Fix worker and admin ca (#7807)

* Fix Worker and Admin CA in helm chart * Fix Worker and Admin CA in helm chart - add security.toml modification * Fix Worker and Admin CA in helm chart - fix security.toml modification error * Fix Worker and Admin CA in helm chart - fix errors in volume mounts * Fix Worker and Admin CA in helm chart - address review comments - Remove worker-cert from admin pod (principle of least privilege) - Remove admin-cert from worker pod (principle of least privilege) - Remove overly broad namespace wildcards from admin-cert dnsNames - Remove overly broad namespace wildcards from worker-cert dnsNames --------- Co-authored-by: chrislu <chris.lu@gmail.com>
2025-12-17 21:51:45 +01:00
parent df0ea18084
commit 22271358c6
5 changed files with 106 additions and 0 deletions
--- a/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml
+++ b/k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml
@@ -203,6 +203,9 @@ spec:
            - name: client-cert
              readOnly: true
              mountPath: /usr/local/share/ca-certificates/client/
+            - name: admin-cert
+              readOnly: true
+              mountPath: /usr/local/share/ca-certificates/admin/
            {{- end }}
            {{ tpl .Values.admin.extraVolumeMounts . | nindent 12 | trim }}
          ports:
@@ -298,6 +301,9 @@ spec:
        - name: client-cert
          secret:
            secretName: {{ template "seaweedfs.name" . }}-client-cert
+        - name: admin-cert
+          secret:
+            secretName: {{ template "seaweedfs.name" . }}-admin-cert
        {{- end }}
        {{ tpl .Values.admin.extraVolumes . | indent 8 | trim }}
      {{- if .Values.admin.nodeSelector }}
--- a/k8s/charts/seaweedfs/templates/cert/admin-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/cert/admin-cert.yaml
@@ -0,0 +1,43 @@
+{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
+kind: Certificate
+metadata:
+  name: {{ template "seaweedfs.name" . }}-admin-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: admin
+  {{- if .Values.admin.annotations }}
+  annotations:
+    {{- toYaml .Values.admin.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  secretName: {{ template "seaweedfs.name" . }}-admin-cert
+  issuerRef:
+    name: {{ template "seaweedfs.name" . }}-ca-issuer
+    kind: Issuer
+  commonName: {{ .Values.certificates.commonName }}
+  subject:
+    organizations:
+    - "SeaweedFS CA"
+  dnsNames:
+    - '*.{{ template "seaweedfs.name" . }}-admin'
+    - '*.{{ template "seaweedfs.name" . }}-admin.{{ .Release.Namespace }}'
+    - '*.{{ template "seaweedfs.name" . }}-admin.{{ .Release.Namespace }}.svc'
+    - '*.{{ template "seaweedfs.name" . }}-admin.{{ .Release.Namespace }}.svc.cluster.local'
+{{- if .Values.certificates.ipAddresses }}
+  ipAddresses:
+    {{- range .Values.certificates.ipAddresses }}
+    - {{ . }}
+    {{- end }}
+{{- end }}
+  privateKey:
+    algorithm: {{ .Values.certificates.keyAlgorithm }}
+    size: {{ .Values.certificates.keySize }}
+  duration: {{ .Values.certificates.duration }}
+  renewBefore: {{ .Values.certificates.renewBefore }}
+{{- end }}
+
--- a/k8s/charts/seaweedfs/templates/cert/worker-cert.yaml
+++ b/k8s/charts/seaweedfs/templates/cert/worker-cert.yaml
@@ -0,0 +1,43 @@
+{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
+apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
+kind: Certificate
+metadata:
+  name: {{ template "seaweedfs.name" . }}-worker-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
+    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: worker
+  {{- if .Values.worker.annotations }}
+  annotations:
+    {{- toYaml .Values.worker.annotations | nindent 4 }}
+  {{- end }}
+spec:
+  secretName: {{ template "seaweedfs.name" . }}-worker-cert
+  issuerRef:
+    name: {{ template "seaweedfs.name" . }}-ca-issuer
+    kind: Issuer
+  commonName: {{ .Values.certificates.commonName }}
+  subject:
+    organizations:
+    - "SeaweedFS CA"
+  dnsNames:
+    - '*.{{ template "seaweedfs.name" . }}-worker'
+    - '*.{{ template "seaweedfs.name" . }}-worker.{{ .Release.Namespace }}'
+    - '*.{{ template "seaweedfs.name" . }}-worker.{{ .Release.Namespace }}.svc'
+    - '*.{{ template "seaweedfs.name" . }}-worker.{{ .Release.Namespace }}.svc.cluster.local'
+{{- if .Values.certificates.ipAddresses }}
+  ipAddresses:
+    {{- range .Values.certificates.ipAddresses }}
+    - {{ . }}
+    {{- end }}
+{{- end }}
+  privateKey:
+    algorithm: {{ .Values.certificates.keyAlgorithm }}
+    size: {{ .Values.certificates.keySize }}
+  duration: {{ .Values.certificates.duration }}
+  renewBefore: {{ .Values.certificates.renewBefore }}
+{{- end }}
+
--- a/k8s/charts/seaweedfs/templates/shared/security-configmap.yaml
+++ b/k8s/charts/seaweedfs/templates/shared/security-configmap.yaml
@@ -65,6 +65,14 @@ data:
    cert = "/usr/local/share/ca-certificates/filer/tls.crt"
    key  = "/usr/local/share/ca-certificates/filer/tls.key"

+    [grpc.admin]
+    cert = "/usr/local/share/ca-certificates/admin/tls.crt"
+    key  = "/usr/local/share/ca-certificates/admin/tls.key"
+
+    [grpc.worker]
+    cert = "/usr/local/share/ca-certificates/worker/tls.crt"
+    key  = "/usr/local/share/ca-certificates/worker/tls.key"
+
    # use this for any place needs a grpc client
    # i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
    [grpc.client]
--- a/k8s/charts/seaweedfs/templates/worker/worker-deployment.yaml
+++ b/k8s/charts/seaweedfs/templates/worker/worker-deployment.yaml
@@ -171,6 +171,9 @@ spec:
            - name: client-cert
              readOnly: true
              mountPath: /usr/local/share/ca-certificates/client/
+            - name: worker-cert
+              readOnly: true
+              mountPath: /usr/local/share/ca-certificates/worker/
            {{- end }}
            {{ tpl .Values.worker.extraVolumeMounts . | nindent 12 | trim }}
          ports:
@@ -262,6 +265,9 @@ spec:
        - name: client-cert
          secret:
            secretName: {{ template "seaweedfs.name" . }}-client-cert
+        - name: worker-cert
+          secret:
+            secretName: {{ template "seaweedfs.name" . }}-worker-cert
        {{- end }}
        {{ tpl .Values.worker.extraVolumes . | indent 8 | trim }}
      {{- if .Values.worker.nodeSelector }}