bugfest / tor-controller

Tor toolkit for Kubernetes (Tor instances, onion services and more)
Apache License 2.0
113 stars 16 forks

[BUG] trying to consume secret for private key fails #13

Closed michaelarmstrong closed 2 years ago

michaelarmstrong commented 2 years ago

Using a tor v3 private key, created via:

kubectl create secret generic test-onion-key --from-file=hs_ed25519_secret_key

and then referenced in the YAML:

privateKeySecret:
    name: test-onion-key
    key: private_key

as per the documentation. The pod fails to create with:

Warning FailedMount 6s (x5 over 14s) kubelet MountVolume.SetUp failed for volume "private-key" : references non-existent secret key: privateKeyFile

I predict it's just a configuration error, but I can't seem to debug it and am sure it's just missing documentation. Please advise.

FULL YAML:

apiVersion: tor.k8s.torproject.org/v1alpha2
kind: OnionService
metadata:
  name: test-site-deployment-tor
spec:
  version: 3
  rules:
    - port:
        number: 80
      backend:
        service:
          name: test-site-deployment
          port:
            number: 80
  privateKeySecret:
    name: test-onion-key
    key: private_key

bugfest commented 2 years ago

Hi @michaelarmstrong, thanks for the report. Going to investigate it

bugfest commented 2 years ago

Hi @michaelarmstrong, it's indeed a documentation error. The secret format the controller expects must have the following keys (note they are base64 encoded in the secret).

Example (output of kubectl get -o yaml secret/issue13 in my test cluster):

apiVersion: v1
data:
  onionAddress: ZWxqZGU2a...
  privateKey: oMLf2tSS2...
  privateKeyFile: PT0gZW...
  publicKey: ItIyeT+kH...
  publicKeyFile: PT0gZWQyNT...
kind: Secret
metadata:
  name: issue13
...
type: tor.k8s.torproject.org/onion-v3

Tor controller will generate secrets with this format. You can back them up and store them in a safe location just in case. You can reference them using the secret name but skipping the key (that's a doc typo I'm going to fix now). Example assuming you have a secret test-onion-tor-secret with the above format (of type tor.k8s.torproject.org/onion-v3):

apiVersion: tor.k8s.torproject.org/v1alpha2
kind: OnionService
metadata:
  name: test-site-deployment-tor
spec:
  version: 3
  rules:
    - port:
        number: 80
      backend:
        service:
          name: test-site-deployment
          port:
            number: 80
  privateKeySecret:
    name: test-onion-tor-secret

Not sure if you're trying to import an existing ed25519 key file you generated with openssl or Tor itself. If so, I wonder whether we could create a small script to ease the import process.

bugfest commented 2 years ago

Sorry, I missed the first line xD. You're importing from hs_ed25519_secret_key. Let me double-check what's the minimum the controller expects to be in that secret.

bugfest commented 2 years ago

Ok, so currently the controller expects at least 3 keys present in the secret: onionAddress, privateKeyFile and publicKeyFile.

So, to complete the answer to your question, you first create the secret with a command like the following:

$ kubectl create secret generic test-onion-key \
  --from-file=privateKeyFile=hs_ed25519_secret_key \
  --from-file=publicKeyFile=hs_ed25519_public_key \
  --from-file=onionAddress=hostname

And reference it in your Onion Service as:

apiVersion: tor.k8s.torproject.org/v1alpha2
kind: OnionService
metadata:
  name: test-site-deployment-tor
spec:
  version: 3
  rules:
    - port:
        number: 80
      backend:
        service:
          name: test-site-deployment
          port:
            number: 80
  privateKeySecret:
    name: test-onion-key

I'm going to prepare a fix so that if the key is specified, just that referenced field will be used.
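Before wrapping an existing HiddenServiceDir in a secret as described in the two comments above, it is worth checking that the three files are actually what Tor writes and that they belong together, since a mismatched hostname would produce a service that is reachable under a different address than the one you expect. The following is an added example, not code from tor-controller: it parses hs_ed25519_secret_key and hs_ed25519_public_key by their 32-byte NUL-padded tags, re-derives the v3 .onion address from the public key (base32 of pubkey || SHA3-256(".onion checksum" || pubkey || 0x03)[:2] || 0x03, as in the Tor rendezvous v3 spec), compares it with the hostname file, and renders the same Opaque Secret with the onionAddress, privateKeyFile and publicKeyFile keys that the kubectl command above creates. Function names (validate_hs_dir, hs_dir_problem, secret_manifest, make_sample_dir) are mine, the sample key bytes are constructed and not a real ed25519 key pair, and the script does not check that the secret key corresponds to the public key (that needs curve arithmetic the standard library does not provide).

```python
"""Sanity-check a Tor v3 HiddenServiceDir before turning it into a Secret.

Added example, not tor-controller code. Validates file layout, re-derives
the .onion address from hs_ed25519_public_key, compares it with hostname,
and renders the Opaque Secret that `kubectl create secret generic` builds.
It does NOT verify that the secret key matches the public key.
"""
import base64
import hashlib

SECRET_HEADER = b"== ed25519v1-secret: type0 =="
PUBLIC_HEADER = b"== ed25519v1-public: type0 =="
HEADER_LEN = 32      # Tor pads the ASCII tag with NUL bytes to 32 bytes
VERSION = b"\x03"    # v3 onion address format version byte


def _strip_header(blob, tag, body_len):
    """Return the key material that follows Tor's NUL-padded 32-byte tag."""
    if len(blob) != HEADER_LEN + body_len:
        raise ValueError(f"expected {HEADER_LEN + body_len} bytes, got {len(blob)}")
    header = blob[:HEADER_LEN]
    if header.rstrip(b"\x00") != tag:
        raise ValueError(f"unexpected header {header!r}")
    return blob[HEADER_LEN:]


def parse_secret_key_file(blob):
    """hs_ed25519_secret_key: tag + 64-byte expanded ed25519 secret key."""
    return _strip_header(blob, SECRET_HEADER, 64)


def parse_public_key_file(blob):
    """hs_ed25519_public_key: tag + 32-byte ed25519 public key."""
    return _strip_header(blob, PUBLIC_HEADER, 32)


def onion_address(pubkey):
    """v3 address: base32(pubkey || checksum || version) + '.onion', where
    checksum = SHA3-256(".onion checksum" || pubkey || version)[:2]."""
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    checksum = hashlib.sha3_256(b".onion checksum" + pubkey + VERSION).digest()[:2]
    return base64.b32encode(pubkey + checksum + VERSION).decode().lower() + ".onion"


def pubkey_from_address(address):
    """Inverse of onion_address; rejects bad length, version or checksum."""
    label = address.strip().lower()
    if not label.endswith(".onion") or len(label) != 62:
        raise ValueError("not a v3 onion address")
    raw = base64.b32decode(label[:-6].upper())   # 56 chars -> 35 bytes
    pubkey, version = raw[:32], raw[34:]
    if version != VERSION:
        raise ValueError("unsupported onion address version")
    if onion_address(pubkey) != label:           # recomputes the checksum
        raise ValueError("onion address checksum mismatch")
    return pubkey


def validate_hs_dir(secret_blob, public_blob, hostname_blob):
    """Check the three HiddenServiceDir files and return the .onion address."""
    parse_secret_key_file(secret_blob)
    pubkey = parse_public_key_file(public_blob)
    expected = onion_address(pubkey)
    actual = hostname_blob.decode().strip().lower()
    if actual != expected:
        raise ValueError(f"hostname {actual} does not match public key ({expected})")
    return expected


def hs_dir_problem(secret_blob, public_blob, hostname_blob):
    """None when the files are consistent, otherwise the reason they are not."""
    try:
        validate_hs_dir(secret_blob, public_blob, hostname_blob)
    except (ValueError, UnicodeDecodeError) as exc:
        return str(exc)
    return None


def secret_manifest(name, secret_blob, public_blob, hostname_blob):
    """Render the Opaque Secret the kubectl command above creates
    (keys onionAddress / privateKeyFile / publicKeyFile, values base64)."""
    validate_hs_dir(secret_blob, public_blob, hostname_blob)
    b64 = lambda b: base64.b64encode(b).decode()
    return "\n".join([
        "apiVersion: v1",
        "kind: Secret",
        "metadata:",
        f"  name: {name}",
        "type: Opaque",
        "data:",
        f"  onionAddress: {b64(hostname_blob)}",
        f"  privateKeyFile: {b64(secret_blob)}",
        f"  publicKeyFile: {b64(public_blob)}",
        "",
    ])


def make_sample_dir(pubkey, secret=b"\x11" * 64):
    """Constructed sample files: real layout, NOT a real Tor key pair."""
    pad = lambda tag: tag.ljust(HEADER_LEN, b"\x00")
    return (pad(SECRET_HEADER) + secret,
            pad(PUBLIC_HEADER) + pubkey,
            (onion_address(pubkey) + "\n").encode())


if __name__ == "__main__":
    s, p, h = make_sample_dir(bytes(range(32)))
    print(secret_manifest("test-onion-key", s, p, h))
```

On a real service, read the three files from HiddenServiceDir in binary mode and pass them in; if hs_dir_problem returns anything other than None, fix the directory before running kubectl create secret, because the controller will happily mount whatever you give it.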

bugfest commented 2 years ago

Hi @michaelarmstrong, just pushed a new version 0.5.1 with the fix. If you're using Helm, use the new chart version 0.1.4 (just published):

$ helm repo update
$ helm search repo bugfest
NAME                    CHART VERSION   APP VERSION     DESCRIPTION
bugfest/tor-controller  0.1.4           0.5.1           Tor hidden services controller for kubernetes

Check out the section "bring your own secret" in the project's README. Let me know how it goes ; )

Thanks for using my project!