
Commit 757865c

Merge pull request #55 from steadybit/feat/insecureSkipVerify
feat: add options for customer certificates
2 parents c79aa8c + a8a24fe commit 757865c


10 files changed

+302
-25
lines changed


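--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,8 +1,9 @@
 # Changelog
 
-## v1.1.7 (next)
+## v1.1.7
 
 - Updated dependencies
+- add insecureSkipVerify option
 
 ## v1.1.6
 
@@ -39,4 +40,4 @@
 
 ## v1.0.0
 
-- Initial release
+- Initial release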

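--- a/README.md
+++ b/README.md
@@ -80,9 +80,47 @@ Make sure that the extension is registered with the agent. In most cases this is
 the [documentation](https://docs.steadybit.com/install-and-configure/install-agent/extension-registration) for more
 information about extension registration and how to verify.
 
+## Importing your own certificates
+
+You may want to import your own certificates for connecting to Jenkins instances with self-signed certificates. This can be done in two ways:
+
+### Option 1: Using InsecureSkipVerify
+
+The extension provides the `insecureSkipVerify` option which disables TLS certificate verification. This is suitable for testing but not recommended for production environments.
+
+```yaml
+instana:
+insecureSkipVerify: true
+```
+
+### Option 2: Mounting custom certificates
+
+Mount a volume with your custom certificates and reference it in `extraVolumeMounts` and `extraVolumes` in the helm chart.
+
+This example uses a config map to store the `*.crt`-files:
+
+```shell
+kubectl create configmap -n steadybit-agent instana-self-signed-ca --from-file=./self-signed-ca.crt
+```
+
+```yaml
+extraVolumeMounts:
+- name: extra-certs
+mountPath: /etc/ssl/extra-certs
+readOnly: true
+extraVolumes:
+- name: extra-certs
+configMap:
+name: instana-self-signed-ca
+extraEnv:
+- name: SSL_CERT_DIR
+value: /etc/ssl/extra-certs:/etc/ssl/certs
+```
+
 ## Version and Revision
 
 The version and revision of the extension:
 - are printed during the startup of the extension
 - are added as a Docker label to the image
 - are available via the `version.txt`/`revision.txt` files in the root of the image
+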

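--- a/charts/steadybit-extension-instana/Chart.yaml
+++ b/charts/steadybit-extension-instana/Chart.yaml
@@ -1,7 +1,7 @@
 apiVersion: v2
 name: steadybit-extension-instana
 description: Steadybit instana extension Helm chart for Kubernetes.
-version: 1.1.9
+version: 1.1.10
 appVersion: v1.1.6
 home: https://www.steadybit.com/
 icon: https://steadybit-website-assets.s3.amazonaws.com/logo-symbol-transparent.png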

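--- a/charts/steadybit-extension-instana/templates/deployment.yaml
+++ b/charts/steadybit-extension-instana/templates/deployment.yaml
@@ -66,12 +66,17 @@ spec:
 key: api-token
 - name: STEADYBIT_EXTENSION_BASE_URL
 value: {{ .Values.instana.baseUrl }}
+- name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+value: "{{ .Values.instana.insecureSkipVerify }}"
 {{- with .Values.extraEnvFrom }}
 envFrom:
 {{- toYaml . | nindent 12 }}
 {{- end }}
 volumeMounts:
 {{- include "extensionlib.deployment.volumeMounts" (list .) | nindent 12 }}
+{{- with .Values.extraVolumeMounts }}
+{{- toYaml . | nindent 12 }}
+{{- end }}
 livenessProbe:
 initialDelaySeconds: {{ .Values.probes.liveness.initialDelaySeconds }}
 periodSeconds: {{ .Values.probes.liveness.periodSeconds }}
@@ -96,6 +101,9 @@ spec:
 {{- end }}
 volumes:
 {{- include "extensionlib.deployment.volumes" (list .) | nindent 8 }}
+{{- with .Values.extraVolumes }}
+{{- toYaml . | nindent 8 }}
+{{- end }}
 serviceAccountName: {{ .Values.serviceAccount.name }}
 {{- with .Values.nodeSelector }}
 nodeSelector: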
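Review bot: The added `STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY` entry in the first hunk takes `.Values.instana.insecureSkipVerify` as-is, with no fallback in the template and no comment saying what it turns off. The same env list carries the Instana API token (the `api-token` secret reference just above), so with verification disabled that token is presumably sent over a connection whose peer certificate is never checked. I would pin the fallback in the template, `value: {{ .Values.instana.insecureSkipVerify | default false | quote }}`, and put a template comment above it along the lines of `{{- /* disables TLS certificate verification towards Instana; prefer a mounted CA via extraVolumes and SSL_CERT_DIR */}}`. The chart's values.yaml is not visible on this page, so the "false" in the snapshots is the only evidence of the current default; the container spec starts and ends outside both hunks.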

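--- a/charts/steadybit-extension-instana/tests/__snapshot__/deployment_test.yaml.snap
+++ b/charts/steadybit-extension-instana/tests/__snapshot__/deployment_test.yaml.snap
@@ -39,6 +39,8 @@ manifest should match snapshot using podAnnotations and Labels:
 name: steadybit-extension-instana
 - name: STEADYBIT_EXTENSION_BASE_URL
 value: null
+- name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+value: "false"
 image: ghcr.io/steadybit/extension-instana:v0.0.0
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -123,6 +125,8 @@ manifest should match snapshot with TLS:
 name: steadybit-extension-instana
 - name: STEADYBIT_EXTENSION_BASE_URL
 value: null
+- name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+value: "false"
 image: ghcr.io/steadybit/extension-instana:v0.0.0
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -171,6 +175,96 @@ manifest should match snapshot with TLS:
 secret:
 optional: false
 secretName: server-cert
+manifest should match snapshot with custom certificates mounted:
+1: |
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+labels:
+steadybit.com/discovery-disabled: "true"
+steadybit.com/extension: "true"
+name: RELEASE-NAME-steadybit-extension-instana
+namespace: NAMESPACE
+spec:
+replicas: 1
+selector:
+matchLabels:
+app.kubernetes.io/instance: RELEASE-NAME
+app.kubernetes.io/name: steadybit-extension-instana
+template:
+metadata:
+annotations:
+oneagent.dynatrace.com/injection: "false"
+labels:
+app.kubernetes.io/instance: RELEASE-NAME
+app.kubernetes.io/name: steadybit-extension-instana
+steadybit.com/discovery-disabled: "true"
+steadybit.com/extension: "true"
+spec:
+containers:
+- env:
+- name: STEADYBIT_LOG_LEVEL
+value: INFO
+- name: STEADYBIT_LOG_FORMAT
+value: text
+- name: SSL_CERT_DIR
+value: /etc/ssl/extra-certs:/etc/ssl/certs
+- name: STEADYBIT_EXTENSION_API_TOKEN
+valueFrom:
+secretKeyRef:
+key: api-token
+name: steadybit-extension-instana
+- name: STEADYBIT_EXTENSION_BASE_URL
+value: null
+- name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+value: "false"
+image: ghcr.io/steadybit/extension-instana:v0.0.0
+imagePullPolicy: IfNotPresent
+livenessProbe:
+failureThreshold: 5
+httpGet:
+path: /health/liveness
+port: 8091
+initialDelaySeconds: 10
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 5
+name: extension
+readinessProbe:
+failureThreshold: 3
+httpGet:
+path: /health/readiness
+port: 8091
+initialDelaySeconds: 10
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+resources:
+limits:
+cpu: 200m
+memory: 128Mi
+requests:
+cpu: 50m
+memory: 32Mi
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+readOnlyRootFilesystem: true
+volumeMounts:
+- mountPath: /etc/ssl/extra-certs
+name: extra-certs
+readOnly: true
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+serviceAccountName: steadybit-extension-instana
+volumes:
+- configMap:
+name: instana-self-signed-ca
+name: extra-certs
 manifest should match snapshot with extra env vars:
 1: |
 apiVersion: apps/v1
@@ -212,6 +306,8 @@ manifest should match snapshot with extra env vars:
 name: steadybit-extension-instana
 - name: STEADYBIT_EXTENSION_BASE_URL
 value: null
+- name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+value: "false"
 envFrom:
 - configMapRef: null
 name: env-configmap
@@ -299,6 +395,90 @@ manifest should match snapshot with extra labels:
 name: steadybit-extension-instana
 - name: STEADYBIT_EXTENSION_BASE_URL
 value: null
+- name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+value: "false"
+image: ghcr.io/steadybit/extension-instana:v0.0.0
+imagePullPolicy: IfNotPresent
+livenessProbe:
+failureThreshold: 5
+httpGet:
+path: /health/liveness
+port: 8091
+initialDelaySeconds: 10
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 5
+name: extension
+readinessProbe:
+failureThreshold: 3
+httpGet:
+path: /health/readiness
+port: 8091
+initialDelaySeconds: 10
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+resources:
+limits:
+cpu: 200m
+memory: 128Mi
+requests:
+cpu: 50m
+memory: 32Mi
+securityContext:
+allowPrivilegeEscalation: false
+capabilities:
+drop:
+- ALL
+readOnlyRootFilesystem: true
+volumeMounts: null
+securityContext:
+runAsNonRoot: true
+seccompProfile:
+type: RuntimeDefault
+serviceAccountName: steadybit-extension-instana
+volumes: null
+manifest should match snapshot with insecureSkipVerify enabled:
+1: |
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+labels:
+steadybit.com/discovery-disabled: "true"
+steadybit.com/extension: "true"
+name: RELEASE-NAME-steadybit-extension-instana
+namespace: NAMESPACE
+spec:
+replicas: 1
+selector:
+matchLabels:
+app.kubernetes.io/instance: RELEASE-NAME
+app.kubernetes.io/name: steadybit-extension-instana
+template:
+metadata:
+annotations:
+oneagent.dynatrace.com/injection: "false"
+labels:
+app.kubernetes.io/instance: RELEASE-NAME
+app.kubernetes.io/name: steadybit-extension-instana
+steadybit.com/discovery-disabled: "true"
+steadybit.com/extension: "true"
+spec:
+containers:
+- env:
+- name: STEADYBIT_LOG_LEVEL
+value: INFO
+- name: STEADYBIT_LOG_FORMAT
+value: text
+- name: STEADYBIT_EXTENSION_API_TOKEN
+valueFrom:
+secretKeyRef:
+key: api-token
+name: steadybit-extension-instana
+- name: STEADYBIT_EXTENSION_BASE_URL
+value: null
+- name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+value: "true"
 image: ghcr.io/steadybit/extension-instana:v0.0.0
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -385,6 +565,8 @@ manifest should match snapshot with mutual TLS:
 name: steadybit-extension-instana
 - name: STEADYBIT_EXTENSION_BASE_URL
 value: null
+- name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+value: "false"
 image: ghcr.io/steadybit/extension-instana:v0.0.0
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -485,6 +667,8 @@ manifest should match snapshot with mutual TLS using containerPaths:
 name: steadybit-extension-instana
 - name: STEADYBIT_EXTENSION_BASE_URL
 value: null
+- name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+value: "false"
 image: ghcr.io/steadybit/extension-instana:v0.0.0
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -565,6 +749,8 @@ manifest should match snapshot with podSecurityContext:
 name: steadybit-extension-instana
 - name: STEADYBIT_EXTENSION_BASE_URL
 value: null
+- name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+value: "false"
 image: ghcr.io/steadybit/extension-instana:v0.0.0
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -646,6 +832,8 @@ manifest should match snapshot with priority class:
 name: steadybit-extension-instana
 - name: STEADYBIT_EXTENSION_BASE_URL
 value: null
+- name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+value: "false"
 image: ghcr.io/steadybit/extension-instana:v0.0.0
 imagePullPolicy: IfNotPresent
 livenessProbe:
@@ -727,6 +915,8 @@ manifest should match snapshot without TLS:
 name: steadybit-extension-instana
 - name: STEADYBIT_EXTENSION_BASE_URL
 value: null
+- name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
+value: "false"
 image: ghcr.io/steadybit/extension-instana:v0.0.0
 imagePullPolicy: IfNotPresent
 livenessProbe: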

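--- a/charts/steadybit-extension-instana/tests/deployment_test.yaml
+++ b/charts/steadybit-extension-instana/tests/deployment_test.yaml
@@ -80,3 +80,26 @@ tests:
 priorityClassName: my-priority-class
 asserts:
 - matchSnapshot: {}
+
+- it: manifest should match snapshot with insecureSkipVerify enabled
+set:
+instana:
+insecureSkipVerify: true
+asserts:
+- matchSnapshot: {}
+
+- it: manifest should match snapshot with custom certificates mounted
+set:
+extraVolumeMounts:
+- name: extra-certs
+mountPath: /etc/ssl/extra-certs
+readOnly: true
+extraVolumes:
+- name: extra-certs
+configMap:
+name: instana-self-signed-ca
+extraEnv:
+- name: SSL_CERT_DIR
+value: /etc/ssl/extra-certs:/etc/ssl/certs
+asserts:
+- matchSnapshot: {}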
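Review bot: Both new cases assert only `matchSnapshot`, so the value of `STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY` is pinned nowhere except in a snapshot file that is regenerated wholesale; a change that flipped the rendered default to "true" would pass as soon as the snapshot is refreshed. An explicit assertion on the env entry in the insecureSkipVerify case, plus a matching one expecting "false" in a case that sets nothing, would make the secure default a reviewed expectation instead of generated output. The same goes for `readOnly: true` on the certificate mount in the second case. The sketch below uses helm-unittest's `contains` assertion, and its indentation is assumed because the rendered page has lost the file's own.

```yaml
  - it: manifest should match snapshot with insecureSkipVerify enabled
    # … unchanged: set instana.insecureSkipVerify: true …
    asserts:
      - matchSnapshot: {}
      - contains:
          path: spec.template.spec.containers[0].env
          content:
            name: STEADYBIT_EXTENSION_INSECURE_SKIP_VERIFY
            value: "true"
```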
