diff --git a/charts/scalardb-cluster/README.md b/charts/scalardb-cluster/README.md
index 6cff4837..657ef460 100644
--- a/charts/scalardb-cluster/README.md
+++ b/charts/scalardb-cluster/README.md
@@ -25,6 +25,12 @@ Current chart version is `2.0.0-SNAPSHOT`
 | fullnameOverride | string | `""` | String to fully override scalardb-cluster.fullname template |
 | nameOverride | string | `""` | String to partially override scalardb-cluster.fullname template (will maintain the release name) |
 | scalardbCluster.affinity | object | `{}` | The affinity/anti-affinity feature, greatly expands the types of constraints you can express. |
+| scalardbCluster.encryption.enabled | bool | `false` | Enable encryption feature. You must enable encryption when you use the encryption feature of ScalarDB Cluster. |
+| scalardbCluster.encryption.type | string | `""` | Type of encryption. You must set the same value as "scalar.db.cluster.encryption.type" of ScalarDB Cluster. |
+| scalardbCluster.encryption.vault | object | `{"tls":{"caRootCertSecret":"","enabled":false}}` | Vault specific configurations. |
+| scalardbCluster.encryption.vault.tls | object | `{"caRootCertSecret":"","enabled":false}` | TLS configurations to access from ScalarDB Cluster to Vault by using TLS. |
+| scalardbCluster.encryption.vault.tls.caRootCertSecret | string | `""` | Name of the Secret containing the custom CA root certificate for TLS communication between ScalarDB Cluster and Vault. The certificate file will be mounted under the /encryption/vault/tls/certs/ directory in the ScalarDB Cluster pod. |
+| scalardbCluster.encryption.vault.tls.enabled | bool | `false` | Enable TLS between ScalarDB Cluster and Vault. Note that you must enable the TLS feature on the Vault side. |
 | scalardbCluster.extraVolumeMounts | list | `[]` | Defines additional volume mounts. If you want to get a heap dump of the ScalarDB Cluster node, you need to mount a volume to make the dump file persistent. |
 | scalardbCluster.extraVolumes | list | `[]` | Defines additional volumes. If you want to get a heap dump of the ScalarDB Cluster node, you need to mount a volume to make the dump file persistent. |
 | scalardbCluster.grafanaDashboard.enabled | bool | `false` | Enable grafana dashboard. |
@@ -65,12 +71,6 @@ Current chart version is `2.0.0-SNAPSHOT`
 | scalardbCluster.strategy.rollingUpdate.maxSurge | string | `"25%"` | The number of pods that can be created above the desired amount of pods during an update |
 | scalardbCluster.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | The number of pods that can be unavailable during the update process |
 | scalardbCluster.strategy.type | string | `"RollingUpdate"` | New pods are added gradually, and old pods are terminated gradually, e.g: Recreate or RollingUpdate |
-| scalardbCluster.tde.enabled | bool | `false` | Enable TDE. You must enable TDE when you use the TDE feature of ScalarDB Cluster. |
-| scalardbCluster.tde.type | string | `""` | Type of TDE. You must set the same value as "scalar.db.cluster.encryption.type" of ScalarDB Cluster. |
-| scalardbCluster.tde.vault | object | `{"tls":{"caRootCertSecret":"","enabled":false}}` | Vault specific configurations. |
-| scalardbCluster.tde.vault.tls | object | `{"caRootCertSecret":"","enabled":false}` | TLS configurations to access from ScalarDB Cluster to Vault by using TLS. |
-| scalardbCluster.tde.vault.tls.caRootCertSecret | string | `""` | Name of the Secret containing the custom CA root certificate for TLS communication between ScalarDB Cluster and Vault. The certificate file will be mounted under the /tde/vault/tls/certs/ directory in the ScalarDB Cluster pod. |
-| scalardbCluster.tde.vault.tls.enabled | bool | `false` | Enable TLS between ScalarDB Cluster and Vault. Note that you must enable the TLS feature on the Vault side. |
 | scalardbCluster.tls.caRootCertSecret | string | `""` | Name of the Secret containing the custom CA root certificate for TLS communication. |
 | scalardbCluster.tls.caRootCertSecretForServiceMonitor | string | `""` | Name of the Secret containing the CA root certificate for TLS communication on the metrics endpoint. Prometheus Operator retrieves the CA root certificate file from this secret resource. You must create this secret resource in the same namespace as Prometheus. |
 | scalardbCluster.tls.certChainSecret | string | `""` | Name of the Secret containing the certificate chain file used for TLS communication. |
diff --git a/charts/scalardb-cluster/templates/scalardb-cluster/deployment.yaml b/charts/scalardb-cluster/templates/scalardb-cluster/deployment.yaml
index 8a815718..bda34d65 100644
--- a/charts/scalardb-cluster/templates/scalardb-cluster/deployment.yaml
+++ b/charts/scalardb-cluster/templates/scalardb-cluster/deployment.yaml
@@ -52,7 +52,7 @@ spec:
 value: {{ include "scalardb-cluster.fullname" . }}-headless
 - name: SCALAR_DB_CLUSTER_LOG_LEVEL
 value: "{{ .Values.scalardbCluster.logLevel }}"
- {{- if and (.Values.scalardbCluster.tde.enabled) (eq .Values.scalardbCluster.tde.type "self") }}
+ {{- if and (.Values.scalardbCluster.encryption.enabled) (eq .Values.scalardbCluster.encryption.type "self") }}
 - name: SCALAR_DB_CLUSTER_ENCRYPTION_SELF_KUBERNETES_SECRET_NAMESPACE_NAME
 value: {{ .Release.Namespace }}
 {{- end }}
@@ -101,9 +101,9 @@ spec:
 - name: scalardb-cluster-tls-volume
 mountPath: /tls/scalardb-cluster/certs
 {{- end }}
- {{- if and (.Values.scalardbCluster.tde.enabled) (eq .Values.scalardbCluster.tde.type "vault") (.Values.scalardbCluster.tde.vault.tls.enabled) }}
- - name: scalardb-cluster-tde-vault-tls-volume
- mountPath: /tde/vault/tls/certs
+ {{- if and (.Values.scalardbCluster.encryption.enabled) (eq .Values.scalardbCluster.encryption.type "vault") (.Values.scalardbCluster.encryption.vault.tls.enabled) }}
+ - name: scalardb-cluster-encryption-vault-tls-volume
+ mountPath: /encryption/vault/tls/certs
 {{- end }}
 {{- with .Values.scalardbCluster.extraVolumeMounts }}
 {{- toYaml . | nindent 12 }}
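Review bot: Renaming `scalardbCluster.tde` to `scalardbCluster.encryption` drops the old key with no guard, so a user who upgrades with `scalardbCluster.tde.enabled: true` still in their values gets the chart default `encryption.enabled: false`: the Vault CA mount in this hunk, the self-type namespace env in the hunk above and the Secret permissions in role.yaml are all omitted, and values.schema.json does not reject the stale key, so nothing fails at install time. Whether the cluster process then fails closed or runs without the feature depends on its own properties, which are outside this diff, so the render itself should fail: `{{- if hasKey .Values.scalardbCluster "tde" }}` / `{{ fail "scalardbCluster.tde was renamed to scalardbCluster.encryption" }}` / `{{- end }}` near the top of this template. The CA mount path also moves from `/tde/vault/tls/certs` to `/encryption/vault/tls/certs`, so any ScalarDB Cluster property that points at the CA file under the old path needs the matching update, which this diff cannot show. The enclosing volumeMounts list starts and ends outside the hunk.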
@@ -128,10 +128,10 @@ spec:
 - secret:
 name: {{ .Values.scalardbCluster.tls.privateKeySecret }}
 {{- end }}
- {{- if and (.Values.scalardbCluster.tde.enabled) (eq .Values.scalardbCluster.tde.type "vault") (.Values.scalardbCluster.tde.vault.tls.enabled) }}
- - name: scalardb-cluster-tde-vault-tls-volume
+ {{- if and (.Values.scalardbCluster.encryption.enabled) (eq .Values.scalardbCluster.encryption.type "vault") (.Values.scalardbCluster.encryption.vault.tls.enabled) }}
+ - name: scalardb-cluster-encryption-vault-tls-volume
 secret:
- secretName: {{ .Values.scalardbCluster.tde.vault.tls.caRootCertSecret }}
+ secretName: {{ .Values.scalardbCluster.encryption.vault.tls.caRootCertSecret }}
 {{- end }}
 {{- with .Values.scalardbCluster.extraVolumes }}
 {{- toYaml . | nindent 8 }}
diff --git a/charts/scalardb-cluster/templates/scalardb-cluster/role.yaml b/charts/scalardb-cluster/templates/scalardb-cluster/role.yaml
index 15dba124..f53e2d6b 100644
--- a/charts/scalardb-cluster/templates/scalardb-cluster/role.yaml
+++ b/charts/scalardb-cluster/templates/scalardb-cluster/role.yaml
@@ -7,7 +7,7 @@ rules:
 - apiGroups: [""]
 resources: ["endpoints"]
 verbs: ["get", "watch", "list"]
- {{- if and (.Values.scalardbCluster.tde.enabled) (eq .Values.scalardbCluster.tde.type "self") }}
+ {{- if and (.Values.scalardbCluster.encryption.enabled) (eq .Values.scalardbCluster.encryption.type "self") }}
 - apiGroups: [""]
 resources: ["secrets"]
 verbs: ["get", "create", "delete"]
diff --git a/charts/scalardb-cluster/values.schema.json b/charts/scalardb-cluster/values.schema.json
index c2a163f0..194c75f1 100644
--- a/charts/scalardb-cluster/values.schema.json
+++ b/charts/scalardb-cluster/values.schema.json
@@ -71,6 +71,33 @@
 "affinity": {
 "type": "object"
 },
+ "encryption": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "type": "boolean"
+ },
+ "type": {
+ "type": "string"
+ },
+ "vault": {
+ "type": "object",
+ "properties": {
+ "tls": {
+ "type": "object",
+ "properties": {
+ "caRootCertSecret": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ }
+ }
+ }
+ }
+ }
+ }
+ },
 "extraVolumeMounts": {
 "type": "array"
 },
@@ -289,33 +316,6 @@
 }
 }
 },
- "tde": {
- "type": "object",
- "properties": {
- "enabled": {
- "type": "boolean"
- },
- "type": {
- "type": "string"
- },
- "vault": {
- "type": "object",
- "properties": {
- "tls": {
- "type": "object",
- "properties": {
- "caRootCertSecret": {
- "type": "string"
- },
- "enabled": {
- "type": "boolean"
- }
- }
- }
- }
- }
- }
- },
 "tls": {
 "type": "object",
 "properties": {
diff --git a/charts/scalardb-cluster/values.yaml b/charts/scalardb-cluster/values.yaml
index 419186e6..bb21d41e 100644
--- a/charts/scalardb-cluster/values.yaml
+++ b/charts/scalardb-cluster/values.yaml
@@ -318,10 +318,10 @@ scalardbCluster:
 # -- Issuer references of cert-manager.
 issuerRef: {}
- tde:
- # -- Enable TDE. You must enable TDE when you use the TDE feature of ScalarDB Cluster.
+ encryption:
+ # -- Enable encryption feature. You must enable encryption when you use the encryption feature of ScalarDB Cluster.
 enabled: false
- # -- Type of TDE. You must set the same value as "scalar.db.cluster.encryption.type" of ScalarDB Cluster.
+ # -- Type of encryption. You must set the same value as "scalar.db.cluster.encryption.type" of ScalarDB Cluster.
 type: ""
 # -- Vault specific configurations.
 vault:
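Review bot: The new `encryption.type` schema accepts any string, while deployment.yaml and role.yaml only act on the exact values `"self"` and `"vault"`; with `enabled: true` and a value such as `Vault` the schema passes, and the chart renders without the Secret RBAC rule and without the CA mount, with no error at lint or install time. If those are the only types the chart supports, constrain it to `"type": { "type": "string", "enum": ["", "self", "vault"] }`; confirm first, since the cluster itself may accept other values of `scalar.db.cluster.encryption.type` that need no chart-side resources. Marking the `encryption` object `"additionalProperties": false` would likewise catch misspelled sub-keys such as `caRootCertSecret` at validation time rather than at first connection to Vault. The enclosing `properties` object of `scalardbCluster` starts and ends outside the hunk.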
@@ -329,5 +329,5 @@ scalardbCluster:
 tls:
 # -- Enable TLS between ScalarDB Cluster and Vault. Note that you must enable the TLS feature on the Vault side.
 enabled: false
- # -- Name of the Secret containing the custom CA root certificate for TLS communication between ScalarDB Cluster and Vault. The certificate file will be mounted under the /tde/vault/tls/certs/ directory in the ScalarDB Cluster pod.
+ # -- Name of the Secret containing the custom CA root certificate for TLS communication between ScalarDB Cluster and Vault. The certificate file will be mounted under the /encryption/vault/tls/certs/ directory in the ScalarDB Cluster pod.
 caRootCertSecret: ""