zabbix-community / helm-zabbix

Helm chart for Zabbix
https://artifacthub.io/packages/helm/zabbix-community/zabbix
Apache License 2.0

Possibility to add TLS certs during deployment? #14

Closed IlyaPupkovs closed 1 year ago

IlyaPupkovs commented 1 year ago

Hi, I am doing a PoC for moving our Zabbix server to k8s and so far this helm chart has performed very well. But recently I tried to test TLS encryption between the Zabbix server and Zabbix proxies and hit a brick wall trying to pass certs during the server pod deployment process. The initial idea was to put certs into Hashicorp Vault and fetch them using PodAnnotations, but it seems there is no place in this helm chart for PodAnnotations.

Can you advise on how certificates can be put inside the server pod/container? Or where annotations can be put to take effect?

sa-ChristianAnton commented 1 year ago

Hi!

I am happy to hear that you are considering the use of this Helm chart for your project.

I have personally not yet used Hashicorp Vault, but I have checked their docs and I believe I understand what you mean: you simply want to add some annotations to both the deployment of the Zabbix server and the one for the Zabbix proxy in order to make the Hashicorp operator inject a certificate.

I have to admit that we haven't needed this yet, but I totally agree with you that this is an important feature of the Helm chart which we are missing. We do not only miss the ability to add custom annotations to the deployments, but also to the Ingress, the services and maybe some more.

Unfortunately, I do not have much time this week to "just do" this implementation, so I need to ask you for some patience. Alternatively, and preferred, would indeed be for you to submit a Pull Request with these additions. Please check CONTRIBUTING.md within this repository. We would happily receive this PR from you.

Cheers

Christian

sa-ChristianAnton commented 1 year ago

OK, sometimes it goes faster than expected. I checked again and found that it would be an easy one. So, I did the implementation and some tests quickly. I believe Aecio will review during the next couple of days, and you should be fine to go with your Hashicorp Vault based secrets.

IlyaPupkovs commented 1 year ago

Very impressive, thank you!

aeciopires commented 1 year ago

Hi @IlyaPupkovs!

As @sa-ChristianAnton said, thank you for using this helm chart. This is a different use case. Thanks @sa-ChristianAnton for solving this issue. I didn't know how to solve this. The PR is OK for me. I will approve.

IlyaPupkovs commented 1 year ago

So I did a few tests in my project (bumped helm to v3.4.1) and no luck: the annotations there have no effect.

I've been told by our DevOps that we need annotations to be available inside metadata here: https://github.com/zabbix-community/helm-zabbix/blob/master/charts/zabbix/templates/deployment-zabbix-server.yaml#L23

So when the deployment is done I should have containers for the server and vault-injector, which is responsible for fetching and injecting certs into the server container. Unfortunately I am not skilled enough to make the PR myself.

aeciopires commented 1 year ago

Hello @IlyaPupkovs !

Thank you for explaining your need in detail. I will try to implement this.

IlyaPupkovs commented 1 year ago

It's hard for me to say, as I use only stateless stuff in my project (no k8s proxies/dbs, just server + agent + ingress, the rest is outside k8s). But I think it should be in a similar place (since both have similar constructs): https://github.com/zabbix-community/helm-zabbix/blob/master/charts/zabbix/templates/statefulset-zabbix-proxy.yaml#L24

I can try to build a Zabbix proxy to test how it works when the helm chart is adjusted.

IlyaPupkovs commented 1 year ago

It works as expected. Thank you, guys! If someone is interested, these are the annotations I've used to inject certs:

containerAnnotations:
  vault.hashicorp.com/log-level: INFO
  vault.hashicorp.com/agent-inject: "true"
  vault.hashicorp.com/agent-pre-populate-only: "true"
  vault.hashicorp.com/role: <vault_role_name>
  vault.hashicorp.com/agent-inject-secret-<cert_name>: "<path_to_certificate_in_vault>"
  vault.hashicorp.com/secret-volume-path-<cert_name>: "/var/lib/zabbix/enc/"
  vault.hashicorp.com/agent-inject-template-<cert_name>: |
    {{- with secret "<path_to_certificate_in_vault>" }}
    {{ .Data.data.<cert_name> }}
    {{- end }}
  vault.hashicorp.com/agent-inject-secret-<ca_cert_name>: "<path_to_ca_certificate_in_vault>"
  vault.hashicorp.com/secret-volume-path-<ca_cert_name>: "/var/lib/zabbix/enc/"
  vault.hashicorp.com/agent-inject-template-<ca_cert_name>: |
    {{- with secret "<path_to_ca_certificate_in_vault>" }}
    {{ .Data.data.<ca_cert_name> }}
    {{- end }}
  vault.hashicorp.com/agent-inject-secret-<key_name>: "<path_to_certificate_key_in_vault>"
  vault.hashicorp.com/secret-volume-path-<key_name>: "/var/lib/zabbix/enc/"
  vault.hashicorp.com/agent-inject-template-<key_name>: |
    {{- with secret "<path_to_certificate_key_in_vault>" }}
    {{ .Data.data.<key_name> }}
    {{- end }}

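
As an added example (not code from the helm-zabbix chart or from any commenter in this thread), here is a small Python check for a rendered Zabbix server Deployment, of the kind you get from `kubectl get deploy <name> -o json`. It verifies that the Vault Agent injector annotations sit on the pod template metadata (the location the maintainer link in the earlier comment points at; the injector's mutating webhook reads pod annotations, not Deployment annotations), and that every `agent-inject-secret-<name>` has a matching `agent-inject-template-<name>` and a `secret-volume-path-<name>` pointing at the Zabbix TLS directory used above. The Deployment, the Vault role name and the Vault secret paths are constructed placeholders.

```python
"""Check Vault Agent injector annotations on a rendered Zabbix server Deployment.

Added example, not part of the helm-zabbix chart. The manifest below is a
constructed, abridged stand-in for `kubectl get deploy ... -o json` output.
"""
from typing import Dict, List

VAULT = "vault.hashicorp.com/"
# Directory the Zabbix server reads its TLS material from (as used in the issue above).
ZABBIX_ENC_DIR = "/var/lib/zabbix/enc/"


def constructed_annotations() -> Dict[str, str]:
    """The annotation set from the issue, with constructed values in the placeholders."""
    ann = {
        VAULT + "agent-inject": "true",
        VAULT + "agent-pre-populate-only": "true",
        VAULT + "role": "zabbix-server",  # constructed Vault Kubernetes-auth role name
    }
    # (<name>, <constructed KV v2 path>) for the server cert, CA cert and private key
    for name, path in (("server_cert", "secret/data/zabbix/server_cert"),
                       ("ca_cert", "secret/data/zabbix/ca_cert"),
                       ("server_key", "secret/data/zabbix/server_key")):
        ann[VAULT + "agent-inject-secret-" + name] = path
        ann[VAULT + "secret-volume-path-" + name] = ZABBIX_ENC_DIR
        # Template that writes only the PEM value, not the default key/value rendering.
        ann[VAULT + "agent-inject-template-" + name] = (
            '{{- with secret "%s" }}{{ .Data.data.%s }}{{- end }}' % (path, name))
    return ann


def constructed_deployment(on_pod_template: bool) -> dict:
    """Abridged Deployment (constructed). on_pod_template=False reproduces the
    misplacement from the issue: annotations on the Deployment's own metadata."""
    ann = constructed_annotations()
    return {
        "apiVersion": "apps/v1",
        "kind": "Deployment",
        "metadata": {"name": "zabbix-zabbix-server",
                     "annotations": {} if on_pod_template else ann},
        "spec": {"template": {
            "metadata": {"annotations": ann if on_pod_template else {}},
            "spec": {"containers": [{"name": "zabbix-server"}]}}},
    }


def check_injector_annotations(deployment: dict, enc_dir: str = ZABBIX_ENC_DIR) -> List[str]:
    """Return a list of findings; an empty list means the annotations look usable."""
    findings: List[str] = []
    top = deployment.get("metadata", {}).get("annotations") or {}
    pod = (deployment.get("spec", {}).get("template", {})
           .get("metadata", {}).get("annotations") or {})
    vault_top = {k: v for k, v in top.items() if k.startswith(VAULT)}
    vault_pod = {k: v for k, v in pod.items() if k.startswith(VAULT)}

    if vault_top and not vault_pod:
        findings.append("vault annotations are on the Deployment's own metadata; the injector "
                        "webhook only reads spec.template.metadata.annotations")
    if vault_pod.get(VAULT + "agent-inject") != "true":
        findings.append('missing ' + VAULT + 'agent-inject: "true" on the pod template')
        return findings
    if VAULT + "role" not in vault_pod:
        findings.append("missing " + VAULT + "role (Vault Kubernetes auth role)")

    prefix = VAULT + "agent-inject-secret-"
    names = [k[len(prefix):] for k in vault_pod if k.startswith(prefix)]
    if not names:
        findings.append("agent-inject is enabled but no agent-inject-secret-<name> is set")
    for name in names:
        if VAULT + "agent-inject-template-" + name not in vault_pod:
            findings.append(f"{name}: no agent-inject-template, the file would hold the "
                            "injector's default key/value rendering rather than the raw PEM")
        path = vault_pod.get(VAULT + "secret-volume-path-" + name)
        if path is None:
            findings.append(f"{name}: no secret-volume-path, the file lands in the injector "
                            f"default directory (/vault/secrets), not {enc_dir}")
        elif path.rstrip("/") != enc_dir.rstrip("/"):
            findings.append(f"{name}: secret-volume-path {path} is not {enc_dir}")
    return findings


if __name__ == "__main__":
    for placed_correctly in (True, False):
        result = check_injector_annotations(constructed_deployment(placed_correctly))
        print("pod-template annotations" if placed_correctly else "deployment annotations",
              "->", result or "OK")
```

Run it against a real manifest by replacing the constructed dict with `json.load()` of the `kubectl ... -o json` output; a non-empty findings list is the reason the earlier comment reported "annotations there have no effect".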
aeciopires commented 1 year ago

Thanks for feedback @IlyaPupkovs!

We are happy to help you.

Can you edit your answer and put the annotations as code to keep the formatting and white spaces?

This is important for other people that use CTRL+C and CTRL+V...