feat(chart): Simplify to enable node registration secret

Signed-off-by: Viet Nguyen Duc <[email protected]>

Distributor/start-selenium-grid-distributor.sh

@@ -83,6 +83,11 @@ if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then
   SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}"
 fi
 
+if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
+  echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+  SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
+fi
+
 EXTRA_LIBS=""
 
 if [ ! -z "$SE_ENABLE_TRACING" ]; then

Hub/start-selenium-grid-hub.sh

@@ -51,6 +51,11 @@ if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then
   SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}"
 fi
 
+if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
+  echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+  SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
+fi
+
 EXTRA_LIBS=""
 
 if [ ! -z "$SE_ENABLE_TRACING" ]; then

NodeBase/start-selenium-node.sh

@@ -65,6 +65,11 @@ if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then
   SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}"
 fi
 
+if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
+  echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+  SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
+fi
+
 if [ "$GENERATE_CONFIG" = true ]; then
   echo "Generating Selenium Config"
   /opt/bin/generate_config

Router/start-selenium-grid-router.sh

@@ -83,6 +83,11 @@ if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then
   SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}"
 fi
 
+if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
+  echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+  SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
+fi
+
 EXTRA_LIBS=""
 
 if [ ! -z "$SE_ENABLE_TRACING" ]; then

charts/selenium-grid/README.md

@@ -21,6 +21,9 @@ This chart enables the creation of a Selenium Grid Server in Kubernetes.
     * [Configuration of Nodes](#configuration-of-nodes)
       * [Container ports and Service ports](#container-ports-and-service-ports)
       * [Probes](#probes)
+    * [Configuration of Secure Communication (HTTPS)](#configuration-of-secure-communication-https)
+      * [Secure Communication](#secure-communication)
+      * [Node Registration](#node-registration)
     * [Configuration of Selenium Grid chart](#configuration-of-selenium-grid-chart)
     * [Configuration of KEDA](#configuration-of-keda)
     * [Configuration of Ingress NGINX Controller](#configuration-of-ingress-nginx-controller)
@@ -228,6 +231,23 @@ nginx.ingress.kubernetes.io/client-body-buffer-size
 nginx.ingress.kubernetes.io/proxy-buffers-number
 ```
 
+You can generate a dummy self-signed certificate specify for your `hostname`, assign it to spec `ingress.tls` and NGINX ingress controller default certificate (if it is enabled inline). For example:
+
+```yaml
+tls:
+  ingress:
+    generateTLS: true
+
+ingress:
+  hostname: "your.domain.com"
+
+ingress-nginx:
+  enabled: true
+  controller:
+    extraArgs:
+      default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret'
+```
+
 ## Configuration
 
 ### Configuration global
@@ -342,6 +362,78 @@ edgeNode:
     periodSeconds: 5
 ```
 
+### Configuration of Secure Communication (HTTPS)
+
+Selenium Grid supports secure communication between components. Refer to the [instructions](https://github.com/SeleniumHQ/selenium/blob/trunk/java/src/org/openqa/selenium/grid/commands/security.txt) and [options](https://www.selenium.dev/documentation/grid/configuration/cli_options/#server) are able to configure the secure communication. Below is the details on how to enable secure communication in Selenium Grid chart.
+
+#### Secure Communication
+
+In the chart, there is directory [certs](./certs) contains the default certificate, private key (as PKCS8 format), and Java Keystore (JKS) to teach Java about secure connection (since we are using a non-standard CA) for your trial, local testing purpose. You can generate your own self-signed certificate put them in that default directory by using script [cert.sh](./certs/cert.sh) with adjust needed information. The certificate, private key, truststore are mounted to the components via `Secret`.
+
+There are multiple ways to configure your certificate, private key, truststore to the components. You can choose one of them or combine them together.
+
+- Use the default directory [certs](./certs). Rename your own files to be same as the default files and replace them. Give `--set tls.enabled=true` to enable secure communication.
+
+- Use the default directory [certs](./certs). Copy your own files to there and adjust the file name under config `tls.defaultFile`, those will be picked up when installing chart. For example:
+
+    ```yaml
+    tls:
+      enabled: true
+      trustStorePassword: "your_truststore_password"
+      defaultFile:
+        certificate: "certs/your_cert.pem"
+        privateKey: "certs/your_private_key.pkcs8"
+        trustStore: "certs/your_truststore.jks"
+    ```
+    For some security reasons, you may not able to put private key in your source code or your customization chart package. You can provide files with contents are encoded in Base64 format, just append `.base64` to the file name for chart able to know and decode them. For example:
+
+    ```yaml
+    tls:
+      enabled: true
+      trustStorePassword: "your_truststore_password"
+      defaultFile:
+        certificate: "certs/your_cert.pem.base64"
+        privateKey: "certs/your_private_key.pkcs8.base64"
+        trustStore: "certs/your_truststore.jks.base64"
+    ```
+
+- Using Helm CLI `--set-file` to pass your own file to particular config key. For example:
+
+    ```bash
+    helm upgrade -i test selenium-grid \
+    --set tls.enabled=true \
+    --set-file tls.certificate=/path/to/your_cert.pem \
+    --set-file tls.privateKey=/path/to/your_private_key.pkcs8 \
+    --set-file tls.trustStore=/path/to/your_truststore.jks \
+    --set-string tls.trustStorePassword=your_truststore_password
+    ```
+
+If you start NGINX ingress controller inline with Selenium Grid chart, you can configure the default certificate of NGINX ingress controller to use the same certificate as Selenium Grid. For example:
+
+```yaml
+tls:
+  enabled: true
+
+ingress-nginx:
+  enabled: true
+  controller:
+    extraArgs:
+      default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret'
+```
+
+#### Node Registration
+
+In order to enable secure in the node registration to make sure that the node is one you control and not a rouge node, you can enable and provide a registration secret string to Distributor, Router and
+Node servers in config `tls.registrationSecret`. For example:
+
+```yaml
+tls:
+  enabled: true
+  registrationSecret:
+    enabled: true
+    value: "matchThisSecret"
+```
+
 ### Configuration of Selenium Grid chart
 This table contains the configuration parameters of the chart and their default values:
 

charts/selenium-grid/certs/cert.sh

@@ -4,6 +4,7 @@ CERTNAME=${1:-selenium}
 STOREPASS=${2:-changeit}
 KEYPASS=${3:-changeit}
 ALIAS=${4:-SeleniumHQ}
+BASE64_ONLY=1
 
 # Remove existing files
 rm -f ${CERTNAME}.*
@@ -23,7 +24,7 @@ keytool -genkeypair \
     -keystore ${CERTNAME}.jks
 
 # Base64 encode JKS file (for Kubernetes Secret)
-base64 -i ${CERTNAME}.jks -w 0 > ${CERTNAME}.jks.base64
+#base64 -i ${CERTNAME}.jks -w 0 > ${CERTNAME}.jks.base64
 
 # Create PKCS12 from JKS
 keytool -importkeystore -srckeystore ${CERTNAME}.jks \
@@ -47,12 +48,14 @@ keytool -exportcert -alias ${ALIAS} \
     -storepass ${STOREPASS} -keypass ${KEYPASS} \
     -keystore ${CERTNAME}.jks -rfc -file ${CERTNAME}.pem
 
-# Bsae64 encode Certificate PEM file (for Kubernetes Secret)
-base64 -i ${CERTNAME}.pem -w 0 > ${CERTNAME}.pem.base64
-
-# Remove source files (prevent sensitive data leak)
-rm -f ${CERTNAME}.key
-rm -f ${CERTNAME}.p12
-rm -f ${CERTNAME}.jks
-rm -f ${CERTNAME}.pkcs8
-# Retain ${CERTNAME}.pem for client establishing HTTPS connection
+# Base64 encode Certificate PEM file (for Kubernetes Secret)
+#base64 -i ${CERTNAME}.pem -w 0 > ${CERTNAME}.pem.base64
+
+if [ ${BASE64_ONLY} -eq 1 ]; then
+  # Remove source files (prevent sensitive data leak)
+  rm -f ${CERTNAME}.key
+  rm -f ${CERTNAME}.p12
+  rm -f ${CERTNAME}.pkcs8
+  # Retain ${CERTNAME}.jks for Java client establishing HTTPS connection
+  # Retain ${CERTNAME}.pem for client establishing HTTPS connection
+fi

