feat: mTLS support #512
feat: mTLS support #512
We should merge #447 first.
@@ -100,6 +103,10 @@ spec: | |||
{{- range $name, $cert := .Values.tls.certs }} | |||
- name: redpanda-{{ $name }}-cert | |||
mountPath: {{ printf "/etc/tls/certs/%s" $name }} | |||
{{- if (include "mtls-enabled" $ | fromJson).bool }} | |||
- name: redpanda-{{ $name }}-usercert-{{ $adminUser }} | |||
mountPath: {{ printf "/etc/tls/user-certs/%s/%s" $name $adminUser }} |
I don't see this path being used anywhere.
@@ -97,6 +101,10 @@ spec: | |||
{{- range $name, $cert := .Values.tls.certs }} | |||
- name: redpanda-{{ $name }}-cert | |||
mountPath: {{ printf "/etc/tls/certs/%s" $name }} | |||
{{- if (include "mtls-enabled" $ | fromJson).bool }} | |||
- name: redpanda-{{ $name }}-usercert-{{ $adminUser }} | |||
mountPath: {{ printf "/etc/tls/user-certs/%s/%s" $name $adminUser }} |
I don't see this path being used anywhere.
@@ -308,6 +313,10 @@ spec: | |||
{{- range $name, $cert := .Values.tls.certs }} | |||
- name: redpanda-{{ $name }}-cert | |||
mountPath: {{ printf "/etc/tls/certs/%s" $name }} | |||
{{- if (include "mtls-enabled" $ | fromJson).bool }} | |||
- name: redpanda-{{ $name }}-usercert-{{ $adminUser }} | |||
mountPath: {{ printf "/etc/tls/user-certs/%s/%s" $name $adminUser }} |
I don't see this path being used anywhere.
charts/redpanda/values.schema.json
"pandaProxyClient": { | ||
"type": "object", | ||
"required": ["brokers"], | ||
"properties": { | ||
"brokers": {"type": "array"}, | ||
"broker_tls": { | ||
"type": "object", | ||
"required": ["enabled"], | ||
"properties": { | ||
"enabled": {"type": "boolean"}, | ||
"require_client_auth": {"type": "boolean"}, | ||
"cert_file": {"type": "string"}, | ||
"key_file": {"type": "string"}, | ||
"truststore_file": {"type": "string"} | ||
} | ||
}, | ||
"retries": {"type": "integer", "default": 5}, | ||
"produce_batch_record_count": {"type": "integer", "default": 1000}, | ||
"produce_batch_size_bytes": {"type": "integer", "default": 1048576}, | ||
"produce_batch_delay_ms": {"type": "integer", "default": 100}, | ||
"consumer_request_timeout_ms": {"type": "integer", "default": 100}, | ||
"consumer_request_max_bytes": {"type": "integer", "default": 1048576}, | ||
"consumer_session_timeout_ms": {"type": "integer", "default": 10000}, | ||
"consumer_rebalance_timeout_ms": {"type": "integer", "default": 2000}, | ||
"consumer_heartbeat_interval_ms": {"type": "integer", "default": 500}, | ||
"sasl_mechanism": {"type": "string"}, | ||
"scram_username": {"type": "string"}, | ||
"scram_password": {"type": "string"} | ||
} | ||
}, | ||
"schemaRegistryClient": { | ||
"type": "object", | ||
"required": ["brokers"], | ||
"properties": { | ||
"brokers": {"type": "array"}, | ||
"broker_tls": { | ||
"type": "object", | ||
"required": ["enabled"], | ||
"properties": { | ||
"enabled": {"type": "boolean"}, | ||
"require_client_auth": {"type": "boolean"}, | ||
"cert_file": {"type": "string"}, | ||
"key_file": {"type": "string"}, | ||
"truststore_file": {"type": "string"} | ||
} | ||
}, | ||
"retries": {"type": "integer", "default": 5}, | ||
"produce_batch_record_count": {"type": "integer", "default": 1000}, | ||
"produce_batch_size_bytes": {"type": "integer", "default": 1048576}, | ||
"produce_batch_delay_ms": {"type": "integer", "default": 100}, | ||
"consumer_request_timeout_ms": {"type": "integer", "default": 100}, | ||
"consumer_request_max_bytes": {"type": "integer", "default": 1048576}, | ||
"consumer_session_timeout_ms": {"type": "integer", "default": 10000}, | ||
"consumer_rebalance_timeout_ms": {"type": "integer", "default": 2000}, | ||
"consumer_heartbeat_interval_ms": {"type": "integer", "default": 500}, | ||
"sasl_mechanism": {"type": "string"}, | ||
"scram_username": {"type": "string"}, | ||
"scram_password": {"type": "string"} | ||
} | ||
}, |
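Review bot: `scram_password` at the bottom of each client block is modelled as a free-form `{"type": "string"}`, which makes a plaintext broker credential a first-class chart value and therefore something that will end up committed in values.yaml or a GitOps repository. Consider at least documenting it as a credential in the schema, e.g. `"scram_password": {"type": "string", "description": "SASL/SCRAM password for the broker connection; source this from a Kubernetes Secret rather than committing it in values"}`, or better, not accepting it inline and pointing to a Secret reference, consistent with however the rest of the chart handles SASL credentials (not visible in this hunk). Separately, `require_client_auth` is optional while `enabled` is required, so a `broker_tls` block with `enabled: true` and no `require_client_auth` validates fine, but whether that yields mutual TLS or only server-authenticated TLS depends on the consumer, which this hunk does not show; a `description` stating the effective default on that property would remove the ambiguity. The two client definitions are byte-identical, so factoring them into one `definitions` entry referenced via `$ref` would keep them from drifting apart.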
Thank you for this definition. Internally we would prefer not to constrain users here, as Redpanda might change this definition in the future.
d71fbff
to
4b9f63f
Change-Id: I90f61317b47062cffff6af0c92db7feff2232aa4
This is very out-of-date and should be fixed now, so I'm going to close it. There is a nice feature idea in here, though, around generating the list of user certificates; I've opened an issue (#775) for it.
Change-Id: I90f61317b47062cffff6af0c92db7feff2232aa4
Fixes for #65