From ae4f2eb924d62c7d5e21010e099f8bd48bb99a5f Mon Sep 17 00:00:00 2001
From: garciadeblas
Date: Thu, 15 Jan 2026 11:31:20 +0100
Subject: [PATCH] Use secure connections for all ingresses
Change-Id: I7e7b62b1d97a433237a6ac4c43648c22f0d1ec5b
Signed-off-by: garciadeblas
---
 installers/40-deploy-osm.sh | 8 +++-
 .../alertmanager-certificate.yaml | 45 +++++++++++++++++++
 .../alertmanager/alertmanager-ingress.yaml | 10 +++++
 .../certauth_setup/airflow-certificate.yaml | 41 +++++++++++++++++
 .../certauth_setup/grafana-certificate.yaml | 41 +++++++++++++++++
 .../prometheus-certificate.yaml | 41 +++++++++++++++++
 .../webhook-certificate.yaml | 45 +++++++++++++++++++
 .../webhook-translator-ingress.yaml | 12 ++++-
 installers/helm/osm/values.yaml | 12 +++++
 9 files changed, 253 insertions(+), 2 deletions(-)
 create mode 100644 installers/helm/osm/templates/alertmanager/alertmanager-certificate.yaml
 create mode 100644 installers/helm/osm/templates/certauth_setup/airflow-certificate.yaml
 create mode 100644 installers/helm/osm/templates/certauth_setup/grafana-certificate.yaml
 create mode 100644 installers/helm/osm/templates/certauth_setup/prometheus-certificate.yaml
 create mode 100644 installers/helm/osm/templates/webhook_translator/webhook-certificate.yaml
diff --git a/installers/40-deploy-osm.sh b/installers/40-deploy-osm.sh
index 5c0e84764..bf3f70920 100755
--- a/installers/40-deploy-osm.sh
+++ b/installers/40-deploy-osm.sh
@@ -92,8 +92,14 @@ if [ -n "${OSM_CLUSTER_INGRESS_CLASS}" ]; then # OSM_HELM_OPTS="${OSM_HELM_OPTS} --set prometheus.alertmanager.ingress.ingressClassName=${OSM_CLUSTER_INGRESS_CLASS}" fi OSM_HELM_OPTS="${OSM_HELM_OPTS} --set grafana.ingress.hosts={grafana.${OSM_BASE_DOMAIN}}" +OSM_HELM_OPTS="${OSM_HELM_OPTS} --set grafana.ingress.tls[0].secretName=grafana-cert" +OSM_HELM_OPTS="${OSM_HELM_OPTS} --set grafana.ingress.tls[0].hosts={grafana.${OSM_BASE_DOMAIN}}" OSM_HELM_OPTS="${OSM_HELM_OPTS} --set prometheus.server.ingress.hosts={prometheus.${OSM_BASE_DOMAIN}}" -OSM_HELM_OPTS="${OSM_HELM_OPTS} --set airflow.ingress.web.hosts={airflow.${OSM_BASE_DOMAIN}}" +OSM_HELM_OPTS="${OSM_HELM_OPTS} --set prometheus.server.ingress.tls[0].secretName=prometheus-cert" +OSM_HELM_OPTS="${OSM_HELM_OPTS} --set prometheus.server.ingress.tls[0].hosts={prometheus.${OSM_BASE_DOMAIN}}" +OSM_HELM_OPTS="${OSM_HELM_OPTS} --set airflow.ingress.web.hosts[0].name=airflow.${OSM_BASE_DOMAIN}" +OSM_HELM_OPTS="${OSM_HELM_OPTS} --set airflow.ingress.web.hosts[0].tls.enabled=true" +OSM_HELM_OPTS="${OSM_HELM_OPTS} --set airflow.ingress.web.hosts[0].tls.secretName=airflow-cert" # OSM_HELM_OPTS="${OSM_HELM_OPTS} --set prometheus.alertmanager.ingress.hosts={alertmanager.${OSM_BASE_DOMAIN}}" if [ -z "${OSM_GITOPS_ENABLED}" ]; then OSM_HELM_OPTS="${OSM_HELM_OPTS} --set global.gitops.enabled=false" diff --git a/installers/helm/osm/templates/alertmanager/alertmanager-certificate.yaml b/installers/helm/osm/templates/alertmanager/alertmanager-certificate.yaml new file mode 100644 index 000000000..ff9f43023 --- /dev/null +++ b/installers/helm/osm/templates/alertmanager/alertmanager-certificate.yaml 
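Review bot: The TLS hosts added here for grafana and prometheus are built from `${OSM_BASE_DOMAIN}`, whereas the new grafana-certificate.yaml, prometheus-certificate.yaml and airflow-certificate.yaml derive their single SAN from `.Values.global.hostname`; unless the script also sets `global.hostname` from the same variable (not visible in this hunk), the served certificate's SAN can differ from the ingress host and clients will fail with a name mismatch. Consider pinning both to one source, e.g. `--set global.hostname=${OSM_BASE_DOMAIN}` next to these lines, or have those three Certificate templates read the configured ingress host the way alertmanager-certificate.yaml does with `.Values.alertmanager.ingress.host`. Note also that the airflow ingress is the only one in this patch that receives a TLS secret but no `force-ssl-redirect` annotation, so plain HTTP to it stays reachable unless that annotation is set somewhere outside this diff.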
@@ -0,0 +1,45 @@ +{{- if .Values.alertmanager.enabled -}} +{{- if .Values.certauth.enabled -}} +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: alertmanager + namespace: {{ .Release.Namespace }} +spec: + secretName: alertmanager-cert + privateKey: + rotationPolicy: Always + algorithm: ECDSA + size: 256 + duration: "8760h" + renewBefore: "2208h" + dnsNames: + {{- if .Values.alertmanager.ingress.host }} + - {{ .Values.alertmanager.ingress.host }} + {{- else }} + - "alertmanager.{{ .Values.global.hostname }}" + {{- end }} + usages: + - "client auth" + issuerRef: + name: ca-issuer + kind: Issuer + group: cert-manager.io +{{- end }} +{{- end }} diff --git a/installers/helm/osm/templates/alertmanager/alertmanager-ingress.yaml b/installers/helm/osm/templates/alertmanager/alertmanager-ingress.yaml index 34feb4951..3275c7874 100644 --- a/installers/helm/osm/templates/alertmanager/alertmanager-ingress.yaml +++ b/installers/helm/osm/templates/alertmanager/alertmanager-ingress.yaml 
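Review bot: `usages` lists only `client auth`, but the resulting secret `alertmanager-cert` is consumed as the server certificate of alertmanager-ingress, and a leaf certificate whose extended key usage lacks `server auth` is rejected by browsers and by TLS clients that enforce EKU (Go's default verifier, for one); cert-manager also drops its default `digital signature` / `key encipherment` usages as soon as `usages` is given explicitly. The same list is copied into airflow-certificate.yaml, grafana-certificate.yaml, prometheus-certificate.yaml and webhook-certificate.yaml. Replace it in all five with `usages:` followed by `- digital signature`, `- key encipherment`, `- server auth`, keeping `client auth` only if these certificates are also presented as client certificates somewhere, which this patch does not show.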
@@ -21,6 +21,8 @@ metadata: name: alertmanager-ingress labels: {{- include "osm.labels" . | nindent 4 }} + annotations: + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" spec: ingressClassName: {{ .Values.global.ingressClassName | default "nginx" }} rules: @@ -38,4 +40,12 @@ spec: name: alertmanager port: number: 9093 + tls: + - hosts: + {{- if .Values.alertmanager.ingress.host }} + - {{ .Values.alertmanager.ingress.host }} + {{- else }} + - "alertmanager.{{ .Values.global.hostname }}" + {{- end }} + secretName: alertmanager-cert {{- end }} \ No newline at end of file diff --git a/installers/helm/osm/templates/certauth_setup/airflow-certificate.yaml b/installers/helm/osm/templates/certauth_setup/airflow-certificate.yaml new file mode 100644 index 000000000..4d0cd2468 --- /dev/null +++ b/installers/helm/osm/templates/certauth_setup/airflow-certificate.yaml 
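Review bot: The `force-ssl-redirect` annotation added under `metadata.annotations` is specific to ingress-nginx, while `ingressClassName` two lines below is taken from `.Values.global.ingressClassName`; with any other controller the annotation is silently ignored and the ingress keeps answering plain HTTP with no redirect. If the chart is meant to support other classes, either document the dependency with a comment above the annotation, `# ingress-nginx only: other controllers ignore this and keep serving plain HTTP`, or make the annotations block conditional on the class. The annotation hunk in webhook-translator-ingress.yaml has the same issue.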
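Review bot: The new `tls` block references `alertmanager-cert` unconditionally, but the Certificate that produces that secret (alertmanager-certificate.yaml) is rendered only when `.Values.certauth.enabled` is true; with certauth disabled the ingress points at a secret that never exists, ingress-nginx falls back to its built-in fake certificate, and the redirect added in the first hunk forces every client onto that endpoint. Wrap the stanza (and the redirect annotation) in `{{- if .Values.certauth.enabled }}` … `{{- end }}`, or render the Certificate whenever the ingress itself is enabled so the two cannot drift apart. webhook-translator-ingress.yaml repeats the pattern with `webhook-cert`. The `{{- if }}` closed by the trailing `{{- end }}` context line starts outside the hunk.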
@@ -0,0 +1,41 @@ +{{- if .Values.airflow.enabled -}} +{{- if .Values.certauth.enabled -}} +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: airflow + namespace: {{ .Release.Namespace }} +spec: + secretName: airflow-cert + privateKey: + rotationPolicy: Always + algorithm: ECDSA + size: 256 + duration: "8760h" + renewBefore: "2208h" + dnsNames: + - "airflow.{{ .Values.global.hostname }}" + usages: + - "client auth" + issuerRef: + name: ca-issuer + kind: Issuer + group: cert-manager.io +{{- end }} +{{- end }} diff --git a/installers/helm/osm/templates/certauth_setup/grafana-certificate.yaml b/installers/helm/osm/templates/certauth_setup/grafana-certificate.yaml new file mode 100644 index 000000000..2de1c0ce9 --- /dev/null +++ b/installers/helm/osm/templates/certauth_setup/grafana-certificate.yaml 
@@ -0,0 +1,41 @@ +{{- if .Values.grafana.enabled -}} +{{- if .Values.certauth.enabled -}} +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: grafana + namespace: {{ .Release.Namespace }} +spec: + secretName: grafana-cert + privateKey: + rotationPolicy: Always + algorithm: ECDSA + size: 256 + duration: "8760h" + renewBefore: "2208h" + dnsNames: + - "grafana.{{ .Values.global.hostname }}" + usages: + - "client auth" + issuerRef: + name: ca-issuer + kind: Issuer + group: cert-manager.io +{{- end }} +{{- end }} diff --git a/installers/helm/osm/templates/certauth_setup/prometheus-certificate.yaml b/installers/helm/osm/templates/certauth_setup/prometheus-certificate.yaml new file mode 100644 index 000000000..3de853e63 --- /dev/null +++ b/installers/helm/osm/templates/certauth_setup/prometheus-certificate.yaml 
@@ -0,0 +1,41 @@ +{{- if .Values.prometheus.enabled -}} +{{- if .Values.certauth.enabled -}} +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: prometheus + namespace: {{ .Release.Namespace }} +spec: + secretName: prometheus-cert + privateKey: + rotationPolicy: Always + algorithm: ECDSA + size: 256 + duration: "8760h" + renewBefore: "2208h" + dnsNames: + - "prometheus.{{ .Values.global.hostname }}" + usages: + - "client auth" + issuerRef: + name: ca-issuer + kind: Issuer + group: cert-manager.io +{{- end }} +{{- end }} diff --git a/installers/helm/osm/templates/webhook_translator/webhook-certificate.yaml b/installers/helm/osm/templates/webhook_translator/webhook-certificate.yaml new file mode 100644 index 000000000..874395d49 --- /dev/null +++ b/installers/helm/osm/templates/webhook_translator/webhook-certificate.yaml 
@@ -0,0 +1,45 @@ +{{- if .Values.webhookTranslator.enabled -}} +{{- if .Values.certauth.enabled -}} +####################################################################################### +# Copyright ETSI Contributors and Others. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or +# implied. +# See the License for the specific language governing permissions and +# limitations under the License. +####################################################################################### +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: webhook + namespace: {{ .Release.Namespace }} +spec: + secretName: webhook-cert + privateKey: + rotationPolicy: Always + algorithm: ECDSA + size: 256 + duration: "8760h" + renewBefore: "2208h" + dnsNames: + {{- if .Values.webhookTranslator.ingress.host }} + - {{ .Values.webhookTranslator.ingress.host }} + {{- else }} + - "webhook.{{ .Values.global.hostname }}" + {{- end }} + usages: + - "client auth" + issuerRef: + name: ca-issuer + kind: Issuer + group: cert-manager.io +{{- end }} +{{- end }} diff --git a/installers/helm/osm/templates/webhook_translator/webhook-translator-ingress.yaml b/installers/helm/osm/templates/webhook_translator/webhook-translator-ingress.yaml index 2ca0df81d..4c971f27f 100644 --- a/installers/helm/osm/templates/webhook_translator/webhook-translator-ingress.yaml +++ b/installers/helm/osm/templates/webhook_translator/webhook-translator-ingress.yaml 
@@ -21,6 +21,8 @@ metadata: name: webhook-ingress labels: {{- include "osm.labels" . | nindent 4 }} + annotations: + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" spec: ingressClassName: {{ .Values.global.ingressClassName | default "nginx" }} rules: @@ -38,4 +40,12 @@ spec: name: webhook-translator port: number: 9998 -{{- end }} \ No newline at end of file + tls: + - hosts: + {{- if .Values.webhookTranslator.ingress.host }} + - {{ .Values.webhookTranslator.ingress.host }} + {{- else }} + - "webhook.{{ .Values.global.hostname }}" + {{- end }} + secretName: webhook-cert +{{- end }} diff --git a/installers/helm/osm/values.yaml b/installers/helm/osm/values.yaml index bff6865ed..b579424b1 100644 --- a/installers/helm/osm/values.yaml +++ b/installers/helm/osm/values.yaml @@ -191,6 +191,12 @@ grafana: ingressClassName: nginx # hosts: # - grafana..nip.io + annotations: + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + # tls: + # - secretName: grafana-cert + # hosts: + # - grafana..nip.io extraVolumes: - emptyDir: {} name: sc-dashboard-volume-k8s @@ -442,6 +448,12 @@ prometheus: ingressClassName: nginx # hosts: # - prometheus..nip.io + annotations: + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + # tls: + # - secretName: prometheus-cert + # hosts: + # - prometheus..nip.io sidecarContainers: prometheus-config-sidecar: securityContext: -- 2.25.1
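Review bot: In values.yaml the `force-ssl-redirect` annotation becomes active by default under `grafana.ingress` and `prometheus.server.ingress`, but the matching `tls` entries directly beneath stay commented out; a `helm install` that enables those ingresses without the `--set ...ingress.tls[0]...` overrides from 40-deploy-osm.sh therefore redirects every request to HTTPS served with the controller's default certificate instead of `grafana-cert` / `prometheus-cert`. Either uncomment the `tls` entries using the same placeholder host already used for `hosts`, or keep the annotation commented alongside them so both are switched on together. Whether these ingresses are enabled by default is not visible in these hunks.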