generate nginx server certificate during deployment (#550)

Add a job to generate the nginx server certificate during deployment.
Although not currently done, the same job could (should?) be used to
generate additional certificates and secrets to enable ssl-protected
communication between all services on the openwhisk control plane.

Fixes #305.
diff --git a/helm/openwhisk/Chart.yaml b/helm/openwhisk/Chart.yaml
index 9d93a6e..266e80d 100644
--- a/helm/openwhisk/Chart.yaml
+++ b/helm/openwhisk/Chart.yaml
@@ -18,7 +18,7 @@
 apiVersion: v1
 description: An open source, distributed serverless platform that executes functions in response to events at any scale
 name: openwhisk
-version: 0.1.8
+version: 0.1.9
 icon: https://raw.githubusercontent.com/apache/openwhisk/682eb5b62ee6ba8017ab54226c2ace3637f4f1ec/docs/images/whisk_icon_full-color_with_tm_64x64-300dpi.png
 keywords:
   - Apache OpenWhisk
diff --git a/helm/openwhisk/configMapFiles/genCerts/gencerts.sh b/helm/openwhisk/configMapFiles/genCerts/gencerts.sh
new file mode 100755
index 0000000..8db6236
--- /dev/null
+++ b/helm/openwhisk/configMapFiles/genCerts/gencerts.sh
@@ -0,0 +1,21 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+genssl.sh "*.$WHISK_API_HOST_NAME" server /cert-gen
+
+kubectl create secret tls $NGINX_CERT_SECRET --cert=/cert-gen/openwhisk-server-cert.pem --key=/cert-gen/openwhisk-server-key.pem
+
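Review bot: `kubectl create secret tls` on the last line fails with AlreadyExists when a secret of that name is already present, and since the Job sources this script under `set -e` and the init Role grants only the `create` verb, a re-run or a reinstall over a leftover secret ends in a failed Job rather than a refreshed certificate. The secret is created by kubectl rather than rendered by Helm, so it is presumably not removed together with the release; please document how it is rotated and cleaned up, or make the step tolerate an existing secret. The variable expansion should be quoted, `kubectl create secret tls "$NGINX_CERT_SECRET" --cert=/cert-gen/openwhisk-server-cert.pem --key=/cert-gen/openwhisk-server-key.pem`. A header comment such as `# Sourced by the gen-certs Job; expects WHISK_API_HOST_NAME and NGINX_CERT_SECRET in the environment` would also help, ideally noting that the wildcard name `*.$WHISK_API_HOST_NAME` does not cover the bare host name unless genssl.sh adds it as well.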
diff --git a/helm/openwhisk/templates/gen-certs-cm.yaml b/helm/openwhisk/templates/gen-certs-cm.yaml
new file mode 100644
index 0000000..f7840ea
--- /dev/null
+++ b/helm/openwhisk/templates/gen-certs-cm.yaml
@@ -0,0 +1,25 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}-gen-certs
+  labels:
+{{ include "openwhisk.label_boilerplate" . | indent 4 }}
+data:
+{{ (.Files.Glob "configMapFiles/genCerts/gencerts.sh").AsConfig | indent 2 }}
diff --git a/helm/openwhisk/templates/gen-certs-job.yaml b/helm/openwhisk/templates/gen-certs-job.yaml
new file mode 100644
index 0000000..d8925e1
--- /dev/null
+++ b/helm/openwhisk/templates/gen-certs-job.yaml
@@ -0,0 +1,57 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ .Release.Name }}-gen-certs
+  labels:
+    name: {{ .Release.Name }}-gen-certs
+{{ include "openwhisk.label_boilerplate" . | indent 4 }}
+spec:
+  backoffLimit: 3
+  template:
+    metadata:
+      name: {{ .Release.Name }}-gen-certs
+      labels:
+        name: {{ .Release.Name }}-gen-certs
+{{ include "openwhisk.label_boilerplate" . | indent 8 }}
+    spec:
+      serviceAccountName: {{ .Release.Name }}-init-sa
+      restartPolicy: Never
+      volumes:
+      - name: task-dir
+        configMap:
+          name: {{ .Release.Name }}-gen-certs
+{{ include "openwhisk.docker.imagePullSecrets" . | indent 6 }}
+      containers:
+      - name: gen-certs
+        image: "{{- .Values.docker.registry.name -}}{{- .Values.utility.imageName -}}:{{- .Values.utility.imageTag -}}"
+        imagePullPolicy: {{ .Values.utility.imagePullPolicy | quote }}
+        command: ["/bin/bash", "-c", "set -e; . /task/gencerts.sh"]
+        volumeMounts:
+        - name: task-dir
+          mountPath: "/task/gencerts.sh"
+          subPath: "gencerts.sh"
+        env:
+        - name: "NGINX_CERT_SECRET"
+          value: {{ .Release.Name }}-nginx
+        - name: "WHISK_API_HOST_NAME"
+          valueFrom:
+            configMapKeyRef:
+              name: {{ .Release.Name }}-whisk.config
+              key: whisk_api_host_name
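Review bot: The Job is rendered unconditionally, whereas the `nginx-secret.yaml` template deleted by this commit was wrapped in `{{- if ne .Values.whisk.ingress.type "OpenShift" }}`; if OpenShift installs still do not use the nginx secret, the same guard should wrap this template, and the init Role, RoleBinding and ServiceAccount too if nothing else uses them. The pod runs with a service-account token that can create secrets and writes a private key under `/cert-gen`, yet the container declares no `securityContext` or resource limits; if the utility image allows it, a non-root, no-privilege-escalation context would be worth adding. The env value should be quoted like the other templated scalars, `value: "{{ .Release.Name }}-nginx"`.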
diff --git a/helm/openwhisk/templates/init-role.yaml b/helm/openwhisk/templates/init-role.yaml
new file mode 100644
index 0000000..51db340
--- /dev/null
+++ b/helm/openwhisk/templates/init-role.yaml
@@ -0,0 +1,29 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# A role to allow initialization jobs to create secrets and config maps
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Release.Name }}-init-role
+  labels:
+{{ include "openwhisk.label_boilerplate" . | indent 4 }}
+rules:
+- apiGroups: [""]
+  resources: ["secrets", "configmaps"]
+  verbs: ["create"]
+
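Review bot: The rule grants `create` on both `secrets` and `configmaps`, but the only consumer visible in this commit, gencerts.sh, creates a single TLS secret, so `configmaps` is unused privilege for every pod bound to the init service account. Narrow the rule to `resources: ["secrets"]` and change the comment above it to `# A role to allow initialization jobs to create secrets` until a job actually needs config maps. Because `create` cannot be restricted with `resourceNames`, any holder of this role can create arbitrary secrets in the namespace, and that is worth stating in the comment so the service account is not reused casually.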
diff --git a/helm/openwhisk/templates/init-rolebind.yaml b/helm/openwhisk/templates/init-rolebind.yaml
new file mode 100644
index 0000000..2c7469c
--- /dev/null
+++ b/helm/openwhisk/templates/init-rolebind.yaml
@@ -0,0 +1,31 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: {{ .Release.Name }}-init-rb
+  labels:
+{{ include "openwhisk.label_boilerplate" . | indent 4 }}
+subjects:
+- kind: ServiceAccount
+  namespace: {{ .Release.Namespace | quote }}
+  name: {{ .Release.Name }}-init-sa
+roleRef:
+  kind: Role
+  name: {{ .Release.Name }}-init-role
+  apiGroup: rbac.authorization.k8s.io
diff --git a/helm/openwhisk/templates/init-svcact.yaml b/helm/openwhisk/templates/init-svcact.yaml
new file mode 100644
index 0000000..ea2b6b0
--- /dev/null
+++ b/helm/openwhisk/templates/init-svcact.yaml
@@ -0,0 +1,23 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements.  See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License.  You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ .Release.Name }}-init-sa
+  labels:
+{{ include "openwhisk.label_boilerplate" . | indent 4 }}
diff --git a/helm/openwhisk/templates/nginx-secret.yaml b/helm/openwhisk/templates/nginx-secret.yaml
deleted file mode 100644
index 1f2e9ce..0000000
--- a/helm/openwhisk/templates/nginx-secret.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-#
-# Licensed to the Apache Software Foundation (ASF) under one or more
-# contributor license agreements.  See the NOTICE file distributed with
-# this work for additional information regarding copyright ownership.
-# The ASF licenses this file to You under the Apache License, Version 2.0
-# (the "License"); you may not use this file except in compliance with
-# the License.  You may obtain a copy of the License at
-#
-#     http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License.
-#
-
-{{- if ne .Values.whisk.ingress.type "OpenShift" }}
-apiVersion: v1
-kind: Secret
-metadata:
-  name: {{ .Release.Name }}-nginx
-  labels:
-{{ include "openwhisk.label_boilerplate" . | indent 4 }}
-type: tls
-data:
-  tls.crt: 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
-  tls.key: LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBMVhrMTZjYXFBZGNmM05JVFZjRnNxWEhjZVFmMTBsUGpsS1Q1RGcrYmJKUHdTKzlwCnFBc1lPbTB2TFA0RjcyUzcvQTlJZmdNc2t5VWJSc3VtSmx4U3pSNUplNG9iTVZRUUNCQjVmejkwUnpLZGFxSXMKclpkd2htb0JmcjlWZFVxT0pqY1VQZTBUTzJGVzdRSE8wcFAxV3dJUUJmdjI5bjFpdGtpTGxNWk9KZ05TV2NtRgpZN0hnai83V0RNK3dNL1hXdzlsS0NGM0o5R3NYczluQTcwQWxmLytidmxiUGZTVmdLM1Q0c0ljQlpsMWIrT3ZLCnMrMzR6cjJ4R2pXN1pidjFTK01XbEcvMzQyYkVsRm9UcStOMUtnUkxIMXJUUGRIWmZZL3FoM2hZZUJONDE2eEIKb1E3M3dWNzZKbStVK2sxRGZWdDQ0UnE4RS9SVndMalppQnl5bFFJREFRQUJBb0lCQVFDYlp3TE5iWGREb2JTcgpUeThPSmFJUjlEYVkwU2V0OXEzYy92L2pzWTdteXdlS2IvNU5lODRtY21kK2JHb3JyUHlBY1N2SHVFM1J6SmgvCndDN3pEQkNuQzk1WWxlQlgxNmRZQjQ0N0NSbC8zeVBqaGEzYXJUMFlUTUZMNE1PNGdBN2RXUWxlVDJESndJSEUKUmFXbmZGaUg2UWQ3SThMVUM5RTVlN1JKR05lNUtTcGhKNGJxNThXSHpFUVhjOWlxWUx6YzNBY1MzVFJFTnY4ZAp1NUdBV3M3T1VPYzVtbWt0bE5McHRVSXh3WkJBa1c1S0hWV014aThsck1ES3FhdEwyWi95ZENjRGV6dzdJWlBkCjdlelFGdDgwazFJMy9JanhsNWtuUHRuOTNOOWlPazlBOUxGbWhZbm5hQkREMnVGRmZaR2FjOUE1VTZmNEx6NW0KaW5XQnd3bzlBb0dCQVAycnVJQjNIU1YxY2lVY3NOUEFTbzRQbEFHcG5kYVZHdUtzVEQxL1QvR01SNDJqVmJXUAppc1AySGJEdDNXOW5kM2xrM3dTRlZtdElxK3ZWSHpwVzlRNUYvYVJCc2RVL29mdldHWnJsa085Vm8rK2VVQUJXCjNNQjBncUpHYXBGK2VETGRlNklFMklzRUNja0xFQitwZUxVNUsyeFNlQWtCRC84NWQxblhDcG9iQW9HQkFOZHYKQUlJUjR0bWpSZHRqaW1YVk5TUjUzU0d5N0RFSGVtTHMyVHc0MENnNkdXVHpBN1IwVHY5RkpIb1NGdFhZcVp4dwpMUDRhdlY4eUVwMnE1YmZKYUZIR3h1OExRSUdCbURMK3l5ZG11eTZ2Z1RWWEpENEg3WUJINFhsYjBja2F6K2p1CmlucHpVSGFJVnZUT1J5Nnk4TXUzVTM5b1NVN1lmbjJpeTFJYzQ3RVBBb0dBSEg3bjBQYVFmWjY5M2RGbFE4UTgKRzgxQU1SZWV0WFkyZVBRbDlGcVMzbTJGdERGKzlWQlVwRUxIZnhLWloyUldGWHJ4V282bjhKRlBUc1M0SjFPUgpYN01aRlJTVUo0Sm9iZVBWS0lOVlRxMXVKd0svdGVvTURrcUlTalppemtsSXMxNFIvMWRRQS8zR0k2RnNoRUlEClgwZzJ5b3BSRmFIYTdDN0dhMzh1bjdVQ2dZQjJ3Y0wyOEtNcnRCeUxMdGtZLzZvVzNIS3c0Ky9kcXpDbEhjazIKc0Y3Vy9nZ0hwUXJTekJiTUV6SmpkRnRRTU9wMnlVT1VJK3RtY2JUZlkxalVzbHNtVVR4U2c5SmdVYTh6MVU3cAovbkNLOE1aNlAvcERrNTB4ek80WE55MXkvYXZFek5KYlkvdmtDNDVienVaZ2NOWGFoc21wZnpTQ0dVZkpQQmQyCndXUW1zd0tCZ1FDYmZqQ0ZxME0xcVVoZXNXRGdK
bm14MHRhdjFHbi9La1dXZTdHWVZpYmowbnVXNlFZUjhleFEKemlpTVcwNkRKREQybjJoOW1ySjZSaW4xZE1EUlM0bmxtek9DcUR3Uk50aHRPcHIxVkRhL1UvUVJNRXIwWWl3SQozT3NwZFZSNUJqSXc5bGJGck0ySWRtK2ZkUXREbmo3bEhabnRONkVudjJuTnIzRHNJQWtQWkE9PQotLS0tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=
-{{- end }}
diff --git a/helm/openwhisk/values.yaml b/helm/openwhisk/values.yaml
index fa42716..3b5671b 100644
--- a/helm/openwhisk/values.yaml
+++ b/helm/openwhisk/values.yaml
@@ -129,9 +129,9 @@
     includeSystemTests: false
   versions:
     openwhisk:
-      buildDate: "2019-11-08-08:32:33Z"
+      buildDate: "2019-11-20-14:48:00Z"
       buildNo: "20191108a"
-      gitTag: "d47f4ec91d467295ffcfa894401ddb113984c108"
+      gitTag: "4cb41be6b7ea14c8002c9decda4b20f8d0fdd691"
     openwhiskCli:
       tag: "1.0.0"
     openwhiskCatalog:
@@ -154,7 +154,7 @@
 # Images used to run auxillary tasks/jobs
 utility:
   imageName: "openwhisk/ow-utils"
-  imageTag: "d47f4ec"
+  imageTag: "4cb41be"
   imagePullPolicy: "IfNotPresent"
 
 # Docker registry
@@ -238,7 +238,7 @@
 # Controller configurations
 controller:
   imageName: "openwhisk/controller"
-  imageTag: "d47f4ec"
+  imageTag: "4cb41be"
   imagePullPolicy: "IfNotPresent"
   replicaCount: 1
   restartPolicy: "Always"
@@ -250,7 +250,7 @@
 # Invoker configurations
 invoker:
   imageName: "openwhisk/invoker"
-  imageTag: "d47f4ec"
+  imageTag: "4cb41be"
   imagePullPolicy: "IfNotPresent"
   restartPolicy: "Always"
   port: 8080