From affbe07d28729cae9e83df36a2a5dc9980ecf1ca Mon Sep 17 00:00:00 2001 From: Viet Nguyen Duc Date: Fri, 29 Dec 2023 01:31:41 +0530 Subject: [PATCH 1/2] feat(chart): Simplify to enable HTTPS/TLS in Selenium Grid on Kubernetes 
Signed-off-by: Viet Nguyen Duc --- .github/workflows/helm-chart-test.yml | 8 +- .../start-selenium-grid-distributor.sh | 24 ++++++ EventBus/start-selenium-grid-eventbus.sh | 24 ++++++ Hub/start-selenium-grid-hub.sh | 24 ++++++ Makefile | 4 + NodeBase/start-selenium-node.sh | 28 ++++++- NodeDocker/start-selenium-grid-docker.sh | 24 ++++++ Router/start-selenium-grid-router.sh | 24 ++++++ .../start-selenium-grid-session-queue.sh | 24 ++++++ Sessions/start-selenium-grid-sessions.sh | 24 ++++++ Standalone/start-selenium-standalone.sh | 24 ++++++ .../start-selenium-grid-docker.sh | 24 ++++++ charts/selenium-grid/certs/cert.sh | 58 ++++++++++++++ .../selenium-grid/certs/selenium.jks.base64 | 1 + charts/selenium-grid/certs/selenium.pem | 23 ++++++ .../selenium-grid/certs/selenium.pem.base64 | 1 + .../selenium-grid/certs/selenium.pkcs8.base64 | 1 + charts/selenium-grid/templates/_helpers.tpl | 79 ++++++++++++++++--- .../templates/distributor-deployment.yaml | 14 ++++ .../templates/event-bus-deployment.yaml | 14 ++++ .../templates/hub-deployment.yaml | 22 ++++-- charts/selenium-grid/templates/ingress.yaml | 8 +- .../templates/router-deployment.yaml | 20 ++++- .../templates/server-configmap.yaml | 21 +++++ .../templates/session-map-deployment.yaml | 14 ++++ .../templates/session-queuer-deployment.yaml | 14 ++++ .../templates/tls-cert-secret.yaml | 29 +++++++ charts/selenium-grid/values.yaml | 30 +++++++ tests/SeleniumTests/__init__.py | 7 +- tests/SmokeTests/__init__.py | 5 +- tests/bootstrap.sh | 4 + .../ci/DeploymentAutoScaling-values.yaml | 3 +- tests/charts/ci/JobAutoscaling-values.yaml | 20 +---- tests/charts/ci/auth-ingress-values.yaml | 4 +- tests/charts/ci/tls-values.yaml | 8 ++ tests/charts/make/chart_test.sh | 13 ++- tests/charts/refValues/sample-aws.yaml | 2 +- tests/charts/refValues/simplex-minikube.yaml | 9 ++- tests/charts/templates/render/dummy.yaml | 8 +- tests/charts/templates/test.py | 2 +- 40 files changed, 637 insertions(+), 53 deletions(-) create mode 
100755 charts/selenium-grid/certs/cert.sh create mode 100644 charts/selenium-grid/certs/selenium.jks.base64 create mode 100644 charts/selenium-grid/certs/selenium.pem create mode 100644 charts/selenium-grid/certs/selenium.pem.base64 create mode 100644 charts/selenium-grid/certs/selenium.pkcs8.base64 create mode 100644 charts/selenium-grid/templates/server-configmap.yaml create mode 100644 charts/selenium-grid/templates/tls-cert-secret.yaml create mode 100644 tests/charts/ci/tls-values.yaml diff --git a/.github/workflows/helm-chart-test.yml b/.github/workflows/helm-chart-test.yml index 6740317956..42408e0e31 100644 --- a/.github/workflows/helm-chart-test.yml +++ b/.github/workflows/helm-chart-test.yml @@ -13,8 +13,9 @@ jobs: name: Test Helm charts runs-on: ubuntu-latest strategy: + fail-fast: false matrix: - test-strategy: [chart_test, chart_test_parallel_autoscaling] + test-strategy: [chart_test, chart_test_parallel_autoscaling, chart_test_https_tls] steps: - uses: actions/checkout@v4 - name: Output Docker info @@ -24,6 +25,11 @@ jobs: with: python-version: '3.11' check-latest: true + - name: Install CA certificates + run: | + sudo apt install openssl -y + sudo apt install ca-certificates -y + sudo update-ca-certificates --fresh - name: Get branch name (only for push to branch) if: github.event_name == 'push' run: echo "BRANCH=$(echo ${PUSH_BRANCH##*/})" >> $GITHUB_ENV diff --git a/Distributor/start-selenium-grid-distributor.sh b/Distributor/start-selenium-grid-distributor.sh index b0782c3c31..63e7e6c8c7 100755 --- a/Distributor/start-selenium-grid-distributor.sh +++ b/Distributor/start-selenium-grid-distributor.sh 
@@ -59,6 +59,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/EventBus/start-selenium-grid-eventbus.sh b/EventBus/start-selenium-grid-eventbus.sh index a8af2c040a..25c43f10cc 100755 --- a/EventBus/start-selenium-grid-eventbus.sh +++ b/EventBus/start-selenium-grid-eventbus.sh 
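Review bot: The `SE_JAVA_SSL_TRUST_STORE` block echoes `-Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}` to stdout, so the trust store password lands in the container log and in any log pipeline that collects it. The same block defaults `disableHostnameVerification` to `true`, so configuring a trust store turns hostname checking off unless the operator sets `SE_JAVA_DISABLE_HOSTNAME_VERIFICATION` explicitly. I would print the option without its value, `echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=<redacted>"`, and make the default `${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-false}`, leaving the CI values to opt out for the bundled dummy certificate. The identical block is added to the EventBus, Hub, NodeBase, NodeDocker, Router, SessionQueue, Sessions, Standalone and StandaloneDocker start scripts in this patch and needs the same change.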
@@ -24,6 +24,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/Hub/start-selenium-grid-hub.sh b/Hub/start-selenium-grid-hub.sh index e25fe16d4c..e0314aa122 100755 --- a/Hub/start-selenium-grid-hub.sh +++ b/Hub/start-selenium-grid-hub.sh 
@@ -27,6 +27,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/Makefile b/Makefile index f9e55dd2c8..39a4723ecf 100644 --- a/Makefile +++ b/Makefile @@ -397,6 +397,10 @@ chart_test_edge: chart_test_parallel_autoscaling: VERSION=$(TAG_VERSION) NAMESPACE=$(NAMESPACE) ./tests/charts/make/chart_test.sh JobAutoscaling +chart_test_https_tls: + VERSION=$(TAG_VERSION) NAMESPACE=$(NAMESPACE) SELENIUM_GRID_PROTOCOL=https SELENIUM_GRID_PORT=443 \ + ./tests/charts/make/chart_test.sh JobAutoscaling + .PHONY: \ all \ base \ diff --git a/NodeBase/start-selenium-node.sh b/NodeBase/start-selenium-node.sh index 21cd7b9463..6f4888653e 100755 
--- a/NodeBase/start-selenium-node.sh +++ b/NodeBase/start-selenium-node.sh @@ -32,8 +32,8 @@ if [ ! -z "$SE_OPTS" ]; then fi if [ ! -z "$SE_NODE_SESSION_TIMEOUT" ]; then - SE_OPTS="$SE_OPTS --session-timeout $SE_NODE_SESSION_TIMEOUT" - echo "Appending Selenium node session timeout via SE_OPTS: ${SE_OPTS}" + echo "Appending Selenium options: --session-timeout ${SE_NODE_SESSION_TIMEOUT}" + SE_OPTS="$SE_OPTS --session-timeout ${SE_NODE_SESSION_TIMEOUT}" fi if [ ! -z "$SE_LOG_LEVEL" ]; then @@ -41,6 +41,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + if [ "$GENERATE_CONFIG" = true ]; then echo "Generating Selenium Config" /opt/bin/generate_config 
diff --git a/NodeDocker/start-selenium-grid-docker.sh b/NodeDocker/start-selenium-grid-docker.sh index a811780e75..935fbee466 100755 --- a/NodeDocker/start-selenium-grid-docker.sh +++ b/NodeDocker/start-selenium-grid-docker.sh @@ -34,6 +34,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/Router/start-selenium-grid-router.sh b/Router/start-selenium-grid-router.sh index bb848a1c7e..0391769326 100755 --- a/Router/start-selenium-grid-router.sh +++ b/Router/start-selenium-grid-router.sh 
@@ -59,6 +59,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/SessionQueue/start-selenium-grid-session-queue.sh b/SessionQueue/start-selenium-grid-session-queue.sh index 11074afb95..ac6f5a7637 100755 --- a/SessionQueue/start-selenium-grid-session-queue.sh +++ b/SessionQueue/start-selenium-grid-session-queue.sh 
@@ -24,6 +24,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/Sessions/start-selenium-grid-sessions.sh b/Sessions/start-selenium-grid-sessions.sh index 4d34a1a5bf..3a61123885 100755 --- a/Sessions/start-selenium-grid-sessions.sh +++ b/Sessions/start-selenium-grid-sessions.sh 
@@ -39,6 +39,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/Standalone/start-selenium-standalone.sh b/Standalone/start-selenium-standalone.sh index 955cb15f4f..9f8c50baae 100755 --- a/Standalone/start-selenium-standalone.sh +++ b/Standalone/start-selenium-standalone.sh 
@@ -16,6 +16,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + /opt/bin/generate_config echo "Selenium Grid Standalone configuration: " diff --git a/StandaloneDocker/start-selenium-grid-docker.sh b/StandaloneDocker/start-selenium-grid-docker.sh index 8571abc7a8..cf75e52793 100755 --- a/StandaloneDocker/start-selenium-grid-docker.sh +++ b/StandaloneDocker/start-selenium-grid-docker.sh 
@@ -19,6 +19,30 @@ if [ ! -z "$SE_LOG_LEVEL" ]; then SE_OPTS="$SE_OPTS --log-level ${SE_LOG_LEVEL}" fi +if [ ! -z "$SE_EXTERNAL_URL" ]; then + echo "Appending Selenium options: --external-url ${SE_EXTERNAL_URL}" + SE_OPTS="$SE_OPTS --external-url ${SE_EXTERNAL_URL}" +fi + +if [ ! -z "$SE_HTTPS_CERTIFICATE" ]; then + echo "Appending Selenium options: --https-certificate ${SE_HTTPS_CERTIFICATE}" + SE_OPTS="$SE_OPTS --https-certificate ${SE_HTTPS_CERTIFICATE}" +fi + +if [ ! -z "$SE_HTTPS_PRIVATE_KEY" ]; then + echo "Appending Selenium options: --https-private-key ${SE_HTTPS_PRIVATE_KEY}" + SE_OPTS="$SE_OPTS --https-private-key ${SE_HTTPS_PRIVATE_KEY}" +fi + +if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then + echo "Appending Java options: -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStore=${SE_JAVA_SSL_TRUST_STORE}" + echo "Appending Java options: -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djavax.net.ssl.trustStorePassword=${SE_JAVA_SSL_TRUST_STORE_PASSWORD}" + echo "Appending Java options: -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" + SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/charts/selenium-grid/certs/cert.sh b/charts/selenium-grid/certs/cert.sh new file mode 100755 index 0000000000..1544f95794 --- /dev/null +++ b/charts/selenium-grid/certs/cert.sh 
@@ -0,0 +1,58 @@
+# README: This script is used to generate a self-signed certificate for enabling HTTPS/TLS in Selenium Grid
+
+CERTNAME=${1:-selenium}
+STOREPASS=${2:-changeit}
+KEYPASS=${3:-changeit}
+ALIAS=${4:-SeleniumHQ}
+
+# Remove existing files
+rm -f ${CERTNAME}.*
+
+# Create JKS (Java Keystore) - this is used to set for JAVA_OPTS -Djavax.net.ssl.trustStore=
+# The key pass set to JAVA_OPTS -Djavax.net.ssl.trustStorePassword=
+# Dummy cert without correct SAN, DNS, to skip hostname verification by JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=true
+keytool -genkeypair \
+ -alias ${ALIAS} \
+ -keyalg RSA \
+ -v \
+ -dname "CN=SeleniumHQ,OU=Software Freedom Conservancy,O=SeleniumHQ,L=Unknown,ST=Unknown,C=Unknown" \
+ -ext "SAN:c=DNS:localhost,DNS:selenium-grid.local" \
+ -validity 3650 \
+ -storepass ${STOREPASS} \
+ -keypass ${KEYPASS} \
+ -keystore ${CERTNAME}.jks
+
+# Base64 encode JKS file (for Kubernetes Secret)
+base64 -i ${CERTNAME}.jks -w 0 > ${CERTNAME}.jks.base64
+
+# Create PKCS12 from JKS
+keytool -importkeystore -srckeystore ${CERTNAME}.jks \
+ -destkeystore ${CERTNAME}.p12 \
+ -srcstoretype jks \
+ -storepass ${STOREPASS} -keypass ${KEYPASS} -srcstorepass ${STOREPASS} \
+ -deststoretype pkcs12
+
+# Create private key PEM from PKCS12
+openssl pkcs12 -nodes -in ${CERTNAME}.p12 -out ${CERTNAME}.key \
+ -passin pass:${KEYPASS}
+
+# Create private key PKCS8 format (this is used to set for option --https-private-key)
+openssl pkcs8 -in ${CERTNAME}.key -topk8 -nocrypt -out ${CERTNAME}.pkcs8
+
+# Base64 encode PKCS8 file (for Kubernetes Secret)
+base64 -i ${CERTNAME}.pkcs8 -w 0 > ${CERTNAME}.pkcs8.base64
+
+# Create certificate PEM from JKS (this is used to set for option --https-certificate)
+keytool -exportcert -alias ${ALIAS} \
+ -storepass ${STOREPASS} -keypass ${KEYPASS} \
+ -keystore ${CERTNAME}.jks -rfc -file ${CERTNAME}.pem
+
+# Bsae64 encode Certificate PEM file (for Kubernetes Secret)
+base64 -i ${CERTNAME}.pem -w 0 > 
${CERTNAME}.pem.base64 + +# Remove source files (prevent sensitive data leak) +rm -f ${CERTNAME}.key +rm -f ${CERTNAME}.p12 +rm -f ${CERTNAME}.jks +rm -f ${CERTNAME}.pkcs8 +# Retain ${CERTNAME}.pem for client establishing HTTPS connection diff --git a/charts/selenium-grid/certs/selenium.jks.base64 b/charts/selenium-grid/certs/selenium.jks.base64 new file mode 100644 index 0000000000..fbf94d7d8a --- /dev/null +++ b/charts/selenium-grid/certs/selenium.jks.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/charts/selenium-grid/certs/selenium.pem b/charts/selenium-grid/certs/selenium.pem new file mode 100644 index 0000000000..138c1c7723 --- /dev/null +++ b/charts/selenium-grid/certs/selenium.pem 
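Review bot: The output of this script appears to be committed next to it as chart defaults (`selenium.jks.base64`, `selenium.pkcs8.base64`, `selenium.pem`), and the store and key passwords default to `changeit`, so a release that keeps the defaults would serve TLS with a private key that anyone can read from the repository. The header comment should say so, for example `# WARNING: the files generated here and shipped with the chart are a publicly known test key pair; provide your own certificate and key outside CI`. The passwords are also handed to `keytool` and `openssl` as arguments (`-storepass`, `-keypass`, `-passin pass:`), where they are visible in the process list while the script runs; `-passin env:KEYPASS` and keytool's `-storepass:env` form avoid that. Finally, the script has no shebang or `set -e`, so a failed `keytool` or `openssl` step still reaches the cleanup `rm` calls, and `rm -f ${CERTNAME}.*` expands a caller-supplied first argument unquoted; a `#!/usr/bin/env bash` line with `set -euo pipefail` and `"${CERTNAME}"` quoted throughout would be worth adding.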
@@ -0,0 +1,23 @@ +-----BEGIN CERTIFICATE----- +MIID3TCCAsWgAwIBAgIEBJE7TDANBgkqhkiG9w0BAQsFADCBhzEQMA4GA1UEBhMH +VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjETMBEG +A1UEChMKU2VsZW5pdW1IUTElMCMGA1UECxMcU29mdHdhcmUgRnJlZWRvbSBDb25z +ZXJ2YW5jeTETMBEGA1UEAxMKU2VsZW5pdW1IUTAeFw0yNDAxMDIwMDUyMjdaFw0z +MzEyMzAwMDUyMjdaMIGHMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtu +b3duMRAwDgYDVQQHEwdVbmtub3duMRMwEQYDVQQKEwpTZWxlbml1bUhRMSUwIwYD +VQQLExxTb2Z0d2FyZSBGcmVlZG9tIENvbnNlcnZhbmN5MRMwEQYDVQQDEwpTZWxl +bml1bUhRMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnX4ITZb0DyET +xqilk1I/WhC5qrUjo6n23uM9/jkqH8BfvLCw47kWy0IzIbCjJPs3d/epP87aArvN +O7CFkbXoP8TYjAFPVE5Zhd65qmfbPHVhY0b1HdyOxkpHtahJetIFdkeY1ZzjV8zD +0RhqM3px9OsabqH1yx6Nte1C4C/fTzNwYQWZNLkYK+t1wGh2aeyQi166mDRyVauk +xZHoXKhgFK36EoWepBCpl/SWJ7BSP6Zw35vT2AzRCD2KdtOj+6syqAJBUGCisjDk +CipaSJQeFb4xcFkJB+zS2jQQMPPRq7vaW8Y4GppNbQ7MJ9WoCJdlnBCyTfGi9BMM +oP+XaqLeGwIDAQABo08wTTAdBgNVHQ4EFgQUcCyjX3qxVW3HUSjWcbDtZEyKoZsw +LAYDVR0RAQH/BCIwIIIJbG9jYWxob3N0ghNzZWxlbml1bS1ncmlkLmxvY2FsMA0G +CSqGSIb3DQEBCwUAA4IBAQCY30LusrLFc0xzBBijtx/sQZJTPrHZcj301Z8Hl4ik +VjDiwD+Jso1Aw7tZbq+kK52MHrT0bDGZeauJDpGTVRsEktxd/FwOiL8dlbpycb77 +YUGad3pEQsLtKZbA+HCj8whjtaiQdbakrSDvE7/ZGCXdzzIH/dNmoAB5jFf8m7ZB +rH1QU5mkEXXgYIrgRzC56TB5gVKu9KcW2NOwZXqUEx7nvocyekHLgzcmsX6LmbZn +S0liXPlc7yOOhFGA3EOGZCJ47/KEvQyt31lEcWiiqC25nw+1F6JDvkGdIts6I5JX +vuOjs9JGcW55dK6fxgNk7n+N8G8qaLgyHOYR3ceXB4os +-----END CERTIFICATE----- diff --git a/charts/selenium-grid/certs/selenium.pem.base64 b/charts/selenium-grid/certs/selenium.pem.base64 new file mode 100644 index 0000000000..854537f2ca --- /dev/null +++ b/charts/selenium-grid/certs/selenium.pem.base64 @@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/charts/selenium-grid/certs/selenium.pkcs8.base64 b/charts/selenium-grid/certs/selenium.pkcs8.base64 new file mode 100644 index 0000000000..227134266a --- /dev/null +++ b/charts/selenium-grid/certs/selenium.pkcs8.base64 
@@ -0,0 +1 @@ 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 \ No newline at end of file diff --git a/charts/selenium-grid/templates/_helpers.tpl b/charts/selenium-grid/templates/_helpers.tpl index baa2bc3beb..8afc9bf4fe 100644 --- a/charts/selenium-grid/templates/_helpers.tpl +++ b/charts/selenium-grid/templates/_helpers.tpl @@ -1,3 +1,33 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "seleniumGrid.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +*/}} +{{- define "seleniumGrid.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "seleniumGrid.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{/* Common labels */}} @@ -6,7 +36,7 @@ app.kubernetes.io/managed-by: {{ .Release.Service | lower }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/component: {{ printf "selenium-grid-%s" .Chart.AppVersion }} -helm.sh/chart: {{ printf "%s-%s" .Chart.Name (.Chart.Version | replace "+" "_") }} +helm.sh/chart: {{ include "seleniumGrid.chart" . }} {{- end -}} {{/* @@ -72,7 +102,6 @@ Edge node fullname {{- default "selenium-edge-node" .Values.edgeNode.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} - {{/* Ingress fullname */}} 
@@ -80,11 +109,18 @@ Ingress fullname {{- default "selenium-ingress" .Values.ingress.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Protocol of server components +*/}} +{{- define "seleniumGrid.server.protocol" -}} +{{- .Values.tls.enabled | ternary "https" "http" -}} +{{- end -}} + {{/* Probe httpGet schema */}} {{- define "seleniumGrid.probe.httpGet.schema" -}} -{{- "HTTP" -}} +{{- .Values.tls.enabled | ternary "HTTPS" "HTTP" -}} {{- end -}} {{/* @@ -130,6 +166,13 @@ Get probe settings {{- $settings | toYaml -}} {{- end -}} +{{/* +Secret TLS fullname +*/}} +{{- define "seleniumGrid.tls.fullname" -}} +{{- default "selenium-tls-secret" .Values.tls.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{- define "seleniumGrid.ingress.nginx.annotations.default" -}} {{- with .Values.ingress.nginx }} {{- with .proxyTimeout }} @@ -151,6 +194,10 @@ nginx.ingress.kubernetes.io/proxy-buffers-number: {{ . | quote }} {{- end }} {{- end }} {{- end }} +{{- if .Values.tls.enabled }} +nginx.ingress.kubernetes.io/ssl-passthrough: "true" +nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" +{{- end }} {{- end -}} {{/* @@ -262,6 +309,8 @@ template: name: {{ .Values.nodeConfigMap.name }} - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} {{- with .node.extraEnvFrom }} {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} @@ -285,6 +334,11 @@ template: - name: {{ .Values.nodeConfigMap.scriptVolumeMountName }} mountPath: /opt/selenium/{{ .Values.nodeConfigMap.preStopScript }} subPath: {{ .Values.nodeConfigMap.preStopScript }} + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" $ | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath }} + readOnly: true + {{- end }} {{- if .node.extraVolumeMounts }} {{- tpl (toYaml .node.extraVolumeMounts) $ | nindent 10 }} {{- end }} 
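Review bot: In the `seleniumGrid.ingress.nginx.annotations.default` hunk, `nginx.ingress.kubernetes.io/ssl-passthrough: "true"` only takes effect when the ingress-nginx controller itself is started with `--enable-ssl-passthrough`; on a controller without that flag the annotation is ignored and TLS is terminated at the ingress instead of at the Grid component. When passthrough is active the controller forwards the connection at the TCP level, so the L7 annotations this helper emits just above (proxy timeouts, buffer settings) and `backend-protocol: "HTTPS"` stop applying to that host. I would document the controller requirement in the helper, e.g. `{{- /* ssl-passthrough needs the controller flag --enable-ssl-passthrough and bypasses the L7 annotations above */}}`, and consider a separate value for passthrough rather than deriving it from `tls.enabled`.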
@@ -302,7 +356,7 @@ template: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.node.port) .port }} {{- end }} @@ -318,7 +372,7 @@ template: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 12 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.node.port) .port }} {{- end }} @@ -334,7 +388,7 @@ template: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.node.port) .port }} {{- end }} @@ -438,6 +492,11 @@ template: emptyDir: medium: Memory sizeLimit: {{ default "1Gi" .node.dshmVolumeSizeLimit }} + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" $ | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" $ | quote }} + {{- end }} {{- if .node.extraVolumes }} {{ tpl (toYaml .node.extraVolumes) $ | nindent 6 }} {{- end }} @@ -456,7 +515,9 @@ Get the url of the grid. If the external url can be figured out from the ingress {{- define "seleniumGrid.url.schema" -}} {{- $schema := "http" -}} -{{- if .Values.ingress.enabled -}} +{{- if .Values.tls.enabled -}} + {{- $schema = "https" -}} +{{- else if .Values.ingress.enabled -}} {{- if .Values.ingress.tls -}} {{- $schema = "https" -}} {{- end -}} 
@@ -522,14 +583,14 @@ Get the url of the grid. If the external url can be figured out from the ingress Graphql Url of the hub or the router */}} {{- define "seleniumGrid.graphqlURL" -}} -{{- printf "http://%s%s%s/graphql" (include "seleniumGrid.url.basicAuth" .) (printf "%s.%s" (include ($.Values.isolateComponents | ternary "seleniumGrid.router.fullname" "seleniumGrid.hub.fullname") $) (.Release.Namespace)) (printf ":%s" ($.Values.isolateComponents | ternary ($.Values.components.router.port | toString) ($.Values.hub.port | toString))) -}} +{{- printf "%s://%s%s%s/graphql" (include "seleniumGrid.server.protocol" .) (include "seleniumGrid.url.basicAuth" .) (printf "%s.%s" (include ($.Values.isolateComponents | ternary "seleniumGrid.router.fullname" "seleniumGrid.hub.fullname") $) (.Release.Namespace)) (printf ":%s" ($.Values.isolateComponents | ternary ($.Values.components.router.port | toString) ($.Values.hub.port | toString))) -}} {{- end -}} {{/* Graphql unsafeSsl of the hub or the router */}} {{- define "seleniumGrid.graphqlURL.unsafeSsl" -}} -{{- $unsafeSsl := printf "%s" (ternary "false" "true" (contains (include "seleniumGrid.graphqlURL" .) "https")) -}} +{{- $unsafeSsl := printf "%s" (ternary "true" "false" .Values.serverConfigMap.disableHostnameVerification) -}} {{- $unsafeSsl }} {{- end -}} diff --git a/charts/selenium-grid/templates/distributor-deployment.yaml b/charts/selenium-grid/templates/distributor-deployment.yaml index 990e519fb8..117b9e4be7 100644 --- a/charts/selenium-grid/templates/distributor-deployment.yaml +++ b/charts/selenium-grid/templates/distributor-deployment.yaml 
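Review bot: `seleniumGrid.graphqlURL.unsafeSsl` now follows `.Values.serverConfigMap.disableHostnameVerification`, but an `unsafeSsl` switch (presumably consumed by the autoscaler trigger, which is outside this hunk) usually skips certificate validation altogether, not only the hostname check, so one value ends up relaxing more than its name says. A dedicated value for the scaler, or at least a comment on the helper such as `{{/* unsafeSsl disables all certificate validation for the GraphQL client, not just hostname matching */}}`, would make that visible to whoever sets it. `ternary` also expects a real boolean as its last argument, so an unset key or a quoted `"true"` in values would fail rendering; `(eq (toString .Values.serverConfigMap.disableHostnameVerification) "true")` is more tolerant. The GraphQL URL built in the same hunk still embeds the basic-auth credentials from `seleniumGrid.url.basicAuth`, which is worth keeping out of any rendered output that gets logged.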
@@ -49,9 +49,17 @@ spec: name: {{ .Values.busConfigMap.name }} - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }} + readOnly: true + {{- end }} ports: - containerPort: {{ .Values.components.distributor.port }} protocol: TCP @@ -78,4 +86,10 @@ spec: {{- with .Values.components.distributor.priorityClassName }} priorityClassName: {{ . }} {{- end }} + volumes: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- end }} {{- end }} diff --git a/charts/selenium-grid/templates/event-bus-deployment.yaml b/charts/selenium-grid/templates/event-bus-deployment.yaml index 498570c9b8..203a3127ae 100644 --- a/charts/selenium-grid/templates/event-bus-deployment.yaml +++ b/charts/selenium-grid/templates/event-bus-deployment.yaml @@ -45,9 +45,17 @@ spec: envFrom: - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }} + readOnly: true + {{- end }} {{- with .Values.components.eventBus.resources }} resources: {{- toYaml . | nindent 12 }} {{- end }} 
@@ -71,4 +79,10 @@ spec: {{- with .Values.components.eventBus.priorityClassName }} priorityClassName: {{ . }} {{- end }} + volumes: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- end }} {{- end }} diff --git a/charts/selenium-grid/templates/hub-deployment.yaml b/charts/selenium-grid/templates/hub-deployment.yaml index 71473b2097..b2d2f4e25d 100644 --- a/charts/selenium-grid/templates/hub-deployment.yaml +++ b/charts/selenium-grid/templates/hub-deployment.yaml @@ -49,7 +49,7 @@ spec: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.Values.hub.port) .port }} {{- end }} @@ -65,7 +65,7 @@ spec: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.Values.hub.port) .port }} {{- end }} @@ -81,7 +81,7 @@ spec: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.Values.hub.port) .port }} {{- end }} 
@@ -107,11 +107,18 @@ spec: envFrom: - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} {{- with .Values.hub.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} - {{- with .Values.hub.extraVolumeMounts }} volumeMounts: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }} + readOnly: true + {{- end }} + {{- with .Values.hub.extraVolumeMounts }} {{- tpl (toYaml .) $ | nindent 12 }} {{- end }} {{- with .Values.hub.resources }} @@ -137,8 +144,13 @@ spec: {{- with .Values.hub.priorityClassName }} priorityClassName: {{ . }} {{- end }} - {{- with .Values.hub.extraVolumes }} volumes: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- end }} + {{- with .Values.hub.extraVolumes }} {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} {{- end }} diff --git a/charts/selenium-grid/templates/ingress.yaml b/charts/selenium-grid/templates/ingress.yaml index 215cfbacea..907c510e4c 100644 --- a/charts/selenium-grid/templates/ingress.yaml +++ b/charts/selenium-grid/templates/ingress.yaml @@ -32,14 +32,18 @@ spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} ingressClassName: {{ .Values.ingress.className }} {{- end }} - {{- if .Values.ingress.tls }} tls: + {{- if and .Values.tls.enabled (and .Values.ingress.enabled (not .Values.ingress.tls)) }} + - hosts: + - {{ default .Values.tls.defaultCN .Values.ingress.hostname | quote }} + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- else if .Values.ingress.tls }} {{- range .Values.ingress.tls }} - hosts: {{- range .hosts }} - {{ . | quote }} {{- end }} - secretName: {{ .secretName }} + secretName: {{ tpl (.secretName) $ | quote }} {{- end }} {{- end }} rules: 
diff --git a/charts/selenium-grid/templates/router-deployment.yaml b/charts/selenium-grid/templates/router-deployment.yaml index e02829d464..532dfe5d29 100644 --- a/charts/selenium-grid/templates/router-deployment.yaml +++ b/charts/selenium-grid/templates/router-deployment.yaml @@ -61,9 +61,17 @@ spec: envFrom: - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }} + readOnly: true + {{- end }} ports: - containerPort: {{ .Values.components.router.port }} protocol: TCP @@ -74,7 +82,7 @@ spec: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.Values.components.router.port) .port }} {{- end }} @@ -90,7 +98,7 @@ spec: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.Values.components.router.port) .port }} {{- end }} @@ -107,7 +115,7 @@ spec: {{- include "seleniumGrid.probe.fromUserDefine" . | nindent 10 }} {{- else }} httpGet: - scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" .) .schema }} + scheme: {{ default (include "seleniumGrid.probe.httpGet.schema" $) .schema }} path: {{ .path }} port: {{ default ($.Values.components.router.port) .port }} {{- end }} 
@@ -139,4 +147,10 @@ spec: {{- with .Values.components.router.priorityClassName }} priorityClassName: {{ . }} {{- end }} + volumes: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- end }} {{- end }} diff --git a/charts/selenium-grid/templates/server-configmap.yaml b/charts/selenium-grid/templates/server-configmap.yaml new file mode 100644 index 0000000000..f0bb39a394 --- /dev/null +++ b/charts/selenium-grid/templates/server-configmap.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ .Values.serverConfigMap.name }} + namespace: {{ .Release.Namespace }} +{{- with .Values.busConfigMap.annotations }} + annotations: {{- toYaml . | nindent 4 }} +{{- end }} + labels: + {{- include "seleniumGrid.commonLabels" . | nindent 4 }} + {{- with .Values.customLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +data: +{{- if .Values.tls.enabled }} + SE_HTTPS_CERTIFICATE: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.certificateFile | quote }} + SE_HTTPS_PRIVATE_KEY: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.privateKeyFile | quote }} + SE_JAVA_SSL_TRUST_STORE: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.trustStoreFile | quote }} + SE_JAVA_SSL_TRUST_STORE_PASSWORD: {{ .Values.serverConfigMap.trustStorePassword | quote }} + SE_JAVA_DISABLE_HOSTNAME_VERIFICATION: {{ .Values.serverConfigMap.disableHostnameVerification | quote }} +{{- end }} diff --git a/charts/selenium-grid/templates/session-map-deployment.yaml b/charts/selenium-grid/templates/session-map-deployment.yaml index 2edd701e2e..2b04917583 100644 --- a/charts/selenium-grid/templates/session-map-deployment.yaml +++ b/charts/selenium-grid/templates/session-map-deployment.yaml 
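Review bot: `SE_JAVA_SSL_TRUST_STORE_PASSWORD` is written under `data:` of a ConfigMap in the new server-configmap.yaml, so the trust store password is readable by anyone who can read ConfigMaps in the namespace and is printed by `kubectl describe`. It belongs in a Secret pulled in with `secretRef`. The diffstat of patch 2/2 lists a new `templates/secrets.yaml` and a one-line change to this file, which may already move it, but that is outside this hunk. The annotations block also reads `.Values.busConfigMap.annotations`, although values.yaml adds `serverConfigMap.annotations`. That looks like a copy-paste slip and should be `{{- with .Values.serverConfigMap.annotations }}`.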
@@ -38,11 +38,19 @@ spec: envFrom: - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} - configMapRef: name: {{ .Values.busConfigMap.name }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }} + readOnly: true + {{- end }} ports: - containerPort: {{ .Values.components.sessionMap.port }} protocol: TCP @@ -69,4 +77,10 @@ spec: {{- with .Values.components.sessionMap.priorityClassName }} priorityClassName: {{ . }} {{- end }} + volumes: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- end }} {{- end }} diff --git a/charts/selenium-grid/templates/session-queuer-deployment.yaml b/charts/selenium-grid/templates/session-queuer-deployment.yaml index 3792850381..c6cf9e58dd 100644 --- a/charts/selenium-grid/templates/session-queuer-deployment.yaml +++ b/charts/selenium-grid/templates/session-queuer-deployment.yaml @@ -38,9 +38,17 @@ spec: envFrom: - configMapRef: name: {{ .Values.loggingConfigMap.name }} + - configMapRef: + name: {{ .Values.serverConfigMap.name }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} + volumeMounts: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + mountPath: {{ .Values.serverConfigMap.certVolumeMountPath | quote }} + readOnly: true + {{- end }} ports: - containerPort: {{ .Values.components.sessionQueue.port }} protocol: TCP 
@@ -67,4 +75,10 @@ spec: {{- with .Values.components.sessionQueue.priorityClassName }} priorityClassName: {{ . }} {{- end }} + volumes: + {{- if .Values.tls.enabled }} + - name: {{ include "seleniumGrid.tls.fullname" . | quote }} + secret: + secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} + {{- end }} {{- end }} diff --git a/charts/selenium-grid/templates/tls-cert-secret.yaml b/charts/selenium-grid/templates/tls-cert-secret.yaml new file mode 100644 index 0000000000..f025b514be --- /dev/null +++ b/charts/selenium-grid/templates/tls-cert-secret.yaml 
@@ -0,0 +1,29 @@ +{{- if .Values.tls.enabled }} +apiVersion: v1 +kind: Secret +metadata: + annotations: + "restartOnUpdate": "true" + name: {{ include "seleniumGrid.tls.fullname" . }} + labels: + {{- include "seleniumGrid.commonLabels" . | nindent 4 }} + {{- with .Values.customLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +data: +{{- if .Values.tls.generateTLS }} + {{- $name := default "SeleniumHQ" .Values.tls.defaultName -}} + {{- $days := default 365 (.Values.tls.defaultDays | int) -}} + {{- $cn := ternary .Values.tls.defaultCN .Values.ingress.hostname (empty .Values.ingress.hostname) -}} + {{- $server := genSelfSignedCert $cn ( default nil .Values.tls.defaultIPList ) ( default nil .Values.tls.defaultSANList ) $days }} + tls.crt: {{ $server.Cert | b64enc }} + tls.key: {{ $server.Key | b64enc }} +{{- else }} + tls.crt: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.certificateFile) | b64dec) .Values.tls.certificate | b64enc }} + tls.key: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.privateKeyFile) | b64dec) .Values.tls.privateKey | b64enc }} +{{- end }} + {{ .Values.serverConfigMap.privateKeyFile }}: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.privateKeyFile) | b64dec) .Values.tls.privateKey | b64enc }} + {{ .Values.serverConfigMap.certificateFile }}: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.certificateFile) | b64dec) .Values.tls.certificate | b64enc }} + {{ .Values.serverConfigMap.trustStoreFile }}: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.trustStoreFile) | b64dec) .Values.tls.trustStore | b64enc }} +{{- end }} diff --git a/charts/selenium-grid/values.yaml b/charts/selenium-grid/values.yaml index f4a094c16e..540f70000a 100644 --- a/charts/selenium-grid/values.yaml +++ b/charts/selenium-grid/values.yaml 
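Review bot: The `{{- else }}` branch and the three file-named keys after it fall back to `.Files.Get (printf "certs/%s.base64" …)`, so an install with `tls.enabled=true` and no `tls.privateKey` serves TLS with the private key committed in the chart's `certs/` directory, which anyone holding the chart can read. The file-named keys (`privateKeyFile`, `certificateFile`, `trustStoreFile`) also sit outside the `generateTLS` conditional. The pair from `genSelfSignedCert` therefore only fills `tls.crt`/`tls.key`, while the paths that server-configmap.yaml exports as `SE_HTTPS_CERTIFICATE` and `SE_HTTPS_PRIVATE_KEY` still appear to carry the bundled material. I would make the bundled key an explicit opt-in, or at least say so above `data:`, e.g. `{{/* falls back to the publicly known test key in certs/ when tls.privateKey is unset; not for shared environments */}}`. `$name` is assigned but not used in this hunk.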
@@ -17,6 +17,22 @@ global: # Log level for all components. Possible values describe here: https://www.selenium.dev/documentation/grid/configuration/cli_options/#logging logLevel: INFO +tls: + enabled: false + generateTLS: false + defaultName: "SeleniumHQ" + defaultDays: 3650 + defaultCN: "www.selenium.dev" + # or *.domain.com + defaultSANList: [] + # - domain.com + # - production.domain.com + defaultIPList: [] + # - 10.10.10.10 + certificate: + privateKey: + trustStore: + # Basic auth settings for Selenium Grid basicAuth: # Enable or disable basic auth @@ -89,6 +105,20 @@ loggingConfigMap: # Custom annotations for configmap annotations: {} +# ConfigMap that contains common environment variables for Server (https://www.selenium.dev/documentation/grid/configuration/cli_options/#server) +serverConfigMap: + name: selenium-server-config + certVolumeMountPath: /etc/ssl/certs/selenium + certificateFile: selenium.pem + privateKeyFile: selenium.pkcs8 + trustStoreFile: selenium.jks + # Trust store password + trustStorePassword: changeit + # Disable verification the hostname included in the server's TLS/SSL certificates matches the hostnames provided + disableHostnameVerification: true + # Custom annotations for configmap + annotations: {} + # Configuration for isolated components (applied only if `isolateComponents: true`) components: diff --git a/tests/SeleniumTests/__init__.py b/tests/SeleniumTests/__init__.py index 4ca352683f..0938d69394 100644 --- a/tests/SeleniumTests/__init__.py +++ b/tests/SeleniumTests/__init__.py @@ -10,6 +10,7 @@ from selenium.webdriver.edge.options import Options as EdgeOptions from selenium.webdriver.chrome.options import Options as ChromeOptions +SELENIUM_GRID_PROTOCOL = os.environ.get('SELENIUM_GRID_PROTOCOL', 'http') SELENIUM_GRID_HOST = os.environ.get('SELENIUM_GRID_HOST', 'localhost') SELENIUM_GRID_PORT = os.environ.get('SELENIUM_GRID_PORT', '4444') WEB_DRIVER_WAIT_TIMEOUT = int(os.environ.get('WEB_DRIVER_WAIT_TIMEOUT', 60)) 
@@ -95,7 +96,7 @@ def setUp(self): options.add_argument('disable-features=DownloadBubble,DownloadBubbleV2') self.driver = webdriver.Remote( options=options, - command_executor="http://%s:%s" % (SELENIUM_GRID_HOST,SELENIUM_GRID_PORT) + command_executor="%s://%s:%s" % (SELENIUM_GRID_PROTOCOL,SELENIUM_GRID_HOST,SELENIUM_GRID_PORT) ) class EdgeTests(SeleniumGenericTests): @@ -105,7 +106,7 @@ def setUp(self): options.add_argument('disable-features=DownloadBubble,DownloadBubbleV2') self.driver = webdriver.Remote( options=options, - command_executor="http://%s:%s" % (SELENIUM_GRID_HOST,SELENIUM_GRID_PORT) + command_executor="%s://%s:%s" % (SELENIUM_GRID_PROTOCOL,SELENIUM_GRID_HOST,SELENIUM_GRID_PORT) ) @@ -119,7 +120,7 @@ def setUp(self): options.enable_downloads = True self.driver = webdriver.Remote( options=options, - command_executor="http://%s:%s" % (SELENIUM_GRID_HOST,SELENIUM_GRID_PORT) + command_executor="%s://%s:%s" % (SELENIUM_GRID_PROTOCOL,SELENIUM_GRID_HOST,SELENIUM_GRID_PORT) ) def test_title_and_maximize_window(self): diff --git a/tests/SmokeTests/__init__.py b/tests/SmokeTests/__init__.py index a2f74c7fad..2cd737017d 100644 --- a/tests/SmokeTests/__init__.py +++ b/tests/SmokeTests/__init__.py @@ -2,12 +2,13 @@ import unittest import time import json - +from ssl import _create_unverified_context try: from urllib2 import urlopen except ImportError: from urllib.request import urlopen +SELENIUM_GRID_PROTOCOL = os.environ.get('SELENIUM_GRID_PROTOCOL', 'http') SELENIUM_GRID_HOST = os.environ.get('SELENIUM_GRID_HOST', 'localhost') SELENIUM_GRID_PORT = os.environ.get('SELENIUM_GRID_PORT', '4444') SELENIUM_GRID_AUTOSCALING = os.environ.get('SELENIUM_GRID_AUTOSCALING', 'false') 
@@ -28,7 +29,7 @@ def smoke_test_container(self, port): while current_attempts < max_attempts: current_attempts = current_attempts + 1 try: - response = urlopen('http://%s:%s/status' % (SELENIUM_GRID_HOST, port)) + response = urlopen('%s://%s:%s/status' % (SELENIUM_GRID_PROTOCOL, SELENIUM_GRID_HOST, port), context=_create_unverified_context()) status_json = json.loads(response.read()) if not auto_scaling or (auto_scaling and auto_scaling_min_replica > 0): self.assertTrue(status_json['value']['ready'], "Container is not ready on port %s" % port) diff --git a/tests/bootstrap.sh b/tests/bootstrap.sh index 7ce7b8cf48..3d02bf5501 100755 --- a/tests/bootstrap.sh +++ b/tests/bootstrap.sh @@ -11,6 +11,10 @@ python -m pip install selenium==4.16.0 \ docker===6.1.3 \ | grep -v 'Requirement already satisfied' +if [ "${SELENIUM_GRID_PROTOCOL}" = "https" ]; then + export REQUESTS_CA_BUNDLE="${CHART_CERT_PATH}" +fi + python test.py $1 ret_code=$? diff --git a/tests/charts/ci/DeploymentAutoScaling-values.yaml b/tests/charts/ci/DeploymentAutoScaling-values.yaml index b9e5b120ee..08dcf1cb0a 100644 --- a/tests/charts/ci/DeploymentAutoScaling-values.yaml +++ b/tests/charts/ci/DeploymentAutoScaling-values.yaml @@ -35,14 +35,13 @@ chromeNode: extraEnvironmentVariables: &extraEnvironmentVariables - name: SE_OPTS value: "--enable-managed-downloads true" - - name: SE_DRAIN_AFTER_SESSION_COUNT - value: "0" readinessProbe: enabled: &readinessProbe true livenessProbe: enabled: &livenessProbe true # Configuration for edge nodes edgeNode: + port: 8888 # (test): user is able to define extra container ports ports: - containerPort: 5900 diff --git a/tests/charts/ci/JobAutoscaling-values.yaml b/tests/charts/ci/JobAutoscaling-values.yaml index d8fc0bc792..35742e41a5 100644 --- a/tests/charts/ci/JobAutoscaling-values.yaml +++ b/tests/charts/ci/JobAutoscaling-values.yaml 
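Review bot: `context=_create_unverified_context()` turns certificate verification off for every status request and relies on a private name from `ssl`, even though the same patch exports `CHART_CERT_PATH` for the test run. A smoke test that verifies against that file would also catch a broken or mismatched certificate: `ctx = ssl.create_default_context(cafile=os.environ.get('CHART_CERT_PATH'))` followed by `urlopen(url, context=ctx)`, with `import ssl` in place of the private import. If the bundled certificate does not name the test host, `ctx.check_hostname = False` relaxes only the name check and keeps chain validation. `smoke_test_container` starts and ends outside this hunk.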
@@ -11,7 +11,7 @@ autoscaling: # Configuration for chrome nodes chromeNode: nameOverride: my-chrome-name - extraEnvironmentVariables: + extraEnvironmentVariables: &extraEnvironmentVariables - name: SE_OPTS value: "--enable-managed-downloads true" readinessProbe: @@ -21,9 +21,7 @@ chromeNode: # Configuration for edge nodes edgeNode: nameOverride: my-edge-name - extraEnvironmentVariables: - - name: SE_OPTS - value: "--enable-managed-downloads true" + extraEnvironmentVariables: *extraEnvironmentVariables readinessProbe: enabled: *readinessProbe livenessProbe: @@ -31,20 +29,8 @@ edgeNode: # Configuration for firefox nodes firefoxNode: nameOverride: my-firefox-name - extraEnvironmentVariables: - - name: SE_OPTS - value: "--enable-managed-downloads true" + extraEnvironmentVariables: *extraEnvironmentVariables readinessProbe: enabled: *readinessProbe livenessProbe: enabled: *livenessProbe - -ingress: - paths: - - path: /selenium(/|$)(.*) - pathType: ImplementationSpecific - backend: - service: - name: '{{ template "seleniumGrid.hub.fullname" $ }}' - port: - number: 4444 diff --git a/tests/charts/ci/auth-ingress-values.yaml b/tests/charts/ci/auth-ingress-values.yaml index 38bc87e1b3..4ccd0a6f27 100644 --- a/tests/charts/ci/auth-ingress-values.yaml +++ b/tests/charts/ci/auth-ingress-values.yaml @@ -1,5 +1,7 @@ global: K8S_PUBLIC_IP: localhost + seleniumGrid: + logLevel: INFO ingress: annotations: @@ -17,7 +19,7 @@ ingress: pathType: ImplementationSpecific backend: service: - name: '{{ template "seleniumGrid.router.fullname" $ }}' + name: '{{ ternary (include "seleniumGrid.router.fullname" $ ) (include "seleniumGrid.hub.fullname" $ ) $.Values.isolateComponents }}' port: number: 4444 diff --git a/tests/charts/ci/tls-values.yaml b/tests/charts/ci/tls-values.yaml new file mode 100644 index 0000000000..fb42db2ea6 --- /dev/null +++ b/tests/charts/ci/tls-values.yaml 
@@ -0,0 +1,8 @@ +tls: + enabled: true + generateTLS: false + +ingress-nginx: + controller: + extraArgs: + default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret' diff --git a/tests/charts/make/chart_test.sh b/tests/charts/make/chart_test.sh index 194bb60560..617d3ef6e0 100755 --- a/tests/charts/make/chart_test.sh +++ b/tests/charts/make/chart_test.sh @@ -11,6 +11,7 @@ INGRESS_NAMESPACE=${INGRESS_NAMESPACE:-"ingress-nginx"} SUB_PATH=${SUB_PATH:-"/selenium"} CHART_PATH=${CHART_PATH:-"charts/selenium-grid"} TEST_VALUES_PATH=${TEST_VALUES_PATH:-"tests/charts/ci"} +SELENIUM_GRID_PROTOCOL=${SELENIUM_GRID_PROTOCOL:-"http"} SELENIUM_GRID_HOST=${SELENIUM_GRID_HOST:-"localhost"} SELENIUM_GRID_PORT=${SELENIUM_GRID_PORT:-"80"} MATRIX_BROWSER=${1:-"NodeChrome"} @@ -20,6 +21,8 @@ WAIT_TIMEOUT=${WAIT_TIMEOUT:-"90s"} HUB_CHECKS_INTERVAL=${HUB_CHECKS_INTERVAL:-45} WEB_DRIVER_WAIT_TIMEOUT=${WEB_DRIVER_WAIT_TIMEOUT:-120} SKIP_CLEANUP=${SKIP_CLEANUP:-"false"} # For debugging purposes, retain the cluster after the test run +CHART_CERT_PATH=${CHART_CERT_PATH:-"${CHART_PATH}/certs/selenium.pem"} +SSL_CERT_DIR=${SSL_CERT_DIR:-"/etc/ssl/certs"} cleanup() { if [ "${SKIP_CLEANUP}" = "false" ]; then 
@@ -49,11 +52,17 @@ if [ "${SELENIUM_GRID_AUTOSCALING}" = "true" ]; then --set autoscaling.scaledOptions.minReplicaCount=${SELENIUM_GRID_AUTOSCALING_MIN_REPLICA}" fi +HELM_COMMAND_SET_TLS="" +if [ "${SELENIUM_GRID_PROTOCOL}" = "https" ]; then + HELM_COMMAND_SET_TLS="--values ${TEST_VALUES_PATH}/tls-values.yaml" +fi + HELM_COMMAND_ARGS="${RELEASE_NAME} \ --values ${TEST_VALUES_PATH}/auth-ingress-values.yaml \ --values ${TEST_VALUES_PATH}/tracing-values.yaml \ ---values ${TEST_VALUES_PATH}/${MATRIX_BROWSER}-values.yaml \ ${HELM_COMMAND_SET_AUTOSCALING} \ +${HELM_COMMAND_SET_TLS} \ +--values ${TEST_VALUES_PATH}/${MATRIX_BROWSER}-values.yaml \ --set global.seleniumGrid.imageTag=${VERSION} --set global.seleniumGrid.imageRegistry=${NAMESPACE} \ --set global.seleniumGrid.nodesImageTag=${VERSION} \ ${CHART_PATH} --namespace ${SELENIUM_NAMESPACE} --create-namespace" @@ -65,6 +74,8 @@ echo "Deploy Selenium Grid Chart" helm upgrade --install ${HELM_COMMAND_ARGS} echo "Run Tests" +export CHART_CERT_PATH=$(readlink -f ${CHART_CERT_PATH}) +export SELENIUM_GRID_PROTOCOL=${SELENIUM_GRID_PROTOCOL} export SELENIUM_GRID_HOST=${SELENIUM_GRID_HOST} export SELENIUM_GRID_PORT=${SELENIUM_GRID_PORT}""${SUB_PATH} export SELENIUM_GRID_AUTOSCALING=${SELENIUM_GRID_AUTOSCALING} diff --git a/tests/charts/refValues/sample-aws.yaml b/tests/charts/refValues/sample-aws.yaml index 06172f0e36..097eb4277e 100644 --- a/tests/charts/refValues/sample-aws.yaml +++ b/tests/charts/refValues/sample-aws.yaml @@ -22,7 +22,7 @@ ingress: pathType: ImplementationSpecific backend: service: - name: '{{ template "seleniumGrid.router.fullname" $ }}' + name: '{{ ternary (include "seleniumGrid.router.fullname" $ ) (include "seleniumGrid.hub.fullname" $ ) $.Values.isolateComponents }}' port: number: 4444 diff --git a/tests/charts/refValues/simplex-minikube.yaml b/tests/charts/refValues/simplex-minikube.yaml index 5239714c7a..08376c866a 100644 --- a/tests/charts/refValues/simplex-minikube.yaml 
+++ b/tests/charts/refValues/simplex-minikube.yaml @@ -23,12 +23,16 @@ ingress: nginx.ingress.kubernetes.io/app-root: &gridAppRoot "/selenium" ingressClassName: nginx hostname: "" +# tls: +# - secretName: '{{ include "seleniumGrid.tls.fullname" . }}' +# hosts: +# - *.domain.com paths: - path: /selenium(/|$)(.*) pathType: ImplementationSpecific backend: service: - name: '{{ template "seleniumGrid.router.fullname" $ }}' + name: '{{ ternary (include "seleniumGrid.router.fullname" $ ) (include "seleniumGrid.hub.fullname" $ ) $.Values.isolateComponents }}' port: number: 4444 @@ -82,6 +86,9 @@ videoRecorder: ingress-nginx: enabled: true controller: + # Set controller default certificate use the same with Selenium Grid + extraArgs: + default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret' hostNetwork: true kind: DaemonSet service: diff --git a/tests/charts/templates/render/dummy.yaml b/tests/charts/templates/render/dummy.yaml index 42864d78fc..b5b2ef9715 100644 --- a/tests/charts/templates/render/dummy.yaml +++ b/tests/charts/templates/render/dummy.yaml @@ -18,6 +18,10 @@ basicAuth: username: sysadmin password: strongPassword +tls: + enabled: true + generateTLS: false + ingress: nginx: proxyTimeout: 360 # Set different proxy timout @@ -39,14 +43,14 @@ ingress: pathType: ImplementationSpecific backend: service: - name: '{{ template "seleniumGrid.router.fullname" $ }}' + name: '{{ ternary (include "seleniumGrid.router.fullname" $ ) (include "seleniumGrid.hub.fullname" $ ) $.Values.isolateComponents }}' port: number: 4444 - path: /(/?)(session/.*/se/vnc) pathType: ImplementationSpecific backend: service: - name: '{{ template "seleniumGrid.router.fullname" $ }}' + name: '{{ ternary (include "seleniumGrid.router.fullname" $ ) (include "seleniumGrid.hub.fullname" $ ) $.Values.isolateComponents }}' port: number: 4444 diff --git a/tests/charts/templates/test.py b/tests/charts/templates/test.py index 8587b42d7c..695a846ed7 100644 --- a/tests/charts/templates/test.py 
+++ b/tests/charts/templates/test.py @@ -51,7 +51,7 @@ def test_sub_path_append_to_node_grid_url(self): for doc in LIST_OF_DOCUMENTS: if doc['metadata']['name'] in resources_name and doc['kind'] == 'ConfigMap': logger.info(f"Assert subPath is appended to node grid url") - self.assertTrue(doc['data']['SE_NODE_GRID_URL'] == 'http://sysadmin:strongPassword@10.10.10.10:8081/selenium') + self.assertTrue(doc['data']['SE_NODE_GRID_URL'] == 'https://sysadmin:strongPassword@10.10.10.10:8443/selenium') count += 1 self.assertEqual(count, len(resources_name), "No node config resources found") From 5c2c0a612142e9f7a51c7d4b2e6a7ebcb0ee9e70 Mon Sep 17 00:00:00 2001 From: Viet Nguyen Duc Date: Thu, 4 Jan 2024 00:16:33 +0530 Subject: [PATCH 2/2] feat(chart): Simplify to enable node registration secret 
Signed-off-by: Viet Nguyen Duc --- .../start-selenium-grid-distributor.sh | 5 + Hub/start-selenium-grid-hub.sh | 5 + NodeBase/start-selenium-node.sh | 5 + Router/start-selenium-grid-router.sh | 5 + charts/selenium-grid/README.md | 92 ++++++++++++++++++ charts/selenium-grid/certs/cert.sh | 23 +++-- charts/selenium-grid/certs/selenium.jks | Bin 0 -> 2864 bytes .../selenium-grid/certs/selenium.jks.base64 | 1 - charts/selenium-grid/certs/selenium.pem | 42 ++++---- .../selenium-grid/certs/selenium.pem.base64 | 1 - .../selenium-grid/certs/selenium.pkcs8.base64 | 2 +- charts/selenium-grid/templates/_helpers.tpl | 29 ++++++ .../templates/distributor-deployment.yaml | 2 + .../templates/event-bus-deployment.yaml | 2 + .../templates/hub-deployment.yaml | 8 +- charts/selenium-grid/templates/ingress.yaml | 5 +- .../templates/router-deployment.yaml | 8 +- charts/selenium-grid/templates/secrets.yaml | 33 +++++++ .../templates/server-configmap.yaml | 1 - .../templates/session-map-deployment.yaml | 2 + .../templates/session-queuer-deployment.yaml | 2 + .../templates/tls-cert-secret.yaml | 24 ++--- charts/selenium-grid/values.yaml | 39 +++++--- tests/charts/ci/tls-values.yaml | 3 + tests/charts/refValues/simplex-minikube.yaml | 12 ++- tests/charts/templates/test.py | 5 +- 26 files changed, 276 insertions(+), 80 deletions(-) create mode 100644 charts/selenium-grid/certs/selenium.jks delete mode 100644 charts/selenium-grid/certs/selenium.jks.base64 delete mode 100644 charts/selenium-grid/certs/selenium.pem.base64 create mode 100644 charts/selenium-grid/templates/secrets.yaml diff --git a/Distributor/start-selenium-grid-distributor.sh b/Distributor/start-selenium-grid-distributor.sh index 63e7e6c8c7..c9af77f711 100755 --- a/Distributor/start-selenium-grid-distributor.sh +++ b/Distributor/start-selenium-grid-distributor.sh 
@@ -83,6 +83,11 @@ if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" fi +if [ ! -z "$SE_REGISTRATION_SECRET" ]; then + echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}" + SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/Hub/start-selenium-grid-hub.sh b/Hub/start-selenium-grid-hub.sh index e0314aa122..682b28e503 100755 --- a/Hub/start-selenium-grid-hub.sh +++ b/Hub/start-selenium-grid-hub.sh @@ -51,6 +51,11 @@ if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" fi +if [ ! -z "$SE_REGISTRATION_SECRET" ]; then + echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}" + SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/NodeBase/start-selenium-node.sh b/NodeBase/start-selenium-node.sh index 6f4888653e..65402cbecb 100755 --- a/NodeBase/start-selenium-node.sh +++ b/NodeBase/start-selenium-node.sh @@ -65,6 +65,11 @@ if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" fi +if [ ! -z "$SE_REGISTRATION_SECRET" ]; then + echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}" + SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}" +fi + if [ "$GENERATE_CONFIG" = true ]; then echo "Generating Selenium Config" /opt/bin/generate_config diff --git a/Router/start-selenium-grid-router.sh b/Router/start-selenium-grid-router.sh index 0391769326..6a7c0bc782 100755 --- a/Router/start-selenium-grid-router.sh +++ b/Router/start-selenium-grid-router.sh 
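Review bot: The added `echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}"` prints the registration secret in clear text to the container log, where anyone with log access can read it. Log only that the option was set, e.g. `echo "Appending Selenium options: --registration-secret ******"`. The same line is added in Hub/start-selenium-grid-hub.sh, NodeBase/start-selenium-node.sh and Router/start-selenium-grid-router.sh and needs the same change there. The value is also appended unquoted to `SE_OPTS`, so a secret containing whitespace would presumably split into several arguments; how `SE_OPTS` is consumed is outside the hunk.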
@@ -83,6 +83,11 @@ if [ ! -z "$SE_JAVA_SSL_TRUST_STORE" ]; then SE_JAVA_OPTS="$SE_JAVA_OPTS -Djdk.internal.httpclient.disableHostnameVerification=${SE_JAVA_DISABLE_HOSTNAME_VERIFICATION:-true}" fi +if [ ! -z "$SE_REGISTRATION_SECRET" ]; then + echo "Appending Selenium options: --registration-secret ${SE_REGISTRATION_SECRET}" + SE_OPTS="$SE_OPTS --registration-secret ${SE_REGISTRATION_SECRET}" +fi + EXTRA_LIBS="" if [ ! -z "$SE_ENABLE_TRACING" ]; then diff --git a/charts/selenium-grid/README.md b/charts/selenium-grid/README.md index 3568d4cd5e..5368ca2ea8 100644 --- a/charts/selenium-grid/README.md +++ b/charts/selenium-grid/README.md @@ -21,6 +21,9 @@ This chart enables the creation of a Selenium Grid Server in Kubernetes. * [Configuration of Nodes](#configuration-of-nodes) * [Container ports and Service ports](#container-ports-and-service-ports) * [Probes](#probes) + * [Configuration of Secure Communication (HTTPS)](#configuration-of-secure-communication-https) + * [Secure Communication](#secure-communication) + * [Node Registration](#node-registration) * [Configuration of Selenium Grid chart](#configuration-of-selenium-grid-chart) * [Configuration of KEDA](#configuration-of-keda) * [Configuration of Ingress NGINX Controller](#configuration-of-ingress-nginx-controller) @@ -228,6 +231,23 @@ nginx.ingress.kubernetes.io/client-body-buffer-size nginx.ingress.kubernetes.io/proxy-buffers-number ``` +You can generate a dummy self-signed certificate specify for your `hostname`, assign it to spec `ingress.tls` and NGINX ingress controller default certificate (if it is enabled inline). For example: + +```yaml +tls: + ingress: + generateTLS: true + +ingress: + hostname: "your.domain.com" + +ingress-nginx: + enabled: true + controller: + extraArgs: + default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret' +``` + ## Configuration ### Configuration global 
@@ -342,6 +362,78 @@ edgeNode: periodSeconds: 5 ``` +### Configuration of Secure Communication (HTTPS) + +Selenium Grid supports secure communication between components. Refer to the [instructions](https://github.com/SeleniumHQ/selenium/blob/trunk/java/src/org/openqa/selenium/grid/commands/security.txt) and [options](https://www.selenium.dev/documentation/grid/configuration/cli_options/#server) are able to configure the secure communication. Below is the details on how to enable secure communication in Selenium Grid chart. + +#### Secure Communication + +In the chart, there is directory [certs](./certs) contains the default certificate, private key (as PKCS8 format), and Java Keystore (JKS) to teach Java about secure connection (since we are using a non-standard CA) for your trial, local testing purpose. You can generate your own self-signed certificate put them in that default directory by using script [cert.sh](./certs/cert.sh) with adjust needed information. The certificate, private key, truststore are mounted to the components via `Secret`. + +There are multiple ways to configure your certificate, private key, truststore to the components. You can choose one of them or combine them together. + +- Use the default directory [certs](./certs). Rename your own files to be same as the default files and replace them. Give `--set tls.enabled=true` to enable secure communication. + +- Use the default directory [certs](./certs). Copy your own files to there and adjust the file name under config `tls.defaultFile`, those will be picked up when installing chart. For example: + + ```yaml + tls: + enabled: true + trustStorePassword: "your_truststore_password" + defaultFile: + certificate: "certs/your_cert.pem" + privateKey: "certs/your_private_key.pkcs8" + trustStore: "certs/your_truststore.jks" + ``` + For some security reasons, you may not able to put private key in your source code or your customization chart package. 
You can provide files with contents are encoded in Base64 format, just append `.base64` to the file name for chart able to know and decode them. For example: + + ```yaml + tls: + enabled: true + trustStorePassword: "your_truststore_password" + defaultFile: + certificate: "certs/your_cert.pem.base64" + privateKey: "certs/your_private_key.pkcs8.base64" + trustStore: "certs/your_truststore.jks.base64" + ``` + +- Using Helm CLI `--set-file` to pass your own file to particular config key. For example: + + ```bash + helm upgrade -i test selenium-grid \ + --set tls.enabled=true \ + --set-file tls.certificate=/path/to/your_cert.pem \ + --set-file tls.privateKey=/path/to/your_private_key.pkcs8 \ + --set-file tls.trustStore=/path/to/your_truststore.jks \ + --set-string tls.trustStorePassword=your_truststore_password + ``` + +If you start NGINX ingress controller inline with Selenium Grid chart, you can configure the default certificate of NGINX ingress controller to use the same certificate as Selenium Grid. For example: + +```yaml +tls: + enabled: true + +ingress-nginx: + enabled: true + controller: + extraArgs: + default-ssl-certificate: '$(POD_NAMESPACE)/selenium-tls-secret' +``` + +#### Node Registration + +In order to enable secure in the node registration to make sure that the node is one you control and not a rouge node, you can enable and provide a registration secret string to Distributor, Router and +Node servers in config `tls.registrationSecret`. For example: + +```yaml +tls: + enabled: true + registrationSecret: + enabled: true + value: "matchThisSecret" +``` + ### Configuration of Selenium Grid chart This table contains the configuration parameters of the chart and their default values: diff --git a/charts/selenium-grid/certs/cert.sh b/charts/selenium-grid/certs/cert.sh index 1544f95794..d170d262a2 100755 --- a/charts/selenium-grid/certs/cert.sh +++ b/charts/selenium-grid/certs/cert.sh 
@@ -4,6 +4,7 @@ CERTNAME=${1:-selenium} STOREPASS=${2:-changeit} KEYPASS=${3:-changeit} ALIAS=${4:-SeleniumHQ} +BASE64_ONLY=1 # Remove existing files rm -f ${CERTNAME}.* @@ -23,7 +24,7 @@ keytool -genkeypair \ -keystore ${CERTNAME}.jks # Base64 encode JKS file (for Kubernetes Secret) -base64 -i ${CERTNAME}.jks -w 0 > ${CERTNAME}.jks.base64 +#base64 -i ${CERTNAME}.jks -w 0 > ${CERTNAME}.jks.base64 # Create PKCS12 from JKS keytool -importkeystore -srckeystore ${CERTNAME}.jks \ @@ -47,12 +48,14 @@ keytool -exportcert -alias ${ALIAS} \ -storepass ${STOREPASS} -keypass ${KEYPASS} \ -keystore ${CERTNAME}.jks -rfc -file ${CERTNAME}.pem -# Bsae64 encode Certificate PEM file (for Kubernetes Secret) -base64 -i ${CERTNAME}.pem -w 0 > ${CERTNAME}.pem.base64 - -# Remove source files (prevent sensitive data leak) -rm -f ${CERTNAME}.key -rm -f ${CERTNAME}.p12 -rm -f ${CERTNAME}.jks -rm -f ${CERTNAME}.pkcs8 -# Retain ${CERTNAME}.pem for client establishing HTTPS connection +# Base64 encode Certificate PEM file (for Kubernetes Secret) +#base64 -i ${CERTNAME}.pem -w 0 > ${CERTNAME}.pem.base64 + +if [ ${BASE64_ONLY} -eq 1 ]; then + # Remove source files (prevent sensitive data leak) + rm -f ${CERTNAME}.key + rm -f ${CERTNAME}.p12 + rm -f ${CERTNAME}.pkcs8 + # Retain ${CERTNAME}.jks for Java client establishing HTTPS connection + # Retain ${CERTNAME}.pem for client establishing HTTPS connection +fi 
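Review bot: In the last hunk the script now keeps `${CERTNAME}.jks` "for Java client establishing HTTPS connection", but that file is the keystore that `keytool -genkeypair` writes to, so it holds the private key entry as well as the certificate, protected only by the `changeit` defaults. A trust store handed to clients should contain the certificate alone; consider building a separate one with `keytool -importcert -alias ${ALIAS} -file ${CERTNAME}.pem -keystore ${CERTNAME}.truststore.jks -storepass ${STOREPASS} -noprompt` and removing the original keystore together with the other source files. `BASE64_ONLY` is also fixed at `1` in the first hunk, so the new `if` can never be false; `BASE64_ONLY=${5:-1}` with a quoted test `[ "${BASE64_ONLY}" -eq 1 ]` would make it a real option. The script lines between the hunks are not visible here.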
diff --git a/charts/selenium-grid/certs/selenium.jks b/charts/selenium-grid/certs/selenium.jks new file mode 100644 index 0000000000000000000000000000000000000000..f3ea9229b476e696767939b702d42d943f2457d6 GIT binary patch literal 2864 zcma);X*d*&7RP7Cj4{Sq)|Rnl8Czq^kfpM3A+jV(mSKdH%*YZZrWYX*$~M*^6tWYO zHEZ^*>@;>VwuIj9bMMpp+)wv@_&?`4|8xH5eN zP#ny*73|ABzKRzqk?dwKrdXEPe zA-rSo_E!7mliJh8a1oYHqoN?S^Z6aZw}Y5O8@V&*jRMF;kMx6iE~Sxf4^KJ-oJR0; zO?vNFg)y>?+;{!Vi^_ev)!s2-Iggb1tY45#?RZ_Eq&~hDTd;zN`JwPepj+tl*m5MY zN4giz%Sz16DqRcGCL<2a@SAo#=K?R24vB&q^i%M*`eH9Yk&-X7)9pL#94CW6X{MD` z0TfjVXZk$pP+u%f;sy8UUW?Nv*# zDe637+Ww=*f(9CV_?B&8l4M`qcG!g#_?mm5ho@zuE`wBc#M*)wx)hq5dzBOPep(NN zPocl*jRGOjf%)U^Z(>Z$eI{pDqL}&S;bOR1p^mud>o%{oca(_0jmsIsKuxpRQBrF}Uz+(TJOE)u(7Dy*R_Yn@lFvj}0In0k7BXmb@k|BrSbb@H5SfAz+F* z*44=Gv=-2H*TNK*$j4PF<*w`=Gb6LS{@oO7$CsVVm%xb|Z2<|VZDasn@j1n_eqEA?lZBP&mE_2Sesu; zm6qQ(=O|foAEef=M~T++*YAjgs+@5`vPTCt@BEx{l(NKpy1TuNvuxS0E@lzj5V@i% zc<-;Vb!AM0y4+eFDRq{UW2@;?v2x?5oQ0XsQo2r|efwk3Tc!2Fl7naZsz|Z5UUEKT zQR;KA4d-R9wRuO)y@L2J>?Sr|5vdTt%(&^)jlHM%#@v=D0f{_X;K{x@7}%_--bztt zoooG0$ikk~NIb<-$gTU@qx@s~TnYWfXwkCIxb5AnexnO+5tpJCDV7Cp@`r>j60323 zNV-G!3k%y6=3rKv(LF_lWOcQ@pp2wKais_siMdf-Q1V7VRt<#8p}QB{LiWMGaI&!Km><$OzzoG;S9E%C&-cjT7Q z5!DBO*>NT zqll81lUGtwl2uf^^qa)MKTA-05&^u8B7iqQK)~-p{bvIFU%39frjDy+yT=XfxKqy9 zciMb?$4>D7!8LxcacIiD)Gk^+Q;hkmOHBv??7i|OP096xo-?OtRgBY3 zJtThj*Jj2-$D~d`1NQC_k&M|vgELWbI%Uq#17oT*uF>i4{V%w(8ZZU(1{V9YB|}}n zGwJ@;)>d@lu{)RFeWiSG#iY6RVJ`AwsWZC?$LbtC3&IH$kMoVN%$H)z2(V~DN&0Zq zm+d^hzKsb(v+?CQ%ZSJl3F7^h&(H%%mbqtoMrWhYQnpn$LmF zV&8?^)3s?~M_Da69UoTysKWT`PaW$TZ4ffQFprF%UNOLEN7ErKmVvC^sxnrzZkroG zZ>zx}tJdY^!_|f|9|=A8N_xM}p5US889UHcEdm@Foc%5ML;3Lw7Tn^8NU()eleKNv#%Un+VQXeJ{y(Q7R%v% z-KEeufpe3)Xn6*;J5MH4#z$Gx{AUrgR*~hQr+t~hhJCaUEMFvau;BYM90lZEa;{U_ zR;ss(ucrED8DY(ftMD8OYqrJDCbGUQ%XGyww{}0E zVR{mhMrC2`35zibWXsRP*vLd~?9Nj~u4}XuS8!GxgEY>6x|tz0SD%Stu2900{j9Q` zkd@Bmb#z^sFIX%LGsB}rc0n1TWKhh1zDN)d0s!;xZ){YX3lQ4-9?6npPpQy8r}%l9wj{SCOeGj{+0 literal 0 HcmV?d00001 
diff --git a/charts/selenium-grid/certs/selenium.jks.base64 b/charts/selenium-grid/certs/selenium.jks.base64 deleted file mode 100644 index fbf94d7d8a..0000000000 --- a/charts/selenium-grid/certs/selenium.jks.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/charts/selenium-grid/certs/selenium.pem b/charts/selenium-grid/certs/selenium.pem index 138c1c7723..b870d2900b 100644 --- a/charts/selenium-grid/certs/selenium.pem +++ b/charts/selenium-grid/certs/selenium.pem 
@@ -1,23 +1,23 @@ -----BEGIN CERTIFICATE----- -MIID3TCCAsWgAwIBAgIEBJE7TDANBgkqhkiG9w0BAQsFADCBhzEQMA4GA1UEBhMH -VW5rbm93bjEQMA4GA1UECBMHVW5rbm93bjEQMA4GA1UEBxMHVW5rbm93bjETMBEG -A1UEChMKU2VsZW5pdW1IUTElMCMGA1UECxMcU29mdHdhcmUgRnJlZWRvbSBDb25z -ZXJ2YW5jeTETMBEGA1UEAxMKU2VsZW5pdW1IUTAeFw0yNDAxMDIwMDUyMjdaFw0z -MzEyMzAwMDUyMjdaMIGHMRAwDgYDVQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtu -b3duMRAwDgYDVQQHEwdVbmtub3duMRMwEQYDVQQKEwpTZWxlbml1bUhRMSUwIwYD -VQQLExxTb2Z0d2FyZSBGcmVlZG9tIENvbnNlcnZhbmN5MRMwEQYDVQQDEwpTZWxl -bml1bUhRMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnX4ITZb0DyET -xqilk1I/WhC5qrUjo6n23uM9/jkqH8BfvLCw47kWy0IzIbCjJPs3d/epP87aArvN -O7CFkbXoP8TYjAFPVE5Zhd65qmfbPHVhY0b1HdyOxkpHtahJetIFdkeY1ZzjV8zD -0RhqM3px9OsabqH1yx6Nte1C4C/fTzNwYQWZNLkYK+t1wGh2aeyQi166mDRyVauk -xZHoXKhgFK36EoWepBCpl/SWJ7BSP6Zw35vT2AzRCD2KdtOj+6syqAJBUGCisjDk -CipaSJQeFb4xcFkJB+zS2jQQMPPRq7vaW8Y4GppNbQ7MJ9WoCJdlnBCyTfGi9BMM -oP+XaqLeGwIDAQABo08wTTAdBgNVHQ4EFgQUcCyjX3qxVW3HUSjWcbDtZEyKoZsw -LAYDVR0RAQH/BCIwIIIJbG9jYWxob3N0ghNzZWxlbml1bS1ncmlkLmxvY2FsMA0G -CSqGSIb3DQEBCwUAA4IBAQCY30LusrLFc0xzBBijtx/sQZJTPrHZcj301Z8Hl4ik -VjDiwD+Jso1Aw7tZbq+kK52MHrT0bDGZeauJDpGTVRsEktxd/FwOiL8dlbpycb77 -YUGad3pEQsLtKZbA+HCj8whjtaiQdbakrSDvE7/ZGCXdzzIH/dNmoAB5jFf8m7ZB -rH1QU5mkEXXgYIrgRzC56TB5gVKu9KcW2NOwZXqUEx7nvocyekHLgzcmsX6LmbZn -S0liXPlc7yOOhFGA3EOGZCJ47/KEvQyt31lEcWiiqC25nw+1F6JDvkGdIts6I5JX -vuOjs9JGcW55dK6fxgNk7n+N8G8qaLgyHOYR3ceXB4os +MIID4jCCAsqgAwIBAgIJAJcK6V/XPo7CMA0GCSqGSIb3DQEBCwUAMIGHMRAwDgYD +VQQGEwdVbmtub3duMRAwDgYDVQQIEwdVbmtub3duMRAwDgYDVQQHEwdVbmtub3du +MRMwEQYDVQQKEwpTZWxlbml1bUhRMSUwIwYDVQQLExxTb2Z0d2FyZSBGcmVlZG9t +IENvbnNlcnZhbmN5MRMwEQYDVQQDEwpTZWxlbml1bUhRMB4XDTI0MDEwNDA2MzMx +MloXDTM0MDEwMTA2MzMxMlowgYcxEDAOBgNVBAYTB1Vua25vd24xEDAOBgNVBAgT +B1Vua25vd24xEDAOBgNVBAcTB1Vua25vd24xEzARBgNVBAoTClNlbGVuaXVtSFEx +JTAjBgNVBAsTHFNvZnR3YXJlIEZyZWVkb20gQ29uc2VydmFuY3kxEzARBgNVBAMT +ClNlbGVuaXVtSFEwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCekj09 
+xvrD4+nkKmZf10h3TntIFqKI75x35Z2GxwHE2Kqt3eNwbqUrni2zRbYIalddnawW +bOqc2pgEnLtM7VRoCgxlYzARaevfI2uY+EBI4QjgzSTZstuWksPqSmHrLOo4q75w +OSYFUtfaa+6l7ijnVQLKWo4wCnGssk9UBJWvNU9ZMdTzEqLvIMr2Hi0LmKXs9k/F +bIM+XIAAynf8aG4awq0s/eZTirmEqbhmi2udwMNMV60IaC8ZNo53k4VJ+lQWOOwB +/Q1CHRWotjvD4WFt2XI9cCAjbDMpkZONaaCIA70XjTG+5DiGDOUAlap6LFlBrUh4 +3YHQHvXEIKZe2tVDAgMBAAGjTzBNMB0GA1UdDgQWBBRpoVLPxMaU/3QI5x3KUl0x +wL4bVjAsBgNVHREBAf8EIjAggglsb2NhbGhvc3SCE3NlbGVuaXVtLWdyaWQubG9j +YWwwDQYJKoZIhvcNAQELBQADggEBAByNMqeuoiSG1BxnoUGKYiPEurKl8wdsJH8+ +doL5loA7PUnUFY8Vpd4IRHf/RMgTCkSGyLDI/y9lLNLkwkyzt+Wlnfh6sPVXT6DL +cHMrPYavBXZFNStvawS4BztSpcOPOGq6Y2W0gkcVUun8dpS2Dx/w5CW56HzmbPVu +iL9ZW3D6rSm/Qz4cay3rN9MA7WPzTLA3g1YizQLhkvk9JIwNphO16X28qEMIoD2Q +vCGFDdS3xtxmRBj3x/4nGU19WTqECG7eOS4+1Xp5faYietKZVkfhl5rue53wv6lu +v+QNozSyg5nW3YcydA3SeRuf2/kwkvyP61zey4HMHThR+vPKz9U= -----END CERTIFICATE----- diff --git a/charts/selenium-grid/certs/selenium.pem.base64 b/charts/selenium-grid/certs/selenium.pem.base64 deleted file mode 100644 index 854537f2ca..0000000000 --- a/charts/selenium-grid/certs/selenium.pem.base64 +++ /dev/null @@ -1 +0,0 @@ -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 \ No newline at end of file diff --git a/charts/selenium-grid/certs/selenium.pkcs8.base64 b/charts/selenium-grid/certs/selenium.pkcs8.base64 index 227134266a..f661b989dd 100644 --- a/charts/selenium-grid/certs/selenium.pkcs8.base64 +++ b/charts/selenium-grid/certs/selenium.pkcs8.base64 
@@ -1 +1 @@ -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 \ No newline at end of file +LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQ2VrajA5eHZyRDQrbmsKS21aZjEwaDNUbnRJRnFLSTc1eDM1WjJHeHdIRTJLcXQzZU53YnFVcm5pMnpSYllJYWxkZG5hd1diT3FjMnBnRQpuTHRNN1ZSb0NneGxZekFSYWV2ZkkydVkrRUJJNFFqZ3pTVFpzdHVXa3NQcVNtSHJMT280cTc1d09TWUZVdGZhCmErNmw3aWpuVlFMS1dvNHdDbkdzc2s5VUJKV3ZOVTlaTWRUekVxTHZJTXIySGkwTG1LWHM5ay9GYklNK1hJQUEKeW5mOGFHNGF3cTBzL2VaVGlybUVxYmhtaTJ1ZHdNTk1WNjBJYUM4Wk5vNTNrNFZKK2xRV09Pd0IvUTFDSFJXbwp0anZENFdGdDJYSTljQ0FqYkRNcGtaT05hYUNJQTcwWGpURys1RGlHRE9VQWxhcDZMRmxCclVoNDNZSFFIdlhFCklLWmUydFZEQWdNQkFBRUNnZ0VBSmpSNXlONmVJSUJUSkFRTE1tQStOM0NUUjJVY3QvMXpKM2dOSWlIa2pUYmUKdUpGVGNRMVhnbERVRmZOZnpsdEF2Vzkxdk5sMUZXR2RhczhRV1pKODJheENIRk52aTJLSHovVkt3VXBld3JCbApZVFJNQXArVFJJNEw0ZkVWOG9HWjFSbWNBcEhpVlRvR2c3dXBmaFVKaWVMemp5bU9SSWpmcG9vM2pyaWtEOWhZCnMzTTJXaHNHdDBwZ1FwZVEreHNTeXRxNjFhT21xdnpLZUE5OUVxZE9keUJ2QkxSMDZyN0FDdlpmeTJvUVpHYXAKUEJ3ZHZIWmNQdXZlUGxVNUpDQWhEcWhlbFIyTHd2dzVhN3FLbjBvTkRFTG5zVnFWblJ3Q0ErUUhjYVBTbG40Nwp0SzI2YUxVdUZLSFg0QW5idDZaNWNMTWdNUzR2bGV3R0h0OG9JUXVCa1FLQmdRQzE1N2NWRkhPc3poUkh6LzBBCkhIVGNqcXB4ditzSUFNVnNCWUlJTVozKzI3MjlVeGFoMllPN1crZjEzVTJlakVsMk1qaW5jTnF1QWVpSmEveWYKTklqcFJtbFJVaWRScUpUUHNQdVJJcEZOWmNCNjh0MnpudFNMa0NkUDJDVTBZaFRpdklVY1RYOEJDRWZ6VDdwSwpjTyt3cTArc0FpRFhoS3pRSUJGaW9sNVZsd0tCZ1FEZktWM0w4V2ZLemFvODFhYndJQkd4M0dnK3BNNElnaTNWCldwMW40TVRuY05mRUJwZ251bVhDa00zSEMvT0VaUnRoYTU0QXdFOWwxUy9vN2RUWEZNNXRWQVQwNXpjNDZuL04KdkFCNUhuYnplS1hDTk5lakI4S1JZNjlvR0U2Ulptb0kxczhvd3ZQUHpCeGE4anN5V3p6M0VoZXY2Z2xHUXBGTwpyVmhWN0h0ck5RS0JnRmpjZEJ5UkhCMExvdTZkMVJzTHk2Nis1dGFnaVdFa2Qwell0L2ZtdlNiMkU0OThHbTlBClFkRHlDYk9hdzBNemh1TjlqeDJFek43NlFhMTRHalZ2eFg0bmptVlNlN0N4YU5pNHZYdmQ1aHRvSElvelFFaHgKeTZUTjY5WmVZWFpnZjVGdnhKclo1TFFOWnBDZW53T2tmZ0xRL1IrcS9uNHA2djNVM0lsUmhrSExBb0dCQU11SgpzVEVYNXpERDBHZFgvc0M0bnlyMyttUlljRXEyWVJOZGFIK2NORHRiWXBBNTY0RWdzenQ0VXhjZXdXYVp5UlZiCjBHcWkvRWZHMzhHMVdoRXB1dlZnVW4wRWZndDlaai9CSHpW
Wklla0N1enljY2FrU3BOVnlkRU9mRjlucDdRQk8KMi9jemlLaVlZNnhYanNKcEVQdlFGcWF0OFBPU04zSHBETTZodUJlWkFvR0FSZE9IRzlVWXA3M25DQ3d4VHJjKwpnNk91eXI5aXFacVBsalFDK1V4MmtySC9HMTkrSE96RHJLWWFSRElqQk4wTHRyeXJpcVZFQWJWZjZQNHNnNVpCCitjVS9pbDZLb1k2ditQa2tydnZJRVUyVUZHRnpmcnNVZklFQURrdHR5OEdIcTFja0tobjAxWGlNNDJnaGZaSEsKK0lYRExZYzRCMDZ5dFY1bmFZYU9US1k9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K \ No newline at end of file diff --git a/charts/selenium-grid/templates/_helpers.tpl b/charts/selenium-grid/templates/_helpers.tpl index 8afc9bf4fe..e033bdac4a 100644 --- a/charts/selenium-grid/templates/_helpers.tpl +++ b/charts/selenium-grid/templates/_helpers.tpl @@ -173,6 +173,33 @@ Secret TLS fullname {{- default "selenium-tls-secret" .Values.tls.nameOverride | trunc 63 | trimSuffix "-" -}} {{- end -}} +{{/* +Is registration secret enabled +*/}} +{{- define "seleniumGrid.tls.registrationSecret.enabled" -}} +{{- and .Values.tls.enabled .Values.tls.registrationSecret.enabled | ternary "true" "" -}} +{{- end -}} + +{{/* +Get default certificate file name in chart +*/}} +{{- define "seleniumGrid.tls.getDefaultFile" -}} +{{- $value := index . 0 -}} +{{- $global := index . 1 -}} +{{- $content := $global.Files.Get $value -}} +{{- if (contains "base64" (lower $value)) -}} + {{- $content = $content | b64dec -}} +{{- end -}} +{{- $content -}} +{{- end -}} + +{{/* +Common secrets cross components +*/}} +{{- define "seleniumGrid.common.secrets" -}} +{{- default "selenium-secrets" .Values.secrets.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + {{- define "seleniumGrid.ingress.nginx.annotations.default" -}} {{- with .Values.ingress.nginx }} {{- with .proxyTimeout }} @@ -311,6 +338,8 @@ template: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} {{- with .node.extraEnvFrom }} {{- tpl (toYaml .) $ | nindent 10 }} {{- end }} 
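Review bot: `seleniumGrid.tls.getDefaultFile` decides whether to decode with `contains "base64" (lower $value)`, which matches the word anywhere in the path, so a plain PEM kept under a directory or file name that merely contains "base64" would be run through `b64dec`. The README text added in this commit describes the convention as a `.base64` suffix, so `hasSuffix ".base64" (lower $value)` matches the documented behaviour. Separately, `seleniumGrid.common.secrets` reads `.Values.secrets.nameOverride`, while the values.yaml hunk in this commit defines `secrets.name`; as written, changing `secrets.name` has no effect on the Secret name or on the `secretRef` entries that use this helper.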
diff --git a/charts/selenium-grid/templates/distributor-deployment.yaml b/charts/selenium-grid/templates/distributor-deployment.yaml index 117b9e4be7..52578d6c79 100644 --- a/charts/selenium-grid/templates/distributor-deployment.yaml +++ b/charts/selenium-grid/templates/distributor-deployment.yaml @@ -51,6 +51,8 @@ spec: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/selenium-grid/templates/event-bus-deployment.yaml b/charts/selenium-grid/templates/event-bus-deployment.yaml index 203a3127ae..ef29a6908c 100644 --- a/charts/selenium-grid/templates/event-bus-deployment.yaml +++ b/charts/selenium-grid/templates/event-bus-deployment.yaml @@ -47,6 +47,8 @@ spec: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/selenium-grid/templates/hub-deployment.yaml b/charts/selenium-grid/templates/hub-deployment.yaml index b2d2f4e25d..e952215a41 100644 --- a/charts/selenium-grid/templates/hub-deployment.yaml +++ b/charts/selenium-grid/templates/hub-deployment.yaml @@ -95,12 +95,6 @@ spec: - name: SE_SUB_PATH value: {{ . | quote }} {{- end }} - {{- if eq .Values.basicAuth.enabled true}} - - name: ROUTER_USERNAME - value: {{ .Values.basicAuth.username }} - - name: ROUTER_PASSWORD - value: {{ .Values.basicAuth.password }} - {{- end }} {{- with .Values.hub.extraEnvironmentVariables }} {{- tpl (toYaml .) $ | nindent 12 }} {{- end }} 
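Review bot: The `secretRef` added to `envFrom` is unconditional and not marked `optional: true`, but the Secret it names is rendered only when `secrets.create` is true (secrets.yaml in this commit). With `secrets.create: false` and no existing Secret of that name the container cannot start, and `ROUTER_USERNAME`/`ROUTER_PASSWORD`, which this commit removes from the hub and router `env` lists, are then set nowhere. Either guard the entry with `{{- if .Values.secrets.create }}`, add `optional: true`, or document that users who disable creation must supply a Secret carrying those keys. The same applies to the event-bus, hub, router, session-map and session-queuer hunks and to the node template in `_helpers.tpl`.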
@@ -109,6 +103,8 @@ spec: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} {{- with .Values.hub.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/selenium-grid/templates/ingress.yaml b/charts/selenium-grid/templates/ingress.yaml index 907c510e4c..2f8195b6ea 100644 --- a/charts/selenium-grid/templates/ingress.yaml +++ b/charts/selenium-grid/templates/ingress.yaml @@ -32,12 +32,13 @@ spec: {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} ingressClassName: {{ .Values.ingress.className }} {{- end }} + {{- if and (or .Values.tls.enabled .Values.tls.ingress.generateTLS) .Values.ingress.hostname (not .Values.ingress.tls) }} tls: - {{- if and .Values.tls.enabled (and .Values.ingress.enabled (not .Values.ingress.tls)) }} - hosts: - - {{ default .Values.tls.defaultCN .Values.ingress.hostname | quote }} + - {{ .Values.ingress.hostname | quote }} secretName: {{ include "seleniumGrid.tls.fullname" . | quote }} {{- else if .Values.ingress.tls }} + tls: {{- range .Values.ingress.tls }} - hosts: {{- range .hosts }} diff --git a/charts/selenium-grid/templates/router-deployment.yaml b/charts/selenium-grid/templates/router-deployment.yaml index 532dfe5d29..a57e2682c6 100644 --- a/charts/selenium-grid/templates/router-deployment.yaml +++ b/charts/selenium-grid/templates/router-deployment.yaml @@ -49,12 +49,6 @@ spec: - name: SE_SUB_PATH value: {{ . | quote }} {{- end }} - {{- if eq .Values.basicAuth.enabled true}} - - name: ROUTER_USERNAME - value: {{ .Values.basicAuth.username }} - - name: ROUTER_PASSWORD - value: {{ .Values.basicAuth.password }} - {{- end }} {{- with .Values.components.extraEnvironmentVariables }} {{- tpl (toYaml .) $ | nindent 12 }} {{- end }} 
@@ -63,6 +57,8 @@ spec: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/selenium-grid/templates/secrets.yaml b/charts/selenium-grid/templates/secrets.yaml new file mode 100644 index 0000000000..06881d15a6 --- /dev/null +++ b/charts/selenium-grid/templates/secrets.yaml @@ -0,0 +1,33 @@ +{{- if .Values.secrets.create }} +apiVersion: v1 +kind: Secret +metadata: +{{- with .Values.secrets.annotations }} + annotations: {{- toYaml . | nindent 4 }} +{{- end }} + name: {{ include "seleniumGrid.common.secrets" . }} + labels: + {{- include "seleniumGrid.commonLabels" . | nindent 4 }} + {{- with .Values.customLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +type: Opaque +data: +{{- range $name, $value := .Values.secrets.env }} +{{- if not (empty $value) }} + {{- $_ := set $ "name" $name }} + {{- $_ := set $ "value" $value }} + {{ $name }}: {{ tpl ($value) $ | b64enc }} +{{- end }} +{{- end }} +{{- if eq .Values.basicAuth.enabled true }} + ROUTER_USERNAME: {{ .Values.basicAuth.username | b64enc }} + ROUTER_PASSWORD: {{ .Values.basicAuth.password | b64enc }} +{{- end }} +{{- if .Values.tls.enabled }} + SE_JAVA_SSL_TRUST_STORE_PASSWORD: {{ .Values.tls.trustStorePassword | b64enc }} +{{- end }} +{{- if (include "seleniumGrid.tls.registrationSecret.enabled" $) }} + SE_REGISTRATION_SECRET: {{ .Values.tls.registrationSecret.value | b64enc }} +{{- end }} +{{- end }} diff --git a/charts/selenium-grid/templates/server-configmap.yaml b/charts/selenium-grid/templates/server-configmap.yaml index f0bb39a394..3e4e4b766c 100644 --- a/charts/selenium-grid/templates/server-configmap.yaml +++ b/charts/selenium-grid/templates/server-configmap.yaml 
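Review bot: In the new secrets.yaml each `secrets.env` value goes straight into `tpl`, so an entry written without quotes (a number or boolean) will presumably fail at render time; `tpl ($value | toString) $` avoids that. The two `set $ "name"` / `set $ "value"` lines write into the root context on every iteration and nothing visible in this template reads them back; if they exist so that a value string can refer to `.name`/`.value`, a template comment should say so, otherwise they can be dropped. `basicAuth.username`, `basicAuth.password`, `tls.trustStorePassword` and `tls.registrationSecret.value` are passed to `b64enc` unchecked; wrapping each in `required` would turn an unset value into a clear install-time error rather than what is likely an empty credential.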
@@ -16,6 +16,5 @@ data: SE_HTTPS_CERTIFICATE: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.certificateFile | quote }} SE_HTTPS_PRIVATE_KEY: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.privateKeyFile | quote }} SE_JAVA_SSL_TRUST_STORE: {{ printf "%s/%s" .Values.serverConfigMap.certVolumeMountPath .Values.serverConfigMap.trustStoreFile | quote }} - SE_JAVA_SSL_TRUST_STORE_PASSWORD: {{ .Values.serverConfigMap.trustStorePassword | quote }} SE_JAVA_DISABLE_HOSTNAME_VERIFICATION: {{ .Values.serverConfigMap.disableHostnameVerification | quote }} {{- end }} diff --git a/charts/selenium-grid/templates/session-map-deployment.yaml b/charts/selenium-grid/templates/session-map-deployment.yaml index 2b04917583..27d120540c 100644 --- a/charts/selenium-grid/templates/session-map-deployment.yaml +++ b/charts/selenium-grid/templates/session-map-deployment.yaml @@ -40,6 +40,8 @@ spec: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} - configMapRef: name: {{ .Values.busConfigMap.name }} {{- with .Values.components.extraEnvFrom }} diff --git a/charts/selenium-grid/templates/session-queuer-deployment.yaml b/charts/selenium-grid/templates/session-queuer-deployment.yaml index c6cf9e58dd..546090e43c 100644 --- a/charts/selenium-grid/templates/session-queuer-deployment.yaml +++ b/charts/selenium-grid/templates/session-queuer-deployment.yaml @@ -40,6 +40,8 @@ spec: name: {{ .Values.loggingConfigMap.name }} - configMapRef: name: {{ .Values.serverConfigMap.name }} + - secretRef: + name: {{ include "seleniumGrid.common.secrets" $ | quote }} {{- with .Values.components.extraEnvFrom }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/charts/selenium-grid/templates/tls-cert-secret.yaml b/charts/selenium-grid/templates/tls-cert-secret.yaml index f025b514be..000a1e5a79 100644 
--- a/charts/selenium-grid/templates/tls-cert-secret.yaml +++ b/charts/selenium-grid/templates/tls-cert-secret.yaml @@ -1,4 +1,3 @@ -{{- if .Values.tls.enabled }} apiVersion: v1 kind: Secret metadata: 
@@ -12,18 +11,19 @@ metadata: {{- end }} type: Opaque data: -{{- if .Values.tls.generateTLS }} - {{- $name := default "SeleniumHQ" .Values.tls.defaultName -}} - {{- $days := default 365 (.Values.tls.defaultDays | int) -}} - {{- $cn := ternary .Values.tls.defaultCN .Values.ingress.hostname (empty .Values.ingress.hostname) -}} - {{- $server := genSelfSignedCert $cn ( default nil .Values.tls.defaultIPList ) ( default nil .Values.tls.defaultSANList ) $days }} +{{- if and .Values.ingress.enabled .Values.tls.ingress.generateTLS (not .Values.tls.enabled) }} + {{- $name := default "SeleniumHQ" .Values.tls.ingress.defaultName -}} + {{- $days := default 365 (.Values.tls.ingress.defaultDays | int) -}} + {{- $cn := ternary .Values.tls.ingress.defaultCN .Values.ingress.hostname (empty .Values.ingress.hostname) -}} + {{- $server := genSelfSignedCert $cn ( default nil .Values.tls.ingress.defaultIPList ) ( default nil .Values.tls.ingress.defaultSANList ) $days }} tls.crt: {{ $server.Cert | b64enc }} tls.key: {{ $server.Key | b64enc }} -{{- else }} - tls.crt: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.certificateFile) | b64dec) .Values.tls.certificate | b64enc }} - tls.key: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.privateKeyFile) | b64dec) .Values.tls.privateKey | b64enc }} +{{- else if and .Values.ingress.enabled .Values.tls.enabled }} + tls.crt: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.certificate $)) .Values.tls.certificate | b64enc }} + tls.key: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.privateKey $)) .Values.tls.privateKey | b64enc }} {{- end }} - {{ .Values.serverConfigMap.privateKeyFile }}: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.privateKeyFile) | b64dec) .Values.tls.privateKey | b64enc }} - {{ .Values.serverConfigMap.certificateFile }}: {{ default (.Files.Get (printf "certs/%s.base64" 
.Values.serverConfigMap.certificateFile) | b64dec) .Values.tls.certificate | b64enc }} - {{ .Values.serverConfigMap.trustStoreFile }}: {{ default (.Files.Get (printf "certs/%s.base64" .Values.serverConfigMap.trustStoreFile) | b64dec) .Values.tls.trustStore | b64enc }} +{{- if .Values.tls.enabled }} + {{ .Values.serverConfigMap.privateKeyFile }}: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.privateKey $)) .Values.tls.privateKey | b64enc }} + {{ .Values.serverConfigMap.certificateFile }}: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.certificate $)) .Values.tls.certificate | b64enc }} + {{ .Values.serverConfigMap.trustStoreFile }}: {{ default (include "seleniumGrid.tls.getDefaultFile" (list .Values.tls.defaultFile.trustStore $)) .Values.tls.trustStore | b64enc }} {{- end }} diff --git a/charts/selenium-grid/values.yaml b/charts/selenium-grid/values.yaml index 540f70000a..fa29d28b9f 100644 --- a/charts/selenium-grid/values.yaml +++ b/charts/selenium-grid/values.yaml @@ -19,19 +19,28 @@ global: tls: enabled: false - generateTLS: false - defaultName: "SeleniumHQ" - defaultDays: 3650 - defaultCN: "www.selenium.dev" - # or *.domain.com - defaultSANList: [] - # - domain.com - # - production.domain.com - defaultIPList: [] - # - 10.10.10.10 + ingress: + generateTLS: false + defaultName: "SeleniumHQ" + defaultDays: 3650 + defaultCN: "www.selenium.dev" + # or *.domain.com + defaultSANList: [] + # - domain.com + # - production.domain.com + defaultIPList: [] + # - 10.10.10.10 + defaultFile: + certificate: "certs/selenium.pem" + privateKey: "certs/selenium.pkcs8.base64" + trustStore: "certs/selenium.jks" certificate: privateKey: trustStore: + trustStorePassword: "changeit" + registrationSecret: + enabled: false + value: "HappyTesting" # Basic auth settings for Selenium Grid basicAuth: 
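Review bot: With the outer `{{- if .Values.tls.enabled }}` removed in the first tls-cert-secret.yaml hunk, this manifest is rendered even when `tls.enabled`, `tls.ingress.generateTLS` and `ingress.enabled` are all false, leaving an Opaque Secret with an empty `data:` key. Wrapping the file in `{{- if or .Values.tls.enabled (and .Values.ingress.enabled .Values.tls.ingress.generateTLS) }}` keeps it out of installs that do not use TLS. `$name` is assigned but not passed to `genSelfSignedCert`. `genSelfSignedCert` also produces a new key pair on every render, so each `helm upgrade` replaces the ingress certificate; a template comment stating that would help operators whose clients pin it.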
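Review bot: The defaults added under `tls` make the chart-shipped private key (`certs/selenium.pkcs8.base64`), the trust store password `changeit` and the registration secret `HappyTesting` the effective values for anyone who only sets `tls.enabled=true` and `registrationSecret.enabled=true`. All three are published in the repository, so such a deployment runs with a key and a registration secret that are not secret. Suggest a comment above `defaultFile` such as `# Test-only material published with the chart; supply your own certificate, key and trust store outside local trials`, and leaving `registrationSecret.value` empty with a `required` check in the template when it is enabled.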
@@ -112,13 +121,19 @@ serverConfigMap: certificateFile: selenium.pem privateKeyFile: selenium.pkcs8 trustStoreFile: selenium.jks - # Trust store password - trustStorePassword: changeit # Disable verification the hostname included in the server's TLS/SSL certificates matches the hostnames provided disableHostnameVerification: true # Custom annotations for configmap annotations: {} +# Secrets for all components. Components environment variables contain sensitive data should be stored in secrets. +secrets: + create: true + name: selenium-secrets + env: + SE_VNC_PASSWORD: "secret" + annotations: {} + # Configuration for isolated components (applied only if `isolateComponents: true`) components: diff --git a/tests/charts/ci/tls-values.yaml b/tests/charts/ci/tls-values.yaml index fb42db2ea6..0f7439251a 100644 --- a/tests/charts/ci/tls-values.yaml +++ b/tests/charts/ci/tls-values.yaml @@ -1,6 +1,9 @@ tls: enabled: true generateTLS: false + registrationSecret: + enabled: true + value: "HappyTestOps" ingress-nginx: controller: diff --git a/tests/charts/refValues/simplex-minikube.yaml b/tests/charts/refValues/simplex-minikube.yaml index 08376c866a..a67b0bbf2a 100644 --- a/tests/charts/refValues/simplex-minikube.yaml +++ b/tests/charts/refValues/simplex-minikube.yaml @@ -14,6 +14,11 @@ global: # nodesImageTag: latest # videoImageTag: latest +tls: +# enabled: true + ingress: + generateTLS: true + ingress: enabled: true annotations: @@ -23,10 +28,6 @@ ingress: nginx.ingress.kubernetes.io/app-root: &gridAppRoot "/selenium" ingressClassName: nginx hostname: "" -# tls: -# - secretName: '{{ include "seleniumGrid.tls.fullname" . }}' -# hosts: -# - *.domain.com paths: - path: /selenium(/|$)(.*) pathType: ImplementationSpecific @@ -42,7 +43,8 @@ basicAuth: isolateComponents: true autoscaling: - enabled: true +# enabled: true + enableWithExistingKEDA: true scalingType: job annotations: helm.sh/hook: post-install,post-upgrade,post-rollback 
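Review bot: In the tests/charts/ci/tls-values.yaml hunk the context line `generateTLS: false` still sits directly under `tls:`, but this commit moves that setting to `tls.ingress.generateTLS` in values.yaml, so the key is now ignored by the templates. Either drop the line or nest it as `ingress:` / `generateTLS: false` so the CI values state what is actually tested.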
diff --git a/tests/charts/templates/test.py b/tests/charts/templates/test.py
index 695a846ed7..a40cbd22db 100644
--- a/tests/charts/templates/test.py
+++ b/tests/charts/templates/test.py
@@ -84,8 +84,9 @@ def test_log_level_set_to_logging_config_map(self):
 logger.info(f"Assert logging ConfigMap is set to envFrom in resource {doc['metadata']['name']}")
 list_env_from = doc['spec']['template']['spec']['containers'][0]['envFrom']
 for env in list_env_from:
- if env['configMapRef']['name'] == 'selenium-logging-config':
- is_present = True
+ if env.get('configMapRef') is not None:
+ if env['configMapRef']['name'] == 'selenium-logging-config':
+ is_present = True
 self.assertTrue(is_present, "envFrom doesn't contain logging ConfigMap")
 count += 1
 self.assertEqual(count, len(resources_name), "Logging ConfigMap is not present in expected resources")
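Review bot: The added guard can be a single condition, `if env.get('configMapRef', {}).get('name') == 'selenium-logging-config':`, which removes the nested `if` and the repeated lookup. This commit also adds a `secretRef` to every component's `envFrom`, and nothing in this hunk asserts that it is present; a sibling test that checks `env.get('secretRef')` against the expected Secret name would cover the new behaviour. The test method starts above the hunk.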