
[scalardl-auditor] Support cert-manager in ScalarDL Auditor chart (#265)
kota2and3kan authored May 31, 2024
1 parent 002381e commit 9e77976
Showing 5 changed files with 212 additions and 39 deletions.
10 changes: 10 additions & 0 deletions charts/scalardl-audit/README.md
Expand Up @@ -69,6 +69,16 @@ Current chart version is `3.0.0-SNAPSHOT`
| auditor.tls.caRootCertForLedgerSecret | string | `""` | Name of the Secret containing the custom CA root certificate for TLS communication between Auditor and Ledger. |
| auditor.tls.caRootCertSecret | string | `""` | Name of the Secret containing the custom CA root certificate for TLS communication. |
| auditor.tls.certChainSecret | string | `""` | Name of the Secret containing the certificate chain file used for TLS communication. |
| auditor.tls.certManager.dnsNames | list | `["localhost"]` | Subject Alternative Name (SAN) of a certificate. |
| auditor.tls.certManager.duration | string | `"8760h0m0s"` | Duration of a certificate. |
| auditor.tls.certManager.enabled | bool | `false` | Use cert-manager to manage private key and certificate files. |
| auditor.tls.certManager.issuerRef | object | `{}` | Issuer references of cert-manager. |
| auditor.tls.certManager.privateKey | object | `{"algorithm":"ECDSA","encoding":"PKCS1","size":256}` | Configuration of a private key. |
| auditor.tls.certManager.renewBefore | string | `"360h0m0s"` | How long before expiry a certificate should be renewed. |
| auditor.tls.certManager.selfSigned.caRootCert.duration | string | `"8760h0m0s"` | Duration of a self-signed CA certificate. |
| auditor.tls.certManager.selfSigned.caRootCert.renewBefore | string | `"360h0m0s"` | How long before expiry a self-signed CA certificate should be renewed. |
| auditor.tls.certManager.selfSigned.enabled | bool | `false` | Use self-signed CA. |
| auditor.tls.certManager.usages | list | `["server auth","key encipherment","signing"]` | List of key usages. |
| auditor.tls.enabled | bool | `false` | Enable TLS. You need to enable TLS when you use wire encryption feature of ScalarDL Auditor. |
| auditor.tls.overrideAuthority | string | `""` | The custom authority for TLS communication. This doesn't change what host is actually connected. This is intended for testing, but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `auditor.tls.certChainSecret`. This chart uses this value for startupProbe and livenessProbe. |
| auditor.tls.privateKeySecret | string | `""` | Name of the Secret containing the private key file used for TLS communication. |
Expand Down
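--- a/charts/scalardl-audit/templates/auditor/certmanager.yaml
+++ b/charts/scalardl-audit/templates/auditor/certmanager.yaml
@@ -0,0 +1,84 @@
+{{- if .Values.auditor.tls.certManager.enabled }}
+{{- if .Values.auditor.tls.certManager.selfSigned.enabled }}
+# Self-signed root CA
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "scalardl-audit.fullname" . }}-self-signed-issuer
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "scalardl-audit-auditor.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}
+---
+# Generate a CA Certificate used to sign certificates for the ScalarDL Auditor
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "scalardl-audit.fullname" . }}-root-ca-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "scalardl-audit-auditor.labels" . | nindent 4 }}
+spec:
+  isCA: true
+  secretName: {{ include "scalardl-audit.fullname" . }}-root-ca-cert
+  secretTemplate:
+    labels:
+      {{- include "scalardl-audit-auditor.labels" . | nindent 6 }}
+  commonName: self-signed-ca
+  duration: {{ .Values.auditor.tls.certManager.selfSigned.caRootCert.duration | quote }}
+  renewBefore: {{ .Values.auditor.tls.certManager.selfSigned.caRootCert.renewBefore | quote }}
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: {{ include "scalardl-audit.fullname" . }}-self-signed-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+# Create an Issuer that uses the above generated CA certificate to issue certs
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "scalardl-audit.fullname" . }}-ca-issuer
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "scalardl-audit-auditor.labels" . | nindent 4 }}
+spec:
+  ca:
+    secretName: {{ include "scalardl-audit.fullname" . }}-root-ca-cert
+{{- end }}
+---
+# Generate a server certificate for the ScalarDL Auditor
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "scalardl-audit.fullname" . }}-tls-cert
+  namespace: {{ .Release.Namespace }}
+  labels:
+    {{- include "scalardl-audit-auditor.labels" . | nindent 4 }}
+spec:
+  secretName: {{ include "scalardl-audit.fullname" . }}-tls-cert
+  secretTemplate:
+    labels:
+      {{- include "scalardl-audit-auditor.labels" . | nindent 6 }}
+  duration: {{ .Values.auditor.tls.certManager.duration | quote }}
+  renewBefore: {{ .Values.auditor.tls.certManager.renewBefore | quote }}
+  privateKey:
+    {{- toYaml .Values.auditor.tls.certManager.privateKey | nindent 4 }}
+  usages:
+    {{- range .Values.auditor.tls.certManager.usages }}
+    - {{ . | quote }}
+    {{- end }}
+  dnsNames:
+    {{- range .Values.auditor.tls.certManager.dnsNames }}
+    - {{ . | quote }}
+    {{- end }}
+  issuerRef:
+    # If and only if you set `auditor.tls.certManager.selfSigned.enabled=true`, this chart automatically generates a self-signed CA and uses it.
+    {{- if .Values.auditor.tls.certManager.selfSigned.enabled }}
+    name: {{ include "scalardl-audit.fullname" . }}-ca-issuer
+    {{- else }}
+    {{- toYaml .Values.auditor.tls.certManager.issuerRef | nindent 4 }}
+    {{- end }}
+{{- end }}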
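Review bot: The `{{- else }}` branch of the leaf Certificate's `issuerRef` splats `auditor.tls.certManager.issuerRef` as-is, and that value defaults to `{}`, so with `selfSigned.enabled=false` and the default left in place the chart renders an empty `issuerRef:` that cert-manager will reject (an issuer name is mandatory) with an error that does not point back at the chart value. Failing at render time is clearer: add `{{- $_ := required "auditor.tls.certManager.issuerRef.name is required when selfSigned.enabled=false" .Values.auditor.tls.certManager.issuerRef.name }}` immediately before the `toYaml` line in that branch. The leaf certificate's SANs also come only from `dnsNames`, whose default is `localhost`, so with the defaults the certificate satisfies the in-pod probes but not a Ledger or client that connects through the chart's Service; consider appending the Service hostname(s) to the rendered `dnsNames`, or document that operators must set `dnsNames` (or `overrideAuthority` on the peer) for anything beyond the probes. As far as I recall, `ca.crt` in the leaf Secret is populated only by issuers that supply a CA bundle (the chart's own CA issuer does, ACME-style issuers do not), which matters because the deployment's probes read that file.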
65 changes: 26 additions & 39 deletions charts/scalardl-audit/templates/auditor/deployment.yaml
Expand Up @@ -41,25 +41,30 @@ spec:
- name: scalardl-auditor-properties-volume
configMap:
name: {{ include "scalardl-audit.fullname" . }}-auditor-properties
{{- if .Values.auditor.tls.caRootCertSecret }}
- name: scalardl-auditor-tls-ca-root-volume
{{- if and .Values.auditor.tls.enabled .Values.auditor.tls.certManager.enabled }}
- name: scalardl-auditor-tls-volume
secret:
secretName: {{ .Values.auditor.tls.caRootCertSecret }}
secretName: {{ include "scalardl-audit.fullname" . }}-tls-cert
{{- end }}
{{- if .Values.auditor.tls.certChainSecret }}
- name: scalardl-auditor-tls-cert-chain-volume
secret:
secretName: {{ .Values.auditor.tls.certChainSecret }}
{{- end }}
{{- if .Values.auditor.tls.privateKeySecret }}
- name: scalardl-auditor-tls-private-key-volume
secret:
secretName: {{ .Values.auditor.tls.privateKeySecret }}
{{- if and (.Values.auditor.tls.enabled) (not .Values.auditor.tls.certManager.enabled) }}
- name: scalardl-auditor-tls-volume
projected:
sources:
- secret:
name: {{ .Values.auditor.tls.caRootCertSecret }}
- secret:
name: {{ .Values.auditor.tls.certChainSecret }}
- secret:
name: {{ .Values.auditor.tls.privateKeySecret }}
{{- end }}
{{- if .Values.auditor.tls.caRootCertForLedgerSecret }}
- name: scalardl-auditor-tls-ca-root-for-ledger-volume
{{- if .Values.auditor.tls.enabled }}
- name: scalardl-auditor-tls-for-ledger-volume
secret:
{{- if .Values.auditor.tls.caRootCertForLedgerSecret }}
secretName: {{ .Values.auditor.tls.caRootCertForLedgerSecret }}
{{- else }}
secretName: {{ include "scalardl-audit.fullname" . }}-tls-cert
{{- end }}
{{- end }}
{{- with .Values.auditor.extraVolumes }}
{{- toYaml . | nindent 8 }}
Expand All @@ -81,25 +86,11 @@ spec:
- name: scalardl-auditor-properties-volume
mountPath: /scalar/auditor/auditor.properties
subPath: auditor.properties
{{- if .Values.auditor.tls.caRootCertSecret }}
- name: scalardl-auditor-tls-ca-root-volume
mountPath: /tls/certs/ca-root-cert.pem
subPath: ca-root-cert
{{- end }}
{{- if .Values.auditor.tls.certChainSecret }}
- name: scalardl-auditor-tls-cert-chain-volume
mountPath: /tls/certs/cert-chain.pem
subPath: cert-chain
{{- end }}
{{- if .Values.auditor.tls.privateKeySecret }}
- name: scalardl-auditor-tls-private-key-volume
mountPath: /tls/certs/private-key.pem
subPath: private-key
{{- end }}
{{- if .Values.auditor.tls.caRootCertSecret }}
- name: scalardl-auditor-tls-ca-root-for-ledger-volume
mountPath: /tls/certs/ca-root-cert-for-ledger.pem
subPath: ca-root-cert-for-ledger
{{- if .Values.auditor.tls.enabled }}
- name: scalardl-auditor-tls-volume
mountPath: /tls/scalardl-auditor/certs
- name: scalardl-auditor-tls-for-ledger-volume
mountPath: /tls/scalardl-ledger/certs
{{- end }}
{{- with .Values.auditor.extraVolumeMounts }}
{{- toYaml . | nindent 12 }}
Expand Down Expand Up @@ -164,9 +155,7 @@ spec:
- -addr=localhost:40051
{{- if .Values.auditor.tls.enabled }}
- -tls
{{- if .Values.auditor.tls.caRootCertSecret }}
- -tls-ca-cert=/tls/certs/ca-root-cert.pem
{{- end }}
- -tls-ca-cert=/tls/scalardl-auditor/certs/ca.crt
{{- if .Values.auditor.tls.overrideAuthority }}
- -tls-server-name={{ .Values.auditor.tls.overrideAuthority }}
{{- end }}
Expand All @@ -180,9 +169,7 @@ spec:
- -addr=localhost:40051
{{- if .Values.auditor.tls.enabled }}
- -tls
{{- if .Values.auditor.tls.caRootCertSecret }}
- -tls-ca-cert=/tls/certs/ca-root-cert.pem
{{- end }}
- -tls-ca-cert=/tls/scalardl-auditor/certs/ca.crt
{{- if .Values.auditor.tls.overrideAuthority }}
- -tls-server-name={{ .Values.auditor.tls.overrideAuthority }}
{{- end }}
Expand Down
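Review bot: In the first hunk, the projected `scalardl-auditor-tls-volume` for the non-cert-manager path lists `caRootCertSecret`, `certChainSecret` and `privateKeySecret` unconditionally, whereas the removed code guarded each one with its own `{{- if }}`; all three default to `""`, so a user who enables TLS without setting one of them now gets a source with an empty `name:` that the API server should reject at Deployment creation, instead of either a working deployment or a clear render-time error. Since the probe hunks now hard-code `-tls-ca-cert=/tls/scalardl-auditor/certs/ca.crt`, all three Secrets are effectively mandatory on that path, so `required` is the honest fix (below). The same hunk's `{{- else }}` for `scalardl-auditor-tls-for-ledger-volume` falls back to the cert-manager Secret whenever `caRootCertForLedgerSecret` is empty, including when `certManager.enabled` is false, in which case that Secret does not exist; that branch needs the same `certManager.enabled` condition, with a `required` error otherwise. Finally, dropping `subPath` means the Secrets' key names become the file names the probes read (`ca.crt` at least), which is a breaking change for existing users whose Secrets use the old `ca-root-cert`/`cert-chain`/`private-key` keys and is not mentioned in the README rows in this commit.
```yaml
        {{- if and (.Values.auditor.tls.enabled) (not .Values.auditor.tls.certManager.enabled) }}
        - name: scalardl-auditor-tls-volume
          projected:
            sources:
              - secret:
                  name: {{ required "auditor.tls.caRootCertSecret is required when auditor.tls.enabled=true and certManager is disabled" .Values.auditor.tls.caRootCertSecret }}
              - secret:
                  name: {{ required "auditor.tls.certChainSecret is required when auditor.tls.enabled=true and certManager is disabled" .Values.auditor.tls.certChainSecret }}
              - secret:
                  name: {{ required "auditor.tls.privateKeySecret is required when auditor.tls.enabled=true and certManager is disabled" .Values.auditor.tls.privateKeySecret }}
        {{- end }}
        # … unchanged: ledger CA volume, extraVolumes …
```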
62 changes: 62 additions & 0 deletions charts/scalardl-audit/values.schema.json
Expand Up @@ -278,6 +278,68 @@
"certChainSecret": {
"type": "string"
},
"certManager": {
"type": "object",
"properties": {
"dnsNames": {
"type": "array",
"items": {
"type": "string"
}
},
"duration": {
"type": "string"
},
"enabled": {
"type": "boolean"
},
"issuerRef": {
"type": "object"
},
"privateKey": {
"type": "object",
"properties": {
"algorithm": {
"type": "string"
},
"encoding": {
"type": "string"
},
"size": {
"type": "integer"
}
}
},
"renewBefore": {
"type": "string"
},
"selfSigned": {
"type": "object",
"properties": {
"caRootCert": {
"type": "object",
"properties": {
"duration": {
"type": "string"
},
"renewBefore": {
"type": "string"
}
}
},
"enabled": {
"type": "boolean"
}
}
},
"usages": {
"type": "array",
"items": {
"type": "string"
}
}
}
},
"enabled": {
"type": "boolean"
},
Expand Down
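Review bot: The new `certManager` schema validates only JSON types, so a typo such as `"algorithm": "ecdsa"` or `"encoding": "PKCS12"` passes `helm lint` and install and only fails later when cert-manager rejects the Certificate, far from the value that caused it. cert-manager accepts a closed set of values there (as far as I recall `RSA`, `ECDSA` and `Ed25519` for `algorithm`, `PKCS1` and `PKCS8` for `encoding`), so adding `"enum": ["RSA", "ECDSA", "Ed25519"]` under `algorithm` and `"enum": ["PKCS1", "PKCS8"]` under `encoding` would catch that at render time. `dnsNames` and `usages` could likewise carry `"minItems": 1`, since an empty list yields a certificate with no SAN or no key usage, which no TLS peer will accept.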
30 changes: 30 additions & 0 deletions charts/scalardl-audit/values.yaml
Expand Up @@ -280,3 +280,33 @@ auditor:
privateKeySecret: ""
# -- Name of the Secret containing the custom CA root certificate for TLS communication between Auditor and Ledger.
caRootCertForLedgerSecret: ""
certManager:
# -- Use cert-manager to manage private key and certificate files.
enabled: false
selfSigned:
# -- Use self-signed CA.
enabled: false
caRootCert:
# -- Duration of a self-signed CA certificate.
duration: "8760h0m0s"
# -- How long before expiry a self-signed CA certificate should be renewed.
renewBefore: "360h0m0s"
# -- Duration of a certificate.
duration: "8760h0m0s"
# -- How long before expiry a certificate should be renewed.
renewBefore: "360h0m0s"
# -- Configuration of a private key.
privateKey:
algorithm: ECDSA
encoding: PKCS1
size: 256
# -- List of key usages.
usages:
- server auth
- key encipherment
- signing
# -- Subject Alternative Name (SAN) of a certificate.
dnsNames:
- localhost
# -- Issuer references of cert-manager.
issuerRef: {}
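Review bot: The default `usages` list pairs `key encipherment` with the default `ECDSA` private key, but RFC 5480 §3 forbids the keyEncipherment bit on EC public keys (only digitalSignature, nonRepudiation and keyAgreement may be set), so the defaults ask for a certificate that strict validators may reject and that advertises a capability an EC key does not have. The list already contains `signing` (cert-manager's name for digitalSignature), which is what TLS with an EC key actually uses, so `key encipherment` can simply be dropped from the default and the comment above `usages` changed to `# -- List of key usages. Add "key encipherment" only when privateKey.algorithm is RSA.`. It is also worth a one-line comment on `dnsNames` that `localhost` only covers the in-pod probes and that the Service hostname must be added for any remote peer to verify the certificate.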
