Improve cluster configuration when enableTls is true #169

Merged
merged 1 commit into from
Apr 4, 2022

michaeljmarshall
Member

@michaeljmarshall michaeljmarshall commented Apr 4, 2022

Motivation

Improve the basic functionality of the enableTls flag. Setting the flag to true means that the broker, proxy, and function worker will all enable TLS, but not use it unless configured. See the README update for more details.

Changes

  • Add documentation to README.
  • Add .Values.tls.<component>.enableHostnameVerification flag that makes it possible to enable hostname verification for upstream connections. The default is false for now (old deployments that use kind: Deployment for broker would break otherwise). We will update to true in the next major version bump.
  • Update dev-values-tls.yaml to deploy a broker stateful set (this is necessary for hostname verification to work).
  • Improve bastion's client configuration to utilize TLS and to use the proxy, since that will ensure the function worker is integrated correctly.
  • Update hostnames in the self-signed certificate to support broker and function worker correctly.
  • Update zookeeper initialization script to use the brokerSts component name, since statefulsets are the only way to ensure full-featured TLS connections.

@michaeljmarshall michaeljmarshall force-pushed the improve-enable-tls-flag branch 6 times, most recently from 2319c43 to 7bd2be7 Compare April 4, 2022 20:46
@michaeljmarshall michaeljmarshall merged commit 9584392 into master Apr 4, 2022
@michaeljmarshall michaeljmarshall deleted the improve-enable-tls-flag branch April 4, 2022 21:01
michaeljmarshall added a commit that referenced this pull request Apr 4, 2022
…oxy (#170)

# Motivation

In #169, I attempted to improve the `enableTls` configuration. I realized shortly after merging that PR that the usage of `enabled` was problematic and a bit confusing. Instead, I am going to deprecate those usages in favor of a more descriptive value: `enableTlsWithBroker`.

This change is backwards compatible.