Merge branch 'main' into support-tls-scalardl-auditor

scalar-labs · Mar 27, 2024 · f4d5fd9 · f4d5fd9
2 parents 6835289 + 19bf85b
commit f4d5fd9
Show file tree

Hide file tree

Showing 5 changed files with 102 additions and 0 deletions.
diff --git a/.github/postgresql.yaml b/.github/postgresql.yaml
@@ -1,6 +1,9 @@
 primary:
   persistence:
     enabled: false
+  resourcesPreset: none
 
 auth:
   postgresPassword: postgres
+
+postgresqlDataDir: /tmp/data
diff --git a/charts/envoy/README.md b/charts/envoy/README.md
@@ -44,4 +44,12 @@ Current chart version is `3.0.0-SNAPSHOT`
 | serviceMonitor.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring |
 | strategy.rollingUpdate | object | `{"maxSurge":"25%","maxUnavailable":"25%"}` | The number of pods that can be unavailable during the update process |
 | strategy.type | string | `"RollingUpdate"` | New pods are added gradually, and old pods are terminated gradually, e.g: Recreate or RollingUpdate |
+| tls.downstream | object | `{"certChainSecret":"","enabled":false,"privateKeySecret":""}` | TLS configuration between client and Envoy. |
+| tls.downstream.certChainSecret | string | `""` | Name of the Secret containing the certificate chain file used for TLS communication. |
+| tls.downstream.enabled | bool | `false` | Enable TLS between client and Envoy. |
+| tls.downstream.privateKeySecret | string | `""` | Name of the Secret containing the private key file used for TLS communication. |
+| tls.upstream | object | `{"caRootCertSecret":"","enabled":false,"overrideAuthority":""}` | TLS configuration between Envoy and ScalarDB Cluster or ScalarDL. |
+| tls.upstream.caRootCertSecret | string | `""` | Name of the Secret containing the custom CA root certificate for TLS communication. |
+| tls.upstream.enabled | bool | `false` | Enable TLS between Envoy and ScalarDB Cluster or ScalarDL. You need to enable TLS when you use wire encryption feature of ScalarDB Cluster or ScalarDL. |
+| tls.upstream.overrideAuthority | string | `""` | The custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`, `ledger.tls.certChainSecret`, or `auditor.tls.certChainSecret`. Envoy uses this value for certificate verification of TLS connection with ScalarDB Cluster or ScalarDL. |
 | tolerations | list | `[]` | Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints. |
diff --git a/charts/envoy/templates/deployment.yaml b/charts/envoy/templates/deployment.yaml
@@ -53,6 +53,14 @@ spec:
             value: {{ include "envoy.fullname" . }}-headless
           - name: service_listeners
             value: "{{ .Values.envoyConfiguration.serviceListeners }}"
+          - name: envoy_tls
+            value: "{{ .Values.tls.downstream.enabled }}"
+          - name: envoy_upstream_tls
+            value: "{{ .Values.tls.upstream.enabled }}"
+          {{- if .Values.tls.upstream.overrideAuthority }}
+          - name: envoy_upstream_tls_override_authority
+            value: "{{ .Values.tls.upstream.overrideAuthority }}"
+          {{- end }}
           startupProbe:
             httpGet:
               path: /ready
@@ -73,6 +81,38 @@ spec:
                 command: ["/bin/sh", "-c", "curl -sX POST 127.0.0.1:9001/healthcheck/fail; sleep 30"]
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            {{- if .Values.tls.upstream.caRootCertSecret }}
+            - name: scalar-envoy-tls-ca-root-volume
+              mountPath: /etc/envoy/upstream/tls/ca.pem
+              subPath: ca-root-cert
+            {{- end }}
+            {{- if .Values.tls.downstream.certChainSecret }}
+            - name: scalar-envoy-tls-cert-chain-volume
+              mountPath: /etc/envoy/cert.pem
+              subPath: cert-chain
+            {{- end }}
+            {{- if .Values.tls.downstream.privateKeySecret }}
+            - name: scalar-envoy-tls-private-key-volume
+              mountPath: /etc/envoy/key.pem
+              subPath: private-key
+            {{- end }}
+      volumes:
+        {{- if .Values.tls.upstream.caRootCertSecret }}
+        - name: scalar-envoy-tls-ca-root-volume
+          secret:
+            secretName: {{ .Values.tls.upstream.caRootCertSecret }}
+        {{- end }}
+        {{- if .Values.tls.downstream.certChainSecret }}
+        - name: scalar-envoy-tls-cert-chain-volume
+          secret:
+            secretName: {{ .Values.tls.downstream.certChainSecret }}
+        {{- end }}
+        {{- if .Values.tls.downstream.privateKeySecret }}
+        - name: scalar-envoy-tls-private-key-volume
+          secret:
+            secretName: {{ .Values.tls.downstream.privateKeySecret }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/envoy/values.schema.json b/charts/envoy/values.schema.json
@@ -184,6 +184,39 @@
                 }
             }
         },
+        "tls": {
+            "type": "object",
+            "properties": {
+                "downstream": {
+                    "type": "object",
+                    "properties": {
+                        "certChainSecret": {
+                            "type": "string"
+                        },
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "privateKeySecret": {
+                            "type": "string"
+                        }
+                    }
+                },
+                "upstream": {
+                    "type": "object",
+                    "properties": {
+                        "caRootCertSecret": {
+                            "type": "string"
+                        },
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "overrideAuthority": {
+                            "type": "string"
+                        }
+                    }
+                }
+            }
+        },
         "tolerations": {
             "type": "array"
         }

diff --git a/charts/envoy/values.yaml b/charts/envoy/values.yaml
@@ -114,3 +114,21 @@ tolerations: []
 
 # affinity -- the affinity/anti-affinity feature, greatly expands the types of constraints you can express
 affinity: {}
+
+tls:
+  # -- TLS configuration between client and Envoy.
+  downstream:
+    # -- Enable TLS between client and Envoy.
+    enabled: false
+    # -- Name of the Secret containing the certificate chain file used for TLS communication.
+    certChainSecret: ""
+    # -- Name of the Secret containing the private key file used for TLS communication.
+    privateKeySecret: ""
+  # -- TLS configuration between Envoy and ScalarDB Cluster or ScalarDL.
+  upstream:
+    # -- Enable TLS between Envoy and ScalarDB Cluster or ScalarDL. You need to enable TLS when you use wire encryption feature of ScalarDB Cluster or ScalarDL.
+    enabled: false
+    # -- The custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`, `ledger.tls.certChainSecret`, or `auditor.tls.certChainSecret`. Envoy uses this value for certificate verification of TLS connection with ScalarDB Cluster or ScalarDL.
+    overrideAuthority: ""
+    # -- Name of the Secret containing the custom CA root certificate for TLS communication.
+    caRootCertSecret: ""