacert-volume + secret: + secretName: RELEASE-NAME-snyk-broker-cacert-secret + template: broker_deployment.yaml + - equal: + path: data.cacert + value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + template: secrets.yaml + documentSelector: + path: metadata.name + value: RELEASE-NAME-snyk-broker-cacert-secret + + - it: handles extra whitespace + set: + caCertFile: "\n \n-----BEGIN CERTIFICATE-----\nCERTIFICATE GOES HERE\n-----END CERTIFICATE-----\n\n\n" + asserts: + - equal: + path: data.cacert + value: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCkNFUlRJRklDQVRFIEdPRVMgSEVSRQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t + template: secrets.yaml + documentSelector: + path: metadata.name + value: RELEASE-NAME-snyk-broker-cacert-secret 
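Review bot: The case name `does not disables CA trust if tlsRejectUnauthorized is true` is ungrammatical and the value it sets is `"0"`, not true; `does not disable CA trust when tlsRejectUnauthorized is "0" and a CA cert is provided` describes what is asserted. No case covers caCert (a file path) combined with disableCaCertTrust, nor both caCert and caCertFile set, so a Secret rendered with empty `data` in the latter case would go unnoticed; a `failedTemplate` or `notContains` case for each would pin the intended behaviour.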
diff --git a/charts/snyk-broker/tests/broker_deployment_configmap_disablesuffixes_test.yaml b/charts/snyk-broker/tests/broker_deployment_configmap_disablesuffixes_test.yaml deleted file mode 100644 index 0c81319..0000000 --- a/charts/snyk-broker/tests/broker_deployment_configmap_disablesuffixes_test.yaml +++ /dev/null @@ -1,25 +0,0 @@ -suite: test broker deployment (No suffixes) -chart: - version: 0.0.0 -templates: - - broker_deployment.yaml - - broker_service.yaml - - secrets.yaml - - serviceaccount.yaml - - cacert_configmap.yaml - -values: - - ./fixtures/default_values.yaml - - ./fixtures/default_values_disablesuffixes.yaml - -tests: - - it: cacert - set: - caCert: tests/dummy_ca_cert.pem - asserts: - - matchSnapshot: {} - - it: cacertfile - set: - caCertFile: testValueSetBySetFile - asserts: - - matchSnapshot: {} diff --git a/charts/snyk-broker/tests/broker_deployment_configmap_test.yaml b/charts/snyk-broker/tests/broker_deployment_configmap_test.yaml deleted file mode 100644 index c2191a5..0000000 --- a/charts/snyk-broker/tests/broker_deployment_configmap_test.yaml +++ /dev/null @@ -1,23 +0,0 @@ -suite: test broker deployment -chart: - version: 0.0.0 -templates: - - broker_deployment.yaml - - broker_service.yaml - - secrets.yaml - - serviceaccount.yaml - - cacert_configmap.yaml -values: - - ./fixtures/default_values.yaml - -tests: - - it: cacert - set: - caCert: tests/dummy_ca_cert.pem - asserts: - - matchSnapshot: {} - - it: cacertfile - set: - caCertFile: testValueSetBySetFile - asserts: - - matchSnapshot: {} diff --git a/charts/snyk-broker/values.schema.json b/charts/snyk-broker/values.schema.json index 67ea7fd..752746b 100644 --- a/charts/snyk-broker/values.schema.json +++ b/charts/snyk-broker/values.schema.json 
@@ -262,11 +262,20 @@ "caCertFile": { "type": "string" }, + "disableCaCertTrust": { + "type": "boolean" + }, "tlsRejectUnauthorized":{ - "type": "string", + "type": [ + "string", + "boolean" + ], "enum":[ "", - "0" + "0", + "false", + false, + "disable" ] }, "httpProxy":{ diff --git a/charts/snyk-broker/values.yaml b/charts/snyk-broker/values.yaml index 0121bd3..5ef5d80 100644 --- a/charts/snyk-broker/values.yaml +++ b/charts/snyk-broker/values.yaml @@ -212,11 +212,32 @@ httpsKey: "" ##### HTTPS Inspection ##### -# Not supported by Snyk Container Registry Agent or Snyk Code Agent (use tlsRejectUnauthorized instead). Location of mounted custom certificate. To allow visibility for SSL Inspection. +# Not supported by Snyk Container Registry Agent or Snyk Code Agent (use tlsRejectUnauthorized instead) +# Filename of custom certificate to allow visibility for SSL Inspection (e.g "ca.pem") +# Include any/all certificates required for a full trust chain. +# File must be within the Helm Chart directory. caCert: "" +# Not supported by Snyk Container Registry Agent or Snyk Code Agent (use tlsRejectUnauthorized instead) +# Set caCertFile to read certificate content from the values.yaml file as a multiline string: +# Include any/all certificates required for a full trust chain. +# +# caCertFile: |- +# ----- BEGIN CERTIFICATE ----- +# < certificate data > +# ----- END CERTIFICATE ----- +# ----- BEGIN CERTIFICATE ----- +# < another certificate > +# ----- END CERTIFICATE ----- +# +# or +# +# caCertFile: "----- BEGIN CERTIFICATE -----\n.....\n----- END CERTIFICATE -----" caCertFile: "" +# Set to `true` to disable trust validation when providing your own CA certificate. +disableCaCertTrust: false + # Set to "0" to disable trust validation when using self signed certificates. tlsRejectUnauthorized: ""
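Review bot: The comment on `disableCaCertTrust` says it disables trust validation, but what the deployment hunk does with it is set `NODE_TLS_REJECT_UNAUTHORIZED=0`, which turns off certificate verification for all outbound TLS from the broker process, not only for the custom CA; the comment should say so, e.g. `# Set to true to set NODE_TLS_REJECT_UNAUTHORIZED=0 (disables certificate verification for ALL outbound TLS) when caCert/caCertFile is also set. Troubleshooting only.` The `tlsRejectUnauthorized` comment should likewise note that it is now ignored when caCert or caCertFile is set, since the deployment condition only honours it when neither is provided.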