chainloop-dev / chainloop

Chainloop is an Open Source evidence store for your Software Supply Chain attestations, SBOMs, VEX, SARIF, CSAF files, QA reports, and more.
https://docs.chainloop.dev
Apache License 2.0

Look into OpenShift `routes` support #1009

Closed migmartri closed 4 months ago

migmartri commented 4 months ago

Chainloop can be deployed in Kubernetes through our provided Helm Chart. Our chart supports exposing services through K8s Ingresses, but in the case of OpenShift, there is an alternative construct called Route.

This task is about looking into Chainloop's compatibility with routes, documenting it, and potentially adding these k8s primitives to our Chart too.

The biggest unknown is how to configure such route entries to support gRPC, similarly to what we do with the nginx ingress controller:

nginx.ingress.kubernetes.io/backend-protocol: "GRPC"

or AWS ALBs:

alb.ingress.kubernetes.io/backend-protocol-version: GRPC

cc/ @hanygirgis

hanygirgis commented 4 months ago

I think this article can help (I'm trying to get it working): https://www.redhat.com/en/blog/grpc-or-http/2-ingress-connectivity-in-openshift

migmartri commented 4 months ago

Thanks @hanygirgis for the pointer.

It seems that with HAProxy we'll have the problem we had with AWS ALB or Google Load Balancer: for the gRPC endpoint, we are going to need HTTP/2 and TLS termination in the pod.

TLS encryption is doable today in the control-plane and CAS pods; you can provide the certificates using these options in the Helm Chart: https://github.com/chainloop-dev/chainloop/blob/4801f98dba175b5b5038522ac99384436ffcf39c/deployment/chainloop/values.yaml#L112-L115

This will run the gRPC servers with TLS enabled; next, I'd set the cert in the route and enable re-encryption.

migmartri commented 4 months ago

and secured routes: https://docs.openshift.com/container-platform/4.8/networking/routes/secured-routes.html#nw-ingress-creating-a-passthrough-route_secured-routes

migmartri commented 4 months ago

We do support the three kinds of routes: edge, reencrypt and passthrough.

The latter two can be enabled with a combination of a) setting server certs for CAS and Controlplane:

cas:
  tlsConfig:
    secret:
      name: custom-cert
controlplane:
  tlsConfig:
    secret:
      name: custom-cert

and b) adding custom CAs for CP -> CAS communication:

  auth:
    oidc:
      customCAs:
        - |-
          -----BEGIN CERTIFICATE-----

Both of those can be performed via the Helm Chart values.yaml file.

For passthrough, the CLI now supports receiving a custom CA as well, to verify the self-signed cert loaded in the pods: https://github.com/chainloop-dev/chainloop/pull/1017
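The route side of the setup described in this last comment, as an added example that is not part of the thread or of the Chainloop Helm chart: two OpenShift `Route` objects, one passthrough and one reencrypt, fronting the gRPC services whose pods were given the `custom-cert` server certificate via the values shown above. The service names (`chainloop-cas`, `chainloop-controlplane`), the service port name `grpc`, the route names and the hostnames are assumptions and placeholders; the TLS settings are the point of the example.

```yaml
# Added example, not from the chainloop chart. Assumed: Services named
# "chainloop-cas" and "chainloop-controlplane" exposing a port named "grpc";
# hostnames are placeholders. Edge termination is left out on purpose: with
# edge the router talks plaintext to the pod, which does not give the gRPC
# endpoint the HTTP/2-over-TLS it needs (see the thread above).

# Passthrough: HAProxy forwards the TLS stream untouched, so the client sees
# the pod's own certificate and HTTP/2 (gRPC) survives end to end. The client
# (e.g. the chainloop CLI) must therefore trust the CA that issued that cert.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: chainloop-cas-grpc            # assumed name
spec:
  host: cas.chainloop.example.com     # placeholder hostname
  to:
    kind: Service
    name: chainloop-cas               # assumed service name
  port:
    targetPort: grpc                  # assumed service port name
  tls:
    termination: passthrough
    # Reject plain HTTP on :80 instead of redirecting; gRPC clients never
    # follow redirects, so "Redirect" would only mask misconfiguration.
    insecureEdgeTerminationPolicy: None
---
# Reencrypt: HAProxy terminates TLS with the router's certificate (or the
# certificate/key given under spec.tls) and opens a new TLS session to the pod.
# destinationCACertificate must be the CA that signed the cert stored in
# "custom-cert"; otherwise the router refuses the backend and returns 503.
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  name: chainloop-controlplane-grpc   # assumed name
spec:
  host: cp.chainloop.example.com      # placeholder hostname
  to:
    kind: Service
    name: chainloop-controlplane      # assumed service name
  port:
    targetPort: grpc                  # assumed service port name
  tls:
    termination: reencrypt
    insecureEdgeTerminationPolicy: None
    # Placeholder: replace with the PEM of the CA that issued the pod cert.
    destinationCACertificate: |-
      -----BEGIN CERTIFICATE-----
      ...CA that issued the certificate in the custom-cert secret...
      -----END CERTIFICATE-----
```

Two checks worth doing after applying either route: confirm the router is allowed to speak HTTP/2 to the backend at all (on OpenShift 4 this is the `ingress.operator.openshift.io/default-enable-http2` annotation on the `IngressController`, which the Red Hat article linked earlier in the thread walks through), and confirm with `openssl s_client -alpn h2 -connect <host>:443` that the negotiated protocol is `h2` and that the certificate presented is the one you expect (the pod's cert for passthrough, the router's for reencrypt). With passthrough there is no router-side certificate validation, so the client-side custom CA mentioned in the last comment is the only thing standing between the CLI and a spoofed endpoint; do not disable that verification to "make it work".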