feat: add interceptor TLS support to the add-on chart (#642)

Signed-off-by: Joe Wogan <[email protected]>
kedacore · Jun 24, 2024 · 650d761 · 650d761
1 parent 6aa6012
commit 650d761
Show file tree

Hide file tree

Showing 4 changed files with 46 additions and 0 deletions.
diff --git a/http-add-on/README.md b/http-add-on/README.md
@@ -167,6 +167,11 @@ their default values.
 | `interceptor.responseHeaderTimeout` | string | `"500ms"` | How long the interceptor will wait between forwarding a request to a backend and receiving response headers back before failing the request |
 | `interceptor.scaledObject.pollingInterval` | int | `1` | The interval (in milliseconds) that KEDA should poll the external scaler to fetch scaling metrics about the interceptor |
 | `interceptor.tcpConnectTimeout` | string | `"500ms"` | How long the interceptor waits to establish TCP connections with backends before failing a request. |
+| `interceptor.tls.cert_path` | string | `"/certs/tls.crt"` | Mount path of the certificate file to use with the interceptor proxy TLS server |
+| `interceptor.tls.cert_secret` | string | `"keda-tls-certs"` | Name of the Kubernetes secret that contains the certificates to be used with the interceptor proxy TLS server |
+| `interceptor.tls.enabled` | bool | `false` | Whether a TLS server should be started on the interceptor proxy |
+| `interceptor.tls.key_path` | string | `"/certs/tls.key"` | Mount path of the certificate key file to use with the interceptor proxy TLS server |
+| `interceptor.tls.port` | int | `8443` | Port that the interceptor proxy TLS server should be started on |
 | `interceptor.tlsHandshakeTimeout` | string | `"10s"` | The maximum amount of time the interceptor will wait for a TLS handshake. Set to zero to indicate no timeout. |
 | `interceptor.tolerations` | list | `[]` | Tolerations for pod scheduling ([docs](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/)) |
 

diff --git a/http-add-on/templates/interceptor/deployment.yaml b/http-add-on/templates/interceptor/deployment.yaml
@@ -62,11 +62,29 @@ spec:
           value: "{{ .Values.interceptor.tlsHandshakeTimeout }}"
         - name: KEDA_HTTP_EXPECT_CONTINUE_TIMEOUT
           value: "{{ .Values.interceptor.expectContinueTimeout }}"
+        {{- if .Values.interceptor.tls.enabled }}
+        - name: KEDA_HTTP_PROXY_TLS_ENABLED
+          value: "true"
+        - name: KEDA_HTTP_PROXY_TLS_CERT_PATH
+          value: {{ .Values.interceptor.tls.cert_path }}
+        - name: KEDA_HTTP_PROXY_TLS_KEY_PATH
+          value: {{ .Values.interceptor.tls.key_path }}
+        - name: KEDA_HTTP_PROXY_TLS_PORT
+          value: {{ .Values.interceptor.tls.port }}
+        {{- end }}
         ports:
         - containerPort: {{ .Values.interceptor.admin.port }}
           name: admin
         - containerPort: {{ .Values.interceptor.proxy.port }}
           name: proxy
+        {{- if .Values.interceptor.tls.enabled }}
+        - containerPort: {{ .Values.interceptor.tls.port }}
+          name: proxy-tls
+        volumeMounts:
+          - readOnly: true
+            mountPath: "/certs"
+            name: certs
+        {{- end }}
         livenessProbe:
           httpGet:
             path: /livez
@@ -85,6 +103,12 @@ spec:
         {{- toYaml .Values.securityContext | nindent 10 }}
         {{- end }}
       terminationGracePeriodSeconds: 10
+      {{- if .Values.interceptor.tls.enabled }}
+      volumes:
+        - name: certs
+          secret:
+            secretName: {{ .Values.interceptor.tls.cert_secret }}
+      {{- end }}
       nodeSelector:
         kubernetes.io/os: linux
       {{- with .Values.interceptor.nodeSelector }}

diff --git a/http-add-on/templates/interceptor/service-proxy.yaml b/http-add-on/templates/interceptor/service-proxy.yaml
@@ -11,6 +11,11 @@ spec:
   - name: proxy
     port: {{ default 9091 .Values.interceptor.proxy.port }}
     targetPort: proxy
+  {{- if .Values.interceptor.tls.enabled }}
+  - name: proxy-tls
+    port: {{ default 8443 .Values.interceptor.tls.port }}
+    targetPort: proxy-tls
+  {{- end }}
   selector:
     app.kubernetes.io/component: interceptor
     {{- include "keda-http-add-on.matchLabels" . | indent 4 }}
diff --git a/http-add-on/values.yaml b/http-add-on/values.yaml
@@ -178,6 +178,18 @@ interceptor:
     requests:
       cpu: 250m
       memory: 20Mi
+  # configuration of tls for the interceptor
+  tls:
+    # -- Whether a TLS server should be started on the interceptor proxy
+    enabled: false
+    # -- Mount path of the certificate file to use with the interceptor proxy TLS server
+    cert_path: /certs/tls.crt
+    # -- Mount path of the certificate key file to use with the interceptor proxy TLS server
+    key_path: /certs/tls.key
+    # -- Name of the Kubernetes secret that contains the certificates to be used with the interceptor proxy TLS server
+    cert_secret: keda-tls-certs
+    # -- Port that the interceptor proxy TLS server should be started on
+    port: 8443
 
 # configuration for the images to use for each component
 images: