wireapp
diff --git a/‎CHANGELOG.md‎
Lines changed: 4 additions & 3 deletions b/‎CHANGELOG.md‎
Lines changed: 4 additions & 3 deletions
diff --git a/‎Makefile‎
Lines changed: 4 additions & 0 deletions b/‎Makefile‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎charts/federator/templates/ca.yaml‎
Lines changed: 15 additions & 0 deletions b/‎charts/federator/templates/ca.yaml‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎charts/federator/templates/configmap-ca.yaml‎
Lines changed: 0 additions & 14 deletions b/‎charts/federator/templates/configmap-ca.yaml‎
Lines changed: 0 additions & 14 deletions
diff --git a/‎charts/federator/templates/configmap.yaml‎
Lines changed: 3 additions & 1 deletion b/‎charts/federator/templates/configmap.yaml‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎charts/federator/templates/deployment.yaml‎
Lines changed: 23 additions & 5 deletions b/‎charts/federator/templates/deployment.yaml‎
Lines changed: 23 additions & 5 deletions
diff --git a/‎charts/federator/templates/secret.yaml‎
Lines changed: 19 additions & 0 deletions b/‎charts/federator/templates/secret.yaml‎
Lines changed: 19 additions & 0 deletions
diff --git a/‎charts/federator/templates/tests/federator-integration.yaml‎
Lines changed: 8 additions & 2 deletions b/‎charts/federator/templates/tests/federator-integration.yaml‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎charts/federator/values.yaml‎
Lines changed: 8 additions & 0 deletions b/‎charts/federator/values.yaml‎
Lines changed: 8 additions & 0 deletions
diff --git a/‎charts/nginx-ingress-services/templates/ca_federator.yaml‎
Lines changed: 19 additions & 0 deletions b/‎charts/nginx-ingress-services/templates/ca_federator.yaml‎
Lines changed: 19 additions & 0 deletions
@@ -22,7 +22,7 @@
 
 # [unreleased]
 
-[please put all changes that only affect federation into this section to unclutter the rest of the release notes.]
+[please put all changes that only affect federation into the "Federation changes" section to unclutter the rest of the release notes.]
 [if something is both an API change and a feature, please mention it twice (you can abbreviate the second mention and add "see above").]
 
 ## Release Notes
@@ -37,6 +37,9 @@
 
 ## Internal changes
 
+## Federation changes
+
+* Added client certificate support for server to server authentication (#1682)
 
 # [2021-08-16]
 
@@ -72,7 +75,6 @@ This is a routine release requiring only the routine upgrade steps.
 * Added a mechanism to derive `AsUnion` instances automatically (#1693)
 * Integration test coverage (#1696, #1704)
 
-
 # [2021-08-02]
 
 ## Release Notes
@@ -124,7 +126,6 @@ Upgrade nginz (#1658)
 * Renamed `DomainHeader` type to `OriginDomainHeader` (#1689)
 * Added golden tests for protobuf serialisation / deserialisation (#1644).
 
-
 # [2021-07-09]
 
 ## Release Notes
 
@@ -334,6 +334,10 @@ chart-%:
 .PHONY: charts-integration
 charts-integration: $(foreach chartName,$(CHARTS_INTEGRATION),chart-$(chartName))
 
+.PHONY: charts-serve
+charts-serve: charts-integration
+	./hack/bin/serve-charts.sh $(CHARTS_INTEGRATION)
+
 # Usecase for this make target:
 # 1. for releases of helm charts
 # 2. for testing helm charts more generally
 
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "federator-ca"
+  labels:
+    wireService: federator
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+data:
+{{- if .Values.remoteCAContents }}
+  ca.crt: {{ .Values.remoteCAContents | quote }}
+{{- else }}
+  {}
+{{- end }}
@@ -43,8 +43,10 @@ data:
       # Filepath to one or more PEM-encoded server certificates to use as a trust
       # store when making grpc requests to remote backends
       {{- if $.Values.remoteCAContents }}
-      remoteCAStore: "/etc/wire/federator/ca/remote-ca.pem"
+      remoteCAStore: "/etc/wire/federator/ca/ca.crt"
       {{- end }}
+      clientCertificate: "/etc/wire/federator/secrets/tls.crt"
+      clientPrivateKey: "/etc/wire/federator/secrets/tls.key"
       useSystemCAStore: {{ .useSystemCAStore }}
       federationStrategy:
         {{- if .federationStrategy.allowAll }}
 
