litmuschaos · Saranya-jena · Jul 10, 2024 · Jul 10, 2024 · Jul 10, 2024 · Jul 10, 2024
diff --git a/chaoscenter/authentication/api/main.go b/chaoscenter/authentication/api/main.go
@@ -197,17 +197,17 @@ func runRestServer(applicationService services.ApplicationService) {
 	routes.UserRouter(app, applicationService)
 	routes.ProjectRouter(app, applicationService)
 
-	log.Infof("Listening and serving HTTP on %s", utils.Port)
+	log.Infof("Listening and serving HTTP on %s", utils.RestPort)
 
 	if utils.EnableInternalTls {
 		if utils.TlsCertPath != "" && utils.TlSKeyPath != "" {
 			conf := utils.GetTlsConfig()
 			server := http.Server{
-				Addr:      utils.PortHttps,
+				Addr:      utils.RestPort,
 				Handler:   app,
 				TLSConfig: conf,
 			}
-			log.Infof("Listening and serving HTTPS on %s", utils.PortHttps)
+			log.Infof("Listening and serving HTTPS on %s", utils.RestPort)
 			err := server.ListenAndServeTLS("", "")
 			if err != nil {
 				log.Fatalf("Failure to start litmus-portal authentication REST server due to %v", err)
@@ -216,8 +216,8 @@ func runRestServer(applicationService services.ApplicationService) {
 			log.Fatalf("Failure to start chaoscenter authentication REST server due to empty TLS cert file path and TLS key path")
 		}
 	} else {
-		log.Infof("Listening and serving HTTP on %s", utils.Port)
-		err := app.Run(utils.Port)
+		log.Infof("Listening and serving HTTP on %s", utils.RestPort)
+		err := app.Run(utils.RestPort)
 		if err != nil {
 			log.Fatalf("Failure to start litmus-portal authentication REST server due to %v", err)
 		}
@@ -244,7 +244,7 @@ func runGrpcServer(applicationService services.ApplicationService) {
 func runGrpcServerWithTLS(applicationService services.ApplicationService) {
 
 	// Starting gRPC server
-	lis, err := net.Listen("tcp", utils.GrpcPortHttps)
+	lis, err := net.Listen("tcp", utils.GrpcPort)
 	if err != nil {
 		log.Fatalf("Failure to start litmus-portal authentication server due to %s", err)
 	}

diff --git a/chaoscenter/authentication/pkg/utils/configs.go b/chaoscenter/authentication/pkg/utils/configs.go
@@ -27,11 +27,9 @@ var (
 	TlsCertPath                  = os.Getenv("TLS_CERT_PATH")
 	TlSKeyPath                   = os.Getenv("TLS_KEY_PATH")
 	CaCertPath                   = os.Getenv("CA_CERT_TLS_PATH")
+	RestPort                     = os.Getenv("REST_PORT")
+	GrpcPort                     = os.Getenv("GRPC_PORT")
 	DBName                       = "auth"
-	Port                         = ":3000"
-	PortHttps                    = ":3001"
-	GrpcPort                     = ":3030"
-	GrpcPortHttps                = ":3031"
 	UserCollection               = "users"
 	ProjectCollection            = "project"
 	AuthConfigCollection         = "auth-config"

diff --git a/chaoscenter/graphql/server/pkg/grpc/auth_grpc_client.go b/chaoscenter/graphql/server/pkg/grpc/auth_grpc_client.go
@@ -30,7 +30,7 @@ func GetAuthGRPCSvcClient(conn *grpc.ClientConn) (protos.AuthRpcServiceClient, *
 			tlsCredential := credentials.NewTLS(conf)
 
 			// Set up a connection to the server.
-			conn, err = grpc.NewClient(utils.Config.LitmusAuthGrpcEndpoint+utils.Config.LitmusAuthGrpcPortHttps, grpc.WithTransportCredentials(tlsCredential))
+			conn, err = grpc.NewClient(utils.Config.LitmusAuthGrpcEndpoint+utils.Config.LitmusAuthGrpcPort, grpc.WithTransportCredentials(tlsCredential))
 			if err != nil {
 				logrus.Fatalf("did not connect: %v", err)
 			}

diff --git a/chaoscenter/graphql/server/server.go b/chaoscenter/graphql/server/server.go
@@ -116,7 +116,7 @@ func main() {
 			log.Fatalf("Failure to start chaoscenter authentication REST server due to empty TLS cert file path and TLS key path")
 		}
 	} else {
-		go startGRPCServer(utils.Config.RpcPort, mongodbOperator) // start GRPC serve
+		go startGRPCServer(utils.Config.GrpcPort, mongodbOperator) // start GRPC serve
 	}
 
 	srv := handler.New(generated.NewExecutableSchema(graph.NewConfig(mongodbOperator)))
@@ -171,12 +171,12 @@ func main() {
 
 	if enableHTTPSConnection {
 		if utils.Config.TlsCertPath != "" && utils.Config.TlsKeyPath != "" {
-			log.Infof("graphql server running at https://localhost:%s", utils.Config.HttpsPort)
+			log.Infof("graphql server running at https://localhost:%s", utils.Config.RestPort)
 			// configuring TLS config based on provided certificates & keys
 			conf := utils.GetTlsConfig(utils.Config.TlsCertPath, utils.Config.TlsKeyPath, true)
 
 			server := http.Server{
-				Addr:      ":" + utils.Config.HttpsPort,
+				Addr:      ":" + utils.Config.RestPort,
 				Handler:   router,
 				TLSConfig: conf,
 			}
@@ -188,8 +188,8 @@ func main() {
 			log.Fatalf("Failure to start chaoscenter authentication GRPC server due to empty TLS cert file path and TLS key path")
 		}
 	} else {
-		log.Infof("graphql server running at http://localhost:%s", utils.Config.HttpPort)
-		log.Fatal(http.ListenAndServe(":"+utils.Config.HttpPort, router))
+		log.Infof("graphql server running at http://localhost:%s", utils.Config.RestPort)
+		log.Fatal(http.ListenAndServe(":"+utils.Config.RestPort, router))
 	}
 
 }
@@ -214,7 +214,7 @@ func startGRPCServer(port string, mongodbOperator mongodb.MongoOperator) {
 // startGRPCServerWithTLS initializes, registers services to and starts the gRPC server for RPC calls
 func startGRPCServerWithTLS(mongodbOperator mongodb.MongoOperator) {
 
-	lis, err := net.Listen("tcp", ":"+utils.Config.RpcPortHttps)
+	lis, err := net.Listen("tcp", ":"+utils.Config.GrpcPort)
 	if err != nil {
 		log.Fatal("failed to listen: %w", err)
 	}

diff --git a/chaoscenter/graphql/server/utils/variables.go b/chaoscenter/graphql/server/utils/variables.go
@@ -23,14 +23,11 @@ type Configuration struct {
 	TlsCertB64                  string   `split_words:"true"`
 	LitmusAuthGrpcEndpoint      string   `split_words:"true" default:"localhost"`
 	LitmusAuthGrpcPort          string   `split_words:"true" default:":3030"`
-	LitmusAuthGrpcPortHttps     string   `split_words:"true" default:":3031"`
 	KubeConfigFilePath          string   `split_words:"true"`
 	RemoteHubMaxSize            string   `split_words:"true"`
 	SkipSslVerify               string   `split_words:"true"`
-	HttpPort                    string   `split_words:"true" default:"8080"`
-	HttpsPort                   string   `split_words:"true" default:"8081"`
-	RpcPort                     string   `split_words:"true" default:"8000"`
-	RpcPortHttps                string   `split_words:"true" default:"8001"`
+	RestPort                    string   `split_words:"true" default:"8080"`
+	GrpcPort                    string   `split_words:"true" default:"8000"`
 	InfraCompatibleVersions     string   `required:"true" split_words:"true"`
 	DefaultHubGitURL            string   `required:"true" default:"https://github.com/litmuschaos/chaos-charts"`
 	DefaultHubBranchName        string   `required:"true" split_words:"true"`

diff --git a/chaoscenter/manifests/litmus-getting-started.yaml b/chaoscenter/manifests/litmus-getting-started.yaml
@@ -253,6 +253,10 @@ spec:
               value: ""
             - name: CA_CERT_TLS_PATH
               value: ""
+            - name: REST_PORT
+              value: 8080
+            - name: GRPC_PORT
+              value: 8000
           ports:
             - containerPort: 8080
             - containerPort: 8000
@@ -353,6 +357,10 @@ spec:
               value: ""
             - name: CA_CERT_TLS_PATH
               value: ""
+            - name: REST_PORT
+              value: 3000
+            - name: GRPC_PORT
+              value: 3030
           ports:
             - containerPort: 3000
             - containerPort: 3030

diff --git a/chaoscenter/manifests/litmus-installation.yaml b/chaoscenter/manifests/litmus-installation.yaml
@@ -279,6 +279,10 @@ spec:
               value: "/etc/tls/tls.key"
             - name: CA_CERT_TLS_PATH
               value: "/etc/tls/ca.crt"
+            - name: REST_PORT
+              value: 8081
+            - name: GRPC_PORT
+              value: 8001
           ports:
             - containerPort: 8081
             - containerPort: 8001
@@ -386,6 +390,10 @@ spec:
               value: "/etc/tls/ctls.key"
             - name: CA_CERT_TLS_PATH
               value: "/etc/tls/ca.crt"
+            - name: REST_PORT
+              value: 3001
+            - name: GRPC_PORT
+              value: 3031
           ports:
             - containerPort: 3001
             - containerPort: 3031

diff --git a/chaoscenter/manifests/litmus-without-resources.yaml b/chaoscenter/manifests/litmus-without-resources.yaml
@@ -16,6 +16,13 @@ data:
   DB_SERVER: mongodb://my-release-mongodb-0.my-release-mongodb-headless:27017,my-release-mongodb-1.my-release-mongodb-headless:27017,my-release-mongodb-2.my-release-mongodb-headless:27017/admin
   VERSION: "ci"
   SKIP_SSL_VERIFY: "false"
+    # Configurations if you are using dex for OAuth
+  DEX_ENABLED: "false"
+  OIDC_ISSUER: "http://<Your Domain>:32000"
+  DEX_OAUTH_CALLBACK_URL: "http://<litmus-portal frontend exposed URL>:8080/auth/dex/callback"
+  DEX_OAUTH_CLIENT_ID: "LitmusPortalAuthBackend"
+  DEX_OAUTH_CLIENT_SECRET: "ZXhhbXBsZS1hcHAtc2VjcmV0"
+  OAuthJwtSecret: "litmus-oauth@123"
 ---
 apiVersion: v1
 kind: ConfigMap
@@ -57,7 +64,15 @@ data:
         error_log /var/log/nginx/error.log;
 
         server {
-            listen 8185 default_server;
+            listen 8185 ssl;
+            ssl_certificate /etc/tls/tls.crt;
+            ssl_certificate_key /etc/tls/tls.key;
+            ssl_protocols TLSv1.2 TLSv1.3;
+            ssl_client_certificate /etc/tls/ca.crt;
+            ssl_ciphers HIGH:!aNULL:!MD5;
+            ssl_prefer_server_ciphers on;
+            ssl_session_cache shared:SSL:10m;
+
             root   /opt/chaos;
 
             location /health {
@@ -79,23 +94,31 @@ data:
             }
 
             location /auth/ {
+                proxy_ssl_verify        off;
+                proxy_ssl_session_reuse on;
                 proxy_http_version 1.1;
                 proxy_set_header   Host                 $host;
                 proxy_set_header   X-Real-IP            $remote_addr;
                 proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
                 proxy_set_header   X-Forwarded-Proto    $scheme;
-                proxy_pass "http://litmusportal-auth-server-service:9003/";
+                proxy_pass "https://litmusportal-auth-server-service:9005/";
+                proxy_ssl_certificate /etc/tls/tls.crt;
+                proxy_ssl_certificate_key /etc/tls/tls.key;
             }
 
