diff --git a/Distributor/start-selenium-grid-distributor.sh b/Distributor/start-selenium-grid-distributor.sh
index 63e7e6c8c7..c9af77f711 100755
--- a/Distributor/start-selenium-grid-distributor.sh
+++ b/Distributor/start-selenium-grid-distributor.sh
@@ -83,6 +83,11 @@ if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then
 SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}"
 fi
+if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
+ echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+ SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
+fi
+
 EXTRA_LIBS=""
 if [ ! -z "$SE_ENABLE_TRACING" ]; then
diff --git a/Hub/start-selenium-grid-hub.sh b/Hub/start-selenium-grid-hub.sh
index e0314aa122..682b28e503 100755
--- a/Hub/start-selenium-grid-hub.sh
+++ b/Hub/start-selenium-grid-hub.sh
@@ -51,6 +51,11 @@ if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then
 SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}"
 fi
+if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
+ echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+ SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
+fi
+
 EXTRA_LIBS=""
 if [ ! -z "$SE_ENABLE_TRACING" ]; then
diff --git a/NodeBase/start-selenium-node.sh b/NodeBase/start-selenium-node.sh
index 6f4888653e..65402cbecb 100755
--- a/NodeBase/start-selenium-node.sh
+++ b/NodeBase/start-selenium-node.sh
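Review bot: The added `echo` prints the value of `SE_REGISTRATION_SECRET` to the container log, so anyone with log access (kubectl logs, a log aggregator) learns the secret that is meant to keep unknown nodes from registering. Log only the option name, e.g. `echo "Appending Selenium options: --registration-secret ***"`, and keep the real value in `SE_OPTS` alone. The same three lines are added in the Hub, NodeBase and Router start scripts and need the same change. Because the value is appended to `SE_OPTS`, it presumably also ends up in the Java process's argument list, where it shows in process listings inside the container; if the server can read the secret from its config file instead, that would avoid it. `[ -n "$SE_REGISTRATION_SECRET" ]` is the more direct test, though `[ ! -z … ]` matches the surrounding script.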
@@ -65,6 +65,11 @@ if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then
 SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}"
 fi
+if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
+ echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+ SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
+fi
+
 if [ "$GENERATE_CONFIG" = true ]; then
 echo "Generating Selenium Config"
 /opt/bin/generate_config
diff --git a/Router/start-selenium-grid-router.sh b/Router/start-selenium-grid-router.sh
index 0391769326..6a7c0bc782 100755
--- a/Router/start-selenium-grid-router.sh
+++ b/Router/start-selenium-grid-router.sh
@@ -83,6 +83,11 @@ if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then
 SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}"
 fi
+if [ ! -z "$SE_REGISTRATION_SECRET" ]; then
+ echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"
+ SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}"
+fi
+
 EXTRA_LIBS=""
 if [ ! -z "$SE_ENABLE_TRACING" ]; then
diff --git a/charts/selenium-grid/README.md b/charts/selenium-grid/README.md
index 3568d4cd5e..5368ca2ea8 100644
--- a/charts/selenium-grid/README.md
+++ b/charts/selenium-grid/README.md
@@ -21,6 +21,9 @@ This chart enables the creation of a Selenium Grid Server in Kubernetes. * [Configuration of Nodes](#configuration-of-nodes) * [Container ports and Service ports](#container-ports-and-service-ports) * [Probes](#probes) + * [Configuration of Secure Communication (HTTPS)](#configuration-of-secure-communication-https) + * [Secure Communication](#secure-communication) + * [Node Registration](#node-registration) * [Configuration of Selenium Grid chart](#configuration-of-selenium-grid-chart) * [Configuration of KEDA](#configuration-of-keda) * [Configuration of Ingress NGINX Controller](#configuration-of-ingress-nginx-controller) @@ -228,6 +231,23 @@ nginx.ingress.kubernetes.io/client-body-buffer-size nginx.ingress.kubernetes.io/proxy-buffers-number ``` +You can generate a dummy self-signed certificate specify for your `hostname`, assign it to spec `ingress.tls` and NGINX ingress controller default certificate (if it is enabled inline). For example: + +```yaml +tls: + ingress: + generateTLS: true + +ingress: + hostname: "your.domain.com" + +ingress-nginx: + enabled: true + controller: + extraArgs: + default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret' +``` + ## Configuration ### Configuration global 
@@ -342,6 +362,78 @@ edgeNode: periodSeconds: 5 ``` +### Configuration of Secure Communication (HTTPS) + +Selenium Grid supports secure communication between components. Refer to the [instructions](https://github.com/SeleniumHQ/selenium/blob/trunk/java/src/org/openqa/selenium/grid/commands/security.txt) and [options](https://www.selenium.dev/documentation/grid/configuration/cli_options/#server) are able to configure the secure communication. Below is the details on how to enable secure communication in Selenium Grid chart. + +#### Secure Communication + +In the chart, there is directory [certs](./certs) contains the default certificate, private key (as PKCS8 format), and Java Keystore (JKS) to teach Java about secure connection (since we are using a non-standard CA) for your trial, local testing purpose. You can generate your own self-signed certificate put them in that default directory by using script [cert.sh](./certs/cert.sh) with adjust needed information. The certificate, private key, truststore are mounted to the components via `Secret`. + +There are multiple ways to configure your certificate, private key, truststore to the components. You can choose one of them or combine them together. + +- Use the default directory [certs](./certs). Rename your own files to be same as the default files and replace them. Give `--set tls.enabled=true` to enable secure communication. + +- Use the default directory [certs](./certs). Copy your own files to there and adjust the file name under config `tls.defaultFile`, those will be picked up when installing chart. For example: + + ```yaml + tls: + enabled: true + trustStorePassword: "your_truststore_password" + defaultFile: + certificate: "certs/your_cert.pem" + privateKey: "certs/your_private_key.pkcs8" + trustStore: "certs/your_truststore.jks" + ``` + For some security reasons, you may not able to put private key in your source code or your customization chart package. 
You can provide files with contents are encoded in Base64 format, just append `.base64` to the file name for chart able to know and decode them. For example: + + ```yaml + tls: + enabled: true + trustStorePassword: "your_truststore_password" + defaultFile: + certificate: "certs/your_cert.pem.base64" + privateKey: "certs/your_private_key.pkcs8.base64" + trustStore: "certs/your_truststore.jks.base64" + ``` + +- Using Helm CLI `--set-file` to pass your own file to particular config key. For example: + + ```bash + helm upgrade -i test selenium-grid \ + --set tls.enabled=true \ + --set-file tls.certificate=/path/to/your_cert.pem \ + --set-file tls.privateKey=/path/to/your_private_key.pkcs8 \ + --set-file tls.trustStore=/path/to/your_truststore.jks \ + --set-string tls.trustStorePassword=your_truststore_password + ``` + +If you start NGINX ingress controller inline with Selenium Grid chart, you can configure the default certificate of NGINX ingress controller to use the same certificate as Selenium Grid. For example: + +```yaml +tls: + enabled: true + +ingress-nginx: + enabled: true + controller: + extraArgs: + default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret' +``` + +#### Node Registration + +In order to enable secure in the node registration to make sure that the node is one you control and not a rouge node, you can enable and provide a registration secret string to Distributor, Router and +Node servers in config `tls.registrationSecret`. For example: + +```yaml +tls: + enabled: true + registrationSecret: + enabled: true + value: "matchThisSecret" +``` + ### Configuration of Selenium Grid chart This table contains the configuration parameters of the chart and their default values: diff --git a/charts/selenium-grid/certs/cert.sh b/charts/selenium-grid/certs/cert.sh index 1544f95794..d170d262a2 100755 --- a/charts/selenium-grid/certs/cert.sh +++ b/charts/selenium-grid/certs/cert.sh 
@@ -4,6 +4,7 @@ CERTNAME=${1:-selenium} STOREPASS=${2:-changeit} KEYPASS=${3:-changeit} ALIAS=${4:-SeleniumHQ} +BASE64_ONLY=1 # Remove existing files rm -f ${CERTNAME}.* @@ -23,7 +24,7 @@ keytool -genkeypair \ -keystore ${CERTNAME}.jks # Base64 encode JKS file (for Kubernetes Secret) -base64 -i ${CERTNAME}.jks -w 0 > ${CERTNAME}.jks.base64 +#base64 -i ${CERTNAME}.jks -w 0 > ${CERTNAME}.jks.base64 # Create PKCS12 from JKS keytool -importkeystore -srckeystore ${CERTNAME}.jks \ @@ -47,12 +48,14 @@ keytool -exportcert -alias ${ALIAS} \ -storepass ${STOREPASS} -keypass ${KEYPASS} \ -keystore ${CERTNAME}.jks -rfc -file ${CERTNAME}.pem -# Bsae64 encode Certificate PEM file (for Kubernetes Secret) -base64 -i ${CERTNAME}.pem -w 0 > ${CERTNAME}.pem.base64 - -# Remove source files (prevent sensitive data leak) -rm -f ${CERTNAME}.key -rm -f ${CERTNAME}.p12 -rm -f ${CERTNAME}.jks -rm -f ${CERTNAME}.pkcs8 -# Retain ${CERTNAME}.pem for client establishing HTTPS connection +# Base64 encode Certificate PEM file (for Kubernetes Secret) +#base64 -i ${CERTNAME}.pem -w 0 > ${CERTNAME}.pem.base64 + +if [ ${BASE64_ONLY} -eq 1 ]; then + # Remove source files (prevent sensitive data leak) + rm -f ${CERTNAME}.key + rm -f ${CERTNAME}.p12 + rm -f ${CERTNAME}.pkcs8 + # Retain ${CERTNAME}.jks for Java client establishing HTTPS connection + # Retain ${CERTNAME}.pem for client establishing HTTPS connection +fi diff --git a/charts/selenium-grid/certs/selenium.jks b/charts/selenium-grid/certs/selenium.jks new file mode 100644 index 0000000000..f3ea9229b4 Binary files /dev/null and b/charts/selenium-grid/certs/selenium.jks differ diff --git a/charts/selenium-grid/certs/selenium.jks.base64 b/charts/selenium-grid/certs/selenium.jks.base64 deleted file mode 100644 index fbf94d7d8a..0000000000 --- a/charts/selenium-grid/certs/selenium.jks.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file 
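Review bot: In the last cert.sh hunk `${CERTNAME}.jks` is no longer deleted, yet that file is the keystore `keytool -genkeypair` wrote earlier in the script, so it appears to hold the private key as well as the certificate, protected only by `STOREPASS`/`KEYPASS`, which default to `changeit`. Keeping it as the trust store (and committing `selenium.jks`) hands the key to every component and client that only needs to trust the certificate. Consider building a certificate-only trust store from the exported PEM, for example `keytool -importcert -noprompt -alias ${ALIAS} -file ${CERTNAME}.pem -keystore ${CERTNAME}.truststore.jks -storepass ${STOREPASS}`, and still removing the key-bearing `.jks` at the end. Separately, `BASE64_ONLY=1` is hard-coded and misnamed now that both `base64` steps are commented out, and the test should quote it: `if [ "${BASE64_ONLY}" -eq 1 ]; then`. The script body between these hunks is not visible here.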
diff --git a/charts/selenium-grid/certs/selenium.pem b/charts/selenium-grid/certs/selenium.pem index 138c1c7723..b870d2900b 100644 --- a/charts/selenium-grid/certs/selenium.pem +++ b/charts/selenium-grid/certs/selenium.pem 
@@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIID3TCCAsWgAwIBAgIEBJE7TDANBgkqhkiG9w0BAQsFADCBhzEQMA4GA1UEBhMH -VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjETMBEG -A1UEChMKU2VsZW5pdW1IUTElMCMGA1UECxMcU29mdHdhcmUgRnJlZWRvbSBDb25z -ZXJ2YW5jeTETMBEGA1UEAxMKU2VsZW5pdW1IUTAeFw0yNDAxMDIwMDUyMjdaFw0z -MzEyMzAwMDUyMjdaMIGHMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtu -b3duMRAwDgYDVQQHEwdVbmtub3duMRMwEQYDVQQKEwpTZWxlbml1bUhRMSUwIwYD -VQQLExxTb2Z0d2FyZSBGcmVlZG9tIENvbnNlcnZhbmN5MRMwEQYDVQQDEwpTZWxl -bml1bUhRMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnX4ITZb0DyET -xqilk1I/WhC5qrUjo6n23uM9/jkqH8BfvLCw47kWy0IzIbCjJPs3d/epP87aArvN -O7CFkbXoP8TYjAFPVE5Zhd65qmfbPHVhY0b1HdyOxkpHtahJetIFdkeY1ZzjV8zD -0RhqM3px9OsabqH1yx6Nte1C4C/fTzNwYQWZNLkYK+t1wGh2aeyQi166mDRyVauk -xZHoXKhgFK36EoWepBCpl/SWJ7BSP6Zw35vT2AzRCD2KdtOj+6syqAJBUGCisjDk -CipaSJQeFb4xcFkJB+zS2jQQMPPRq7vaW8Y4GppNbQ7MJ9WoCJdlnBCyTfGi9BMM -oP+XaqLeGwIDAQABo08wTTAdBgNVHQ4EFgQUcCyjX3qxVW3HUSjWcbDtZEyKoZsw -LAYDVR0RAQH/BCIwIIIJbG9jYWxob3N0ghNzZWxlbml1bS1ncmlkLmxvY2FsMA0G -CSqGSIb3DQEBCwUAA4IBAQCY30LusrLFc0xzBBijtx/sQZJTPrHZcj301Z8Hl4ik -VjDiwD+Jso1Aw7tZbq+kK52MHrT0bDGZeauJDpGTVRsEktxd/FwOiL8dlbpycb77 -YUGad3pEQsLtKZbA+HCj8whjtaiQdbakrSDvE7/ZGCXdzzIH/dNmoAB5jFf8m7ZB -rH1QU5mkEXXgYIrgRzC56TB5gVKu9KcW2NOwZXqUEx7nvocyekHLgzcmsX6LmbZn -S0liXPlc7yOOhFGA3EOGZCJ47/KEvQyt31lEcWiiqC25nw+1F6JDvkGdIts6I5JX -vuOjs9JGcW55dK6fxgNk7n+N8G8qaLgyHOYR3ceXB4os +MIID4jCCAsqgAwIBAgIJAJcK6V/XPo7CMA0GCSqGSIb3DQEBCwUAMIGHMRAwDgYD +VQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3du +MRMwEQYDVQQKEwpTZWxlbml1bUhRMSUwIwYDVQQLExxTb2Z0d2FyZSBGcmVlZG9t +IENvbnNlcnZhbmN5MRMwEQYDVQQDEwpTZWxlbml1bUhRMB4XDTI0MDEwNDA2MzMx +MloXDTM0MDEwMTA2MzMxMlowgYcxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgT +B1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEzARBgNVBAoTClNlbGVuaXVtSFEx +JTAjBgNVBAsTHFNvZnR3YXJlIEZyZWVkb20gQ29uc2VydmFuY3kxEzARBgNVBAMT +ClNlbGVuaXVtSFEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCekj09 
+xvrD4+nkKmZf10h3TntIFqKI75x35Z2GxwHE2Kqt3eNwbqUrni2zRbYIalddnawW +bOqc2pgEnLtM7VRoCgxlYzARaevfI2uY+EBI4QjgzSTZstuWksPqSmHrLOo4q75w +OSYFUtfaa+6l7ijnVQLKWo4wCnGssk9UBJWvNU9ZMdTzEqLvIMr2Hi0LmKXs9k/F +bIM+XIAAynf8aG4awq0s/eZTirmEqbhmi2udwMNMV60IaC8ZNo53k4VJ+lQWOOwB +/Q1CHRWotjvD4WFt2XI9cCAjbDMpkZONaaCIA70XjTG+5DiGDOUAlap6LFlBrUh4 +3YHQHvXEIKZe2tVDAgMBAAGjTzBNMB0GA1UdDgQWBBRpoVLPxMaU/3QI5x3KUl0x +wL4bVjAsBgNVHREBAf8EIjAggglsb2NhbGhvc3SCE3NlbGVuaXVtLWdyaWQubG9j +YWwwDQYJKoZIhvcNAQELBQADggEBAByNMqeuoiSG1BxnoUGKYiPEurKl8wdsJH8+ +doL5loA7PUnUFY8Vpd4IRHf/RMgTCkSGyLDI/y9lLNLkwkyzt+Wlnfh6sPVXT6DL +cHMrPYavBXZFNStvawS4BztSpcOPOGq6Y2W0gkcVUun8dpS2Dx/w5CW56HzmbPVu +iL9ZW3D6rSm/Qz4cay3rN9MA7WPzTLA3g1YizQLhkvk9JIwNphO16X28qEMIoD2Q +vCGFDdS3xtxmRBj3x/4nGU19WTqECG7eOS4+1Xp5faYietKZVkfhl5rue53wv6lu +v+QNozSyg5nW3YcydA3SeRuf2/kwkvyP61zey4HMHThR+vPKz9U= -----END CERTIFICATE----- diff --git a/charts/selenium-grid/certs/selenium.pem.base64 b/charts/selenium-grid/certs/selenium.pem.base64 deleted file mode 100644 index 854537f2ca..0000000000 --- a/charts/selenium-grid/certs/selenium.pem.base64 +++ /dev/null 
@@ -1 +0,0 @@ -LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUQzVENDQXNXZ0F3SUJBZ0lFQkpFN1REQU5CZ2txaGtpRzl3MEJBUXNGQURDQmh6RVFNQTRHQTFVRUJoTUgNClZXNXJibTkzYmpFUU1BNEdBMVVFQ0JNSFZXNXJibTkzYmpFUU1BNEdBMVVFQnhNSFZXNXJibTkzYmpFVE1CRUcNCkExVUVDaE1LVTJWc1pXNXBkVzFJVVRFbE1DTUdBMVVFQ3hNY1UyOW1kSGRoY21VZ1JuSmxaV1J2YlNCRGIyNXoNClpYSjJZVzVqZVRFVE1CRUdBMVVFQXhNS1UyVnNaVzVwZFcxSVVUQWVGdzB5TkRBeE1ESXdNRFV5TWpkYUZ3MHoNCk16RXlNekF3TURVeU1qZGFNSUdITVJBd0RnWURWUVFHRXdkVmJtdHViM2R1TVJBd0RnWURWUVFJRXdkVmJtdHUNCmIzZHVNUkF3RGdZRFZRUUhFd2RWYm10dWIzZHVNUk13RVFZRFZRUUtFd3BUWld4bGJtbDFiVWhSTVNVd0l3WUQNClZRUUxFeHhUYjJaMGQyRnlaU0JHY21WbFpHOXRJRU52Ym5ObGNuWmhibU41TVJNd0VRWURWUVFERXdwVFpXeGwNCmJtbDFiVWhSTUlJQklqQU5CZ2txaGtpRzl3MEJBUUVGQUFPQ0FROEFNSUlCQ2dLQ0FRRUFuWDRJVFpiMER5RVQNCnhxaWxrMUkvV2hDNXFyVWpvNm4yM3VNOS9qa3FIOEJmdkxDdzQ3a1d5MEl6SWJDakpQczNkL2VwUDg3YUFydk4NCk83Q0ZrYlhvUDhUWWpBRlBWRTVaaGQ2NXFtZmJQSFZoWTBiMUhkeU94a3BIdGFoSmV0SUZka2VZMVp6alY4ekQNCjBSaHFNM3B4OU9zYWJxSDF5eDZOdGUxQzRDL2ZUek53WVFXWk5Ma1lLK3Qxd0doMmFleVFpMTY2bURSeVZhdWsNCnhaSG9YS2hnRkszNkVvV2VwQkNwbC9TV0o3QlNQNlp3MzV2VDJBelJDRDJLZHRPais2c3lxQUpCVUdDaXNqRGsNCkNpcGFTSlFlRmI0eGNGa0pCK3pTMmpRUU1QUFJxN3ZhVzhZNEdwcE5iUTdNSjlXb0NKZGxuQkN5VGZHaTlCTU0NCm9QK1hhcUxlR3dJREFRQUJvMDh3VFRBZEJnTlZIUTRFRmdRVWNDeWpYM3F4VlczSFVTaldjYkR0WkV5S29ac3cNCkxBWURWUjBSQVFIL0JDSXdJSUlKYkc5allXeG9iM04wZ2hOelpXeGxibWwxYlMxbmNtbGtMbXh2WTJGc01BMEcNCkNTcUdTSWIzRFFFQkN3VUFBNElCQVFDWTMwTHVzckxGYzB4ekJCaWp0eC9zUVpKVFBySFpjajMwMVo4SGw0aWsNClZqRGl3RCtKc28xQXc3dFpicStrSzUyTUhyVDBiREdaZWF1SkRwR1RWUnNFa3R4ZC9Gd09pTDhkbGJweWNiNzcNCllVR2FkM3BFUXNMdEtaYkErSENqOHdoanRhaVFkYmFrclNEdkU3L1pHQ1hkenpJSC9kTm1vQUI1akZmOG03WkINCnJIMVFVNW1rRVhYZ1lJcmdSekM1NlRCNWdWS3U5S2NXMk5Pd1pYcVVFeDdudm9jeWVrSExnemNtc1g2TG1iWm4NClMwbGlYUGxjN3lPT2hGR0EzRU9HWkNKNDcvS0V2UXl0MzFsRWNXaWlxQzI1bncrMUY2SkR2a0dkSXRzNkk1SlgNCnZ1T2pzOUpHY1c1NWRLNmZ4Z05rN24rTjhHOHFhTGd5SE9ZUjNjZVhCNG9zCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K \ No newline at end of file 
diff --git a/charts/selenium-grid/certs/selenium.pkcs8.base64 b/charts/selenium-grid/certs/selenium.pkcs8.base64 index 227134266a..f661b989dd 100644 --- a/charts/selenium-grid/certs/selenium.pkcs8.base64 +++ b/charts/selenium-grid/certs/selenium.pkcs8.base64 @@ -1 +1 @@ -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 \ No newline at end of file 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 \ No newline at end of file diff --git a/charts/selenium-grid/templates/_helpers.tpl b/charts/selenium-grid/templates/_helpers.tpl index 8afc9bf4fe..e033bdac4a 100644 --- a/charts/selenium-grid/templates/_helpers.tpl +++ b/charts/selenium-grid/templates/_helpers.tpl @@ -173,6 +173,33 @@ Secret TLS fullname {{- default "selenium-tls-secret" .Values.tls.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Is registration secret enabled +*/}} +{{- define "seleniumGrid.tls.registrationSecret.enabled" -}} +{{- and .Values.tls.enabled .Values.tls.registrationSecret.enabled | ternary "true" "" -}} +{{- end -}} + +{{/* +Get default certificate file name in chart +*/}} +{{- define "seleniumGrid.tls.getDefaultFile" -}} +{{- $value := index . 0 -}} +{{- $global := index . 1 -}} +{{- $content := $global.Files.Get $value -}} +{{- if (contains "base64" (lower $value)) -}} + {{- $content = $content | b64dec -}} +{{- end -}} +{{- $content -}} +{{- end -}} + +{{/* +Common secrets cross components +*/}} +{{- define "seleniumGrid.common.secrets" -}} +{{- default "selenium-secrets" .Values.secrets.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{- define "seleniumGrid.ingress.nginx.annotations.default" -}} {{- with .Values.ingress.nginx }} {{- with .proxyTimeout }} @@ -311,6 +338,8 @@ template: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} {{- with .node.extraEnvFrom }} {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} 
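Review bot: `seleniumGrid.common.secrets` reads `.Values.secrets.nameOverride`, but the values.yaml hunk in this commit defines `secrets.name: selenium-secrets`, so the key shown there is never consulted and a user who changes `secrets.name` still gets the default name; pick one key, e.g. `{{- default "selenium-secrets" .Values.secrets.name | trunc 63 | trimSuffix "-" -}}`. In `seleniumGrid.tls.getDefaultFile`, `contains "base64" (lower $value)` matches the substring anywhere in the path, so a directory or file name that merely contains `base64` would be decoded; the README describes a `.base64` suffix, which `hasSuffix ".base64" (lower $value)` checks directly. The helper also returns an empty string when `Files.Get` finds nothing, so a mistyped `tls.defaultFile` path would render an empty certificate or key rather than fail; wrapping the result in `required` would surface that at install time.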
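Review bot: This `secretRef` (and the identical ones added to the distributor, event-bus, hub, router, session-map and session-queuer deployments) injects every key of the shared Secret into the container, so components such as the event bus or session map receive `ROUTER_PASSWORD`, `SE_REGISTRATION_SECRET` and the trust-store password whether or not they use them. Consider splitting the Secret by purpose or selecting keys with `env[].valueFrom.secretKeyRef` so each pod only gets what it needs. The reference is also unconditional while templates/secrets.yaml is rendered only when `secrets.create` is true; with `create: false` and no pre-existing Secret of that name the pods will not start, which deserves a line in the values.yaml comment. The enclosing template starts outside the hunk.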
diff --git a/charts/selenium-grid/templates/distributor-deployment.yaml b/charts/selenium-grid/templates/distributor-deployment.yaml index 117b9e4be7..52578d6c79 100644 --- a/charts/selenium-grid/templates/distributor-deployment.yaml +++ b/charts/selenium-grid/templates/distributor-deployment.yaml @@ -51,6 +51,8 @@ spec: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/selenium-grid/templates/event-bus-deployment.yaml b/charts/selenium-grid/templates/event-bus-deployment.yaml index 203a3127ae..ef29a6908c 100644 --- a/charts/selenium-grid/templates/event-bus-deployment.yaml +++ b/charts/selenium-grid/templates/event-bus-deployment.yaml @@ -47,6 +47,8 @@ spec: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/selenium-grid/templates/hub-deployment.yaml b/charts/selenium-grid/templates/hub-deployment.yaml index b2d2f4e25d..e952215a41 100644 --- a/charts/selenium-grid/templates/hub-deployment.yaml +++ b/charts/selenium-grid/templates/hub-deployment.yaml @@ -95,12 +95,6 @@ spec: - name: SE_SUB_PATH value: {{ . | quote }} {{- end }} - {{- if eq .Values.basicAuth.enabled true}} - - name: ROUTER_USERNAME - value: {{ .Values.basicAuth.username }} - - name: ROUTER_PASSWORD - value: {{ .Values.basicAuth.password }} - {{- end }} {{- with .Values.hub.extraEnvironmentVariables }} {{- tpl (toYaml .) $ | nindent 12 }} {{- end }} 
@@ -109,6 +103,8 @@ spec: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} {{- with .Values.hub.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/selenium-grid/templates/ingress.yaml b/charts/selenium-grid/templates/ingress.yaml index 907c510e4c..2f8195b6ea 100644 --- a/charts/selenium-grid/templates/ingress.yaml +++ b/charts/selenium-grid/templates/ingress.yaml @@ -32,12 +32,13 @@ spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} ingressClassName: {{ .Values.ingress.className }} {{- end }} + {{- if and (or .Values.tls.enabled .Values.tls.ingress.generateTLS) .Values.ingress.hostname (not .Values.ingress.tls) }} tls: - {{- if and .Values.tls.enabled (and .Values.ingress.enabled (not .Values.ingress.tls)) }} - hosts: - - {{ default .Values.tls.defaultCN .Values.ingress.hostname | quote }} + - {{ .Values.ingress.hostname | quote }} secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} {{- else if .Values.ingress.tls }} + tls: {{- range .Values.ingress.tls }} - hosts: {{- range .hosts }} diff --git a/charts/selenium-grid/templates/router-deployment.yaml b/charts/selenium-grid/templates/router-deployment.yaml index 532dfe5d29..a57e2682c6 100644 --- a/charts/selenium-grid/templates/router-deployment.yaml +++ b/charts/selenium-grid/templates/router-deployment.yaml @@ -49,12 +49,6 @@ spec: - name: SE_SUB_PATH value: {{ . | quote }} {{- end }} - {{- if eq .Values.basicAuth.enabled true}} - - name: ROUTER_USERNAME - value: {{ .Values.basicAuth.username }} - - name: ROUTER_PASSWORD - value: {{ .Values.basicAuth.password }} - {{- end }} {{- with .Values.components.extraEnvironmentVariables }} {{- tpl (toYaml .) $ | nindent 12 }} {{- end }} 
@@ -63,6 +57,8 @@ spec: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/selenium-grid/templates/secrets.yaml b/charts/selenium-grid/templates/secrets.yaml new file mode 100644 index 0000000000..06881d15a6 --- /dev/null +++ b/charts/selenium-grid/templates/secrets.yaml @@ -0,0 +1,33 @@ +{{- if .Values.secrets.create }} +apiVersion: v1 +kind: Secret +metadata: +{{- with .Values.secrets.annotations }} + annotations: {{- toYaml . | nindent 4 }} +{{- end }} + name: {{ include "seleniumGrid.common.secrets" . }} + labels: + {{- include "seleniumGrid.commonLabels" . | nindent 4 }} + {{- with .Values.customLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +data: +{{- range $name, $value := .Values.secrets.env }} +{{- if not (empty $value) }} + {{- $_ := set $ "name" $name }} + {{- $_ := set $ "value" $value }} + {{ $name }}: {{ tpl ($value) $ | b64enc }} +{{- end }} +{{- end }} +{{- if eq .Values.basicAuth.enabled true }} + ROUTER_USERNAME: {{ .Values.basicAuth.username | b64enc }} + ROUTER_PASSWORD: {{ .Values.basicAuth.password | b64enc }} +{{- end }} +{{- if .Values.tls.enabled }} + SE_JAVA_SSL_TRUST_STORE_PASSWORD: {{ .Values.tls.trustStorePassword | b64enc }} +{{- end }} +{{- if (include "seleniumGrid.tls.registrationSecret.enabled" $) }} + SE_REGISTRATION_SECRET: {{ .Values.tls.registrationSecret.value | b64enc }} +{{- end }} +{{- end }} diff --git a/charts/selenium-grid/templates/server-configmap.yaml b/charts/selenium-grid/templates/server-configmap.yaml index f0bb39a394..3e4e4b766c 100644 --- a/charts/selenium-grid/templates/server-configmap.yaml +++ b/charts/selenium-grid/templates/server-configmap.yaml 
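Review bot: In templates/secrets.yaml `SE_REGISTRATION_SECRET` is rendered from `.Values.tls.registrationSecret.value` without checking that it is set, and the start scripts in this commit skip `--registration-secret` when the variable is empty, so `registrationSecret.enabled: true` with an empty value would silently run the Grid without a secret. Fail the render instead: `SE_REGISTRATION_SECRET: {{ required "tls.registrationSecret.value must be set" .Values.tls.registrationSecret.value | toString | b64enc }}`. Shipping the default `"HappyTesting"` in values.yaml has the related problem that enabling the feature without overriding the value deploys a publicly known secret; an empty default plus `required` avoids both. The `toString` matters for the other entries too, since a numeric password passed with `--set` rather than `--set-string` is not a string when it reaches `b64enc`. The two `set $ "name"` / `set $ "value"` calls inside the `range` write into the root context on every iteration; if `tpl` does not need them they are better dropped.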
@@ -16,6 +16,5 @@ data: SE_HTTPS_CERTIFICATE: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.certificateFile | quote }} SE_HTTPS_PRIVATE_KEY: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.privateKeyFile | quote }} SE_JAVA_SSL_TRUST_STORE: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.trustStoreFile | quote }} - SE_JAVA_SSL_TRUST_STORE_PASSWORD: {{ .Values.serverConfigMap.trustStorePassword | quote }} SE_JAVA_DISABLE_HOSTNAME_VERIFICATION: {{ .Values.serverConfigMap.disableHostnameVerification | quote }} {{- end }} diff --git a/charts/selenium-grid/templates/session-map-deployment.yaml b/charts/selenium-grid/templates/session-map-deployment.yaml index 2b04917583..27d120540c 100644 --- a/charts/selenium-grid/templates/session-map-deployment.yaml +++ b/charts/selenium-grid/templates/session-map-deployment.yaml @@ -40,6 +40,8 @@ spec: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} - configMapRef: name: {{ .Values.busConfigMap.name }} {{- with .Values.components.extraEnvFrom }} diff --git a/charts/selenium-grid/templates/session-queuer-deployment.yaml b/charts/selenium-grid/templates/session-queuer-deployment.yaml index c6cf9e58dd..546090e43c 100644 --- a/charts/selenium-grid/templates/session-queuer-deployment.yaml +++ b/charts/selenium-grid/templates/session-queuer-deployment.yaml @@ -40,6 +40,8 @@ spec: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/selenium-grid/templates/tls-cert-secret.yaml b/charts/selenium-grid/templates/tls-cert-secret.yaml index f025b514be..000a1e5a79 100644 
--- a/charts/selenium-grid/templates/tls-cert-secret.yaml +++ b/charts/selenium-grid/templates/tls-cert-secret.yaml @@ -1,4 +1,3 @@ -{{- if .Values.tls.enabled }} apiVersion: v1 kind: Secret metadata: 
@@ -12,18 +11,19 @@ metadata: {{- end }} type: Opaque data: -{{- if .Values.tls.generateTLS }} - {{- $name := default "SeleniumHQ" .Values.tls.defaultName -}} - {{- $days := default 365 (.Values.tls.defaultDays | int) -}} - {{- $cn := ternary .Values.tls.defaultCN .Values.ingress.hostname (empty .Values.ingress.hostname) -}} - {{- $server := genSelfSignedCert $cn ( default nil .Values.tls.defaultIPList ) ( default nil .Values.tls.defaultSANList ) $days }} +{{- if and .Values.ingress.enabled .Values.tls.ingress.generateTLS (not .Values.tls.enabled) }} + {{- $name := default "SeleniumHQ" .Values.tls.ingress.defaultName -}} + {{- $days := default 365 (.Values.tls.ingress.defaultDays | int) -}} + {{- $cn := ternary .Values.tls.ingress.defaultCN .Values.ingress.hostname (empty .Values.ingress.hostname) -}} + {{- $server := genSelfSignedCert $cn ( default nil .Values.tls.ingress.defaultIPList ) ( default nil .Values.tls.ingress.defaultSANList ) $days }} tls.crt: {{ $server.Cert | b64enc }} tls.key: {{ $server.Key | b64enc }} -{{- else }} - tls.crt: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.certificateFile) | b64dec) .Values.tls.certificate | b64enc }} - tls.key: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.privateKeyFile) | b64dec) .Values.tls.privateKey | b64enc }} +{{- else if and .Values.ingress.enabled .Values.tls.enabled }} + tls.crt: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.certificate $)) .Values.tls.certificate | b64enc }} + tls.key: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.privateKey $)) .Values.tls.privateKey | b64enc }} {{- end }} - {{ .Values.serverConfigMap.privateKeyFile }}: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.privateKeyFile) | b64dec) .Values.tls.privateKey | b64enc }} - {{ .Values.serverConfigMap.certificateFile }}: {{ default (.Files.Get (printf "certs/%s.base64" 
.Values.serverConfigMap.certificateFile) | b64dec) .Values.tls.certificate | b64enc }} - {{ .Values.serverConfigMap.trustStoreFile }}: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.trustStoreFile) | b64dec) .Values.tls.trustStore | b64enc }} +{{- if .Values.tls.enabled }} + {{ .Values.serverConfigMap.privateKeyFile }}: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.privateKey $)) .Values.tls.privateKey | b64enc }} + {{ .Values.serverConfigMap.certificateFile }}: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.certificate $)) .Values.tls.certificate | b64enc }} + {{ .Values.serverConfigMap.trustStoreFile }}: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.trustStore $)) .Values.tls.trustStore | b64enc }} {{- end }} diff --git a/charts/selenium-grid/values.yaml b/charts/selenium-grid/values.yaml index 540f70000a..fa29d28b9f 100644 --- a/charts/selenium-grid/values.yaml +++ b/charts/selenium-grid/values.yaml @@ -19,19 +19,28 @@ global: tls: enabled: false - generateTLS: false - defaultName: "SeleniumHQ" - defaultDays: 3650 - defaultCN: "www.selenium.dev" - # or *.domain.com - defaultSANList: [] - # - domain.com - # - production.domain.com - defaultIPList: [] - # - 10.10.10.10 + ingress: + generateTLS: false + defaultName: "SeleniumHQ" + defaultDays: 3650 + defaultCN: "www.selenium.dev" + # or *.domain.com + defaultSANList: [] + # - domain.com + # - production.domain.com + defaultIPList: [] + # - 10.10.10.10 + defaultFile: + certificate: "certs/selenium.pem" + privateKey: "certs/selenium.pkcs8.base64" + trustStore: "certs/selenium.jks" certificate: privateKey: trustStore: + trustStorePassword: "changeit" + registrationSecret: + enabled: false + value: "HappyTesting" # Basic auth settings for Selenium Grid basicAuth: 
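Review bot: With `tls.enabled: true` and none of `tls.certificate`, `tls.privateKey` or `tls.trustStore` supplied, the `default (include "seleniumGrid.tls.getDefaultFile" …)` expressions in tls-cert-secret.yaml fall back to the files under `certs/`, i.e. a private key that ships in the chart and the public repository. The README calls them trial material, but nothing in the template distinguishes that case, so a production install can end up serving a key anyone can download. A comment on the fallback, or a `fail` unless the user explicitly opts in to the bundled files, would make the choice visible. Note also that after the first hunk removed the outer `if .Values.tls.enabled`, the Secret is rendered with an empty `data:` when neither TLS mode is on, and that `genSelfSignedCert` produces a new certificate on every render, so `helm upgrade` rotates the ingress certificate each time.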
@@ -112,13 +121,19 @@ serverConfigMap: certificateFile: selenium.pem privateKeyFile: selenium.pkcs8 trustStoreFile: selenium.jks - # Trust store password - trustStorePassword: changeit # Disable verification the hostname included in the server's TLS/SSL certificates matches the hostnames provided disableHostnameVerification: true # Custom annotations for configmap annotations: {} +# Secrets for all components. Components environment variables contain sensitive data should be stored in secrets. +secrets: + create: true + name: selenium-secrets + env: + SE_VNC_PASSWORD: "secret" + annotations: {} + # Configuration for isolated components (applied only if `isolateComponents: true`) components: diff --git a/tests/charts/ci/tls-values.yaml b/tests/charts/ci/tls-values.yaml index fb42db2ea6..0f7439251a 100644 --- a/tests/charts/ci/tls-values.yaml +++ b/tests/charts/ci/tls-values.yaml @@ -1,6 +1,9 @@ tls: enabled: true generateTLS: false + registrationSecret: + enabled: true + value: "HappyTestOps" ingress-nginx: controller: diff --git a/tests/charts/refValues/simplex-minikube.yaml b/tests/charts/refValues/simplex-minikube.yaml index 08376c866a..a67b0bbf2a 100644 --- a/tests/charts/refValues/simplex-minikube.yaml +++ b/tests/charts/refValues/simplex-minikube.yaml @@ -14,6 +14,11 @@ global: # nodesImageTag: latest # videoImageTag: latest +tls: +# enabled: true + ingress: + generateTLS: true + ingress: enabled: true annotations: @@ -23,10 +28,6 @@ ingress: nginx.ingress.kubernetes.io/app-root: &gridAppRoot "/selenium" ingressClassName: nginx hostname: "" -# tls: -# - secretName: '{{ include "seleniumGrid.tls.fullname" . }}' -# hosts: -# - *.domain.com paths: - path: /selenium(/|$)(.*) pathType: ImplementationSpecific @@ -42,7 +43,8 @@ basicAuth: isolateComponents: true autoscaling: - enabled: true +# enabled: true + enableWithExistingKEDA: true scalingType: job annotations: helm.sh/hook: post-install,post-upgrade,post-rollback 
diff --git a/tests/charts/templates/test.py b/tests/charts/templates/test.py index 695a846ed7..a40cbd22db 100644 --- a/tests/charts/templates/test.py +++ b/tests/charts/templates/test.py @@ -84,8 +84,9 @@ def test_log_level_set_to_logging_config_map(self): logger.info(f"Assert logging ConfigMap is set to envFrom in resource {doc['metadata']['name']}") list_env_from = doc['spec']['template']['spec']['containers'][0]['envFrom'] for env in list_env_from: - if env['configMapRef']['name'] == 'selenium-logging-config': - is_present = True + if env.get('configMapRef') is not None: + if env['configMapRef']['name'] == 'selenium-logging-config': + is_present = True self.assertTrue(is_present, "envFrom doesn't contain logging ConfigMap") count += 1 self.assertEqual(count, len(resources_name), "Logging ConfigMap is not present in expected resources")