From 39b7cf5d6ff5a97c67b21da33bd1403461372629 Mon Sep 17 00:00:00 2001 From: Saranya-jena Date: Wed, 10 Jul 2024 16:58:10 +0530 Subject: [PATCH] Updated litmus installation yaml and envs Signed-off-by: Saranya-jena --- chaoscenter/authentication/api/main.go | 12 +-- .../authentication/pkg/utils/configs.go | 6 +- .../server/pkg/grpc/auth_grpc_client.go | 2 +- chaoscenter/graphql/server/server.go | 12 +-- chaoscenter/graphql/server/utils/variables.go | 7 +- .../manifests/litmus-getting-started.yaml | 8 ++ .../manifests/litmus-installation.yaml | 8 ++ .../manifests/litmus-without-resources.yaml | 90 +++++++++++++------ 8 files changed, 94 insertions(+), 51 deletions(-) diff --git a/chaoscenter/authentication/api/main.go b/chaoscenter/authentication/api/main.go index 4f0e837147b..c325ccf97d4 100644 --- a/chaoscenter/authentication/api/main.go +++ b/chaoscenter/authentication/api/main.go @@ -197,17 +197,17 @@ func runRestServer(applicationService services.ApplicationService) { routes.UserRouter(app, applicationService) routes.ProjectRouter(app, applicationService) - log.Infof("Listening and serving HTTP on %s", utils.Port) + log.Infof("Listening and serving HTTP on %s", utils.RestPort) if utils.EnableInternalTls { if utils.TlsCertPath != "" && utils.TlSKeyPath != "" { conf := utils.GetTlsConfig() server := http.Server{ - Addr: utils.PortHttps, + Addr: utils.RestPort, Handler: app, TLSConfig: conf, } - log.Infof("Listening and serving HTTPS on %s", utils.PortHttps) + log.Infof("Listening and serving HTTPS on %s", utils.RestPort) err := server.ListenAndServeTLS("", "") if err != nil { log.Fatalf("Failure to start litmus-portal authentication REST server due to %v", err) 
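Review bot: `Addr: utils.RestPort` here, and `app.Run(utils.RestPort)` in the following hunk, pass the `REST_PORT` value to `net.Listen` unchanged, which requires a `host:port` or `:port` form, yet the manifests in this same patch set `REST_PORT` to bare numbers such as `3000`/`3001`, and a listen address without a colon fails with "missing port in address". The graphql server side prepends the colon itself (`":" + utils.Config.RestPort`), so either do the same here once, e.g. `addr := utils.RestPort` followed by `if !strings.Contains(addr, ":") { addr = ":" + addr }` before both uses, or set the env values to `":3001"`; the same mismatch affects `utils.GrpcPort` in the `runGrpcServerWithTLS` hunk. `runRestServer` begins before this hunk and continues past it.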
@@ -216,8 +216,8 @@ func runRestServer(applicationService services.ApplicationService) {
  log.Fatalf("Failure to start chaoscenter authentication REST server due to empty TLS cert file path and TLS key path")
  }
  } else {
- log.Infof("Listening and serving HTTP on %s", utils.Port)
- err := app.Run(utils.Port)
+ log.Infof("Listening and serving HTTP on %s", utils.RestPort)
+ err := app.Run(utils.RestPort)
  if err != nil {
  log.Fatalf("Failure to start litmus-portal authentication REST server due to %v", err)
  }
@@ -244,7 +244,7 @@ func runGrpcServer(applicationService services.ApplicationService) {
 
  func runGrpcServerWithTLS(applicationService services.ApplicationService) {
  // Starting gRPC server
- lis, err := net.Listen("tcp", utils.GrpcPortHttps)
+ lis, err := net.Listen("tcp", utils.GrpcPort)
  if err != nil {
  log.Fatalf("Failure to start litmus-portal authentication server due to %s", err)
  }
diff --git a/chaoscenter/authentication/pkg/utils/configs.go b/chaoscenter/authentication/pkg/utils/configs.go
index bef38ad4b5c..16aa0356aa7 100644
--- a/chaoscenter/authentication/pkg/utils/configs.go
+++ b/chaoscenter/authentication/pkg/utils/configs.go
@@ -27,11 +27,9 @@ var (
  TlsCertPath = os.Getenv("TLS_CERT_PATH")
  TlSKeyPath = os.Getenv("TLS_KEY_PATH")
  CaCertPath = os.Getenv("CA_CERT_TLS_PATH")
+ RestPort = os.Getenv("REST_PORT")
+ GrpcPort = os.Getenv("GRPC_PORT")
  DBName = "auth"
- Port = ":3000"
- PortHttps = ":3001"
- GrpcPort = ":3030"
- GrpcPortHttps = ":3031"
  UserCollection = "users"
  ProjectCollection = "project"
  AuthConfigCollection = "auth-config"
diff --git a/chaoscenter/graphql/server/pkg/grpc/auth_grpc_client.go b/chaoscenter/graphql/server/pkg/grpc/auth_grpc_client.go
index f719d074bd9..e1b996eefbf 100644
--- a/chaoscenter/graphql/server/pkg/grpc/auth_grpc_client.go
+++ b/chaoscenter/graphql/server/pkg/grpc/auth_grpc_client.go
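Review bot: `RestPort = os.Getenv("REST_PORT")` and `GrpcPort = os.Getenv("GRPC_PORT")` drop the compiled-in `":3000"`/`":3030"` defaults without a fallback, so a deployment that does not set the new variables gets an empty address: `http.Server` and gin's `Run` treat `""` as `":http"` (port 80, which the non-root container user typically cannot bind), and `net.Listen("tcp", "")` picks an ephemeral port for gRPC. Both outcomes are quieter than a missing-configuration error and harder to diagnose than the old fixed ports. Suggest reading the variables through a small helper that restores the previous defaults and documenting the expected `:port` form on the declaration; the `var` block starts before this hunk.
```go
	RestPort = envOrDefault("REST_PORT", ":3000") // ":port" form, as net.Listen expects
	GrpcPort = envOrDefault("GRPC_PORT", ":3030") // ":port" form, as net.Listen expects
	// … unchanged: remaining entries of the var block …

// envOrDefault returns the environment variable key, or def when key is unset or empty.
// (declared at file scope, after the var block)
func envOrDefault(key, def string) string {
	if v := os.Getenv(key); v != "" {
		return v
	}
	return def
}
```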
@@ -30,7 +30,7 @@ func GetAuthGRPCSvcClient(conn *grpc.ClientConn) (protos.AuthRpcServiceClient, * tlsCredential := credentials.NewTLS(conf) // Set up a connection to the server. - conn, err = grpc.NewClient(utils.Config.LitmusAuthGrpcEndpoint+utils.Config.LitmusAuthGrpcPortHttps, grpc.WithTransportCredentials(tlsCredential)) + conn, err = grpc.NewClient(utils.Config.LitmusAuthGrpcEndpoint+utils.Config.LitmusAuthGrpcPort, grpc.WithTransportCredentials(tlsCredential)) if err != nil { logrus.Fatalf("did not connect: %v", err) } diff --git a/chaoscenter/graphql/server/server.go b/chaoscenter/graphql/server/server.go index ca233f6fd6f..bf6a3df67f9 100644 --- a/chaoscenter/graphql/server/server.go +++ b/chaoscenter/graphql/server/server.go @@ -116,7 +116,7 @@ func main() { log.Fatalf("Failure to start chaoscenter authentication REST server due to empty TLS cert file path and TLS key path") } } else { - go startGRPCServer(utils.Config.RpcPort, mongodbOperator) // start GRPC serve + go startGRPCServer(utils.Config.GrpcPort, mongodbOperator) // start GRPC serve } srv := handler.New(generated.NewExecutableSchema(graph.NewConfig(mongodbOperator))) @@ -171,12 +171,12 @@ func main() { if enableHTTPSConnection { if utils.Config.TlsCertPath != "" && utils.Config.TlsKeyPath != "" { - log.Infof("graphql server running at https://localhost:%s", utils.Config.HttpsPort) + log.Infof("graphql server running at https://localhost:%s", utils.Config.RestPort) // configuring TLS config based on provided certificates & keys conf := utils.GetTlsConfig(utils.Config.TlsCertPath, utils.Config.TlsKeyPath, true) server := http.Server{ - Addr: ":" + utils.Config.HttpsPort, + Addr: ":" + utils.Config.RestPort, Handler: router, TLSConfig: conf, } 
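Review bot: The TLS dial now uses `utils.Config.LitmusAuthGrpcPort`, whose struct default is `":3030"`, while the TLS manifests in this patch move the auth server's gRPC listener to `3031` through `GRPC_PORT`; unless the graphql deployment also sets `LITMUS_AUTH_GRPC_PORT` to `":3031"` (not visible in these hunks), the TLS client dials the old plaintext port and exits at startup via `logrus.Fatalf("did not connect: %v", err)`. A comment on the `default:":3030"` tag in variables.go saying it must match the auth server's `GRPC_PORT` would make the coupling explicit, and the three manifests should be checked for that variable. `GetAuthGRPCSvcClient` starts before this hunk and continues past it.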
@@ -188,8 +188,8 @@ func main() {
  log.Fatalf("Failure to start chaoscenter authentication GRPC server due to empty TLS cert file path and TLS key path")
  }
  } else {
- log.Infof("graphql server running at http://localhost:%s", utils.Config.HttpPort)
- log.Fatal(http.ListenAndServe(":"+utils.Config.HttpPort, router))
+ log.Infof("graphql server running at http://localhost:%s", utils.Config.RestPort)
+ log.Fatal(http.ListenAndServe(":"+utils.Config.RestPort, router))
  }
  }
 
@@ -214,7 +214,7 @@ func startGRPCServer(port string, mongodbOperator mongodb.MongoOperator) {
 
  // startGRPCServerWithTLS initializes, registers services to and starts the gRPC server for RPC calls
  func startGRPCServerWithTLS(mongodbOperator mongodb.MongoOperator) {
- lis, err := net.Listen("tcp", ":"+utils.Config.RpcPortHttps)
+ lis, err := net.Listen("tcp", ":"+utils.Config.GrpcPort)
  if err != nil {
  log.Fatal("failed to listen: %w", err)
  }
diff --git a/chaoscenter/graphql/server/utils/variables.go b/chaoscenter/graphql/server/utils/variables.go
index 65f8620fd0b..a9d1f58661b 100644
--- a/chaoscenter/graphql/server/utils/variables.go
+++ b/chaoscenter/graphql/server/utils/variables.go
@@ -23,14 +23,11 @@ type Configuration struct {
  TlsCertB64 string `split_words:"true"`
  LitmusAuthGrpcEndpoint string `split_words:"true" default:"localhost"`
  LitmusAuthGrpcPort string `split_words:"true" default:":3030"`
- LitmusAuthGrpcPortHttps string `split_words:"true" default:":3031"`
  KubeConfigFilePath string `split_words:"true"`
  RemoteHubMaxSize string `split_words:"true"`
  SkipSslVerify string `split_words:"true"`
- HttpPort string `split_words:"true" default:"8080"`
- HttpsPort string `split_words:"true" default:"8081"`
- RpcPort string `split_words:"true" default:"8000"`
- RpcPortHttps string `split_words:"true" default:"8001"`
+ RestPort string `split_words:"true" default:"8080"`
+ GrpcPort string `split_words:"true" default:"8000"`
  InfraCompatibleVersions string `required:"true" split_words:"true"`
  DefaultHubGitURL string `required:"true" default:"https://github.com/litmuschaos/chaos-charts"`
  DefaultHubBranchName string `required:"true" split_words:"true"`
diff --git a/chaoscenter/manifests/litmus-getting-started.yaml b/chaoscenter/manifests/litmus-getting-started.yaml
index 712881fe005..8f26c8bf59e 100644
--- a/chaoscenter/manifests/litmus-getting-started.yaml
+++ b/chaoscenter/manifests/litmus-getting-started.yaml
@@ -253,6 +253,10 @@ spec:
  value: ""
  - name: CA_CERT_TLS_PATH
  value: ""
+ - name: REST_PORT
+ value: 8080
+ - name: GRPC_PORT
+ value: 8000
  ports:
  - containerPort: 8080
  - containerPort: 8000
@@ -353,6 +357,10 @@ spec:
  value: ""
  - name: CA_CERT_TLS_PATH
  value: ""
+ - name: REST_PORT
+ value: 3000
+ - name: GRPC_PORT
+ value: 3030
  ports:
  - containerPort: 3000
  - containerPort: 3030
diff --git a/chaoscenter/manifests/litmus-installation.yaml b/chaoscenter/manifests/litmus-installation.yaml
index 80e295ac1b7..aa214b00b03 100644
--- a/chaoscenter/manifests/litmus-installation.yaml
+++ b/chaoscenter/manifests/litmus-installation.yaml
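Review bot: `value: 8080` and the other new `REST_PORT`/`GRPC_PORT` entries are unquoted integers, but `env[].value` in a Pod spec is a string and the API server rejects a number there with a "cannot unmarshal number ... of type string" error, so the manifest does not apply; quote them as `value: "8080"`. The same defect is in the `@@ -353` hunk below, in both env hunks of litmus-installation.yaml and in the two env hunks of litmus-without-resources.yaml. For the auth-server container (`@@ -353`), the value also has to agree with how the auth binary consumes `REST_PORT` (verbatim as a listen address in this patch), so `"3000"` and `":3000"` are not interchangeable there.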
@@ -279,6 +279,10 @@ spec: value: "/etc/tls/tls.key" - name: CA_CERT_TLS_PATH value: "/etc/tls/ca.crt" + - name: REST_PORT + value: 8081 + - name: GRPC_PORT + value: 8001 ports: - containerPort: 8081 - containerPort: 8001 @@ -386,6 +390,10 @@ spec: value: "/etc/tls/ctls.key" - name: CA_CERT_TLS_PATH value: "/etc/tls/ca.crt" + - name: REST_PORT + value: 3001 + - name: GRPC_PORT + value: 3031 ports: - containerPort: 3001 - containerPort: 3031 diff --git a/chaoscenter/manifests/litmus-without-resources.yaml b/chaoscenter/manifests/litmus-without-resources.yaml index f27e210337c..49e07dfb5f9 100644 --- a/chaoscenter/manifests/litmus-without-resources.yaml +++ b/chaoscenter/manifests/litmus-without-resources.yaml @@ -16,6 +16,13 @@ data: DB_SERVER: mongodb://my-release-mongodb-0.my-release-mongodb-headless:27017,my-release-mongodb-1.my-release-mongodb-headless:27017,my-release-mongodb-2.my-release-mongodb-headless:27017/admin VERSION: "ci" SKIP_SSL_VERIFY: "false" + # Configurations if you are using dex for OAuth + DEX_ENABLED: "false" + OIDC_ISSUER: "http://:32000" + DEX_OAUTH_CALLBACK_URL: "http://:8080/auth/dex/callback" + DEX_OAUTH_CLIENT_ID: "LitmusPortalAuthBackend" + DEX_OAUTH_CLIENT_SECRET: "ZXhhbXBsZS1hcHAtc2VjcmV0" + OAuthJwtSecret: "litmus-oauth@123" --- apiVersion: v1 kind: ConfigMap @@ -57,7 +64,15 @@ data: error_log /var/log/nginx/error.log; server { - listen 8185 default_server; + listen 8185 ssl; + ssl_certificate /etc/tls/tls.crt; + ssl_certificate_key /etc/tls/tls.key; + ssl_protocols TLSv1.2 TLSv1.3; + ssl_client_certificate /etc/tls/ca.crt; + ssl_ciphers HIGH:!aNULL:!MD5; + ssl_prefer_server_ciphers on; + ssl_session_cache shared:SSL:10m; + root /opt/chaos; location /health { 
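Review bot: `DEX_OAUTH_CLIENT_SECRET` and `OAuthJwtSecret` are credentials but are added to the same ConfigMap as ordinary settings, so they are stored and readable in plain text wherever the ConfigMap is; move them to a Secret referenced through `valueFrom.secretKeyRef`, or at minimum label them as sample values that must be replaced (the client secret decodes to `example-app-secret`, and `OIDC_ISSUER` / `DEX_OAUTH_CALLBACK_URL` have empty hosts). A comment such as `# Sample values - replace DEX_OAUTH_CLIENT_SECRET and OAuthJwtSecret before setting DEX_ENABLED to "true"` above `DEX_ENABLED` would make the intent explicit.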
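Review bot: `ssl_client_certificate /etc/tls/ca.crt;` in the nginx `server` block does not by itself enable client-certificate authentication; nginx only checks client certificates when `ssl_verify_client` is set, so as written the directive changes nothing about who may connect. If mutual TLS between browsers/CLI and the frontend is intended, add `ssl_verify_client on;` and expect every client to present a certificate from that CA; if not, drop the directive so the config does not suggest a check that is not performed. A one-line comment next to `listen 8185 ssl;` stating which is meant would help the next reader.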
@@ -79,15 +94,21 @@ data: } location /auth/ { + proxy_ssl_verify off; + proxy_ssl_session_reuse on; proxy_http_version 1.1; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass "http://litmusportal-auth-server-service:9003/"; + proxy_pass "https://litmusportal-auth-server-service:9005/"; + proxy_ssl_certificate /etc/tls/tls.crt; + proxy_ssl_certificate_key /etc/tls/tls.key; } location /api/ { + proxy_ssl_verify off; + proxy_ssl_session_reuse on; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $connection_upgrade; @@ -95,7 +116,9 @@ data: proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; - proxy_pass "http://litmusportal-server-service:9002/"; + proxy_pass "https://litmusportal-server-service:9004/"; + proxy_ssl_certificate /etc/tls/tls.crt; + proxy_ssl_certificate_key /etc/tls/tls.key; } } } @@ -131,10 +154,15 @@ spec: - name: nginx-config mountPath: /etc/nginx/nginx.conf subPath: nginx.conf + - mountPath: /etc/tls + name: tls-secret volumes: - name: nginx-config configMap: name: litmusportal-frontend-nginx-configuration + - name: tls-secret + secret: + secretName: tls-secret --- apiVersion: v1 kind: Service @@ -171,6 +199,9 @@ spec: emptyDir: {} - name: hub-storage emptyDir: {} + - name: tls-secret + secret: + secretName: tls-secret containers: - name: graphql-server image: litmuschaos/litmusportal-server:ci @@ -179,6 +210,8 @@ spec: name: gitops-storage - mountPath: /tmp/version name: hub-storage + - mountPath: /etc/tls + name: tls-secret securityContext: runAsUser: 2000 allowPrivilegeEscalation: false 
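Review bot: `proxy_ssl_verify off;` in the `/auth/` block, and again in `/api/` in the next hunk, means the frontend accepts any certificate from the upstream it now dials over HTTPS, although the CA that signed the backend certificates is already mounted at `/etc/tls/ca.crt`; the hop is encrypted but the upstream is not authenticated. Turn verification on with `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/tls/ca.crt;`, adding an explicit `proxy_ssl_name` only if the certificate's SAN does not carry the service names (nginx takes the default name from the `proxy_pass` host, which should already match). Whether the certificate in `tls-secret` covers `litmusportal-auth-server-service` and `litmusportal-server-service` cannot be seen here and needs confirming before the switch.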
@@ -228,18 +261,20 @@ spec:
  - name: INFRA_COMPATIBLE_VERSIONS
  value: '["ci"]'
  - name: ALLOWED_ORIGINS
- value: ".*"
+ value: ".*" #eg: ^(http://|https://|)litmuschaos.io(:[0-9]+|)?,^(http://|https://|)litmusportal-server-service(:[0-9]+|)?
  - name: ENABLE_INTERNAL_TLS
- value: "false"
+ value: "true"
  - name: TLS_CERT_PATH
- value: ""
+ value: "/etc/tls/tls.crt"
  - name: TLS_KEY_PATH
- value: ""
+ value: "/etc/tls/tls.key"
  - name: CA_CERT_TLS_PATH
- value: ""
+ value: "/etc/tls/ca.crt"
+ - name: REST_PORT
+ value: 8081
+ - name: GRPC_PORT
+ value: 8001
  ports:
- - containerPort: 8080
- - containerPort: 8000
  - containerPort: 8081
  - containerPort: 8001
  imagePullPolicy: Always
@@ -270,12 +305,6 @@ metadata:
  spec:
  type: NodePort
  ports:
- - name: graphql-server
- port: 9002
- targetPort: 8080
- - name: graphql-rpc-server
- port: 8000
- targetPort: 8000
  - name: graphql-server-https
  port: 9004
  targetPort: 8081
@@ -301,9 +330,16 @@ spec:
  labels:
  component: litmusportal-auth-server
  spec:
+ volumes:
+ - name: tls-secret
+ secret:
+ secretName: tls-secret
  automountServiceAccountToken: false
  containers:
  - name: auth-server
+ volumeMounts:
+ - mountPath: /etc/tls
+ name: tls-secret
  image: litmuschaos/litmusportal-auth-server:ci
  securityContext:
  runAsUser: 2000
@@ -327,18 +363,20 @@ spec:
  - name: LITMUS_GQL_GRPC_PORT
  value: ":8000"
  - name: ALLOWED_ORIGINS
- value: ".*"
+ value: "^(http://|https://|)litmuschaos.io(:[0-9]+|)?,^(http://|https://|)litmusportal-server-service(:[0-9]+|)?" #ip needs to added here
  - name: ENABLE_INTERNAL_TLS
- value: "false"
+ value: "true"
  - name: TLS_CERT_PATH
- value: ""
+ value: "/etc/tls/tls.crt"
  - name: TLS_KEY_PATH
- value: ""
+ value: "/etc/tls/ctls.key"
  - name: CA_CERT_TLS_PATH
- value: ""
+ value: "/etc/tls/ca.crt"
+ - name: REST_PORT
+ value: 3001
+ - name: GRPC_PORT
+ value: 3031
  ports:
- - containerPort: 3000
- - containerPort: 3030
  - containerPort: 3001
  - containerPort: 3031
  imagePullPolicy: Always
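Review bot: The `ALLOWED_ORIGINS` value `^(http://|https://|)litmuschaos.io(:[0-9]+|)?,...` in the auth-server hunk (`@@ -327`) is looser than it reads if the server compiles these as regular expressions: the dot in `litmuschaos.io` is unescaped and neither pattern ends with `$`, so origins that merely start with those strings also pass; escape the dot (`litmuschaos\.io`) and anchor each pattern with `$`. The graphql server in the `@@ -228` hunk keeps `value: ".*"` and only mentions the restrictive pattern in a comment, so the two services in one manifest now apply different origin policies, which should be aligned or explained in that comment. The trailing `#ip needs to added here` should also say which address is meant and that `value` must be edited before applying.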
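Review bot: `TLS_KEY_PATH` is `/etc/tls/ctls.key` for the auth server while the graphql server in `@@ -228` reads `/etc/tls/tls.key`, and both mount the same `tls-secret` at `/etc/tls` (`@@ -301`); the Secret itself is not created by this manifest, so it must carry `tls.crt`, `tls.key`, `ctls.key` and `ca.crt` or the auth server will fail when it loads its key. Either `ctls.key` is deliberate (a separate key for the auth server) and should be documented, or it is a typo for `tls.key` carried over from litmus-installation.yaml. A comment on the new `volumes:` entry listing the keys `tls-secret` must contain, e.g. `# tls-secret must provide tls.crt, tls.key, ctls.key and ca.crt`, would prevent the first-run failure.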
@@ -373,12 +411,6 @@ metadata:
  spec:
  type: NodePort
  ports:
- - name: auth-server
- port: 9003
- targetPort: 3000
- - name: auth-rpc-server
- port: 3030
- targetPort: 3030
  - name: auth-server-https
  port: 9005
  targetPort: 3001