git commit -m "fix: configure PuppetDB HTTPS connections and add Puppetboard SSL support (#50)
- Update PuppetDB connections from HTTP (8080) to HTTPS (8081) - Add automatic certificate generation for Puppetboard using Puppet CA - Implement initContainers for proper certificate provisioning before app start - Add dedicated PVC for Puppetboard certificates with RWX access - Configure SSL verification and client authentication for secure PuppetDB access Reviewed-on: #50
This commit was merged in pull request #50.
@@ -11,7 +11,10 @@ metadata:
|
|||||||
namespace: puppet
|
namespace: puppet
|
||||||
data:
|
data:
|
||||||
PUPPETDB_HOST: "puppetdb"
|
PUPPETDB_HOST: "puppetdb"
|
||||||
PUPPETDB_PORT: "8080"
|
PUPPETDB_PORT: "8081"
|
||||||
|
PUPPETDB_SSL_VERIFY: "/opt/puppetboard/ssl/ca.pem"
|
||||||
|
PUPPETDB_KEY: "/opt/puppetboard/ssl/puppetboard.key"
|
||||||
|
PUPPETDB_CERT: "/opt/puppetboard/ssl/puppetboard.pem"
|
||||||
LOGLEVEL: "info"
|
LOGLEVEL: "info"
|
||||||
PUPPETDB_TIMEOUT: "20"
|
PUPPETDB_TIMEOUT: "20"
|
||||||
UNRESPONSIVE_HOURS: "3"
|
UNRESPONSIVE_HOURS: "3"
|
||||||
|
|||||||
@@ -12,7 +12,7 @@ metadata:
|
|||||||
data:
|
data:
|
||||||
OPENVOXSERVER_PORT: "8140"
|
OPENVOXSERVER_PORT: "8140"
|
||||||
DNS_ALT_NAMES: "puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet,puppet.k8s.syd1.au.unkin.net"
|
DNS_ALT_NAMES: "puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet,puppet.k8s.syd1.au.unkin.net"
|
||||||
OPENVOXDB_SERVER_URLS: "http://puppetdb:8080"
|
OPENVOXDB_SERVER_URLS: "https://puppetdb:8081"
|
||||||
CA_ENABLED: "false"
|
CA_ENABLED: "false"
|
||||||
CA_HOSTNAME: "puppetca"
|
CA_HOSTNAME: "puppetca"
|
||||||
CA_PORT: "8140"
|
CA_PORT: "8140"
|
||||||
|
|||||||
@@ -13,6 +13,6 @@ data:
|
|||||||
OPENVOXSERVER_HOSTNAME: "puppet"
|
OPENVOXSERVER_HOSTNAME: "puppet"
|
||||||
OPENVOXSERVER_PORT: "8140"
|
OPENVOXSERVER_PORT: "8140"
|
||||||
DNS_ALT_NAMES: "puppet,puppetserver-agents-to-puppet,puppetca,puppet-headless,puppetca.k8s.syd1.au.unkin.net,puppet.k8s.syd1.au.unkin.net"
|
DNS_ALT_NAMES: "puppet,puppetserver-agents-to-puppet,puppetca,puppet-headless,puppetca.k8s.syd1.au.unkin.net,puppet.k8s.syd1.au.unkin.net"
|
||||||
OPENVOXDB_SERVER_URLS: "http://puppetdb:8080"
|
OPENVOXDB_SERVER_URLS: "https://puppetdb:8081"
|
||||||
CA_ALLOW_SUBJECT_ALT_NAMES: "true"
|
CA_ALLOW_SUBJECT_ALT_NAMES: "true"
|
||||||
PUPPETSERVER_JAVA_ARGS: "-Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
|
PUPPETSERVER_JAVA_ARGS: "-Xms1024m -Xmx3072m -Dcom.sun.management.jmxremote.port=31000 -Dcom.sun.management.jmxremote.authenticate=false -Dcom.sun.management.jmxremote.ssl=false"
|
||||||
|
|||||||
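Review bot: `PUPPETSERVER_JAVA_ARGS` on the new side of this hunk still starts a JMX remote listener on port 31000 with `jmxremote.authenticate=false` and `jmxremote.ssl=false`; that line is unchanged context rather than part of this commit, but it sits oddly next to a change that moves PuppetDB traffic onto mutually authenticated TLS. Whether the port is reachable beyond the pod cannot be seen here (no Service or NetworkPolicy is in the diff); if it is, enabling `-Dcom.sun.management.jmxremote.authenticate=true` and `-Dcom.sun.management.jmxremote.ssl=true`, or restricting the listener to the pod, is the usual mitigation. A one-line comment in the ConfigMap recording why the listener is unauthenticated (e.g. `# JMX is reachable only from inside the pod network; tighten if exposed`) would at least make the trade-off explicit.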
@@ -29,6 +29,110 @@ spec:
|
|||||||
app.kubernetes.io/version: 8.8.0
|
app.kubernetes.io/version: 8.8.0
|
||||||
spec:
|
spec:
|
||||||
enableServiceLinks: false
|
enableServiceLinks: false
|
||||||
|
initContainers:
|
||||||
|
- name: wait-puppetserver
|
||||||
|
image: curlimages/curl:8.11.1
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
command:
|
||||||
|
- sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
echo 'Waiting for puppetserver to become ready...'
|
||||||
|
until printf "." && curl --silent --fail --insecure 'https://puppetca:8140/status/v1/simple' | grep -q '^running$'; do
|
||||||
|
sleep 2;
|
||||||
|
done;
|
||||||
|
echo 'Puppetserver OK ✓'
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 20m
|
||||||
|
memory: 32Mi
|
||||||
|
requests:
|
||||||
|
cpu: 20m
|
||||||
|
memory: 32Mi
|
||||||
|
- name: cert-generator
|
||||||
|
image: git.unkin.net/unkin/almalinux9-base:20260308
|
||||||
|
imagePullPolicy: IfNotPresent
|
||||||
|
command:
|
||||||
|
- sh
|
||||||
|
- -c
|
||||||
|
- |
|
||||||
|
set -e
|
||||||
|
|
||||||
|
# Set the hostname for the certificate
|
||||||
|
HOSTNAME="puppetboard"
|
||||||
|
CERT_DIR="/opt/puppetboard/ssl"
|
||||||
|
|
||||||
|
# Create certificate directory
|
||||||
|
mkdir -p ${CERT_DIR}
|
||||||
|
|
||||||
|
# Check if certificates already exist
|
||||||
|
if [ -f "${CERT_DIR}/${HOSTNAME}.pem" ] && [ -f "${CERT_DIR}/${HOSTNAME}.key" ] && [ -f "${CERT_DIR}/ca.pem" ]; then
|
||||||
|
echo "Certificates already exist for ${HOSTNAME}, skipping generation"
|
||||||
|
exit 0
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Request certificate from Puppet CA for Puppetboard
|
||||||
|
echo "Requesting certificate for ${HOSTNAME} from puppetca service"
|
||||||
|
|
||||||
|
# Generate private key
|
||||||
|
openssl genrsa -out ${CERT_DIR}/${HOSTNAME}.key 2048
|
||||||
|
|
||||||
|
# Create certificate signing request (CSR)
|
||||||
|
openssl req -new -key ${CERT_DIR}/${HOSTNAME}.key \
|
||||||
|
-out /tmp/${HOSTNAME}.csr \
|
||||||
|
-subj "/CN=${HOSTNAME}"
|
||||||
|
|
||||||
|
# Submit CSR to Puppet CA
|
||||||
|
echo "Submitting certificate request to Puppet CA..."
|
||||||
|
curl -X PUT \
|
||||||
|
--insecure \
|
||||||
|
--data-binary @/tmp/${HOSTNAME}.csr \
|
||||||
|
-H "Content-Type: text/plain" \
|
||||||
|
https://puppetca:8140/puppet-ca/v1/certificate_request/${HOSTNAME}
|
||||||
|
|
||||||
|
# Wait for certificate to be signed (poll the CA)
|
||||||
|
echo "Waiting for certificate to be signed..."
|
||||||
|
for i in {1..30}; do
|
||||||
|
if curl --insecure -f -s https://puppetca:8140/puppet-ca/v1/certificate/${HOSTNAME} > ${CERT_DIR}/${HOSTNAME}.pem; then
|
||||||
|
echo "Certificate received for ${HOSTNAME}"
|
||||||
|
break
|
||||||
|
fi
|
||||||
|
echo "Attempt $i: Certificate not ready yet, waiting 10 seconds..."
|
||||||
|
sleep 10
|
||||||
|
done
|
||||||
|
|
||||||
|
# Verify we got the certificate
|
||||||
|
if [ ! -f "${CERT_DIR}/${HOSTNAME}.pem" ] || [ ! -s "${CERT_DIR}/${HOSTNAME}.pem" ]; then
|
||||||
|
echo "Failed to obtain certificate for ${HOSTNAME}"
|
||||||
|
exit 1
|
||||||
|
fi
|
||||||
|
|
||||||
|
# Get CA certificate
|
||||||
|
curl --insecure -f https://puppetca:8140/puppet-ca/v1/certificate/ca > ${CERT_DIR}/ca.pem
|
||||||
|
|
||||||
|
# Set appropriate permissions
|
||||||
|
chmod 644 ${CERT_DIR}/${HOSTNAME}.pem
|
||||||
|
chmod 600 ${CERT_DIR}/${HOSTNAME}.key
|
||||||
|
chmod 644 ${CERT_DIR}/ca.pem
|
||||||
|
|
||||||
|
# Change ownership to puppetboard user (1000:1000)
|
||||||
|
chown -R 1000:1000 ${CERT_DIR}
|
||||||
|
|
||||||
|
echo "Certificate generation completed for ${HOSTNAME}"
|
||||||
|
volumeMounts:
|
||||||
|
- name: puppetboard-certs
|
||||||
|
mountPath: /opt/puppetboard/ssl
|
||||||
|
resources:
|
||||||
|
limits:
|
||||||
|
cpu: 100m
|
||||||
|
memory: 128Mi
|
||||||
|
requests:
|
||||||
|
cpu: 50m
|
||||||
|
memory: 64Mi
|
||||||
|
securityContext:
|
||||||
|
runAsUser: 0
|
||||||
|
runAsGroup: 0
|
||||||
|
allowPrivilegeEscalation: true
|
||||||
containers:
|
containers:
|
||||||
- name: puppetboard
|
- name: puppetboard
|
||||||
image: ghcr.io/voxpupuli/puppetboard:7.0.1
|
image: ghcr.io/voxpupuli/puppetboard:7.0.1
|
||||||
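Review bot: In the cert-generator script the CA certificate that later becomes Puppetboard's trust anchor (`PUPPETDB_SSL_VERIFY` in the ConfigMap hunk) is fetched with `curl --insecure` only after the CSR has been submitted and the signed certificate retrieved over unverified TLS, and the result is persisted on a ReadWriteMany PVC, so a single bad first run is trusted by every later pod start. Fetching `ca.pem` first and passing `--cacert` to the CSR submission and the certificate poll reduces this to one trust-on-first-use request, and mounting the CA from an existing in-cluster source would remove it entirely. The early-exit check also tests with `-f`, so a zero-byte `ca.pem` left behind when `set -e` aborts the script after a failed CA fetch (the shell redirect creates the file before curl fails) satisfies the check forever; `-s` is the right test. The container runs as uid 0 only to `chown` the directory, so a pod-level `fsGroup: 1000` would let it run unprivileged, and `allowPrivilegeEscalation: true` is not needed by a process that is already root. `for i in {1..30}` is a bash-ism that silently runs once under a POSIX `sh`; the rewrite below uses a counter loop instead.
```yaml
            - |
              set -e
              HOSTNAME="puppetboard"
              CERT_DIR="/opt/puppetboard/ssl"
              mkdir -p ${CERT_DIR}

              # -s, not -f: a zero-byte file left by a failed run must not satisfy
              # this check on the next start (the PVC persists across restarts).
              if [ -s "${CERT_DIR}/${HOSTNAME}.pem" ] && [ -s "${CERT_DIR}/${HOSTNAME}.key" ] && [ -s "${CERT_DIR}/ca.pem" ]; then
                echo "Certificates already exist for ${HOSTNAME}, skipping generation"
                exit 0
              fi

              # Fetch the CA bundle first; every later request is verified against it.
              # This one fetch is still trust-on-first-use -- mount the CA from an
              # existing in-cluster source instead if one is available.
              rm -f ${CERT_DIR}/ca.pem
              curl --insecure -f -s https://puppetca:8140/puppet-ca/v1/certificate/ca -o ${CERT_DIR}/ca.pem || true
              if [ ! -s "${CERT_DIR}/ca.pem" ]; then
                echo "Failed to obtain CA certificate from puppetca"
                exit 1
              fi

              # … unchanged: private key generation and CSR creation …

              echo "Submitting certificate request to Puppet CA..."
              curl -X PUT \
                --cacert ${CERT_DIR}/ca.pem \
                --data-binary @/tmp/${HOSTNAME}.csr \
                -H "Content-Type: text/plain" \
                https://puppetca:8140/puppet-ca/v1/certificate_request/${HOSTNAME}

              echo "Waiting for certificate to be signed..."
              i=1
              while [ "$i" -le 30 ]; do
                if curl --cacert ${CERT_DIR}/ca.pem -f -s https://puppetca:8140/puppet-ca/v1/certificate/${HOSTNAME} > ${CERT_DIR}/${HOSTNAME}.pem; then
                  echo "Certificate received for ${HOSTNAME}"
                  break
                fi
                echo "Attempt $i: Certificate not ready yet, waiting 10 seconds..."
                sleep 10
                i=$((i + 1))
              done

              # … unchanged: non-empty certificate check, chmod and chown …
```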
@@ -56,3 +160,11 @@ spec:
|
|||||||
capabilities:
|
capabilities:
|
||||||
drop:
|
drop:
|
||||||
- all
|
- all
|
||||||
|
volumeMounts:
|
||||||
|
- name: puppetboard-certs
|
||||||
|
mountPath: /opt/puppetboard/ssl
|
||||||
|
readOnly: true
|
||||||
|
volumes:
|
||||||
|
- name: puppetboard-certs
|
||||||
|
persistentVolumeClaim:
|
||||||
|
claimName: puppetboard-certs
|
||||||
|
|||||||
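Review bot: With the `puppetboard-certs` volume now backed by a persistent claim, the cert-generator initContainer in the preceding hunk, which skips generation whenever the three files already exist, will never renew the Puppetboard certificate: once it expires, every restart keeps reusing it until someone deletes the files or the PVC by hand. A short expiry check before the early exit, e.g. `openssl x509 -checkend 2592000 -noout -in "${CERT_DIR}/${HOSTNAME}.pem" || rm -f "${CERT_DIR}/${HOSTNAME}.pem"`, would make a restart re-request a certificate that is within 30 days of expiry. The `readOnly: true` on the application container's mount is the right call and worth keeping.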
@@ -88,3 +88,21 @@ spec:
|
|||||||
requests:
|
requests:
|
||||||
storage: 1Gi
|
storage: 1Gi
|
||||||
storageClassName: cephrbd-fast-delete
|
storageClassName: cephrbd-fast-delete
|
||||||
|
---
|
||||||
|
apiVersion: v1
|
||||||
|
kind: PersistentVolumeClaim
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
app.kubernetes.io/component: puppetboard
|
||||||
|
app.kubernetes.io/instance: puppetserver
|
||||||
|
app.kubernetes.io/name: puppetserver
|
||||||
|
app.kubernetes.io/version: 8.8.0
|
||||||
|
name: puppetboard-certs
|
||||||
|
namespace: puppet
|
||||||
|
spec:
|
||||||
|
accessModes:
|
||||||
|
- ReadWriteMany
|
||||||
|
resources:
|
||||||
|
requests:
|
||||||
|
storage: 1Gi
|
||||||
|
storageClassName: cephfs-raid6-delete
|
||||||
|
|||||||
@@ -52,7 +52,7 @@ spec:
|
|||||||
- name: DNS_ALT_NAMES
|
- name: DNS_ALT_NAMES
|
||||||
value: puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net
|
value: puppetserver-compiler-0,puppetserver-compiler-1,puppetserver-compiler-2,puppetserver-compiler-3,puppetserver-compiler-4,puppet-headless,puppet,puppet.k8s.syd1.au.unkin.net
|
||||||
- name: OPENVOXDB_SERVER_URLS
|
- name: OPENVOXDB_SERVER_URLS
|
||||||
value: http://puppetdb:8080
|
value: https://puppetdb:8081
|
||||||
- name: CA_ENABLED
|
- name: CA_ENABLED
|
||||||
value: "false"
|
value: "false"
|
||||||
- name: CA_HOSTNAME
|
- name: CA_HOSTNAME
|
||||||
|
|||||||