automated sealer keys

3fc82618 · Sandro Mathys · 9ebe4aa2 · 3fc82618 · 3fc82618 · 3fc82618
Commit 3fc82618 authored Mar 22, 2021 by Sandro Mathys
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
@@ -15,7 +15,7 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.1
+version: 0.2.0

 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to

--- a/chart/templates/_helpers.tpl
+++ b/chart/templates/_helpers.tpl
@@ -88,12 +88,69 @@ app.kubernetes.io/component: apache
 {{- end }}

 {{/*
-Create the name of the service account to use
+Create the names of the service accounts to use
 */}}
 {{- define "shibboleth-sp.serviceAccountName" -}}
 {{- if .Values.serviceAccount.create }}
-{{- default (include "shibboleth-sp.fullname" .) .Values.serviceAccount.name }}
+{{- .Values.serviceAccount.name | default (include "shibboleth-sp.fullname" .) }}
 {{- else }}
-{{- default "default" .Values.serviceAccount.name }}
+{{- .Values.serviceAccount.name | default "default" }}
 {{- end }}
 {{- end }}
+
+{{- define "shibboleth-sp.sealerKeys.serviceAccountName" -}}
+{{- if .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.create }}
+{{- .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.name | default (print (include "shibboleth-sp.fullname" .) "-sealer-keys-nanny") }}
+{{- else }}
+{{- .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.name | default "deployer" }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create the names of the images and pull policies to use
+*/}}
+{{- define "shibboleth-sp.frontend.image.repository" -}}
+{{- .Values.frontend.image.repository | default .Values.image.repository -}}
+{{- end }}
+{{- define "shibboleth-sp.frontend.image.tag" -}}
+{{- .Values.frontend.image.tag | default .Values.image.tag -}}
+{{- end }}
+{{- define "shibboleth-sp.frontend.image" -}}
+{{- printf "%s:%s" (include "shibboleth-sp.frontend.image.repository" .) (include "shibboleth-sp.frontend.image.tag" .) }}
+{{- end }}
+{{- define "shibboleth-sp.frontend.imagePullPolicy" -}}
+{{- .Values.frontend.image.pullPolicy | default .Values.image.pullPolicy }}
+{{- end }}
+
+{{- define "shibboleth-sp.backend.image.repository" -}}
+{{- .Values.backend.image.repository | default .Values.image.repository -}}
+{{- end }}
+{{- define "shibboleth-sp.backend.image.tag" -}}
+{{- .Values.backend.image.tag | default .Values.image.tag -}}
+{{- end }}
+{{- define "shibboleth-sp.backend.image" -}}
+{{- printf "%s:%s" (include "shibboleth-sp.backend.image.repository" .) (include "shibboleth-sp.backend.image.tag" .) }}
+{{- end }}
+{{- define "shibboleth-sp.backend.imagePullPolicy" -}}
+{{- .Values.backend.image.pullPolicy | default .Values.image.pullPolicy }}
+{{- end }}
+
+{{- define "shibboleth-sp.sealerKeys.image.repository" -}}
+{{- .Values.backend.shibboleth.sessionCache.sealerKeys.image.repository | default (include "shibboleth-sp.backend.image.repository" .) -}}
+{{- end }}
+{{- define "shibboleth-sp.sealerKeys.image.tag" -}}
+{{- .Values.backend.shibboleth.sessionCache.sealerKeys.image.tag | default (include "shibboleth-sp.backend.image.tag" .) -}}
+{{- end }}
+{{- define "shibboleth-sp.sealerKeys.image" -}}
+{{- printf "%s:%s" (include "shibboleth-sp.sealerKeys.image.repository" .) (include "shibboleth-sp.sealerKeys.image.tag" .) }}
+{{- end }}
+{{- define "shibboleth-sp.sealerKeys.imagePullPolicy" -}}
+{{- .Values.backend.shibboleth.sessionCache.sealerKeys.image.pullPolicy | default (include "shibboleth-sp.backend.imagePullPolicy" .)  }}
+{{- end }}
+
+{{/*
+Create the names of the secrets to use
+*/}}
+{{- define "shibboleth-sp.sealerKeys.secretName" -}}
+{{- .Values.backend.shibboleth.sessionCache.sealerKeys.secret | default (print (include "shibboleth-sp.fullname" .) "-sealer-keys") }}
+{{- end }}
--- a/chart/templates/_validation.tpl
+++ b/chart/templates/_validation.tpl
@@ -173,9 +173,12 @@ Compile all warnings into a single message, and call fail.
    Missing: `persistedAttributes` must be specified.
 {{- end -}}

-{{- if not .Values.backend.shibboleth.sessionCache.sealerKeysConfigMap }}
-  backend.shibboleth.sessionCache.sealerKeysConfigMap
-    Missing: `sealerKeysConfigMap` must be specified.
+{{- if not .Values.backend.shibboleth.sessionCache.sealerKeys.manage }}
+{{- if not .Values.backend.shibboleth.sessionCache.sealerKeys.secret }}
+  backend.shibboleth.sessionCache.sealerKeys.manage
+  backend.shibboleth.sessionCache.sealerKeys.secret
+    Missing: `secret` must be specified if `manage` is disabled.
+{{- end -}}
 {{- end -}}

 {{- end -}}

--- a/chart/templates/cronjob.yaml
+++ b/chart/templates/cronjob.yaml
+{{- if .Values.backend.shibboleth.sessionCache.sealerKeys.manage }}
+---
+apiVersion: batch/v1beta1
+kind: CronJob
+metadata:
+  name: {{ include "shibboleth-sp.fullname" . }}-rotate-sealer-keys
+  labels:
+    {{- include "shibboleth-sp.labels" . | nindent 4 }}
+  {{- if .Values.podAnnotations }}
+  annotations:
+    {{- toYaml .Values.podAnnotations | nindent 4 }}
+  {{- end }}
+spec:
+  schedule: "{{ .Values.backend.shibboleth.sessionCache.sealerKeys.schedule | default "@daily" }}"
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          serviceAccountName: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
+          containers:
+            - name: rotate-sealer-keys
+              image: "{{ include "shibboleth-sp.sealerKeys.image" . }}"
+              imagePullPolicy: "{{ include "shibboleth-sp.sealerKeys.imagePullPolicy" . }}"
+              command:
+                - bash
+                - -c
+                - |
+                  # extract current set of sealer keys
+                  kubectl get secret {{ include "shibboleth-sp.sealerKeys.secretName" . }} -o=jsonpath='{.data.sealer\.keys}' | base64 -d > /dev/shm/sealer.keys
+                  # add/rotate sealer keys
+                  shib-seckeygen -o /dev/shm -f sealer.keys -b 256 -h 14 -u "$(id -u)" -g "$(id -g)"
+                  # replace secret with new sealer keys
+                  kubectl create secret generic {{ include "shibboleth-sp.sealerKeys.secretName" . }} --from-file=/dev/shm/sealer.keys --dry-run=client -o yaml | kubectl replace --save-config -f-
+                  # restart all pods in deployment in order to pick up new secret
+                  kubectl rollout restart {{ include "shibboleth-sp.fullname" . }}
+          restartPolicy: OnFailure
+{{- end -}}
--- a/chart/templates/deployment.yaml
+++ b/chart/templates/deployment.yaml
@@ -55,8 +55,8 @@ spec:
        - name: shibboleth-init
          securityContext:
            {{- toYaml .Values.securityContext | nindent 12 }}
-          image: "{{ .Values.backend.image.repository | default .Values.image.repository }}:{{ .Values.backend.image.tag | default .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.backend.image.pullPolicy | default .Values.image.pullPolicy }}
+          image: "{{ include "shibboleth-sp.backend.image" . }}"
+          imagePullPolicy: "{{ include "shibboleth-sp.backend.imagePullPolicy" . }}"
          command: ["shibd", "-t"]
          resources:
            {{- toYaml .Values.backend.resources | nindent 12 }}
@@ -102,8 +102,8 @@ spec:
        - name: apache-init
          securityContext:
            {{- toYaml .Values.frontend.securityContext | nindent 12 }}
-          image: "{{ .Values.frontend.image.repository | default .Values.image.repository }}:{{ .Values.frontend.image.tag | default .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.frontend.image.pullPolicy | default .Values.image.pullPolicy }}
+          image: "{{ include "shibboleth-sp.frontend.image" . }}"
+          imagePullPolicy: "{{ include "shibboleth-sp.frontend.imagePullPolicy" . }}"
          command: ["apachectl", "configtest"]
          resources:
            {{- toYaml .Values.frontend.resources | nindent 12 }}
@@ -131,8 +131,8 @@ spec:
        - name: shibboleth
          securityContext:
            {{- toYaml .Values.backend.securityContext | nindent 12 }}
-          image: "{{ .Values.backend.image.repository | default .Values.image.repository }}:{{ .Values.backend.image.tag | default .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.backend.image.pullPolicy | default .Values.image.pullPolicy }}
+          image: "{{ include "shibboleth-sp.backend.image" . }}"
+          imagePullPolicy: "{{ include "shibboleth-sp.backend.imagePullPolicy" . }}"
          env:
            - name: SHIBSP_LISTENER_ADDRESS
              value: "/dev/shm/shibd.sock"
@@ -181,8 +181,8 @@ spec:
        - name: apache
          securityContext:
            {{- toYaml .Values.frontend.securityContext | nindent 12 }}
-          image: "{{ .Values.frontend.image.repository | default .Values.image.repository }}:{{ .Values.frontend.image.tag | default .Values.image.tag }}"
-          imagePullPolicy: {{ .Values.frontend.image.pullPolicy | default .Values.image.pullPolicy }}
+          image: "{{ include "shibboleth-sp.frontend.image" . }}"
+          imagePullPolicy: "{{ include "shibboleth-sp.frontend.imagePullPolicy" . }}"
          env:
            - name: SHIBSP_LISTENER_ADDRESS
              value: "/dev/shm/shibd.sock"
@@ -249,11 +249,10 @@ spec:
          secret:
            secretName: {{ tpl .Values.backend.shibboleth.applicationDefaults.credentialResolver.additionalSecretName . }}
        {{- end }}
-
        {{- if .Values.backend.shibboleth.sessionCache.enabled }}
        - name: {{ include "shibboleth-sp.backend.fullname" . }}-sealer-keys
-          configMap:
-            name: {{ tpl .Values.backend.shibboleth.sessionCache.sealerKeysConfigMap . }}
+          secret:
+            secretName: {{ include "shibboleth-sp.sealerKeys.secretName" . }}
        {{- end }}
        - name: {{ include "shibboleth-sp.backend.fullname" . }}-cache
          emptyDir: {}

