tls: add client identity configuration for mTLS

gremlin-integrations/Chart.yaml

@@ -15,13 +15,13 @@ type: application
 # This is the chart version. This version number should be incremented each time you make changes
 # to the chart and its templates, including the app version.
 # Versions are expected to follow Semantic Versioning (https://semver.org/)
-version: 0.1.2
+version: 0.2.0
 
 # This is the version number of the application being deployed. This version number should be
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "0.0.2"
+appVersion: "0.4.0"
 home: https://www.gremlin.com
 maintainers:
   - name: Gremlin Development

gremlin-integrations/templates/_helpers.tpl

@@ -113,3 +113,88 @@ Create chart name and version as used by the chart label.
 {{- define "gremlin.chart" -}}
 {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
 {{- end -}}
+
+{{/*
+gremlinTlsIdentityValidate fails if more than one identity strategy is fully configured for gremlin
+*/}}
+{{- define "gremlinTlsIdentityValidate" -}}
+{{- $remoteSecret := and .Values.gremlin.tls.identity.remoteSecret.cert .Values.gremlin.tls.identity.remoteSecret.key -}}
+{{- $createSecret := and .Values.gremlin.tls.identity.createSecret.name .Values.gremlin.tls.identity.createSecret.cert .Values.gremlin.tls.identity.createSecret.key -}}
+{{- $existingSecret := and .Values.gremlin.tls.identity.existingSecret.name .Values.gremlin.tls.identity.existingSecret.cert .Values.gremlin.tls.identity.existingSecret.key -}}
+{{- $count := 0 -}}
+{{- if $remoteSecret }}{{- $count = add $count 1 -}}{{- end -}}
+{{- if $createSecret }}{{- $count = add $count 1 -}}{{- end -}}
+{{- if $existingSecret }}{{- $count = add $count 1 -}}{{- end -}}
+{{- if gt (int $count) 1 -}}
+{{- fail "gremlin.tls.identity: only one of remoteSecret, createSecret, or existingSecret should be fully configured" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+gremlinTlsIdentityEnv returns the environment variables needed to configure TLS client identity
+When remoteSecret is configured
+  - sets GREMLIN_TLS_IDENTITY_CERTIFICATE and GREMLIN_TLS_IDENTITY_PRIVATE_KEY to their respective `cert` and `key` values
+When createSecret or existingSecret are configured
+  - sets GREMLIN_TLS_IDENTITY_CERTIFICATE and GREMLIN_TLS_IDENTITY_PRIVATE_KEY to their respective file paths, mounted by gremlinTlsIdentityVolumeMounts
+*/}}
+{{- define "gremlinTlsIdentityEnv" -}}
+{{- if .Values.gremlin.tls.identity.enabled -}}
+{{- include "gremlinTlsIdentityValidate" . -}}
+{{- if and .Values.gremlin.tls.identity.remoteSecret.cert .Values.gremlin.tls.identity.remoteSecret.key -}}
+- name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+  value: {{ .Values.gremlin.tls.identity.remoteSecret.cert | quote }}
+- name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+  value: {{ .Values.gremlin.tls.identity.remoteSecret.key | quote }}
+{{- else if and .Values.gremlin.tls.identity.createSecret.name .Values.gremlin.tls.identity.createSecret.cert .Values.gremlin.tls.identity.createSecret.key -}}
+- name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+  value: /var/lib/gremlin/tls/identity/cert
+- name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+  value: /var/lib/gremlin/tls/identity/key
+{{- else if .Values.gremlin.tls.identity.existingSecret.name -}}
+- name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+  value: /var/lib/gremlin/tls/identity/{{ .Values.gremlin.tls.identity.existingSecret.cert }}
+- name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+  value: /var/lib/gremlin/tls/identity/{{ .Values.gremlin.tls.identity.existingSecret.key }}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+gremlinTlsIdentityVolumeMounts returns the mounts needed to access TLS client identity files
+When createSecret or existingSecret are configured
+  - mounts to designated secret files under /var/lib/gremlin/tls/identity
+*/}}
+{{- define "gremlinTlsIdentityVolumeMounts" -}}
+{{- if .Values.gremlin.tls.identity.enabled -}}
+{{- include "gremlinTlsIdentityValidate" . -}}
+{{- if and .Values.gremlin.tls.identity.createSecret.name .Values.gremlin.tls.identity.createSecret.cert .Values.gremlin.tls.identity.createSecret.key -}}
+- name: gremlin-tls-identity
+  mountPath: /var/lib/gremlin/tls/identity
+  readOnly: true
+{{- else if .Values.gremlin.tls.identity.existingSecret.name -}}
+- name: gremlin-tls-identity
+  mountPath: /var/lib/gremlin/tls/identity
+  readOnly: true
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+gremlinTlsIdentityVolumes returns the volumes that contain TLS client identity files
+When createSecret or existingSecret are configured
+  - defines the volume associated with the designated secret
+*/}}
+{{- define "gremlinTlsIdentityVolumes" -}}
+{{- if .Values.gremlin.tls.identity.enabled -}}
+{{- include "gremlinTlsIdentityValidate" . -}}
+{{- if and .Values.gremlin.tls.identity.createSecret.name .Values.gremlin.tls.identity.createSecret.cert .Values.gremlin.tls.identity.createSecret.key -}}
+- name: gremlin-tls-identity
+  secret:
+    secretName: {{ .Values.gremlin.tls.identity.createSecret.name }}
+{{- else if .Values.gremlin.tls.identity.existingSecret.name -}}
+- name: gremlin-tls-identity
+  secret:
+    secretName: {{ .Values.gremlin.tls.identity.existingSecret.name }}
+{{- end -}}
+{{- end -}}
+{{- end -}}

gremlin-integrations/templates/deployment.yaml

@@ -86,6 +86,9 @@ spec:
             - name: SSL_CERT_DIR
               value: {{ .Values.ssl.certDir }}
           {{- end }}
+          {{- if include "gremlinTlsIdentityEnv" . }}
+          {{- include "gremlinTlsIdentityEnv" . | nindent 12 }}
+          {{- end }}
           {{- with .Values.gremlin.extraEnv }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -100,6 +103,9 @@ spec:
               mountPath: /etc/gremlin/ssl
               readOnly: true
             {{- end }}
+            {{- if include "gremlinTlsIdentityVolumeMounts" . }}
+            {{- include "gremlinTlsIdentityVolumeMounts" . | nindent 12 }}
+            {{- end }}
       volumes:
         {{- if (eq (include "gremlin.secretType" .) "certificate") }}
         - name: gremlin-cert
@@ -111,6 +117,9 @@ spec:
           secret:
             secretName: integrations-ssl-cert-file
         {{ end }}
+        {{- if include "gremlinTlsIdentityVolumes" . }}
+        {{- include "gremlinTlsIdentityVolumes" . | nindent 8 }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

gremlin-integrations/templates/secret-gremlin-tls-identity.yaml

@@ -0,0 +1,18 @@
+{{- if and .Values.gremlin.tls.identity.enabled .Values.gremlin.tls.identity.createSecret.name (and .Values.gremlin.tls.identity.createSecret.cert .Values.gremlin.tls.identity.createSecret.key) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.gremlin.tls.identity.createSecret.name }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "gremlin.name" . }}
+    helm.sh/chart: {{ include "gremlin.chart" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    version: v1
+type: kubernetes.io/Opaque
+data:
+  cert: {{ .Values.gremlin.tls.identity.createSecret.cert | toString | b64enc }}
+  key: {{ .Values.gremlin.tls.identity.createSecret.key | toString | b64enc }}
+{{- end }}

