[scalardl-ledger] Support TLS in ScalarDL Ledger chart
kota2and3kan committed Mar 12, 2024
1 parent d860123 commit 29a58b1
Showing 4 changed files with 81 additions and 0 deletions.
5 changes: 5 additions & 0 deletions charts/scalardl/README.md
Expand Up @@ -74,5 +74,10 @@ Current chart version is `5.0.0-SNAPSHOT`
| ledger.strategy.rollingUpdate.maxSurge | string | `"25%"` | The number of pods that can be created above the desired amount of pods during an update |
| ledger.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | The number of pods that can be unavailable during the update process |
| ledger.strategy.type | string | `"RollingUpdate"` | New pods are added gradually, and old pods are terminated gradually, e.g: Recreate or RollingUpdate |
| ledger.tls.caRootCertSecret | string | `""` | Secret name that includes the custom CA root certificate for TLS communication. |
| ledger.tls.certChainSecret | string | `""` | Secret name that includes the certificate chain file used for TLS communication. |
| ledger.tls.enabled | bool | `false` | Enable TLS. You need to enable TLS when you use wire encryption feature of ScalarDL Ledger. |
| ledger.tls.overrideAuthority | string | `""` | Specify the custom authority for TLS communication. This chart uses this value for startupProbe and livenessProbe. |
| ledger.tls.privateKeySecret | string | `""` | Secret name that includes the private key file used for TLS communication. |
| ledger.tolerations | list | `[]` | Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints. |
| nameOverride | string | `""` | String to partially override scalardl.fullname template (will maintain the release name) |
44 changes: 44 additions & 0 deletions charts/scalardl/templates/ledger/deployment.yaml
Expand Up @@ -43,6 +43,21 @@ spec:
- name: scalardl-ledger-properties-volume
configMap:
name: {{ include "scalardl.fullname" . }}-ledger-properties
{{- if .Values.ledger.tls.caRootCertSecret }}
- name: scalardl-ledger-tls-ca-root-volume
secret:
secretName: {{ .Values.ledger.tls.caRootCertSecret }}
{{- end }}
{{- if .Values.ledger.tls.certChainSecret }}
- name: scalardl-ledger-tls-cert-chain-volume
secret:
secretName: {{ .Values.ledger.tls.certChainSecret }}
{{- end }}
{{- if .Values.ledger.tls.privateKeySecret }}
- name: scalardl-ledger-tls-private-key-volume
secret:
secretName: {{ .Values.ledger.tls.privateKeySecret }}
{{- end }}
{{- with .Values.ledger.extraVolumes }}
{{- toYaml . | nindent 8 }}
{{- end }}
Expand All @@ -61,6 +76,21 @@ spec:
- name: scalardl-ledger-properties-volume
mountPath: /scalar/ledger/ledger.properties
subPath: ledger.properties
{{- if .Values.ledger.tls.caRootCertSecret }}
- name: scalardl-ledger-tls-ca-root-volume
mountPath: /tls/certs/ca-root-cert.pem
subPath: ca-root-cert
{{- end }}
{{- if .Values.ledger.tls.certChainSecret }}
- name: scalardl-ledger-tls-cert-chain-volume
mountPath: /tls/certs/cert-chain.pem
subPath: cert-chain
{{- end }}
{{- if .Values.ledger.tls.privateKeySecret }}
- name: scalardl-ledger-tls-private-key-volume
mountPath: /tls/certs/private-key.pem
subPath: private-key
{{- end }}
{{- with .Values.ledger.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
Expand Down Expand Up @@ -114,13 +144,27 @@ spec:
command:
- /usr/local/bin/grpc_health_probe
- -addr=:50051
{{- if .Values.ledger.tls.enabled }}
- -tls
{{- if .Values.ledger.tls.caRootCertSecret }}
- -tls-ca-cert=/tls/certs/ca-root-cert.pem
{{- end }}
- -tls-server-name={{ .Values.ledger.tls.overrideAuthority }}
{{- end }}
failureThreshold: 60
periodSeconds: 5
livenessProbe:
exec:
command:
- /usr/local/bin/grpc_health_probe
- -addr=:50051
{{- if .Values.ledger.tls.enabled }}
- -tls
{{- if .Values.ledger.tls.caRootCertSecret }}
- -tls-ca-cert=/tls/certs/ca-root-cert.pem
{{- end }}
- -tls-server-name={{ .Values.ledger.tls.overrideAuthority }}
{{- end }}
failureThreshold: 3
periodSeconds: 10
successThreshold: 1
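Review bot: The private-key Secret volume (`scalardl-ledger-tls-private-key-volume` in the first hunk) is created with Kubernetes' default file mode 0644, so `/tls/certs/private-key.pem` is readable by any process in the container; add `defaultMode: 0400` under that volume's `secret:` stanza (pairing it with the pod's `securityContext.fsGroup` if the ledger process runs as non-root — TODO confirm the image's user). The mounts in the second hunk use `subPath`, and Kubernetes does not push Secret updates into subPath mounts, so a rotated certificate or key takes effect only after the pods are restarted; a comment such as `# subPath mounts do not refresh on Secret rotation; roll the pods after rotating` would record that. Nothing checks that `certChainSecret` and `privateKeySecret` are set when `tls.enabled` is true, so the probes are rendered with `-tls` against a container that has no key material; a guard like `{{- if and .Values.ledger.tls.enabled (not .Values.ledger.tls.privateKeySecret) }}{{ fail "ledger.tls.privateKeySecret is required when ledger.tls.enabled is true" }}{{- end }}` near the top of the template would surface this at install time. In both probe hunks `-tls-server-name={{ .Values.ledger.tls.overrideAuthority }}` is emitted even when `overrideAuthority` is empty, producing `-tls-server-name=`; presumably grpc_health_probe then falls back to the address, which is `:50051` with no host, so wrapping that line in `{{- if .Values.ledger.tls.overrideAuthority }} … {{- end }}` is safer. The enclosing `spec` (volumes, container, probes) starts and ends outside the hunks.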
20 changes: 20 additions & 0 deletions charts/scalardl/values.schema.json
Expand Up @@ -325,6 +325,26 @@
}
}
},
"tls": {
"type": "object",
"properties": {
"caRootCertSecret": {
"type": "string"
},
"certChainSecret": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"overrideAuthority": {
"type": "string"
},
"privateKeySecret": {
"type": "string"
}
}
},
"tolerations": {
"type": "array"
}
12 changes: 12 additions & 0 deletions charts/scalardl/values.yaml
Expand Up @@ -233,3 +233,15 @@ ledger:
serviceAccountName: ""
# -- Specify to mount a service account token or not
automountServiceAccountToken: false

tls:
# -- Enable TLS. You need to enable TLS when you use wire encryption feature of ScalarDL Ledger.
enabled: false
# -- Specify the custom authority for TLS communication. This chart uses this value for startupProbe and livenessProbe.
overrideAuthority: ""
# -- Secret name that includes the custom CA root certificate for TLS communication.
caRootCertSecret: ""
# -- Secret name that includes the certificate chain file used for TLS communication.
certChainSecret: ""
# -- Secret name that includes the private key file used for TLS communication.
privateKeySecret: ""
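Review bot: The comments on `caRootCertSecret`, `certChainSecret` and `privateKeySecret` do not say which key inside each Secret the chart reads; the deployment template mounts the items `ca-root-cert`, `cert-chain` and `private-key` via subPath, so a Secret created with other key names presumably leaves the expected file missing and the ledger cannot come up with TLS. Extend each comment with the key name, e.g. `# -- Secret name that includes the private key file used for TLS communication. The chart reads the key "private-key" from this Secret.`, and likewise for `ca-root-cert` and `cert-chain`. The `enabled` comment should also state that `certChainSecret` and `privateKeySecret` must be set when it is `true`, since the template renders TLS-only probes regardless of whether any key material is mounted.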
