fix(kopia-b2): switch to end-to-end TLS #1582

Merged: 1 commit merged into main from kopia/b2-tls on Nov 12, 2024

Conversation

martinohmann (Owner)

No description provided.

github-actions bot added labels area/kubernetes (Changes made in the kubernetes directory), area/terraform (Changes made in the terraform directory), cluster/main, cluster/storage on Nov 12, 2024

kustomization changes in kubernetes/storage

--- kubernetes/storage/apps/default/kopia/b2 Kustomization: flux-system/kopia-b2 HelmRelease: default/kopia-b2

+++ kubernetes/storage/apps/default/kopia/b2 Kustomization: flux-system/kopia-b2 HelmRelease: default/kopia-b2

@@ -26,76 +26,61 @@

           reloader.stakater.com/auto: 'true'
         containers:
           app:
             args:
             - server
             - start
-            - --insecure
             - --address
-            - 0.0.0.0:80
+            - 0.0.0.0:443
+            - --tls-cert-file
+            - /app/certs/tls.crt
+            - --tls-key-file
+            - /app/certs/tls.key
             - --override-hostname
             - storage.svc.18b.lan
             - --override-username
             - mohmann
-            - --without-password
             - --metrics-listen-addr
             - 0.0.0.0:8080
             envFrom:
             - secretRef:
                 name: kopia-b2-secret
             image:
               repository: docker.io/kopia/kopia
               tag: 0.17.0
             probes:
               liveness:
-                custom: true
-                enabled: true
-                spec:
-                  failureThreshold: 6
-                  httpGet:
-                    path: /
-                    port: 80
-                  initialDelaySeconds: 10
-                  periodSeconds: 10
-                  timeoutSeconds: 10
+                enabled: false
               readiness:
-                custom: true
-                enabled: true
-                spec:
-                  failureThreshold: 6
-                  httpGet:
-                    path: /
-                    port: 80
-                  initialDelaySeconds: 10
-                  periodSeconds: 10
-                  timeoutSeconds: 10
+                enabled: false
               startup:
                 enabled: false
             resources:
               requests:
                 cpu: 5m
                 memory: 128Mi
             securityContext:
               privileged: true
               runAsUser: 0
     ingress:
       app:
         annotations:
-          nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+          nginx.ingress.kubernetes.io/auth-response-headers: Authorization,Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
           nginx.ingress.kubernetes.io/auth-signin: https://kopia-b2.18b.haus/outpost.goauthentik.io/start?rd=$escaped_request_uri
           nginx.ingress.kubernetes.io/auth-snippet: |
             proxy_set_header X-Forwarded-Host $http_host;
           nginx.ingress.kubernetes.io/auth-url: http://authentik-outpost-proxy.identity.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
+          nginx.ingress.kubernetes.io/backend-protocol: GRPCS
         className: internal
         hosts:
         - host: kopia-b2.18b.haus
           paths:
           - path: /
             service:
               identifier: app
-              port: http
+              port: grpcs
         tls:
         - hosts:
           - kopia-b2.18b.haus
     persistence:
       backup:
         globalMounts:
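Review bot: replacing both httpGet probes with `enabled: false` leaves the Deployment with no health signal at all once the listener moves to 443; an httpGet probe with `scheme: HTTPS` would not need the kubelet to trust the Let's Encrypt chain (HTTPS probes skip certificate verification), but it will fail if `/` now answers 401 because `--without-password` is gone, so a `tcpSocket` probe on port 443 is the simplest drop-in replacement. Removing `--without-password` also means `kopia server start` refuses to run without a server password: confirm that `kopia-b2-secret` (the `envFrom` source) supplies it as an environment variable, otherwise the container exits at startup and the only trace is the restart count.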
@@ -105,12 +90,18 @@

         hostPathType: Directory
         type: hostPath
       cache:
         globalMounts:
         - path: /app/cache
         type: emptyDir
+      certs:
+        globalMounts:
+        - path: /app/certs
+          readOnly: true
+        name: kopia-b2-tls
+        type: secret
       config-file:
         globalMounts:
         - path: /app/config/repository.config
           readOnly: true
           subPath: repository.config
         name: kopia-b2-repository-secret
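Review bot: the new `certs` secret mount only works across renewals because of the existing `reloader.stakater.com/auto: 'true'` annotation on this pod, which restarts the Deployment when `kopia-b2-tls` changes; without it Kopia would keep serving the certificate it read at startup until the 90-day Let's Encrypt lifetime ran out. That coupling is not obvious from this block, so a one-line comment next to the `certs` entry naming the reloader dependency would save the next reader a debugging session.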
@@ -126,20 +117,29 @@

         hostPathType: Directory
         type: hostPath
     service:
       app:
         controller: kopia-b2
         ports:
-          http:
-            port: 80
+          grpcs:
+            port: 443
           metrics:
             port: 8080
+      repo:
+        annotations:
+          external-dns.alpha.kubernetes.io/hostname: repo.kopia-b2.18b.haus
+          io.cilium/lb-ipam-ips: 192.168.40.155
+        controller: kopia-b2
+        ports:
+          grpcs:
+            port: 443
+        type: LoadBalancer
     serviceMonitor:
       app:
         endpoints:
         - interval: 1m
           path: /metrics
           port: metrics
           scheme: http
           scrapeTimeout: 10s
-        serviceName: kopia-b2
+        serviceName: kopia-b2-app
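Review bot: the new `repo` Service of type LoadBalancer (192.168.40.155, `repo.kopia-b2.18b.haus`) exposes Kopia's port 443 directly on the LAN and therefore bypasses the authentik forward-auth that guards the `app` Service behind the ingress; the only control on that path is Kopia's own server username/password over TLS, so that credential must be strong and the intentional exposure deserves a sentence in the PR description, which is currently empty.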
 
--- kubernetes/storage/apps/default/kopia/b2 Kustomization: flux-system/kopia-b2 Certificate: default/kopia-b2

+++ kubernetes/storage/apps/default/kopia/b2 Kustomization: flux-system/kopia-b2 Certificate: default/kopia-b2

@@ -0,0 +1,20 @@

+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  labels:
+    app.kubernetes.io/name: kopia-b2
+    kustomize.toolkit.fluxcd.io/name: kopia-b2
+    kustomize.toolkit.fluxcd.io/namespace: flux-system
+  name: kopia-b2
+  namespace: default
+spec:
+  commonName: kopia-b2.18b.haus
+  dnsNames:
+  - kopia-b2.18b.haus
+  - repo.kopia-b2.18b.haus
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt-production
+  secretName: kopia-b2-tls
+
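Review bot: the Certificate sets no `privateKey.rotationPolicy`, so cert-manager reuses the same private key on every renewal (the default is `Never`); given that this key now lives in a privileged root container and is served on a LAN-facing LoadBalancer, add `privateKey: {rotationPolicy: Always}` so each Let's Encrypt renewal also rotates the key. The `dnsNames` correctly cover `repo.kopia-b2.18b.haus`, so direct clients of the repo Service get a name-matching certificate; note that no cluster-internal name (for example `kopia-b2-app.default.svc`) is included, so any in-cluster caller must use the public name or skip verification.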
--- kubernetes/storage/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/kopia-b2

+++ kubernetes/storage/apps Kustomization: flux-system/cluster-apps Kustomization: flux-system/kopia-b2

@@ -12,12 +12,14 @@

     labels:
       app.kubernetes.io/name: kopia-b2
   decryption:
     provider: sops
     secretRef:
       name: sops-age
+  dependsOn:
+  - name: cert-manager-issuers
   interval: 30m
   path: ./kubernetes/storage/apps/default/kopia/b2
   postBuild:
     substituteFrom:
     - kind: Secret
       name: cluster-secrets
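Review bot: `dependsOn: cert-manager-issuers` guarantees only that the `letsencrypt-production` ClusterIssuer exists before this Kustomization applies; it does not wait for the Certificate to become Ready, so on a fresh reconcile the Deployment will sit in ContainerCreating until `kopia-b2-tls` is issued, because the secret volume blocks pod start. That is acceptable behaviour, but with both probes now disabled there is no readiness status to tell "waiting for certificate" apart from "running", so it is worth a note in the description.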


helmrelease changes in kubernetes/storage

--- HelmRelease: default/kopia-b2 Service: default/kopia-b2

+++ HelmRelease: default/kopia-b2 Service: default/kopia-b2

@@ -1,26 +0,0 @@

----
-apiVersion: v1
-kind: Service
-metadata:
-  name: kopia-b2
-  labels:
-    app.kubernetes.io/instance: kopia-b2
-    app.kubernetes.io/managed-by: Helm
-    app.kubernetes.io/name: kopia-b2
-    app.kubernetes.io/service: kopia-b2
-spec:
-  type: ClusterIP
-  ports:
-  - port: 80
-    targetPort: 80
-    protocol: TCP
-    name: http
-  - port: 8080
-    targetPort: 8080
-    protocol: TCP
-    name: metrics
-  selector:
-    app.kubernetes.io/component: kopia-b2
-    app.kubernetes.io/instance: kopia-b2
-    app.kubernetes.io/name: kopia-b2
-
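Review bot: the rendered `kopia-b2` Service disappears and is replaced by `kopia-b2-app` and `kopia-b2-repo`; the ServiceMonitor in this PR follows the rename, but any other consumer of `kopia-b2.default.svc` (dashboards, network policies, other workloads) will break without an error at apply time, so grep the repository for the old Service name before merging.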
--- HelmRelease: default/kopia-b2 Deployment: default/kopia-b2

+++ HelmRelease: default/kopia-b2 Deployment: default/kopia-b2

@@ -35,43 +35,29 @@

       hostPID: false
       dnsPolicy: ClusterFirst
       containers:
       - args:
         - server
         - start
-        - --insecure
         - --address
-        - 0.0.0.0:80
+        - 0.0.0.0:443
+        - --tls-cert-file
+        - /app/certs/tls.crt
+        - --tls-key-file
+        - /app/certs/tls.key
         - --override-hostname
         - storage.svc.18b.lan
         - --override-username
         - mohmann
-        - --without-password
         - --metrics-listen-addr
         - 0.0.0.0:8080
         envFrom:
         - secretRef:
             name: kopia-b2-secret
         image: docker.io/kopia/kopia:0.17.0
-        livenessProbe:
-          failureThreshold: 6
-          httpGet:
-            path: /
-            port: 80
-          initialDelaySeconds: 10
-          periodSeconds: 10
-          timeoutSeconds: 10
         name: app
-        readinessProbe:
-          failureThreshold: 6
-          httpGet:
-            path: /
-            port: 80
-          initialDelaySeconds: 10
-          periodSeconds: 10
-          timeoutSeconds: 10
         resources:
           requests:
             cpu: 5m
             memory: 128Mi
         securityContext:
           privileged: true
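Review bot: with the rendered Deployment now carrying the TLS private key at `/app/certs/tls.key`, the unchanged `privileged: true` and `runAsUser: 0` securityContext carries more weight than before: any container escape also yields a valid certificate for `kopia-b2.18b.haus` and `repo.kopia-b2.18b.haus`. Privileged is presumably there for the `/io/backup` hostPath; if so, a follow-up that drops `privileged` in favour of the minimal capability or `fsGroup` the hostPath actually needs would shrink that blast radius.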
@@ -79,12 +65,15 @@

         volumeMounts:
         - mountPath: /io/backup
           name: backup
           readOnly: true
         - mountPath: /app/cache
           name: cache
+        - mountPath: /app/certs
+          name: certs
+          readOnly: true
         - mountPath: /app/config/repository.config
           name: config-file
           readOnly: true
           subPath: repository.config
         - mountPath: /app/logs
           name: logs
@@ -94,12 +83,15 @@

       - hostPath:
           path: /io/backup
           type: Directory
         name: backup
       - emptyDir: {}
         name: cache
+      - name: certs
+        secret:
+          secretName: kopia-b2-tls
       - name: config-file
         secret:
           secretName: kopia-b2-repository-secret
       - emptyDir: {}
         name: logs
       - hostPath:
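Review bot: the rendered `certs` volume has no `defaultMode`, so `tls.key` lands with the Kubernetes default of 0644 inside the container; set `defaultMode: 0400` on the `certs` persistence entry (the app-template chart exposes that option for secret volumes) so the key is readable only by the Kopia process's user. With `runAsUser: 0` it changes nothing today, but it is the right default if the container is ever de-privileged.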
--- HelmRelease: default/kopia-b2 Ingress: default/kopia-b2

+++ HelmRelease: default/kopia-b2 Ingress: default/kopia-b2

@@ -5,17 +5,18 @@

   name: kopia-b2
   labels:
     app.kubernetes.io/instance: kopia-b2
     app.kubernetes.io/managed-by: Helm
     app.kubernetes.io/name: kopia-b2
   annotations:
-    nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+    nginx.ingress.kubernetes.io/auth-response-headers: Authorization,Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
     nginx.ingress.kubernetes.io/auth-signin: https://kopia-b2.18b.haus/outpost.goauthentik.io/start?rd=$escaped_request_uri
     nginx.ingress.kubernetes.io/auth-snippet: |
       proxy_set_header X-Forwarded-Host $http_host;
     nginx.ingress.kubernetes.io/auth-url: http://authentik-outpost-proxy.identity.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
+    nginx.ingress.kubernetes.io/backend-protocol: GRPCS
 spec:
   ingressClassName: internal
   tls:
   - hosts:
     - kopia-b2.18b.haus
   rules:
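Review bot: `backend-protocol: GRPCS` encrypts the ingress-nginx to pod hop, but ingress-nginx does not verify the upstream certificate unless told to, so "end-to-end TLS" here means encryption without upstream authentication; if a spoofed pod is in the threat model, add `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"` with a `proxy-ssl-secret` carrying the issuing CA's `ca.crt` and `proxy-ssl-name: kopia-b2.18b.haus` (the cert has no in-cluster SAN), and confirm those annotations are honoured for gRPC backends. Adding `Authorization` to `auth-response-headers` copies whatever the authentik outpost returns in that header onto the upstream request, presumably to hand Kopia the server credentials now that `--without-password` is gone; that makes the authentik provider a second holder of the server password, so keep it and `kopia-b2-secret` in sync when rotating.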
@@ -23,10 +24,10 @@

     http:
       paths:
       - path: /
         pathType: Prefix
         backend:
           service:
-            name: kopia-b2
+            name: kopia-b2-app
             port:
-              number: 80
+              number: 443
 
--- HelmRelease: default/kopia-b2 ServiceMonitor: default/kopia-b2

+++ HelmRelease: default/kopia-b2 ServiceMonitor: default/kopia-b2

@@ -11,13 +11,13 @@

   jobLabel: kopia-b2
   namespaceSelector:
     matchNames:
     - default
   selector:
     matchLabels:
-      app.kubernetes.io/service: kopia-b2
+      app.kubernetes.io/service: kopia-b2-app
       app.kubernetes.io/name: kopia-b2
       app.kubernetes.io/instance: kopia-b2
   endpoints:
   - interval: 1m
     path: /metrics
     port: metrics
--- HelmRelease: default/kopia-b2 Service: default/kopia-b2-app

+++ HelmRelease: default/kopia-b2 Service: default/kopia-b2-app

@@ -0,0 +1,26 @@

+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kopia-b2-app
+  labels:
+    app.kubernetes.io/instance: kopia-b2
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: kopia-b2
+    app.kubernetes.io/service: kopia-b2-app
+spec:
+  type: ClusterIP
+  ports:
+  - port: 443
+    targetPort: 443
+    protocol: TCP
+    name: grpcs
+  - port: 8080
+    targetPort: 8080
+    protocol: TCP
+    name: metrics
+  selector:
+    app.kubernetes.io/component: kopia-b2
+    app.kubernetes.io/instance: kopia-b2
+    app.kubernetes.io/name: kopia-b2
+
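Review bot: `kopia-b2-app` still publishes metrics on plaintext port 8080 (the ServiceMonitor scrapes it with `scheme: http`, unchanged in this PR) and Kopia's `--metrics-listen-addr 0.0.0.0:8080` endpoint is unauthenticated, so the TLS switch covers port 443 only; that is fine in-cluster behind a ClusterIP, just make sure 8080 never joins the LoadBalancer Service below.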
--- HelmRelease: default/kopia-b2 Service: default/kopia-b2-repo

+++ HelmRelease: default/kopia-b2 Service: default/kopia-b2-repo

@@ -0,0 +1,25 @@

+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: kopia-b2-repo
+  labels:
+    app.kubernetes.io/instance: kopia-b2
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: kopia-b2
+    app.kubernetes.io/service: kopia-b2-repo
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: repo.kopia-b2.18b.haus
+    io.cilium/lb-ipam-ips: 192.168.40.155
+spec:
+  type: LoadBalancer
+  ports:
+  - port: 443
+    targetPort: 443
+    protocol: TCP
+    name: grpcs
+  selector:
+    app.kubernetes.io/component: kopia-b2
+    app.kubernetes.io/instance: kopia-b2
+    app.kubernetes.io/name: kopia-b2
+
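Review bot: the LoadBalancer Service has no `loadBalancerSourceRanges` and nothing else in this PR limits which LAN hosts can reach 192.168.40.155:443; since this path skips the authentik forward-auth entirely, restrict it to the hosts that actually run Kopia clients, either via `spec.loadBalancerSourceRanges` (if the Cilium LB-IPAM path honours it in this setup) or a CiliumNetworkPolicy on the pod.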


kustomization changes in kubernetes/main

--- kubernetes/main/apps/default/homepage/app Kustomization: flux-system/homepage ConfigMap: default/homepage

+++ kubernetes/main/apps/default/homepage/app Kustomization: flux-system/homepage ConfigMap: default/homepage

@@ -26,17 +26,17 @@

             href: https://unifi.18b.haus
             icon: unifi-controller.png
     - Storage:
         - Filebrowser:
             href: https://filebrowser.18b.haus
             icon: filebrowser.png
-        - Kopia:
-            href: https://kopia.18b.haus
-            icon: kopia.png
         - Kopia (b2):
             href: https://kopia-b2.18b.haus
+            icon: kopia.png
+        - Kopia (local):
+            href: https://kopia.18b.haus
             icon: kopia.png
         - Minio:
             href: https://minio.18b.haus
             icon: minio.png
     - Tools:
         - Zot Registry:

@martinohmann martinohmann merged commit 21e69ea into main Nov 12, 2024
10 checks passed
@martinohmann martinohmann deleted the kopia/b2-tls branch November 12, 2024 18:53