feat: using certificate auth
ansgarschulte committed Aug 23, 2023
1 parent 84132cb commit d74670d
Showing 11 changed files with 421 additions and 58 deletions.
24 changes: 24 additions & 0 deletions CONTRIBUTING.md
Expand Up @@ -39,6 +39,30 @@ Changing the Helm chart without bumping the version will result in the following
Error: error creating GitHub release steadybit-extension-azure-1.0.0: POST https://api.github.com/repos/steadybit/extension-azure/releases: 422 Validation Failed [{Resource:Release Field:tag_name Code:already_exists Message:}]
```

## Generate self signed certificate for testing purposes

```sh
# install new OpenSSL
brew install openssl

# generate private key and enter pass phrase
openssl genrsa -des3 -out private_key.pem 2048

# create certificate signing request, enter "*.example.com" as a "Common Name", leave "challenge password" blank
openssl req -new -sha256 -key private_key.pem -out server.csr

# generate self-signed certificate for 1 year
openssl req -x509 -sha256 -days 365 -key private_key.pem -in server.csr -out server.pem

# validate the certificate
openssl req -in server.csr -text -noout | grep -i "Signature.*SHA256" && echo "All is well" || echo "This certificate doesn't work in 2017! You must update OpenSSL to generate a widely-compatible certificate"

# reformat to pkcs12 because azure lib needs that
openssl pkcs12 -certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -export -macalg sha1 -out cert.p12 -in server.pem -inkey private_key.pem

# use the cert.p12 in the config as STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION
```

## Contributor License Agreement (CLA)

In order to accept your pull request, we need you to submit a CLA. You only need to do this once. If you are submitting a pull request for the first time, just submit a Pull Request and our CLA Bot will give you instructions on how to sign the CLA before merging your Pull Request.
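Review bot: the "validate the certificate" step inspects the CSR (`openssl req -in server.csr`), not the certificate produced by the preceding command, so it cannot catch a problem in `server.pem`; check the generated certificate instead, e.g. `openssl x509 -in server.pem -text -noout | grep -i "Signature.*SHA256"`, and drop the "doesn't work in 2017" message, which is stale. Two smaller points: the pkcs12 step pins legacy algorithms (`-certpbe PBE-SHA1-3DES -keypbe PBE-SHA1-3DES -macalg sha1`) with only "azure lib needs that" as justification; name the library and the limitation so the flags are not "modernised" later by someone on OpenSSL 3, which defaults to different algorithms. And `brew install openssl` is macOS-specific; say so. Since `private_key.pem`, `server.csr`, `server.pem` and `cert.p12` are written to the working directory, make sure they are covered by .gitignore.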
17 changes: 10 additions & 7 deletions README.md
Expand Up @@ -8,18 +8,21 @@ Learn about the capabilities of this extension in our [Reliability Hub](https://

## Configuration

| Environment Variable | Helm value | Meaning | Required | Default |
|-------------------------|------------|-----------------------|----------|---------|
| `AZURE_CLIENT_ID` | | Azure Client Id | yes | |
| `AZURE_CLIENT_SECRET` | | Azure Client Secret | yes | |
| `AZURE_SUBSCRIPTION_ID` | | Azure Subscription ID | yes | |
| `AZURE_TENANT_ID` | | Azure Tenant ID | yes | |
| Environment Variable | Helm value | Meaning | Required | Default |
|--------------------------------------------------|------------|--------------------------------------------------------------|----------|---------|
| `AZURE_CLIENT_ID` | | Azure Client Id | true | |
| `AZURE_TENANT_ID` | | Azure Tenant ID | true | |
| `AZURE_CLIENT_SECRET` | | Azure Client Secret | false | |
| `AZURE_SUBSCRIPTION_ID` | | Azure Subscription ID | false | |
| `STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION` | | Location of a certificate used to authenticate to azure | false | |
| `STEADYBIT_EXTENSION_AZURE_CERTIFICATE_PASSWORD` | | Passphrase for the certificate used to authenticate to azure | false | |


The extension supports all environment variables provided by [steadybit/extension-kit](https://github.com/steadybit/extension-kit#environment-variables).

The obtain the needed azure keys, please refer to this documentation: https://github.com/Azure-Samples/azure-sdk-for-go-samples/tree/main and
The obtain the needed azure keys, please refer to this documentation:
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal#get-tenant-and-app-id-values-for-signing-in

## Installation

### Using Docker
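Review bot: the Helm value column is still empty for every row even though the chart now reads `azure.clientID`, `azure.tenantID`, `azure.clientSecret`, `azure.subscriptionID`, `azure.certificatePath` and `azure.certificatePassword` (see the deployment.yaml change in this commit); fill those in. The table also does not explain how the two authentication methods relate: `AZURE_CLIENT_SECRET` and the two `STEADYBIT_EXTENSION_AZURE_CERTIFICATE_*` variables are all marked `false`, so a reader cannot tell whether one of the two methods is mandatory or what happens when both are set; a sentence below the table would settle that. `AZURE_SUBSCRIPTION_ID` flips from required to optional without a word in the commit message; confirm that is intended. Finally, the new line still carries the typo "The obtain" (should be "To obtain").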
2 changes: 1 addition & 1 deletion chartTesting.yaml
Expand Up @@ -5,4 +5,4 @@ chart-dirs:
- charts
chart-repos:
- steadybit=https://steadybit.github.io/helm-charts
helm-extra-args: --timeout 600s
#helm-extra-args: --timeout 600s
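Review bot: `helm-extra-args: --timeout 600s` is commented out rather than removed, and neither the commit message nor the CONTRIBUTING change explains why; if the longer timeout is no longer needed, delete the line, otherwise keep it active, since a commented-out setting in chartTesting.yaml tends to be restored blindly the next time chart tests time out.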
2 changes: 1 addition & 1 deletion charts/steadybit-extension-azure/Chart.yaml
@@ -1,7 +1,7 @@
apiVersion: v2
name: steadybit-extension-azure
description: Steadybit scaffold extension Helm chart for Kubernetes.
version: 1.0.0
version: 1.0.1
appVersion: latest
home: https://www.steadybit.com/
icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png
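Review bot: this commit adds new chart values and is labelled `feat:`, so a minor bump to 1.1.0 fits semantic versioning better than the patch bump to 1.0.1; either way the bump satisfies the rule quoted in CONTRIBUTING.md. While in this file: `description` still reads "Steadybit scaffold extension Helm chart", which is leftover scaffold text for what is now the Azure extension chart.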
12 changes: 12 additions & 0 deletions charts/steadybit-extension-azure/templates/deployment.yaml
Expand Up @@ -41,6 +41,18 @@ spec:
memory: {{ .Values.resources.limits.memory }}
cpu: {{ .Values.resources.limits.cpu }}
env:
- name: AZURE_CLIENT_ID
value: {{ .Values.azure.clientID | quote }}
- name: AZURE_TENANT_ID
value: {{ .Values.azure.tenantID | quote }}
- name: AZURE_CLIENT_SECRET
value: {{ .Values.azure.clientSecret | quote }}
- name: AZURE_SUBSCRIPTION_ID
value: {{ .Values.azure.subscriptionID | quote }}
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION
value: {{ .Values.azure.certificatePath | quote }}
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_PASSWORD
value: {{ .Values.azure.certificatePassword | quote }}
{{- include "extensionlib.deployment.env" (list .) | nindent 12 }}
{{- with .Values.extraEnv }}
{{- toYaml . | nindent 12 }}
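Review bot: `AZURE_CLIENT_SECRET` and `STEADYBIT_EXTENSION_AZURE_CERTIFICATE_PASSWORD` are rendered as literal `value:` entries straight from Helm values, so the client secret and the certificate passphrase end up in clear text in the Deployment manifest, in `helm get values`, and in anything that logs the pod spec; prefer `valueFrom: { secretKeyRef: ... }` against a Kubernetes Secret, with an `existingSecret` option so operators can provision it outside Helm. The six entries are also emitted unconditionally, so unset values become `value: ""` (the updated snapshots confirm this), which forces the extension to treat an empty string as absent; wrapping each in `{{- if .Values.azure.<field> }}` would make the rendered spec reflect what was actually configured. Lastly, nothing here mounts a file at `certificatePath`; a Secret volume and a matching `volumeMounts` entry are needed for that path to exist in the container.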
Expand Up @@ -23,6 +23,18 @@ manifest should match snapshot using podAnnotations and Labels:
spec:
containers:
- env:
- name: AZURE_CLIENT_ID
value: ""
- name: AZURE_TENANT_ID
value: ""
- name: AZURE_CLIENT_SECRET
value: ""
- name: AZURE_SUBSCRIPTION_ID
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_PASSWORD
value: ""
- name: STEADYBIT_LOG_LEVEL
value: INFO
- name: STEADYBIT_LOG_FORMAT
Expand Down Expand Up @@ -80,6 +92,18 @@ manifest should match snapshot with TLS:
spec:
containers:
- env:
- name: AZURE_CLIENT_ID
value: ""
- name: AZURE_TENANT_ID
value: ""
- name: AZURE_CLIENT_SECRET
value: ""
- name: AZURE_SUBSCRIPTION_ID
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_PASSWORD
value: ""
- name: STEADYBIT_LOG_LEVEL
value: INFO
- name: STEADYBIT_LOG_FORMAT
Expand Down Expand Up @@ -125,6 +149,144 @@ manifest should match snapshot with TLS:
secret:
optional: false
secretName: server-cert
manifest should match snapshot with azure certificates vars:
1: |
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
steadybit.com/discovery-disabled: "true"
name: RELEASE-NAME-steadybit-extension-azure
namespace: NAMESPACE
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: steadybit-extension-azure
template:
metadata:
annotations: null
labels:
app.kubernetes.io/name: steadybit-extension-azure
steadybit.com/discovery-disabled: "true"
spec:
containers:
- env:
- name: AZURE_CLIENT_ID
value: ""
- name: AZURE_TENANT_ID
value: ""
- name: AZURE_CLIENT_SECRET
value: ""
- name: AZURE_SUBSCRIPTION_ID
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION
value: /tmp/certificatePath
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_PASSWORD
value: certificatePassword
- name: STEADYBIT_LOG_LEVEL
value: INFO
- name: STEADYBIT_LOG_FORMAT
value: text
image: ghcr.io/steadybit/extension-azure:latest
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /health/liveness
port: 8081
name: extension
readinessProbe:
httpGet:
path: /health/readiness
port: 8081
resources:
limits:
cpu: 200m
memory: 128Mi
requests:
cpu: 50m
memory: 32Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts: null
serviceAccountName: steadybit-extension-azure
volumes: null
manifest should match snapshot with azure secrets vars:
1: |
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
steadybit.com/discovery-disabled: "true"
name: RELEASE-NAME-steadybit-extension-azure
namespace: NAMESPACE
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: steadybit-extension-azure
template:
metadata:
annotations: null
labels:
app.kubernetes.io/name: steadybit-extension-azure
steadybit.com/discovery-disabled: "true"
spec:
containers:
- env:
- name: AZURE_CLIENT_ID
value: clientId
- name: AZURE_TENANT_ID
value: tenantId
- name: AZURE_CLIENT_SECRET
value: clientSecret
- name: AZURE_SUBSCRIPTION_ID
value: subscriptionId
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_PASSWORD
value: ""
- name: STEADYBIT_LOG_LEVEL
value: INFO
- name: STEADYBIT_LOG_FORMAT
value: text
image: ghcr.io/steadybit/extension-azure:latest
imagePullPolicy: Always
livenessProbe:
httpGet:
path: /health/liveness
port: 8081
name: extension
readinessProbe:
httpGet:
path: /health/readiness
port: 8081
resources:
limits:
cpu: 200m
memory: 128Mi
requests:
cpu: 50m
memory: 32Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 10000
runAsNonRoot: true
runAsUser: 10000
volumeMounts: null
serviceAccountName: steadybit-extension-azure
volumes: null
manifest should match snapshot with extra env vars:
1: |
apiVersion: apps/v1
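Review bot: the "azure certificates vars" snapshot shows `STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION` set to `/tmp/certificatePath` next to `volumeMounts: null` and `volumes: null`, i.e. the rendered Deployment points at a certificate file that nothing mounts into the container, and with `readOnlyRootFilesystem: true` and no volumes nothing can write it at runtime either. A snapshot test will happily lock in that gap, so once the template supports a mounted Secret, add a test that sets the certificate values together with it. The same snapshot also records `certificatePassword` in plain text in the pod spec, which is the secret-handling point raised on the deployment template.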
Expand All @@ -148,6 +310,18 @@ manifest should match snapshot with extra env vars:
spec:
containers:
- env:
- name: AZURE_CLIENT_ID
value: ""
- name: AZURE_TENANT_ID
value: ""
- name: AZURE_CLIENT_SECRET
value: ""
- name: AZURE_SUBSCRIPTION_ID
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_PASSWORD
value: ""
- name: STEADYBIT_LOG_LEVEL
value: INFO
- name: STEADYBIT_LOG_FORMAT
Expand Down Expand Up @@ -214,6 +388,18 @@ manifest should match snapshot with extra labels:
spec:
containers:
- env:
- name: AZURE_CLIENT_ID
value: ""
- name: AZURE_TENANT_ID
value: ""
- name: AZURE_CLIENT_SECRET
value: ""
- name: AZURE_SUBSCRIPTION_ID
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_PASSWORD
value: ""
- name: STEADYBIT_LOG_LEVEL
value: INFO
- name: STEADYBIT_LOG_FORMAT
Expand Down Expand Up @@ -271,6 +457,18 @@ manifest should match snapshot with mutual TLS:
spec:
containers:
- env:
- name: AZURE_CLIENT_ID
value: ""
- name: AZURE_TENANT_ID
value: ""
- name: AZURE_CLIENT_SECRET
value: ""
- name: AZURE_SUBSCRIPTION_ID
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_PASSWORD
value: ""
- name: STEADYBIT_LOG_LEVEL
value: INFO
- name: STEADYBIT_LOG_FORMAT
Expand Down Expand Up @@ -348,6 +546,18 @@ manifest should match snapshot with mutual TLS using containerPaths:
spec:
containers:
- env:
- name: AZURE_CLIENT_ID
value: ""
- name: AZURE_TENANT_ID
value: ""
- name: AZURE_CLIENT_SECRET
value: ""
- name: AZURE_SUBSCRIPTION_ID
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_PASSWORD
value: ""
- name: STEADYBIT_LOG_LEVEL
value: INFO
- name: STEADYBIT_LOG_FORMAT
Expand Down Expand Up @@ -411,6 +621,18 @@ manifest should match snapshot without TLS:
spec:
containers:
- env:
- name: AZURE_CLIENT_ID
value: ""
- name: AZURE_TENANT_ID
value: ""
- name: AZURE_CLIENT_SECRET
value: ""
- name: AZURE_SUBSCRIPTION_ID
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_LOCATION
value: ""
- name: STEADYBIT_EXTENSION_AZURE_CERTIFICATE_PASSWORD
value: ""
- name: STEADYBIT_LOG_LEVEL
value: INFO
- name: STEADYBIT_LOG_FORMAT
16 changes: 16 additions & 0 deletions charts/steadybit-extension-azure/tests/deployment_test.yaml
Expand Up @@ -66,3 +66,19 @@ tests:
tags.datadoghq.com/service: steadybit-extension
asserts:
- matchSnapshot: {}
- it: manifest should match snapshot with azure secrets vars
set:
azure:
subscriptionID: "subscriptionId"
clientID: "clientId"
clientSecret: "clientSecret"
tenantID: "tenantId"
asserts:
- matchSnapshot: { }
- it: manifest should match snapshot with azure certificates vars
set:
azure:
certificatePath: "/tmp/certificatePath"
certificatePassword: "certificatePassword"
asserts:
- matchSnapshot: { }
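Review bot: the "azure certificates vars" test sets only `certificatePath` and `certificatePassword`, while the README in this commit marks `AZURE_CLIENT_ID` and `AZURE_TENANT_ID` as required, so the snapshot it produces is not a configuration the extension could actually use; set `clientID` and `tenantID` in that test as well. Minor style point: `matchSnapshot: { }` versus the existing `matchSnapshot: {}` in the context line above.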

0 comments on commit d74670d