init work on supporting tls ingress on k8s

DitZii · Dec 17, 2023 · 53a143d · 53a143d
1 parent 62449f8
commit 53a143d
Show file tree

Hide file tree

Showing 11 changed files with 100 additions and 13 deletions.
diff --git a/docs/integrations.md b/docs/integrations.md
@@ -654,7 +654,7 @@ metadata:
   name: cr-bunkerweb
 rules:
   - apiGroups: [""]
-    resources: ["services", "pods", "configmaps"]
+    resources: ["services", "pods", "configmaps", "secrets"]
     verbs: ["get", "watch", "list"]
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses"]

diff --git a/misc/integrations/k8s.mariadb.ui.yml b/misc/integrations/k8s.mariadb.ui.yml
@@ -4,7 +4,7 @@ metadata:
   name: cr-bunkerweb
 rules:
   - apiGroups: [""]
-    resources: ["services", "pods", "configmaps"]
+    resources: ["services", "pods", "configmaps", "secrets"]
     verbs: ["get", "watch", "list"]
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses"]

diff --git a/misc/integrations/k8s.mariadb.yml b/misc/integrations/k8s.mariadb.yml
@@ -4,7 +4,7 @@ metadata:
   name: cr-bunkerweb
 rules:
   - apiGroups: [""]
-    resources: ["services", "pods", "configmaps"]
+    resources: ["services", "pods", "configmaps", "secrets"]
     verbs: ["get", "watch", "list"]
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses"]

diff --git a/misc/integrations/k8s.mysql.ui.yml b/misc/integrations/k8s.mysql.ui.yml
@@ -4,7 +4,7 @@ metadata:
   name: cr-bunkerweb
 rules:
   - apiGroups: [""]
-    resources: ["services", "pods", "configmaps"]
+    resources: ["services", "pods", "configmaps", "secrets"]
     verbs: ["get", "watch", "list"]
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses"]

diff --git a/misc/integrations/k8s.mysql.yml b/misc/integrations/k8s.mysql.yml
@@ -4,7 +4,7 @@ metadata:
   name: cr-bunkerweb
 rules:
   - apiGroups: [""]
-    resources: ["services", "pods", "configmaps"]
+    resources: ["services", "pods", "configmaps", "secrets"]
     verbs: ["get", "watch", "list"]
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses"]

diff --git a/misc/integrations/k8s.postgres.ui.yml b/misc/integrations/k8s.postgres.ui.yml
@@ -4,7 +4,7 @@ metadata:
   name: cr-bunkerweb
 rules:
   - apiGroups: [""]
-    resources: ["services", "pods", "configmaps"]
+    resources: ["services", "pods", "configmaps", "secrets"]
     verbs: ["get", "watch", "list"]
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses"]

diff --git a/misc/integrations/k8s.postgres.yml b/misc/integrations/k8s.postgres.yml
@@ -4,7 +4,7 @@ metadata:
   name: cr-bunkerweb
 rules:
   - apiGroups: [""]
-    resources: ["services", "pods", "configmaps"]
+    resources: ["services", "pods", "configmaps", "secrets"]
     verbs: ["get", "watch", "list"]
   - apiGroups: ["networking.k8s.io"]
     resources: ["ingresses"]

diff --git a/src/autoconf/IngressController.py b/src/autoconf/IngressController.py
@@ -121,10 +121,6 @@ def _to_services(self, controller_service) -> List[dict]:
                 location += 1
             services.append(service)
 
-        # parse tls
-        if controller_service.spec.tls:  # TODO: support tls
-            self._logger.warning("Ignoring unsupported tls.")
-
         # parse annotations
         if controller_service.metadata.annotations:
             for service in services:
@@ -142,6 +138,37 @@ def _to_services(self, controller_service) -> List[dict]:
                     variable = variable.replace(f"{server_name}_", "", 1)
                     if self._is_setting_context(variable, "multisite"):
                         service[variable] = value
+
+        # parse tls
+        if controller_service.spec.tls:
+            for tls in controller_service.spec.tls:
+                if tls.hosts and tls.secret_name:
+                    for host in tls.hosts:
+                        for service in services:
+                            if host in service["SERVER_NAME"].split(" "):
+                                secret_tls = self.__corev1.list_secret_for_all_namespaces(
+                                    watch=False,
+                                    field_selector=f"metadata.name={tls.secret_name},metadata.namespace={namespace}",
+                                ).items
+                                if not secret_tls:
+                                    self._logger.warning(
+                                        f"Ignoring tls setting for {host} : secret {tls.secret_name} not found.",
+                                    )
+                                    break
+                                if not secret_tls.data:
+                                    self._logger.warning(
+                                        f"Ignoring tls setting for {host} : secret {tls.secret_name} contains no data.",
+                                    )
+                                    break
+                                if "tls.crt" not in secret_tls.data or "tls.key" not in secret_tls.data:
+                                    self._logger.warning(
+                                        f"Ignoring tls setting for {host} : secret {tls.secret_name} is missing tls data.",
+                                    )
+                                    break
+                                service["USE_CUSTOM_SSL"] = "yes"
+                                service["CUSTOM_SSL_CERT_DATA"] = secret_tls.data["tls.crt"]
+                                service["CUSTOM_SSL_KEY_DATA"] = secret_tls.data["tls.key"]
+                                break
         return services
 
     def _get_static_services(self) -> List[dict]:

diff --git a/src/common/core/customcert/confs/server-http/custom-cert.conf b/src/common/core/customcert/confs/server-http/custom-cert.conf
@@ -31,5 +31,4 @@ ssl_dhparam /etc/nginx/dhparam;
 ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
 {% endif %}
 
-{% endif %}
-{% endif %}
+{% endif %}
diff --git a/src/common/core/customcert/jobs/custom-cert.py b/src/common/core/customcert/jobs/custom-cert.py
@@ -6,6 +6,7 @@
 from sys import exit as sys_exit, path as sys_path
 from traceback import format_exc
 from typing import Optional
+from base64 import b64decode
 
 for deps_path in [
     join(sep, "usr", "share", "bunkerweb", *paths)
@@ -99,6 +100,28 @@ def check_cert(cert_path: str, key_path: str, first_server: Optional[str] = None
         cert_path = getenv("CUSTOM_SSL_CERT", "")
         key_path = getenv("CUSTOM_SSL_KEY", "")
 
+        cert_data = b64decode(getenv("CUSTOM_SSL_CERT_DATA", ""))
+        key_data = b64decode(getenv("CUSTOM_SSL_KEY_DATA", ""))
+        for file, data in [("cert.pem", cert_data), ("key.pem", key_data)]:
+            if data != b"":
+                file_path = Path(
+                    sep,
+                    "var",
+                    "tmp",
+                    "bunkerweb",
+                    "customcert",
+                    file
+                )
+                file_path.parent.mkdir(parents=True, exist_ok=True)
+                file_path.write_bytes(data)
+                if file == "cert.pem":
+                    cert_path = str(file_path)
+                else:
+                    key_path = str(file_path)
+
+        if cert_data != b"":
+            with open()
+
         if cert_path and key_path:
             logger.info(f"Checking certificate {cert_path} ...")
             need_reload = check_cert(cert_path, key_path)
@@ -124,6 +147,26 @@ def check_cert(cert_path: str, key_path: str, first_server: Optional[str] = None
             cert_path = getenv(f"{first_server}_CUSTOM_SSL_CERT", "")
             key_path = getenv(f"{first_server}_CUSTOM_SSL_KEY", "")
 
+            cert_data = b64decode(getenv(f"{first_server}_CUSTOM_SSL_CERT_DATA", ""))
+            key_data = b64decode(getenv(f"{first_server}_CUSTOM_SSL_KEY_DATA", ""))
+            for file, data in [("cert.pem", cert_data), ("key.pem", key_data)]:
+                if data != b"":
+                    file_path = Path(
+                        sep,
+                        "var",
+                        "tmp",
+                        "bunkerweb",
+                        "customcert",
+                        server_name,
+                        file
+                    )
+                    file_path.parent.mkdir(parents=True, exist_ok=True)
+                    file_path.write_bytes(data)
+                    if file == "cert.pem":
+                        cert_path = str(file_path)
+                    else:
+                        key_path = str(file_path)
+
             if cert_path and key_path:
                 logger.info(
                     f"Checking certificate {cert_path} ...",

diff --git a/src/common/core/customcert/plugin.json b/src/common/core/customcert/plugin.json
@@ -31,6 +31,24 @@
       "label": "Key path",
       "regex": "^(/[\\w. \\-]+)*/?$",
       "type": "text"
+    },
+    "CUSTOM_SSL_CERT_DATA": {
+      "context": "multisite",
+      "default": "",
+      "help": "Certificate data encoded in base64.",
+      "id": "custom-https-cert-data",
+      "label": "Certificate data (base64)",
+      "regex": "^.*$",
+      "type": "text"
+    },
+    "CUSTOM_SSL_KEY_DATA": {
+      "context": "multisite",
+      "default": "",
+      "help": "Key data encoded in base64.",
+      "id": "custom-https-key-data",
+      "label": "Key data (base64)",
+      "regex": "^.*$",
+      "type": "text"
     }
   },
   "jobs": [