feat: add client certs to coderd (#209)

Mike Terhar · ericpaulsen · johnstcn · web-flow · commit aa11b2a719d6 · 2022-02-02T14:18:46.000-06:00
* add client certs to coderd

* update ssl to tls

* add example with client/server cert

* remove db password from clientcerts

* feat: test coverage for coderd client tls

* chore: refactor client TLS to use TLS secret type

* chore: run helm-docs to update README

* chore: naming &amp; examples refactoring

* run make README.md

Co-authored-by: Eric Paulsen &lt;ericpaulsen@coder.com&gt;
Co-authored-by: Cian Johnston &lt;cian@coder.com&gt;
diff --git a/README.md b/README.md
@@ -25,11 +25,13 @@ View [our docs](https://coder.com/docs/setup/installation) for detailed installa
 | certs | object | Certificate that will be mounted inside Coder services. | `{"secret":{"key":"","name":""}}` |
 | certs.secret.key | string | Key pointing to a certificate in the secret. | `""` |
 | certs.secret.name | string | Name of the secret. | `""` |
-| coderd | object | Primary service responsible for all things Coder! | `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` |
+| coderd | object | Primary service responsible for all things Coder! | `{"affinity":{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}},"builtinProviderServiceAccount":{"annotations":{},"labels":{}},"clientTLS":{"secretName":""},"devurlsHost":"","extraLabels":{},"image":"","networkPolicy":{"enable":true},"oidc":{"enableRefresh":false,"redirectOptions":{}},"podSecurityContext":{"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"proxy":{"exempt":"cluster.local","http":"","https":""},"replicas":1,"resources":{"limits":{"cpu":"250m","memory":"512Mi"},"requests":{"cpu":"250m","memory":"512Mi"}},"reverseProxy":{"headers":[],"trustedOrigins":[]},"satellite":{"accessURL":"","enable":false,"primaryURL":""},"securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,"runAsGroup":1000,"runAsNonRoot":true,"runAsUser":1000,"seccompProfile":{"type":"RuntimeDefault"}},"serviceNodePorts":{"http":null,"https":null},"serviceSpec":{"externalTrafficPolicy":"Local","loadBalancerIP":"","loadBalancerSourceRanges":[],"type":"LoadBalancer"},"superAdmin":{"passwordSecret":{"key":"password","name":""}},"tls":{"devurlsHostSecretName":"","hostSecretName":""},"trustProxyIP":false}` |
 | coderd.affinity | object | Allows specifying an affinity rule for the `coderd` deployment. The default rule prefers to schedule coderd pods on different nodes, which is only applicable if coderd.replicas is greater than 1. | `{"podAntiAffinity":{"preferredDuringSchedulingIgnoredDuringExecution":[{"podAffinityTerm":{"labelSelector":{"matchExpressions":[{"key":"app.kubernetes.io/name","operator":"In","values":["coderd"]}]},"topologyKey":"kubernetes.io/hostname"},"weight":1}]}}` |
 | coderd.builtinProviderServiceAccount | object | Customize the built-in Kubernetes provider service account. | `{"annotations":{},"labels":{}}` |
 | coderd.builtinProviderServiceAccount.annotations | object | A KV mapping of annotations. See: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/ | `{}` |
 | coderd.builtinProviderServiceAccount.labels | object | Add labels to the service account used for the built-in provider. | `{}` |
+| coderd.clientTLS | object | Client-side TLS configuration for coderd. | `{"secretName":""}` |
+| coderd.clientTLS.secretName | string | Secret containing a PEM encoded cert file. | `""` |
 | coderd.devurlsHost | string | Wildcard hostname to allow matching against custom-created dev URLs. Leaving as an empty string results in DevURLs being disabled. | `""` |
 | coderd.extraLabels | object | Allows specifying additional labels to pods in the `coderd` deployment (.spec.template.metadata.labels). | `{}` |
 | coderd.image | string | Injected by Coder during release. | `""` |
diff --git a/examples/clientcerts/clientcerts.values.yaml b/examples/clientcerts/clientcerts.values.yaml
@@ -0,0 +1,23 @@
+# These sections are used for the client side of certificate authentication.
+coderd:
+  clientTLS:
+    secretName: "client-cert-secret"
+
+postgres:
+  default:
+    enable: false
+  host: "some.rds.hostname"
+  port: 5432
+  user: "coder"
+  database: "coder"
+  sslMode: "require"
+  ssl:
+    certSecret:
+      name: "database-client-cert-secret"
+      key: "database-client-cert-filename.crt"
+    keySecret:
+      name: "database-client-key-secret"
+      key: "database-client-key-filename.key"
+    rootCertSecret:
+      name: "database-root-cert-secret"
+      key: "database-root-cert-filename.crt"
diff --git a/templates/_common.tpl b/templates/_common.tpl
@@ -90,6 +90,11 @@ volumes:
     secret:
       secretName: {{ .Values.postgres.ssl.rootCertSecret.name | quote }}
 {{- end }}
+{{- if ne .Values.coderd.clientTLS.secretName "" }}
+  - name: clientcert
+    secret:
+      secretName: {{ .Values.coderd.clientTLS.secretName | quote }}
+{{- end }}
 {{- end }}
 
