[scalardl-auditor] Supprt TLS in ScalarDL Auditor chart

scalar-labs · Feb 27, 2024 · ec251f4 · ec251f4
1 parent d860123
commit ec251f4
Show file tree

Hide file tree

Showing 4 changed files with 97 additions and 0 deletions.
diff --git a/charts/scalardl-audit/README.md b/charts/scalardl-audit/README.md
@@ -66,6 +66,12 @@ Current chart version is `3.0.0-SNAPSHOT`
 | auditor.strategy.rollingUpdate.maxSurge | string | `"25%"` | The number of pods that can be created above the desired amount of pods during an update |
 | auditor.strategy.rollingUpdate.maxUnavailable | string | `"25%"` | The number of pods that can be unavailable during the update process |
 | auditor.strategy.type | string | `"RollingUpdate"` | New pods are added gradually, and old pods are terminated gradually, e.g: Recreate or RollingUpdate |
+| auditor.tls.caRootCertForLedgerSecret | string | `""` | Secret name that includes the custom CA root certificate for TLS communication between Auditor and Ledger. |
+| auditor.tls.caRootCertSecret | string | `""` | Secret name that includes the custom CA root certificate for TLS communication. |
+| auditor.tls.certChainSecret | string | `""` | Secret name that includes the certificate chain file used for TLS communication. |
+| auditor.tls.enabled | bool | `false` | Enable TLS. You need to enable TLS when you use wire encryption feature of ScalarDL Auditor. |
+| auditor.tls.overrideAuthority | string | `""` | Specify the custom authority for TLS communication. This chart uses this value for startupProbe and livenessProbe. |
+| auditor.tls.privateKeySecret | string | `""` | Secret name that includes the private key file used for TLS communication. |
 | auditor.tolerations | list | `[]` | Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints. |
 | envoy.enabled | bool | `true` | enable envoy |
 | envoy.envoyConfiguration.serviceListeners | string | `"scalardl-audit-service:40051,scalardl-audit-privileged:40052"` | list of service name and port |

diff --git a/charts/scalardl-audit/templates/auditor/deployment.yaml b/charts/scalardl-audit/templates/auditor/deployment.yaml
@@ -41,6 +41,26 @@ spec:
         - name: scalardl-auditor-properties-volume
           configMap:
             name: {{ include "scalardl-audit.fullname" . }}-auditor-properties
+      {{- if .Values.auditor.tls.caRootCertSecret }}
+        - name: scalardl-auditor-tls-ca-root-volume
+          secret:
+            secretName: {{ .Values.auditor.tls.caRootCertSecret }}
+      {{- end }}
+      {{- if .Values.auditor.tls.certChainSecret }}
+        - name: scalardl-auditor-tls-cert-chain-volume
+          secret:
+            secretName: {{ .Values.auditor.tls.certChainSecret }}
+      {{- end }}
+      {{- if .Values.auditor.tls.privateKeySecret }}
+        - name: scalardl-auditor-tls-private-key-volume
+          secret:
+            secretName: {{ .Values.auditor.tls.privateKeySecret }}
+      {{- end }}
+      {{- if .Values.auditor.tls.caRootCertForLedgerSecret }}
+        - name: scalardl-auditor-tls-ca-root-for-ledger-volume
+          secret:
+            secretName: {{ .Values.auditor.tls.caRootCertForLedgerSecret }}
+      {{- end }}
       {{- with .Values.auditor.extraVolumes }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -61,6 +81,26 @@ spec:
             - name: scalardl-auditor-properties-volume
               mountPath: /scalar/auditor/auditor.properties
               subPath: auditor.properties
+          {{- if .Values.auditor.tls.caRootCertSecret }}
+            - name: scalardl-auditor-tls-ca-root-volume
+              mountPath: /tls/certs/ca-root-cert.pem
+              subPath: ca-root-cert
+          {{- end }}
+          {{- if .Values.auditor.tls.certChainSecret }}
+            - name: scalardl-auditor-tls-cert-chain-volume
+              mountPath: /tls/certs/cert-chain.pem
+              subPath: cert-chain
+          {{- end }}
+          {{- if .Values.auditor.tls.privateKeySecret }}
+            - name: scalardl-auditor-tls-private-key-volume
+              mountPath: /tls/certs/private-key.pem
+              subPath: private-key
+          {{- end }}
+          {{- if .Values.auditor.tls.caRootCertSecret }}
+            - name: scalardl-auditor-tls-ca-root-for-ledger-volume
+              mountPath: /tls/certs/ca-root-cert-for-ledger.pem
+              subPath: ca-root-cert-for-ledger
+          {{- end }}
           {{- with .Values.auditor.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -122,13 +162,27 @@ spec:
               command:
               - /usr/local/bin/grpc_health_probe
               - -addr=:40051
+              {{- if .Values.auditor.tls.enabled }}
+              - -tls
+              {{- if .Values.auditor.tls.caRootCertSecret }}
+              - -tls-ca-cert=/tls/certs/ca-root-cert.pem
+              {{- end }}
+              - -tls-server-name={{ .Values.auditor.tls.overrideAuthority }}
+              {{- end }}
             failureThreshold: 60
             periodSeconds: 5
           livenessProbe:
             exec:
               command:
               - /usr/local/bin/grpc_health_probe
               - -addr=:40051
+              {{- if .Values.auditor.tls.enabled }}
+              - -tls
+              {{- if .Values.auditor.tls.caRootCertSecret }}
+              - -tls-ca-cert=/tls/certs/ca-root-cert.pem
+              {{- end }}
+              - -tls-server-name={{ .Values.auditor.tls.overrideAuthority }}
+              {{- end }}
             failureThreshold: 3
             periodSeconds: 10
             successThreshold: 1

diff --git a/charts/scalardl-audit/values.schema.json b/charts/scalardl-audit/values.schema.json
@@ -266,6 +266,29 @@
                         }
                     }
                 },
+                "tls": {
+                    "type": "object",
+                    "properties": {
+                        "caRootCertForLedgerSecret": {
+                            "type": "string"
+                        },
+                        "caRootCertSecret": {
+                            "type": "string"
+                        },
+                        "certChainSecret": {
+                            "type": "string"
+                        },
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "overrideAuthority": {
+                            "type": "string"
+                        },
+                        "privateKeySecret": {
+                            "type": "string"
+                        }
+                    }
+                },
                 "tolerations": {
                     "type": "array"
                 }

diff --git a/charts/scalardl-audit/values.yaml b/charts/scalardl-audit/values.yaml
@@ -266,3 +266,17 @@ auditor:
     serviceAccountName: ""
     # -- Specify to mount a service account token or not
     automountServiceAccountToken: false
+
+  tls:
+    # -- Enable TLS. You need to enable TLS when you use wire encryption feature of ScalarDL Auditor.
+    enabled: false
+    # -- Specify the custom authority for TLS communication. This chart uses this value for startupProbe and livenessProbe.
+    overrideAuthority: ""
+    # -- Secret name that includes the custom CA root certificate for TLS communication.
+    caRootCertSecret: ""
+    # -- Secret name that includes the certificate chain file used for TLS communication.
+    certChainSecret: ""
+    # -- Secret name that includes the private key file used for TLS communication.
+    privateKeySecret: ""
+    # -- Secret name that includes the custom CA root certificate for TLS communication between Auditor and Ledger.
+    caRootCertForLedgerSecret: ""