Merge pull request #136 from synthesized-io/internal-tls

Enable optional internal TLS

Author: yruchin

charts/governor/templates/_helpers.tpl

@@ -0,0 +1,174 @@
+{{/*
+Envoy sidecar container template
+Usage: {{ include "governor.tlsInternal.sidecar" (dict "componentName" "api" "config" .Values.api "tlsInternal" .Values.envoy "hasHttpPort" true "hasGrpcPort" true) }}
+*/}}
+{{- define "governor.tlsInternal.sidecar" -}}
+- name: envoy-sidecar
+  image: "{{ .tlsInternal.image.repository }}:{{ .tlsInternal.image.tag }}"
+  imagePullPolicy: {{ .tlsInternal.image.pullPolicy }}
+  args:
+    - -c
+    - /etc/envoy/envoy.yaml
+    - --log-level
+    - {{ .tlsInternal.logLevel }}
+  ports:
+    {{- if .hasHttpPort }}
+    - name: https
+      containerPort: {{ .tlsInternal.ports.secureHttp }}
+      protocol: TCP
+    {{- end }}
+    {{- if .hasGrpcPort }}
+    - name: grpcs
+      containerPort: {{ .tlsInternal.ports.secureGrpc }}
+      protocol: TCP
+    {{- end }}
+    - name: admin
+      containerPort: {{ .tlsInternal.ports.admin }}
+      protocol: TCP
+  readinessProbe:
+    httpGet:
+      path: /ready
+      port: {{ .tlsInternal.ports.admin }}
+    initialDelaySeconds: 5
+    periodSeconds: 10
+  livenessProbe:
+    httpGet:
+      path: /ready
+      port: {{ .tlsInternal.ports.admin }}
+    initialDelaySeconds: 10
+    periodSeconds: 15
+  resources:
+    {{- toYaml .tlsInternal.resources | nindent 4 }}
+  volumeMounts:
+    - name: envoy-config
+      mountPath: /etc/envoy
+      readOnly: true
+    - name: tls-certs
+      mountPath: /etc/envoy/certs
+      readOnly: true
+{{- end }}
+
+{{/*
+Envoy init container to wait for certificates
+Usage: {{ include "governor.tlsInternal.initContainer" . }}
+*/}}
+{{- define "governor.tlsInternal.initContainer" -}}
+- name: wait-for-certs
+  image: busybox:1.36
+  command:
+    - /bin/sh
+    - -c
+    - |
+      echo "Waiting for TLS certificates..."
+      while [ ! -f /etc/envoy/certs/tls.crt ] || [ ! -f /etc/envoy/certs/tls.key ]; do
+        echo "Certificates not ready, waiting..."
+        sleep 2
+      done
+      echo "Certificates are ready!"
+  volumeMounts:
+    - name: tls-certs
+      mountPath: /etc/envoy/certs
+      readOnly: true
+{{- end }}
+
+{{/*
+Envoy volumes template
+Usage: {{ include "governor.tlsInternal.volumes" (dict "componentName" "api" "config" .Values.api "tlsInternal" .Values.envoy) }}
+*/}}
+{{- define "governor.tlsInternal.volumes" -}}
+- name: envoy-config
+  configMap:
+    name: {{ .config.name }}-envoy-config
+- name: tls-certs
+  secret:
+    secretName: {{ .config.name }}-tls
+{{- end }}
+
+{{/*
+Envoy HTTP router filter (used in all listeners)
+*/}}
+{{- define "governor.envoy.httpRouter" -}}
+- name: envoy.filters.http.router
+  typed_config:
+    "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+{{- end }}
+
+{{/*
+Envoy downstream TLS context (for inbound TLS termination)
+*/}}
+{{- define "governor.envoy.downstreamTls" -}}
+transport_socket:
+  name: envoy.transport_sockets.tls
+  typed_config:
+    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
+    common_tls_context:
+      tls_certificates:
+        - certificate_chain:
+            filename: /etc/envoy/certs/tls.crt
+          private_key:
+            filename: /etc/envoy/certs/tls.key
+{{- end }}
+
+{{/*
+Envoy upstream TLS context (for egress with CA validation)
+*/}}
+{{- define "governor.envoy.upstreamTls" -}}
+transport_socket:
+  name: envoy.transport_sockets.tls
+  typed_config:
+    "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+    common_tls_context:
+      validation_context:
+        trusted_ca:
+          filename: /etc/envoy/certs/ca.crt
+{{- end }}
+
+{{/*
+Envoy gRPC egress listener to api (shared by front and agent)
+*/}}
+{{- define "governor.envoy.apiGrpcEgressListener" -}}
+- name: api_grpc_egress
+  address:
+    socket_address:
+      address: 127.0.0.1
+      port_value: {{ .egressGrpcPort }}
+  filter_chains:
+    - filters:
+        - name: envoy.filters.network.http_connection_manager
+          typed_config:
+            "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+            stat_prefix: api_grpc_egress
+            codec_type: HTTP2
+            route_config:
+              name: api_grpc_route
+              virtual_hosts:
+                - name: api_grpc_service
+                  domains: ["*"]
+                  routes:
+                    - match:
+                        prefix: "/"
+                      route:
+                        cluster: api_grpcs
+            http_filters:
+              {{- include "governor.envoy.httpRouter" . | nindent 14 }}
+{{- end }}
+
+{{/*
+Envoy api gRPCS upstream cluster (shared by front and agent)
+*/}}
+{{- define "governor.envoy.apiGrpcsCluster" -}}
+- name: api_grpcs
+  type: STRICT_DNS
+  connect_timeout: 5s
+  http2_protocol_options: {}
+  load_assignment:
+    cluster_name: api_grpcs
+    endpoints:
+      - lb_endpoints:
+          - endpoint:
+              address:
+                socket_address:
+                  address: {{ .apiName }}
+                  port_value: {{ .apiGrpcPort }}
+  {{- include "governor.envoy.upstreamTls" . | nindent 2 }}
+{{- end }}

