Merged
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -14,6 +14,7 @@ Please avoid adding duplicate information across this changelog and JIRA/doc inp
- ROX-13493: Support for scale subresource in the admission controller to enable policy detection and enforcement on admission review requests on the scale subresource.
- RHPF-98: Log creation of API token. The token creation log message will trigger an administration event.
- ROX-28716: New policy criterion "Days Since CVE Was Published" to allow creation of a policy that offers a grace period to teams to fix vulnerabilities within the number of days from when the CVE was published in the vulnerability feeds.
- ROX-28296: Support for an OpenShift reencrypt route to expose Central (`central.exposure.route.reencrypt.enabled: true`).

### Removed Features

Expand Up @@ -71,6 +71,14 @@ central:
route:
enabled: null # bool
host: null # string
reencrypt:
enabled: null # bool
host: null # string
tls:
caCertificate: null # string
certificate: null # string
destinationCACertificate: null # string
key: null # string
declarativeConfiguration:
mounts:
configMaps: null # [string]
Expand Up @@ -69,9 +69,10 @@ defaults:
port: 443
nodePort:
enabled: false
port: null
route:
enabled: false
reencrypt:
enabled: false
db:
external: false

Expand Up @@ -12,7 +12,7 @@ metadata:
{{- include "srox.annotations" (list . "route" "central") | nindent 4 }}
spec:
{{- if ._rox.central.exposure.route.host }}
host: {{ ._rox.central.exposure.route.host }}
host: {{ ._rox.central.exposure.route.host | quote }}
{{- end }}
port:
targetPort: https
Expand Down Expand Up @@ -41,6 +41,50 @@ spec:
kind: Service
name: central
---

{{ $reencryptConfig := ._rox.central.exposure.route.reencrypt }}
{{- if $reencryptConfig.enabled }}
apiVersion: route.openshift.io/v1
kind: Route
metadata:
name: central-reencrypt
namespace: {{ .Release.Namespace }}
labels:
{{- include "srox.labels" (list . "route" "central-reencrypt") | nindent 4 }}
annotations:
{{- include "srox.annotations" (list . "route" "central-reencrypt") | nindent 4 }}
spec:
{{- if $reencryptConfig.host }}
host: {{ $reencryptConfig.host | quote }}
{{- end }}
port:
targetPort: https
tls:
termination: reencrypt
{{- with $reencryptConfig.tls }}
{{- if .caCertificate }}
caCertificate: |
{{- .caCertificate | nindent 6 }}
{{- end }}
{{- if .certificate }}
certificate: |
{{- .certificate | nindent 6 }}
{{- end }}
{{- if .destinationCACertificate }}
destinationCACertificate: |
{{- .destinationCACertificate | nindent 6 }}
{{- end }}
{{- if .key }}
key: |
{{- .key | nindent 6 }}
{{- end }}
{{- end }}
to:
kind: Service
name: central
---
{{- end }}

{{- end }}

{{- if ._rox.central.exposure.nodePort.enabled }}
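Review bot: The reencrypt Route is emitted before the `{{- end }}` that closes this hunk, which looks like the end of a `route.enabled` guard opened before the hunk; if that is the case, a user who sets only `central.exposure.route.reencrypt.enabled: true` (the form the changelog advertises) gets no Route rendered at all, while `_init.tpl.htpl` still defaults the destination CA and prints notes as though one were being created. Either move the reencrypt block after that `{{- end }}` so the two routes are independent, or fail at init time when reencrypt is enabled without the passthrough route. Two smaller points: `{{ $reencryptConfig := ... }}` uses non-trimming delimiters and writes a blank line into the manifest stream, so prefer `{{- $reencryptConfig := ._rox.central.exposure.route.reencrypt }}`; and `tls.key` is rendered verbatim into `spec.tls.key`, so anyone with read access to Routes in the namespace can read the private key — a one-line comment above the `key: |` block, e.g. `# private key; readable by anyone who can get Routes in this namespace`, would help operators scope RBAC. The enclosing `if` that this hunk's final `{{- end }}` closes begins outside the hunk.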
18 changes: 18 additions & 0 deletions image/templates/helm/stackrox-central/templates/_init.tpl.htpl
Expand Up @@ -208,6 +208,24 @@
{{ end }}
{{ $_ = set $._rox "_additionalCAs" $additionalCAs }}

{{/* Route configuration */}}
{{ $reencryptConfig := $._rox.central.exposure.route.reencrypt }}
{{ if $reencryptConfig.enabled }}
{{/* Default the destination CA certificate to the Central CA. */}}
{{ if kindIs "invalid" $reencryptConfig.tls.destinationCACertificate }}
{{ if kindIs "invalid" $._rox._ca.Cert }}
{{ include "srox.warn" (list $ "The reencrypt route does not specify a destination certificate authority. Routing may be impaired.") }}
{{ else }}
{{ $_ := set $reencryptConfig.tls "destinationCACertificate" $._rox._ca.Cert }}
{{ end }}
{{ end }}
{{ if and (kindIs "invalid" $reencryptConfig.tls.certificate) (kindIs "invalid" $reencryptConfig.tls.key) }}
{{ include "srox.note" (list $ "The reencrypt route will serve a certificate signed by the OpenShift certificate authority.") }}
{{ else if or $reencryptConfig.tls.certificate $reencryptConfig.tls.key }}
{{ include "srox.fail" "The reencrypt route must specify either both, certificate and key, or neither." }}
{{ end }}
{{ end }}

{{/* Proxy configuration.
Note: The reason this is different is that unlike the endpoints config, the proxy configuration
might contain sensitive data and thus might _not_ be stored in the always available canonical
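Review bot: The `kindIs "invalid"` tests only catch an absent value, but the Route template gates each field on truthiness (`{{- if .destinationCACertificate }}`), so an empty string — e.g. `--set central.exposure.route.reencrypt.tls.destinationCACertificate=` — skips the Central-CA default here, is then dropped by the template, and the route silently falls back to whatever CA the router uses by default. Use the same truthiness test on both sides: `{{ if not $reencryptConfig.tls.destinationCACertificate }}` for the default, and `{{ if and (not $reencryptConfig.tls.certificate) (not $reencryptConfig.tls.key) }}` / `{{ else if or (not $reencryptConfig.tls.certificate) (not $reencryptConfig.tls.key) }}` for the pairing check, which also closes the gap where `certificate: ""` with no key neither fails nor prints the note. The block also assumes `$reencryptConfig.tls` is a map; if a user sets `tls: null` the field access and the `set` on it would presumably error rather than fall back — worth confirming against how the config-shape merge handles explicit nulls. The failure message reads better without the comma: `must specify either both certificate and key, or neither`. The enclosing template definition begins and ends outside this hunk.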
Expand Up @@ -226,9 +226,17 @@
# # letting Kubernetes automatically select a node port (recommended).
# port: 32000
#
# # Exposure via an OpenShift route. Only available for OpenShift clusters
# # Exposure via an OpenShift passthrough route. Sensor must communicate with Central
# # via a passthrough route because of mutual TLS encryption.
# # Only available for OpenShift clusters.
# route:
# enabled: true
# # Exposure via an OpenShift reencrypt route. The route serves a certificate that was
# # signed by the OpenShift certificate authority. The reencrypt route cannot be used
# # for communication between Sensor and Central because of mutual TLS encryption.
# # Only available for OpenShift clusters.
# reencrypt:
# enabled: true
#
# # Additional volume mounts for the Central container. Only few people will require this.
# extraMounts:
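Review bot: The example documents only `reencrypt.enabled`, while the config shape in this PR also adds `reencrypt.host` and a `reencrypt.tls` block (`caCertificate`, `certificate`, `destinationCACertificate`, `key`), so a reader of values.yaml has no hint that a custom serving certificate can be supplied or that `destinationCACertificate` otherwise appears to default to Central's CA in `_init.tpl.htpl`. Add a commented example under `reencrypt:` listing those keys, including a caveat such as `# tls.key is a private key; it is written into the Route object, so restrict read access to Routes accordingly.` and a note that the serving certificate, when supplied, should cover `host`.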