From 797597248355d90546cd3664cf822359be15f5c3 Mon Sep 17 00:00:00 2001 From: Philipp Eder Date: Mon, 23 Oct 2023 14:06:00 +0200 Subject: [PATCH] Change: ingress example within openvasd Changes ingress example within values of openvasd to be traefik for a single http instance. --- charts/openvasd/README.md | 8 ++++++ charts/openvasd/http-root.yaml | 24 +++++++++++++++++ charts/openvasd/templates/deployment.yaml | 12 +++++++++ charts/openvasd/values.yaml | 32 ++++++++++++++--------- 4 files changed, 63 insertions(+), 13 deletions(-) create mode 100644 charts/openvasd/http-root.yaml diff --git a/charts/openvasd/README.md b/charts/openvasd/README.md index 9afc351410..6855aacc51 100644 --- a/charts/openvasd/README.md +++ b/charts/openvasd/README.md @@ -27,6 +27,14 @@ helm install openvasd ./openvasd/ -f openvasd/values.yaml -f ~/openvasd.yaml it will use `nichtsfrei/openvas-scanner` instead of `greenbone/openvas-scanner`. +# Preconfigured deployment scenarios + +## http single instance + +To deploy openvasd as http intance on the root path execute: +``` +helm install --namespace openvasd --create-namespace openvasd openvasd/ --values openvasd/values.yaml --values openvasd/http-root.yaml +``` ## TLS configuration This chart is provided with server certificate and private key for example purposes and they should not be used in production systems. Certificate and key where created with [this scripts](../../rust/examples/tls/Self-Signed mTLS Method) diff --git a/charts/openvasd/http-root.yaml b/charts/openvasd/http-root.yaml new file mode 100644 index 0000000000..6c8a644b45 --- /dev/null +++ b/charts/openvasd/http-root.yaml 
@@ -0,0 +1,24 @@ +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: "traefik" + className: "traefik" + hosts: + # Captures everything of / delegates it to openvasd although this is not feasible + # on deployments that contain multiple http services our current deployment model + # sees a sensor as an own machine. + # Currently it is configures with http instead of https in mind + # Do not use it in production environments. + - paths: + - path: / + pathType: ImplementationSpecific + backend: + service: + name: openvasd + port: + number: 80 +openvasd: + tls: + certificates: + deploy_server: false + deploy_client: false diff --git a/charts/openvasd/templates/deployment.yaml b/charts/openvasd/templates/deployment.yaml index 3e4c312a64..dac5d24aae 100644 --- a/charts/openvasd/templates/deployment.yaml +++ b/charts/openvasd/templates/deployment.yaml @@ -42,12 +42,16 @@ spec: emptyDir: {} - name: ospd-logs emptyDir: {} + {{- if eq .Values.openvasd.tls.certificates.deploy_server true }} - name: server-private-key secret: secretName: server-private-key + {{ end }} + {{- if eq .Values.openvasd.tls.certificates.deploy_client true }} - name: client-certs secret: secretName: client-certs + {{ end }} initContainers: - name: nasl image: "{{ .Values.vulnerabilitytests.repository }}:{{ .Values.vulnerabilitytests.tag }}" @@ -146,12 +150,16 @@ spec: mountPath: /etc/openvas - name: ospd-socket mountPath: /run/ospd/ + {{- if eq .Values.openvasd.tls.certificates.deploy_server true }} - mountPath: "/etc/openvasd/tls/" name: server-private-key readOnly: true + {{ end }} + {{- if eq .Values.openvasd.tls.certificates.deploy_client true }} - mountPath: "/etc/openvasd/clientcerts" name: client-certs readOnly: true + {{ end }} securityContext: capabilities: add: 
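Review bot: The `hosts` entry in this override file has no `host:` key, so the `/` rule applies to every Host header that reaches Traefik, and the whole `hosts` list together with its five-line comment duplicates what values.yaml now ships by default (the two lists are identical apart from `enabled`). Because Helm merges override maps onto the chart defaults, the file could be reduced to `ingress.enabled: true` plus the `openvasd.tls.certificates` block, leaving one place to maintain the rule and its comment (which reads `configures` where `configured` is meant). With `deploy_server: false` the deployment template omits `TLS_CERTS`/`TLS_KEY`, and `ingress.tls` keeps its `[]` default from values.yaml, so the value of `openvasd.apikey` that the deployment passes as `API_KEY` travels in clear between the client and Traefik. If this scenario is meant for anything beyond local testing, populate `ingress.tls` so Traefik terminates TLS, in line with the in-file warning against production use.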
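Review bot: The `{{ end }}` closers added in this hunk, and in the two following hunks for the volume mounts and the `TLS_*` env entries, do not trim whitespace, so each renders as an indented blank line in the manifest; `{{- end }}` keeps the output clean. The client-cert guard is also independent of the server-cert guard, although the comment added to values.yaml in this commit says a client certificate without a server certificate has no effect, so `deploy_client: true` with `deploy_server: false` still mounts the `client-certs` secret and sets `TLS_CLIENT_CERTS` for nothing. `{{- if and .Values.openvasd.tls.certificates.deploy_server .Values.openvasd.tls.certificates.deploy_client }}` on the three client-cert guards would make that dependency explicit in the template rather than only in a comment.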
@@ -169,12 +177,16 @@ spec: value: {{ .Values.openvasd.loglevel | default "INFO" }} - name: API_KEY value: {{ .Values.openvasd.apikey }} + {{- if eq .Values.openvasd.tls.certificates.deploy_server true }} - name: TLS_CERTS value: "/etc/openvasd/tls/certs.pem" - name: TLS_KEY value: "/etc/openvasd/tls/key.pem" + {{ end }} + {{- if eq .Values.openvasd.tls.certificates.deploy_client true }} - name: TLS_CLIENT_CERTS value: "/etc/openvasd/clientcerts/" + {{ end }} - name: ospd image: "{{ .Values.ospd.repository }}:{{ .Values.ospd.tag }}" imagePullPolicy: Always diff --git a/charts/openvasd/values.yaml b/charts/openvasd/values.yaml index e611740ab1..bfd8cea89c 100644 --- a/charts/openvasd/values.yaml +++ b/charts/openvasd/values.yaml @@ -21,6 +21,14 @@ openvasd: # openvasd is provided by the openvas image loglevel: TRACE apikey: changeme + tls: + # enables the server-/client-certs deployment via secret + # templates/client-certs.yaml + # templates/server-certs.yaml + # deplying a client certificate without a server certificate will not have any effect. + certificates: + deploy_server: false + deploy_client: false # Required for version checks notus: 
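Review bot: The comment on the new `certificates` block misspells `deplying` and documents a constraint the templates do not enforce: `deploy_client: true` with `deploy_server: false` still renders the client-certs volume, mount and `TLS_CLIENT_CERTS` in templates/deployment.yaml. Suggest `# Deploying a client certificate without a server certificate has no effect; deploy_server must also be true.` and, if the constraint matters, checking it in the template (for example with `fail`) instead of relying on the comment. The secret names the deployment expects (`server-private-key`, `client-certs`) are not mentioned here; naming them in the comment would help operators who provide their own secrets instead of the ones from templates/server-certs.yaml and templates/client-certs.yaml.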
@@ -87,31 +95,29 @@ service: type: ClusterIP port: 80 -# openvasd listens on root without any service prefix -# in an environment with multiple http services it is -# wisely to configure ingress to rewrite targets to root for openvasd. ingress: enabled: false - className: "nginx" annotations: - nginx.ingress.kubernetes.io/use-regex: "true" - nginx.ingress.kubernetes.io/rewrite-target: /$2 - # kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.class: "traefik" + className: "traefik" hosts: - - host: chart-example.local - paths: - - path: /api/openvasd(/|$)(.*) - pathType: Prefix + # Captures everything of / delegates it to openvasd although this is not feasible + # on deployments that contain multiple http services our current deployment model + # sees a sensor as an own machine. + # Currently it is configures with http instead of https in mind + # Do not use it in production environments. + - paths: + - path: / + pathType: ImplementationSpecific backend: service: name: openvasd port: - number: 3000 + number: 80 tls: [] # - secretName: chart-example-tls # hosts: # - chart-example.local - resources: {} # We usually recommend not to specify default resources and to leave this as a conscious
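Review bot: The commented `tls` example kept below the new `hosts` list still refers to `chart-example.local`, but the `host: chart-example.local` entry is removed in this hunk, so the example no longer matches any configured host; either restore a `host:` on the new entry or update the example. Without a `host:`, the `/` path matches every Host header reaching the Traefik entrypoint, which the comment acknowledges, though `configures` there should read `configured`. Setting both the `kubernetes.io/ingress.class` annotation and `className` selects the class twice; the annotation is deprecated in favour of `spec.ingressClassName` (which `className` presumably feeds through templates/ingress.yaml, not shown), so one of the two is enough. `pathType: ImplementationSpecific` also leaves the match semantics to the controller; `pathType: Prefix` with `path: /` expresses the same intent portably.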