--- a/chart/templates/job.yaml
+++ b/chart/templates/job.yaml
+{{- if .Values.backend.shibboleth.sessionCache.sealerKeys.manage }}
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "shibboleth-sp.fullname" . }}-create-sealer-keys
+  labels:
+    {{- include "shibboleth-sp.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "10"
+    "helm.sh/hook-delete-policy": hook-succeeded
+    {{- if .Values.podAnnotations }}
+    {{- .Values.podAnnotations | toYaml | nindent 4 }}
+    {{- end }}
+spec:
+  template:
+    metadata:
+      name: {{ include "shibboleth-sp.fullname" . }}-create-sealer-keys
+      labels:
+        {{- include "shibboleth-sp.selectorLabels" . | nindent 8 }}
+    spec:
+      serviceAccountName: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
+      containers:
+      - name: create-sealer-keys
+        image: "{{ include "shibboleth-sp.sealerKeys.image" . }}"
+        imagePullPolicy: "{{ include "shibboleth-sp.sealerKeys.imagePullPolicy" . }}"
+        command:
+          - bash
+          - -c
+          - |
+            # create first sealer key
+            shib-seckeygen -o /dev/shm -f sealer.keys -b 256 -h 14 -u "$(id -u)" -g "$(id -g)"
+            # create secret from sealer key(s)
+            kubectl create secret generic {{ include "shibboleth-sp.sealerKeys.secretName" . }} --from-file=/dev/shm/sealer.keys
+      restartPolicy: OnFailure
+{{- end -}}
--- a/chart/templates/rolebinding.yaml
+++ b/chart/templates/rolebinding.yaml
+{{- if .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.create }}
+---
+apiVersion: authorization.openshift.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
+  labels:
+    {{- include "shibboleth-sp.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "5"
+    {{- if .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.annotations }}
+    {{- .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.annotations | toYaml | nindent 4 }}
+    {{- end }}
+subjects:
+  - kind: ServiceAccount
+    name: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
+roleRef:
+  name: edit
+{{- end -}}
--- a/chart/templates/serviceaccount.yaml
+++ b/chart/templates/serviceaccount.yaml
-{{- if .Values.serviceAccount.create -}}
+{{- if .Values.serviceAccount.create }}
 ---
 apiVersion: v1
 kind: ServiceAccount
@@ -12,3 +12,19 @@ metadata:
  {{- end }}
 automountServiceAccountToken: false
 {{- end -}}
+{{- if .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.create }}
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
+  labels:
+    {{- include "shibboleth-sp.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": pre-install
+    "helm.sh/hook-weight": "0"
+    {{- if .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.annotations }}
+    {{- .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.annotations | toYaml | nindent 4 }}
+    {{- end }}
+automountServiceAccountToken: true
+{{- end -}}
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -147,9 +147,35 @@ backend:
    # https://wiki.shibboleth.net/confluence/display/SP3/SessionCache
    sessionCache:
      enabled: false
-      sealerKeysConfigMap: ""
      persistedAttributes: ""

