From c8b6cea8de16068379ebfe601df5be2a6aea5544 Mon Sep 17 00:00:00 2001
From: kota2and3kan <47254383+kota2and3kan@users.noreply.github.com>
Date: Wed, 27 Mar 2024 14:15:17 +0900
Subject: [PATCH] [scalardl-ledger] Support TLS in ScalarDL Ledger chart (#256)
---
 charts/scalardl/README.md | 5 ++
 .../scalardl/templates/ledger/deployment.yaml | 52 ++++++++++++++++++-
 charts/scalardl/values.schema.json | 20 +++++++
 charts/scalardl/values.yaml | 12 +++++
 4 files changed, 87 insertions(+), 2 deletions(-)
diff --git a/charts/scalardl/README.md b/charts/scalardl/README.md
index c0dbd5f2..c8705252 100644
--- a/charts/scalardl/README.md
+++ b/charts/scalardl/README.md
@@ -74,5 +74,10 @@ Current chart version is `5.0.0-SNAPSHOT`
 | ledger.strategy.rollingUpdate.maxSurge | string | `"25%"` | The number of pods that can be created above the desired amount of pods during an update |
 | ledger.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | The number of pods that can be unavailable during the update process |
 | ledger.strategy.type | string | `"RollingUpdate"` | New pods are added gradually, and old pods are terminated gradually, e.g: Recreate or RollingUpdate |
+| ledger.tls.caRootCertSecret | string | `""` | Name of the Secret containing the custom CA root certificate for TLS communication. |
+| ledger.tls.certChainSecret | string | `""` | Name of the Secret containing the certificate chain file used for TLS communication. |
+| ledger.tls.enabled | bool | `false` | Enable TLS. You need to enable TLS when you use wire encryption feature of ScalarDL Ledger. |
+| ledger.tls.overrideAuthority | string | `""` | The custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `ledger.tls.certChainSecret`. This chart uses this value for startupProbe and livenessProbe. |
+| ledger.tls.privateKeySecret | string | `""` | Name of the Secret containing the private key file used for TLS communication. |
 | ledger.tolerations | list | `[]` | Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints. |
 | nameOverride | string | `""` | String to partially override scalardl.fullname template (will maintain the release name) |
diff --git a/charts/scalardl/templates/ledger/deployment.yaml b/charts/scalardl/templates/ledger/deployment.yaml
index e92c43df..3440728a 100644
--- a/charts/scalardl/templates/ledger/deployment.yaml
+++ b/charts/scalardl/templates/ledger/deployment.yaml
@@ -43,6 +43,21 @@ spec:
 - name: scalardl-ledger-properties-volume
 configMap:
 name: {{ include "scalardl.fullname" . }}-ledger-properties
+ {{- if .Values.ledger.tls.caRootCertSecret }}
+ - name: scalardl-ledger-tls-ca-root-volume
+ secret:
+ secretName: {{ .Values.ledger.tls.caRootCertSecret }}
+ {{- end }}
+ {{- if .Values.ledger.tls.certChainSecret }}
+ - name: scalardl-ledger-tls-cert-chain-volume
+ secret:
+ secretName: {{ .Values.ledger.tls.certChainSecret }}
+ {{- end }}
+ {{- if .Values.ledger.tls.privateKeySecret }}
+ - name: scalardl-ledger-tls-private-key-volume
+ secret:
+ secretName: {{ .Values.ledger.tls.privateKeySecret }}
+ {{- end }}
 {{- with .Values.ledger.extraVolumes }}
 {{- toYaml . | nindent 8 }}
 {{- end }}
@@ -61,6 +76,21 @@ spec:
 - name: scalardl-ledger-properties-volume
 mountPath: /scalar/ledger/ledger.properties
 subPath: ledger.properties
+ {{- if .Values.ledger.tls.caRootCertSecret }}
+ - name: scalardl-ledger-tls-ca-root-volume
+ mountPath: /tls/certs/ca-root-cert.pem
+ subPath: ca-root-cert
+ {{- end }}
+ {{- if .Values.ledger.tls.certChainSecret }}
+ - name: scalardl-ledger-tls-cert-chain-volume
+ mountPath: /tls/certs/cert-chain.pem
+ subPath: cert-chain
+ {{- end }}
+ {{- if .Values.ledger.tls.privateKeySecret }}
+ - name: scalardl-ledger-tls-private-key-volume
+ mountPath: /tls/certs/private-key.pem
+ subPath: private-key
+ {{- end }}
 {{- with .Values.ledger.extraVolumeMounts }}
 {{- toYaml . | nindent 12 }}
 {{- end }}
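Review bot: The three Secret volumes added in the first hunk use the Secret volume's default file mode, so the private key behind `scalardl-ledger-tls-private-key-volume` is readable by every user inside the container; setting `defaultMode: 0400` on that volume (or `0440` when the pod's securityContext sets an fsGroup, which is outside this hunk) limits that, provided the ledger process runs as the file's owner. The templated `secretName` values are also unquoted, so a Secret name YAML parses as a non-string (an all-digit name, for instance) renders as an integer and is rejected by the API server; `secretName: {{ .Values.ledger.tls.caRootCertSecret | quote }}`, and the same for the cert-chain and private-key volumes, avoids that. The enclosing `volumes:` list starts before this hunk.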
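Review bot: The three mounts in the second hunk use `subPath`, and a container consuming a Secret through a subPath mount does not see later updates to that Secret, so a rotated certificate or key only takes effect once the pod is recreated. Keeping the `/tls/certs/*.pem` paths while allowing updates is possible with a single `projected` volume whose `sources[].secret.items[].path` entries produce `ca-root-cert.pem`, `cert-chain.pem` and `private-key.pem`, mounted once at `/tls/certs` without `subPath`; if the subPath form is kept, a comment should say rotation requires a rollout. The subPath values also fix the keys each Secret must contain (`ca-root-cert`, `cert-chain`, `private-key`), which nothing in this template states; a comment above the first mount such as `# The TLS Secrets must hold their file under the keys ca-root-cert, cert-chain and private-key` makes that contract visible. The enclosing container spec starts before this hunk.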
@@ -113,14 +143,32 @@ spec:
 exec:
 command:
 - /usr/local/bin/grpc_health_probe
- - -addr=:50051
+ - -addr=localhost:50051
+ {{- if .Values.ledger.tls.enabled }}
+ - -tls
+ {{- if .Values.ledger.tls.caRootCertSecret }}
+ - -tls-ca-cert=/tls/certs/ca-root-cert.pem
+ {{- end }}
+ {{- if .Values.ledger.tls.overrideAuthority }}
+ - -tls-server-name={{ .Values.ledger.tls.overrideAuthority }}
+ {{- end }}
+ {{- end }}
 failureThreshold: 60
 periodSeconds: 5
 livenessProbe:
 exec:
 command:
 - /usr/local/bin/grpc_health_probe
- - -addr=:50051
+ - -addr=localhost:50051
+ {{- if .Values.ledger.tls.enabled }}
+ - -tls
+ {{- if .Values.ledger.tls.caRootCertSecret }}
+ - -tls-ca-cert=/tls/certs/ca-root-cert.pem
+ {{- end }}
+ {{- if .Values.ledger.tls.overrideAuthority }}
+ - -tls-server-name={{ .Values.ledger.tls.overrideAuthority }}
+ {{- end }}
+ {{- end }}
 failureThreshold: 3
 periodSeconds: 10
 successThreshold: 1
diff --git a/charts/scalardl/values.schema.json b/charts/scalardl/values.schema.json
index b043c16e..ba49b76a 100644
--- a/charts/scalardl/values.schema.json
+++ b/charts/scalardl/values.schema.json
@@ -325,6 +325,26 @@
 }
 }
 },
+ "tls": {
+ "type": "object",
+ "properties": {
+ "caRootCertSecret": {
+ "type": "string"
+ },
+ "certChainSecret": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "overrideAuthority": {
+ "type": "string"
+ },
+ "privateKeySecret": {
+ "type": "string"
+ }
+ }
+ },
 "tolerations": {
 "type": "array"
 }
diff --git a/charts/scalardl/values.yaml b/charts/scalardl/values.yaml
index cbbd72cd..e069c3bc 100644
--- a/charts/scalardl/values.yaml
+++ b/charts/scalardl/values.yaml
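Review bot: The nine TLS argument lines are duplicated verbatim between startupProbe and livenessProbe; moving them into a named template (a `{{- define "scalardl.ledger.probeTlsArgs" }}` block holding the `-tls`, `-tls-ca-cert` and `-tls-server-name` items, rendered at both sites with `{{- include "scalardl.ledger.probeTlsArgs" . | nindent 12 }}`) keeps the two probes from drifting apart. When `ledger.tls.enabled` is true but `caRootCertSecret` is empty, the probe runs with `-tls` and no `-tls-ca-cert`, so grpc_health_probe presumably verifies the server against the image's system trust store, and a self-signed or private-CA server certificate then fails every probe and the pod never becomes ready; that consequence is worth stating in the `caRootCertSecret` description. The probes now dial `localhost:50051`, so unless `overrideAuthority` is set the server certificate presumably has to be valid for `localhost`.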
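Review bot: The new `tls` object in the values.schema.json hunk lists its five properties but, as far as this hunk shows, does not set `additionalProperties: false`, so a misspelled key such as `tls.enable: true` passes Helm's schema validation and the release silently runs without TLS. If the sibling objects in this schema already set `additionalProperties: false`, `tls` should follow them; otherwise adding `"additionalProperties": false` after the `properties` block is a one-line change. The enclosing `ledger` object starts and ends outside this hunk.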
@@ -233,3 +233,15 @@ ledger:
 serviceAccountName: ""
 # -- Specify to mount a service account token or not
 automountServiceAccountToken: false
+
+ tls:
+ # -- Enable TLS. You need to enable TLS when you use wire encryption feature of ScalarDL Ledger.
+ enabled: false
+ # -- The custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `ledger.tls.certChainSecret`. This chart uses this value for startupProbe and livenessProbe.
+ overrideAuthority: ""
+ # -- Name of the Secret containing the custom CA root certificate for TLS communication.
+ caRootCertSecret: ""
+ # -- Name of the Secret containing the certificate chain file used for TLS communication.
+ certChainSecret: ""
+ # -- Name of the Secret containing the private key file used for TLS communication.
+ privateKeySecret: ""
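Review bot: The `# --` descriptions of `caRootCertSecret`, `certChainSecret` and `privateKeySecret` name the Secret but not the key inside it that the deployment template mounts, and because the README table is generated from these comments the requirement never reaches users; the deployment's subPath mounts expect the keys `ca-root-cert`, `cert-chain` and `private-key`. For example: `# -- Name of the Secret containing the private key file used for TLS communication. The file must be stored under the Secret key "private-key".`, with the matching key named in the other two comments. The `overrideAuthority` comment could also say what happens when it is left empty — the probes dial `localhost:50051`, so the certificate presumably has to be valid for `localhost` in that case.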