gremlin-integrations/tests/deployment_tls_test.yaml

@@ -0,0 +1,208 @@
+suite: "Gremlin Integrations Deployment TLS Identity Tests"
+templates:
+  - "templates/deployment.yaml"
+
+tests:
+  # gremlin.tls.identity tests
+
+  - it: should not include TLS identity env vars when tls identity is not enabled
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+          any: true
+      - notContains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+          any: true
+
+  - it: should set TLS identity env vars to ARN values when remoteSecret is configured
+    set:
+      gremlin.tls.identity.enabled: true
+      gremlin.tls.identity.remoteSecret.cert: "arn:aws:secretsmanager:us-east-1:123456789:secret:cert"
+      gremlin.tls.identity.remoteSecret.key: "arn:aws:secretsmanager:us-east-1:123456789:secret:key"
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+            value: "arn:aws:secretsmanager:us-east-1:123456789:secret:cert"
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+            value: "arn:aws:secretsmanager:us-east-1:123456789:secret:key"
+
+  - it: should not mount TLS identity volumes when remoteSecret is configured
+    set:
+      gremlin.tls.identity.enabled: true
+      gremlin.tls.identity.remoteSecret.cert: "arn:aws:secretsmanager:us-east-1:123456789:secret:cert"
+      gremlin.tls.identity.remoteSecret.key: "arn:aws:secretsmanager:us-east-1:123456789:secret:key"
+    asserts:
+      - notContains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: gremlin-tls-identity
+            mountPath: /var/lib/gremlin/tls/identity
+            readOnly: true
+      - notContains:
+          path: spec.template.spec.volumes
+          content:
+            name: gremlin-tls-identity
+          any: true
+
+  - it: should set TLS identity env vars to file paths when createSecret is configured
+    set:
+      gremlin.tls.identity.enabled: true
+      gremlin.tls.identity.createSecret.name: gremlin-tls-identity
+      gremlin.tls.identity.createSecret.cert: |
+        -----BEGIN CERTIFICATE-----
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        11111111111111111111111111111111111111111111111111==
+        -----END CERTIFICATE-----
+      gremlin.tls.identity.createSecret.key:
+        -----BEGIN PRIVATE KEY-----
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        11111111111111111111111111111111111111111111111111==
+        -----END PRIVATE KEY-----
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+            value: /var/lib/gremlin/tls/identity/cert
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+            value: /var/lib/gremlin/tls/identity/key
+
+  - it: should mount TLS identity volume when createSecret is configured
+    set:
+      gremlin.tls.identity.enabled: true
+      gremlin.tls.identity.createSecret.name: gremlin-tls-identity
+      gremlin.tls.identity.createSecret.cert: |
+        -----BEGIN CERTIFICATE-----
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        11111111111111111111111111111111111111111111111111==
+        -----END CERTIFICATE-----
+      gremlin.tls.identity.createSecret.key:
+        -----BEGIN PRIVATE KEY-----
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        1111111111111111111111111111111111111111111111111111111111111111
+        11111111111111111111111111111111111111111111111111==
+        -----END PRIVATE KEY-----
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: gremlin-tls-identity
+            mountPath: /var/lib/gremlin/tls/identity
+            readOnly: true
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: gremlin-tls-identity
+            secret:
+              secretName: gremlin-tls-identity
+
+  - it: should set TLS identity env vars to file paths when existingSecret is configured
+    set:
+      gremlin.tls.identity.enabled: true
+      gremlin.tls.identity.existingSecret.name: my-existing-secret
+      gremlin.tls.identity.existingSecret.cert: tls.crt
+      gremlin.tls.identity.existingSecret.key: tls.key
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+            value: /var/lib/gremlin/tls/identity/tls.crt
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+            value: /var/lib/gremlin/tls/identity/tls.key
+
+  - it: should set TLS identity env vars to file paths when existingSecret is customized
+    set:
+      gremlin.tls.identity.enabled: true
+      gremlin.tls.identity.existingSecret.name: my-existing-secret
+      gremlin.tls.identity.existingSecret.cert: custom.crt
+      gremlin.tls.identity.existingSecret.key: custom.key
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GREMLIN_TLS_IDENTITY_CERTIFICATE
+            value: /var/lib/gremlin/tls/identity/custom.crt
+      - contains:
+          path: spec.template.spec.containers[0].env
+          content:
+            name: GREMLIN_TLS_IDENTITY_PRIVATE_KEY
+            value: /var/lib/gremlin/tls/identity/custom.key
+
+  - it: should mount TLS identity volume from existingSecret when configured
+    set:
+      gremlin.tls.identity.enabled: true
+      gremlin.tls.identity.existingSecret.name: my-existing-secret
+      gremlin.tls.identity.existingSecret.cert: tls.crt
+      gremlin.tls.identity.existingSecret.key: tls.key
+    asserts:
+      - contains:
+          path: spec.template.spec.containers[0].volumeMounts
+          content:
+            name: gremlin-tls-identity
+            mountPath: /var/lib/gremlin/tls/identity
+            readOnly: true
+      - contains:
+          path: spec.template.spec.volumes
+          content:
+            name: gremlin-tls-identity
+            secret:
+              secretName: my-existing-secret
+
+  - it: should fail when multiple TLS identity strategies are configured for gremlin
+    set:
+      gremlin.tls.identity.enabled: true
+      gremlin.tls.identity.remoteSecret.cert: "arn:aws:secretsmanager:us-east-1:123456789:secret:cert"
+      gremlin.tls.identity.remoteSecret.key: "arn:aws:secretsmanager:us-east-1:123456789:secret:key"
+      gremlin.tls.identity.createSecret.name: gremlin-tls-identity
+      gremlin.tls.identity.createSecret.cert: "dummy-cert"
+      gremlin.tls.identity.createSecret.key: "dummy-key"
+    asserts:
+      - failedTemplate:
+          errorMessage: "gremlin.tls.identity: only one of remoteSecret, createSecret, or existingSecret should be fully configured"