Helm chart now allows to enable TLS and basic auth

Signed-off-by: Vadym Fedorov <[email protected]>
NVIDIA · Mar 27, 2024 · 97cd710 · 97cd710
1 parent 31195d5
commit 97cd710
Show file tree

Hide file tree

Showing 16 changed files with 833 additions and 239 deletions.
diff --git a/.vscode/launch.json b/.vscode/launch.json
@@ -15,7 +15,7 @@
             "-kubeconfig","~/.kube/config",
             "-chart","./../../deployment/",
             "-image-repository","nvidia/dcgm-exporter",
-            "-arguments","{-f=/etc/dcgm-exporter/default-counters.csv,--enable-dcgm-log=true,--dcgm-log-level=ERROR}"],
+            "-arguments","{-f=/etc/dcgm-exporter/default-counters.csv}"],
             "env": {},
             "buildFlags": "-tags=e2e"
         },

diff --git a/deployment/templates/_helpers.tpl b/deployment/templates/_helpers.tpl
@@ -73,3 +73,23 @@ Create the name of the service account to use
     {{ default "default" .Values.serviceAccount.name }}
 {{- end -}}
 {{- end -}}
+
+
+{{/*
+Create the name of the tls secret to use
+*/}}
+{{- define "dcgm-exporter.tlsCertsSecretName" -}}
+{{- if .Values.tlsServerConfig.existingSecret -}}
+    {{- printf "%s" (tpl .Values.tlsServerConfig.existingSecret $) -}}
+{{- else -}}
+    {{ printf "%s-tls" (include "dcgm-exporter.fullname" .) }}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Create the name of the web-config configmap name to use
+*/}}
+{{- define "dcgm-exporter.webConfigConfigMap" -}}
+  {{ printf "%s-web-config.yml" (include "dcgm-exporter.fullname" .) }}
+{{- end -}}
diff --git a/deployment/templates/daemonset.yaml b/deployment/templates/daemonset.yaml
@@ -78,6 +78,18 @@ spec:
       - name: "pod-gpu-resources"
         hostPath:
           path: {{ .Values.kubeletPath }}
+    {{- if and .Values.tlsServerConfig.enabled }}
+      - name: "tls"
+        secret:
+          secretName: {{ include "dcgm-exporter.tlsCertsSecretName" . }}
+          defaultMode: 0664
+    {{- end }}
+    {{- if or .Values.tlsServerConfig.enabled $.Values.basicAuth.users}}
+      - name: "web-config-yaml"
+        configMap:
+          name: {{ include "dcgm-exporter.webConfigConfigMap" . }}
+          defaultMode: 0664
+    {{- end }}    
       {{- range .Values.extraHostVolumes }}
       - name: {{ .name | quote }}
         hostPath:
@@ -109,6 +121,10 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: spec.nodeName
+        {{- if or .Values.tlsServerConfig.enabled $.Values.basicAuth.users}}
+        - name: "DCGM_EXPORTER_WEB_CONFIG_FILE"
+          value: /etc/dcgm-exporter/web-config.yaml
+        {{- end }}
         {{- if .Values.extraEnv }}
         {{- toYaml .Values.extraEnv | nindent 8 }}
         {{- end }}
@@ -119,19 +135,40 @@ spec:
         - name: "pod-gpu-resources"
           readOnly: true
           mountPath: "/var/lib/kubelet/pod-resources"
+        {{- if and .Values.tlsServerConfig.enabled }}
+        - name: "tls"
+          mountPath: /etc/dcgm-exporter/tls
+        {{- end }}
+        {{- if or .Values.tlsServerConfig.enabled $.Values.basicAuth.users}}
+        - name: "web-config-yaml"
+          mountPath: /etc/dcgm-exporter/web-config.yaml
+          subPath: web-config.yaml
+        {{- end }}
         {{- if .Values.extraVolumeMounts }}
         {{- toYaml .Values.extraVolumeMounts | nindent 8 }}
         {{- end }}
         livenessProbe:
+          {{- if not $.Values.basicAuth.users }}
           httpGet:
             path: /health
             port: {{ .Values.service.port }}
+            scheme: {{ ternary "HTTPS" "HTTP" $.Values.tlsServerConfig.enabled }}
+          {{- else }}
+          tcpSocket:
+              port: {{ .Values.service.port }}
+          {{- end }}
           initialDelaySeconds: 45
           periodSeconds: 5
         readinessProbe:
+          {{- if not $.Values.basicAuth.users }}
           httpGet:
             path: /health
             port: {{ .Values.service.port }}
+            scheme: {{ ternary "HTTPS" "HTTP" $.Values.tlsServerConfig.enabled }}
+          {{- else }}
+          tcpSocket:
+              port: {{ .Values.service.port }}
+          {{- end }}
           initialDelaySeconds: 45
         {{- if .Values.resources }}
         resources:

