From b3e41fd70400425531ef726f2fa667633e2cb339 Mon Sep 17 00:00:00 2001
From: Sven Tennie
Date: Fri, 10 Mar 2023 17:57:08 +0100
Subject: [PATCH 1/4] Use cert-manager to use HTTPS on inbucket ingress
---
 charts/inbucket/templates/cert.yaml | 28 ++++++++++++++++++++++++++
 charts/inbucket/templates/ingress.yaml | 9 +++++++++
 charts/inbucket/templates/issuer.yaml | 19 +++++++++++++++++
 3 files changed, 56 insertions(+)
 create mode 100644 charts/inbucket/templates/cert.yaml
 create mode 100644 charts/inbucket/templates/issuer.yaml
diff --git a/charts/inbucket/templates/cert.yaml b/charts/inbucket/templates/cert.yaml
new file mode 100644
index 0000000000..6d419a8060
--- /dev/null
+++ b/charts/inbucket/templates/cert.yaml
@@ -0,0 +1,28 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: "letsencrypt-inbucket-csr"
+ namespace: {{ .Release.Namespace }}
+ labels:
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
+spec:
+ issuerRef:
+ name: letsencrypt-http01
+ kind: Issuer
+ usages:
+ - server auth
+ duration: 2160h # 90d, Letsencrypt default; NOTE: changes are ignored by Letsencrypt
+ renewBefore: 360h # 15d
+ isCA: false
+ secretName: letsencrypt-inbucket-secret
+
+ privateKey:
+ algorithm: ECDSA
+ size: 384 # 521 is not supported by Letsencrypt
+ encoding: PKCS1
+ rotationPolicy: Always
+
+ dnsNames:
+ - {{ .Values.host }}
diff --git a/charts/inbucket/templates/ingress.yaml b/charts/inbucket/templates/ingress.yaml
index c2803b4e00..6134e4fe3d 100644
--- a/charts/inbucket/templates/ingress.yaml
+++ b/charts/inbucket/templates/ingress.yaml
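Review bot: `dnsNames` takes `{{ .Values.host }}` unquoted and without `required`, while ingress.yaml in the same patch renders the same value as `{{ required "must specify host" .Values.host | quote }}`; an unset host therefore renders as a bare `- ` (a YAML null list entry) in the Certificate instead of failing at template time, and a host that happens to look like a YAML special would be retyped. Use the same expression here for consistency: `- {{ required "must specify host" .Values.host | quote }}`. The rest of the spec (ECDSA P-384, `rotationPolicy: Always`, 15-day renewal window) reads as intended.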
@@ -10,7 +10,16 @@ metadata:
 app.kubernetes.io/instance: {{ .Release.Name }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
 helm.sh/chart: {{ include "inbucket.chart" . }}
+ annotations:
+ kubernetes.io/ingress.class: nginx
+# {{- if (hasKey .Values "ipAllowList") }}
+# nginx.ingress.kubernetes.io/whitelist-source-range: {{- .Values.ipAllowList }}
+# {{- end }}
 spec:
+ tls:
+ - hosts:
+ - {{ required "must specify host" .Values.host | quote }}
+ secretName: letsencrypt-inbucket-secret
 rules:
 - host: {{ required "must specify host" .Values.host | quote }}
 http:
diff --git a/charts/inbucket/templates/issuer.yaml b/charts/inbucket/templates/issuer.yaml
new file mode 100644
index 0000000000..715484eeb6
--- /dev/null
+++ b/charts/inbucket/templates/issuer.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: letsencrypt-inbucket
+ namespace: {{ .Release.Namespace }}
+spec:
+ acme:
+ # TODO: Replace with prod ACME server
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: {{ required "must specify certManager.certmasterEmail" .Values.certManager.certmasterEmail | quote }}
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-inbucket-key
+ # Enable the HTTP-01 challenge provider
+ solvers:
+ - http01:
+ ingress:
+ class: nginx
From 01cfe2236760fd5d834d7169e5501928067a23cd Mon Sep 17 00:00:00 2001
From: Sven Tennie
Date: Thu, 16 Mar 2023 15:52:46 +0100
Subject: [PATCH 2/4] Use staging server
---
 charts/inbucket/templates/basic-auth-secret.yaml | 15 +++++++++++++++
 charts/inbucket/templates/cert.yaml | 6 +++++-
 charts/inbucket/templates/ingress.yaml | 8 +++++---
 charts/inbucket/templates/issuer.yaml | 10 +++++++++-
 charts/inbucket/values.yaml | 9 +++++++++
 .../templates/certificate.yaml | 4 ----
 6 files changed, 43 insertions(+), 9 deletions(-)
 create mode 100644 charts/inbucket/templates/basic-auth-secret.yaml
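Review bot: The new `kubernetes.io/ingress.class: nginx` annotation is the deprecated way of selecting the controller; for networking.k8s.io/v1 Ingress objects the preferred form is `spec.ingressClassName: nginx`, which is not visible in this hunk (the `spec` block continues past `http:` outside it). Whichever form the cluster's ingress-nginx expects has to agree with `class: nginx` in the http01 solver of issuer.yaml from the same patch, otherwise the challenge Ingress cert-manager creates is likely not served and the certificate referenced by the new `tls` block is never issued. If the annotation is kept on purpose for an older controller, a one-line comment saying so would spare the next reader the same check.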
diff --git a/charts/inbucket/templates/basic-auth-secret.yaml b/charts/inbucket/templates/basic-auth-secret.yaml
new file mode 100644
index 0000000000..9918cbb716
--- /dev/null
+++ b/charts/inbucket/templates/basic-auth-secret.yaml
@@ -0,0 +1,15 @@
+{{- if (hasKey .Values "basicAuthSecret") }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: inbucket-basic-auth
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "inbucket.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ helm.sh/chart: {{ include "inbucket.chart" . }}
+type: Opaque
+data:
+ auth: {{ .Values.basicAuthSecret | b64enc | quote }}
+{{- end }}
diff --git a/charts/inbucket/templates/cert.yaml b/charts/inbucket/templates/cert.yaml
index 6d419a8060..3d6996212f 100644
--- a/charts/inbucket/templates/cert.yaml
+++ b/charts/inbucket/templates/cert.yaml
@@ -7,9 +7,13 @@ metadata:
 chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
 release: "{{ .Release.Name }}"
 heritage: "{{ .Release.Service }}"
+ annotations:
+ # The issuer changes when it's configured to use staging or prod ACME
+ # servers.
+ checksum/issuer: {{ include (print .Template.BasePath "/issuer.yaml") . | sha256sum }}
 spec:
 issuerRef:
- name: letsencrypt-http01
+ name: letsencrypt-inbucket
 kind: Issuer
 usages:
 - server auth
diff --git a/charts/inbucket/templates/ingress.yaml b/charts/inbucket/templates/ingress.yaml
index 6134e4fe3d..1866c5fc6a 100644
--- a/charts/inbucket/templates/ingress.yaml
+++ b/charts/inbucket/templates/ingress.yaml
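Review bot: The `{{- if (hasKey .Values "basicAuthSecret") }}` guard here, and the identical guard in the ingress.yaml hunk of this patch, only tests that the key exists, so a value set to an empty string still renders this Secret with an empty `auth` file and switches the auth annotations on. Testing the value instead, `{{- if .Values.basicAuthSecret }}`, covers both the missing and the empty case with one expression and keeps the two templates in step. The Secret name `inbucket-basic-auth` is also fixed rather than release-derived, so two releases in one namespace would contend for the same object; if that is intentional it deserves a comment.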
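Review bot: The new `checksum/issuer` annotation sits on a cert-manager Certificate, and as far as I know cert-manager does not re-issue on metadata changes, only on `spec` changes, a missing target Secret, or reaching `renewBefore`; so flipping `useStagingACMEServer` rewrites the Issuer but the already-issued certificate stays in place until its renewal window. If the intent is to obtain a fresh certificate as soon as the ACME server changes, that needs a separate step (for example `cmctl renew`), and the comment above the annotation should state what the annotation is expected to achieve rather than only why the Issuer changes. Worth confirming against the cert-manager version in use before relying on this.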
@@ -12,9 +12,11 @@ metadata:
 helm.sh/chart: {{ include "inbucket.chart" . }}
 annotations:
 kubernetes.io/ingress.class: nginx
-# {{- if (hasKey .Values "ipAllowList") }}
-# nginx.ingress.kubernetes.io/whitelist-source-range: {{- .Values.ipAllowList }}
-# {{- end }}
+{{- if (hasKey .Values "basicAuthSecret") }}
+ nginx.ingress.kubernetes.io/auth-type: basic
+ nginx.ingress.kubernetes.io/auth-secret: inbucket-basic-auth
+ nginx.ingress.kubernetes.io/auth-realm: 'Authentication Required - inbucket'
+{{- end }}
 spec:
 tls:
 - hosts:
diff --git a/charts/inbucket/templates/issuer.yaml b/charts/inbucket/templates/issuer.yaml
index 715484eeb6..d3f1d1bc94 100644
--- a/charts/inbucket/templates/issuer.yaml
+++ b/charts/inbucket/templates/issuer.yaml
@@ -3,10 +3,18 @@ kind: Issuer
 metadata:
 name: letsencrypt-inbucket
 namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: {{ include "inbucket.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ helm.sh/chart: {{ include "inbucket.chart" . }}
 spec:
 acme:
- # TODO: Replace with prod ACME server
+{{- if .Values.useStagingACMEServer }}
 server: https://acme-staging-v02.api.letsencrypt.org/directory
+{{- else }}
+ server: https://acme-v02.api.letsencrypt.org/directory
+{{- end }}
 # Email address used for ACME registration
 email: {{ required "must specify certManager.certmasterEmail" .Values.certManager.certmasterEmail | quote }}
 # Name of a secret used to store the ACME account private key
diff --git a/charts/inbucket/values.yaml b/charts/inbucket/values.yaml
index 3bff990c7e..4a15cfa1ab 100644
--- a/charts/inbucket/values.yaml
+++ b/charts/inbucket/values.yaml
@@ -11,3 +11,12 @@ inbucket:
 INBUCKET_WEB_GREETINGFILE: "/config/greeting.html"
 INBUCKET_MAILBOXNAMING: full
 INBUCKET_STORAGE_RETENTIONPERIOD: "72h"
+
+# The production ACME server of let's encrypt has a very strict rate limiting
+# and bans for weeks. Better try with the staging ACME server first.
+useStagingACMEServer: true
+
+# Enables and configures HTTP Basic Auth secret as e.g. created with
+# `htpasswd -bc auth username password`.
+#
+# basicAuthSecret: username:$apr1$3jXFMMZX$z6OOf4eUn1wU.NYJt246u1
diff --git a/charts/nginx-ingress-services/templates/certificate.yaml b/charts/nginx-ingress-services/templates/certificate.yaml
index 58da22ac4d..016639696a 100644
--- a/charts/nginx-ingress-services/templates/certificate.yaml
+++ b/charts/nginx-ingress-services/templates/certificate.yaml
@@ -4,10 +4,6 @@ kind: Certificate
 metadata:
 name: "{{ include "nginx-ingress-services.zone" . | replace "." "-" }}-csr"
 namespace: {{ .Release.Namespace }}
- labels:
- chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
- release: "{{ .Release.Name }}"
- heritage: "{{ .Release.Service }}"
 spec:
 issuerRef:
 name: {{ .Values.tls.issuer.name }}
From 8bb2704b60e4c969b83885a245898fade8f8ec83 Mon Sep 17 00:00:00 2001
From: Sven Tennie
Date: Thu, 16 Mar 2023 16:12:46 +0100
Subject: [PATCH 3/4] Add changelog
---
 changelog.d/2-features/inbucket-tls-and-basic-auth | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 changelog.d/2-features/inbucket-tls-and-basic-auth
diff --git a/changelog.d/2-features/inbucket-tls-and-basic-auth b/changelog.d/2-features/inbucket-tls-and-basic-auth
new file mode 100644
index 0000000000..27ad9c766e
--- /dev/null
+++ b/changelog.d/2-features/inbucket-tls-and-basic-auth
@@ -0,0 +1 @@
+Add TLS and basic authentication to the inbucket (fake webmailer) ingress.
From 6fad79a2b8a65cb1fe1a9a9c63aa10a48122eaa3 Mon Sep 17 00:00:00 2001
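Review bot: The `htpasswd -bc auth username password` example in the new `basicAuthSecret` comment puts the password on the command line, where it ends up in shell history and process listings, and `htpasswd` without `-B` produces the MD5-based `$apr1$` hash shown on the next comment line. Suggest documenting the prompting, bcrypt form instead, `htpasswd -Bc auth username`, with a note to verify a test login against the ingress-nginx version in use since bcrypt support depends on the controller image. A second sentence in the comment should say that the value is a credential and belongs in a `--set` argument or a values file kept out of the repository rather than next to the chart defaults.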
From: Sven Tennie
Date: Thu, 16 Mar 2023 16:20:41 +0100
Subject: [PATCH 4/4] Revert non-sense
---
 charts/nginx-ingress-services/templates/certificate.yaml | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/charts/nginx-ingress-services/templates/certificate.yaml b/charts/nginx-ingress-services/templates/certificate.yaml
index 016639696a..58da22ac4d 100644
--- a/charts/nginx-ingress-services/templates/certificate.yaml
+++ b/charts/nginx-ingress-services/templates/certificate.yaml
@@ -4,6 +4,10 @@ kind: Certificate
 metadata:
 name: "{{ include "nginx-ingress-services.zone" . | replace "." "-" }}-csr"
 namespace: {{ .Release.Namespace }}
+ labels:
+ chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+ release: "{{ .Release.Name }}"
+ heritage: "{{ .Release.Service }}"
 spec:
 issuerRef:
 name: {{ .Values.tls.issuer.name }}