diff --git a/deployment/security-server/images/admin-service/entrypoint.sh b/deployment/security-server/images/admin-service/entrypoint.sh
index 0df1ab0c8c..adf18c9eea 100644
--- a/deployment/security-server/images/admin-service/entrypoint.sh
+++ b/deployment/security-server/images/admin-service/entrypoint.sh
@@ -16,6 +16,17 @@ if [[ "${DEBUG:-false}" == "true" ]]; then
 DEBUG_OPTS="$DEBUG_AGENT $JMX_OPTS"
 fi
+for cert in /usr/local/share/ca-certificates/*.crt; do
+ alias_name=$(basename "$cert" .crt)
+ keytool -importcert \
+ -trustcacerts \
+ -file "$cert" \
+ -alias "$alias_name" \
+ -keystore "$JAVA_HOME/lib/security/cacerts" \
+ -storepass changeit \
+ -noprompt
+done
+
 exec java \
 $DEBUG_OPTS \
 -Dspring.profiles.include=containerized \
diff --git a/deployment/security-server/images/base-images/baseline/Dockerfile b/deployment/security-server/images/base-images/baseline/Dockerfile
index 92cdfb083b..b668317b8b 100644
--- a/deployment/security-server/images/base-images/baseline/Dockerfile
+++ b/deployment/security-server/images/base-images/baseline/Dockerfile
@@ -20,6 +20,10 @@ RUN mkdir /var/log/xroad && \
 chown -R xroad:xroad /var/cache/xroad && \
 chown -R xroad:xroad /etc/xroad
+# Add the capability to add trusted certificates during runtime
+RUN chgrp xroad "$JAVA_HOME/lib/security/cacerts" && \
+ chmod g+w "$JAVA_HOME/lib/security/cacerts"
+
 # Copy license files from build context
 COPY --from=build /LICENSE.txt /opt/app/LICENSE.txt
 COPY --from=build /3RD-PARTY-NOTICES.txt /opt/app/3RD-PARTY-NOTICES.txt
\ No newline at end of file
diff --git a/deployment/security-server/images/quarkus/entrypoint.sh b/deployment/security-server/images/quarkus/entrypoint.sh
index c3b39ca49b..fb6309bdeb 100644
--- a/deployment/security-server/images/quarkus/entrypoint.sh
+++ b/deployment/security-server/images/quarkus/entrypoint.sh
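Review bot: The new `for cert in /usr/local/share/ca-certificates/*.crt` loop has no no-match guard, so when no certificate is mounted bash hands the literal pattern to `keytool -file` and the import fails, and keytool also returns non-zero when the alias already exists (a restarted container whose writable layer kept the modified cacerts); whether either case aborts start-up or is silently ignored depends on `set -e`, which is outside the hunk. Add `[ -e "$cert" ] || continue` as the first line of the loop body and make the result explicit on the last keytool line, `-noprompt || { echo "failed to import $cert into cacerts" >&2; exit 1; }`, so a missing trust anchor fails here instead of surfacing later as an opaque TLS handshake error. The alias is derived from the file name, so two mounts sharing a base name would collide on the second import—acceptable for operator-controlled mounts, but worth a one-line comment. The quarkus entrypoint hunk below contains the same loop and needs the same guard.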
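Review bot: `chmod g+w` on `$JAVA_HOME/lib/security/cacerts` leaves the JVM-wide trust store writable by every process running as group xroad for the whole container lifetime, although it only needs to be written during the entrypoint's import before `exec java`. A narrower approach keeps the image file read-only and has the entrypoint copy it into a directory the service user already owns (the hunk's context shows `/var/cache/xroad` chowned to xroad), import into the copy, and start java with `-Djavax.net.ssl.trustStore=<path of the copy>`; the base image then needs no permission change at all. If the group-writable file is kept, extend the comment so the consequence is stated, e.g. `# cacerts is mutated at container start by the entrypoint (runtime CA import); group-writable on purpose`, which lets image scanners flagging the permission be triaged. On JDK builds where cacerts is a symlink, `chgrp`/`chmod` act on the link target—worth confirming which layout this base image has.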
@@ -17,6 +17,18 @@ if [ "${DEBUG:-false}" = "true" ]; then
 DEBUG_OPTS="$DEBUG_AGENT $JMX_OPTS"
 fi
+for cert in /usr/local/share/ca-certificates/*.crt; do
+ alias_name=$(basename "$cert" .crt)
+ keytool -importcert \
+ -trustcacerts \
+ -file "$cert" \
+ -alias "$alias_name" \
+ -keystore "$JAVA_HOME/lib/security/cacerts" \
+ -storepass changeit \
+ -noprompt
+done
+
+
 exec java \
 -Djava.util.logging.manager=org.jboss.logmanager.LogManager \
 -Djava.library.path=/usr/share/xroad/lib \
diff --git a/deployment/security-server/k8s/charts/openbao-init/scripts/_common.sh b/deployment/security-server/k8s/charts/openbao-init/scripts/_common.sh
index 572a88fcab..1b62852053 100755
--- a/deployment/security-server/k8s/charts/openbao-init/scripts/_common.sh
+++ b/deployment/security-server/k8s/charts/openbao-init/scripts/_common.sh
@@ -13,7 +13,7 @@ bao_api() {
 echo "[BAO] $description..." >&2
- local response=$(curl -s -w "\nHTTP_STATUS:%{http_code}" \
+ local response=$(curl -s -k -w "\nHTTP_STATUS:%{http_code}" \
 --connect-timeout 5 \
 --retry 3 \
 --retry-delay 2 \
diff --git a/deployment/security-server/k8s/charts/openbao-init/templates/job.yaml b/deployment/security-server/k8s/charts/openbao-init/templates/job.yaml
index dbf72219bd..d780dc3fa7 100644
--- a/deployment/security-server/k8s/charts/openbao-init/templates/job.yaml
+++ b/deployment/security-server/k8s/charts/openbao-init/templates/job.yaml
@@ -12,7 +12,7 @@ spec:
 - name: wait-for-openbao
 image: {{ .Values.image }}
 imagePullPolicy: IfNotPresent
- command: [ 'sh', '-c', 'until curl -s $OPENBAO_ADDR/v1/sys/health; do echo waiting for openbao; sleep 5; done' ]
+ command: [ 'sh', '-c', 'until curl -s -k $OPENBAO_ADDR/v1/sys/health; do echo waiting for openbao; sleep 5; done' ]
 env:
 - name: OPENBAO_ADDR
 value: {{ .Values.openbao.addr }}
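Review bot: `curl -s -k` on the changed line turns off certificate verification in `bao_api`, the helper this chart's init and unseal scripts presumably use for every call to the secret store, so an on-path party inside the cluster can still impersonate OpenBao and the move to https gains little for exactly the traffic that matters most. The server certificate is already distributed as secret `openbao-server-tls` (the security-server values on this page mount its `tls.crt`), so the init job and the unseal sidecar can mount the same key and verify with `--cacert`, e.g. `curl -s --cacert /etc/openbao-ca/openbao.crt …` (mount path is an example); the `job.yaml` and `unseal-sidecar.yaml` hunks on this page carry the same `-k` and take the same fix. The likely reason `-k` was needed is that the self-signed certificate created at the end of this diff lists only `localhost` and `openbao.ss.svc.cluster.local` in `dns_names`, while `openbao-init/values.yaml` now dials `https://openbao:8200`; adding `openbao`, `openbao.ss` and `openbao.ss.svc` to the SAN list, or using the FQDN in `addr`, is what lets verification succeed. On the same line, `local response=$(curl …)` masks curl's exit status because `local` always succeeds; `local response` followed by `response=$(curl …) || return $?` keeps a failed request visible. bao_api continues outside the hunk.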
diff --git a/deployment/security-server/k8s/charts/openbao-init/templates/unseal-sidecar.yaml b/deployment/security-server/k8s/charts/openbao-init/templates/unseal-sidecar.yaml
index 30d96b57a2..eea172fdef 100644
--- a/deployment/security-server/k8s/charts/openbao-init/templates/unseal-sidecar.yaml
+++ b/deployment/security-server/k8s/charts/openbao-init/templates/unseal-sidecar.yaml
@@ -22,7 +22,7 @@ spec:
 args:
 - |
 while true; do
- if curl -s $OPENBAO_ADDR/v1/sys/health; then
+ if curl -s -k $OPENBAO_ADDR/v1/sys/health; then
 /scripts/unseal.sh
 fi
 sleep 5
diff --git a/deployment/security-server/k8s/charts/openbao-init/values.yaml b/deployment/security-server/k8s/charts/openbao-init/values.yaml
index 412e4dd9f7..77546174ee 100644
--- a/deployment/security-server/k8s/charts/openbao-init/values.yaml
+++ b/deployment/security-server/k8s/charts/openbao-init/values.yaml
@@ -4,6 +4,6 @@ serviceAccount:
 image: "dwdraju/alpine-curl-jq"
 openbao:
- addr: "http://openbao:8200"
+ addr: "https://openbao:8200"
 threshold: 3
 shares: 5
diff --git a/deployment/security-server/k8s/charts/security-server/values.yaml b/deployment/security-server/k8s/charts/security-server/values.yaml
index 5b7e513cfa..937cc1daa8 100644
--- a/deployment/security-server/k8s/charts/security-server/values.yaml
+++ b/deployment/security-server/k8s/charts/security-server/values.yaml
@@ -52,7 +52,6 @@ services:
 env:
 XROAD_HOST: "configuration-client.ss.svc.cluster.local"
 XROAD_SECRET_STORE_HOST: "openbao.ss.svc.cluster.local"
- XROAD_SECRET_STORE_SCHEME: "http"
 XROAD_CONFIGURATION_CLIENT_UPDATE_INTERVAL: "60"
 XROAD_DB_SERVERCONF_HIBERNATE_CONNECTION_URL: "jdbc:postgresql://db-serverconf.ss.svc.cluster.local:5432/serverconf"
 XROAD_DB_SERVERCONF_HIBERNATE_CONNECTION_USERNAME: "serverconf"
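Review bot: Removing `XROAD_SECRET_STORE_SCHEME: "http"` makes the scheme depend on the application's built-in default, which is not visible on this page; if that default is anything other than https, every service in this values file would either fall back to plaintext against a store that now serves TLS or simply fail to connect, and neither outcome is visible from the chart. Setting `XROAD_SECRET_STORE_SCHEME: "https"` explicitly next to each `XROAD_SECRET_STORE_HOST` keeps the transport choice auditable from the values file alone and mirrors what the compose file on this page does for http. The same removal appears in the six following hunks of this file (signer, proxy, proxy-ui-api, monitor, op-monitor, backup-manager) and the same explicit value belongs in each.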
@@ -91,7 +90,6 @@ services:
 env:
 XROAD_HOST: "signer.ss.svc.cluster.local"
 XROAD_SECRET_STORE_HOST: "openbao.ss.svc.cluster.local"
- XROAD_SECRET_STORE_SCHEME: "http"
 XROAD_COMMON_RPC_CHANNEL_CONFIGURATION_CLIENT_HOST: "configuration-client.ss.svc.cluster.local"
 XROAD_DB_SERVERCONF_HIBERNATE_CONNECTION_URL: "jdbc:postgresql://db-serverconf.ss.svc.cluster.local:5432/serverconf"
 XROAD_DB_SERVERCONF_HIBERNATE_CONNECTION_USERNAME: "serverconf"
@@ -132,7 +130,6 @@ services:
 env:
 XROAD_HOST: "proxy.ss.svc.cluster.local"
 XROAD_SECRET_STORE_HOST: "openbao.ss.svc.cluster.local"
- XROAD_SECRET_STORE_SCHEME: "http"
 XROAD_COMMON_RPC_CHANNEL_CONFIGURATION_CLIENT_HOST: "configuration-client.ss.svc.cluster.local"
 XROAD_COMMON_RPC_CHANNEL_SIGNER_HOST: "signer.ss.svc.cluster.local"
 XROAD_OP_MONITOR_HOST: "op-monitor.ss.svc.cluster.local"
@@ -174,7 +171,6 @@ services:
 DEBUG_PORT: "9999"
 XROAD_HOST: "proxy-ui-api.ss.svc.cluster.local"
 XROAD_SECRET_STORE_HOST: "openbao.ss.svc.cluster.local"
- XROAD_SECRET_STORE_SCHEME: "http"
 XROAD_COMMON_RPC_CHANNEL_CONFIGURATION_CLIENT_HOST: "configuration-client.ss.svc.cluster.local"
 XROAD_COMMON_RPC_CHANNEL_SIGNER_HOST: "signer.ss.svc.cluster.local"
 XROAD_COMMON_RPC_CHANNEL_PROXY_HOST: "proxy.ss.svc.cluster.local"
@@ -224,7 +220,6 @@ services:
 DEBUG_PORT: "9999"
 XROAD_HOST: "monitor.ss.svc.cluster.local"
 XROAD_SECRET_STORE_HOST: "openbao.ss.svc.cluster.local"
- XROAD_SECRET_STORE_SCHEME: "http"
 XROAD_COMMON_RPC_CHANNEL_CONFIGURATION_CLIENT_HOST: "configuration-client.ss.svc.cluster.local"
 XROAD_COMMON_RPC_CHANNEL_SIGNER_HOST: "signer.ss.svc.cluster.local"
 XROAD_COMMON_RPC_CHANNEL_PROXY_HOST: "proxy.ss.svc.cluster.local"
@@ -265,7 +260,6 @@ services:
 XROAD_OP_MONITOR_LISTEN_ADDRESS: 0.0.0.0
 XROAD_OP_MONITOR_SCHEME: https
 XROAD_SECRET_STORE_HOST: "openbao.ss.svc.cluster.local"
- XROAD_SECRET_STORE_SCHEME: "http"
 XROAD_COMMON_RPC_CHANNEL_CONFIGURATION_CLIENT_HOST: "configuration-client.ss.svc.cluster.local"
 XROAD_DB_OP_MONITOR_HIBERNATE_CONNECTION_URL: "jdbc:postgresql://db-opmonitor.ss.svc.cluster.local:5432/op-monitor"
 XROAD_DB_OP_MONITOR_HIBERNATE_CONNECTION_USERNAME: "opmonitor"
@@ -306,7 +300,6 @@ services:
 env:
 XROAD_HOST: "backup-manager.ss.svc.cluster.local"
 XROAD_SECRET_STORE_HOST: "openbao.ss.svc.cluster.local"
- XROAD_SECRET_STORE_SCHEME: "http"
 XROAD_SERVERCONF_DB_HOST: "db-serverconf.ss.svc.cluster.local"
 XROAD_SERVERCONF_DB_PORT: "5432"
 XROAD_SERVERCONF_DB_NAME: "serverconf"
diff --git a/development/docker/security-server/compose.yaml b/development/docker/security-server/compose.yaml
index 0afd98ef40..ba37b7adf3 100644
--- a/development/docker/security-server/compose.yaml
+++ b/development/docker/security-server/compose.yaml
@@ -144,6 +144,7 @@ services:
 - XROAD_HOST=configuration-client
 - XROAD_SECRET_STORE_HOST=openbao
 - XROAD_SECRET_STORE_TOKEN=${XROAD_SECRET_STORE_TOKEN}
+ - XROAD_SECRET_STORE_SCHEME=http
 - XROAD_DB_SERVERCONF_HIBERNATE_CONNECTION_URL=jdbc:postgresql://db-serverconf:5432/serverconf
 - XROAD_DB_SERVERCONF_HIBERNATE_CONNECTION_DRIVER_CLASS=org.postgresql.Driver
 - XROAD_DB_SERVERCONF_HIBERNATE_CONNECTION_USERNAME=serverconf
@@ -177,6 +178,7 @@ services:
 - XROAD_HOST=monitor
 - XROAD_SECRET_STORE_HOST=openbao
 - XROAD_SECRET_STORE_TOKEN=${XROAD_SECRET_STORE_TOKEN}
+ - XROAD_SECRET_STORE_SCHEME=http
 - XROAD_COMMON_RPC_CHANNEL_CONFIGURATION_CLIENT_HOST=configuration-client
 - XROAD_COMMON_RPC_CHANNEL_SIGNER_HOST=signer
 - XROAD_COMMON_RPC_CHANNEL_PROXY_HOST=proxy
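Review bot: The added `XROAD_SECRET_STORE_SCHEME=http` pins the compose environment to plaintext at the same time the k8s chart moves to TLS, which means the `XROAD_SECRET_STORE_TOKEN` two lines above is sent unencrypted on the compose network; that is a reasonable trade-off for a local development stack, but nothing in the file says it is deliberate. A comment on the added line, e.g. `# local dev only: OpenBao runs without TLS in this compose stack; the k8s charts use https`, stops the value from being copied into a deployed configuration during the next "make it match compose" change. The same line is added in the four later compose hunks (monitor, signer, proxy, backup-manager) and one comment at the first occurrence is enough.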
@@ -205,6 +207,7 @@ services:
 - XROAD_HOST=signer
 - XROAD_SECRET_STORE_HOST=openbao
 - XROAD_SECRET_STORE_TOKEN=${XROAD_SECRET_STORE_TOKEN}
+ - XROAD_SECRET_STORE_SCHEME=http
 - XROAD_COMMON_RPC_CHANNEL_CONFIGURATION_CLIENT_HOST=configuration-client
 - XROAD_DB_SERVERCONF_HIBERNATE_CONNECTION_URL=jdbc:postgresql://db-serverconf:5432/serverconf
 - XROAD_DB_SERVERCONF_HIBERNATE_CONNECTION_DRIVER_CLASS=org.postgresql.Driver
@@ -237,6 +240,7 @@ services:
 - XROAD_HOST=proxy
 - XROAD_SECRET_STORE_HOST=openbao
 - XROAD_SECRET_STORE_TOKEN=${XROAD_SECRET_STORE_TOKEN}
+ - XROAD_SECRET_STORE_SCHEME=http
 - XROAD_COMMON_RPC_CHANNEL_CONFIGURATION_CLIENT_HOST=configuration-client
 - XROAD_COMMON_RPC_CHANNEL_SIGNER_HOST=signer
 - XROAD_COMMON_RPC_CHANNEL_ENV_MONITOR_HOST=monitor
@@ -322,6 +326,7 @@ services:
 - XROAD_HOST=backup-manager
 - XROAD_SECRET_STORE_HOST=openbao
 - XROAD_SECRET_STORE_TOKEN=${XROAD_SECRET_STORE_TOKEN}
+ - XROAD_SECRET_STORE_SCHEME=http
 - XROAD_SERVERCONF_DB_PASSWORD=secret
 - XROAD_SERVERCONF_DB_ADMIN_PASSWORD=admin_secret
 healthcheck:
diff --git a/development/k8s/terraform/environments/dev/main.tf b/development/k8s/terraform/environments/dev/main.tf
index 3fd68b9bdd..79a795753e 100644
--- a/development/k8s/terraform/environments/dev/main.tf
+++ b/development/k8s/terraform/environments/dev/main.tf
@@ -1,6 +1,6 @@
 provider "helm" {
 kubernetes = {
- config_path = var.kubeconfig_path
+ config_path = pathexpand(var.kubeconfig_path)
 }
 }
@@ -25,10 +25,12 @@ module "openbao" {
 ]
 namespace = var.security_server_namespace
- openbao_db_user_password="secret"
 openbao_init_chart_repo = null
 openbao_init_chart = "${path.module}/../../../../../deployment/security-server/k8s/charts/openbao-init"
 openbao_init_chart_version = null
+
+ openbao_db_override_values = yamldecode(file("${path.module}/override-values/openbao-db-values.yaml"))
+ openbao_override_values = yamldecode(file("${path.module}/override-values/openbao-values.yaml"))
 }
 module "cs_service_bridge" {
@@ -136,11 +138,12 @@ module "security-server" {
 ]
 namespace = var.security_server_namespace
+ security_server_chart_repo = null
+ security_server_chart = "${path.module}/../../../../../deployment/security-server/k8s/charts/security-server"
+ security_server_chart_version = null
+
 serverconf_db_override_values = yamldecode(file("${path.module}/override-values/serverconf-db-values.yaml"))
 messagelog_db_override_values = yamldecode(file("${path.module}/override-values/messagelog-db-values.yaml"))
 opmonitor_db_override_values = yamldecode(file("${path.module}/override-values/opmonitor-db-values.yaml"))
 security_server_override_values = yamldecode(file("${path.module}/override-values/security-server-values.yaml"))
- security_server_chart_repo = null
- security_server_chart = "${path.module}/../../../../../deployment/security-server/k8s/charts/security-server"
- security_server_chart_version = null
 }
\ No newline at end of file
diff --git a/development/k8s/terraform/environments/dev/override-values/openbao-db-values.yaml b/development/k8s/terraform/environments/dev/override-values/openbao-db-values.yaml
new file mode 100644
index 0000000000..40ecea67bb
--- /dev/null
+++ b/development/k8s/terraform/environments/dev/override-values/openbao-db-values.yaml
@@ -0,0 +1,14 @@
+fullnameOverride: db-openbao
+image:
+ repository: bitnamilegacy/postgresql
+ tag: "16.6.0"
+auth:
+ database: openbao
+ username: openbao
+ password: secret
+primary:
+ resources:
+ requests:
+ memory: 64Mi
+ limits:
+ memory: 256Mi
diff --git a/development/k8s/terraform/environments/dev/override-values/openbao-values.yaml b/development/k8s/terraform/environments/dev/override-values/openbao-values.yaml
new file mode 100644
index 0000000000..eb2b5092e5
--- /dev/null
+++ b/development/k8s/terraform/environments/dev/override-values/openbao-values.yaml
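Review bot: `auth.password: secret` in the new `openbao-db-values.yaml` puts the database credential in a committed file that `main.tf` then feeds through `yamldecode(file(...))` into the Helm release, so it is likely to end up in plan output and state as well; this is the dev environment and the same literal previously sat in `main.tf`, so nothing got worse, but the move is a natural moment to switch to the chart's `auth.existingSecret` with the secret created out of band, leaving the values file credential-free. At minimum a comment on the `password:` line such as `# dev-only credential; also visible in helm release values and terraform state` makes the trade-off explicit for whoever copies this file for another environment. Note that `openbao-values.yaml` reads the password back from secret `db-openbao`/`password`, so a switch to an existing secret must keep that name and key (or update the reference). The test environment's copy of this file later on the page has the same content and the same options.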
@@ -0,0 +1,31 @@
+global:
+ tlsDisable: false
+server:
+ ha:
+ enabled: true
+ config: |
+ ui = true
+ listener "tcp" {
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ tls_cert_file = "/openbao/userconfig/server-tls/tls.crt"
+ tls_key_file = "/openbao/userconfig/server-tls/tls.key"
+ }
+ storage "postgresql" {
+ ha_enabled = "true"
+ }
+ service_registration "kubernetes" {}
+ extraSecretEnvironmentVars:
+ - envName: BAO_PG_PASSWORD
+ secretName: db-openbao
+ secretKey: password
+ extraEnvironmentVars:
+ BAO_PG_CONNECTION_URL: postgres://openbao:$(BAO_PG_PASSWORD)@db-openbao.ss.svc.cluster.local:5432/openbao
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ volumeMounts:
+ - mountPath: /openbao/userconfig/server-tls
+ name: userconfig-openbao-server-tls
+ readOnly: true
diff --git a/development/k8s/terraform/environments/dev/override-values/security-server-values.yaml b/development/k8s/terraform/environments/dev/override-values/security-server-values.yaml
index 81026449be..90079451bd 100644
--- a/development/k8s/terraform/environments/dev/override-values/security-server-values.yaml
+++ b/development/k8s/terraform/environments/dev/override-values/security-server-values.yaml
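Review bot: `BAO_PG_CONNECTION_URL` carries no `sslmode` parameter, so whether the OpenBao → PostgreSQL hop is encrypted is left to the client default, and nothing in `openbao-db-values.yaml` on this page enables TLS on the database side; the storage-backend password and the whole session would then travel in clear inside the cluster, which undercuts the TLS just added on the API listener. Once the database chart has a certificate, append `?sslmode=verify-full` (or at least `sslmode=require`) to the URL; until then a comment on that line stating that the storage connection is intentionally plaintext in this environment keeps the gap visible. The listener block itself looks consistent—`tls_cert_file`/`tls_key_file` point at the mounted `openbao-server-tls` secret and `tlsDisable: false` matches—while `tls_min_version` is left at OpenBao's default, which should be checked against policy rather than assumed. The test environment's `openbao-values.yaml` later on this page is identical and needs the same change.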
@@ -16,22 +16,99 @@ services:
 image: localhost:5555/ss-configuration-client:latest
 env:
 XROAD_CONFIGURATION_CLIENT_UPDATE_INTERVAL: "10"
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
 signer:
 image: localhost:5555/ss-signer:latest
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
 proxy:
 image: localhost:5555/ss-proxy:latest
 env:
 XROAD_PROXY_ADDON_OP_MONITOR_ENABLED: "true"
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
 proxy-ui-api:
 image: localhost:5555/ss-proxy-ui-api:latest
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
 monitor:
 image: localhost:5555/ss-monitor:latest
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: 
userconfig-openbao-server-tls
+ readOnly: true
 op-monitor:
 image: localhost:5555/ss-op-monitor:latest
 enabled: true
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
 backup-manager:
 image: localhost:5555/ss-backup-manager:latest
 env:
 SERVERCONF_INIT_IMAGE: localhost:5555/ss-db-serverconf-init:latest
 SERVERCONF_INITIALIZED_WITH_PROXY_UI_SUPERUSER: "true"
 PROXY_UI_SUPERUSER: xrd
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
diff --git a/development/k8s/terraform/environments/test/main.tf b/development/k8s/terraform/environments/test/main.tf
index 6bdc373be3..0b33a6b225 100644
--- a/development/k8s/terraform/environments/test/main.tf
+++ b/development/k8s/terraform/environments/test/main.tf
@@ -1,6 +1,6 @@
 provider "helm" {
 kubernetes = {
- config_path = var.kubeconfig_path
+ config_path = pathexpand(var.kubeconfig_path)
 }
 }
@@ -19,7 +19,8 @@ module "openbao" {
 ]
 namespace = var.security_server_namespace
- openbao_db_user_password="secret"
+ openbao_db_override_values = yamldecode(file("${path.module}/override-values/openbao-db-values.yaml"))
+ openbao_override_values = yamldecode(file("${path.module}/override-values/openbao-values.yaml"))
 }
 module "cs_service_bridge" {
@@ -85,7 +86,7 @@ module "ss0_service_bridge" {
 name = "xrd-ss0"
 namespace = var.security_server_namespace
- external_host = "host.security_server_namespace.internal"
+ external_host = "host.docker.internal"
 ports = [
 {
 name = "proxy"
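Review bot: The identical 11-line `volumes`/`volumeMounts` stanza is pasted into all seven services (configuration-client, signer, proxy, proxy-ui-api, monitor, op-monitor, backup-manager), so a later change—another secret key, a different mount path—has seven places to miss; a YAML anchor on the first occurrence (`volumes: &openbao-ca-volumes`, `volumeMounts: &openbao-ca-mounts`) reused with `*openbao-ca-volumes`/`*openbao-ca-mounts` keeps one definition, provided the `yamldecode(file(...))` path in `main.tf` resolves aliases, which is worth a quick check before relying on it. Mounting the secret over `/usr/local/share/ca-certificates/` replaces that whole directory in the container, which suits the entrypoint's glob but would hide any `.crt` the image itself ships there, if any; a dedicated directory such as `/usr/local/share/ca-certificates/openbao/` plus a matching glob avoids that. Projecting only `tls.crt` through `items` is the right call and the inline comment already explains it, though the `tls.crt` key name depends on how the Terraform module creates `openbao-server-tls`, which is cut off at the end of this page. The test environment's `security-server-values.yaml` on this page repeats the same stanza and takes the same anchor treatment.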
diff --git a/development/k8s/terraform/environments/test/override-values/openbao-db-values.yaml b/development/k8s/terraform/environments/test/override-values/openbao-db-values.yaml
new file mode 100644
index 0000000000..962d8bdc2b
--- /dev/null
+++ b/development/k8s/terraform/environments/test/override-values/openbao-db-values.yaml
@@ -0,0 +1,14 @@
+fullnameOverride: db-openbao
+image:
+ repository: bitnamilegacy/postgresql
+ tag: "16.6.0"
+auth:
+ database: openbao
+ username: openbao
+ password: secret
+primary:
+ resources:
+ requests:
+ memory: 64Mi
+ limits:
+ memory: 256Mi
\ No newline at end of file
diff --git a/development/k8s/terraform/environments/test/override-values/openbao-values.yaml b/development/k8s/terraform/environments/test/override-values/openbao-values.yaml
new file mode 100644
index 0000000000..2bb26d467d
--- /dev/null
+++ b/development/k8s/terraform/environments/test/override-values/openbao-values.yaml
@@ -0,0 +1,31 @@
+global:
+ tlsDisable: false
+server:
+ ha:
+ enabled: true
+ config: |
+ ui = true
+ listener "tcp" {
+ address = "[::]:8200"
+ cluster_address = "[::]:8201"
+ tls_cert_file = "/openbao/userconfig/server-tls/tls.crt"
+ tls_key_file = "/openbao/userconfig/server-tls/tls.key"
+ }
+ storage "postgresql" {
+ ha_enabled = "true"
+ }
+ service_registration "kubernetes" {}
+ extraSecretEnvironmentVars:
+ - envName: BAO_PG_PASSWORD
+ secretName: db-openbao
+ secretKey: password
+ extraEnvironmentVars:
+ BAO_PG_CONNECTION_URL: postgres://openbao:$(BAO_PG_PASSWORD)@db-openbao.ss.svc.cluster.local:5432/openbao
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ volumeMounts:
+ - mountPath: /openbao/userconfig/server-tls
+ name: userconfig-openbao-server-tls
+ readOnly: true
diff --git a/development/k8s/terraform/environments/test/override-values/security-server-values.yaml b/development/k8s/terraform/environments/test/override-values/security-server-values.yaml
index 76667be2d4..6c44bd66f4 100644
--- a/development/k8s/terraform/environments/test/override-values/security-server-values.yaml
+++ b/development/k8s/terraform/environments/test/override-values/security-server-values.yaml
@@ -9,12 +9,96 @@ init:
 dbUsername: opmonitor
 services:
+ configuration-client:
+ env:
+ XROAD_CONFIGURATION_CLIENT_UPDATE_INTERVAL: "10"
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
+ signer:
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
 proxy:
 env:
 XROAD_PROXY_ADDON_OP_MONITOR_ENABLED: "true"
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
+ proxy-ui-api:
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
+ monitor:
+ image: localhost:5555/ss-monitor:latest
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
 op-monitor:
 enabled: true
+ volumes:
+ - name: userconfig-openbao-server-tls
+ 
secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
 backup-manager:
 env:
 SERVERCONF_INITIALIZED_WITH_PROXY_UI_SUPERUSER: "true"
 PROXY_UI_SUPERUSER: xrd
+ volumes:
+ - name: userconfig-openbao-server-tls
+ secret:
+ secretName: openbao-server-tls
+ items:
+ - key: tls.crt # just the TLS certificate of OpenBao is needed in order to trust it
+ path: openbao.crt
+ volumeMounts:
+ - mountPath: /usr/local/share/ca-certificates/
+ name: userconfig-openbao-server-tls
+ readOnly: true
diff --git a/development/k8s/terraform/modules/openbao/main.tf b/development/k8s/terraform/modules/openbao/main.tf
index c683212824..cc461cbcbb 100644
--- a/development/k8s/terraform/modules/openbao/main.tf
+++ b/development/k8s/terraform/modules/openbao/main.tf
@@ -7,30 +7,51 @@ resource "helm_release" "postgresql_openbao" {
 chart = "postgresql"
 version = "18.0.12"
- values = [
- yamlencode({
- fullnameOverride = "db-openbao"
- image = {
- repository = "bitnamilegacy/postgresql"
- tag = "16.6.0"
- }
- auth = {
- database = "openbao"
- username = var.openbao_db_user
- password = var.openbao_db_user_password
- }
- primary = {
- resources = {
- requests = {
- memory = "64Mi"
- }
- limits = {
- memory = "256Mi"
- }
- }
- }
- })
+ values = [yamlencode(var.openbao_db_override_values)]
+}
+
+resource "tls_private_key" "openbao_server" {
+ algorithm = "ECDSA"
+ ecdsa_curve = "P384"
+}
+
+resource "tls_self_signed_cert" "openbao_server" {
+ private_key_pem = tls_private_key.openbao_server.private_key_pem
+
+ subject {
+ common_name = "openbao"
+ }
+
+ dns_names = [
+ "localhost",
+ "openbao.ss.svc.cluster.local"
 ]
+
+ validity_period_hours = 43800 # 5 years
+
+ allowed_uses = [
+ "key_encipherment",
+ "digital_signature",
+ "server_auth",
+ ]
+}
+
+resource "null_resource" "openbao_server_tls_secret" {
+ provisioner "local-exec" {
+ command = <