Commit 3fc82618 authored by Sandro Mathys's avatar Sandro Mathys

automated sealer keys

parent 9ebe4aa2
......@@ -15,7 +15,7 @@ type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
# Versions are expected to follow Semantic Versioning (https://semver.org/)
version: 0.1.1
version: 0.2.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application. Versions are not expected to
......
......@@ -88,12 +88,69 @@ app.kubernetes.io/component: apache
{{- end }}
{{/*
Create the name of the service account to use
Create the names of the service accounts to use
*/}}
{{- define "shibboleth-sp.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "shibboleth-sp.fullname" .) .Values.serviceAccount.name }}
{{- .Values.serviceAccount.name | default (include "shibboleth-sp.fullname" .) }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- .Values.serviceAccount.name | default "default" }}
{{- end }}
{{- end }}
{{- define "shibboleth-sp.sealerKeys.serviceAccountName" -}}
{{- if .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.create }}
{{- .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.name | default (print (include "shibboleth-sp.fullname" .) "-sealer-keys-nanny") }}
{{- else }}
{{- .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.name | default "deployer" }}
{{- end }}
{{- end }}
{{/*
Create the names of the images and pull policies to use
*/}}
{{- define "shibboleth-sp.frontend.image.repository" -}}
{{- .Values.frontend.image.repository | default .Values.image.repository -}}
{{- end }}
{{- define "shibboleth-sp.frontend.image.tag" -}}
{{- .Values.frontend.image.tag | default .Values.image.tag -}}
{{- end }}
{{- define "shibboleth-sp.frontend.image" -}}
{{- printf "%s:%s" (include "shibboleth-sp.frontend.image.repository" .) (include "shibboleth-sp.frontend.image.tag" .) }}
{{- end }}
{{- define "shibboleth-sp.frontend.imagePullPolicy" -}}
{{- .Values.frontend.image.pullPolicy | default .Values.image.pullPolicy }}
{{- end }}
{{- define "shibboleth-sp.backend.image.repository" -}}
{{- .Values.backend.image.repository | default .Values.image.repository -}}
{{- end }}
{{- define "shibboleth-sp.backend.image.tag" -}}
{{- .Values.backend.image.tag | default .Values.image.tag -}}
{{- end }}
{{- define "shibboleth-sp.backend.image" -}}
{{- printf "%s:%s" (include "shibboleth-sp.backend.image.repository" .) (include "shibboleth-sp.backend.image.tag" .) }}
{{- end }}
{{- define "shibboleth-sp.backend.imagePullPolicy" -}}
{{- .Values.backend.image.pullPolicy | default .Values.image.pullPolicy }}
{{- end }}
{{- define "shibboleth-sp.sealerKeys.image.repository" -}}
{{- .Values.backend.shibboleth.sessionCache.sealerKeys.image.repository | default (include "shibboleth-sp.backend.image.repository" .) -}}
{{- end }}
{{- define "shibboleth-sp.sealerKeys.image.tag" -}}
{{- .Values.backend.shibboleth.sessionCache.sealerKeys.image.tag | default (include "shibboleth-sp.backend.image.tag" .) -}}
{{- end }}
{{- define "shibboleth-sp.sealerKeys.image" -}}
{{- printf "%s:%s" (include "shibboleth-sp.sealerKeys.image.repository" .) (include "shibboleth-sp.sealerKeys.image.tag" .) }}
{{- end }}
{{- define "shibboleth-sp.sealerKeys.imagePullPolicy" -}}
{{- .Values.backend.shibboleth.sessionCache.sealerKeys.image.pullPolicy | default (include "shibboleth-sp.backend.imagePullPolicy" .) }}
{{- end }}
{{/*
Create the names of the secrets to use
*/}}
{{- define "shibboleth-sp.sealerKeys.secretName" -}}
{{- .Values.backend.shibboleth.sessionCache.sealerKeys.secret | default (print (include "shibboleth-sp.fullname" .) "-sealer-keys") }}
{{- end }}
......@@ -173,9 +173,12 @@ Compile all warnings into a single message, and call fail.
Missing: `persistedAttributes` must be specified.
{{- end -}}
{{- if not .Values.backend.shibboleth.sessionCache.sealerKeysConfigMap }}
backend.shibboleth.sessionCache.sealerKeysConfigMap
Missing: `sealerKeysConfigMap` must be specified.
{{- if not .Values.backend.shibboleth.sessionCache.sealerKeys.manage }}
{{- if not .Values.backend.shibboleth.sessionCache.sealerKeys.secret }}
backend.shibboleth.sessionCache.sealerKeys.manage
backend.shibboleth.sessionCache.sealerKeys.secret
Missing: `secret` must be specified if `manage` is disabled.
{{- end -}}
{{- end -}}
{{- end -}}
......
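Review bot: `shibboleth-sp.sealerKeys.serviceAccountName` falls back to the hard-coded name `deployer` when `serviceAccount.create` is false and no name is set, while the existing `shibboleth-sp.serviceAccountName` just above falls back to `default`, an account every namespace has; `deployer` is neither created by this chart nor provided by Kubernetes, so such an install renders a Job and CronJob that reference an account which may not exist, and the error only surfaces when the pods are admitted. The cleaner fix is to extend the validation hunk at the end of this section so that `create: false` without a `name` is reported the same way a missing `secret` is, e.g. `Missing: serviceAccount.name must be specified if serviceAccount.create is disabled.`; if a silent fallback must stay, it should at least be documented next to the `name` value. In that same validation hunk, `backend.shibboleth.sessionCache.sealerKeys.manage` is printed as a missing key path although `manage: false` is the deliberate setting being validated; only the `secret` path is actually missing, so dropping that line keeps the failure message accurate.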
{{- if .Values.backend.shibboleth.sessionCache.sealerKeys.manage }}
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: {{ include "shibboleth-sp.fullname" . }}-rotate-sealer-keys
labels:
{{- include "shibboleth-sp.labels" . | nindent 4 }}
{{- if .Values.podAnnotations }}
annotations:
{{- toYaml .Values.podAnnotations | nindent 4 }}
{{- end }}
spec:
schedule: "{{ .Values.backend.shibboleth.sessionCache.sealerKeys.schedule | default "@daily" }}"
jobTemplate:
spec:
template:
spec:
serviceAccountName: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
containers:
- name: rotate-sealer-keys
image: "{{ include "shibboleth-sp.sealerKeys.image" . }}"
imagePullPolicy: "{{ include "shibboleth-sp.sealerKeys.imagePullPolicy" . }}"
command:
- bash
- -c
- |
# extract current set of sealer keys
kubectl get secret {{ include "shibboleth-sp.sealerKeys.secretName" . }} -o=jsonpath='{.data.sealer\.keys}' | base64 -d > /dev/shm/sealer.keys
# add/rotate sealer keys
shib-seckeygen -o /dev/shm -f sealer.keys -b 256 -h 14 -u "$(id -u)" -g "$(id -g)"
# replace secret with new sealer keys
kubectl create secret generic {{ include "shibboleth-sp.sealerKeys.secretName" . }} --from-file=/dev/shm/sealer.keys --dry-run=client -o yaml | kubectl replace --save-config -f-
# restart all pods in deployment in order to pick up new secret
kubectl rollout restart {{ include "shibboleth-sp.fullname" . }}
restartPolicy: OnFailure
{{- end -}}
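Review bot: The rotation script in the CronJob command runs without `set -euo pipefail`, so a failing `kubectl get secret` (secret missing, RBAC denial) leaves an empty `/dev/shm/sealer.keys`, `shib-seckeygen` then appears to start a brand-new key set from nothing, and `kubectl replace` overwrites the live secret with keys unrelated to the previous ones; every existing session becomes unreadable and the Job still exits 0. Adding `set -euo pipefail` as the first line of the script aborts the rotation before the secret is touched. Separately, `kubectl rollout restart {{ include "shibboleth-sp.fullname" . }}` gives no resource type; as far as I know rollout restart expects `deployment/<name>` (or `deployment <name>`), so this line likely errors, and it should name whichever workload the backend Deployment actually renders as, which is not visible in this section. Finally, `batch/v1beta1` is the deprecated CronJob API; the Job added in this commit already uses `batch/v1`, so using it here too avoids a removal on recent clusters, if those are the target.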
......@@ -55,8 +55,8 @@ spec:
- name: shibboleth-init
securityContext:
{{- toYaml .Values.securityContext | nindent 12 }}
image: "{{ .Values.backend.image.repository | default .Values.image.repository }}:{{ .Values.backend.image.tag | default .Values.image.tag }}"
imagePullPolicy: {{ .Values.backend.image.pullPolicy | default .Values.image.pullPolicy }}
image: "{{ include "shibboleth-sp.backend.image" . }}"
imagePullPolicy: "{{ include "shibboleth-sp.backend.imagePullPolicy" . }}"
command: ["shibd", "-t"]
resources:
{{- toYaml .Values.backend.resources | nindent 12 }}
......@@ -102,8 +102,8 @@ spec:
- name: apache-init
securityContext:
{{- toYaml .Values.frontend.securityContext | nindent 12 }}
image: "{{ .Values.frontend.image.repository | default .Values.image.repository }}:{{ .Values.frontend.image.tag | default .Values.image.tag }}"
imagePullPolicy: {{ .Values.frontend.image.pullPolicy | default .Values.image.pullPolicy }}
image: "{{ include "shibboleth-sp.frontend.image" . }}"
imagePullPolicy: "{{ include "shibboleth-sp.frontend.imagePullPolicy" . }}"
command: ["apachectl", "configtest"]
resources:
{{- toYaml .Values.frontend.resources | nindent 12 }}
......@@ -131,8 +131,8 @@ spec:
- name: shibboleth
securityContext:
{{- toYaml .Values.backend.securityContext | nindent 12 }}
image: "{{ .Values.backend.image.repository | default .Values.image.repository }}:{{ .Values.backend.image.tag | default .Values.image.tag }}"
imagePullPolicy: {{ .Values.backend.image.pullPolicy | default .Values.image.pullPolicy }}
image: "{{ include "shibboleth-sp.backend.image" . }}"
imagePullPolicy: "{{ include "shibboleth-sp.backend.imagePullPolicy" . }}"
env:
- name: SHIBSP_LISTENER_ADDRESS
value: "/dev/shm/shibd.sock"
......@@ -181,8 +181,8 @@ spec:
- name: apache
securityContext:
{{- toYaml .Values.frontend.securityContext | nindent 12 }}
image: "{{ .Values.frontend.image.repository | default .Values.image.repository }}:{{ .Values.frontend.image.tag | default .Values.image.tag }}"
imagePullPolicy: {{ .Values.frontend.image.pullPolicy | default .Values.image.pullPolicy }}
image: "{{ include "shibboleth-sp.frontend.image" . }}"
imagePullPolicy: "{{ include "shibboleth-sp.frontend.imagePullPolicy" . }}"
env:
- name: SHIBSP_LISTENER_ADDRESS
value: "/dev/shm/shibd.sock"
......@@ -249,11 +249,10 @@ spec:
secret:
secretName: {{ tpl .Values.backend.shibboleth.applicationDefaults.credentialResolver.additionalSecretName . }}
{{- end }}
{{- if .Values.backend.shibboleth.sessionCache.enabled }}
- name: {{ include "shibboleth-sp.backend.fullname" . }}-sealer-keys
configMap:
name: {{ tpl .Values.backend.shibboleth.sessionCache.sealerKeysConfigMap . }}
secret:
secretName: {{ include "shibboleth-sp.sealerKeys.secretName" . }}
{{- end }}
- name: {{ include "shibboleth-sp.backend.fullname" . }}-cache
emptyDir: {}
......
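Review bot: The sealer-keys volume in the last hunk switches from a ConfigMap to a Secret but keeps the default file mode, so the key file is mounted world-readable (0644) inside the pod; since these keys protect every session cookie the SP issues, restricting the mode is cheap: `secret:` / `secretName: {{ include "shibboleth-sp.sealerKeys.secretName" . }}` / `defaultMode: 0400`, assuming the `shibboleth` container runs as the file's owner, which the securityContext values further up (outside this hunk) decide. The volume is still gated only on `sessionCache.enabled`, whereas the `sealerKeys` validation added in `_helpers.tpl` looks unconditional in its hunk; if that check is not itself wrapped in the same `enabled` condition (not visible there), installs with the session cache disabled and `manage: false` will be rejected for a secret they never mount.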
{{- if .Values.backend.shibboleth.sessionCache.sealerKeys.manage }}
---
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "shibboleth-sp.fullname" . }}-create-sealer-keys
labels:
{{- include "shibboleth-sp.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "10"
"helm.sh/hook-delete-policy": hook-succeeded
{{- if .Values.podAnnotations }}
{{- .Values.podAnnotations | toYaml | nindent 4 }}
{{- end }}
spec:
template:
metadata:
name: {{ include "shibboleth-sp.fullname" . }}-create-sealer-keys
labels:
{{- include "shibboleth-sp.selectorLabels" . | nindent 8 }}
spec:
serviceAccountName: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
containers:
- name: create-sealer-keys
image: "{{ include "shibboleth-sp.sealerKeys.image" . }}"
imagePullPolicy: "{{ include "shibboleth-sp.sealerKeys.imagePullPolicy" . }}"
command:
- bash
- -c
- |
# create first sealer key
shib-seckeygen -o /dev/shm -f sealer.keys -b 256 -h 14 -u "$(id -u)" -g "$(id -g)"
# create secret from sealer key(s)
kubectl create secret generic {{ include "shibboleth-sp.sealerKeys.secretName" . }} --from-file=/dev/shm/sealer.keys
restartPolicy: OnFailure
{{- end -}}
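Review bot: `kubectl create secret generic …` in the pre-install hook is not idempotent: the secret it creates is owned by kubectl rather than by the Helm release, so it survives `helm uninstall`, and the next install under the same release name hits AlreadyExists; with `restartPolicy: OnFailure` the pod retries up to the Job's backoff limit and the install fails. Guarding the creation keeps an existing secret and its keys intact: `if ! kubectl get secret NAME >/dev/null 2>&1; then` around the two commands, with NAME being the rendered `shibboleth-sp.sealerKeys.secretName`, plus `set -euo pipefail` at the top so a failed keygen never produces an empty secret. The hook is also `pre-install` only, so enabling `manage` on an already-installed release via `helm upgrade` never creates the secret; listing `pre-install,pre-upgrade` with the same guard covers that case.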
{{- if .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.create }}
---
apiVersion: authorization.openshift.io/v1
kind: RoleBinding
metadata:
name: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
labels:
{{- include "shibboleth-sp.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "5"
{{- if .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.annotations }}
{{- .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.annotations | toYaml | nindent 4 }}
{{- end }}
subjects:
- kind: ServiceAccount
name: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
roleRef:
name: edit
{{- end -}}
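Review bot: `roleRef: name: edit` binds the sealer-keys service account to the cluster-wide `edit` role, which grants read and write on most namespaced resources including every Secret in the namespace, while the values comment in this commit says the account only needs to read, create and replace secrets (plus, for the CronJob, restart the Deployment). A dedicated Role with exactly those verbs keeps a compromised rotation container from reaching the SP's certificate secret or other workloads; `create` cannot be scoped by `resourceNames`, but `get`/`update`/`patch` can be limited to the sealer-keys secret. The manifest also uses the OpenShift-only `authorization.openshift.io/v1` group with a roleRef lacking `kind`/`apiGroup`, so it will not apply on a vanilla Kubernetes cluster; `rbac.authorization.k8s.io/v1` works on both and then needs `namespace` on the ServiceAccount subject. Suggested Role and updated RoleBinding below; labels and hook annotations stay as in the hunk.
```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
  # … same labels/annotations as the RoleBinding …
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: [{{ include "shibboleth-sp.sealerKeys.secretName" . | quote }}]
    verbs: ["get", "update", "patch"]
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "patch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
# … unchanged: metadata …
subjects:
  - kind: ServiceAccount
    name: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
    namespace: {{ .Release.Namespace }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
```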
{{- if .Values.serviceAccount.create -}}
{{- if .Values.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
......@@ -12,3 +12,19 @@ metadata:
{{- end }}
automountServiceAccountToken: false
{{- end -}}
{{- if .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.create }}
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "shibboleth-sp.sealerKeys.serviceAccountName" . }}
labels:
{{- include "shibboleth-sp.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": pre-install
"helm.sh/hook-weight": "0"
{{- if .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.annotations }}
{{- .Values.backend.shibboleth.sessionCache.sealerKeys.serviceAccount.annotations | toYaml | nindent 4 }}
{{- end }}
automountServiceAccountToken: true
{{- end -}}
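Review bot: The new ServiceAccount is created as a `pre-install` hook, and Helm does not track hook resources as part of the release: `helm uninstall` leaves this account (and the RoleBinding granting it `edit` in this commit) behind, and `helm upgrade` never re-renders it, so a later change to `sealerKeys.serviceAccount.annotations` has no effect. If the hook is needed so the pre-install Job can run under this account, listing `pre-install,pre-upgrade` lets upgrades reconcile it, and a line in values.yaml should say that these two objects outlive the release and must be removed by hand; otherwise the account could simply be a regular chart resource. `automountServiceAccountToken: true` is required for kubectl in the Job and CronJob and is the right choice here, in contrast with the `false` on the main account above.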
......@@ -147,9 +147,35 @@ backend:
# https://wiki.shibboleth.net/confluence/display/SP3/SessionCache
sessionCache:
enabled: false
sealerKeysConfigMap: ""
persistedAttributes: ""
# https://wiki.shibboleth.net/confluence/display/SP3/VersionedDataSealer
sealerKeys:
# if enabled, sealer keys will be created and rotated in a secret automatically
manage: true
schedule: "" # default: "@daily"
# Overwrites the image for the Job and CronJob. The priority is as follows: this > backend > global.
# This image must include shib-seckeygen and kubectl.
image: {}
# repository: ""
# pullPolicy: ""
# tag: ""
# The global serviceAccount has minimal permissions, but for the sealer keys we need one that can read, create and replace secrets.
serviceAccount:
# Specifies whether a service account and a role binding should be created
create: true
# Annotations to add to the service account and role binding
annotations: {}
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
name: ""
# The name of the secret to use.
# If not set and manage is true, a name is generated using the fullname template
secret: ""
# Configures memcached session storage.
# https://wiki.shibboleth.net/confluence/display/SP3/MemcacheStorageService
memcached:
......
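Review bot: The `secret:` comment only describes how the name is derived and not what the referenced secret must contain: the CronJob reads `.data.sealer\.keys` and the Job creates the secret `--from-file=/dev/shm/sealer.keys`, so a user-supplied secret needs a key literally named `sealer.keys` holding a shib-seckeygen key file, and a wrong key name only fails inside the rotation container. Suggested comment: `# Name of an existing secret with a "sealer.keys" key (shib-seckeygen format); required if manage is false, generated from the fullname template otherwise.` The `image` comment says the image must include `shib-seckeygen` and `kubectl`, which is accurate for both scripts; noting that the default backend image is used when `image` stays `{}` (what the helper does) would complete it.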
docker build docker --no-cache -t cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp:0.1.1
docker push cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp:0.1.1
docker build docker --no-cache -t cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp:0.2.0
docker push cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp:0.2.0
# TODO: authenticate & pull
docker run -it --mount type=bind,source="$(pwd)/ci",target=/etc/shibboleth cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp:0.1.0 shib-keygen -f -u _shibd -h shibboleth-sp-helm-chart.zh.shift.switchengines.ch -y 3 -e https://shibboleth-sp-helm-chart.zh.shift.switchengines.ch/shibboleth -o /etc/shibboleth/
docker run -it --mount type=bind,source="$(pwd)/ci",target=/etc/shibboleth cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/image/shibboleth-sp:0.2.0 shib-keygen -f -u _shibd -h shibboleth-sp-helm-chart.zh.shift.switchengines.ch -y 3 -e https://shibboleth-sp-helm-chart.zh.shift.switchengines.ch/shibboleth -o /etc/shibboleth/
mv ci/sp-key.pem ci/sp-key.pem.vault
ansible-vault encrypt --vault-password-file .vault_password ci/sp-key.pem.vault
ansible-vault view --vault-password-file .vault_password ci/sp-key.pem.vault > ci/sp-key.pem
......@@ -11,5 +11,5 @@ openssl x509 -noout -fingerprint -sha1 -in ci/sp-cert.pem
export HELM_EXPERIMENTAL_OCI=1
# TODO: helm registry login
helm chart save chart cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/chart/shibboleth-sp:0.1.1
helm chart push cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/chart/shibboleth-sp:0.1.1
helm chart save chart cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/chart/shibboleth-sp:0.2.0
helm chart push cr.gitlab-int.switch.ch/maps/shibboleth-sp-helm-chart/chart/shibboleth-sp:0.2.0