
Commit 71cd602

committed
Enabled internal TLS between k8s pods by default
1 parent 44aa43a commit 71cd602

9 files changed

+324
-8
lines changed

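--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -411,3 +411,21 @@ Create the custom env list for each deployment
 value: {{ $value | quote }}
 {{- end }}
 {{- end -}}
+
+{{/*
+Set up values for Internal TLS
+*/}}
+{{- define "stackstorm-ha.internal_tls.cert_volume.mount" -}}
+{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
+- name: {{ .Values.st2.tls.secretName }}
+mountPath: {{ .Values.st2.tls.mountPath }}/
+readOnly: true
+{{- end }}
+{{- end -}}
+{{- define "stackstorm-ha.internal_tls.cert_volume.volume" -}}
+{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
+- name: {{ .Values.st2.tls.secretName }}
+secret:
+secretName: {{ .Values.st2.tls.secretName }}
+{{- end }}
+{{- end -}}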
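Review bot: Neither new helper guards `.Values.st2.tls.secretName` or `.Values.st2.tls.mountPath`, so an unset secretName renders `- name:` with a null value (and an empty mountPath renders `mountPath: /`) and the volume/mount pair only fails at apply time; `- name: {{ required "st2.tls.secretName is required when internal TLS is enabled" .Values.st2.tls.secretName }}` in both helpers, with the same treatment for mountPath, fails fast at template time and matches the `required` calls this commit already uses in templates/configmaps_st2-conf.yaml. The volume helper exposes the whole certificate secret, private key included, to every pod that has any of the three TLS toggles on, even where a pod only needs the CA bundle to verify a server it connects to; for such pods an `items:` list on the `secret:` block restricting the mount to the public material limits what a compromised pod can read. A short note under the `Set up values for Internal TLS` header saying which deployments are expected to consume each helper would help, since the callers are not visible here.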

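--- a/templates/ca.yaml
+++ b/templates/ca.yaml
@@ -0,0 +1,21 @@
+{{- if not ( .Values.st2.tls.certificate_issuer.existing ) -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+name: {{ .Values.st2.tls.certificate_issuer.name }}
+namespace: "{{ $.Release.Namespace }}"
+spec:
+ca:
+secretName: {{ .Values.st2.tls.certificate_issuer.name }}-tls
+---
+apiVersion: v1
+data:
+tls.crt: "{{ .Values.secret.ca.crt }}"
+tls.key: "{{ .Values.secret.ca.key }}"
+kind: Secret
+metadata:
+name: {{ .Values.st2.tls.certificate_issuer.name }}-tls
+namespace: "{{ $.Release.Namespace }}"
+type: kubernetes.io/tls
+{{- end -}}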
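Review bot: Neither `tls.crt` nor `tls.key` in the new Secret is guarded, so an unset `.Values.secret.ca.key` renders `tls.key: ""` and the `ca` Issuer only fails later, when cert-manager first tries to sign; the chart already uses `required` in templates/configmaps_st2-conf.yaml, so `tls.key: "{{ required "secret.ca.key is required unless st2.tls.certificate_issuer.existing is set" .Values.secret.ca.key }}"` (and the same for `tls.crt`) would fail fast at install. Both values land under `data:`, which Kubernetes expects base64-encoded; if the chart takes PEM here, pipe through `b64enc` or switch to `stringData:` — the page does not show the value format, so confirm against values.yaml. Because the CA private key travels through Helm values it is also persisted in the release history the cluster stores; a template comment pointing operators at the `certificate_issuer.existing` path as the way to keep the key out of the chart would make that trade-off explicit.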

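--- a/templates/certificate.yaml
+++ b/templates/certificate.yaml
@@ -0,0 +1,28 @@
+{{- if or .Values.st2.tls.enabled .Values.mongodb.tls.enabled .Values.rabbitmq.tls.enabled }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: {{ .Values.st2.tls.secretName }}
+labels:
+app: stackstorm
+heritage: {{.Release.Service | quote}}
+release: {{.Release.Name | quote}}
+chart: {{ replace "+" "_" .Chart.Version | printf "%s-%s" .Chart.Name }}
+spec:
+secretName: {{ .Values.st2.tls.secretName }}
+dnsNames:
+- "*.{{ $.Release.Namespace }}.svc.{{ $.Values.clusterDomain }}"
+{{ include "stackstorm-ha.mongodb-nodes" $ | splitList "," | toYaml | indent 4 }}
+ipAddresses:
+- "127.0.0.1"
+renewBefore: 360h # 15d
+privateKey:
+rotationPolicy: Always
+algorithm: RSA
+size: 3072
+issuerRef:
+name: {{ .Values.st2.tls.certificate_issuer.name }}
+kind: Issuer
+group: cert-manager.io
+{{- end -}}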
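Review bot: The `dnsNames` list appends the output of `stackstorm-ha.mongodb-nodes` through `splitList ","` without checking that it is non-empty; the guard on line 1 allows MongoDB to be disabled while st2 or RabbitMQ TLS is on, and if the helper then renders an empty string, `splitList` yields a single empty element and an empty `- ""` SAN that cert-manager rejects. Wrapping the include in `{{- if .Values.mongodb.enabled }}`, or inserting `| compact` before `toYaml`, avoids that (I cannot see the helper, so confirm what it renders in that case). Separately, one certificate whose SAN is `*.<namespace>.svc.<clusterDomain>` and whose secret is mounted into every TLS-enabled pod means any compromised pod can present a valid server certificate for every service in the namespace; that is a reasonable starting point for internal TLS, but a comment above `dnsNames:` spelling out what the wildcard grants would keep the trade-off visible to operators.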

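--- a/templates/configmaps_st2-conf.yaml
+++ b/templates/configmaps_st2-conf.yaml
@@ -11,7 +11,11 @@ data:
 # The order of merging: st2.conf < st2.docker.conf < st2.user.conf
 st2.docker.conf: |
 [auth]
+{{- if .Values.rabbitmq.tls.enabled }}
+api_url = https://{{ .Release.Name }}-st2api:9111/
+{{- else }}
 api_url = http://{{ .Release.Name }}-st2api:9101/
+{{- end -}}
 [system_user]
 user = {{ .Values.st2.system_user.user }}
 ssh_key_file = {{ tpl .Values.st2.system_user.ssh_key_file . }}
@@ -21,7 +25,11 @@ data:
 {{- end }}
 {{- if index .Values "rabbitmq" "enabled" }}
 [messaging]
+{{- if .Values.rabbitmq.tls.enabled }}
+url = amqp://{{ required "rabbitmq.auth.username is required!" (index .Values "rabbitmq" "auth" "username") }}:{{ required "rabbitmq.auth.password is required!" (index .Values "rabbitmq" "auth" "password") }}@{{ .Release.Name }}-rabbitmq:5671{{ required "rabbitmq.ingress.path is required!" (index .Values "rabbitmq" "ingress" "path") }}
+{{- else }}
 url = amqp://{{ required "rabbitmq.auth.username is required!" (index .Values "rabbitmq" "auth" "username") }}:{{ required "rabbitmq.auth.password is required!" (index .Values "rabbitmq" "auth" "password") }}@{{ .Release.Name }}-rabbitmq:5672{{ required "rabbitmq.ingress.path is required!" (index .Values "rabbitmq" "ingress" "path") }}
+{{- end -}}
 {{- end }}
 {{- if index .Values "mongodb" "enabled" }}
 [database]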
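Review bot: The `{{- end -}}` that closes the new `api_url` block in the first hunk trims the newline (and any indentation) before `[system_user]`, so the rendered st2.docker.conf ends up with `api_url = http://<release>-st2api:9101/[system_user]` on one line, breaking both the URL and the section header; change it to `{{- end }}`, the form the file already uses on the `{{- end }}` lines kept as context in the second hunk. The same guard keys the st2api URL on `.Values.rabbitmq.tls.enabled`, whereas templates/configmaps_st2-urls.yaml in this commit switches the identical endpoint on `and .Values.st2.tls.enabled .Values.st2api.tls.enabled`; with RabbitMQ TLS on but st2api TLS off, api_url points at an https port nothing serves, so the condition here should be `{{- if and .Values.st2.tls.enabled .Values.st2api.tls.enabled }}`. In the second hunk the TLS branch keeps the `amqp://` scheme on port 5671; unless the broker connection is made TLS by `[messaging]` settings added in one of the commit's files not shown on this page, the client would attempt a plaintext AMQP handshake against the TLS listener, so that pairing deserves a comment or a check. The `data:` block scalar starts before the first hunk and continues past the second.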

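--- a/templates/configmaps_st2-urls.yaml
+++ b/templates/configmaps_st2-urls.yaml
@@ -7,6 +7,18 @@ metadata:
 description: StackStorm service URLs, used across entire st2 cluster
 labels: {{- include "stackstorm-ha.labels" (list $ "st2") | nindent 4 }}
 data:
+{{- if and .Values.st2.tls.enabled .Values.st2auth.tls.enabled }}
+ST2_AUTH_URL: https://{{ .Release.Name }}-st2auth:9100/
+{{- else }}
 ST2_AUTH_URL: http://{{ .Release.Name }}-st2auth:9100/
+{{- end }}
+{{- if and .Values.st2.tls.enabled .Values.st2api.tls.enabled }}
+ST2_API_URL: https://{{ .Release.Name }}-st2api:9111/
+{{- else }}
 ST2_API_URL: http://{{ .Release.Name }}-st2api:9101/
+{{- end }}
+{{- if and .Values.st2.tls.enabled .Values.st2stream.tls.enabled }}
+ST2_STREAM_URL: https://{{ .Release.Name }}-st2stream:9112/
+{{- else }}
 ST2_STREAM_URL: http://{{ .Release.Name }}-st2stream:9102/
+{{- end }}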
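Review bot: `ST2_AUTH_URL` keeps port 9100 in both the https and the http branch, while the API and stream URLs move to separate TLS ports (9111 and 9112, with 9111 also used for the API in templates/configmaps_st2-conf.yaml); if st2auth's TLS listener is meant to have its own port like the other two, the https branch on line 11 needs it, and if 9100 really serves both, a comment above line 10 stating that would stop the next reader from "fixing" it. Nothing in this ConfigMap tells the consumers of these URLs which CA to trust once they become `https://`; presumably the secret mounted by the new `_helpers.tpl` volume helper supplies it, but confirm that each client is pointed at that bundle, since the failure mode is either broken verification or verification being switched off to make it work.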
