added setting up test cluster and priming certificates

external-secrets · Jun 17, 2024 · 86ce26a · 86ce26a
1 parent ffac062
commit 86ce26a
Show file tree

Hide file tree

Showing 12 changed files with 157 additions and 11 deletions.
diff --git a/.gitignore b/.gitignore
@@ -22,3 +22,4 @@ go.work
 go.work.sum
 bin/
 dist/
+hack/cert-manager.yaml
diff --git a/Makefile b/Makefile
@@ -20,6 +20,8 @@ $(LOCALBIN):
 	mkdir -p $(LOCALBIN)
 
 GOLANGCI_LINT ?= $(LOCALBIN)/golangci-lint
+MKCERT ?= $(LOCALBIN)/mkcert
+UNAME ?= $(shell uname|tr '[:upper:]' '[:lower:]')
 
 # Get the currently used golang install path (in GOPATH/bin, unless GOBIN is set)
 ifeq (,$(shell go env GOBIN))
@@ -32,9 +34,16 @@ endif
 # List the GOOS and GOARCH to build
 GO_LDFLAGS_STATIC="-s -w $(CTIMEVAR) -extldflags -static"
 GOLANGCI_LINT_VERSION ?= v1.57.2
+MKCERT_VERSION ?= v1.4.4
 
 .DEFAULT_GOAL := help
 
+.PHONY: mkcert
+mkcert: $(MKCERT)
+$(MKCERT): $(LOCALBIN)
+	curl -L "https://github.com/FiloSottile/mkcert/releases/download/$(MKCERT_VERSION)/mkcert-$(MKCERT_VERSION)-$(UNAME)-amd64" -o $(LOCALBIN)/mkcert
+	chmod +x $(LOCALBIN)/mkcert
+
 ##@ Build
 
 build: ## Builds binaries
@@ -55,6 +64,10 @@ clean: ## Runs go clean
 test: ## Test the project
 	go test ./... -coverprofile cover.out
 
+.PHONY: prime-test-cluster
+prime-test-cluster: mkcert
+	./hack/prime_test_cluster.sh
+
 ##@ Docker
 
 IMG ?= ghcr.io/external-secrets/bitwarden-sdk-server

diff --git a/Tiltfile b/Tiltfile
@@ -6,9 +6,7 @@ kubectl_cmd = "kubectl"
 if str(local("command -v " + kubectl_cmd + " || true", quiet = True)) == "":
     fail("Required command '" + kubectl_cmd + "' not found in PATH")
 
-load('ext://namespace', 'namespace_yaml')
-k8s_yaml(namespace_yaml('external-secrets'), allow_duplicates=True)
-install = helm('deploy', namespace = 'external-secrets', set = 'image.tls.enabled=False')
+install = helm('deploy/charts/bitwarden-sdk-server')
 
 # Apply the updated yaml to the cluster.
 k8s_yaml(install, allow_duplicates = True)

diff --git a/cmd/root.go b/cmd/root.go
@@ -44,8 +44,8 @@ func init() {
 	// Server Configs
 	flag.BoolVar(&rootArgs.server.Debug, "debug", false, "--debug")
 	flag.BoolVar(&rootArgs.server.Insecure, "insecure", false, "--insecure")
-	flag.StringVar(&rootArgs.server.KeyFile, "key-file", "", "--key-file /certs/key.pem")
-	flag.StringVar(&rootArgs.server.CertFile, "cert-file", "", "--cert-file /certs/cert.pem")
+	flag.StringVar(&rootArgs.server.KeyFile, "key-file", "/certs/key.pem", "--key-file /certs/key.pem")
+	flag.StringVar(&rootArgs.server.CertFile, "cert-file", "/certs/cert.pem", "--cert-file /certs/cert.pem")
 	flag.StringVar(&rootArgs.server.Addr, "hostname", ":9998", "--hostname :9998")
 }
 

diff --git a/deploy/charts/bitwarden-sdk-server/templates/deployment.yaml b/deploy/charts/bitwarden-sdk-server/templates/deployment.yaml
@@ -47,10 +47,12 @@ spec:
             httpGet:
               path: /live
               port: http
+              scheme: HTTPS
           readinessProbe:
             httpGet:
               path: /ready
               port: http
+              scheme: HTTPS
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
       {{- with .Values.nodeSelector }}

diff --git a/deploy/charts/bitwarden-sdk-server/templates/service.yaml b/deploy/charts/bitwarden-sdk-server/templates/service.yaml
@@ -9,7 +9,6 @@ spec:
   ports:
     - port: {{ .Values.service.port }}
       targetPort: http
-      protocol: TCP
       name: http
   selector:
     {{- include "bitwarden-sdk-server.selectorLabels" . | nindent 4 }}
diff --git a/hack/bitwarden-certificate.yaml b/hack/bitwarden-certificate.yaml
@@ -0,0 +1,21 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: bitwarden-tls-certs
+  namespace: default
+spec:
+  secretName: bitwarden-tls-certs
+  dnsNames:
+    - bitwarden-sdk-server.default.svc.cluster.local
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+    - ::1
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  issuerRef:
+    name: bitwarden-certificate-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
diff --git a/hack/cluster_issuer.yaml b/hack/cluster_issuer.yaml
@@ -0,0 +1,42 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: bitwarden-bootstrap-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: bitwarden-bootstrap-certificate
+  namespace: cert-manager
+spec:
+  # this is discouraged but required by ios
+  commonName: cert-manager-bitwarden-tls
+  isCA: true
+  secretName: bitwarden-tls-certs
+  subject:
+    organizations:
+      - external-secrets.io
+  dnsNames:
+    - bitwarden-sdk-server.default.svc.cluster.local
+    - localhost
+  ipAddresses:
+    - 127.0.0.1
+    - ::1
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS8
+    size: 2048
+  issuerRef:
+    name: bitwarden-bootstrap-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: bitwarden-certificate-issuer
+spec:
+  ca:
+    secretName: bitwarden-tls-certs
diff --git a/hack/prime_test_cluster.sh b/hack/prime_test_cluster.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+
+# cleanup
+rm -fr hack/rootCA.pem
+
+CERT_MANAGER_VERSION=${CERT_MANAGER_VERSION:-v1.14.1}
+
+if [ ! -e 'hack/cert-manager.yaml' ]; then
+  echo "fetching cert-manager manifest for version ${CERT_MANAGER_VERSION}"
+  curl -L https://github.com/cert-manager/cert-manager/releases/download/"${CERT_MANAGER_VERSION}"/cert-manager.yaml -o hack/cert-manager.yaml
+fi
+
+kind create cluster --name=e2e-test-cluster
+
+echo -n 'installing cert-manager'
+kubectl apply -f hack/cert-manager.yaml
+kubectl wait --for=condition=Available=True Deployment/cert-manager -n cert-manager --timeout=60s
+kubectl wait --for=condition=Available=True Deployment/cert-manager-webhook -n cert-manager --timeout=60s
+kubectl wait --for=condition=Available=True Deployment/cert-manager-cainjector -n cert-manager --timeout=60s
+echo 'done'
+
+echo -n 'applying root certificate issuer'
+kubectl apply -f hack/cluster_issuer.yaml
+echo 'done'
+
+echo -n 'waiting for root certificate to be generated...'
+kubectl wait --for=condition=Ready=true Certificate/bitwarden-bootstrap-certificate -n cert-manager --timeout=60s
+echo 'done'
+
+kubectl get secret bitwarden-tls-certs -n cert-manager -o jsonpath="{.data['tls\.crt']}" | base64 -d > hack/rootCA.pem
+echo -n 'installing root certificate into local trust store...'
+CAROOT=hack ./bin/mkcert -install
+rootCAPath="./hack/rootCA.pem"
+
+if [ -e '/etc/ssl/certs/ca-certificates.crt' ]; then
+  echo "updating root certificate"
+  sudo cat "${rootCAPath}" | sudo tee -a /etc/ssl/certs/ca-certificates.crt || echo "failed to append to ca-certificates. Ignoring the failure"
+fi
+
+echo 'done'
+
+echo -n 'applying certificate request for bitwarden-sdk-server...'
+kubectl apply -f hack/bitwarden-certificate.yaml
+echo 'done'
diff --git a/hack/rootCA.pem b/hack/rootCA.pem
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDszCCApugAwIBAgIRAMGiIBGuNGKQ6WoBh4Pgh8gwDQYJKoZIhvcNAQELBQAw
+QzEcMBoGA1UEChMTZXh0ZXJuYWwtc2VjcmV0cy5pbzEjMCEGA1UEAxMaY2VydC1t
+YW5hZ2VyLWJpdHdhcmRlbi10bHMwHhcNMjQwNjE3MTUyNzQ2WhcNMjQwOTE1MTUy
+NzQ2WjBDMRwwGgYDVQQKExNleHRlcm5hbC1zZWNyZXRzLmlvMSMwIQYDVQQDExpj
+ZXJ0LW1hbmFnZXItYml0d2FyZGVuLXRsczCCASIwDQYJKoZIhvcNAQEBBQADggEP
+ADCCAQoCggEBAKY2TajHugsYOYx//BIciEiREv0y3Lg3fqEZ6kZTy+57ezZExSY7
+uC64gNCG+kxefIxQK1NQwmr+9kl79X0Q/pgOXWqCY5NRpD4DJqsA/x2h2STiudzC
+oz1zBeInSM0efDup/vcJrMz2YoPcYDRD1udI2FdN00pJ6OpT3bkcLWJvggwK8l+Y
+yr+nKc6Hxn7xvwFwIehN5F3/Fgn6vpIrLByTahtFMdRnMjqNxKZeC3ZxWt1ihJRl
+fy77se8ZWVe9XfJgk+Mp/k+OJ1335Fvk9Jo+l+dHjihCSavUt82aDdc41Q2q3rFW
+YSmUhRJZG2vddY/SUUljuhMVLG5i/5aMl2UCAwEAAaOBoTCBnjAOBgNVHQ8BAf8E
+BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUYWIK8nHS0w3Q11svWlbp
+nwH4crowXAYDVR0RBFUwU4IuYml0d2FyZGVuLXNkay1zZXJ2ZXIuZGVmYXVsdC5z
+dmMuY2x1c3Rlci5sb2NhbIIJbG9jYWxob3N0hwR/AAABhxAAAAAAAAAAAAAAAAAA
+AAABMA0GCSqGSIb3DQEBCwUAA4IBAQA/lO/q2O+OjJinSnebh9ph+lWxXm4/2bSN
+L1nCiJsTF5B41Gqi5CpyDd/OEpLZ0YnV/r+CLLoCTR9m87HJACi+GQU9k4EKq4qx
+VfMesusMqQjxnIHtUZgruNJ5q7yXDNuJiq1Hsl/SOY5EV1XQwRag2VrxjGwNdqwD
+pv/edqGyYf2+KoM2ZjqvBsHfZhHdDrdHwdbH4LTfKC9OHj0TSPAT/ZOSnyO21u/a
+bJ4ecxOfskY4TS05hS23ue6JqQkMEncKhXwpEH3/msD9Rx1F7Qi7g7xOr7SWA+fw
+Po/3R8gLLrdbjCorvkw7fZs24iYuBsGn9UOULzb2ggYGgXYyJLcP
+-----END CERTIFICATE-----
diff --git a/pkg/server/server.go b/pkg/server/server.go
@@ -57,18 +57,22 @@ func (s *Server) Run(_ context.Context) error {
 	r := chi.NewRouter()
 	r.Use(middleware.Logger)
 	r.Use(middleware.Recoverer)
-	r.Use(bitwarden.Warden)
 	r.Get("/ready", func(w http.ResponseWriter, r *http.Request) {
 		_, _ = w.Write([]byte("ready"))
 	})
 	r.Get("/live", func(w http.ResponseWriter, r *http.Request) {
 		_, _ = w.Write([]byte("live"))
 	})
 