charts/governor/templates/certificates.yaml

@@ -0,0 +1,76 @@
+{{- if .Values.tlsInternal.enabled }}
+---
+# Certificate for governor-api
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.api.name }}-cert
+  labels:
+    app: {{ .Values.api.name }}
+spec:
+  secretName: {{ .Values.api.name }}-tls
+  duration: {{ .Values.tlsInternal.certificates.duration }}
+  renewBefore: {{ .Values.tlsInternal.certificates.renewBefore }}
+  privateKey:
+    algorithm: {{ .Values.tlsInternal.certificates.privateKey.algorithm }}
+    size: {{ .Values.tlsInternal.certificates.privateKey.size }}
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - {{ .Values.api.name }}
+    - {{ .Values.api.name }}.{{ .Release.Namespace }}
+    - {{ .Values.api.name }}.{{ .Release.Namespace }}.svc
+    - {{ .Values.api.name }}.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    name: {{ .Values.tlsInternal.certificates.issuerRef.name }}
+    kind: {{ .Values.tlsInternal.certificates.issuerRef.kind }}
+---
+# Certificate for governor-front
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.front.name }}-cert
+  labels:
+    app: {{ .Values.front.name }}
+spec:
+  secretName: {{ .Values.front.name }}-tls
+  duration: {{ .Values.tlsInternal.certificates.duration }}
+  renewBefore: {{ .Values.tlsInternal.certificates.renewBefore }}
+  privateKey:
+    algorithm: {{ .Values.tlsInternal.certificates.privateKey.algorithm }}
+    size: {{ .Values.tlsInternal.certificates.privateKey.size }}
+  usages:
+    - server auth
+    - client auth
+  dnsNames:
+    - {{ .Values.front.name }}
+    - {{ .Values.front.name }}.{{ .Release.Namespace }}
+    - {{ .Values.front.name }}.{{ .Release.Namespace }}.svc
+    - {{ .Values.front.name }}.{{ .Release.Namespace }}.svc.cluster.local
+  issuerRef:
+    name: {{ .Values.tlsInternal.certificates.issuerRef.name }}
+    kind: {{ .Values.tlsInternal.certificates.issuerRef.kind }}
+---
+# Certificate for governor-agent
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.agent.name }}-cert
+  labels:
+    app: {{ .Values.agent.name }}
+spec:
+  secretName: {{ .Values.agent.name }}-tls
+  duration: {{ .Values.tlsInternal.certificates.duration }}
+  renewBefore: {{ .Values.tlsInternal.certificates.renewBefore }}
+  privateKey:
+    algorithm: {{ .Values.tlsInternal.certificates.privateKey.algorithm }}
+    size: {{ .Values.tlsInternal.certificates.privateKey.size }}
+  usages:
+    - client auth
+  dnsNames:
+    - {{ .Values.agent.name }}
+  issuerRef:
+    name: {{ .Values.tlsInternal.certificates.issuerRef.name }}
+    kind: {{ .Values.tlsInternal.certificates.issuerRef.kind }}
+{{- end }}