 # coder.volumeMounts adds a volume mounts stanza if a cert.secret is
@@ -128,6 +133,11 @@ volumeMounts:
     mountPath: /etc/ssl/certs/pg/rootcert
     readOnly: true
 {{- end }}
+{{- if ne .Values.coderd.clientTLS.secretName "" }}
+  - name: clientcert
+    mountPath: /etc/ssl/certs/client
+    readOnly: true
+{{- end }}
 {{- end }}
 
 # coder.serviceTolerations adds tolerations if any are specified to
diff --git a/templates/coderd.yaml b/templates/coderd.yaml
@@ -187,6 +187,12 @@ spec:
               value: {{ join "," .Values.coderd.reverseProxy.trustedOrigins | quote }}
             - name: PROXY_TRUSTED_HEADERS
               value: {{ join "," .Values.coderd.reverseProxy.headers | quote }}
+            {{- if ne .Values.coderd.clientTLS.secretName "" }}
+            - name: SSL_CLIENT_CERT_FILE
+              value: "/etc/ssl/certs/client/tls.crt"
+            - name: SSL_CLIENT_KEY_FILE
+              value: "/etc/ssl/certs/client/tls.key"
+            {{- end }}
             {{- include "coder.workspaces.configMapEnv" . | indent 12 }}
             {{- include "coder.postgres.env" . | indent 12 }}
           command:
diff --git a/tests/client_tls_test.go b/tests/client_tls_test.go
@@ -0,0 +1,48 @@
+package tests
+
+import (
+	"path/filepath"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	v1 "k8s.io/api/core/v1"
+)
+
+// ensures client TLS certs are correctly applied to coderd
+func Test_ClientTLS(t *testing.T) {
+	t.Parallel()
+
+	var (
+		chart = LoadChart(t)
+
+		certVolName    = "clientcert"
+		certSecretName = "coder-tls-cert"
+		certMountPath  = "/etc/ssl/certs/client"
+	)
+
+	objs := chart.MustRender(t, func(cv *CoderValues) {
+		cv.Coderd.ClientTLS = &CoderdClientTLSValues{
+			SecretName: &certSecretName,
+		}
+	})
+
+	coderd := MustFindDeployment(t, objs, "coderd")
+	require.Len(t, coderd.Spec.Template.Spec.Containers, 1)
+	coderdCtr := coderd.Spec.Template.Spec.Containers[0]
+	envVars := EnvVarsAsMap(coderdCtr.Env)
+
+	// Assert volumes and volume mounts for both the cert and key.
+	AssertVolume(t, coderd.Spec.Template.Spec.Volumes, certVolName, func(t testing.TB, v v1.Volume) {
+		require.NotNil(t, v.Secret)
+		assert.Equal(t, certSecretName, v.Secret.SecretName)
+	})
+
+	AssertVolumeMount(t, coderdCtr.VolumeMounts, certVolName, func(t testing.TB, v v1.VolumeMount) {
+		assert.Equal(t, certMountPath, v.MountPath)
+		assert.True(t, v.ReadOnly)
+	})
+
+	assert.Equal(t, envVars["SSL_CLIENT_CERT_FILE"], filepath.Join(certMountPath, "tls.crt"))
+	assert.Equal(t, envVars["SSL_CLIENT_KEY_FILE"], filepath.Join(certMountPath, "tls.key"))
+}
diff --git a/tests/values.go b/tests/values.go
@@ -94,6 +94,11 @@ type CoderdValues struct {
 	Proxy                         *CoderdProxyValues                         `json:"proxy" yaml:"proxy"`
 	ReverseProxy                  *CoderdReverseProxyValues                  `json:"reverseProxy" yaml:"reverseProxy"`
 	NetworkPolicy                 *CoderdNetworkPolicyValues                 `json:"networkPolicy" yaml:"networkPolicy"`
+	ClientTLS                     *CoderdClientTLSValues                     `json:"clientTLS" yaml:"clientTLS"`
+}
+
+type CoderdClientTLSValues struct {
+	SecretName *string `json:"secretName" yaml:"secretName"`
 }
 
 // CoderdServiceNodePortsValues reflect values from
diff --git a/values.yaml b/values.yaml
@@ -51,6 +51,11 @@ coderd:
     # coderd.tls.devurlsHostSecretName -- The secret to use for DevURL TLS.
     devurlsHostSecretName: ""
 
+  # coderd.clientTLS -- Client-side TLS configuration for coderd.
+  clientTLS:
+    # coderd.clientTLS.secretName -- Secret containing a PEM encoded cert file.
+    secretName: ""
+
   # coderd.proxy -- Whether Coder should initiate outbound connections using
   # a proxy.
   proxy:
