Improve cluster configuration when enableTls is true #169
Motivation
Improve the basic functionality of enabledTls flag. Setting the flag to true means that the broker, proxy, and function worker will all enable TLS, but not use it unless configured. See the README update for more details.

Changes
- .Values.tls.<component>.enableHostnameVerification flag that makes it possible to enable hostname verification for upstream connections. The default is false for now (old deployments that use kind: Deployment for broker would break otherwise). We will update to true in the next major version bump.
- dev-values-tls.yaml to deploy a broker stateful set (this is necessary for hostname verification to work)
- brokerSts component name, since statefulsets are the only way to ensure full-featured TLS connections.