@@ -25,25 +25,43 @@ spec:
       annotations:
         # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade`
         checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
-        checksum/configmap-ca: {{ include (print .Template.BasePath "/configmap-ca.yaml") . | sha256sum }}
+        {{- if not .Values.tls.shareFederatorSecret }}
+        checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
+        {{- end }}
         fluentbit.io/parser: json
     spec:
       volumes:
         - name: "federator-config"
           configMap:
             name: "federator"
-        # federator-ca holds CA certificates to use as a trust store
-        # when making requests to remote backends
-        - name: "federator-ca"
+
+        # federator-secrets contains the client certificate and the
+        # corresponding private key to use when making requests to remote
+        # backends.
+        # NOTE: if tls.useSharedFederatorSecret is set, we use the same secret
+        # as the one for the federator ingress
+        - name: "federator-secrets"
           secret:
-            secretName: "federator-ca"
+            secretName: {{ if .Values.tls.useSharedFederatorSecret -}}
+              "federator-certificate-secret"
+              {{- else if .Values.clientCertificateContents -}}
+              "federator-secret"
+              {{- else }}
+              {{ fail "must set .Values.tls.useSharedFederatorSecret to true or specify .Values.clientCertificateContents" }}
+              {{- end }}
+
+        - name: "federator-ca"
+          configMap:
+            name: "federator-ca"
       containers:
         - name: federator
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ default "" .Values.imagePullPolicy | quote }}
           volumeMounts:
             - name: "federator-config"
               mountPath: "/etc/wire/federator/conf"
+            - name: "federator-secrets"
+              mountPath: "/etc/wire/federator/secrets"
             - name: "federator-ca"
               mountPath: "/etc/wire/federator/ca"
           ports:
 
@@ -0,0 +1,19 @@
+{{- if not .Values.tls.useSharedFederatorSecret -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: "federator-secret"
+  labels:
+    wireService: federator
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: {{ .Release.Name }}
+    heritage: {{ .Release.Service }}
+type: kubernetes.io/tls
+data:
+  {{- if .Values.clientPrivateKeyContents }}
+  tls.key: {{ .Values.clientPrivateKeyContents | b64enc | quote }}
+  {{- end -}}
+  {{- if .Values.clientCertificateContents }}
+  tls.crt: {{ .Values.clientCertificateContents | b64enc | quote }}
+  {{- end -}}
+{{- end -}}
@@ -13,10 +13,14 @@ spec:
     - name: "federator-config"
       configMap:
         name: "federator"
+    # integration tests need access to the client certificate private key
+    - name: "federator-secrets"
+      secret:
+        secretName: "federator-secret"
     # integration tests need access to the CA
     - name: "federator-ca"
-      secret:
-        secretName: "federator-ca"
+      configMap:
+        name: "federator-ca"
   containers:
   - name: integration
     command: ["federator-integration"]
@@ -26,6 +30,8 @@ spec:
       mountPath: "/etc/wire/integration"
     - name: "federator-config"
       mountPath: "/etc/wire/federator/conf"
+    - name: "federator-secrets"
+      mountPath: "/etc/wire/federator/secrets"
     - name: "federator-ca"
       mountPath: "/etc/wire/federator/ca"
   restartPolicy: Never
@@ -8,6 +8,11 @@ service:
   internalFederatorPort: 8080
   externalFederatorPort: 8081
 
+tls:
+  # if enabled, federator will get its client certificate and private key from
+  # the secret used by the federator ingress
+  useSharedFederatorSecret: false
+
 resources:
   # FUTUREWORK: come up with numbers which didn't appear out of thin air
   requests:
@@ -30,6 +35,9 @@ config:
     #
     # Using custom CA doesn't automatically disable system CA store, it should
     # be disabled explicitly by setting useSystemCAStore to false.
+    #
+    # A client certificate and corresponding private key can be specified
+    # similarly to a custom CA store.
     useSystemCAStore: true
     federationStrategy:
       allowedDomains: []
@@ -0,0 +1,19 @@
+{{- /* This is the CA used by the federator ingress to verify client
+certificates. This does not need to be a secret in principle, but the ingress
+controller requires it to be. Also, this could in principle be bundled with the
+corresponding certificate (in secret_federator.yaml), but it is a separate
+secret because cert-manager interferes with the ca.crt field when setting the
+certificate in a secret. */ -}}
+
+{{- if .Values.federator.enabled -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: federator-ca-secret
+  labels:
+    chart: "{{ .Chart.Name }}-{{ .Chart.Version }}"
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+data:
+  ca.crt: {{ .Values.secrets.tlsClientCA | b64enc | quote }}
+{{- end -}}