[envoy] Support TLS in Scalar Envoy chart (#253)
kota2and3kan authored Mar 21, 2024
1 parent d860123 commit ee726cb
Showing 4 changed files with 99 additions and 0 deletions.
8 changes: 8 additions & 0 deletions charts/envoy/README.md
Expand Up @@ -44,4 +44,12 @@ Current chart version is `3.0.0-SNAPSHOT`
| serviceMonitor.namespace | string | `"monitoring"` | which namespace prometheus is located. by default monitoring |
| strategy.rollingUpdate | object | `{"maxSurge":"25%","maxUnavailable":"25%"}` | The number of pods that can be unavailable during the update process |
| strategy.type | string | `"RollingUpdate"` | New pods are added gradually, and old pods are terminated gradually, e.g: Recreate or RollingUpdate |
| tls.downstream | object | `{"certChainSecret":"","enabled":false,"privateKeySecret":""}` | TLS configuration between client and Envoy. |
| tls.downstream.certChainSecret | string | `""` | Name of the Secret containing the certificate chain file used for TLS communication. |
| tls.downstream.enabled | bool | `false` | Enable TLS between client and Envoy. |
| tls.downstream.privateKeySecret | string | `""` | Name of the Secret containing the private key file used for TLS communication. |
| tls.upstream | object | `{"caRootCertSecret":"","enabled":false,"overrideAuthority":""}` | TLS configuration between Envoy and ScalarDB Cluster or ScalarDL. |
| tls.upstream.caRootCertSecret | string | `""` | Name of the Secret containing the custom CA root certificate for TLS communication. |
| tls.upstream.enabled | bool | `false` | Enable TLS between Envoy and ScalarDB Cluster or ScalarDL. You need to enable TLS when you use wire encryption feature of ScalarDB Cluster or ScalarDL. |
| tls.upstream.overrideAuthority | string | `""` | The custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`, `ledger.tls.certChainSecret`, or `auditor.tls.certChainSecret`. Envoy uses this value for certificate verification of TLS connection with ScalarDB Cluster or ScalarDL. |
| tolerations | list | `[]` | Tolerations are applied to pods, and allow (but do not require) the pods to schedule onto nodes with matching taints. |
40 changes: 40 additions & 0 deletions charts/envoy/templates/deployment.yaml
Expand Up @@ -53,6 +53,14 @@ spec:
value: {{ include "envoy.fullname" . }}-headless
- name: service_listeners
value: "{{ .Values.envoyConfiguration.serviceListeners }}"
- name: envoy_tls
value: "{{ .Values.tls.downstream.enabled }}"
- name: envoy_upstream_tls
value: "{{ .Values.tls.upstream.enabled }}"
{{- if .Values.tls.upstream.overrideAuthority }}
- name: envoy_upstream_tls_override_authority
value: "{{ .Values.tls.upstream.overrideAuthority }}"
{{- end }}
startupProbe:
httpGet:
path: /ready
Expand All @@ -73,6 +81,38 @@ spec:
command: ["/bin/sh", "-c", "curl -sX POST 127.0.0.1:9001/healthcheck/fail; sleep 30"]
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumeMounts:
{{- if .Values.tls.upstream.caRootCertSecret }}
- name: scalar-envoy-tls-ca-root-volume
mountPath: /etc/envoy/upstream/tls/ca.pem
subPath: ca-root-cert
{{- end }}
{{- if .Values.tls.downstream.certChainSecret }}
- name: scalar-envoy-tls-cert-chain-volume
mountPath: /etc/envoy/cert.pem
subPath: cert-chain
{{- end }}
{{- if .Values.tls.downstream.privateKeySecret }}
- name: scalar-envoy-tls-private-key-volume
mountPath: /etc/envoy/key.pem
subPath: private-key
{{- end }}
volumes:
{{- if .Values.tls.upstream.caRootCertSecret }}
- name: scalar-envoy-tls-ca-root-volume
secret:
secretName: {{ .Values.tls.upstream.caRootCertSecret }}
{{- end }}
{{- if .Values.tls.downstream.certChainSecret }}
- name: scalar-envoy-tls-cert-chain-volume
secret:
secretName: {{ .Values.tls.downstream.certChainSecret }}
{{- end }}
{{- if .Values.tls.downstream.privateKeySecret }}
- name: scalar-envoy-tls-private-key-volume
secret:
secretName: {{ .Values.tls.downstream.privateKeySecret }}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
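Review bot: The volumes and volumeMounts in the second hunk are gated on the Secret names (`caRootCertSecret`, `certChainSecret`, `privateKeySecret`) while the `envoy_tls` / `envoy_upstream_tls` env vars in the first hunk are gated on `enabled`, so `tls.downstream.enabled: true` with an empty `certChainSecret` or `privateKeySecret` renders a Deployment that tells the image to serve TLS with no certificate or key mounted, which presumably only fails once the pod starts. A render-time guard near the top of the template catches this earlier: `{{- if and .Values.tls.downstream.enabled (not (and .Values.tls.downstream.certChainSecret .Values.tls.downstream.privateKeySecret)) }}` / `{{- fail "tls.downstream.certChainSecret and tls.downstream.privateKeySecret are required when tls.downstream.enabled is true" }}` / `{{- end }}`, and the same shape for `tls.upstream.enabled` without `caRootCertSecret` unless the image falls back to a system trust store, which this page does not show. The three `secretName:` values should also be quoted like the env values above them (`secretName: {{ .Values.tls.downstream.certChainSecret | quote }}`), since an unquoted all-digit Secret name would be typed as an integer by the YAML parser. Note as well that the `subPath` mounts of the certificate chain and private key do not receive Secret updates while the pod is running, so a rotated certificate takes effect only after a pod restart; a comment saying so on the mounts would spare operators a surprise. The enclosing container entry starts before the hunk and the `volumes` list continues past it.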
33 changes: 33 additions & 0 deletions charts/envoy/values.schema.json
Expand Up @@ -184,6 +184,39 @@
}
}
},
"tls": {
"type": "object",
"properties": {
"downstream": {
"type": "object",
"properties": {
"certChainSecret": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"privateKeySecret": {
"type": "string"
}
}
},
"upstream": {
"type": "object",
"properties": {
"caRootCertSecret": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"overrideAuthority": {
"type": "string"
}
}
}
}
},
"tolerations": {
"type": "array"
}
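Review bot: The new `tls` schema types each field but does not express that `enabled: true` only works together with the Secret names, so a values file that enables downstream TLS while leaving `certChainSecret` and `privateKeySecret` at their empty-string defaults passes schema validation and fails only at pod start. If the schema draft this file declares supports conditional keywords, adding `"if": {"properties": {"enabled": {"const": true}}}, "then": {"properties": {"certChainSecret": {"minLength": 1}, "privateKeySecret": {"minLength": 1}}}` to the `downstream` object rejects that combination at `helm install` time; `minLength` rather than `required` is needed because the keys are always present once values.yaml defaults are merged. The analogue for `upstream` with `caRootCertSecret` applies only if the upstream side has no other trust source, which I cannot tell from this commit. The enclosing `properties` object starts before and ends after the hunk.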
18 changes: 18 additions & 0 deletions charts/envoy/values.yaml
Expand Up @@ -114,3 +114,21 @@ tolerations: []

# affinity -- the affinity/anti-affinity feature, greatly expands the types of constraints you can express
affinity: {}

tls:
# -- TLS configuration between client and Envoy.
downstream:
# -- Enable TLS between client and Envoy.
enabled: false
# -- Name of the Secret containing the certificate chain file used for TLS communication.
certChainSecret: ""
# -- Name of the Secret containing the private key file used for TLS communication.
privateKeySecret: ""
# -- TLS configuration between Envoy and ScalarDB Cluster or ScalarDL.
upstream:
# -- Enable TLS between Envoy and ScalarDB Cluster or ScalarDL. You need to enable TLS when you use wire encryption feature of ScalarDB Cluster or ScalarDL.
enabled: false
# -- The custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`, `ledger.tls.certChainSecret`, or `auditor.tls.certChainSecret`. Envoy uses this value for certificate verification of TLS connection with ScalarDB Cluster or ScalarDL.
overrideAuthority: ""
# -- Name of the Secret containing the custom CA root certificate for TLS communication.
caRootCertSecret: ""

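Review bot: The comment on `downstream.enabled` does not say which sibling keys must be set for the flag to do anything, even though the deployment template in this commit mounts the certificate and key only when `certChainSecret` and `privateKeySecret` are non-empty. I would extend it to `# -- Enable TLS between client and Envoy. When set to true, certChainSecret and privateKeySecret must also be set.` and, on `upstream.enabled`, state what Envoy verifies the upstream certificate against when `caRootCertSecret` is left empty, which neither this file nor the README documents. The key order under `upstream` (`enabled`, `overrideAuthority`, `caRootCertSecret`) also differs from the alphabetical order used in the README table and the schema; matching it keeps the generated docs and this file easy to compare.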