From affbe07d28729cae9e83df36a2a5dc9980ecf1ca Mon Sep 17 00:00:00 2001 From: Viet Nguyen Duc Date: Fri, 29 Dec 2023 01:31:41 +0530 Subject: [PATCH] feat(chart): Simplify to enable HTTPS/TLS in Selenium Grid on Kubernetes 
Signed-off-by: Viet Nguyen Duc --- .github/workflows/helm-chart-test.yml | 8 +- .../start-selenium-grid-distributor.sh | 24 ++++++ EventBus/start-selenium-grid-eventbus.sh | 24 ++++++ Hub/start-selenium-grid-hub.sh | 24 ++++++ Makefile | 4 + NodeBase/start-selenium-node.sh | 28 ++++++- NodeDocker/start-selenium-grid-docker.sh | 24 ++++++ Router/start-selenium-grid-router.sh | 24 ++++++ .../start-selenium-grid-session-queue.sh | 24 ++++++ Sessions/start-selenium-grid-sessions.sh | 24 ++++++ Standalone/start-selenium-standalone.sh | 24 ++++++ .../start-selenium-grid-docker.sh | 24 ++++++ charts/selenium-grid/certs/cert.sh | 58 ++++++++++++++ .../selenium-grid/certs/selenium.jks.base64 | 1 + charts/selenium-grid/certs/selenium.pem | 23 ++++++ .../selenium-grid/certs/selenium.pem.base64 | 1 + .../selenium-grid/certs/selenium.pkcs8.base64 | 1 + charts/selenium-grid/templates/_helpers.tpl | 79 ++++++++++++++++--- .../templates/distributor-deployment.yaml | 14 ++++ .../templates/event-bus-deployment.yaml | 14 ++++ .../templates/hub-deployment.yaml | 22 ++++-- charts/selenium-grid/templates/ingress.yaml | 8 +- .../templates/router-deployment.yaml | 20 ++++- .../templates/server-configmap.yaml | 21 +++++ .../templates/session-map-deployment.yaml | 14 ++++ .../templates/session-queuer-deployment.yaml | 14 ++++ .../templates/tls-cert-secret.yaml | 29 +++++++ charts/selenium-grid/values.yaml | 30 +++++++ tests/SeleniumTests/__init__.py | 7 +- tests/SmokeTests/__init__.py | 5 +- tests/bootstrap.sh | 4 + .../ci/DeploymentAutoScaling-values.yaml | 3 +- tests/charts/ci/JobAutoscaling-values.yaml | 20 +---- tests/charts/ci/auth-ingress-values.yaml | 4 +- tests/charts/ci/tls-values.yaml | 8 ++ tests/charts/make/chart_test.sh | 13 ++- tests/charts/refValues/sample-aws.yaml | 2 +- tests/charts/refValues/simplex-minikube.yaml | 9 ++- tests/charts/templates/render/dummy.yaml | 8 +- tests/charts/templates/test.py | 2 +- 40 files changed, 637 insertions(+), 53 deletions(-) create mode 
100755 charts/selenium-grid/certs/cert.sh create mode 100644 charts/selenium-grid/certs/selenium.jks.base64 create mode 100644 charts/selenium-grid/certs/selenium.pem create mode 100644 charts/selenium-grid/certs/selenium.pem.base64 create mode 100644 charts/selenium-grid/certs/selenium.pkcs8.base64 create mode 100644 charts/selenium-grid/templates/server-configmap.yaml create mode 100644 charts/selenium-grid/templates/tls-cert-secret.yaml create mode 100644 tests/charts/ci/tls-values.yaml diff --git a/.github/workflows/helm-chart-test.yml b/.github/workflows/helm-chart-test.yml index 674031795..42408e0e3 100644 --- a/.github/workflows/helm-chart-test.yml +++ b/.github/workflows/helm-chart-test.yml @@ -13,8 +13,9 @@ jobs: name: Test Helm charts runs-on: ubuntu-latest strategy: + fail-fast: false matrix: - test-strategy: [chart_test, chart_test_parallel_autoscaling] + test-strategy: [chart_test, chart_test_parallel_autoscaling, chart_test_https_tls] steps: - uses: actions/checkout@v4 - name: Output Docker info @@ -24,6 +25,11 @@ jobs: with: python-version: '3.11' check-latest: true + - name: Install CA certificates + run: | + sudo apt install openssl -y + sudo apt install ca-certificates -y + sudo update-ca-certificates --fresh - name: Get branch name (only for push to branch) if: github.event_name == 'push' run: echo "BRANCH=$(echo ${PUSH_BRANCH##*/})" >> $GITHUB_ENV diff --git a/Distributor/start-selenium-grid-distributor.sh b/Distributor/start-selenium-grid-distributor.sh index b0782c3c3..63e7e6c8c 100755 --- a/Distributor/start-selenium-grid-distributor.sh +++ b/Distributor/start-selenium-grid-distributor.sh 
@@ -59,6 +59,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/EventBus/start-selenium-grid-eventbus.sh b/EventBus/start-selenium-grid-eventbus.sh index a8af2c040..25c43f10c 100755 --- a/EventBus/start-selenium-grid-eventbus.sh +++ b/EventBus/start-selenium-grid-eventbus.sh 
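Review bot: The added `SE_JAVA_SSL_TRUST_STORE` block echoes `-Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}` to stdout, so the trust store password ends up in the container log for anyone with log access; print a fixed marker instead, e.g. `echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=<redacted>"`. The same block defaults `SE_JAVA_DISABLE_HOSTNAME_VERIFICATION` to `true`, which switches hostname verification off whenever a trust store is configured. An opt-in default, `${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-false}`, would keep verification on unless the operator asks otherwise, although the bundled certificate would then need SANs that match the service names. The identical block is added to the EventBus, Hub, NodeBase, NodeDocker, Router, SessionQueue, Sessions, Standalone and StandaloneDocker start scripts in this patch and needs the same change.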
@@ -24,6 +24,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/Hub/start-selenium-grid-hub.sh b/Hub/start-selenium-grid-hub.sh index e25fe16d4..e0314aa12 100755 --- a/Hub/start-selenium-grid-hub.sh +++ b/Hub/start-selenium-grid-hub.sh 
@@ -27,6 +27,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/Makefile b/Makefile index f9e55dd2c..39a4723ec 100644 --- a/Makefile +++ b/Makefile @@ -397,6 +397,10 @@ chart_test_edge: chart_test_parallel_autoscaling: VERSION=$(TAG_VERSION) NAMESPACE=$(NAMESPACE) ./tests/charts/make/chart_test.sh JobAutoscaling +chart_test_https_tls: + VERSION=$(TAG_VERSION) NAMESPACE=$(NAMESPACE) SELENIUM_GRID_PROTOCOL=https SELENIUM_GRID_PORT=443 \ + ./tests/charts/make/chart_test.sh JobAutoscaling + .PHONY: \ all \ base \ diff --git a/NodeBase/start-selenium-node.sh b/NodeBase/start-selenium-node.sh index 21cd7b946..6f4888653 100755 
--- a/NodeBase/start-selenium-node.sh +++ b/NodeBase/start-selenium-node.sh @@ -32,8 +32,8 @@ if [ ! -z "$SE_OPTS" ]; then fi if [ ! -z "$SE_NODE_SESSION_TIMEOUT" ]; then - SE_OPTS="$SE_OPTS --session-timeout $SE_NODE_SESSION_TIMEOUT" - echo "Appending Selenium node session timeout via SE_OPTS: ${SE_OPTS}" + echo "Appending Selenium options: --session-timeout ${SE_NODE_SESSION_TIMEOUT}" + SE_OPTS="$SE_OPTS --session-timeout ${SE_NODE_SESSION_TIMEOUT}" fi if [ ! -z "$SE_LOG_LEVEL" ]; then @@ -41,6 +41,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + if [ "$GENERATE_CONFIG" = true ]; then echo "Generating Selenium Config" /opt/bin/generate_config 
diff --git a/NodeDocker/start-selenium-grid-docker.sh b/NodeDocker/start-selenium-grid-docker.sh index a811780e7..935fbee46 100755 --- a/NodeDocker/start-selenium-grid-docker.sh +++ b/NodeDocker/start-selenium-grid-docker.sh @@ -34,6 +34,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/Router/start-selenium-grid-router.sh b/Router/start-selenium-grid-router.sh index bb848a1c7..039176932 100755 --- a/Router/start-selenium-grid-router.sh +++ b/Router/start-selenium-grid-router.sh 
@@ -59,6 +59,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/SessionQueue/start-selenium-grid-session-queue.sh b/SessionQueue/start-selenium-grid-session-queue.sh index 11074afb9..ac6f5a763 100755 --- a/SessionQueue/start-selenium-grid-session-queue.sh +++ b/SessionQueue/start-selenium-grid-session-queue.sh 
@@ -24,6 +24,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/Sessions/start-selenium-grid-sessions.sh b/Sessions/start-selenium-grid-sessions.sh index 4d34a1a5b..3a6112388 100755 --- a/Sessions/start-selenium-grid-sessions.sh +++ b/Sessions/start-selenium-grid-sessions.sh 
@@ -39,6 +39,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/Standalone/start-selenium-standalone.sh b/Standalone/start-selenium-standalone.sh index 955cb15f4..9f8c50baa 100755 --- a/Standalone/start-selenium-standalone.sh +++ b/Standalone/start-selenium-standalone.sh 
@@ -16,6 +16,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + /opt/bin/generate_config echo "Selenium Grid Standalone configuration: " diff --git a/StandaloneDocker/start-selenium-grid-docker.sh b/StandaloneDocker/start-selenium-grid-docker.sh index 8571abc7a..cf75e5279 100755 --- a/StandaloneDocker/start-selenium-grid-docker.sh +++ b/StandaloneDocker/start-selenium-grid-docker.sh 
@@ -19,6 +19,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/charts/selenium-grid/certs/cert.sh b/charts/selenium-grid/certs/cert.sh new file mode 100755 index 000000000..1544f9579 --- /dev/null +++ b/charts/selenium-grid/certs/cert.sh 
@@ -0,0 +1,58 @@
+# README: This script is used to generate a self-signed certificate for enabling HTTPS/TLS in Selenium Grid
+
+CERTNAME=${1:-selenium}
+STOREPASS=${2:-changeit}
+KEYPASS=${3:-changeit}
+ALIAS=${4:-SeleniumHQ}
+
+# Remove existing files
+rm -f ${CERTNAME}.*
+
+# Create JKS (Java Keystore) - this is used to set for JAVA_OPTS -Djavax.net.ssl.trustStore=
+# The key pass set to JAVA_OPTS -Djavax.net.ssl.trustStorePassword=
+# Dummy cert without correct SAN, DNS, to skip hostname verification by JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=true
+keytool -genkeypair \
+ -alias ${ALIAS} \
+ -keyalg RSA \
+ -v \
+ -dname "CN=SeleniumHQ,OU=Software Freedom Conservancy,O=SeleniumHQ,L=Unknown,ST=Unknown,C=Unknown" \
+ -ext "SAN:c=DNS:localhost,DNS:selenium-grid.local" \
+ -validity 3650 \
+ -storepass ${STOREPASS} \
+ -keypass ${KEYPASS} \
+ -keystore ${CERTNAME}.jks
+
+# Base64 encode JKS file (for Kubernetes Secret)
+base64 -i ${CERTNAME}.jks -w 0 > ${CERTNAME}.jks.base64
+
+# Create PKCS12 from JKS
+keytool -importkeystore -srckeystore ${CERTNAME}.jks \
+ -destkeystore ${CERTNAME}.p12 \
+ -srcstoretype jks \
+ -storepass ${STOREPASS} -keypass ${KEYPASS} -srcstorepass ${STOREPASS} \
+ -deststoretype pkcs12
+
+# Create private key PEM from PKCS12
+openssl pkcs12 -nodes -in ${CERTNAME}.p12 -out ${CERTNAME}.key \
+ -passin pass:${KEYPASS}
+
+# Create private key PKCS8 format (this is used to set for option --https-private-key)
+openssl pkcs8 -in ${CERTNAME}.key -topk8 -nocrypt -out ${CERTNAME}.pkcs8
+
+# Base64 encode PKCS8 file (for Kubernetes Secret)
+base64 -i ${CERTNAME}.pkcs8 -w 0 > ${CERTNAME}.pkcs8.base64
+
+# Create certificate PEM from JKS (this is used to set for option --https-certificate)
+keytool -exportcert -alias ${ALIAS} \
+ -storepass ${STOREPASS} -keypass ${KEYPASS} \
+ -keystore ${CERTNAME}.jks -rfc -file ${CERTNAME}.pem
+
+# Bsae64 encode Certificate PEM file (for Kubernetes Secret)
+base64 -i ${CERTNAME}.pem -w 0 > ${CERTNAME}.pem.base64
+
+# Remove source files (prevent sensitive data leak)
+rm -f ${CERTNAME}.key
+rm -f ${CERTNAME}.p12
+rm -f ${CERTNAME}.jks
+rm -f ${CERTNAME}.pkcs8
+# Retain ${CERTNAME}.pem for client establishing HTTPS connection
diff --git a/charts/selenium-grid/certs/selenium.jks.base64 b/charts/selenium-grid/certs/selenium.jks.base64
new file mode 100644
index 000000000..fbf94d7d8
--- /dev/null
+++ b/charts/selenium-grid/certs/selenium.jks.base64
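Review bot: In cert.sh, `keytool -genkeypair` writes the private key into `${CERTNAME}.jks`, and that same keystore is base64-encoded for use as `-Djavax.net.ssl.trustStore` (per the script's own comment), so every component that only needs to trust the certificate also receives the key, protected by the default `changeit` password. A trust store should carry the certificate alone: after the `-exportcert` step, build it with `keytool -importcert -noprompt -alias ${ALIAS} -file ${CERTNAME}.pem -storepass ${STOREPASS} -keystore ${CERTNAME}.truststore.jks` and encode that file instead. The patch also commits the generated `selenium.pkcs8.base64` and `selenium.jks.base64`, so any install that keeps these defaults would share a private key published in the repository; the chart documentation should state that they are for testing only. The script has no `set -e`, so a failed `keytool` or `openssl` step still reaches the `base64` and `rm -f` lines.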
@@ -0,0 +1 @@ +MIIKiwIBAzCCCkQGCSqGSIb3DQEHAaCCCjUEggoxMIIKLTCCBXEGCSqGSIb3DQEHAaCCBWIEggVeMIIFWjCCBVYGCyqGSIb3DQEMCgECoIIE+zCCBPcwKQYKKoZIhvcNAQwBAzAbBBQ3gGmGmsf3bmNI0iexeK+VDuc8FAIDAMNQBIIEyBwkeVFIPKT2eXNZU/Kef8Di4ULge5aBbIXqvtYnX4PIvBjGhXTZSUdhkKzwa/q1tGEQm9bTQGbg/uixaDhALQYoSixUvd4ls3TCLr6exT1O7uMz1Sf4l40AZxHS2wvKluI/uY9LlbiSSKBmiDxPlS4Fxrcl+l+VKoNOvCIYwwq0d1lTLsPkFO1UyrBS0fYrsYtCI0YEmyMvtnut8ZKedXljJUqUG7Z4KPLK/Qsvej9Qc5mBgN75B+MpuPSChlTn0US09NbcpqI1PW3285mW1Uag9PLIbtIchj20x6tnG6H7zs2cRYZlmtAN4L1LbtWSAOlmvZ/GlrHFGVIFwKoJvHPctGQm7PhjsEgpwTH/9ZHrHBQJXh2bXuMJj253nMxdGx1IKSGaWxaGcy4Rt5sY0AIxnLWbz9EdjNpfhAiR0Bu2MTHCJnxb9U80DgFy60sUT4kJL0Vs5rZ/vO7WEUIVlT8hmPzpmtoo+pm+MJc+57VrwFXIrf+w+HrOBVkMu3waCuP9At+51xe7AWt6u+UtBYyygreshe4gJnakHqQ5n7hEA2eNi6VbwGV4BC9ynJr94BfnhEd7yg8fxh6pveupZQyxl1FdyRR3pJQ0qPSnCi2eUkqKVlPlJ0FXVPU4vWiTz0zpY+KeVBZlVAO3riP/FjYJhp0wWkjft42ruGsj6mkqY35vQ2syWzb463m1ainCoeTnpeON/pzlZNQIBtq06dy4Mj4eyNvJFbEMXFuAJiwDMymxyLHhR0wEc49l/gfIIubg7PQ/vFzkygOApjS42vcepMkZssKQ06Ts9XAw7tLcy2KpKphWCCWrdst6Z7UpDpo/lbgJhmYTg1lSBmMIYZIHXsp1W97PVEmvSf3xtqtSMkeJPk1Lgxczx1KH+AyNssxNHfLbfMSkM4JUqsgiDPr/G/XYUl52FLZLHZ+uuMrkIHG01Hy2ACYcW2frVL4J47kfciNEe4j/cDgzSPuWRwHaiZDhBbG9qt6IUD/oa+wMe2yh8alRvCnqP9kLR0qLExoCaIG3i548WbnKP4UcQdBa03ESRyTWq3SoqN1CNGB6qjyvLAJsfPhIf5GAHm8gHZODUKbRkJ7JxRcGNttOVSHFgmsdnWKhFMba6x/gqxvtX7PtiYKaEu25ok/GD463kYuSvjl/HgMGzTF3TDdYsBJP1NnnkmfzJk9s09OGDzjpVY86VfNELwwEnEfPen1ErlooV9zC5HweQ3+ziJPMNg9rTXXiEBFLoIZMqFsak5MRknDqY0kHpo8tj9MbZbChtT/38iojd1t8QCMgBFIO0n3TxDzmtiqhv4tIbpezj2mFwNlzV4JSIX4HW8mK7TQlQ730Ou3IuHaLwzqMQDCifmVwMZSrBJD7b/Kqsx393FcydOYh00bB2l8T4uGC9qnAsRa5tCqCANOR0ATMEMrHa2mjgTnIyHnM2OhMeAxoj85uMksURukIszy0o25+4Q2Z53WE/GQMMj4A7PWl8NrHMueAJmGrdQsg8Ds0GEd0yk4/DquVFD4/xRaanNYdN3z2xsBiMGGTgGWhbYc5wRtPXtUUdUH4OxacozKjOadcLfptKvu2tITTor/BIVldDrFXvI0I5daOWRlGla1B5MAX5gZCYM9/JmN7vjFIMCMGCSqGSIb3DQEJFDEWHhQAcwBlAGwAZQBuAGkAdQBtAGgAcTAhBgkqhkiG9w0BCRUxFAQSVGltZSAxNzA0MTU2NzQ3NDQ3MIIEtAYJKoZIhvcNAQcGoIIEpTCCBKECAQAwggSaBgkqhkiG9w0BBwEwKQYKKoZIhvcNAQwBBjAbB
BRX3dOdhMDRZiJVvHeGfmCxXgtVAwIDAMNQgIIEYOp24LHVsdSt6TU7MmXzNu/QD5J6Jad0DwZHI+wmDwAjFZ5RR3G7flUqlKEAV0ZN3XkWVOdPLIJXPfjBcWzl6z2TCKwUvCaBHhpgYRxUw5s42iWcRlfmrA1mI3uCaAX1mE2b0DiGE9gM+Mkeffqr1AEp334q6yQQIAxV1xGvqVBgOwL3k7D5YtMX2SJF8xXkLrNSCAaXaSPQdZr5v+P8ObOn8qPs0ntbjVzqCmrmdodhHn8PZO1qS7ihHATVEoTmSDsbz5Hj+ktb+cV511kIFVSQ9IVHhJGLXcGE9YszMsWbhZsNRXJi3QzRXnTLNEnAN2pXbTWHnmn/Wfyrh8kvdMZX1mK6+xrEIcaX2RULzG0JzjhD+VeNctG/JctjsTRZBX1+how8//kDxXWqV+ccoDxkd7nkz9fdRRPIUXjAgERy9seeMIqRKSW4M1x8WAHwDTN2UiI3q4d3KAeE9PmFL8ww1rSIb2b/KRXclvPES95xLj6B6ha3yYpJKjhX3J+sJrnHAjsZvElKW81ski+m6KrcBKtZE7UxIQwav8KN2m2uV3chF9X/UKNyiwncYKdrcXk+uvFNqII2Sog3Xn4/j9+lAjz5fLk8dfr+VIo/pOtScRr5gpAsz110jwQfDOutvwK1yjjLjtUwweBvk+NwciWmgpRBI5NlIkJgrw0c3wxWDRZsAFHPKh+QvPI/xg5RqE6cmRWUC7beMs1EddyVv6+yju4Qfy/f+ZBkGAfuRE+yiNblLsML6VoqHko0Y1fuktzxqL4Dkrb6O6EJCUfgkenXTqbGyu9aDVIAGfFJUIoy84wCI8Xs+XvvnbZfpdd5sBLEulOJZ3Td1annmycHBxU91FlwSYe1kads7wBXvQmvjXyeEYGY+2PIHygGyx4ozo7+Z2krudW1VoInbblgVQ9//DHLEzojSjuGWOcNUU+vSosh9Csg18QTUpfc9f1WPVcyyNN6uKUixMUqQhCwx4J/a2IESs5PkMvY1FwWnZw5276Nz08GsgZNNwCOreGhxfKaISuTecW1ZLa8QFOqdNv7YidHUBE+VGkGVAHDa3DhYTRNayT09UA66u8d8A1nrg/nKOAnyucLn/yt0S0BfBao0AnBOxc9ebjSuAyX4d2zfApi0oaKhXFp87nz82obnHnTlGvI+VNebtsQofNS403wz/46OJsTKbUdRgkAdpQB/rD+83i7VS5OY6PcAi14YuxG48oIyICmiWsSFFZWxR+j4vMxpmZXSxxb/DylupLy+oQgUv4U5ZE6owVzW971+e/smI4dp7VAokM4A7urfT8t76SMlNNkRs3vlshbXAurmWGWAxLwkznxqmoOuY03P9PQUVWeRsJKicrtAc7GyU/fMF3dshNdcyc5o7MswrLXJQRMm77M1E3NWhDyBR/gc0wHH7Xz2hlvZgE+frLN21BZC3zqU0Ccb5ssIpFHVB9kTIQjUS4ipIklIdZQaqPrqic9018OdOQSrysEsOSDuDQwPjAhMAkGBSsOAwIaBQAEFNlUbB5eTYyk906jf0Vf6V8ijD0IBBT5s0mdWFKMmgiVQKSsRwvuIT83jAIDAYag \ No newline at end of file diff --git a/charts/selenium-grid/certs/selenium.pem b/charts/selenium-grid/certs/selenium.pem new file mode 100644 index 000000000..138c1c772 --- /dev/null +++ b/charts/selenium-grid/certs/selenium.pem 
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID3TCCAsWgAwIBAgIEBJE7TDANBgkqhkiG9w0BAQsFADCBhzEQMA4GA1UEBhMH +VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjETMBEG +A1UEChMKU2VsZW5pdW1IUTElMCMGA1UECxMcU29mdHdhcmUgRnJlZWRvbSBDb25z +ZXJ2YW5jeTETMBEGA1UEAxMKU2VsZW5pdW1IUTAeFw0yNDAxMDIwMDUyMjdaFw0z +MzEyMzAwMDUyMjdaMIGHMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtu +b3duMRAwDgYDVQQHEwdVbmtub3duMRMwEQYDVQQKEwpTZWxlbml1bUhRMSUwIwYD +VQQLExxTb2Z0d2FyZSBGcmVlZG9tIENvbnNlcnZhbmN5MRMwEQYDVQQDEwpTZWxl +bml1bUhRMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnX4ITZb0DyET +xqilk1I/WhC5qrUjo6n23uM9/jkqH8BfvLCw47kWy0IzIbCjJPs3d/epP87aArvN +O7CFkbXoP8TYjAFPVE5Zhd65qmfbPHVhY0b1HdyOxkpHtahJetIFdkeY1ZzjV8zD +0RhqM3px9OsabqH1yx6Nte1C4C/fTzNwYQWZNLkYK+t1wGh2aeyQi166mDRyVauk +xZHoXKhgFK36EoWepBCpl/SWJ7BSP6Zw35vT2AzRCD2KdtOj+6syqAJBUGCisjDk +CipaSJQeFb4xcFkJB+zS2jQQMPPRq7vaW8Y4GppNbQ7MJ9WoCJdlnBCyTfGi9BMM +oP+XaqLeGwIDAQABo08wTTAdBgNVHQ4EFgQUcCyjX3qxVW3HUSjWcbDtZEyKoZsw +LAYDVR0RAQH/BCIwIIIJbG9jYWxob3N0ghNzZWxlbml1bS1ncmlkLmxvY2FsMA0G +CSqGSIb3DQEBCwUAA4IBAQCY30LusrLFc0xzBBijtx/sQZJTPrHZcj301Z8Hl4ik +VjDiwD+Jso1Aw7tZbq+kK52MHrT0bDGZeauJDpGTVRsEktxd/FwOiL8dlbpycb77 +YUGad3pEQsLtKZbA+HCj8whjtaiQdbakrSDvE7/ZGCXdzzIH/dNmoAB5jFf8m7ZB +rH1QU5mkEXXgYIrgRzC56TB5gVKu9KcW2NOwZXqUEx7nvocyekHLgzcmsX6LmbZn +S0liXPlc7yOOhFGA3EOGZCJ47/KEvQyt31lEcWiiqC25nw+1F6JDvkGdIts6I5JX +vuOjs9JGcW55dK6fxgNk7n+N8G8qaLgyHOYR3ceXB4os +-----END CERTIFICATE----- diff --git a/charts/selenium-grid/certs/selenium.pem.base64 b/charts/selenium-grid/certs/selenium.pem.base64 new file mode 100644 index 000000000..854537f2c --- /dev/null +++ b/charts/selenium-grid/certs/selenium.pem.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/charts/selenium-grid/certs/selenium.pkcs8.base64 b/charts/selenium-grid/certs/selenium.pkcs8.base64 new file mode 100644 index 000000000..227134266 --- /dev/null +++ b/charts/selenium-grid/certs/selenium.pkcs8.base64 
@@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/charts/selenium-grid/templates/_helpers.tpl b/charts/selenium-grid/templates/_helpers.tpl index baa2bc3be..8afc9bf4f 100644 --- a/charts/selenium-grid/templates/_helpers.tpl +++ b/charts/selenium-grid/templates/_helpers.tpl @@ -1,3 +1,33 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "seleniumGrid.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "seleniumGrid.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "seleniumGrid.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Common labels */}} @@ -6,7 +36,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service | lower }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: {{ printf "selenium-grid-%s" .Chart.AppVersion }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name (.Chart.Version | replace "+" "_") }} +helm.sh/chart: {{ include "seleniumGrid.chart" . }} {{- end -}} {{/* @@ -72,7 +102,6 @@ Edge node fullname {{- default "selenium-edge-node" .Values.edgeNode.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} - {{/* Ingress fullname */}} 
@@ -80,11 +109,18 @@ Ingress fullname {{- default "selenium-ingress" .Values.ingress.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Protocol of server components +*/}} +{{- define "seleniumGrid.server.protocol" -}} +{{- .Values.tls.enabled | ternary "https" "http" -}} +{{- end -}} + {{/* Probe httpGet schema */}} {{- define "seleniumGrid.probe.httpGet.schema" -}} -{{- "HTTP" -}} +{{- .Values.tls.enabled | ternary "HTTPS" "HTTP" -}} {{- end -}} {{/* @@ -130,6 +166,13 @@ Get probe settings {{- $settings | toYaml -}} {{- end -}} +{{/* +Secret TLS fullname +*/}} +{{- define "seleniumGrid.tls.fullname" -}} +{{- default "selenium-tls-secret" .Values.tls.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{- define "seleniumGrid.ingress.nginx.annotations.default" -}} {{- with .Values.ingress.nginx }} {{- with .proxyTimeout }} @@ -151,6 +194,10 @@ nginx.ingress.kubernetes.io/proxy-buffers-number: {{ . | quote }} {{- end }} {{- end }} {{- end }} +{{- if .Values.tls.enabled }} +nginx.ingress.kubernetes.io/ssl-passthrough: "true" +nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +{{- end }} {{- end -}} {{/* @@ -262,6 +309,8 @@ template: name: {{ .Values.nodeConfigMap.name }} - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} {{- with .node.extraEnvFrom }} {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} @@ -285,6 +334,11 @@ template: - name: {{ .Values.nodeConfigMap.scriptVolumeMountName }} mountPath: /opt/selenium/{{ .Values.nodeConfigMap.preStopScript }} subPath: {{ .Values.nodeConfigMap.preStopScript }} + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" $ | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath }} + readOnly: true + {{- end }} {{- if .node.extraVolumeMounts }} {{- tpl (toYaml .node.extraVolumeMounts) $ | nindent 10 }} {{- end }} 
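Review bot: In the `seleniumGrid.ingress.nginx.annotations.default` hunk, `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` hands the TLS connection to the backend at the TCP level, so ingress-nginx stops applying the HTTP-level annotations on the same Ingress, including the proxy timeout and buffer settings rendered just above, and any authentication configured at the ingress would no longer be enforced if the chart relies on it. Passthrough also only takes effect when the controller runs with `--enable-ssl-passthrough`, which this template cannot check. Setting `backend-protocol: "HTTPS"` alone keeps TLS to the pods while leaving the ingress in the request path. If passthrough is intended, add a comment above the `if .Values.tls.enabled` block such as `{{/* ssl-passthrough bypasses L7 annotations; requires --enable-ssl-passthrough on the controller */}}`.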
@@ -302,7 +356,7 @@ template: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.node.port) .port }} {{- end }} @@ -318,7 +372,7 @@ template: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 12 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.node.port) .port }} {{- end }} @@ -334,7 +388,7 @@ template: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.node.port) .port }} {{- end }} @@ -438,6 +492,11 @@ template: emptyDir: medium: Memory sizeLimit: {{ default "1Gi" .node.dshmVolumeSizeLimit }} + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" $ | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" $ | quote }} + {{- end }} {{- if .node.extraVolumes }} {{ tpl (toYaml .node.extraVolumes) $ | nindent 6 }} {{- end }} @@ -456,7 +515,9 @@ Get the url of the grid. If the external url can be figured out from the ingress {{- define "seleniumGrid.url.schema" -}} {{- $schema := "http" -}} -{{- if .Values.ingress.enabled -}} +{{- if .Values.tls.enabled -}} + {{- $schema = "https" -}} +{{- else if .Values.ingress.enabled -}} {{- if .Values.ingress.tls -}} {{- $schema = "https" -}} {{- end -}} 
@@ -522,14 +583,14 @@ Get the url of the grid. If the external url can be figured out from the ingress Graphql Url of the hub or the router */}} {{- define "seleniumGrid.graphqlURL" -}} -{{- printf "http://%s%s%s/graphql" (include "seleniumGrid.url.basicAuth" .) (printf "%s.%s" (include ($.Values.isolateComponents | ternary "seleniumGrid.router.fullname" "seleniumGrid.hub.fullname") $) (.Release.Namespace)) (printf ":%s" ($.Values.isolateComponents | ternary ($.Values.components.router.port | toString) ($.Values.hub.port | toString))) -}} +{{- printf "%s://%s%s%s/graphql" (include "seleniumGrid.server.protocol" .) (include "seleniumGrid.url.basicAuth" .) (printf "%s.%s" (include ($.Values.isolateComponents | ternary "seleniumGrid.router.fullname" "seleniumGrid.hub.fullname") $) (.Release.Namespace)) (printf ":%s" ($.Values.isolateComponents | ternary ($.Values.components.router.port | toString) ($.Values.hub.port | toString))) -}} {{- end -}} {{/* Graphql unsafeSsl of the hub or the router */}} {{- define "seleniumGrid.graphqlURL.unsafeSsl" -}} -{{- $unsafeSsl := printf "%s" (ternary "false" "true" (contains (include "seleniumGrid.graphqlURL" .) "https")) -}} +{{- $unsafeSsl := printf "%s" (ternary "true" "false" .Values.serverConfigMap.disableHostnameVerification) -}} {{- $unsafeSsl }} {{- end -}} diff --git a/charts/selenium-grid/templates/distributor-deployment.yaml b/charts/selenium-grid/templates/distributor-deployment.yaml index 990e519fb..117b9e4be 100644 --- a/charts/selenium-grid/templates/distributor-deployment.yaml +++ b/charts/selenium-grid/templates/distributor-deployment.yaml 
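Review bot: `seleniumGrid.graphqlURL.unsafeSsl` now returns "true" whenever `serverConfigMap.disableHostnameVerification` is set, and values.yaml in this commit defaults that key to `true`, so whatever consumes this helper (presumably the autoscaler trigger, which is not visible in this hunk) skips TLS verification out of the box. The helper also couples two different settings: relaxing hostname matching between grid components is narrower than switching off certificate validation for the GraphQL client. I would give the GraphQL client its own value that defaults to verification on. At minimum, ship `disableHostnameVerification: false` in values.yaml and let the CI values opt out.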
@@ -49,9 +49,17 @@ spec: name: {{ .Values.busConfigMap.name }} - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }} + readOnly: true + {{- end }} ports: - containerPort: {{ .Values.components.distributor.port }} protocol: TCP @@ -78,4 +86,10 @@ spec: {{- with .Values.components.distributor.priorityClassName }} priorityClassName: {{ . }} {{- end }} + volumes: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- end }} {{- end }} diff --git a/charts/selenium-grid/templates/event-bus-deployment.yaml b/charts/selenium-grid/templates/event-bus-deployment.yaml index 498570c9b..203a3127a 100644 --- a/charts/selenium-grid/templates/event-bus-deployment.yaml +++ b/charts/selenium-grid/templates/event-bus-deployment.yaml @@ -45,9 +45,17 @@ spec: envFrom: - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }} + readOnly: true + {{- end }} {{- with .Values.components.eventBus.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} 
@@ -71,4 +79,10 @@ spec: {{- with .Values.components.eventBus.priorityClassName }} priorityClassName: {{ . }} {{- end }} + volumes: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- end }} {{- end }} diff --git a/charts/selenium-grid/templates/hub-deployment.yaml b/charts/selenium-grid/templates/hub-deployment.yaml index 71473b209..b2d2f4e25 100644 --- a/charts/selenium-grid/templates/hub-deployment.yaml +++ b/charts/selenium-grid/templates/hub-deployment.yaml @@ -49,7 +49,7 @@ spec: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.Values.hub.port) .port }} {{- end }} @@ -65,7 +65,7 @@ spec: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.Values.hub.port) .port }} {{- end }} @@ -81,7 +81,7 @@ spec: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.Values.hub.port) .port }} {{- end }} 
@@ -107,11 +107,18 @@ spec: envFrom: - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} {{- with .Values.hub.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.hub.extraVolumeMounts }} volumeMounts: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }} + readOnly: true + {{- end }} + {{- with .Values.hub.extraVolumeMounts }} {{- tpl (toYaml .) $ | nindent 12 }} {{- end }} {{- with .Values.hub.resources }} @@ -137,8 +144,13 @@ spec: {{- with .Values.hub.priorityClassName }} priorityClassName: {{ . }} {{- end }} - {{- with .Values.hub.extraVolumes }} volumes: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- end }} + {{- with .Values.hub.extraVolumes }} {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- end }} diff --git a/charts/selenium-grid/templates/ingress.yaml b/charts/selenium-grid/templates/ingress.yaml index 215cfbace..907c510e4 100644 --- a/charts/selenium-grid/templates/ingress.yaml +++ b/charts/selenium-grid/templates/ingress.yaml @@ -32,14 +32,18 @@ spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} ingressClassName: {{ .Values.ingress.className }} {{- end }} - {{- if .Values.ingress.tls }} tls: + {{- if and .Values.tls.enabled (and .Values.ingress.enabled (not .Values.ingress.tls)) }} + - hosts: + - {{ default .Values.tls.defaultCN .Values.ingress.hostname | quote }} + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- else if .Values.ingress.tls }} {{- range .Values.ingress.tls }} - hosts: {{- range .hosts }} - {{ . | quote }} {{- end }} - secretName: {{ .secretName }} + secretName: {{ tpl (.secretName) $ | quote }} {{- end }} {{- end }} rules: 
diff --git a/charts/selenium-grid/templates/router-deployment.yaml b/charts/selenium-grid/templates/router-deployment.yaml index e02829d46..532dfe5d2 100644 --- a/charts/selenium-grid/templates/router-deployment.yaml +++ b/charts/selenium-grid/templates/router-deployment.yaml @@ -61,9 +61,17 @@ spec: envFrom: - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }} + readOnly: true + {{- end }} ports: - containerPort: {{ .Values.components.router.port }} protocol: TCP @@ -74,7 +82,7 @@ spec: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.Values.components.router.port) .port }} {{- end }} @@ -90,7 +98,7 @@ spec: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.Values.components.router.port) .port }} {{- end }} @@ -107,7 +115,7 @@ spec: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.Values.components.router.port) .port }} {{- end }} 
@@ -139,4 +147,10 @@ spec: {{- with .Values.components.router.priorityClassName }} priorityClassName: {{ . }} {{- end }} + volumes: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- end }} {{- end }} diff --git a/charts/selenium-grid/templates/server-configmap.yaml b/charts/selenium-grid/templates/server-configmap.yaml new file mode 100644 index 000000000..f0bb39a39 --- /dev/null +++ b/charts/selenium-grid/templates/server-configmap.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.serverConfigMap.name }} + namespace: {{ .Release.Namespace }} +{{- with .Values.busConfigMap.annotations }} + annotations: {{- toYaml . | nindent 4 }} +{{- end }} + labels: + {{- include "seleniumGrid.commonLabels" . | nindent 4 }} + {{- with .Values.customLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +data: +{{- if .Values.tls.enabled }} + SE_HTTPS_CERTIFICATE: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.certificateFile | quote }} + SE_HTTPS_PRIVATE_KEY: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.privateKeyFile | quote }} + SE_JAVA_SSL_TRUST_STORE: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.trustStoreFile | quote }} + SE_JAVA_SSL_TRUST_STORE_PASSWORD: {{ .Values.serverConfigMap.trustStorePassword | quote }} + SE_JAVA_DISABLE_HOSTNAME_VERIFICATION: {{ .Values.serverConfigMap.disableHostnameVerification | quote }} +{{- end }} diff --git a/charts/selenium-grid/templates/session-map-deployment.yaml b/charts/selenium-grid/templates/session-map-deployment.yaml index 2edd701e2..2b0491758 100644 --- a/charts/selenium-grid/templates/session-map-deployment.yaml +++ b/charts/selenium-grid/templates/session-map-deployment.yaml 
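Review bot: The new server-configmap.yaml takes its annotations from `.Values.busConfigMap.annotations`, although values.yaml in this commit adds `serverConfigMap.annotations`. This looks like a copy-paste slip and should read `{{- with .Values.serverConfigMap.annotations }}`. Separately, `SE_JAVA_SSL_TRUST_STORE_PASSWORD` is written to a ConfigMap in plain text. A trust store normally holds only public certificates, but if the same file can ever carry key material, the password belongs in the Secret this commit already creates for the certificates and should be referenced from there.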
@@ -38,11 +38,19 @@ spec: envFrom: - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} - configMapRef: name: {{ .Values.busConfigMap.name }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }} + readOnly: true + {{- end }} ports: - containerPort: {{ .Values.components.sessionMap.port }} protocol: TCP @@ -69,4 +77,10 @@ spec: {{- with .Values.components.sessionMap.priorityClassName }} priorityClassName: {{ . }} {{- end }} + volumes: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- end }} {{- end }} diff --git a/charts/selenium-grid/templates/session-queuer-deployment.yaml b/charts/selenium-grid/templates/session-queuer-deployment.yaml index 379285038..c6cf9e58d 100644 --- a/charts/selenium-grid/templates/session-queuer-deployment.yaml +++ b/charts/selenium-grid/templates/session-queuer-deployment.yaml @@ -38,9 +38,17 @@ spec: envFrom: - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }} + readOnly: true + {{- end }} ports: - containerPort: {{ .Values.components.sessionQueue.port }} protocol: TCP 
@@ -67,4 +75,10 @@ spec: {{- with .Values.components.sessionQueue.priorityClassName }} priorityClassName: {{ . }} {{- end }} + volumes: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- end }} {{- end }} diff --git a/charts/selenium-grid/templates/tls-cert-secret.yaml b/charts/selenium-grid/templates/tls-cert-secret.yaml new file mode 100644 index 000000000..f025b514b --- /dev/null +++ b/charts/selenium-grid/templates/tls-cert-secret.yaml 
@@ -0,0 +1,29 @@ +{{- if .Values.tls.enabled }} +apiVersion: v1 +kind: Secret +metadata: + annotations: + "restartOnUpdate": "true" + name: {{ include "seleniumGrid.tls.fullname" . }} + labels: + {{- include "seleniumGrid.commonLabels" . | nindent 4 }} + {{- with .Values.customLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +data: +{{- if .Values.tls.generateTLS }} + {{- $name := default "SeleniumHQ" .Values.tls.defaultName -}} + {{- $days := default 365 (.Values.tls.defaultDays | int) -}} + {{- $cn := ternary .Values.tls.defaultCN .Values.ingress.hostname (empty .Values.ingress.hostname) -}} + {{- $server := genSelfSignedCert $cn ( default nil .Values.tls.defaultIPList ) ( default nil .Values.tls.defaultSANList ) $days }} + tls.crt: {{ $server.Cert | b64enc }} + tls.key: {{ $server.Key | b64enc }} +{{- else }} + tls.crt: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.certificateFile) | b64dec) .Values.tls.certificate | b64enc }} + tls.key: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.privateKeyFile) | b64dec) .Values.tls.privateKey | b64enc }} +{{- end }} + {{ .Values.serverConfigMap.privateKeyFile }}: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.privateKeyFile) | b64dec) .Values.tls.privateKey | b64enc }} + {{ .Values.serverConfigMap.certificateFile }}: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.certificateFile) | b64dec) .Values.tls.certificate | b64enc }} + {{ .Values.serverConfigMap.trustStoreFile }}: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.trustStoreFile) | b64dec) .Values.tls.trustStore | b64enc }} +{{- end }} diff --git a/charts/selenium-grid/values.yaml b/charts/selenium-grid/values.yaml index f4a094c16..540f70000 100644 --- a/charts/selenium-grid/values.yaml +++ b/charts/selenium-grid/values.yaml 
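Review bot: The three entries the servers actually load (`serverConfigMap.privateKeyFile`, `certificateFile`, `trustStoreFile`) fall back to the files bundled under `certs/` whenever `tls.privateKey`, `tls.certificate` and `tls.trustStore` are unset. A release that sets only `tls.enabled: true` therefore serves HTTPS with a private key that is published with the chart and protects nothing. `generateTLS` does not change this: the generated pair is stored only under `tls.crt`/`tls.key`, while server-configmap.yaml points `SE_HTTPS_CERTIFICATE` and `SE_HTTPS_PRIVATE_KEY` at the file-named entries, and `$name` is assigned but never used. I would make the bundled key an explicit test-only opt-in or fail rendering when no key is supplied, e.g. `{{ required "tls.privateKey is required when tls.enabled is true" .Values.tls.privateKey | b64enc }}`, and write the generated certificate to the entries the servers read. The Secret also sets no `namespace`, unlike the ConfigMap added in this commit.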
@@ -17,6 +17,22 @@ global: # Log level for all components. Possible values describe here: https://www.selenium.dev/documentation/grid/configuration/cli_options/#logging logLevel: INFO +tls: + enabled: false + generateTLS: false + defaultName: "SeleniumHQ" + defaultDays: 3650 + defaultCN: "www.selenium.dev" + # or *.domain.com + defaultSANList: [] + # - domain.com + # - production.domain.com + defaultIPList: [] + # - 10.10.10.10 + certificate: + privateKey: + trustStore: + # Basic auth settings for Selenium Grid basicAuth: # Enable or disable basic auth @@ -89,6 +105,20 @@ loggingConfigMap: # Custom annotations for configmap annotations: {} +# ConfigMap that contains common environment variables for Server (https://www.selenium.dev/documentation/grid/configuration/cli_options/#server) +serverConfigMap: + name: selenium-server-config + certVolumeMountPath: /etc/ssl/certs/selenium + certificateFile: selenium.pem + privateKeyFile: selenium.pkcs8 + trustStoreFile: selenium.jks + # Trust store password + trustStorePassword: changeit + # Disable verification the hostname included in the server's TLS/SSL certificates matches the hostnames provided + disableHostnameVerification: true + # Custom annotations for configmap + annotations: {} + # Configuration for isolated components (applied only if `isolateComponents: true`) components: diff --git a/tests/SeleniumTests/__init__.py b/tests/SeleniumTests/__init__.py index 4ca352683..0938d6939 100644 --- a/tests/SeleniumTests/__init__.py +++ b/tests/SeleniumTests/__init__.py @@ -10,6 +10,7 @@ from selenium.webdriver.edge.options import Options as EdgeOptions from selenium.webdriver.chrome.options import Options as ChromeOptions +SELENIUM_GRID_PROTOCOL = os.environ.get('SELENIUM_GRID_PROTOCOL', 'http') SELENIUM_GRID_HOST = os.environ.get('SELENIUM_GRID_HOST', 'localhost') SELENIUM_GRID_PORT = os.environ.get('SELENIUM_GRID_PORT', '4444') WEB_DRIVER_WAIT_TIMEOUT = int(os.environ.get('WEB_DRIVER_WAIT_TIMEOUT', 60)) 
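Review bot: The new `tls` block in values.yaml has no comments on `certificate`, `privateKey` and `trustStore`, and the expected format is not obvious. tls-cert-secret.yaml passes each value through `b64enc`, so they have to be the raw file content rather than base64, which is awkward for the binary JKS trust store. I would add a comment above each key, for example `# PEM content, not base64; pass with --set-file tls.certificate=<path>`, and say plainly that the files under `certs/` are used when these are left empty. It is also worth noting next to `defaultDays: 3650` that the template's own fallback is 365, so the two defaults disagree.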
@@ -95,7 +96,7 @@ def setUp(self): options.add_argument('disable-features=DownloadBubble,DownloadBubbleV2') self.driver = webdriver.Remote( options=options, - command_executor="http://%s:%s" % (SELENIUM_GRID_HOST,SELENIUM_GRID_PORT) + command_executor="%s://%s:%s" % (SELENIUM_GRID_PROTOCOL,SELENIUM_GRID_HOST,SELENIUM_GRID_PORT) ) class EdgeTests(SeleniumGenericTests): @@ -105,7 +106,7 @@ def setUp(self): options.add_argument('disable-features=DownloadBubble,DownloadBubbleV2') self.driver = webdriver.Remote( options=options, - command_executor="http://%s:%s" % (SELENIUM_GRID_HOST,SELENIUM_GRID_PORT) + command_executor="%s://%s:%s" % (SELENIUM_GRID_PROTOCOL,SELENIUM_GRID_HOST,SELENIUM_GRID_PORT) ) @@ -119,7 +120,7 @@ def setUp(self): options.enable_downloads = True self.driver = webdriver.Remote( options=options, - command_executor="http://%s:%s" % (SELENIUM_GRID_HOST,SELENIUM_GRID_PORT) + command_executor="%s://%s:%s" % (SELENIUM_GRID_PROTOCOL,SELENIUM_GRID_HOST,SELENIUM_GRID_PORT) ) def test_title_and_maximize_window(self): diff --git a/tests/SmokeTests/__init__.py b/tests/SmokeTests/__init__.py index a2f74c7fa..2cd737017 100644 --- a/tests/SmokeTests/__init__.py +++ b/tests/SmokeTests/__init__.py @@ -2,12 +2,13 @@ import unittest import time import json - +from ssl import _create_unverified_context try: from urllib2 import urlopen except ImportError: from urllib.request import urlopen +SELENIUM_GRID_PROTOCOL = os.environ.get('SELENIUM_GRID_PROTOCOL', 'http') SELENIUM_GRID_HOST = os.environ.get('SELENIUM_GRID_HOST', 'localhost') SELENIUM_GRID_PORT = os.environ.get('SELENIUM_GRID_PORT', '4444') SELENIUM_GRID_AUTOSCALING = os.environ.get('SELENIUM_GRID_AUTOSCALING', 'false') 
@@ -28,7 +29,7 @@ def smoke_test_container(self, port): while current_attempts < max_attempts: current_attempts = current_attempts + 1 try: - response = urlopen('http://%s:%s/status' % (SELENIUM_GRID_HOST, port)) + response = urlopen('%s://%s:%s/status' % (SELENIUM_GRID_PROTOCOL, SELENIUM_GRID_HOST, port), context=_create_unverified_context()) status_json = json.loads(response.read()) if not auto_scaling or (auto_scaling and auto_scaling_min_replica > 0): self.assertTrue(status_json['value']['ready'], "Container is not ready on port %s" % port) diff --git a/tests/bootstrap.sh b/tests/bootstrap.sh index 7ce7b8cf4..3d02bf550 100755 --- a/tests/bootstrap.sh +++ b/tests/bootstrap.sh @@ -11,6 +11,10 @@ python -m pip install selenium==4.16.0 \ docker===6.1.3 \ | grep -v 'Requirement already satisfied' +if [ "${SELENIUM_GRID_PROTOCOL}" = "https" ]; then + export REQUESTS_CA_BUNDLE="${CHART_CERT_PATH}" +fi + python test.py $1 ret_code=$? diff --git a/tests/charts/ci/DeploymentAutoScaling-values.yaml b/tests/charts/ci/DeploymentAutoScaling-values.yaml index b9e5b120e..08dcf1cb0 100644 --- a/tests/charts/ci/DeploymentAutoScaling-values.yaml +++ b/tests/charts/ci/DeploymentAutoScaling-values.yaml @@ -35,14 +35,13 @@ chromeNode: extraEnvironmentVariables: &extraEnvironmentVariables - name: SE_OPTS value: "--enable-managed-downloads true" - - name: SE_DRAIN_AFTER_SESSION_COUNT - value: "0" readinessProbe: enabled: &readinessProbe true livenessProbe: enabled: &livenessProbe true # Configuration for edge nodes edgeNode: + port: 8888 # (test): user is able to define extra container ports ports: - containerPort: 5900 diff --git a/tests/charts/ci/JobAutoscaling-values.yaml b/tests/charts/ci/JobAutoscaling-values.yaml index d8fc0bc79..35742e41a 100644 --- a/tests/charts/ci/JobAutoscaling-values.yaml +++ b/tests/charts/ci/JobAutoscaling-values.yaml 
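Review bot: `smoke_test_container` now passes `context=_create_unverified_context()` to every `urlopen` call, so the HTTPS smoke test accepts any certificate and would still pass if the grid presented the wrong one. `_create_unverified_context` is also a private name of the `ssl` module (imported in the first hunk of this file). chart_test.sh in this commit exports `CHART_CERT_PATH`, so the check can verify against the chart certificate instead: `context=ssl.create_default_context(cafile=os.environ.get('CHART_CERT_PATH'))` with a plain `import ssl`. If the bundled certificate does not cover the test hostname, the fix is to add the right SANs to the certificate rather than to drop verification. The function body continues outside the hunk.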
@@ -11,7 +11,7 @@ autoscaling: # Configuration for chrome nodes chromeNode: nameOverride: my-chrome-name - extraEnvironmentVariables: + extraEnvironmentVariables: &extraEnvironmentVariables - name: SE_OPTS value: "--enable-managed-downloads true" readinessProbe: @@ -21,9 +21,7 @@ chromeNode: # Configuration for edge nodes edgeNode: nameOverride: my-edge-name - extraEnvironmentVariables: - - name: SE_OPTS - value: "--enable-managed-downloads true" + extraEnvironmentVariables: *extraEnvironmentVariables readinessProbe: enabled: *readinessProbe livenessProbe: @@ -31,20 +29,8 @@ edgeNode: # Configuration for firefox nodes firefoxNode: nameOverride: my-firefox-name - extraEnvironmentVariables: - - name: SE_OPTS - value: "--enable-managed-downloads true" + extraEnvironmentVariables: *extraEnvironmentVariables readinessProbe: enabled: *readinessProbe livenessProbe: enabled: *livenessProbe - -ingress: - paths: - - path: /selenium(/|$)(.*) - pathType: ImplementationSpecific - backend: - service: - name: '{{ template "seleniumGrid.hub.fullname" $ }}' - port: - number: 4444 diff --git a/tests/charts/ci/auth-ingress-values.yaml b/tests/charts/ci/auth-ingress-values.yaml index 38bc87e1b..4ccd0a6f2 100644 --- a/tests/charts/ci/auth-ingress-values.yaml +++ b/tests/charts/ci/auth-ingress-values.yaml @@ -1,5 +1,7 @@ global: K8S_PUBLIC_IP: localhost + seleniumGrid: + logLevel: INFO ingress: annotations: @@ -17,7 +19,7 @@ ingress: pathType: ImplementationSpecific backend: service: - name: '{{ template "seleniumGrid.router.fullname" $ }}' + name: '{{ ternary (include "seleniumGrid.router.fullname" $ ) (include "seleniumGrid.hub.fullname" $ ) $.Values.isolateComponents }}' port: number: 4444 diff --git a/tests/charts/ci/tls-values.yaml b/tests/charts/ci/tls-values.yaml new file mode 100644 index 000000000..fb42db2ea --- /dev/null +++ b/tests/charts/ci/tls-values.yaml 
@@ -0,0 +1,8 @@ +tls: + enabled: true + generateTLS: false + +ingress-nginx: + controller: + extraArgs: + default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret' diff --git a/tests/charts/make/chart_test.sh b/tests/charts/make/chart_test.sh index 194bb6056..617d3ef6e 100755 --- a/tests/charts/make/chart_test.sh +++ b/tests/charts/make/chart_test.sh @@ -11,6 +11,7 @@ INGRESS_NAMESPACE=${INGRESS_NAMESPACE:-"ingress-nginx"} SUB_PATH=${SUB_PATH:-"/selenium"} CHART_PATH=${CHART_PATH:-"charts/selenium-grid"} TEST_VALUES_PATH=${TEST_VALUES_PATH:-"tests/charts/ci"} +SELENIUM_GRID_PROTOCOL=${SELENIUM_GRID_PROTOCOL:-"http"} SELENIUM_GRID_HOST=${SELENIUM_GRID_HOST:-"localhost"} SELENIUM_GRID_PORT=${SELENIUM_GRID_PORT:-"80"} MATRIX_BROWSER=${1:-"NodeChrome"} @@ -20,6 +21,8 @@ WAIT_TIMEOUT=${WAIT_TIMEOUT:-"90s"} HUB_CHECKS_INTERVAL=${HUB_CHECKS_INTERVAL:-45} WEB_DRIVER_WAIT_TIMEOUT=${WEB_DRIVER_WAIT_TIMEOUT:-120} SKIP_CLEANUP=${SKIP_CLEANUP:-"false"} # For debugging purposes, retain the cluster after the test run +CHART_CERT_PATH=${CHART_CERT_PATH:-"${CHART_PATH}/certs/selenium.pem"} +SSL_CERT_DIR=${SSL_CERT_DIR:-"/etc/ssl/certs"} cleanup() { if [ "${SKIP_CLEANUP}" = "false" ]; then 
@@ -49,11 +52,17 @@ if [ "${SELENIUM_GRID_AUTOSCALING}" = "true" ]; then --set autoscaling.scaledOptions.minReplicaCount=${SELENIUM_GRID_AUTOSCALING_MIN_REPLICA}" fi +HELM_COMMAND_SET_TLS="" +if [ "${SELENIUM_GRID_PROTOCOL}" = "https" ]; then + HELM_COMMAND_SET_TLS="--values ${TEST_VALUES_PATH}/tls-values.yaml" +fi + HELM_COMMAND_ARGS="${RELEASE_NAME} \ --values ${TEST_VALUES_PATH}/auth-ingress-values.yaml \ --values ${TEST_VALUES_PATH}/tracing-values.yaml \ ---values ${TEST_VALUES_PATH}/${MATRIX_BROWSER}-values.yaml \ ${HELM_COMMAND_SET_AUTOSCALING} \ +${HELM_COMMAND_SET_TLS} \ +--values ${TEST_VALUES_PATH}/${MATRIX_BROWSER}-values.yaml \ --set global.seleniumGrid.imageTag=${VERSION} --set global.seleniumGrid.imageRegistry=${NAMESPACE} \ --set global.seleniumGrid.nodesImageTag=${VERSION} \ ${CHART_PATH} --namespace ${SELENIUM_NAMESPACE} --create-namespace" @@ -65,6 +74,8 @@ echo "Deploy Selenium Grid Chart" helm upgrade --install ${HELM_COMMAND_ARGS} echo "Run Tests" +export CHART_CERT_PATH=$(readlink -f ${CHART_CERT_PATH}) +export SELENIUM_GRID_PROTOCOL=${SELENIUM_GRID_PROTOCOL} export SELENIUM_GRID_HOST=${SELENIUM_GRID_HOST} export SELENIUM_GRID_PORT=${SELENIUM_GRID_PORT}""${SUB_PATH} export SELENIUM_GRID_AUTOSCALING=${SELENIUM_GRID_AUTOSCALING} diff --git a/tests/charts/refValues/sample-aws.yaml b/tests/charts/refValues/sample-aws.yaml index 06172f0e3..097eb4277 100644 --- a/tests/charts/refValues/sample-aws.yaml +++ b/tests/charts/refValues/sample-aws.yaml @@ -22,7 +22,7 @@ ingress: pathType: ImplementationSpecific backend: service: - name: '{{ template "seleniumGrid.router.fullname" $ }}' + name: '{{ ternary (include "seleniumGrid.router.fullname" $ ) (include "seleniumGrid.hub.fullname" $ ) $.Values.isolateComponents }}' port: number: 4444 diff --git a/tests/charts/refValues/simplex-minikube.yaml b/tests/charts/refValues/simplex-minikube.yaml index 5239714c7..08376c866 100644 --- a/tests/charts/refValues/simplex-minikube.yaml 
+++ b/tests/charts/refValues/simplex-minikube.yaml @@ -23,12 +23,16 @@ ingress: nginx.ingress.kubernetes.io/app-root: &gridAppRoot "/selenium" ingressClassName: nginx hostname: "" +# tls: +# - secretName: '{{ include "seleniumGrid.tls.fullname" . }}' +# hosts: +# - *.domain.com paths: - path: /selenium(/|$)(.*) pathType: ImplementationSpecific backend: service: - name: '{{ template "seleniumGrid.router.fullname" $ }}' + name: '{{ ternary (include "seleniumGrid.router.fullname" $ ) (include "seleniumGrid.hub.fullname" $ ) $.Values.isolateComponents }}' port: number: 4444 @@ -82,6 +86,9 @@ videoRecorder: ingress-nginx: enabled: true controller: + # Set controller default certificate use the same with Selenium Grid + extraArgs: + default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret' hostNetwork: true kind: DaemonSet service: diff --git a/tests/charts/templates/render/dummy.yaml b/tests/charts/templates/render/dummy.yaml index 42864d78f..b5b2ef971 100644 --- a/tests/charts/templates/render/dummy.yaml +++ b/tests/charts/templates/render/dummy.yaml @@ -18,6 +18,10 @@ basicAuth: username: sysadmin password: strongPassword +tls: + enabled: true + generateTLS: false + ingress: nginx: proxyTimeout: 360 # Set different proxy timout @@ -39,14 +43,14 @@ ingress: pathType: ImplementationSpecific backend: service: - name: '{{ template "seleniumGrid.router.fullname" $ }}' + name: '{{ ternary (include "seleniumGrid.router.fullname" $ ) (include "seleniumGrid.hub.fullname" $ ) $.Values.isolateComponents }}' port: number: 4444 - path: /(/?)(session/.*/se/vnc) pathType: ImplementationSpecific backend: service: - name: '{{ template "seleniumGrid.router.fullname" $ }}' + name: '{{ ternary (include "seleniumGrid.router.fullname" $ ) (include "seleniumGrid.hub.fullname" $ ) $.Values.isolateComponents }}' port: number: 4444 diff --git a/tests/charts/templates/test.py b/tests/charts/templates/test.py index 8587b42d7..695a846ed 100644 --- a/tests/charts/templates/test.py 
+++ b/tests/charts/templates/test.py @@ -51,7 +51,7 @@ def test_sub_path_append_to_node_grid_url(self): for doc in LIST_OF_DOCUMENTS: if doc['metadata']['name'] in resources_name and doc['kind'] == 'ConfigMap': logger.info(f"Assert subPath is appended to node grid url") - self.assertTrue(doc['data']['SE_NODE_GRID_URL'] == 'http://sysadmin:strongPassword@10.10.10.10:8081/selenium') + self.assertTrue(doc['data']['SE_NODE_GRID_URL'] == 'https://sysadmin:strongPassword@10.10.10.10:8443/selenium') count += 1 self.assertEqual(count, len(resources_name), "No node config resources found")