
feat(chart): Simplify to enable HTTPS/TLS in Selenium Grid on Kubernetes #2080

Merged
merged 2 commits into from
Jan 5, 2024


VietND96
Member

@VietND96 VietND96 commented Jan 2, 2024

Thanks for contributing to the Docker-Selenium project!
A well-described PR will help maintainers quickly review and merge it.

Before submitting your PR, please check our contributing guidelines, which apply to this repository.
Avoid large PRs, help reviewers by making them as simple and short as possible.

Description

feat(chart): Simplify to enable HTTPS/TLS in Selenium Grid on Kubernetes

Motivation and Context

Following the support of --https-certificate and --https-private-key to enable HTTPS in Selenium Grid, this takes advantage of K8s Secret and Helm Chart features to simplify enabling HTTPS in Selenium Grid on Kubernetes.


Configuration of Secure Communication (HTTPS)

Selenium Grid supports secure communication between components. Refer to the instructions and the options that can be used to configure secure communication. Below are the details on how to enable secure communication in the Selenium Grid chart.

Secure Communication

In the chart, there is a directory certs that contains the default certificate, private key (in PKCS8 format), and Java Keystore (JKS) to teach Java about the secure connection (since we are using a non-standard CA) for your trial and local testing purposes. You can generate your own self-signed certificate and put it in that default directory by using the script cert.sh, adjusting the needed information. The certificate, private key, and truststore are mounted to the components via a Secret.

There are multiple ways to configure your certificate, private key, and truststore for the components. You can choose one of them or combine them.

  • Use the default directory certs. Rename your own files to be the same as the default files and replace them. Pass --set tls.enabled=true to enable secure communication.

  • Use the default directory certs. Copy your own files there and adjust the file names under config tls.defaultFile; those will be picked up when installing the chart. For example:

    tls:
      enabled: true
      trustStorePassword: "your_truststore_password"
      defaultFile:
        certificate: "certs/your_cert.pem"
        privateKey: "certs/your_private_key.pkcs8"
        trustStore: "certs/your_truststore.jks"

    For security reasons, you may not be able to put the private key in your source code or your customized chart package. You can provide files whose contents are encoded in Base64 format; just append .base64 to the file name so the chart knows to decode them. For example:

    tls:
      enabled: true
      trustStorePassword: "your_truststore_password"
      defaultFile:
        certificate: "certs/your_cert.pem.base64"
        privateKey: "certs/your_private_key.pkcs8.base64"
        trustStore: "certs/your_truststore.jks.base64"
  • Use the Helm CLI --set-file to pass your own file to a particular config key. For example:

    helm upgrade -i test selenium-grid \
    --set tls.enabled=true \
    --set-file tls.certificate=/path/to/your_cert.pem \
    --set-file tls.privateKey=/path/to/your_private_key.pkcs8 \
    --set-file tls.trustStore=/path/to/your_truststore.jks \
    --set-string tls.trustStorePassword=your_truststore_password

If you start the NGINX ingress controller inline with the Selenium Grid chart, you can configure the default certificate of the NGINX ingress controller to use the same certificate as Selenium Grid. For example:

tls:
  enabled: true

ingress-nginx:
  enabled: true
  controller:
    extraArgs:
      default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret'

Node Registration

In order to secure node registration, making sure that the node is one you control and not a rogue node, you can enable and provide a registration secret string to the Distributor, Router and Node servers in config tls.registrationSecret. For example:

tls:
  enabled: true
  registrationSecret:
    enabled: true
    value: "matchThisSecret"

You can generate a dummy self-signed certificate specific to your hostname and assign it to the spec ingress.tls and the NGINX ingress controller default certificate (if it is enabled inline). For example:

tls:
  ingress:
    generateTLS: true

ingress:
  hostname: "your.domain.com"

ingress-nginx:
  enabled: true
  controller:
    extraArgs:
      default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret'

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • I have read the contributing document.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
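The description above lists three conventions the chart relies on: the private key must be in PKCS8 format, a file name ending in .base64 is decoded before use, and the --set-file form keeps key material out of the chart package. The script below is an added example, not part of the docker-selenium chart or this PR: it pre-flights the three files against those conventions (PEM certificate header, unencrypted PKCS#8 header, JKS magic bytes, valid base64 when the suffix is present) and builds the helm argv from the PR, including the tls.registrationSecret keys. The sample certificate, key and truststore bytes are constructed placeholders with the right headers only; the function names and the "legacy_key.pem"/"broken.pkcs8.base64" file names are assumptions made for the demo.

```python
import base64
import binascii
import os
import re
import shlex
import tempfile

JKS_MAGIC = b"\xfe\xed\xfe\xed"  # first four bytes of a Java KeyStore (JKS) file


def load_chart_file(path: str) -> bytes:
    """Read a chart input file, decoding it first when its name ends in .base64
    (the chart convention from the PR for keeping raw key material out of the package)."""
    with open(path, "rb") as fh:
        data = fh.read()
    if path.endswith(".base64"):
        # The `base64` CLI wraps output at 76 columns; strip whitespace before strict decoding.
        compact = re.sub(rb"\s+", b"", data)
        try:
            return base64.b64decode(compact, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{path}: content is not valid base64 ({exc})") from exc
    return data


def is_pem_certificate(data: bytes) -> bool:
    return b"-----BEGIN CERTIFICATE-----" in data and b"-----END CERTIFICATE-----" in data


def is_pkcs8_private_key(data: bytes) -> bool:
    """The chart expects an unencrypted PKCS#8 key. A PKCS#1 header (BEGIN RSA PRIVATE KEY)
    or an encrypted PKCS#8 header (BEGIN ENCRYPTED PRIVATE KEY) fails this check."""
    return b"-----BEGIN PRIVATE KEY-----" in data and b"-----END PRIVATE KEY-----" in data


def is_jks(data: bytes) -> bool:
    return data[:4] == JKS_MAGIC


def validate_tls_files(certificate: str, private_key: str, trust_store: str) -> list:
    """Return human-readable problems; an empty list means the inputs match the chart's expectations."""
    problems = []
    checks = (
        (certificate, is_pem_certificate, "certificate is not a PEM certificate"),
        (private_key, is_pkcs8_private_key, "privateKey is not an unencrypted PKCS#8 PEM key"),
        (trust_store, is_jks, "trustStore is not a JKS file"),
    )
    for path, check, message in checks:
        if not os.path.isfile(path):
            problems.append(f"{path}: file not found")
            continue
        try:
            data = load_chart_file(path)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if not check(data):
            problems.append(f"{path}: {message}")
    return problems


def helm_upgrade_command(release, chart, certificate, private_key, trust_store,
                         truststore_password, registration_secret=None) -> list:
    """Build the argv for the --set-file form shown in the PR; file contents go to Helm, not into the chart."""
    argv = ["helm", "upgrade", "-i", release, chart,
            "--set", "tls.enabled=true",
            "--set-file", f"tls.certificate={certificate}",
            "--set-file", f"tls.privateKey={private_key}",
            "--set-file", f"tls.trustStore={trust_store}",
            "--set-string", f"tls.trustStorePassword={truststore_password}"]
    if registration_secret:
        argv += ["--set", "tls.registrationSecret.enabled=true",
                 "--set-string", f"tls.registrationSecret.value={registration_secret}"]
    return argv


# Constructed sample material: PEM wrappers around placeholder bodies plus a JKS magic header.
# Enough for the header checks above; these are not real keys, certificates or keystores.
SAMPLE_CERT = b"-----BEGIN CERTIFICATE-----\nMIIBplaceholder\n-----END CERTIFICATE-----\n"
SAMPLE_PKCS8_KEY = b"-----BEGIN PRIVATE KEY-----\nMIIEplaceholder\n-----END PRIVATE KEY-----\n"
SAMPLE_PKCS1_KEY = b"-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n"
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00" * 16


def write_samples(directory: str, encode: bool) -> tuple:
    """Write the samples as plain files or as .base64 files; return (cert, key, truststore) paths."""
    entries = (("your_cert.pem", SAMPLE_CERT),
               ("your_private_key.pkcs8", SAMPLE_PKCS8_KEY),
               ("your_truststore.jks", SAMPLE_JKS))
    paths = []
    for name, content in entries:
        path = os.path.join(directory, name + (".base64" if encode else ""))
        with open(path, "wb") as fh:
            fh.write(base64.encodebytes(content) if encode else content)
        paths.append(path)
    return tuple(paths)


def run_demo() -> dict:
    """Validate plain, .base64, PKCS#1 and corrupt-base64 inputs; return the findings per case."""
    with tempfile.TemporaryDirectory() as tmp:
        plain = write_samples(tmp, encode=False)
        encoded = write_samples(tmp, encode=True)
        pkcs1 = os.path.join(tmp, "legacy_key.pem")       # assumed name for the demo
        with open(pkcs1, "wb") as fh:
            fh.write(SAMPLE_PKCS1_KEY)
        broken = os.path.join(tmp, "broken.pkcs8.base64")  # assumed name for the demo
        with open(broken, "wb") as fh:
            fh.write(b"not*base64!")
        return {
            "plain": validate_tls_files(*plain),
            "base64": validate_tls_files(*encoded),
            "pkcs1": validate_tls_files(plain[0], pkcs1, plain[2]),
            "broken_base64": validate_tls_files(plain[0], broken, plain[2]),
            "command": helm_upgrade_command("test", "selenium-grid", *plain,
                                            "your_truststore_password", "matchThisSecret"),
        }


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(case, "->", shlex.join(result) if case == "command" else (result or "OK"))
```

Run it before `helm upgrade`: the plain and .base64 cases pass, the PKCS#1 key and the corrupt .base64 file are reported, and the printed helm command is the one from the PR with the registration secret keys appended. The header checks are deliberately shallow; they catch the format mix-ups that only surface later as a component failing to start, not a certificate that does not match its key.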

@VietND96 VietND96 merged commit ac2897e into SeleniumHQ:trunk Jan 5, 2024
7 checks passed