+      # https://wiki.shibboleth.net/confluence/display/SP3/VersionedDataSealer
+      sealerKeys:
+        # if enabled, sealer keys will be created and rotated in a secret automatically
+        manage: true
+        schedule: "" # default: "@daily"
+
+        # Overwrites the image for the Job and CronJob. The priority is as follows: this > backend > global.
+        # This image must include shib-seckeygen and kubectl.
+        image: {}
+        # repository: ""
+        # pullPolicy: ""
+        # tag: ""
+
+        # The global serviceAccount has minimal permissions, but for the sealer keys we need one that can read, create and replace secrets.
+        serviceAccount:
+          # Specifies whether a service account and a role binding should be created
+          create: true
+          # Annotations to add to the service account and role binding
+          annotations: {}
+          # The name of the service account to use.
+          # If not set and create is true, a name is generated using the fullname template
+          name: ""
+
+        # The name of the secret to use.
+        # If not set and manage is true, a name is generated using the fullname template
+        secret: ""
+
    # Configures memcached session storage.
    # https://wiki.shibboleth.net/confluence/display/SP3/MemcacheStorageService
    memcached:

--- a/docker/kubernetes-archive-keyring.gpg
+++ b/docker/kubernetes-archive-keyring.gpg
--- a/notes-sma.txt
+++ b/notes-sma.txt
-docker build docker --no-cache -t cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp:0.1.1
-docker push cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp:0.1.1
+docker build docker --no-cache -t cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp:0.2.0
+docker push cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp:0.2.0

 # TODO: authenticate & pull
-docker run -it --mount type=bind,source="$(pwd)/ci",target=/etc/shibboleth cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp:0.1.0 shib-keygen -f -u _shibd -h shibboleth-sp-helm-chart.zh.shift.switchengines.ch -y 3 -e https://shibboleth-sp-helm-chart.zh.shift.switchengines.ch/shibboleth -o /etc/shibboleth/
+docker run -it --mount type=bind,source="$(pwd)/ci",target=/etc/shibboleth cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp:0.2.0 shib-keygen -f -u _shibd -h shibboleth-sp-helm-chart.zh.shift.switchengines.ch -y 3 -e https://shibboleth-sp-helm-chart.zh.shift.switchengines.ch/shibboleth -o /etc/shibboleth/
 mv ci/sp-key.pem ci/sp-key.pem.vault
 ansible-vault encrypt --vault-password-file .vault_password ci/sp-key.pem.vault
 ansible-vault view --vault-password-file .vault_password ci/sp-key.pem.vault > ci/sp-key.pem
@@ -11,5 +11,5 @@ openssl x509 -noout -fingerprint -sha1 -in ci/sp-cert.pem

 export HELM_EXPERIMENTAL_OCI=1
 # TODO: helm registry login
-helm chart save chart cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/chart/shibboleth-sp:0.1.1
-helm chart push cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/chart/shibboleth-sp:0.1.1
+helm chart save chart cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/chart/shibboleth-sp:0.2.0
+helm chart push cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/chart/shibboleth-sp:0.2.0