Use secure connections for all ingresses
Change-Id: I7e7b62b1d97a433237a6ac4c43648c22f0d1ec5b
Signed-off-by: garciadeblas <gerardo.garciadeblas@telefonica.com>
diff --git a/installers/40-deploy-osm.sh b/installers/40-deploy-osm.sh
index 5c0e847..bf3f709 100755
--- a/installers/40-deploy-osm.sh
+++ b/installers/40-deploy-osm.sh
@@ -92,8 +92,14 @@
# OSM_HELM_OPTS="${OSM_HELM_OPTS} --set prometheus.alertmanager.ingress.ingressClassName=${OSM_CLUSTER_INGRESS_CLASS}"
fi
OSM_HELM_OPTS="${OSM_HELM_OPTS} --set grafana.ingress.hosts={grafana.${OSM_BASE_DOMAIN}}"
+OSM_HELM_OPTS="${OSM_HELM_OPTS} --set grafana.ingress.tls[0].secretName=grafana-cert"
+OSM_HELM_OPTS="${OSM_HELM_OPTS} --set grafana.ingress.tls[0].hosts={grafana.${OSM_BASE_DOMAIN}}"
OSM_HELM_OPTS="${OSM_HELM_OPTS} --set prometheus.server.ingress.hosts={prometheus.${OSM_BASE_DOMAIN}}"
-OSM_HELM_OPTS="${OSM_HELM_OPTS} --set airflow.ingress.web.hosts={airflow.${OSM_BASE_DOMAIN}}"
+OSM_HELM_OPTS="${OSM_HELM_OPTS} --set prometheus.server.ingress.tls[0].secretName=prometheus-cert"
+OSM_HELM_OPTS="${OSM_HELM_OPTS} --set prometheus.server.ingress.tls[0].hosts={prometheus.${OSM_BASE_DOMAIN}}"
+OSM_HELM_OPTS="${OSM_HELM_OPTS} --set airflow.ingress.web.hosts[0].name=airflow.${OSM_BASE_DOMAIN}"
+OSM_HELM_OPTS="${OSM_HELM_OPTS} --set airflow.ingress.web.hosts[0].tls.enabled=true"
+OSM_HELM_OPTS="${OSM_HELM_OPTS} --set airflow.ingress.web.hosts[0].tls.secretName=airflow-cert"
# OSM_HELM_OPTS="${OSM_HELM_OPTS} --set prometheus.alertmanager.ingress.hosts={alertmanager.${OSM_BASE_DOMAIN}}"
if [ -z "${OSM_GITOPS_ENABLED}" ]; then
OSM_HELM_OPTS="${OSM_HELM_OPTS} --set global.gitops.enabled=false"
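Review bot: The new `--set` lines at L12-L20 point the grafana, prometheus and airflow ingresses at secrets named grafana-cert, prometheus-cert and airflow-cert, but nothing here checks that those secrets will exist; in this same change they are produced by cert-manager Certificate templates that render only when `.Values.certauth.enabled` is true, so a deployment without certauth ends up with ingresses referencing absent secrets (ingress-nginx then falls back to its default certificate, if I read the controller behaviour correctly). Either gate these six lines on the same installer setting that drives certauth.enabled (not visible in this hunk) or at least document the coupling with a comment above L12 such as `# The *-cert secrets below are issued by the chart's Certificate resources only when certauth.enabled=true`. Note also that the airflow host is passed as `airflow.${OSM_BASE_DOMAIN}` while the Certificate for it uses `global.hostname`; if those two can differ the certificate SAN will not match the served host. The `if` block opened at L22 continues outside the hunk.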
diff --git a/installers/helm/osm/templates/alertmanager/alertmanager-certificate.yaml b/installers/helm/osm/templates/alertmanager/alertmanager-certificate.yaml
new file mode 100644
index 0000000..ff9f430
--- /dev/null
+++ b/installers/helm/osm/templates/alertmanager/alertmanager-certificate.yaml
@@ -0,0 +1,45 @@
+{{- if .Values.alertmanager.enabled -}}
+{{- if .Values.certauth.enabled -}}
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: alertmanager
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: alertmanager-cert
+ privateKey:
+ rotationPolicy: Always
+ algorithm: ECDSA
+ size: 256
+ duration: "8760h"
+ renewBefore: "2208h"
+ dnsNames:
+ {{- if .Values.alertmanager.ingress.host }}
+ - {{ .Values.alertmanager.ingress.host }}
+ {{- else }}
+ - "alertmanager.{{ .Values.global.hostname }}"
+ {{- end }}
+ usages:
+ - "client auth"
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
+{{- end }}
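Review bot: `usages` at L67-L68 requests only `"client auth"`, yet the resulting secret `alertmanager-cert` is consumed as the ingress server certificate (L99 in this change); a leaf certificate without the `server auth` extended key usage is rejected by clients that enforce EKU (Go's default verifier, most browsers). The usages list should be `- "server auth"` together with `- "digital signature"` and `- "key encipherment"`, keeping `"client auth"` only if the secret is also meant for mTLS clients. The same `"client auth"`-only list appears in the airflow (L141-L142), grafana (L188-L189), prometheus (L235-L236) and webhook (L286-L287) certificates. Since the issuer is `ca-issuer` (presumably a private CA), it is also worth a one-line comment stating that external clients only trust these certificates once that CA's root is distributed to them.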
diff --git a/installers/helm/osm/templates/alertmanager/alertmanager-ingress.yaml b/installers/helm/osm/templates/alertmanager/alertmanager-ingress.yaml
index 34feb49..3275c78 100644
--- a/installers/helm/osm/templates/alertmanager/alertmanager-ingress.yaml
+++ b/installers/helm/osm/templates/alertmanager/alertmanager-ingress.yaml
@@ -21,6 +21,8 @@
name: alertmanager-ingress
labels:
{{- include "osm.labels" . | nindent 4 }}
+ annotations:
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: {{ .Values.global.ingressClassName | default "nginx" }}
rules:
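Review bot: The `nginx.ingress.kubernetes.io/force-ssl-redirect` annotation added at L83-L84 is controller-specific, while the class on L86 is whatever `.Values.global.ingressClassName` says; on any non-nginx controller the annotation is silently ignored and the ingress keeps serving plain HTTP with no indication that the redirect was lost. Either render the annotation conditionally on the class resolving to nginx, or add a comment above L83 such as `# force-ssl-redirect is honoured by ingress-nginx only; other controllers need their own redirect setting`. The same annotation is added to the webhook ingress at L302-L303. The Ingress object continues outside the hunk on both sides.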
@@ -38,4 +40,12 @@
name: alertmanager
port:
number: 9093
+ tls:
+ - hosts:
+ {{- if .Values.alertmanager.ingress.host }}
+ - {{ .Values.alertmanager.ingress.host }}
+ {{- else }}
+ - "alertmanager.{{ .Values.global.hostname }}"
+ {{- end }}
+ secretName: alertmanager-cert
{{- end }}
\ No newline at end of file
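Review bot: The `tls` stanza at L92-L99 references `alertmanager-cert`, which this change only creates when `.Values.certauth.enabled` is true (L31), but the stanza itself is rendered unconditionally, so disabling certauth yields an Ingress pointing at a secret that never exists. Wrap it in the same guard, `{{- if .Values.certauth.enabled }}` before `tls:` and a matching `{{- end }}` after `secretName: alertmanager-cert`, so the ingress degrades consistently with the certificate. The webhook ingress hunk at L313-L320 has the identical dependency on `webhook-cert` (L250). This file is still written without a trailing newline on the new side (L101), which the webhook counterpart fixes; it would be tidy to fix it here too. The enclosing `{{- if ... }}` that L100 closes starts outside the hunk.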
diff --git a/installers/helm/osm/templates/certauth_setup/airflow-certificate.yaml b/installers/helm/osm/templates/certauth_setup/airflow-certificate.yaml
new file mode 100644
index 0000000..4d0cd24
--- /dev/null
+++ b/installers/helm/osm/templates/certauth_setup/airflow-certificate.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.airflow.enabled -}}
+{{- if .Values.certauth.enabled -}}
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: airflow
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: airflow-cert
+ privateKey:
+ rotationPolicy: Always
+ algorithm: ECDSA
+ size: 256
+ duration: "8760h"
+ renewBefore: "2208h"
+ dnsNames:
+ - "airflow.{{ .Values.global.hostname }}"
+ usages:
+ - "client auth"
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
+{{- end }}
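Review bot: `dnsNames` at L139-L140 is hard-coded to `airflow.{{ .Values.global.hostname }}`, whereas the alertmanager and webhook certificates in this change honour an `ingress.host` override, and the installer passes the airflow ingress host separately as `airflow.${OSM_BASE_DOMAIN}` (L18); if the installer does not also set `global.hostname` to the same value (not visible here), the certificate SAN will not match the host the ingress serves and clients will get a hostname mismatch. If the airflow subchart exposes no per-ingress host value, a comment above `dnsNames` stating that `global.hostname` must equal the domain used for the ingress host would at least make the coupling explicit. The grafana (L186-L187) and prometheus (L233-L234) certificates have the same hard-coded name.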
diff --git a/installers/helm/osm/templates/certauth_setup/grafana-certificate.yaml b/installers/helm/osm/templates/certauth_setup/grafana-certificate.yaml
new file mode 100644
index 0000000..2de1c0c
--- /dev/null
+++ b/installers/helm/osm/templates/certauth_setup/grafana-certificate.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.grafana.enabled -}}
+{{- if .Values.certauth.enabled -}}
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: grafana
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: grafana-cert
+ privateKey:
+ rotationPolicy: Always
+ algorithm: ECDSA
+ size: 256
+ duration: "8760h"
+ renewBefore: "2208h"
+ dnsNames:
+ - "grafana.{{ .Values.global.hostname }}"
+ usages:
+ - "client auth"
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
+{{- end }}
diff --git a/installers/helm/osm/templates/certauth_setup/prometheus-certificate.yaml b/installers/helm/osm/templates/certauth_setup/prometheus-certificate.yaml
new file mode 100644
index 0000000..3de853e
--- /dev/null
+++ b/installers/helm/osm/templates/certauth_setup/prometheus-certificate.yaml
@@ -0,0 +1,41 @@
+{{- if .Values.prometheus.enabled -}}
+{{- if .Values.certauth.enabled -}}
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: prometheus
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: prometheus-cert
+ privateKey:
+ rotationPolicy: Always
+ algorithm: ECDSA
+ size: 256
+ duration: "8760h"
+ renewBefore: "2208h"
+ dnsNames:
+ - "prometheus.{{ .Values.global.hostname }}"
+ usages:
+ - "client auth"
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
+{{- end }}
diff --git a/installers/helm/osm/templates/webhook_translator/webhook-certificate.yaml b/installers/helm/osm/templates/webhook_translator/webhook-certificate.yaml
new file mode 100644
index 0000000..874395d
--- /dev/null
+++ b/installers/helm/osm/templates/webhook_translator/webhook-certificate.yaml
@@ -0,0 +1,45 @@
+{{- if .Values.webhookTranslator.enabled -}}
+{{- if .Values.certauth.enabled -}}
+#######################################################################################
+# Copyright ETSI Contributors and Others.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+# implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#######################################################################################
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: webhook
+ namespace: {{ .Release.Namespace }}
+spec:
+ secretName: webhook-cert
+ privateKey:
+ rotationPolicy: Always
+ algorithm: ECDSA
+ size: 256
+ duration: "8760h"
+ renewBefore: "2208h"
+ dnsNames:
+ {{- if .Values.webhookTranslator.ingress.host }}
+ - {{ .Values.webhookTranslator.ingress.host }}
+ {{- else }}
+ - "webhook.{{ .Values.global.hostname }}"
+ {{- end }}
+ usages:
+ - "client auth"
+ issuerRef:
+ name: ca-issuer
+ kind: Issuer
+ group: cert-manager.io
+{{- end }}
+{{- end }}
diff --git a/installers/helm/osm/templates/webhook_translator/webhook-translator-ingress.yaml b/installers/helm/osm/templates/webhook_translator/webhook-translator-ingress.yaml
index 2ca0df8..4c971f2 100644
--- a/installers/helm/osm/templates/webhook_translator/webhook-translator-ingress.yaml
+++ b/installers/helm/osm/templates/webhook_translator/webhook-translator-ingress.yaml
@@ -21,6 +21,8 @@
name: webhook-ingress
labels:
{{- include "osm.labels" . | nindent 4 }}
+ annotations:
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
ingressClassName: {{ .Values.global.ingressClassName | default "nginx" }}
rules:
@@ -38,4 +40,12 @@
name: webhook-translator
port:
number: 9998
-{{- end }}
\ No newline at end of file
+ tls:
+ - hosts:
+ {{- if .Values.webhookTranslator.ingress.host }}
+ - {{ .Values.webhookTranslator.ingress.host }}
+ {{- else }}
+ - "webhook.{{ .Values.global.hostname }}"
+ {{- end }}
+ secretName: webhook-cert
+{{- end }}
diff --git a/installers/helm/osm/values.yaml b/installers/helm/osm/values.yaml
index bff6865..b579424 100644
--- a/installers/helm/osm/values.yaml
+++ b/installers/helm/osm/values.yaml
@@ -191,6 +191,12 @@
ingressClassName: nginx
# hosts:
# - grafana.<IP_ADDRESS>.nip.io
+ annotations:
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ # tls:
+ # - secretName: grafana-cert
+ # hosts:
+ # - grafana.<IP_ADDRESS>.nip.io
extraVolumes:
- emptyDir: {}
name: sc-dashboard-volume-k8s
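Review bot: The default values now enable `force-ssl-redirect` (L330-L331) while the `tls` block beneath it stays commented out (L332-L335), so an out-of-the-box render that is not driven by 40-deploy-osm.sh redirects every HTTP request to an HTTPS listener with no certificate configured for this host; with ingress-nginx that means the controller's self-signed default certificate, which clients will reject. A comment above L330 along the lines of `# force-ssl-redirect assumes the tls section below (or the equivalent --set) is configured; without it ingress-nginx serves its default certificate` would make the dependency visible to anyone editing values.yaml by hand. The prometheus values hunk at L343-L348 has the same shape. The parent `ingress:` key of this stanza is outside the hunk.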
@@ -442,6 +448,12 @@
ingressClassName: nginx
# hosts:
# - prometheus.<IP_ADDRESS>.nip.io
+ annotations:
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ # tls:
+ # - secretName: prometheus-cert
+ # hosts:
+ # - prometheus.<IP_ADDRESS>.nip.io
sidecarContainers:
prometheus-config-sidecar:
securityContext: