From 5ac23c5d9f6d6bed1a5127fd5eb51e62f8628b64 Mon Sep 17 00:00:00 2001
From: Christophe de Carvalho
Date: Thu, 31 Aug 2023 10:50:58 +0100
Subject: [PATCH] feat(deployment): allow to configure TLS certificate for gRPC servers

The helm chart now allows to specify a sercret name where a TLS certificate and key are store. If specified, it mounts the secret in the pods and update the configuration to enable TLS on the servers.

Signed-off-by: Christophe de Carvalho
---
 .../chainloop/templates/cas/config.configmap.yaml | 7 ++++++-
 deployment/chainloop/templates/cas/deployment.yaml | 9 +++++++++
 .../templates/controlplane/config.configmap.yaml | 5 +++++
 .../chainloop/templates/controlplane/deployment.yaml | 9 +++++++++
 deployment/chainloop/values.yaml | 12 ++++++++++++
 5 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/deployment/chainloop/templates/cas/config.configmap.yaml b/deployment/chainloop/templates/cas/config.configmap.yaml
index 6170961a7..8ada6006c 100644
--- a/deployment/chainloop/templates/cas/config.configmap.yaml
+++ b/deployment/chainloop/templates/cas/config.configmap.yaml
@@ -11,7 +11,12 @@ data:
         addr: 0.0.0.0:8000
         timeout: 1s
       grpc:
+        {{- if .Values.cas.tlsConfig.secret.name }}
+        tls_config:
+          certificate: /data/server-certs/tls.crt
+          private_key: /data/server-certs/tls.key
+        {{- end }}
         addr: 0.0.0.0:9000
         timeout: 1s
       http_metrics:
-        addr: 0.0.0.0:5000
\ No newline at end of file
+        addr: 0.0.0.0:5000
diff --git a/deployment/chainloop/templates/cas/deployment.yaml b/deployment/chainloop/templates/cas/deployment.yaml
index b61490f1c..222e9bbe7 100644
--- a/deployment/chainloop/templates/cas/deployment.yaml
+++ b/deployment/chainloop/templates/cas/deployment.yaml
@@ -62,6 +62,10 @@ spec:
             - name: gcp-secretmanager-serviceaccountkey
               mountPath: /gcp-secrets
             {{- end }}
+            {{- if .Values.cas.tlsConfig.secret.name }}
+            - name: server-certs
+              mountPath: /data/server-certs
+            {{- end }}
       volumes:
         - name: config
           projected:
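Review bot: The new `tls_config` block is attached only to the `grpc` listener, while the `http` listener on `0.0.0.0:8000` and `http_metrics` on `0.0.0.0:5000` in the same hunk stay plaintext, and nothing in the chart says so. If that is the intended scope, it should be stated where operators will see it, e.g. a template comment above the `{{- if }}` such as `# TLS (cas.tlsConfig) applies to the gRPC listener only; the HTTP and metrics listeners are not covered.` If the HTTP listener is also expected to be protected, that needs its own `tls_config` under `http` rather than relying on this one. The enclosing `data:` block of the ConfigMap starts before this hunk.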
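Review bot: The new `server-certs` volumeMount carries a private key but is not marked read-only; the kubelet generally mounts Secret volumes read-only already, but declaring it makes the intent explicit and survives a change of volume type, so add `readOnly: true` under `mountPath: /data/server-certs`. The path `/data/server-certs` is also hard-coded here and again in the CAS ConfigMap template, so a drift in one place silently breaks the other; a short comment such as `# must match tls_config paths in cas/config.configmap.yaml` would at least flag the coupling. The containers section this mount belongs to begins above the hunk.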
@@ -73,6 +77,11 @@ spec:
         - name: jwt-public-key
           secret:
             secretName: {{ include "chainloop.cas.fullname" . }}-jwt-public-key
+        {{- if .Values.cas.tlsConfig.secret.name }}
+        - name: server-certs
+          secret:
+            secretName: {{ .Values.cas.tlsConfig.secret.name }}
+        {{- end }}
         {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }}
         - name: gcp-secretmanager-serviceaccountkey
           secret:
diff --git a/deployment/chainloop/templates/controlplane/config.configmap.yaml b/deployment/chainloop/templates/controlplane/config.configmap.yaml
index 6c02de6c5..d52fdcd47 100644
--- a/deployment/chainloop/templates/controlplane/config.configmap.yaml
+++ b/deployment/chainloop/templates/controlplane/config.configmap.yaml
@@ -24,6 +24,11 @@ data:
       grpc:
         addr: 0.0.0.0:9000
         timeout: 10s
+        {{- if .Values.controlplane.tlsConfig.secret.name }}
+        tls_config:
+          certificate: /data/server-certs/tls.crt
+          private_key: /data/server-certs/tls.key
+        {{- end }}
     cas_server:
       grpc:
         addr: {{ printf "%s-api:%.0f" (include "chainloop.cas.fullname" .) .Values.cas.serviceAPI.port }}
diff --git a/deployment/chainloop/templates/controlplane/deployment.yaml b/deployment/chainloop/templates/controlplane/deployment.yaml
index 28240856a..3a5b65504 100644
--- a/deployment/chainloop/templates/controlplane/deployment.yaml
+++ b/deployment/chainloop/templates/controlplane/deployment.yaml
@@ -85,6 +85,10 @@ spec:
               mountPath: /tmp
             - name: jwt-cas-private-key
               mountPath: /secrets
+            {{- if .Values.controlplane.tlsConfig.secret.name }}
+            - name: server-certs
+              mountPath: /data/server-certs
+            {{- end }}
             {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }}
             - name: gcp-secretmanager-serviceaccountkey
               mountPath: /gcp-secrets
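Review bot: `secretName: {{ .Values.cas.tlsConfig.secret.name }}` renders the user-supplied value unquoted, so a name that YAML types as something other than a string (all digits, `yes`/`no`, a leading `*`) produces an invalid or mis-typed manifest instead of a clear error; the sibling `secretName` in this hunk is built with `include`, so only the new line is exposed. Render it as `secretName: {{ .Values.cas.tlsConfig.secret.name | quote }}`. Since this volume holds a private key, it is also worth considering a tighter `defaultMode` (e.g. `defaultMode: 0440`) than the Secret-volume default of `0644`, checked against the pod's runtime user/`fsGroup`, which are not visible in this hunk. The `volumes:` list this entry belongs to starts above the hunk.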
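Review bot: The `cas_server.grpc.addr` context lines at the bottom of this hunk show the control plane dialling the CAS at `<cas>-api:<port>`, but this commit adds no client-side TLS or trust-anchor setting there even though the same commit lets `cas.tlsConfig` turn TLS on for that very endpoint. Presumably the client either keeps dialling in plaintext and fails the handshake once the CAS serves TLS, or dials TLS without a configured CA; which of the two happens depends on the client code, which is not visible here, so this should be confirmed. At minimum the values comment for `cas.tlsConfig` should state how the control plane is expected to reach a TLS-enabled CAS, and ideally the chart gains a matching `cas_server.grpc.tls` knob (CA bundle / server name) rendered next to `addr`. The `data:` block this config lives in starts before the hunk.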
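Review bot: The control-plane `server-certs` volumeMount, like the neighbouring `jwt-cas-private-key` mount at `/secrets`, carries key material but is declared without `readOnly: true`; the kubelet normally mounts Secret volumes read-only, but stating it keeps the guarantee explicit if the volume type ever changes, so add `readOnly: true` under `mountPath: /data/server-certs`. Note too that secret material now lives under two different roots in this pod (`/secrets` and `/data/server-certs`), which is a style point worth a comment or, if the ConfigMap paths are adjusted together, a single root. The containers section this mount belongs to begins above the hunk.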
@@ -103,6 +107,11 @@ spec:
         - name: jwt-cas-private-key
           secret:
             secretName: {{ include "chainloop.controlplane.fullname" . }}-jwt-cas
+        {{- if .Values.controlplane.tlsConfig.secret.name }}
+        - name: server-certs
+          secret:
+            secretName: {{ .Values.controlplane.tlsConfig.secret.name }}
+        {{- end }}
         {{- if eq "gcpSecretManager" .Values.secretsBackend.backend }}
         - name: gcp-secretmanager-serviceaccountkey
           secret:
diff --git a/deployment/chainloop/values.yaml b/deployment/chainloop/values.yaml
index 0c8ab775e..a3cef47fa 100644
--- a/deployment/chainloop/values.yaml
+++ b/deployment/chainloop/values.yaml
@@ -103,6 +103,12 @@ controlplane:
     # Overrides the image tag whose default is the chart appVersion.
     # tag: latest
 
+  ## @param controlplane.secret.name name of a secret containing TLS certificate to be used by the controlplane grpc server.
+  tlsConfig:
+    secret:
+      # the secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key.
+      name: ""
+
   ## @param controlplane.pluginsDir Directory where to look for plugins
   pluginsDir: /plugins
 
@@ -443,6 +449,12 @@ cas:
     # Overrides the image tag whose default is the chart appVersion.
     # tag: latest
 
+  ## @param cas.tlsConfig.secret.name name of a secret containing TLS certificate to be used by the controlplane grpc server.
+  tlsConfig:
+    secret:
+      # the secret must contains 2 keys: tls.crt and tls.key respectively containing the certificate and private key.
+      name: ""
+
   ## @skip cas.serviceAccount
   serviceAccount:
     # Specifies whether a service account should be created
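Review bot: `secretName: {{ .Values.controlplane.tlsConfig.secret.name }}` is rendered unquoted, so a secret name that YAML would read as a number or boolean yields a broken manifest rather than a clear error; the existing `secretName` in this hunk is built from `include` and does not have that exposure. Change it to `secretName: {{ .Values.controlplane.tlsConfig.secret.name | quote }}`. The `volumes:` list this entry belongs to starts above the hunk.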
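Review bot: The new `@param` annotation in the `controlplane` section names the wrong key: it reads `controlplane.secret.name`, but the value introduced directly below it is `controlplane.tlsConfig.secret.name`, so README generators that read these annotations will document a key that does not exist. Change it to `## @param controlplane.tlsConfig.secret.name name of a secret containing the TLS certificate and key used by the controlplane gRPC server.` The inline comment also has a grammar slip, `must contains 2 keys`, which should read `must contain two keys: tls.crt and tls.key (the certificate and the private key), i.e. the layout of a kubernetes.io/tls Secret`. The surrounding `controlplane:` map starts before the hunk.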
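Review bot: The `@param cas.tlsConfig.secret.name` description in the `cas` section is a copy-paste from the control-plane block and still says the certificate is "used by the controlplane grpc server", which will mislead operators choosing which secret to point here. Change it to `## @param cas.tlsConfig.secret.name name of a secret containing the TLS certificate and key used by the CAS gRPC server.` and fix `must contains` to `must contain` in the inline comment below it. Because the key names are `tls.crt`/`tls.key`, it is worth adding that a `kubernetes.io/tls` Secret (as created by `kubectl create secret tls` or cert-manager) has exactly this layout. The surrounding `cas:` map starts before the hunk.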