gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix worker and admin ca (#7807)

Browse Source 
* Fix Worker and Admin CA in helm chart

* Fix Worker and Admin CA in helm chart - add security.toml modification

* Fix Worker and Admin CA in helm chart - fix security.toml modification error

* Fix Worker and Admin CA in helm chart - fix  errors in volume mounts

* Fix Worker and Admin CA in helm chart - address review comments

- Remove worker-cert from admin pod (principle of least privilege)
- Remove admin-cert from worker pod (principle of least privilege)
- Remove overly broad namespace wildcards from admin-cert dnsNames
- Remove overly broad namespace wildcards from worker-cert dnsNames

---------

Co-authored-by: chrislu <chris.lu@gmail.com>
This commit is contained in:
MorezMartin
2025-12-17 21:51:45 +01:00
committed by GitHub
parent df0ea18084
commit 22271358c6
5 changed files with 106 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
k8s/charts/seaweedfs/templates/admin/admin-statefulset.yaml
View File

@@ -203,6 +203,9 @@ spec:
- name: client-cert - name: client-cert
readOnly: true readOnly: true
mountPath: /usr/local/share/ca-certificates/client/ mountPath: /usr/local/share/ca-certificates/client/
- name: admin-cert
readOnly: true
mountPath: /usr/local/share/ca-certificates/admin/
{{- end }} {{- end }}
{{ tpl .Values.admin.extraVolumeMounts . | nindent 12 | trim }} {{ tpl .Values.admin.extraVolumeMounts . | nindent 12 | trim }}
ports: ports:
@@ -298,6 +301,9 @@ spec:
- name: client-cert - name: client-cert
secret: secret:
secretName: {{ template "seaweedfs.name" . }}-client-cert secretName: {{ template "seaweedfs.name" . }}-client-cert
- name: admin-cert
secret:
secretName: {{ template "seaweedfs.name" . }}-admin-cert
{{- end }} {{- end }}
{{ tpl .Values.admin.extraVolumes . | indent 8 | trim }} {{ tpl .Values.admin.extraVolumes . | indent 8 | trim }}
{{- if .Values.admin.nodeSelector }} {{- if .Values.admin.nodeSelector }}

43
k8s/charts/seaweedfs/templates/cert/admin-cert.yaml Normal file
View File

@@ -0,0 +1,43 @@
{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
name: {{ template "seaweedfs.name" . }}-admin-cert
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: admin
{{- if .Values.admin.annotations }}
annotations:
{{- toYaml .Values.admin.annotations | nindent 4 }}
{{- end }}
spec:
secretName: {{ template "seaweedfs.name" . }}-admin-cert
issuerRef:
name: {{ template "seaweedfs.name" . }}-ca-issuer
kind: Issuer
commonName: {{ .Values.certificates.commonName }}
subject:
organizations:
- "SeaweedFS CA"
dnsNames:
- '*.{{ template "seaweedfs.name" . }}-admin'
- '*.{{ template "seaweedfs.name" . }}-admin.{{ .Release.Namespace }}'
- '*.{{ template "seaweedfs.name" . }}-admin.{{ .Release.Namespace }}.svc'
- '*.{{ template "seaweedfs.name" . }}-admin.{{ .Release.Namespace }}.svc.cluster.local'
{{- if .Values.certificates.ipAddresses }}
ipAddresses:
{{- range .Values.certificates.ipAddresses }}
- {{ . }}
{{- end }}
{{- end }}
privateKey:
algorithm: {{ .Values.certificates.keyAlgorithm }}
size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }}

43
k8s/charts/seaweedfs/templates/cert/worker-cert.yaml Normal file
View File

@@ -0,0 +1,43 @@
{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
name: {{ template "seaweedfs.name" . }}-worker-cert
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/component: worker
{{- if .Values.worker.annotations }}
annotations:
{{- toYaml .Values.worker.annotations | nindent 4 }}
{{- end }}
spec:
secretName: {{ template "seaweedfs.name" . }}-worker-cert
issuerRef:
name: {{ template "seaweedfs.name" . }}-ca-issuer
kind: Issuer
commonName: {{ .Values.certificates.commonName }}
subject:
organizations:
- "SeaweedFS CA"
dnsNames:
- '*.{{ template "seaweedfs.name" . }}-worker'
- '*.{{ template "seaweedfs.name" . }}-worker.{{ .Release.Namespace }}'
- '*.{{ template "seaweedfs.name" . }}-worker.{{ .Release.Namespace }}.svc'
- '*.{{ template "seaweedfs.name" . }}-worker.{{ .Release.Namespace }}.svc.cluster.local'
{{- if .Values.certificates.ipAddresses }}
ipAddresses:
{{- range .Values.certificates.ipAddresses }}
- {{ . }}
{{- end }}
{{- end }}
privateKey:
algorithm: {{ .Values.certificates.keyAlgorithm }}
size: {{ .Values.certificates.keySize }}
duration: {{ .Values.certificates.duration }}
renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }}

8
k8s/charts/seaweedfs/templates/shared/security-configmap.yaml
View File

@@ -65,6 +65,14 @@ data:
cert = "/usr/local/share/ca-certificates/filer/tls.crt" cert = "/usr/local/share/ca-certificates/filer/tls.crt"
key = "/usr/local/share/ca-certificates/filer/tls.key" key = "/usr/local/share/ca-certificates/filer/tls.key"
[grpc.admin]
cert = "/usr/local/share/ca-certificates/admin/tls.crt"
key = "/usr/local/share/ca-certificates/admin/tls.key"
[grpc.worker]
cert = "/usr/local/share/ca-certificates/worker/tls.crt"
key = "/usr/local/share/ca-certificates/worker/tls.key"
# use this for any place needs a grpc client # use this for any place needs a grpc client
# i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload" # i.e., "weed backup|benchmark|filer.copy|filer.replicate|mount|s3|upload"
[grpc.client] [grpc.client]

6
k8s/charts/seaweedfs/templates/worker/worker-deployment.yaml
View File

@@ -171,6 +171,9 @@ spec:
- name: client-cert - name: client-cert
readOnly: true readOnly: true
mountPath: /usr/local/share/ca-certificates/client/ mountPath: /usr/local/share/ca-certificates/client/
- name: worker-cert
readOnly: true
mountPath: /usr/local/share/ca-certificates/worker/
{{- end }} {{- end }}
{{ tpl .Values.worker.extraVolumeMounts . | nindent 12 | trim }} {{ tpl .Values.worker.extraVolumeMounts . | nindent 12 | trim }}
ports: ports:
@@ -262,6 +265,9 @@ spec:
- name: client-cert - name: client-cert
secret: secret:
secretName: {{ template "seaweedfs.name" . }}-client-cert secretName: {{ template "seaweedfs.name" . }}-client-cert
- name: worker-cert
secret:
secretName: {{ template "seaweedfs.name" . }}-worker-cert
{{- end }} {{- end }}
{{ tpl .Values.worker.extraVolumes . | indent 8 | trim }} {{ tpl .Values.worker.extraVolumes . | indent 8 | trim }}
{{- if .Values.worker.nodeSelector }} {{- if .Values.worker.nodeSelector }}