Change: ingress example within openvasd

Changes ingress example within values of openvasd to be traefik for a single http instance.
greenbone · Oct 23, 2023 · 7975972 · 7975972
1 parent 0899d3f
commit 7975972
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 13 deletions.
diff --git a/charts/openvasd/README.md b/charts/openvasd/README.md
@@ -27,6 +27,14 @@ helm install openvasd ./openvasd/ -f openvasd/values.yaml -f ~/openvasd.yaml
 
 it will use `nichtsfrei/openvas-scanner` instead of `greenbone/openvas-scanner`.
 
+# Preconfigured deployment scenarios
+
+## http single instance
+
+To deploy openvasd as http intance on the root path execute:
+```
+helm install --namespace openvasd --create-namespace openvasd openvasd/ --values openvasd/values.yaml --values openvasd/http-root.yaml
+```
 ## TLS configuration
 
 This chart is provided with server certificate and private key for example purposes and they should not be used in production systems. Certificate and key where created with [this scripts](../../rust/examples/tls/Self-Signed mTLS Method)

diff --git a/charts/openvasd/http-root.yaml b/charts/openvasd/http-root.yaml
@@ -0,0 +1,24 @@
+ingress:
+  enabled: true
+  annotations:
+    kubernetes.io/ingress.class: "traefik"
+  className: "traefik"
+  hosts:
+    # Captures everything of / delegates it to openvasd although this is not feasible
+    # on deployments that contain multiple http services our current deployment model
+    # sees a sensor as an own machine.
+    # Currently it is configures with http instead of https in mind
+    # Do not use it in production environments.
+    - paths:
+        - path: /
+          pathType: ImplementationSpecific 
+          backend:
+            service:
+              name: openvasd
+              port:
+                number: 80
+openvasd: 
+  tls:
+    certificates:
+      deploy_server: false
+      deploy_client: false
diff --git a/charts/openvasd/templates/deployment.yaml b/charts/openvasd/templates/deployment.yaml
@@ -42,12 +42,16 @@ spec:
         emptyDir: {}
       - name: ospd-logs
         emptyDir: {}
+      {{- if eq .Values.openvasd.tls.certificates.deploy_server true }}
       - name: server-private-key
         secret:
           secretName: server-private-key
+      {{ end }}
+      {{- if eq .Values.openvasd.tls.certificates.deploy_client true }}
       - name: client-certs
         secret:
           secretName: client-certs
+      {{ end }}
       initContainers:
       - name: nasl
         image: "{{ .Values.vulnerabilitytests.repository }}:{{ .Values.vulnerabilitytests.tag }}"
@@ -146,12 +150,16 @@ spec:
           mountPath: /etc/openvas
         - name: ospd-socket
           mountPath: /run/ospd/
+        {{- if eq .Values.openvasd.tls.certificates.deploy_server true }}
         - mountPath: "/etc/openvasd/tls/"
           name: server-private-key
           readOnly: true
+        {{ end }}
+        {{- if eq .Values.openvasd.tls.certificates.deploy_client true }}
         - mountPath: "/etc/openvasd/clientcerts"
           name: client-certs
           readOnly: true
+        {{ end }}
         securityContext:
           capabilities:
             add:
@@ -169,12 +177,16 @@ spec:
             value: {{ .Values.openvasd.loglevel | default "INFO" }} 
           - name: API_KEY
             value: {{ .Values.openvasd.apikey }}
+          {{- if eq .Values.openvasd.tls.certificates.deploy_server true }}
           - name: TLS_CERTS
             value: "/etc/openvasd/tls/certs.pem"
           - name: TLS_KEY
             value: "/etc/openvasd/tls/key.pem"
+          {{ end }}
+          {{- if eq .Values.openvasd.tls.certificates.deploy_client true }}
           - name: TLS_CLIENT_CERTS
             value: "/etc/openvasd/clientcerts/"
+          {{ end }}
       - name: ospd
         image: "{{ .Values.ospd.repository }}:{{ .Values.ospd.tag }}"
         imagePullPolicy: Always

diff --git a/charts/openvasd/values.yaml b/charts/openvasd/values.yaml
@@ -21,6 +21,14 @@ openvasd:
   # openvasd is provided by the openvas image
   loglevel: TRACE
   apikey: changeme
+  tls:
+    # enables the server-/client-certs deployment via secret 
+    # templates/client-certs.yaml
+    # templates/server-certs.yaml
+    # deplying a client certificate without a server certificate will not have any effect.
+    certificates:
+      deploy_server: false
+      deploy_client: false
 
 # Required for version checks 
 notus:
@@ -87,31 +95,29 @@ service:
   type: ClusterIP
   port: 80
 
-# openvasd listens on root without any service prefix
-# in an environment with multiple http services it is 
-# wisely to configure ingress to rewrite targets to root for openvasd.
 ingress:
   enabled: false
-  className: "nginx"
   annotations:
-    nginx.ingress.kubernetes.io/use-regex: "true"
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
-    # kubernetes.io/tls-acme: "true"
+    kubernetes.io/ingress.class: "traefik"
+  className: "traefik"
   hosts:
-    - host: chart-example.local
-      paths:
-        - path: /api/openvasd(/|$)(.*)
-          pathType: Prefix
+    # Captures everything of / delegates it to openvasd although this is not feasible
+    # on deployments that contain multiple http services our current deployment model
+    # sees a sensor as an own machine.
+    # Currently it is configures with http instead of https in mind
+    # Do not use it in production environments.
+    - paths:
+        - path: /
+          pathType: ImplementationSpecific 
           backend:
             service:
               name: openvasd
               port:
-                number: 3000
+                number: 80
   tls: []
   #  - secretName: chart-example-tls
   #    hosts:
   #      - chart-example.local
-
 resources:
   {}
   # We usually recommend not to specify default resources and to leave this as a conscious