charts/selenium-grid/certs/selenium.pem

@@ -1,23 +1,23 @@
 -----BEGIN CERTIFICATE-----
-MIID3TCCAsWgAwIBAgIEBJE7TDANBgkqhkiG9w0BAQsFADCBhzEQMA4GA1UEBhMH
-VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjETMBEG
-A1UEChMKU2VsZW5pdW1IUTElMCMGA1UECxMcU29mdHdhcmUgRnJlZWRvbSBDb25z
-ZXJ2YW5jeTETMBEGA1UEAxMKU2VsZW5pdW1IUTAeFw0yNDAxMDIwMDUyMjdaFw0z
-MzEyMzAwMDUyMjdaMIGHMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtu
-b3duMRAwDgYDVQQHEwdVbmtub3duMRMwEQYDVQQKEwpTZWxlbml1bUhRMSUwIwYD
-VQQLExxTb2Z0d2FyZSBGcmVlZG9tIENvbnNlcnZhbmN5MRMwEQYDVQQDEwpTZWxl
-bml1bUhRMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnX4ITZb0DyET
-xqilk1I/WhC5qrUjo6n23uM9/jkqH8BfvLCw47kWy0IzIbCjJPs3d/epP87aArvN
-O7CFkbXoP8TYjAFPVE5Zhd65qmfbPHVhY0b1HdyOxkpHtahJetIFdkeY1ZzjV8zD
-0RhqM3px9OsabqH1yx6Nte1C4C/fTzNwYQWZNLkYK+t1wGh2aeyQi166mDRyVauk
-xZHoXKhgFK36EoWepBCpl/SWJ7BSP6Zw35vT2AzRCD2KdtOj+6syqAJBUGCisjDk
-CipaSJQeFb4xcFkJB+zS2jQQMPPRq7vaW8Y4GppNbQ7MJ9WoCJdlnBCyTfGi9BMM
-oP+XaqLeGwIDAQABo08wTTAdBgNVHQ4EFgQUcCyjX3qxVW3HUSjWcbDtZEyKoZsw
-LAYDVR0RAQH/BCIwIIIJbG9jYWxob3N0ghNzZWxlbml1bS1ncmlkLmxvY2FsMA0G
-CSqGSIb3DQEBCwUAA4IBAQCY30LusrLFc0xzBBijtx/sQZJTPrHZcj301Z8Hl4ik
-VjDiwD+Jso1Aw7tZbq+kK52MHrT0bDGZeauJDpGTVRsEktxd/FwOiL8dlbpycb77
-YUGad3pEQsLtKZbA+HCj8whjtaiQdbakrSDvE7/ZGCXdzzIH/dNmoAB5jFf8m7ZB
-rH1QU5mkEXXgYIrgRzC56TB5gVKu9KcW2NOwZXqUEx7nvocyekHLgzcmsX6LmbZn
-S0liXPlc7yOOhFGA3EOGZCJ47/KEvQyt31lEcWiiqC25nw+1F6JDvkGdIts6I5JX
-vuOjs9JGcW55dK6fxgNk7n+N8G8qaLgyHOYR3ceXB4os
+MIID4jCCAsqgAwIBAgIJAJcK6V/XPo7CMA0GCSqGSIb3DQEBCwUAMIGHMRAwDgYD
+VQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3du
+MRMwEQYDVQQKEwpTZWxlbml1bUhRMSUwIwYDVQQLExxTb2Z0d2FyZSBGcmVlZG9t
+IENvbnNlcnZhbmN5MRMwEQYDVQQDEwpTZWxlbml1bUhRMB4XDTI0MDEwNDA2MzMx
+MloXDTM0MDEwMTA2MzMxMlowgYcxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgT
+B1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEzARBgNVBAoTClNlbGVuaXVtSFEx
+JTAjBgNVBAsTHFNvZnR3YXJlIEZyZWVkb20gQ29uc2VydmFuY3kxEzARBgNVBAMT
+ClNlbGVuaXVtSFEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCekj09
+xvrD4+nkKmZf10h3TntIFqKI75x35Z2GxwHE2Kqt3eNwbqUrni2zRbYIalddnawW
+bOqc2pgEnLtM7VRoCgxlYzARaevfI2uY+EBI4QjgzSTZstuWksPqSmHrLOo4q75w
+OSYFUtfaa+6l7ijnVQLKWo4wCnGssk9UBJWvNU9ZMdTzEqLvIMr2Hi0LmKXs9k/F
+bIM+XIAAynf8aG4awq0s/eZTirmEqbhmi2udwMNMV60IaC8ZNo53k4VJ+lQWOOwB
+/Q1CHRWotjvD4WFt2XI9cCAjbDMpkZONaaCIA70XjTG+5DiGDOUAlap6LFlBrUh4
+3YHQHvXEIKZe2tVDAgMBAAGjTzBNMB0GA1UdDgQWBBRpoVLPxMaU/3QI5x3KUl0x
+wL4bVjAsBgNVHREBAf8EIjAggglsb2NhbGhvc3SCE3NlbGVuaXVtLWdyaWQubG9j
+YWwwDQYJKoZIhvcNAQELBQADggEBAByNMqeuoiSG1BxnoUGKYiPEurKl8wdsJH8+
+doL5loA7PUnUFY8Vpd4IRHf/RMgTCkSGyLDI/y9lLNLkwkyzt+Wlnfh6sPVXT6DL
+cHMrPYavBXZFNStvawS4BztSpcOPOGq6Y2W0gkcVUun8dpS2Dx/w5CW56HzmbPVu
+iL9ZW3D6rSm/Qz4cay3rN9MA7WPzTLA3g1YizQLhkvk9JIwNphO16X28qEMIoD2Q
+vCGFDdS3xtxmRBj3x/4nGU19WTqECG7eOS4+1Xp5faYietKZVkfhl5rue53wv6lu
+v+QNozSyg5nW3YcydA3SeRuf2/kwkvyP61zey4HMHThR+vPKz9U=
 -----END CERTIFICATE-----