Merge pull request #1 from pbufio/tls-auth-support

support tls and auth for registry v0.3.0
pbufio · Nov 26, 2023 · e1b7768 · e1b7768
2 parents c1ae54a + db1df7b
commit e1b7768
Show file tree

Hide file tree

Showing 7 changed files with 154 additions and 41 deletions.
diff --git a/.github/workflows/pr.yml b/.github/workflows/pr.yml
@@ -0,0 +1,35 @@
+name: Release Charts
+
+on:
+  pull_request:
+    branches:
+      - 'main'
+    paths-ignore:
+      - '**/**.md'
+      - 'LICENSE'
+
+jobs:
+  release:
+    permissions:
+      contents: write
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+        with:
+          fetch-depth: 0
+
+      - name: Configure Git
+        run: |
+          git config user.name "$GITHUB_ACTOR"
+          git config user.email "[email protected]"
+
+      - name: Install Helm
+        uses: azure/setup-helm@v3
+
+      - name: Run chart-releaser
+        uses: helm/[email protected]
+        with:
+          charts_dir: .
+        env:
+          CR_TOKEN: "${{ secrets.GITHUB_TOKEN }}"
diff --git a/README.md b/README.md
diff --git a/pbuf-registry/Chart.yaml b/pbuf-registry/Chart.yaml
@@ -2,5 +2,5 @@ apiVersion: v2
 name: pbuf-registry
 description: A Helm chart for PBUF Registry
 type: application
-version: 0.2.0
-appVersion: "v0.2.0"
+version: 0.3.0-rc.1
+appVersion: "v0.3.0-rc.1"
diff --git a/pbuf-registry/templates/deployment.yaml b/pbuf-registry/templates/deployment.yaml
@@ -46,12 +46,31 @@ spec:
                 secretKeyRef:
                   name: {{ include "pbuf-registry.fullname" . }}
                   key: DATA_DATABASE_DSN
+            - name: SERVER_STATIC_TOKEN
+              valueFrom:
+                secretKeyRef:
+                  name: {{ include "pbuf-registry.fullname" . }}
+                  key: SERVER_STATIC_TOKEN
+            - name: SERVER_GRPC_TLS_ENABLED
+              value: "{{ .Values.service.grpc.tls.enabled }}"
+            - name: SERVER_GRPC_TLS_CERTFILE
+              value: /app/certs/server-cert.pem
+            - name: SERVER_GRPC_TLS_KEYFILE
+              value: /app/certs/server-key.pem
+            - name: SERVER_GRPC_AUTH_ENABLED
+              value: "{{ .Values.service.grpc.auth.enabled }}"
+            - name: SERVER_GRPC_AUTH_TYPE
+              value: "{{ .Values.service.grpc.auth.type }}"
+            - name: SERVER_HTTP_AUTH_ENABLED
+              value: "{{ .Values.service.http.auth.enabled }}"
+            - name: SERVER_HTTP_AUTH_TYPE
+              value: "{{ .Values.service.http.auth.type }}"
           ports:
             - name: http
               containerPort: 8080
               protocol: TCP
             - name: grpc
-              containerPort: 8081
+              containerPort: 6777
               protocol: TCP
             - name: debug
               containerPort: 8082
@@ -66,6 +85,15 @@ spec:
               port: debug
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /app/certs/server-cert.pem
+              name: secret
+              readOnly: true
+              subPath: server-cert.pem
+            - mountPath: /app/certs/server-key.pem
+              name: secret
+              readOnly: true
+              subPath: server-key.pem
       {{- with .Values.customSidecarContainers }}
         {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -81,3 +109,7 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
+      volumes:
+      - name: secret
+        secret:
+          secretName: {{ include "pbuf-registry.fullname" . }}
diff --git a/pbuf-registry/templates/eso.yaml b/pbuf-registry/templates/eso.yaml
@@ -15,4 +15,16 @@ spec:
       remoteRef:
         key: {{ .Values.secrets.eso.remoteRefKey }}
         property: {{ .Values.secrets.eso.databaseDSNProperty }}
+    - secretKey: SERVER_STATIC_TOKEN
+      remoteRef:
+        key: {{ .Values.secrets.eso.remoteRefKey }}
+        property: {{ .Values.secrets.eso.serverStaticTokenProperty }}
+    - secretKey: server-cert.pem
+      remoteRef:
+        key: {{ .Values.secrets.eso.remoteRefKey }}
+        property: {{ .Values.secrets.eso.serverGrpcTlsCertFileProperty }}
+    - secretKey: server-key.pem
+      remoteRef:
+        key: {{ .Values.secrets.eso.remoteRefKey }}
+        property: {{ .Values.secrets.eso.serverGrpcTlsKeyFileProperty }}
 {{- end }}
diff --git a/pbuf-registry/templates/secret.yaml b/pbuf-registry/templates/secret.yaml
@@ -8,4 +8,13 @@ data:
 {{- if .Values.secrets.databaseDSN }}
   DATA_DATABASE_DSN: {{ .Values.secrets.databaseDSN | b64enc | quote }}
 {{- end }}
+{{- if .Values.secrets.staticToken }}
+  SERVER_STATIC_TOKEN: {{ .Values.secrets.staticToken | b64enc | quote }}
+{{- end }}
+{{- if .Values.secrets.grpcTlsCert }}
+  server-cert.pem: {{ .Values.secrets.grpcTlsCert | b64enc | quote }}
+{{- end }}
+{{- if .Values.secrets.grpcTlsKey }}
+  server-key.pem: {{ .Values.secrets.grpcTlsKey | b64enc | quote }}
+{{- end }}
 {{- end }}
diff --git a/pbuf-registry/values.yaml b/pbuf-registry/values.yaml
@@ -39,21 +39,35 @@ service:
   type: ClusterIP
   http:
     port: 8080
+    auth:
+      enabled: false
+      type: ""
   grpc:
-    port: 8081
+    port: 6777
+    tls:
+      enabled: false
+    auth:
+      enabled: false
+      type: ""
   debug:
     port: 8082
 
 secrets:
   create: true
   databaseDSN: ""
+  staticToken: ""
+  grpcTlsCert: ""
+  grpcTlsKey: ""
 
   # use external secrets operator for production usage
   eso:
     create: false
     secretStoreRefName: ""
     remoteRefKey: ""
     databaseDSNProperty: ""
+    serverStaticTokenProperty: ""
+    serverGrpcTlsCertFileProperty: ""
+    serverGrpcTlsKeyFileProperty: ""
 
 ingress:
   enabled: false