+	warden := chi.NewRouter()
+	warden.Use(bitwarden.Warden)
+
 	// The header will always contain the right credentials.
-	r.Get(api+"/secret", s.getSecretHandler)
-	r.Delete(api+"/secret", s.deleteSecretHandler)
-	r.Post(api+"/secret", s.createSecretHandler)
+	warden.Get("/secret", s.getSecretHandler)
+	warden.Delete("/secret", s.deleteSecretHandler)
+	warden.Post("/secret", s.createSecretHandler)
+
+	r.Mount(api, warden)
 
 	srv := &http.Server{Addr: s.Addr, Handler: r, ReadTimeout: 5 * time.Second}
 	s.server = srv

diff --git a/tilt.dockerfile b/tilt.dockerfile
@@ -4,4 +4,4 @@ COPY ./bin/bitwarden-sdk-server /bitwarden-sdk-server
 
 ENV CGO_ENABLED=1
 ENV BW_SECRETS_MANAGER_STATE_PATH='/state'
-ENTRYPOINT ["/bitwarden-sdk-server", "serve", "--insecure"]
+ENTRYPOINT ["/bitwarden-sdk-server", "serve"]
-Original file line number
+Diff line change
@@ Expand Up / @@ -22,3 +22,4 @@ go.work @@
     go.work.sum
     bin/
     dist/
+    hack/cert-manager.yaml