From be0f3512aede66565a7286e59101cbaa386ebfbd Mon Sep 17 00:00:00 2001
From: Rahul Sharma
Date: Fri, 19 Feb 2021 18:04:53 -0500
Subject: [PATCH 1/4] WIFI-1319: Updating charts to add TLS related properties in ssl.properties. Since these are only relevant to microK8s environment, we only enable them in it.
---
 .../templates/controller-configmap.yaml | 3 ++-
 .../charts/nginx-ingress-controller/values.yaml | 2 ++
 .../resources/config/logback.xml | 2 +-
 .../wlan-portal-service/templates/secret.yaml | 13 +++++++++++++
 .../wlan-portal-service/templates/statefulset.yaml | 12 ++++++++++--
 tip-wlan/charts/wlan-portal-service/values.yaml | 3 +++
 tip-wlan/charts/wlan-prov-service/values.yaml | 2 +-
 tip-wlan/example-values/microk8s-basic/values.yaml | 6 ++++--
 8 files changed, 36 insertions(+), 7 deletions(-)
 create mode 100644 tip-wlan/charts/wlan-portal-service/templates/secret.yaml
diff --git a/tip-wlan/charts/nginx-ingress-controller/templates/controller-configmap.yaml b/tip-wlan/charts/nginx-ingress-controller/templates/controller-configmap.yaml
index 4aaab94..4debb6b 100644
--- a/tip-wlan/charts/nginx-ingress-controller/templates/controller-configmap.yaml
+++ b/tip-wlan/charts/nginx-ingress-controller/templates/controller-configmap.yaml
@@ -7,4 +7,5 @@ metadata:
 {{- include "common.labels" . | nindent 4 }}
 data:
 external-status-address: {{ .Values.controller.config.externalStatusAddress }}
- client-max-body-size: {{ .Values.controller.config.clientMaxBodySize }}
\ No newline at end of file
+ client-max-body-size: {{ .Values.controller.config.clientMaxBodySize }}
+ error-log-level: {{ .Values.controller.config.errorLogLevel }}
\ No newline at end of file
diff --git a/tip-wlan/charts/nginx-ingress-controller/values.yaml b/tip-wlan/charts/nginx-ingress-controller/values.yaml
index 07f9fd5..df14b7c 100644
--- a/tip-wlan/charts/nginx-ingress-controller/values.yaml
+++ b/tip-wlan/charts/nginx-ingress-controller/values.yaml
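Review bot: `error-log-level: {{ .Values.controller.config.errorLogLevel }}` on the new side is rendered unquoted, so a value supplied through `--set` or an override file that happens to look like a YAML number or boolean is typed as such, and ConfigMap `data` accepts strings only. Quoting at the template keeps the rendered output a string whatever the user passes: `error-log-level: {{ .Values.controller.config.errorLogLevel | quote }}`, and the `client-max-body-size` line touched just above it would benefit from the same treatment. The file also still ends without a trailing newline on the new side, which git will keep flagging on every later edit.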
@@ -56,6 +56,8 @@ controller:
 ## Max message size coming from the Client
 clientMaxBodySize: "20m"
+ ## Error
+ errorLogLevel: "error"
 ## It is recommended to use your own TLS certificates and keys
 defaultTLS:
 ## The base64-encoded TLS certificate for the default HTTPS server. If not specified, a pre-generated self-signed certificate is used.
diff --git a/tip-wlan/charts/wlan-portal-service/resources/config/logback.xml b/tip-wlan/charts/wlan-portal-service/resources/config/logback.xml
index d3fb020..5477e4d 100644
--- a/tip-wlan/charts/wlan-portal-service/resources/config/logback.xml
+++ b/tip-wlan/charts/wlan-portal-service/resources/config/logback.xml
@@ -7,7 +7,7 @@ - +
diff --git a/tip-wlan/charts/wlan-portal-service/templates/secret.yaml b/tip-wlan/charts/wlan-portal-service/templates/secret.yaml
new file mode 100644
index 0000000..f755517
--- /dev/null
+++ b/tip-wlan/charts/wlan-portal-service/templates/secret.yaml
@@ -0,0 +1,13 @@
+{{- if .Values.disableTLSv13.enabled }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "common.fullname" . }}-ssl-config
+ namespace: {{ include "common.namespace" . }}
+type: Opaque
+data:
+ ssl.properties: |-
+ {{ (.Files.Glob "resources/certs/ssl.properties").AsSecrets | indent 4 }}
+ sslEnabledProtocols=TLSv1.2,TLSv1.1,TLSv1
+ sslCiphers=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+{{- end }}
\ No newline at end of file
diff --git a/tip-wlan/charts/wlan-portal-service/templates/statefulset.yaml b/tip-wlan/charts/wlan-portal-service/templates/statefulset.yaml
index 9580827..195c360 100644
--- a/tip-wlan/charts/wlan-portal-service/templates/statefulset.yaml
+++ b/tip-wlan/charts/wlan-portal-service/templates/statefulset.yaml
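Review bot: The comment added above `errorLogLevel` reads only `## Error`, which says nothing about what the setting feeds or which values it accepts, while the neighbouring comments in this file do describe their key (`## Max message size coming from the Client`). Suggested replacement: `## Severity threshold for the NGINX error_log (debug|info|notice|warn|error|crit|alert|emerg); rendered as error-log-level in the controller ConfigMap`. The ConfigMap half is traceable to the controller-configmap.yaml hunk in this patch; the value set is nginx's error_log levels, so confirm it matches the ingress controller version the chart pins.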
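Review bot: `sslEnabledProtocols=TLSv1.2,TLSv1.1,TLSv1` in the new Secret does much more than the commit message's stated goal of turning off TLS 1.3: it also turns TLS 1.0 and 1.1 back on, both deprecated by RFC 8996, and the `sslCiphers` list leads with `TLS_RSA_WITH_AES_128_CBC_SHA256`, a static-RSA suite with no forward secrecy, followed by several CBC-SHA suites. If the requirement is only "no TLS 1.3", `sslEnabledProtocols=TLSv1.2` alone achieves it, and the suite list can be cut to the ECDHE/DHE GCM entries already present: `sslCiphers=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256`. The same two lines are carried unchanged into the secret rewrite in patch 2/4 and into resources/config/ssl.properties in patch 3/4, so one fix covers all three places. The `data:`/block-scalar/`AsSecrets` layout of this first version is reworked by the later patches in the series and needs no separate comment here.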
@@ -113,9 +113,12 @@ spec:
 - mountPath: /opt/tip-wlan/certs/server.pkcs12
 name: certificates
 subPath: server.pkcs12
- - mountPath: /app/portal/logback.xml
+ - mountPath: /app/portal/log
 name: logback-config
- subPath: logback.xml
+ {{- if .Values.disableTLSv13.enabled }}
+ - mountPath: /app/portal/certs
+ name: ssl-config
+ {{- end }}
 - mountPath: {{ $file_store_path }}
 name: file-store-data
 {{- include "jmxPrometheus.configVolumeMount" . | nindent 10 }}
@@ -155,6 +158,11 @@ spec:
 - name: logback-config
 configMap:
 name: {{ include "common.fullname" . }}-log-config
+ {{- if .Values.disableTLSv13.enabled }}
+ - name: ssl-config
+ secret:
+ secretName: {{ include "common.fullname" . }}-ssl-config
+ {{- end }}
 {{- if not .Values.persistence.enabled }}
 - name: file-store-data
 emptyDir: {}
diff --git a/tip-wlan/charts/wlan-portal-service/values.yaml b/tip-wlan/charts/wlan-portal-service/values.yaml
index abb0c78..c7e2d94 100644
--- a/tip-wlan/charts/wlan-portal-service/values.yaml
+++ b/tip-wlan/charts/wlan-portal-service/values.yaml
@@ -153,3 +153,6 @@ env:
 # on the PV
 filestore:
 internal: "/tmp/filestore"
+
+disableTLSv13:
+ enabled: false
\ No newline at end of file
diff --git a/tip-wlan/charts/wlan-prov-service/values.yaml b/tip-wlan/charts/wlan-prov-service/values.yaml
index 4505945..64b843a 100644
--- a/tip-wlan/charts/wlan-prov-service/values.yaml
+++ b/tip-wlan/charts/wlan-prov-service/values.yaml
@@ -128,7 +128,7 @@ affinity: {}
 postgresql:
 url: postgresql
- image: postgres:latest
+ image: postgres:11
 env:
 protocol: https
diff --git a/tip-wlan/example-values/microk8s-basic/values.yaml b/tip-wlan/example-values/microk8s-basic/values.yaml
index f004cf8..bf2b996 100644
--- a/tip-wlan/example-values/microk8s-basic/values.yaml
+++ b/tip-wlan/example-values/microk8s-basic/values.yaml
@@ -31,6 +31,8 @@ wlan-cloud-graphql-gw:
 enabled: true
 env:
 portalsvc: tip-wlan-wlan-portal-service:9051
+ service:
+ type: ClusterIP
 ingress:
 hosts:
 - host: wlan-ui-graphql.wlan.local
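Review bot: The new `ssl-config` mount at `/app/portal/certs` is neither read-only nor backed by a volume with restricted file permissions, and from patch 2/4 onward the file it delivers carries `keystorePass` and `truststorePass`; Kubernetes projects Secret files as 0644 unless told otherwise, so any process in the container can read them. Add `readOnly: true` to the mount in this hunk and, in the volumes hunk below it, `defaultMode: 0400` under the `secret:` block (YAML reads the bare `0400` as octal 256, the value the API server expects for mode 0400; this assumes the JVM runs as the owner of the projected files — check the pod's `runAsUser`/`fsGroup`). The logback mount also changes from the file `/app/portal/logback.xml` with `subPath` to the directory `/app/portal/log` without one, which moves where the application must look for logback.xml; nothing in this series shows the application side following, so presumably it already reads from that directory — confirm. The container spec this hunk sits in starts before the hunk.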
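Review bot: Replacing `postgres:latest` with `image: postgres:11` is an improvement, but `postgres:11` is still a floating tag that is re-pointed at every 11.x patch release, so two installs of the same chart version can pull different images and an upgrade is not reproducible. Pin to the full version and preferably a digest, e.g. `image: postgres:11.<PATCH>@sha256:<DIGEST>` (placeholders — take the real values from the registry when chosen), and add a one-line comment stating why the major version is fixed. Whether wlan-prov-service actually depends on PostgreSQL 11 specifically is not visible in this patch.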
@@ -45,8 +47,6 @@ wlan-cloud-static-portal:
 enabled: true
 env:
 graphql: https://wlan-ui-graphql.wlan.local
- service:
- type: NodePort
 ingress:
 hosts:
 - host: wlan-ui.wlan.local
@@ -67,6 +67,8 @@ wlan-portal-service:
 type: LoadBalancer
 annotations:
 metallb.universe.tf/allow-shared-ip: default
+ disableTLSv13:
+ enabled: true
 wlan-prov-service:
 enabled: true
From 98e29d4f21ee454111c7199b1aafba70787b10a4 Mon Sep 17 00:00:00 2001
From: Rahul Sharma
Date: Fri, 19 Feb 2021 18:24:38 -0500
Subject: [PATCH 2/4] WIFI-1319: Adding ssl.properties directly
---
 .../wlan-portal-service/templates/secret.yaml | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/tip-wlan/charts/wlan-portal-service/templates/secret.yaml b/tip-wlan/charts/wlan-portal-service/templates/secret.yaml
index f755517..4e3db5b 100644
--- a/tip-wlan/charts/wlan-portal-service/templates/secret.yaml
+++ b/tip-wlan/charts/wlan-portal-service/templates/secret.yaml
@@ -7,7 +7,18 @@ metadata:
 type: Opaque
 data:
 ssl.properties: |-
- {{ (.Files.Glob "resources/certs/ssl.properties").AsSecrets | indent 4 }}
+ truststorePass={{ .Values.global.certificatePasswords.sslTruststore }}
+ truststoreFile=file:///opt/tip-wlan/certs/truststore.jks
+ truststoreType=JKS
+ truststoreProvider=SUN
+
+ keyAlias=1
+ keystorePass={{ .Values.global.certificatePasswords.sslKeystore }}
+ keystoreFile=file:///opt/tip-wlan/certs/server.pkcs12
+ keystoreType=pkcs12
+ keystoreProvider=SunJSSE
+
+ sslProtocol=TLS
 sslEnabledProtocols=TLSv1.2,TLSv1.1,TLSv1
 sslCiphers=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 {{- end }}
\ No newline at end of file
From f8161542cf058efd608d3bfdb3c6bc2552fc9be3 Mon Sep 17 00:00:00 2001
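Review bot: The rewritten `ssl.properties` value sits under `data:`, which the API server requires to be base64-encoded, so a plain `|-` block scalar there fails validation and this Secret cannot be applied as committed (patch 3/4 in this series switches to `| b64enc`, which resolves it; `stringData:` would have been the other option). `keyAlias=1` is hard-coded for `server.pkcs12` — that is typically the alias a keystore gets when exported by OpenSSL without a friendly name, but a keystore built any other way will carry a different alias and the server will not find its key at startup — so the assumption deserves a comment on that line, e.g. `# alias of the server entry in server.pkcs12 (OpenSSL's default when no -name is given)`. The `{{- if .Values.disableTLSv13.enabled }}` guard enclosing this hunk starts before it.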
From: Rahul Sharma
Date: Fri, 19 Feb 2021 18:36:12 -0500
Subject: [PATCH 3/4] Moving Ssl.properties out of Secret and reading it instead as a file
---
 .../resources/config/ssl.properties | 14 ++++++++++++++
 .../wlan-portal-service/templates/secret.yaml | 16 +---------------
 2 files changed, 15 insertions(+), 15 deletions(-)
 create mode 100644 tip-wlan/charts/wlan-portal-service/resources/config/ssl.properties
diff --git a/tip-wlan/charts/wlan-portal-service/resources/config/ssl.properties b/tip-wlan/charts/wlan-portal-service/resources/config/ssl.properties
new file mode 100644
index 0000000..deb1fd6
--- /dev/null
+++ b/tip-wlan/charts/wlan-portal-service/resources/config/ssl.properties
@@ -0,0 +1,14 @@
+truststorePass={{ .Values.global.certificatePasswords.sslTruststore }}
+truststoreFile=file:///opt/tip-wlan/certs/truststore.jks
+truststoreType=JKS
+truststoreProvider=SUN
+
+keyAlias=1
+keystorePass={{ .Values.global.certificatePasswords.sslKeystore }}
+keystoreFile=file:///opt/tip-wlan/certs/server.pkcs12
+keystoreType=pkcs12
+keystoreProvider=SunJSSE
+
+sslProtocol=TLS
+sslEnabledProtocols=TLSv1.2,TLSv1.1,TLSv1
+sslCiphers=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA
diff --git a/tip-wlan/charts/wlan-portal-service/templates/secret.yaml b/tip-wlan/charts/wlan-portal-service/templates/secret.yaml
index 4e3db5b..458b018 100644
--- a/tip-wlan/charts/wlan-portal-service/templates/secret.yaml
+++ b/tip-wlan/charts/wlan-portal-service/templates/secret.yaml
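Review bot: `truststorePass` and `keystorePass` are interpolated straight from `.Values.global.certificatePasswords.*` with no `required` guard, so a deployment that omits them renders a file with an empty (or `<no value>`) password and the failure only surfaces at TLS startup as an opaque keystore error. Because this file is rendered through `tpl` in the secret.yaml hunk of the same patch, Helm's `required` works here: `keystorePass={{ required "global.certificatePasswords.sslKeystore must be set" .Values.global.certificatePasswords.sslKeystore }}`, with the matching change on the truststore line. Whether the parent chart already defaults these values is not visible in this patch; if it does, the guard is harmless. The protocol and cipher lines are the ones copied from patch 1/4 and carry the issues raised there.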
@@ -6,19 +6,5 @@ metadata:
 namespace: {{ include "common.namespace" . }}
 type: Opaque
 data:
- ssl.properties: |-
- truststorePass={{ .Values.global.certificatePasswords.sslTruststore }}
- truststoreFile=file:///opt/tip-wlan/certs/truststore.jks
- truststoreType=JKS
- truststoreProvider=SUN
-
- keyAlias=1
- keystorePass={{ .Values.global.certificatePasswords.sslKeystore }}
- keystoreFile=file:///opt/tip-wlan/certs/server.pkcs12
- keystoreType=pkcs12
- keystoreProvider=SunJSSE
-
- sslProtocol=TLS
- sslEnabledProtocols=TLSv1.2,TLSv1.1,TLSv1
- sslCiphers=TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_RSA_WITH_AES_128_CBC_SHA
+ ssl.properties: {{ tpl ( .Files.Get "resources/config/ssl.properties" ) . | b64enc }}
 {{- end }}
\ No newline at end of file
From b833901b14b21663c4951d0b34349838c4380c92 Mon Sep 17 00:00:00 2001
From: Rahul Sharma
Date: Fri, 19 Feb 2021 22:22:26 -0500
Subject: [PATCH 4/4] WIFI-1319: Renaming tlsv1.3 flag
---
 tip-wlan/charts/wlan-portal-service/templates/secret.yaml | 2 +-
 .../charts/wlan-portal-service/templates/statefulset.yaml | 4 ++--
 tip-wlan/charts/wlan-portal-service/values.yaml | 4 ++--
 tip-wlan/example-values/microk8s-basic/values.yaml | 4 ++--
 4 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/tip-wlan/charts/wlan-portal-service/templates/secret.yaml b/tip-wlan/charts/wlan-portal-service/templates/secret.yaml
index 458b018..b825360 100644
--- a/tip-wlan/charts/wlan-portal-service/templates/secret.yaml
+++ b/tip-wlan/charts/wlan-portal-service/templates/secret.yaml
@@ -1,4 +1,4 @@
-{{- if .Values.disableTLSv13.enabled }}
+{{- if not .Values.tlsv13.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
diff --git a/tip-wlan/charts/wlan-portal-service/templates/statefulset.yaml b/tip-wlan/charts/wlan-portal-service/templates/statefulset.yaml
index 195c360..3cc20a8 100644
--- a/tip-wlan/charts/wlan-portal-service/templates/statefulset.yaml
+++ b/tip-wlan/charts/wlan-portal-service/templates/statefulset.yaml
@@ -115,7 +115,7 @@ spec:
 subPath: server.pkcs12
 - mountPath: /app/portal/log
 name: logback-config
- {{- if .Values.disableTLSv13.enabled }}
+ {{- if not .Values.tlsv13.enabled }}
 - mountPath: /app/portal/certs
 name: ssl-config
 {{- end }}
@@ -158,7 +158,7 @@ spec:
 - name: logback-config
 configMap:
 name: {{ include "common.fullname" . }}-log-config
- {{- if .Values.disableTLSv13.enabled }}
+ {{- if not .Values.tlsv13.enabled }}
 - name: ssl-config
 secret:
 secretName: {{ include "common.fullname" . }}-ssl-config
diff --git a/tip-wlan/charts/wlan-portal-service/values.yaml b/tip-wlan/charts/wlan-portal-service/values.yaml
index c7e2d94..e2be02f 100644
--- a/tip-wlan/charts/wlan-portal-service/values.yaml
+++ b/tip-wlan/charts/wlan-portal-service/values.yaml
@@ -154,5 +154,5 @@ env:
 filestore:
 internal: "/tmp/filestore"
-disableTLSv13:
- enabled: false
\ No newline at end of file
+tlsv13:
+ enabled: true
\ No newline at end of file
diff --git a/tip-wlan/example-values/microk8s-basic/values.yaml b/tip-wlan/example-values/microk8s-basic/values.yaml
index bf2b996..0571842 100644
--- a/tip-wlan/example-values/microk8s-basic/values.yaml
+++ b/tip-wlan/example-values/microk8s-basic/values.yaml
@@ -67,8 +67,8 @@ wlan-portal-service:
 type: LoadBalancer
 annotations:
 metallb.universe.tf/allow-shared-ip: default
- disableTLSv13:
- enabled: true
+ tlsv13:
+ enabled: false
 wlan-prov-service:
 enabled: true
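Review bot: `tlsv13:` / `enabled: true` lands in values.yaml without a comment, yet the secret.yaml and statefulset.yaml hunks earlier in this patch show that flipping it to false has a non-obvious effect: it mounts a generated ssl.properties that pins the portal's TLS listener to TLS 1.2 and older with a fixed cipher list. Operators turning it off should be told that here, e.g. a comment above the key: `## When false, mount a generated ssl.properties that limits the portal's TLS listener to TLSv1.2 (and older) with a fixed cipher list; the microk8s example values set this to false. Leave true unless a client cannot negotiate TLS 1.3.` The value key is also renamed here while the chart still lacks a trailing newline on both sides of this hunk, which the same edit could fix.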