Container-terminated TLS support

README.md

@@ -1,13 +1,72 @@
 # benthos-helm-chart
 
+
 This is in WIP status, very basic functionality tested at the moment:
-- No in-app TLS configurable
 - Ingress not tested
 
-### Repository
+## Repository
+---
 
 To add this repo:
 ```
 helm repo add benthos https://difabion.github.io/benthos-helm-chart/
 ```
-Then `helm search repo benthos` for all charts.
+Then `helm search repo benthos` for all charts.
+
+## Configuration
+---
+### Common Parameters
+| Name             | Description                   | Value           |
+|------------------|-------------------------------|-----------------|
+| image.repository | Docker image repository       | jeffail/benthos |
+| image.pullPolicy | Docker image pull policy      | IfNotPresent    |
+| image.tag        | Docker image tag override     | ""              |
+| imagePullSecrets | Docker registry secrets array | []              |
+| service.type     | Kubernetes service type       | ClusterIP       |
+| service.port     | Kubernetes service port       | 80              |
+
+### Benthos Parameters
+
+For more information on configuring the HTTP component, refer to the [Benthos HTTP component documentation](https://www.benthos.dev/docs/components/http/about).
+| Name                     | Description                           | Value        |
+|--------------------------|---------------------------------------|--------------|
+| http.enabled             | Enables the HTTP server component     | true         |
+| http.address             | HTTP server component binding address | 0.0.0.0:4195 |
+| http.readTimeout         | HTTP server component read timeout    | 5s           |
+| http.rootPath            | General Benthos HTTP endpoint prefix  | /benthos     |
+| http.debugEndpoints      | Enables debugging endpoints           | false        |
+| http.cors.enabled        | Enables Cross-Origin Resource Sharing | false        |
+| http.cors.allowedOrigins | Allowed source domains for CORS       | ""           |
+| http.tls.enabled         | Enables TLS for all Benthos endpoints | false        |
+| http.tls.secretName      | `kubernetes.io/tls` secret name       | ""           |
+| config                   | Benthos component configuration       | ""           |
+
+## TLS
+
+Benthos can be instructed to serve all endpoints exlusively over HTTPS.  This means that TLS configured in this way is not terminated at an ingress controller, but handled "end-to-end" at the container/binary. Prerequisites to enable TLS:
+- Set `service.port` to 443 in values.yaml
+- Create a Kubernetes secret in the targeted namespace of type `kubernetes.io/tls`
+
+When TLS is enabled, the Kubernetes readiness and liveness probes will operate over HTTPS to the same container port (default 4195).
+
+## Config
+
+The config parameter should contain the configuration as it would be parsed by the Benthos binary.
+
+For example, the default Helm chart config block looks like this:
+
+```yaml
+# /benthos.yaml configuration
+config: |-
+  input:
+    label: "no_config_in"
+    generate:
+      mapping: root = "This Benthos instance is unconfigured!"
+      interval: 1m
+  output:
+    label: "no_config_out"
+    stdout:
+      codec: lines
+```
+
+Adding an `http` block here is not recommended, please use the Helm directives described above.

templates/configmap.yaml

@@ -8,5 +8,34 @@ metadata:
     {{- include "benthos.labels" . | nindent 4 }}
 data:
   benthos.yaml: |-
-{{ tpl .Values.config . | nindent 4 }}
-{{- end -}}
+  {{- if .Values.http.enabled }}
+    http:
+      enabled: true
+      {{- if .Values.http.address }}
+      address: {{ .Values.http.address | default "0.0.0.0:4195" }}
+      {{- end -}}
+      {{ if .Values.http.readTimeout }}
+      read_timeout: {{ .Values.http.readTimeout | default "5s" }}
+      {{- end -}}
+      {{ if .Values.http.rootPath }}
+      root_path: {{ .Values.http.rootPath | default "/benthos" }}
+      {{- end -}}
+      {{ if .Values.http.debugEndpoints }}
+      debug_endpoints: {{ .Values.http.debugEndpoints | default false }}
+      {{- end -}}
+      {{ if .Values.http.cors.enabled }}
+      cors:
+        enabled: true
+        {{- if .Values.http.cors.allowedOrigins }}
+        allowed_origins: {{- range .Values.http.cors.allowedOrigins }}
+          - {{ . }}
+          {{- end }}
+        {{- end }}
+      {{- end -}}
+      {{ if and .Values.http.tls.enabled .Values.http.tls.secretName }}
+      cert_file: "/tls/tls.crt"
+      key_file: "/tls/tls.key"
+      {{- end -}}
+  {{ tpl .Values.config . | nindent 4 }}
+  {{- end -}}
+{{- end -}}

templates/deployment.yaml

@@ -41,19 +41,30 @@ spec:
             httpGet:
               path: /ping
               port: http
+              {{- if .Values.http.tls.enabled }}
+              scheme: HTTPS
+              {{- end }}
           readinessProbe:
             httpGet:
               path: /ping
               port: http
+              {{- if .Values.http.tls.enabled }}
+              scheme: HTTPS
+              {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- if .Values.config }}
           volumeMounts:
+            {{- if .Values.config }}
             - name: config
               mountPath: "/benthos.yaml"
               subPath: "benthos.yaml"
               readOnly: true
-          {{- end }}
+            {{- end }}
+            {{- if and .Values.http.tls.enabled .Values.http.tls.secretName }}
+            - name: tls
+              mountPath: "/tls"
+              readOnly: true
+            {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -66,9 +77,14 @@ spec:
       tolerations:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if .Values.config }}
       volumes:
+        {{- if .Values.config }}
         - name: config
           configMap:
             name: {{ template "benthos.fullname" . }}-config
-      {{- end }}
+        {{- end }}
+        {{- if and .Values.http.tls.enabled .Values.http.tls.secretName }}
+        - name: tls
+          secret:
+            secretName: {{ .Values.http.tls.secretName }}
+        {{- end }}

templates/ingress.yaml

@@ -1,4 +1,4 @@
-{{- if .Values.ingress.enabled -}}
+{{- if and (.Values.http.enabled) (.Values.ingress.enabled) -}}
 {{- $fullName := include "benthos.fullname" . -}}
 {{- $svcPort := .Values.service.port -}}
 {{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}

templates/service.yaml

@@ -1,3 +1,4 @@
+{{- if .Values.http.enabled -}}
 apiVersion: v1
 kind: Service
 metadata:
@@ -13,3 +14,4 @@ spec:
       name: http
   selector:
     {{- include "benthos.selectorLabels" . | nindent 4 }}
+{{- end -}}

values.yaml

@@ -81,6 +81,26 @@ tolerations: []
 
 affinity: {}
 
+# /benthos.yaml HTTP configuration
+http:
+  # Disabling HTTP server will prevent service and ingress objects from being created.
+  enabled: true
+  ### These are the current defaults for the following HTTP component parameters;
+  ### uncomment and edit any that require adjustment
+  # address: 0.0.0.0:4195
+  # readTimeout: 5s
+  # rootPath: /benthos
+  # debugEndpoints: false
+  cors:
+    enabled: false
+    # Uncomment and provide list when .Values.http.cors.enabled is true
+    # allowedOrigins: []
+  tls:
+    enabled: false
+    # Create a secret of type `kubernetes.io/tls` in the same namespace and add the name here
+    # secretName: ""
+
+
 # /benthos.yaml configuration
 config: |-
   input:
@@ -91,4 +111,4 @@ config: |-
   output:
     label: "no_config_out"
     stdout:
-      codec: lines
+      codec: lines