diff --git a/deployment/templates/tls-secret.yaml b/deployment/templates/tls-secret.yaml
@@ -0,0 +1,43 @@
+# Copyright (c) 2024, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+{{- if and .Values.tlsServerConfig.enabled (not .Values.tlsServerConfig.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ (include "dcgm-exporter.tlsCertsSecretName" .) }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    app.kubernetes.io/component: "dcgm-exporter"
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+type: Opaque
+data:
+  {{- if .Values.tlsServerConfig.autoGenerated }}
+  {{- $ca := genCA "dcgm-exporter-ca" 365 }}
+  {{- $hostname := printf "%s" (include "dcgm-exporter.fullname" .) }}
+  {{- $cert := genSignedCert $hostname nil (list $hostname) 365 $ca }}
+  {{ .Values.tlsServerConfig.certFilename }}: {{ $cert.Cert | b64enc | quote }}
+  {{ .Values.tlsServerConfig.keyFilename }}: {{ $cert.Key | b64enc | quote }}
+  {{- if .Values.tlsServerConfig.clientAuthType }}
+  {{ .Values.tlsServerConfig.caFilename }}: {{ $ca.Cert | b64enc | quote }}
+  {{- end }}
+  {{- else }}
+  {{ .Values.tlsServerConfig.certFilename }}: {{ required "'tlsServerConfig.cert' is required when 'tlsServerConfig.enabled=true'" .Values.tlsServerConfig.cert | b64enc | quote }}
+  {{ .Values.tlsServerConfig.keyFilename }}: {{ required "'tlsServerConfig.key' is required when 'tlsServerConfig.enabled=true'" .Values.tlsServerConfig.key | b64enc | quote }}
+  {{- if .Values.tlsServerConfig.clientAuthType }}
+  {{ .Values.tlsServerConfig.caFilename }}: {{ required "'tlsServerConfig.ca' is required when 'tlsServerConfig.clientAuthType' is provided" .Values.tlsServerConfig.ca | b64enc | quote }}
+  {{- end }}
+  {{- end }}
+{{- end }}
diff --git a/deployment/templates/web-config-configmap.yaml b/deployment/templates/web-config-configmap.yaml
@@ -0,0 +1,40 @@
+# Copyright (c) 2024, NVIDIA CORPORATION.  All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+{{- if or .Values.tlsServerConfig.enabled .Values.basicAuth.users }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "dcgm-exporter.webConfigConfigMap" . }}
+  namespace: {{ include "dcgm-exporter.namespace" . }}
+  labels:
+    app.kubernetes.io/component: "dcgm-exporter"
+    {{- include "dcgm-exporter.labels" . | nindent 4 }}
+data:
+  web-config.yaml: |
+{{- if .Values.tlsServerConfig.enabled }}
+    tls_server_config:
+       cert_file: {{ required "'tlsServerConfig.certFilename' is required when 'tlsServerConfig.enabled=true'" .Values.tlsServerConfig.certFilename | printf "/etc/dcgm-exporter/tls/%s" | quote }}
+       key_file: {{ required "'tlsServerConfig.keyFilename' is required when 'tlsServerConfig.enabled=true'" .Values.tlsServerConfig.keyFilename | printf "/etc/dcgm-exporter/tls/%s" | quote }}
+       {{- if .Values.tlsServerConfig.clientAuthType }}
+       client_auth_type: {{ .Values.tlsServerConfig.clientAuthType }}
+       client_ca_file: {{ required "'tlsServerConfig.caFilename' is required when 'tlsServerConfig.clientAuthType' is provided" .Values.tlsServerConfig.caFilename | printf "/etc/dcgm-exporter/tls/%s" | quote }}
+       {{- end }}
+{{- end }}
+{{- if .Values.basicAuth.users }}
+    basic_auth_users:
+      {{- range $user, $password := .Values.basicAuth.users }}
+      {{ $user }}: {{ (split ":" (htpasswd $user $password))._1 }}
+      {{- end }}
+{{- end }}
+{{- end }}
diff --git a/deployment/values.yaml b/deployment/values.yaml
@@ -154,3 +154,35 @@ extraEnv: []
 
 # Path to the kubelet socket for /pod-resources
 kubeletPath: "/var/lib/kubelet/pod-resources"
+
+# HTTPS configuration
+tlsServerConfig:
+  # Enable or disable HTTPS configuration
+  enabled: false
+  # Use autogenerated self-signed TLS certificates
+  autoGenerated: true
+  # Existing secret containing your own server key and certificate
+  existingSecret: ""
+  # Certificate file name
+  certFilename: "tls.crt"
+  # Key file name
+  keyFilename: "tls.key"
+  # CA certificate file name
+  caFilename: "ca.crt"
+  # Server policy for client authentication. Maps to ClientAuth Policies.
+  # For more detail on clientAuth options:
+  # https://golang.org/pkg/crypto/tls/#ClientAuthType
+  #
+  # NOTE: If you want to enable client authentication, you need to use
+  # RequireAndVerifyClientCert. Other values are insecure.
+  clientAuthType: ""
+  # TLS Key for HTTPS - ignored if existingSecret is provided
+  key: ""
+  # TLS Certificate for HTTPS - ignored if existingSecret is provided
+  cert: ""
+  # CA Certificate for HTTPS - ignored if existingSecret is provided
+  ca: ""
+
+basicAuth:
+  #Object containing <user>:<passwords> key-value pairs for each user that will have access via basic authentication
+  users: {}
diff --git a/pkg/cmd/app.go b/pkg/cmd/app.go
@@ -183,7 +183,7 @@ func NewApp(buildVersion ...string) *cli.App {
 		&cli.StringFlag{
 			Name:    CLIWebConfigFile,
 			Value:   "",
-			Usage:   "TLS config file following webConfig spec.",
+			Usage:   "Web configuration file following webConfig spec: https://github.com/prometheus/exporter-toolkit/blob/master/docs/web-configuration.md.",
 			EnvVars: []string{"DCGM_EXPORTER_WEB_CONFIG_FILE"},
 		},
 		&cli.IntFlag{

diff --git a/tests/e2e/Makefile b/tests/e2e/Makefile
@@ -45,5 +45,23 @@ e2e-test-no-profiling:
 	@$(TEST_CMD) \
 		-arguments="{-f=/etc/dcgm-exporter/default-counters.csv}"
 
+.PHONY: e2e-basic-auth
+e2e-basic-auth:
+	@$(TEST_CMD) \
+		-arguments="{-f=/etc/dcgm-exporter/default-counters.csv}" \
+		--ginkgo.label-filter=basicAuth
+
+.PHONY: e2e-tls
+e2e-tls:
+	@$(TEST_CMD) \
+		-arguments="{-f=/etc/dcgm-exporter/default-counters.csv}" \
+		--ginkgo.label-filter=tls
+
+.PHONY: e2e-default
+e2e-default:
+	@$(TEST_CMD) \
+		-arguments="{-f=/etc/dcgm-exporter/default-counters.csv}" \
+		--ginkgo.label-filter=default
+
 binary:
-	go test -c --tags="e2e" .
+	go test -c --tags="e2e" .