

Usr/rodrigo bassil/traefikv2 (#209)
* Updating to traefik v2

* Updating to traefik v2

* Adding TLS Option

* Adding Traefik Nodeport static option

* Adding Traefik Nodeport static script to Makefile

* Adding condition in install_karavi_auth

* Adding TLSStore manifest

* Setting TLS min version to 1.2

* Updating k3s version to 1.25.5k3s2

* Changing const name to authTLSOptionManifest

* Setting A graded cipherSuites

* Deleting traefik as part of install script

* Updated copyright year.
rodrigobassil authored Feb 22, 2023
1 parent 4e97b0d commit 34615f6
Showing 8 changed files with 199 additions and 51 deletions.
1 change: 1 addition & 0 deletions Makefile
Expand Up @@ -103,6 +103,7 @@ package:
cp ./deploy/dist/centos7-k3s-selinux.rpm karavi_authorization_${DOCKER_TAG}/
cp ./deploy/dist/centos8-k3s-selinux.rpm karavi_authorization_${DOCKER_TAG}/
cp ./scripts/install_karavi_auth.sh karavi_authorization_${DOCKER_TAG}/
cp ./scripts/traefik_nodeport.sh karavi_authorization_${DOCKER_TAG}/
cp -r ./policies karavi_authorization_${DOCKER_TAG}/
mkdir -p package
tar -czvf package/karavi_authorization_${DOCKER_TAG}.tar.gz karavi_authorization_${DOCKER_TAG}
12 changes: 8 additions & 4 deletions deploy/airgap-prepare.sh
Expand Up @@ -24,9 +24,11 @@ CERT_MANAGER_IMAGES_TAR=${DIST}/cert-manager-images.tar
CRED_SHIELD_IMAGES_TAR=${DIST}/credential-shield-images.tar
CRED_SHIELD_DEPLOYMENT_MANIFEST=deployment.yaml
CRED_SHIELD_INGRESS_MANIFEST=ingress-traefik.yaml
CRED_SHIELD_TLS_OPTION_MANIFEST=tls-option.yaml
CERT_MANAGER_MANIFEST=cert-manager.yaml
CERT_MANAGER_CONFIG_MANIFEST=self-cert.yaml
CERT_MANIFEST=signed-cert.yaml
TLS_STORE_MANIFEST=tls-store.yaml

KARAVICTL=karavictl
SIDECAR_PROXY=sidecar-proxy
Expand All @@ -45,19 +47,19 @@ fi
# Download k3s
if [[ ! -f $K3S_BINARY ]]
then
curl -kL -o $K3S_BINARY https://github.com/rancher/k3s/releases/download/v1.18.10%2Bk3s1/k3s
curl -kL -o $K3S_BINARY https://github.com/k3s-io/k3s/releases/download/v1.25.5%2Bk3s2/k3s
fi

if [[ ! -f $K3S_IMAGES_TAR ]]
then
# Download k3s images
curl -kL -o $K3S_IMAGES_TAR https://github.com/rancher/k3s/releases/download/v1.18.10%2Bk3s1/k3s-airgap-images-$ARCH.tar
curl -kL -o $K3S_IMAGES_TAR https://github.com/k3s-io/k3s/releases/download/v1.25.5%2Bk3s1/k3s-airgap-images-$ARCH.tar
fi

if [[ ! -f $CERT_MANAGER_MANIFEST ]]
then
# Download cert-manager manifest
curl -kL -o ${DIST}/$CERT_MANAGER_MANIFEST https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.yaml
curl -kL -o ${DIST}/$CERT_MANAGER_MANIFEST https://github.com/jetstack/cert-manager/releases/download/v1.10.1/cert-manager.yaml
fi

# Pull all 3rd party images to ensure they exist locally.
Expand All @@ -78,7 +80,7 @@ grep "image: " ${DIST}/$CERT_MANAGER_MANIFEST | awk -F' ' '{ print $2 }' | xargs


# Create the bundle airgap tarfile.
cp $CRED_SHIELD_DEPLOYMENT_MANIFEST $CRED_SHIELD_INGRESS_MANIFEST $CERT_MANAGER_CONFIG_MANIFEST $CERT_MANIFEST $DIST/.
cp $CRED_SHIELD_DEPLOYMENT_MANIFEST $CRED_SHIELD_INGRESS_MANIFEST $CERT_MANAGER_CONFIG_MANIFEST $CERT_MANIFEST $CRED_SHIELD_TLS_OPTION_MANIFEST $TLS_STORE_MANIFEST $DIST/.
cp ../bin/$KARAVICTL $DIST/.

docker save $SIDECAR_PROXY:$SIDECAR_DOCKER_TAG -o $DIST/$SIDECAR_PROXY-$SIDECAR_DOCKER_TAG.tar
Expand All @@ -96,6 +98,8 @@ rm $K3S_INSTALL_SCRIPT \
${DIST}/$CERT_MANIFEST \
${DIST}/$CRED_SHIELD_DEPLOYMENT_MANIFEST \
${DIST}/$CRED_SHIELD_INGRESS_MANIFEST \
${DIST}/$CRED_SHIELD_TLS_OPTION_MANIFEST \
${DIST}/$TLS_STORE_MANIFEST \
${DIST}/$SIDECAR_PROXY-$SIDECAR_DOCKER_TAG.tar \
${DIST}/$KARAVICTL
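Review bot: The airgap images download now pins `v1.25.5%2Bk3s1` while the k3s binary a few lines above pins `v1.25.5%2Bk3s2`; the image list is published per k3s release, so this mismatch looks unintended and the images line should read `curl -L -o $K3S_IMAGES_TAR https://github.com/k3s-io/k3s/releases/download/v1.25.5%2Bk3s2/k3s-airgap-images-$ARCH.tar`. Separately, every download in this script still uses `curl -kL`, which disables TLS certificate verification for a binary that will later run as root on the target host; drop `-k`, and verify the binary and images tarball against the checksum file k3s publishes alongside each release before they are bundled. The same applies to the cert-manager manifest fetched further down.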

79 changes: 38 additions & 41 deletions deploy/ingress-traefik.yaml
@@ -1,53 +1,50 @@
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
annotations:
kubernetes.io/ingress.class: traefik
creationTimestamp: null
name: proxy-server
namespace: karavi
annotations:
kubernetes.io/ingress.class: "traefik"
traefik.protocol: https
traefik.ingress.kubernetes.io/frontend-entry-points: h2c, https
traefik.ingress.kubernetes.io/redirect-entry-point: https
traefik.ingress.kubernetes.io/redirect-permanent: "true"
spec:
entryPoints:
- web
- websecure
routes:
- kind: Rule
match: Host(`temporary.Host.Name`) && PathPrefix(`/`)
middlewares: []
priority: 0
services:
- kind: Service
name: proxy-server
namespace: karavi
port: 8080
tls:
- hosts:
#this hostName will be replaced by the installer configuration
- temporary.Host.Name
secretName: karavi-auth-tls
rules:
- host: "temporary.Host.Name"
http:
paths:
- path: /
pathType: Prefix
backend:
serviceName: proxy-server
servicePort: 8080
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: grpc-services
namespace: karavi
annotations:
ingress.kubernetes.io/protocol: h2c
kubernetes.io/ingress.class: traefik
traefik.protocol: https
traefik.ingress.kubernetes.io/frontend-entry-points: h2c,https
traefik.ingress.kubernetes.io/redirect-entry-point: https
traefik.ingress.kubernetes.io/redirect-permanent: "true"
creationTimestamp: null
name: grpc-services
namespace: karavi
spec:
entryPoints:
- web
- websecure
routes:
- kind: Rule
match: Host(`grpc.tenants.cluster`) && PathPrefix(`/`)
middlewares: []
priority: 0
services:
- kind: Service
name: tenant-service
namespace: karavi
port: 50051
scheme: h2c
tls:
- hosts:
- grpc.tenants.cluster
secretName: karavi-auth-tls
rules:
- host: "grpc.tenants.cluster"
http:
paths:
- path: /
pathType: Prefix
backend:
serviceName: tenant-service
servicePort: grpc
secretName: karavi-auth-tls
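Review bot: Both new IngressRoute objects list `web` as well as `websecure` under `entryPoints:` with `middlewares: []`, so proxy-server and the tenant gRPC service become reachable in plaintext on the HTTP entrypoint; the Ingress annotations being removed (`traefik.ingress.kubernetes.io/redirect-entry-point: https`, `redirect-permanent: "true"`) forced an HTTPS redirect and nothing in the new objects replaces it. Either drop `- web` from both `entryPoints` lists, or keep it only together with a RedirectScheme middleware referenced from `middlewares`. The rendering does not show which `tls:` lines survive on the new side; note that an IngressRoute's `tls` field is a map (`tls:` followed by `secretName: karavi-auth-tls`, or `tls: {}` to rely on the default TLSStore added in this commit), not the Ingress-style list with `hosts`, so that block is worth re-checking after the rewrite.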
8 changes: 5 additions & 3 deletions deploy/install.go
Expand Up @@ -97,10 +97,12 @@ const (
authImagesTar = "credential-shield-images.tar"
authDeploymentManifest = "deployment.yaml"
authIngressManifest = "ingress-traefik.yaml"
authTLSOptionManifest = "tls-option.yaml"
certManagerManifest = "cert-manager.yaml"
certManagerImagesTar = "cert-manager-images.tar"
selfSignedCertManifest = "self-cert.yaml"
certConfigManifest = "signed-cert.yaml"
tlsStoreManifest = "tls-store.yaml"
bundleTarPath = "dist/karavi-airgap-install.tar.gz"
karavictl = "karavictl"

Expand Down Expand Up @@ -175,7 +177,7 @@ func NewDeploymentProcess(stdout, stderr io.Writer, bundle fs.FS) *DeployProcess
bundleTar: bundle,
stdout: stdout,
stderr: stderr,
manifests: []string{authDeploymentManifest, authIngressManifest, certManagerManifest},
manifests: []string{authDeploymentManifest, authIngressManifest, authTLSOptionManifest, certManagerManifest, tlsStoreManifest},
}
dp.Steps = append(dp.Steps,
dp.CheckRootPermissions,
Expand Down Expand Up @@ -380,8 +382,8 @@ func (dp *DeployProcess) UntarFiles() {
}()

tr := tar.NewReader(gzr)
// Limit the tar reader to 1 GB incase of decompression bomb
lr := io.LimitReader(tr, 1000000000)
// Limit the tar reader to 2 GB incase of decompression bomb
lr := io.LimitReader(tr, 2000000000)

loop:
for {
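Review bot: The raised cap in `lr := io.LimitReader(tr, 2000000000)` is a bare literal whose meaning lives only in a comment that had to be edited in lockstep; a named constant such as `const maxBundleBytes = 2 << 30 // cap on uncompressed bundle size (decompression-bomb guard)` and `lr := io.LimitReader(tr, maxBundleBytes)` keeps the two from drifting. More importantly, a LimitedReader just returns io.EOF once the cap is reached, so a bundle larger than the cap is presumably truncated and treated as complete rather than rejected, unless the extraction loop checks for that; checking `lr.(*io.LimitedReader).N == 0` after the loop (or allotting `maxBundleBytes+1` and failing when it is consumed) would turn the guard into an error. The body of UntarFiles continues outside the hunk, so this may already be handled further down.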
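--- a/deploy/tls-option.yaml
+++ b/deploy/tls-option.yaml
@@ -0,0 +1,17 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSOption
+metadata:
+name: default
+namespace: karavi
+spec:
+minVersion: VersionTLS12
+cipherSuites:
+- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
+- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
+- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+- TLS_RSA_WITH_AES_128_CBC_SHA
+- TLS_RSA_WITH_AES_128_GCM_SHA256
+- TLS_RSA_WITH_AES_256_CBC_SHA
+- TLS_RSA_WITH_AES_256_GCM_SHA384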
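Review bot: The `cipherSuites` list still admits four static-RSA suites (`TLS_RSA_WITH_AES_128_CBC_SHA`, `TLS_RSA_WITH_AES_128_GCM_SHA256`, `TLS_RSA_WITH_AES_256_CBC_SHA`, `TLS_RSA_WITH_AES_256_GCM_SHA384`), which provide no forward secrecy, plus two ECDHE CBC/SHA-1 suites, so it does not match the "A graded" intent in the commit message. With `minVersion: VersionTLS12` already set, restricting the list to `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256`, `TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384` and `TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` (and their ECDSA counterparts if karavi-auth-tls is ever issued with an ECDSA key) keeps only AEAD, forward-secret suites. It is also worth a comment that this setting governs TLS 1.2 only, since Go's crypto/tls does not allow TLS 1.3 suites to be configured, e.g. `# Applies to TLS 1.2 handshakes only; TLS 1.3 suites are fixed by Go and unaffected.`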
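--- a/deploy/tls-store.yaml
+++ b/deploy/tls-store.yaml
@@ -0,0 +1,9 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: TLSStore
+metadata:
+name: default
+namespace: karavi
+
+spec:
+defaultCertificate:
+secretName: karavi-auth-tls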
53 changes: 50 additions & 3 deletions scripts/install_karavi_auth.sh
Expand Up @@ -19,11 +19,16 @@ function usage() {
echo
echo "Usage: $0 mode options..."
echo "Mode:"
echo " --upgrade Upgrades CSM Authorization when CSM Authorization is already installed"
echo -e "\t--upgrade \t\t\t\t\t\t\t\t Upgrades CSM Authorization when CSM Authorization is already installed"

echo
echo " Optional"
echo " --help Help"
echo -e "\tOptional"
echo ""
echo -e "\t--traefik_web_port web_port --traefik_websecure_port websecure_port \t Sets traefik Nodeport web and websecure"
echo ""
echo -e "\tExample: $0 --traefik_web_port 30001 --traefik_websecure_port 30002"
echo ""
echo -e "\t--help \t\t\t\t\t\t\t\t\t Help"
echo

exit 0
Expand All @@ -32,13 +37,23 @@ function usage() {
UPGRADE=0
RPM_VERSION=1.5-1

K3S=/usr/local/bin/k3s

while getopts ":h-:" optchar; do
case "${optchar}" in
-)
case "${OPTARG}" in
upgrade)
UPGRADE=1
;;
traefik_web_port) val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
#echo "Parsing option: '--${OPTARG}', value: '${val}'" >&2;
webPort=${val}
;;
traefik_websecure_port) val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
#echo "Parsing option: '--${OPTARG}', value: '${val}'" >&2;
websecurePort=${val}
;;
help)
usage
exit 0
Expand All @@ -58,7 +73,23 @@ while getopts ":h-:" optchar; do
esac
done


if [ ! -z "$webPort" ] && [ ! -z "$websecurePort" ]
then
STATIC_PORT=1
else
if [ -z "$webPort" ] && [ -z "$websecurePort" ]
then
STATIC_PORT=0
else
echo "Some or all of the parameters are empty";
usage
exit 1
fi
fi

if [ $UPGRADE == 1 ]; then
$K3S kubectl -n kube-system delete helmcharts.helm.cattle.io traefik
rpm -Uvh karavi-authorization-${RPM_VERSION}.x86_64.rpm --nopreun --nopostun
else
if getenforce | grep -q 'Enforcing\|Permissive'; then
Expand Down Expand Up @@ -91,4 +122,20 @@ else
fi

sh ./policies/policy-install.sh


if [ $STATIC_PORT -eq 1 ]
then
while [ $($K3S kubectl get svc -n kube-system | grep traefik | wc -l) -ne 1 ]
do
echo "Waiting for traefik service to be available ..."
sleep 10s
done

if [ $($K3S kubectl get svc -n kube-system | grep traefik | wc -l) -eq 1 ]
then
sh ./traefik_nodeport.sh --traefik_web_port $webPort --traefik_websecure_port $websecurePort
fi
fi

echo "Installation Complete!"
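Review bot: The parameter-error branch (`echo "Some or all of the parameters are empty"; usage; exit 1`) can never exit non-zero, because `usage` ends with `exit 0` at the top of this section, so a half-specified NodePort pair makes the installer report success; either drop the `exit 0` from `usage` or replace the branch with `echo "..." >&2; exit 1`. The port values are also accepted unchecked and later spliced into a JSON patch by traefik_nodeport.sh, and the readiness loop at the end uses `grep traefik | wc -l`, which also matches any other kube-system service whose name contains "traefik" and has no timeout, so it can spin forever. A digit-only check, a bounded wait on the exact Service name, and invoking the helper with `bash` (it relies on bash-only `${!OPTIND}` indirection, so `sh` only works where /bin/sh is bash) are shown below.
```shell
if [ ! -z "$webPort" ] && [ ! -z "$websecurePort" ]
then
  # Both values end up inside a JSON patch, so accept digits only.
  for p in "$webPort" "$websecurePort"; do
    case "$p" in
      *[!0-9]*) echo "Port value '$p' is not numeric" >&2; exit 1 ;;
    esac
  done
  STATIC_PORT=1
# … unchanged: empty / partially-empty handling, upgrade and install paths, policy-install …

if [ $STATIC_PORT -eq 1 ]
then
  # Bounded wait for the exact Service name created by the k3s HelmChart; a
  # substring grep would also match other "traefik*" services, and the old
  # loop never gave up.
  tries=0
  until $K3S kubectl -n kube-system get svc traefik >/dev/null 2>&1
  do
    tries=$((tries + 1))
    if [ "$tries" -ge 60 ]; then
      echo "Timed out waiting for the traefik service" >&2
      exit 1
    fi
    echo "Waiting for traefik service to be available ..."
    sleep 10s
  done
  bash ./traefik_nodeport.sh --traefik_web_port "$webPort" --traefik_websecure_port "$websecurePort"
fi
```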
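--- a/scripts/traefik_nodeport.sh
+++ b/scripts/traefik_nodeport.sh
@@ -0,0 +1,71 @@
+#!/bin/bash
+# Copyright (c) 2023 Dell Inc., or its subsidiaries. All Rights Reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+helpFunction()
+{
+echo ""
+echo "Usage: $0 --traefik_web_port web_port --traefik_websecure_port websecure_port"
+echo -e "\t--traefik_web_port Traefik Nodeport web static port"
+echo -e "\t--traefik_websecure_port Traefik Nodeport websecure static port"
+echo ""
+echo "Example: $0 --traefik_web_port 30001 --traefik_websecure_port 30002"
+echo ""
+exit 1 # Exit script after printing help
+}
+
+
+while getopts ":h-:" optchar; do
+case "${optchar}" in
+-)
+case "${OPTARG}" in
+traefik_web_port) val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
+#echo "Parsing option: '--${OPTARG}', value: '${val}'" >&2;
+webPort=${val}
+;;
+traefik_websecure_port) val="${!OPTIND}"; OPTIND=$(( $OPTIND + 1 ))
+#echo "Parsing option: '--${OPTARG}', value: '${val}'" >&2;
+websecurePort=${val}
+;;
+help)
+helpFunction
+exit 0
+;;
+*)
+echo "Unknown option --${OPTARG}"
+echo "For help, run $PROG --help"
+exit 1
+;;
+esac
+;;
+*)
+echo "Unknown option -${OPTARG}"
+echo "For help, run $PROG --help"
+exit 1
+;;
+esac
+done
+
+# Print helpFunction in case parameters are empty
+if [ -z "$webPort" ] || [ -z "$websecurePort" ]
+then
+echo "Some or all of the parameters are empty";
+helpFunction
+fi
+
+# Begin script in case all parameters are correct
+echo "Setting Traefik Nodeport web to $webPort"
+k3s kubectl patch svc/traefik -n kube-system --type='json' -p='[{"op": "replace", "path": "/spec/ports/0/nodePort", "value":'$webPort'}]'
+echo "Setting Traefik Nodeport websecure to $websecurePort"
+k3s kubectl patch svc/traefik -n kube-system --type='json' -p='[{"op": "replace", "path": "/spec/ports/1/nodePort", "value":'$websecurePort'}]'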
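Review bot: `$webPort` and `$websecurePort` are interpolated unquoted into the JSON patch string (`"value":'$webPort'}]`) without ever being checked, so a non-numeric or whitespace-containing value yields a malformed patch or a split argument instead of a clear error; the option parsing only rejects empty values. The patch also addresses the ports as `/spec/ports/0` and `/spec/ports/1`, which presumably relies on the k3s Traefik chart listing web before websecure — worth a comment, since a reordered Service would silently swap the two NodePorts. Smaller points: `$PROG` is never set, so both "For help, run $PROG --help" messages print an empty program name (use `$0`), and the `exit 0` after `helpFunction` in the `help)` arm is unreachable because helpFunction itself exits 1. A digit-only check and a double-quoted patch string are below.
```shell
# … unchanged: license header, helpFunction, option parsing, empty-value check …

# Both values are spliced into a JSON patch below, so accept only digits.
for p in "$webPort" "$websecurePort"; do
  case "$p" in
    *[!0-9]*) echo "Port value '$p' is not numeric" >&2; helpFunction ;;
  esac
done

# Begin script in case all parameters are correct
echo "Setting Traefik Nodeport web to $webPort"
k3s kubectl patch svc/traefik -n kube-system --type='json' \
  -p="[{\"op\": \"replace\", \"path\": \"/spec/ports/0/nodePort\", \"value\": $webPort}]" || exit 1
echo "Setting Traefik Nodeport websecure to $websecurePort"
k3s kubectl patch svc/traefik -n kube-system --type='json' \
  -p="[{\"op\": \"replace\", \"path\": \"/spec/ports/1/nodePort\", \"value\": $websecurePort}]" || exit 1
```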