             location /api/ {
+                proxy_ssl_verify        off;
+                proxy_ssl_session_reuse on;
                 proxy_http_version 1.1;
                 proxy_set_header   Upgrade              $http_upgrade;
                 proxy_set_header   Connection           $connection_upgrade;
                 proxy_set_header   Host                 $host;
                 proxy_set_header   X-Real-IP            $remote_addr;
                 proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
                 proxy_set_header   X-Forwarded-Proto    $scheme;
-                proxy_pass "http://litmusportal-server-service:9002/";
+                proxy_pass "https://litmusportal-server-service:9004/";
+                proxy_ssl_certificate /etc/tls/tls.crt;
+                proxy_ssl_certificate_key /etc/tls/tls.key;
             }
         }
     }
@@ -131,10 +154,15 @@ spec:
             - name: nginx-config
               mountPath: /etc/nginx/nginx.conf
               subPath: nginx.conf
+            - mountPath: /etc/tls
+              name: tls-secret
       volumes:
         - name: nginx-config
           configMap:
             name: litmusportal-frontend-nginx-configuration
+        - name: tls-secret
+          secret:
+            secretName: tls-secret
 ---
 apiVersion: v1
 kind: Service
@@ -171,6 +199,9 @@ spec:
           emptyDir: {}
         - name: hub-storage
           emptyDir: {}
+        - name: tls-secret
+          secret:
+            secretName: tls-secret
       containers:
         - name: graphql-server
           image: litmuschaos/litmusportal-server:ci
@@ -179,6 +210,8 @@ spec:
               name: gitops-storage
             - mountPath: /tmp/version
               name: hub-storage
+            - mountPath: /etc/tls
+              name: tls-secret
           securityContext:
             runAsUser: 2000
             allowPrivilegeEscalation: false
@@ -228,18 +261,20 @@ spec:
             - name: INFRA_COMPATIBLE_VERSIONS
               value: '["ci"]'
             - name: ALLOWED_ORIGINS
-              value: ".*" 
+              value: ".*" #eg: ^(http://|https://|)litmuschaos.io(:[0-9]+|)?,^(http://|https://|)litmusportal-server-service(:[0-9]+|)?
             - name: ENABLE_INTERNAL_TLS
-              value: "false"
+              value: "true"
             - name: TLS_CERT_PATH
-              value: ""
+              value: "/etc/tls/tls.crt"
             - name: TLS_KEY_PATH
-              value: ""
+              value: "/etc/tls/tls.key"
             - name: CA_CERT_TLS_PATH
-              value: ""
+              value: "/etc/tls/ca.crt"
+            - name: REST_PORT
+              value: 8081
+            - name: GRPC_PORT
+              value: 8001
           ports:
-            - containerPort: 8080
-            - containerPort: 8000
             - containerPort: 8081
             - containerPort: 8001
           imagePullPolicy: Always
@@ -270,12 +305,6 @@ metadata:
 spec:
   type: NodePort
   ports:
-    - name: graphql-server
-      port: 9002
-      targetPort: 8080
-    - name: graphql-rpc-server
-      port: 8000
-      targetPort: 8000
     - name: graphql-server-https
       port: 9004
       targetPort: 8081
@@ -301,9 +330,16 @@ spec:
       labels:
         component: litmusportal-auth-server
     spec:
+      volumes:
+        - name: tls-secret
+          secret:
+            secretName: tls-secret
       automountServiceAccountToken: false
       containers:
         - name: auth-server
+          volumeMounts:
+            - mountPath: /etc/tls
+              name: tls-secret
           image: litmuschaos/litmusportal-auth-server:ci
           securityContext:
             runAsUser: 2000
@@ -327,18 +363,20 @@ spec:
             - name: LITMUS_GQL_GRPC_PORT
               value: ":8000"
             - name: ALLOWED_ORIGINS
-              value: ".*"
+              value: "^(http://|https://|)litmuschaos.io(:[0-9]+|)?,^(http://|https://|)litmusportal-server-service(:[0-9]+|)?" #ip needs to added here
             - name: ENABLE_INTERNAL_TLS
-              value: "false"
+              value: "true"
             - name: TLS_CERT_PATH
-              value: ""
+              value: "/etc/tls/tls.crt"
             - name: TLS_KEY_PATH
-              value: ""
+              value: "/etc/tls/ctls.key"
             - name: CA_CERT_TLS_PATH
-              value: ""
+              value: "/etc/tls/ca.crt"
+            - name: REST_PORT
+              value: 3001
+            - name: GRPC_PORT
+              value: 3031
           ports:
-            - containerPort: 3000
-            - containerPort: 3030
             - containerPort: 3001
             - containerPort: 3031
           imagePullPolicy: Always
@@ -373,12 +411,6 @@ metadata:
 spec:
   type: NodePort
   ports:
-    - name: auth-server
-      port: 9003
-      targetPort: 3000
-    - name: auth-rpc-server
-      port: 3030
-      targetPort: 3030
     - name: auth-server-https
       port: 9005
       targetPort: 3001