charts/governor/templates/configmap-agent.yaml

@@ -4,5 +4,18 @@ metadata:
   name: {{ .Values.agent.name }}-configmap
 data:
 {{- if .Values.agent.container.config }}
+{{- if .Values.tlsInternal.enabled }}
+  # Override API connection to use local Envoy egress
+  AGENT_SERVERHOST: '127.0.0.1'
+  AGENT_SERVERPORT: '{{ .Values.tlsInternal.ports.egressGrpc }}'
+  AGENT_USEPLAINTEXT: "true"
+  # Include other config values except the server connection ones
+  {{- range $key, $value := .Values.agent.container.config }}
+  {{- if and (ne $key "AGENT_SERVERHOST") (ne $key "AGENT_SERVERPORT") (ne $key "AGENT_USEPLAINTEXT") }}
+  {{ $key }}: {{ $value | quote }}
+  {{- end }}
+  {{- end }}
+{{- else }}
 {{ toYaml .Values.agent.container.config | indent 2}}
 {{- end }}
+{{- end }}

charts/governor/templates/configmap-envoy-agent.yaml

@@ -0,0 +1,22 @@
+{{- if .Values.tlsInternal.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.agent.name }}-envoy-config
+  labels:
+    app: {{ .Values.agent.name }}
+data:
+  envoy.yaml: |
+    admin:
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: {{ .Values.tlsInternal.ports.admin }}
+
+    static_resources:
+      listeners:
+        {{- include "governor.envoy.apiGrpcEgressListener" (dict "egressGrpcPort" .Values.tlsInternal.ports.egressGrpc) | nindent 8 }}
+
+      clusters:
+        {{- include "governor.envoy.apiGrpcsCluster" (dict "apiName" .Values.api.name "apiGrpcPort" .Values.api.service.grpcPort) | nindent 8 }}
+{{- end }}

charts/governor/templates/configmap-envoy-api.yaml

@@ -0,0 +1,101 @@
+{{- if .Values.tlsInternal.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Values.api.name }}-envoy-config
+  labels:
+    app: {{ .Values.api.name }}
+data:
+  envoy.yaml: |
+    admin:
+      address:
+        socket_address:
+          address: 0.0.0.0
+          port_value: {{ .Values.tlsInternal.ports.admin }}
+
+    static_resources:
+      listeners:
+        # HTTPS inbound listener (for front -> api HTTP calls)
+        - name: https_inbound
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: {{ .Values.tlsInternal.ports.secureHttp }}
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.http_connection_manager
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                    stat_prefix: https_inbound
+                    codec_type: AUTO
+                    route_config:
+                      name: local_route
+                      virtual_hosts:
+                        - name: local_service
+                          domains: ["*"]
+                          routes:
+                            - match:
+                                prefix: "/"
+                              route:
+                                cluster: local_http
+                    http_filters:
+                      {{- include "governor.envoy.httpRouter" . | nindent 22 }}
+              {{- include "governor.envoy.downstreamTls" . | nindent 14 }}
+
+        # gRPCS inbound listener (for agent -> api and front -> api gRPC calls)
+        - name: grpcs_inbound
+          address:
+            socket_address:
+              address: 0.0.0.0
+              port_value: {{ .Values.tlsInternal.ports.secureGrpc }}
+          filter_chains:
+            - filters:
+                - name: envoy.filters.network.http_connection_manager
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                    stat_prefix: grpcs_inbound
+                    codec_type: HTTP2
+                    route_config:
+                      name: grpc_route
+                      virtual_hosts:
+                        - name: grpc_service
+                          domains: ["*"]
+                          routes:
+                            - match:
+                                prefix: "/"
+                              route:
+                                cluster: local_grpc
+                    http_filters:
+                      {{- include "governor.envoy.httpRouter" . | nindent 22 }}
+              {{- include "governor.envoy.downstreamTls" . | nindent 14 }}
+
+      clusters:
+        # Local HTTP backend (api container)
+        - name: local_http
+          type: STATIC
+          connect_timeout: 5s
+          load_assignment:
+            cluster_name: local_http
+            endpoints:
+              - lb_endpoints:
+                  - endpoint:
+                      address:
+                        socket_address:
+                          address: 127.0.0.1
+                          port_value: {{ .Values.api.container.port }}
+
+        # Local gRPC backend (api container)
+        - name: local_grpc
+          type: STATIC
+          connect_timeout: 5s
+          http2_protocol_options: {}
+          load_assignment:
+            cluster_name: local_grpc
+            endpoints:
+              - lb_endpoints:
+                  - endpoint:
+                      address:
+                        socket_address:
+                          address: 127.0.0.1
+                          port_value: {{ .Values.api.container.grpcPort }}
+{{- end }}