From 4784e0941246559ca7a403a3964c9164e0052cc2 Mon Sep 17 00:00:00 2001 From: Kuruyia <8174691+Kuruyia@users.noreply.github.com> Date: Tue, 21 Nov 2023 17:04:31 +0100 Subject: [PATCH] feat: add value for supplying an existing secret containing the JWT server keypair --- README.md | 1 + templates/_helpers.tpl | 10 ++++- templates/deployment.yaml | 8 ++-- templates/job-create-jwt.yaml | 6 +-- templates/rbac.yaml | 4 +- templates/secret-jwt.yaml | 2 +- tests/auto_jwt_keys_creation_install.yaml | 11 +++++- tests/deployment_jwt_secret_test.yaml | 46 +++++++++++++++++++++++ tests/secret_jwt_test.yaml | 35 +++++++++++++++++ tests/values-test.yaml | 2 + values.yaml | 2 + 11 files changed, 115 insertions(+), 12 deletions(-) create mode 100644 tests/deployment_jwt_secret_test.yaml create mode 100644 tests/secret_jwt_test.yaml diff --git a/README.md b/README.md index 722531e..9d7f868 100644 --- a/README.md +++ b/README.md @@ -143,6 +143,7 @@ chart and deletes the release. | jobCreateGpgKeys.extraPodLabels | object | `{}` | | | jobCreateJwtKeys.extraPodLabels | object | `{}` | | | jwtCreateKeysForced | bool | `false` | Forces overwrite JWT keys | +| jwtExistingSecret | string | `""` | Name of the existing secret for the JWT server keypair. The secret must contain the `jwt.key` and `jwt.pem` keys. | | jwtPath | string | `"/etc/passbolt/jwt"` | Configure passbolt jwt directory | | jwtServerPrivate | string | `""` | JWT server private key in base64 | | jwtServerPublic | string | `""` | JWT server public key in base64 | diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl index f21f291..cc91c9c 100644 --- a/templates/_helpers.tpl +++ b/templates/_helpers.tpl 
@@ -97,7 +97,7 @@ Show error message if the user didn't set the needed values during upgrade {{- $message = printf "%s\n%s" $message (printf " export FINGERPRINT=$(kubectl exec deploy/%s -c %s -- grep PASSBOLT_GPG_SERVER_KEY_FINGERPRINT /etc/environment | awk -F= '{gsub(/\"/, \"\"); print $2}')" $dpName $containerName) -}} {{- $arguments = printf "%s %s" $arguments (printf "--set %s=$%s --set %s=$%s --set %s=$%s" "gpgServerKeyPrivate" "PRIVATE_KEY" "gpgServerKeyPublic" "PUBLIC_KEY" "passboltEnv.secret.PASSBOLT_GPG_SERVER_KEY_FINGERPRINT" "FINGERPRINT" ) -}} {{- end }} -{{ if and $.Release.IsUpgrade .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED ( not .Values.jwtCreateKeysForced ) (or ( not $.Values.jwtServerPublic ) ( not $.Values.jwtServerPrivate )) }} +{{ if and $.Release.IsUpgrade .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED ( not .Values.jwtCreateKeysForced ) ( not .Values.jwtExistingSecret ) (or ( not $.Values.jwtServerPublic ) ( not $.Values.jwtServerPrivate )) }} {{- if eq $header "" }} {{- $header = printf "JWT" -}} {{- else }} @@ -222,3 +222,11 @@ imagePullSecrets: {{- printf "%s-sec-gpg" .name -}} {{- end }} {{- end }} + +{{- define "passbolt.jwt.secretName" -}} +{{- if .Values.jwtExistingSecret -}} + {{- printf "%s" .Values.jwtExistingSecret -}} +{{- else }} + {{- printf "%s-sec-jwt" .name -}} +{{- end }} +{{- end }} diff --git a/templates/deployment.yaml b/templates/deployment.yaml index 8d74714..7a52c00 100644 --- a/templates/deployment.yaml +++ b/templates/deployment.yaml 
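Review bot: Adding `( not .Values.jwtExistingSecret )` to the upgrade guard leaves one combination unchecked: `jwtExistingSecret` together with `jwtServerPrivate`/`jwtServerPublic` is accepted silently, and because `secret-jwt.yaml` is no longer rendered in that case the inline keys are dropped without any message while the pods mount whatever the external Secret holds. A hard failure at render time is cheaper than a debugging session: `{{- if and .Values.jwtExistingSecret (or .Values.jwtServerPrivate .Values.jwtServerPublic) }}` / `{{- fail "jwtExistingSecret cannot be combined with jwtServerPrivate/jwtServerPublic" }}` / `{{- end }}`. The surrounding validation template starts before the hunk.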
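Review bot: In the new `passbolt.jwt.secretName` define, `printf "%s" .Values.jwtExistingSecret` is a no-op wrapper; `{{- .Values.jwtExistingSecret -}}` says the same thing, and the define carries no comment describing the contract its callers rely on. Add a `{{/* ... */}}` above it stating that it returns the name of the Secret holding `jwt.key`/`jwt.pem`: the user-supplied `jwtExistingSecret` when set, otherwise the chart-managed `<fullname>-sec-jwt`, and that callers pass `( dict "name" $Name "Values" $.Values )`. The value is emitted unquoted, so a numeric-looking Secret name would render `secretName:` as an integer the API server rejects; piping the include through `| quote` at the `secretName:` call sites avoids that.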
@@ -29,7 +29,7 @@ spec: checksum/sec-gpg: {{ include (print $.Template.BasePath "/secret-gpg.yaml") . | sha256sum }} {{- end }} checksum/cm-env: {{ include (print $.Template.BasePath "/configmap-env.yaml") . | sha256sum }} - {{- if .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED }} + {{- if and .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED ( not .Values.jwtExistingSecret ) }} checksum/sec-jwt: {{ include (print $.Template.BasePath "/secret-jwt.yaml") . | sha256sum }} {{- end }} {{- if .Values.app.cache.redis.sentinelProxy.enabled }} @@ -151,7 +151,7 @@ spec: readOnly: true {{- end }} {{- if .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED }} - - name: {{ $fullName }}-sec-jwt + - name: {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }} mountPath: {{ quote .Values.jwtPath }} readOnly: true {{- end }} @@ -205,9 +205,9 @@ spec: path: subscription_key.txt {{- end }} {{- if .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED }} - - name: {{ $fullName }}-sec-jwt + - name: {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }} secret: - secretName: {{ $Name }}-sec-jwt + secretName: {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }} {{- end }} {{- if .Values.app.cache.redis.sentinelProxy.enabled }} - name: {{ $fullName }}-sec-redis-proxy diff --git a/templates/job-create-jwt.yaml b/templates/job-create-jwt.yaml index e35b5f7..92df6d2 100644 --- a/templates/job-create-jwt.yaml +++ b/templates/job-create-jwt.yaml 
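Review bot: Dropping the `checksum/sec-jwt` annotation when `jwtExistingSecret` is set means that rotating `jwt.key`/`jwt.pem` inside that external Secret no longer rolls the Deployment; whether running pods ever pick up the new files depends on how passbolt loads the keys, which is not visible here. A values comment would save operators a surprise, e.g. `# The chart does not track changes to an existing secret; run 'kubectl rollout restart' on the deployment after rotating jwt.key/jwt.pem.` The same caveat belongs next to `gpgExistingSecret` if it behaves the same way, which I cannot confirm from this hunk.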
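Review bot: In the `volumeMounts` and `volumes` entries the helper's result is used as the volume `name`, not only as `secretName`, so a user-supplied Secret name now doubles as a volume name. Volume names must be DNS-1123 labels (no dots, at most 63 characters) while Secret names may be DNS subdomains, so a perfectly valid `jwtExistingSecret: passbolt.jwt` renders a Deployment the API server rejects. Keep the chart-owned identifier for both entries, `- name: {{ $fullName }}-sec-jwt`, and use `include "passbolt.jwt.secretName"` only for the `secretName:` line. The existing-secret case in tests/deployment_jwt_secret_test.yaml pins the current behaviour and would need its `name:` expectations updated accordingly.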
@@ -1,4 +1,4 @@ -{{- if and .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED (or ( not .Values.jwtServerPrivate ) ( not .Values.jwtServerPublic )) }} +{{- if and .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED ( not .Values.jwtExistingSecret ) (or ( not .Values.jwtServerPrivate ) ( not .Values.jwtServerPublic )) }} {{- $type := "job" -}} {{- $action := "create-jwt-keys" -}} {{- $Name := include "passbolt-library.fullname" . -}} @@ -48,8 +48,8 @@ spec: kubectlDownload=${KUBECTL_DOWNLOAD_CMD:-'curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"'} eval $kubectlDownload chmod +x kubectl - ./kubectl patch secret {{ $Name }}-sec-jwt --type='json' -p='[{"op": "replace", "path" : "/data/jwt.key", "value" : '"${PUBLIC_JWT_KEY}"'}]' - ./kubectl patch secret {{ $Name }}-sec-jwt --type='json' -p='[{"op": "replace", "path" : "/data/jwt.pem", "value" : '"${PUBLIC_JWT_KEY}"'}]' + ./kubectl patch secret {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }} --type='json' -p='[{"op": "replace", "path" : "/data/jwt.key", "value" : '"${PUBLIC_JWT_KEY}"'}]' + ./kubectl patch secret {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }} --type='json' -p='[{"op": "replace", "path" : "/data/jwt.pem", "value" : '"${PUBLIC_JWT_KEY}"'}]' touch /tmp/pod/success echo "Success" env: diff --git a/templates/rbac.yaml b/templates/rbac.yaml index 40396a8..60a8056 100644 --- a/templates/rbac.yaml +++ b/templates/rbac.yaml @@ -19,7 +19,7 @@ rules: - {{ $Name }}-cm-env - {{ $Name }}-sec-env - {{ include "passbolt.gpg.secretName" ( dict "name" $Name "Values" $.Values ) }} - - {{ $Name }}-sec-jwt + - {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }} - {{ $Name }}-sec-tls - {{ $Name }}-sec-tls-ing - {{ $Name }}-sec-subscription 
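Review bot: Both rewritten `kubectl patch` lines store `${PUBLIC_JWT_KEY}`, into `/data/jwt.key` as well as `/data/jwt.pem`, so if `jwt.key` is meant to hold the private key (the chart takes `jwtServerPrivate` and `jwtServerPublic` as its two inputs) the generated private key never reaches the Secret; the `env:` block that defines these variables lies outside the hunk, so confirm the intended variable name there before changing it. Separately, because this template is gated on `( not .Values.jwtExistingSecret )` on line 1, `passbolt.jwt.secretName` can only ever resolve to `<fullname>-sec-jwt` inside the job, so the indirection reads as if the job might patch an externally owned Secret when it cannot. A one-line comment above the two patch commands, `# only reached when the chart owns the secret; jwtExistingSecret disables this job`, makes that explicit.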
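Review bot: With `jwtExistingSecret` set, the rbac.yaml `resourceNames` entry at old line 22 now names a Secret the chart does not own, so whatever verbs this rule carries (they sit outside the hunk) are granted on an externally managed object. The chart never renders the key-creation job in that mode, so the entry is only needed for the chart-managed secret; wrapping it as `{{- if not .Values.jwtExistingSecret }}` / `- {{ $Name }}-sec-jwt` / `{{- end }}` keeps the Role at least privilege. The enclosing `rules:` list starts before the hunk.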
@@ -113,7 +113,7 @@ rules: resources: [ "configmaps", "secrets" ] resourceNames: - {{ $Name }}-cm-env - - {{ $Name }}-sec-jwt + - {{ include "passbolt.jwt.secretName" ( dict "name" $Name "Values" $.Values ) }} - {{ $Name }}-sec-env - {{ $Name }}-sec-redis-proxy verbs: ["get", "patch"] diff --git a/templates/secret-jwt.yaml b/templates/secret-jwt.yaml index 3a26c4f..06845f3 100644 --- a/templates/secret-jwt.yaml +++ b/templates/secret-jwt.yaml @@ -1,4 +1,4 @@ -{{- if .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED }} +{{- if and .Values.passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED ( not .Values.jwtExistingSecret ) }} {{- $type := "sec" -}} {{- $action := "jwt" -}} {{- $Name := include "passbolt-library.fullname" . -}} diff --git a/tests/auto_jwt_keys_creation_install.yaml b/tests/auto_jwt_keys_creation_install.yaml index 6aecf18..05d4591 100644 --- a/tests/auto_jwt_keys_creation_install.yaml +++ b/tests/auto_jwt_keys_creation_install.yaml @@ -17,7 +17,7 @@ tests: kind: Job name: test-passbolt-job-create-jwt-keys - - it: should not create a gpg job + - it: should not create a gpg job if key values are supplied templates: - job-create-jwt.yaml set: @@ -38,6 +38,15 @@ tests: - hasDocuments: count: 0 + - it: should not create a gpg job if an existing secret is supplied + templates: + - job-create-jwt.yaml + set: + jwtExistingSecret: "my-jwt-secret" + asserts: + - hasDocuments: + count: 0 + - it: should be executed only on pre-install templates: - job-create-jwt.yaml diff --git a/tests/deployment_jwt_secret_test.yaml b/tests/deployment_jwt_secret_test.yaml new file mode 100644 index 0000000..46413e6 --- /dev/null +++ b/tests/deployment_jwt_secret_test.yaml 
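Review bot: This rule grants `verbs: ["get", "patch"]`, and with `jwtExistingSecret` set its `resourceNames` entry resolves to the externally managed Secret, so the bound ServiceAccount can now overwrite a JWT keypair the chart neither created nor ever patches (the create-jwt job is not rendered in that mode). Replace the helper call with a conditional chart-owned entry: `{{- if not .Values.jwtExistingSecret }}` / `- {{ $Name }}-sec-jwt` / `{{- end }}`. If this subject genuinely needs to read the external Secret, put it in a separate `get`-only rule rather than extending `patch` to it.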
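Review bot: The renamed and the newly added `it:` titles in tests/auto_jwt_keys_creation_install.yaml say "gpg job" although the template under test is `job-create-jwt.yaml`; rename them to `should not create a jwt job if key values are supplied` and `should not create a jwt job if an existing secret is supplied`. Misnamed cases make a failing run point at the wrong template.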
@@ -0,0 +1,46 @@ +--- +suite: deployment jwt secret +release: + name: test +values: + - values-test.yaml +tests: + - it: should contain a volumes and volumeMounts section for jwt secret + templates: + - deployment.yaml + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: test-passbolt-sec-jwt + count: 1 + any: true + - contains: + path: spec.template.spec.volumes + content: + name: test-passbolt-sec-jwt + secret: + secretName: test-passbolt-sec-jwt + count: 1 + any: true + + - it: should use the existing jwt secret if supplied + templates: + - deployment.yaml + set: + jwtExistingSecret: "my-jwt-secret" + asserts: + - contains: + path: spec.template.spec.containers[0].volumeMounts + content: + name: my-jwt-secret + count: 1 + any: true + - contains: + path: spec.template.spec.volumes + content: + name: my-jwt-secret + secret: + secretName: my-jwt-secret + count: 1 + any: true diff --git a/tests/secret_jwt_test.yaml b/tests/secret_jwt_test.yaml new file mode 100644 index 0000000..569a9bd --- /dev/null +++ b/tests/secret_jwt_test.yaml @@ -0,0 +1,35 @@ +--- +suite: secret jwt +release: + name: test +values: + - values-test.yaml +tests: + - it: should create a jwt secret + templates: + - secret-jwt.yaml + set: + jwtExistingSecret: "" + asserts: + - containsDocument: + apiVersion: v1 + kind: Secret + name: test-passbolt-sec-jwt + + - it: should not create a jwt secret when an existing secret is supplied + templates: + - secret-jwt.yaml + set: + jwtExistingSecret: "my-jwt-secret" + asserts: + - hasDocuments: + count: 0 + + - it: should not create a jwt secret when jwt authentication is disabled + templates: + - secret-jwt.yaml + set: + passboltEnv.plain.PASSBOLT_PLUGINS_JWT_AUTHENTICATION_ENABLED: false + asserts: + - hasDocuments: + count: 0 diff --git a/tests/values-test.yaml b/tests/values-test.yaml index 0e84f17..40d7ca6 100644 --- a/tests/values-test.yaml +++ b/tests/values-test.yaml 
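Review bot: The `should use the existing jwt secret if supplied` case asserts nothing about the `checksum/sec-jwt` annotation although `deployment.yaml` now omits it whenever `jwtExistingSecret` is set, so a regression that leaves the checksum in place would pass this suite. Add to that case `- notExists:` / `path: spec.template.metadata.annotations["checksum/sec-jwt"]` (or `isNull` on older helm-unittest releases), and the matching `exists` assertion to the first case. Note also that this case pins `name: my-jwt-secret` for the volume, which fixes the user-supplied Secret name as the volume name; if the volume name is kept chart-owned, these expectations change.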
@@ -104,6 +104,8 @@ gpgServerKeyPublic: "" # -- Name of the existing secret for the GPG server keypair. The secret must contain the `serverkey.asc` and `serverkey_private.asc` keys. gpgExistingSecret: "" +# -- Name of the existing secret for the JWT server keypair. The secret must contain the `jwt.key` and `jwt.pem` keys. +jwtExistingSecret: "" # -- Configure passbolt jwt directory jwtPath: /etc/passbolt/jwt # -- JWT server private key in base64 diff --git a/values.yaml b/values.yaml index 1eb4410..12f914f 100644 --- a/values.yaml +++ b/values.yaml @@ -174,6 +174,8 @@ gpgServerKeyPublic: "" # -- Name of the existing secret for the GPG server keypair. The secret must contain the `serverkey.asc` and `serverkey_private.asc` keys. gpgExistingSecret: "" +# -- Name of the existing secret for the JWT server keypair. The secret must contain the `jwt.key` and `jwt.pem` keys. +jwtExistingSecret: "" # -- Configure passbolt jwt directory jwtPath: /etc/passbolt/jwt # -- JWT server private key in base64
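Review bot: The new `jwtExistingSecret` comment in values.yaml documents the required keys but not the consequences of setting it, which are all decided elsewhere in the chart: `jwtServerPrivate` and `jwtServerPublic` appear to be ignored, no Secret or key-creation Job is rendered, and the Deployment is not rolled when the Secret's contents change. Extend the `# --` doc comment (helm-docs style, so it also feeds the README table) with those facts and with what each file must contain, i.e. which of `jwt.key` and `jwt.pem` is the PEM-encoded private key. The same text belongs in tests/values-test.yaml to keep the two files aligned.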