From ee726cbe477850837d11d4ca397359133100f36f Mon Sep 17 00:00:00 2001
From: kota2and3kan <47254383+kota2and3kan@users.noreply.github.com>
Date: Fri, 22 Mar 2024 08:47:00 +0900
Subject: [PATCH 1/2] [envoy] Support TLS in Scalar Envoy chart (#253)
---
charts/envoy/README.md | 8 ++++++
charts/envoy/templates/deployment.yaml | 40 ++++++++++++++++++++++++++
charts/envoy/values.schema.json | 33 +++++++++++++++++++++
charts/envoy/values.yaml | 18 ++++++++++++
4 files changed, 99 insertions(+)
diff --git a/charts/envoy/README.md b/charts/envoy/README.md
index 53d65ed7..ae363d67 100644
--- a/charts/envoy/README.md
+++ b/charts/envoy/README.md
@@ -44,4 +44,12 @@ Current chart version is `3.0.0-SNAPSHOT`
 | serviceMonitor.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring |
 | strategy.rollingUpdate | object | `{"maxSurge":"25%","maxUnavailable":"25%"}` | The number of pods that can be unavailable during the update process |
 | strategy.type | string | `"RollingUpdate"` | New pods are added gradually, and old pods are terminated gradually, e.g: Recreate or RollingUpdate |
+| tls.downstream | object | `{"certChainSecret":"","enabled":false,"privateKeySecret":""}` | TLS configuration between client and Envoy. |
+| tls.downstream.certChainSecret | string | `""` | Name of the Secret containing the certificate chain file used for TLS communication. |
+| tls.downstream.enabled | bool | `false` | Enable TLS between client and Envoy. |
+| tls.downstream.privateKeySecret | string | `""` | Name of the Secret containing the private key file used for TLS communication. |
+| tls.upstream | object | `{"caRootCertSecret":"","enabled":false,"overrideAuthority":""}` | TLS configuration between Envoy and ScalarDB Cluster or ScalarDL. |
+| tls.upstream.caRootCertSecret | string | `""` | Name of the Secret containing the custom CA root certificate for TLS communication. |
+| tls.upstream.enabled | bool | `false` | Enable TLS between Envoy and ScalarDB Cluster or ScalarDL. You need to enable TLS when you use wire encryption feature of ScalarDB Cluster or ScalarDL. |
+| tls.upstream.overrideAuthority | string | `""` | The custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`, `ledger.tls.certChainSecret`, or `auditor.tls.certChainSecret`. Envoy uses this value for certificate verification of TLS connection with ScalarDB Cluster or ScalarDL. |
 | tolerations | list | `[]` | Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints. |
diff --git a/charts/envoy/templates/deployment.yaml b/charts/envoy/templates/deployment.yaml
index 3bea0e9a..89725d74 100644
--- a/charts/envoy/templates/deployment.yaml
+++ b/charts/envoy/templates/deployment.yaml
@@ -53,6 +53,14 @@ spec:
 value: {{ include "envoy.fullname" . }}-headless
 - name: service_listeners
 value: "{{ .Values.envoyConfiguration.serviceListeners }}"
+ - name: envoy_tls
+ value: "{{ .Values.tls.downstream.enabled }}"
+ - name: envoy_upstream_tls
+ value: "{{ .Values.tls.upstream.enabled }}"
+ {{- if .Values.tls.upstream.overrideAuthority }}
+ - name: envoy_upstream_tls_override_authority
+ value: "{{ .Values.tls.upstream.overrideAuthority }}"
+ {{- end }}
 startupProbe:
 httpGet:
 path: /ready
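Review bot: The three new environment variables (`envoy_tls`, `envoy_upstream_tls`, `envoy_upstream_tls_override_authority`) are a contract with whatever inside the image reads them, but nothing in the template records that; a one-line comment above the first entry such as `# TLS settings read by the Envoy image at startup; the names must match the image's configuration` would tell the next maintainer these cannot be renamed freely. The `{{- if }}` guard means an empty `overrideAuthority` omits the variable entirely, while the two booleans are always exported as the strings "true"/"false"; that asymmetry is fine but worth stating in the same comment. The enclosing container spec starts and ends outside this hunk.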
@@ -73,6 +81,38 @@ spec:
 command: ["/bin/sh", "-c", "curl -sX POST 127.0.0.1:9001/healthcheck/fail; sleep 30"]
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ volumeMounts:
+ {{- if .Values.tls.upstream.caRootCertSecret }}
+ - name: scalar-envoy-tls-ca-root-volume
+ mountPath: /etc/envoy/upstream/tls/ca.pem
+ subPath: ca-root-cert
+ {{- end }}
+ {{- if .Values.tls.downstream.certChainSecret }}
+ - name: scalar-envoy-tls-cert-chain-volume
+ mountPath: /etc/envoy/cert.pem
+ subPath: cert-chain
+ {{- end }}
+ {{- if .Values.tls.downstream.privateKeySecret }}
+ - name: scalar-envoy-tls-private-key-volume
+ mountPath: /etc/envoy/key.pem
+ subPath: private-key
+ {{- end }}
+ volumes:
+ {{- if .Values.tls.upstream.caRootCertSecret }}
+ - name: scalar-envoy-tls-ca-root-volume
+ secret:
+ secretName: {{ .Values.tls.upstream.caRootCertSecret }}
+ {{- end }}
+ {{- if .Values.tls.downstream.certChainSecret }}
+ - name: scalar-envoy-tls-cert-chain-volume
+ secret:
+ secretName: {{ .Values.tls.downstream.certChainSecret }}
+ {{- end }}
+ {{- if .Values.tls.downstream.privateKeySecret }}
+ - name: scalar-envoy-tls-private-key-volume
+ secret:
+ secretName: {{ .Values.tls.downstream.privateKeySecret }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/envoy/values.schema.json b/charts/envoy/values.schema.json
index 6f398415..4c6c2c7e 100644
--- a/charts/envoy/values.schema.json
+++ b/charts/envoy/values.schema.json
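Review bot: The Secret key names pinned by `subPath` (`ca-root-cert`, `cert-chain`, `private-key`) are part of the user-facing contract, yet neither the values.yaml comments nor the README rows added in this commit mention them, so a user who creates a Secret with the usual `tls.crt`/`tls.key` keys gets a failed or empty mount instead of a clear message; a comment above each `{{- if }}` such as `# The Secret must contain a key named "cert-chain" holding the PEM certificate chain`, mirrored in the values.yaml `# --` comments, closes that gap. The `secretName` values are rendered unquoted; `secretName: {{ .Values.tls.downstream.certChainSecret | quote }}` (and likewise for the other two) keeps an all-digit Secret name from being parsed as an integer. Because Secret volume files default to mode 0644, adding `defaultMode: 0400` to `scalar-envoy-tls-private-key-volume` is worth considering, provided the container's user or `fsGroup` can still read the key. The container and pod specs these `volumeMounts:`/`volumes:` keys belong to start before this hunk.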
@@ -184,6 +184,39 @@
 }
 }
 },
+ "tls": {
+ "type": "object",
+ "properties": {
+ "downstream": {
+ "type": "object",
+ "properties": {
+ "certChainSecret": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "privateKeySecret": {
+ "type": "string"
+ }
+ }
+ },
+ "upstream": {
+ "type": "object",
+ "properties": {
+ "caRootCertSecret": {
+ "type": "string"
+ },
+ "enabled": {
+ "type": "boolean"
+ },
+ "overrideAuthority": {
+ "type": "string"
+ }
+ }
+ }
+ }
+ },
 "tolerations": {
 "type": "array"
 }
diff --git a/charts/envoy/values.yaml b/charts/envoy/values.yaml
index 914a6918..17d31a93 100644
--- a/charts/envoy/values.yaml
+++ b/charts/envoy/values.yaml
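Review bot: Nothing rejects `tls.downstream.enabled: true` combined with an empty `certChainSecret` or `privateKeySecret`: this schema only types the fields, and the deployment template mounts the certificate and key only when the Secret names are non-empty, so such values render a pod that asks for TLS but has no key material (whether Envoy then fails fast or serves without TLS cannot be told from the chart). Assuming the chart's minimum Helm accepts draft-7 conditionals, a block on `downstream` — `"if": {"properties": {"enabled": {"const": true}}}` with a `"then"` that sets `"minLength": 1` on both Secret-name properties — would surface the mistake at `helm lint`/`install` time; the same pattern applies to `upstream.enabled` if a CA root is mandatory there. The property order here matches the README table, which helps reviewers.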
@@ -114,3 +114,21 @@ tolerations: []
 # affinity -- the affinity/anti-affinity feature, greatly expands the types of constraints you can express
 affinity: {}
+
+tls:
+ # -- TLS configuration between client and Envoy.
+ downstream:
+ # -- Enable TLS between client and Envoy.
+ enabled: false
+ # -- Name of the Secret containing the certificate chain file used for TLS communication.
+ certChainSecret: ""
+ # -- Name of the Secret containing the private key file used for TLS communication.
+ privateKeySecret: ""
+ # -- TLS configuration between Envoy and ScalarDB Cluster or ScalarDL.
+ upstream:
+ # -- Enable TLS between Envoy and ScalarDB Cluster or ScalarDL. You need to enable TLS when you use wire encryption feature of ScalarDB Cluster or ScalarDL.
+ enabled: false
+ # -- The custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`, `ledger.tls.certChainSecret`, or `auditor.tls.certChainSecret`. Envoy uses this value for certificate verification of TLS connection with ScalarDB Cluster or ScalarDL.
+ overrideAuthority: ""
+ # -- Name of the Secret containing the custom CA root certificate for TLS communication.
+ caRootCertSecret: ""
From 19bf85b514c7c4f3dcc953687abd28f7c19017d4 Mon Sep 17 00:00:00 2001
From: kota2and3kan <47254383+kota2and3kan@users.noreply.github.com>
Date: Tue, 26 Mar 2024 14:33:18 +0900
Subject: [PATCH 2/2] Update configuration of PostgreSQL for CI to use /tmp directory (#259)
---
.github/postgresql.yaml | 3 +++
1 file changed, 3 insertions(+)
diff --git a/.github/postgresql.yaml b/.github/postgresql.yaml
index abd1676b..9070ac19 100644
--- a/.github/postgresql.yaml
+++ b/.github/postgresql.yaml
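Review bot: The `upstream` keys are written in the order `enabled`, `overrideAuthority`, `caRootCertSecret`, while the README table and values.schema.json in this same commit list them as `caRootCertSecret`, `enabled`, `overrideAuthority`; since helm-docs keeps the README alphabetical, ordering the values file the same way spares readers from reconciling two orderings. The comment on `caRootCertSecret` does not say what Envoy verifies the upstream certificate against when the value is left empty (the image's system trust store, or no verification at all); a sentence such as `# When empty, the CA bundle shipped in the container image is used` — adjusted to whatever the image actually does — answers the first question an operator will ask.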
@@ -1,6 +1,9 @@
 primary:
 persistence:
 enabled: false
+ resourcesPreset: none
 auth:
 postgresPassword: postgres
+
+postgresqlDataDir: /tmp/data
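Review bot: Whether `resourcesPreset: none` sits under `primary` or under `primary.persistence` cannot be read from this rendering; the Bitnami chart reads it as `primary.resourcesPreset`, and a copy mis-indented under `persistence` is silently ignored rather than rejected, so please double-check the nesting. The reason for relocating the data directory to `/tmp/data` is not recorded anywhere (the commit title only says that it happens); a comment above it such as `# CI only: <reason the default data directory does not work here>` — with the actual reason filled in — would stop the next person from reverting it.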