Enabled internal TLS between k8s pods by default
jk464 committed Feb 8, 2024
1 parent 44aa43a commit 71cd602
Showing 9 changed files with 324 additions and 8 deletions.
18 changes: 18 additions & 0 deletions templates/_helpers.tpl
Expand Up @@ -411,3 +411,21 @@ Create the custom env list for each deployment
value: {{ $value | quote }}
{{- end }}
{{- end -}}

{{/*
Set up values for Internal TLS
*/}}
{{- define "stackstorm-ha.internal_tls.cert_volume.mount" -}}
{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
- name: {{ .Values.st2.tls.secretName }}
mountPath: {{ .Values.st2.tls.mountPath }}/
readOnly: true
{{- end }}
{{- end -}}
{{- define "stackstorm-ha.internal_tls.cert_volume.volume" -}}
{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
- name: {{ .Values.st2.tls.secretName }}
secret:
secretName: {{ .Values.st2.tls.secretName }}
{{- end }}
{{- end -}}
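Review bot: The enabling predicate `or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled` is written out in both new defines here and again in templates/certificate.yaml, so the three copies can drift; a single named template, e.g. `{{- define "stackstorm-ha.internal_tls.enabled" -}}{{ or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}{{- end -}}`, tested with `{{- if eq (include "stackstorm-ha.internal_tls.enabled" .) "true" }}`, keeps them in sync. The header comment `Set up values for Internal TLS` says little; it should state that each define emits one volumeMount / volume entry named after `st2.tls.secretName`, only when one of the three toggles is on, and that the caller must `nindent` the output into its pod spec. The secret name is also reused as the volume name in both defines, so it must additionally be a valid volume name (a DNS label), which is worth a comment next to `- name:` if the value is user-supplied.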
21 changes: 21 additions & 0 deletions templates/ca.yaml
@@ -0,0 +1,21 @@
{{- if not ( .Values.st2.tls.certificate_issuer.existing ) -}}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: {{ .Values.st2.tls.certificate_issuer.name }}
namespace: "{{ $.Release.Namespace }}"
spec:
ca:
secretName: {{ .Values.st2.tls.certificate_issuer.name }}-tls
---
apiVersion: v1
data:
tls.crt: "{{ .Values.secret.ca.crt }}"
tls.key: "{{ .Values.secret.ca.key }}"
kind: Secret
metadata:
name: {{ .Values.st2.tls.certificate_issuer.name }}-tls
namespace: "{{ $.Release.Namespace }}"
type: kubernetes.io/tls
{{- end -}}
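Review bot: The Issuer and its CA Secret are rendered whenever `st2.tls.certificate_issuer.existing` is false, with no check that any TLS toggle is on, so a Secret holding the CA private key (`tls.key`) is installed even on clusters where internal TLS is disabled; gating the file on the same `or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled` predicate used in templates/certificate.yaml would avoid that. Neither `.Values.secret.ca.crt` nor `.Values.secret.ca.key` is guarded, so an unset value renders an empty `tls.crt`/`tls.key` and the failure only shows up later when cert-manager tries to sign; `tls.crt: "{{ required "secret.ca.crt is required when certificate_issuer.existing is false" .Values.secret.ca.crt }}"` (and the same for the key) fails at template time instead. Both values are placed under `data:`, which Kubernetes expects to be base64, so if the chart takes PEM in values this needs `| b64enc` (or `stringData:`); either way the expected encoding should be documented at the values key. Because the CA key lives in Helm values it is also kept in the release's stored values, so a comment pointing production users at `certificate_issuer.existing` or an externally managed secret would help.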
28 changes: 28 additions & 0 deletions templates/certificate.yaml
@@ -0,0 +1,28 @@
{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: {{ .Values.st2.tls.secretName }}
labels:
app: stackstorm
heritage: {{.Release.Service | quote}}
release: {{.Release.Name | quote}}
chart: {{ replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name }}
spec:
secretName: {{ .Values.st2.tls.secretName }}
dnsNames:
- "*.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}"
{{ include "stackstorm-ha.mongodb-nodes" $ | splitList "," | toYaml | indent 4 }}
ipAddresses:
- "127.0.0.1"
renewBefore: 360h # 15d
privateKey:
rotationPolicy: Always
algorithm: RSA
size: 3072
issuerRef:
name: {{ .Values.st2.tls.certificate_issuer.name }}
kind: Issuer
group: cert-manager.io
{{- end -}}
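Review bot: The labels block is hand-written (`app`, `heritage`, `release`, `chart`) while the other template touched by this commit uses `labels: {{- include "stackstorm-ha.labels" (list $ "st2") | nindent 4 }}` (templates/configmaps_st2-urls.yaml); using the helper here keeps the label set consistent across the chart. The certificate carries a wildcard dnsName `*.<namespace>.svc.<clusterDomain>` and is distributed as one shared secret, so it is a namespace-wide identity rather than a per-service one; a comment at `dnsNames` saying so would keep a later reader from assuming the cert authenticates a specific service. If `stackstorm-ha.mongodb-nodes` can render empty, `splitList ","` produces a single empty entry and cert-manager rejects an empty dnsName; wrapping that line in `{{- with include "stackstorm-ha.mongodb-nodes" $ }}` avoids it. No `duration` is set, so the cert-manager default applies; stating it explicitly beside `renewBefore: 360h # 15d` makes the renewal window self-describing.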
8 changes: 8 additions & 0 deletions templates/configmaps_st2-conf.yaml
Expand Up @@ -11,7 +11,11 @@ data:
# The order of merging: st2.conf < st2.docker.conf < st2.user.conf
st2.docker.conf: |
[auth]
{{- if .Values.rabbitmq.tls.enabled }}
api_url = https://{{ .Release.Name }}-st2api:9111/
{{- else }}
api_url = http://{{ .Release.Name }}-st2api:9101/
{{- end -}}
[system_user]
user = {{ .Values.st2.system_user.user }}
ssh_key_file = {{ tpl .Values.st2.system_user.ssh_key_file . }}
Expand All @@ -21,7 +25,11 @@ data:
{{- end }}
{{- if index .Values "rabbitmq" "enabled" }}
[messaging]
{{- if .Values.rabbitmq.tls.enabled }}
url = amqp://{{ required "rabbitmq.auth.username is required!" (index .Values "rabbitmq" "auth" "username") }}:{{ required "rabbitmq.auth.password is required!" (index .Values "rabbitmq" "auth" "password") }}@{{ .Release.Name }}-rabbitmq:5671{{ required "rabbitmq.ingress.path is required!" (index .Values "rabbitmq" "ingress" "path") }}
{{- else }}
url = amqp://{{ required "rabbitmq.auth.username is required!" (index .Values "rabbitmq" "auth" "username") }}:{{ required "rabbitmq.auth.password is required!" (index .Values "rabbitmq" "auth" "password") }}@{{ .Release.Name }}-rabbitmq:5672{{ required "rabbitmq.ingress.path is required!" (index .Values "rabbitmq" "ingress" "path") }}
{{- end -}}
{{- end }}
{{- if index .Values "mongodb" "enabled" }}
[database]
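Review bot: In the first hunk the `api_url` scheme and port are switched on `.Values.rabbitmq.tls.enabled` (the line after `[auth]`), while templates/configmaps_st2-urls.yaml switches the same st2api endpoint on `and .Values.st2.tls.enabled .Values.st2api.tls.enabled`; unless the RabbitMQ toggle is meant to drive the API URL, this reads as a copy of the messaging condition and the two should agree. The new `{{- end -}}` after the `api_url` branch also trims the newline that follows it, so the rendered config becomes `api_url = http://...-st2api:9101/[system_user]` on one line and the ini no longer parses; the file's existing convention is `{{- end }}` (as on the surrounding lines) and the second hunk's `{{- end -}}` should follow it too even though there it happens to be harmless. In the second hunk the TLS branch of the messaging `url` keeps the `amqp://` scheme and only changes the port to 5671, so unless ssl-related `[messaging]` keys are set outside the hunk the client would attempt a plaintext handshake against the TLS listener; the scheme or the matching ssl options need to change together with the port. The enclosing `data:` block continues past both hunks.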
12 changes: 12 additions & 0 deletions templates/configmaps_st2-urls.yaml
Expand Up @@ -7,6 +7,18 @@ metadata:
description: StackStorm service URLs, used across entire st2 cluster
labels: {{- include "stackstorm-ha.labels" (list $ "st2") | nindent 4 }}
data:
{{- if and .Values.st2.tls.enabled .Values.st2auth.tls.enabled }}
ST2_AUTH_URL: https://{{ .Release.Name }}-st2auth:9100/
{{- else }}
ST2_AUTH_URL: http://{{ .Release.Name }}-st2auth:9100/
{{- end }}
{{- if and .Values.st2.tls.enabled .Values.st2api.tls.enabled }}
ST2_API_URL: https://{{ .Release.Name }}-st2api:9111/
{{- else }}
ST2_API_URL: http://{{ .Release.Name }}-st2api:9101/
{{- end }}
{{- if and .Values.st2.tls.enabled .Values.st2stream.tls.enabled }}
ST2_STREAM_URL: https://{{ .Release.Name }}-st2stream:9112/
{{- else }}
ST2_STREAM_URL: http://{{ .Release.Name }}-st2stream:9102/
{{- end }}
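Review bot: The st2api branch changes the port together with the scheme (9111 vs 9101) while st2auth and st2stream keep 9100 and 9102 in both branches; if that is intentional (a separate TLS listener for st2api), a comment on the `ST2_API_URL` line would stop the next reader from treating it as a typo. Each of the three if/else blocks can collapse to one line with `ternary`, e.g. `ST2_AUTH_URL: {{ ternary "https" "http" (and .Values.st2.tls.enabled .Values.st2auth.tls.enabled) }}://{{ .Release.Name }}-st2auth:9100/`, which keeps the condition next to the URL it controls. The gating here is `and .Values.st2.tls.enabled .Values.<svc>.tls.enabled`, whereas the certificate and volume helpers in this commit are enabled by `or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled`, so a combination such as `st2.tls.enabled: false` with `mongodb.tls.enabled: true` issues and mounts the cert but leaves these URLs on http; a sentence in the values documentation on how the toggles relate would help.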
