Keep client CAs as a K8s ConfigMap.

The CAs used to verify clients are not secrets and can be committed to
the repository as K8s ConfigMaps. This updates the config to include
them.
This commit is contained in:
dandds 2019-11-06 13:10:08 -05:00
parent 630469744a
commit fd57036f74
5 changed files with 2724 additions and 30 deletions


@ -62,24 +62,6 @@ Notes:
- Be careful not to check the override.ini file into source control. - Be careful not to check the override.ini file into source control.
- Be careful not to overwrite one CSP cluster's config with the other's. This will break everything. - Be careful not to overwrite one CSP cluster's config with the other's. This will break everything.
### nginx-client-ca-bundle
(NOTE: This really doesn't need to be a secret since these are public certs. A good change would be to convert it to a k8s configmap.)
This is the PEM certificate file of the DoD Certificate Authority certs. This must be available for CAC authentication.
A local copy of the certs are stored in the repo at `ssl/client-certs/ca-chain.pem`. It can be updated by running `script/sync-dod-certs`. When creating a new cluster, you can copy the cert file to the repo root:
```
cp ssl/client-certs/ca-chain.pem client-ca-bundle.pem
```
and then create a new secret from it:
```
kubectl -n atat create secret generic nginx-client-ca-bundle --from-file=./client-ca-bundle.pem
```
### nginx-htpasswd ### nginx-htpasswd
If the site is running in dev mode, the `/login-dev` endpoint is available. This endpoint is protected by basic HTTP auth. To create a new password file, run: If the site is running in dev mode, the `/login-dev` endpoint is available. This endpoint is protected by basic HTTP auth. To create a new password file, run:
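Review bot: this hunk deletes the only operator instructions for the client CA bundle without documenting the replacement. The removed `### nginx-client-ca-bundle` section is what told an operator that the bundle is refreshed with `script/sync-dod-certs`, copied from `ssl/client-certs/ca-chain.pem`, and loaded into the `atat` namespace; nothing in the hunk says where the ConfigMap now lives or how it is regenerated (the manifest itself is not shown here, as two file diffs in this commit are suppressed as too large). Suggest keeping a short `### nginx-client-ca-bundle` entry that states the bundle is now a ConfigMap committed to the repo, how to regenerate it from the synced certs, and that although the certs are public, whoever can change this object controls which client certificates nginx accepts for CAC authentication, so edits to it deserve the same review as any other trust-anchor change.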


@ -79,12 +79,9 @@ spec:
path: atst-overrides.ini path: atst-overrides.ini
mode: 0644 mode: 0644
- name: nginx-client-ca-bundle - name: nginx-client-ca-bundle
secret: configMap:
secretName: nginx-client-ca-bundle name: nginx-client-ca-bundle
items: defaultMode: 0666
- key: client-ca-bundle.pem
path: client-ca-bundle.pem
mode: 0666
- name: nginx-config - name: nginx-config
configMap: configMap:
name: atst-nginx name: atst-nginx
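Review bot: `defaultMode: 0666` on the new `configMap:` stanza declares world-writable permission bits on the client CA bundle, which is the wrong default for a trust anchor; nginx only needs to read the file, and the `atst-overrides.ini` entry a few lines above already uses `mode: 0644`, so the bundle should match it. The hunk also drops the previous `items:` mapping of key `client-ca-bundle.pem` to path `client-ca-bundle.pem`, so the mounted file name now comes from the ConfigMap's key; confirm that the key in the new `nginx-client-ca-bundle` ConfigMap is exactly `client-ca-bundle.pem` (or re-add the `items:` block) so the path nginx is configured with still resolves after the switch from the secret.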

File diff suppressed because it is too large.


@ -69,12 +69,9 @@ spec:
path: atst-overrides.ini path: atst-overrides.ini
mode: 0644 mode: 0644
- name: nginx-client-ca-bundle - name: nginx-client-ca-bundle
secret: configMap:
secretName: nginx-client-ca-bundle name: nginx-client-ca-bundle
items: defaultMode: 0666
- key: client-ca-bundle.pem
path: client-ca-bundle.pem
mode: 0666
- name: nginx-config - name: nginx-config
configMap: configMap:
name: atst-nginx name: atst-nginx
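Review bot: same two issues as in the other deployment manifest changed by this commit. `defaultMode: 0666` grants write bits on the CA bundle mount where `0644`, as used for `atst-overrides.ini` directly above, is all nginx needs to read it; and removing the `items:` block means the file name inside the mount is now whatever key the ConfigMap carries rather than the explicit `client-ca-bundle.pem`, so verify the ConfigMap key matches the path nginx expects before this is rolled out to the second cluster.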

File diff suppressed because it is too large.