
Add option to allow TLS termination by load balancers (#437)
Signed-off-by: nathan.ribelin <[email protected]>
nate-ribelin authored Apr 22, 2024
1 parent 0c3cd7e commit 3d710b9
Showing 4 changed files with 14 additions and 1 deletion.
2 changes: 2 additions & 0 deletions deploy/charts/vault-operator/crds/crd.yaml
Expand Up @@ -775,6 +775,8 @@ spec:
type: string
raftLeaderAddress:
type: string
raftLeaderApiSchemeOverride:
type: string
resources:
properties:
bankVaults:
2 changes: 2 additions & 0 deletions deploy/crd/bases/vault.banzaicloud.com_vaults.yaml
Expand Up @@ -775,6 +775,8 @@ spec:
type: string
raftLeaderAddress:
type: string
raftLeaderApiSchemeOverride:
type: string
resources:
properties:
bankVaults:
5 changes: 5 additions & 0 deletions pkg/apis/vault/v1alpha1/vault_types.go
Expand Up @@ -206,6 +206,11 @@ type VaultSpec struct {
// default: ""
RaftLeaderAddress string `json:"raftLeaderAddress,omitempty"`

// RaftLeaderApiSchemeOverride will override the value provided from TLS defined values in order
// to handle TLS being terminated by an external reverse proxy, load balancer, etc.
// default: ""
RaftLeaderApiSchemeOverride string `json:"raftLeaderApiSchemeOverride,omitempty"`

// ServicePorts is an extra map of ports that should be exposed by the Vault Service.
// default:
ServicePorts map[string]int32 `json:"servicePorts,omitempty"`
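Review bot: The new RaftLeaderApiSchemeOverride field accepts any string, and the generated CRD schema in the two yaml sections above only constrains it to `type: string`, so a typo or an unexpected value is not rejected at admission and ends up spliced into a URL by the controller. If the CRDs are produced by controller-gen (the deploy/crd/bases path suggests so), a marker line above the field, `// +kubebuilder:validation:Enum=http;https`, would restrict it to the only two values that make sense and regenerate both yaml files. The doc comment also leaves out that the controller consults the override only for raft bootstrap followers, which is the main thing an operator needs to know; I would say so explicitly, e.g. `// RaftLeaderApiSchemeOverride replaces the scheme derived from the TLS settings in the --raft-leader-address URL` followed by `// passed to the unsealer. It is only consulted on raft bootstrap followers, for leaders reached through a proxy or` and `// load balancer that terminates TLS. Allowed values are "http" and "https".` As a point of style, the project already uses the initialism form in GetAPIScheme, so RaftLeaderAPISchemeOverride would match it; the json tag can stay as is.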
6 changes: 5 additions & 1 deletion pkg/controller/vault/vault_controller.go
Expand Up @@ -1163,11 +1163,15 @@ func statefulSetForVault(v *vaultv1alpha1.Vault, externalSecretsToWatchItems []c

if v.Spec.IsRaftStorage() {
raftLeaderAddress := v.Name
raftApiScheme := v.Spec.GetAPIScheme()
if v.Spec.IsRaftBootstrapFollower() {
raftLeaderAddress = v.Spec.RaftLeaderAddress
if v.Spec.RaftLeaderApiSchemeOverride != "" {
raftApiScheme = v.Spec.RaftLeaderApiSchemeOverride
}
}

unsealCommand = append(unsealCommand, "--raft", "--raft-leader-address", v.Spec.GetAPIScheme()+"://"+raftLeaderAddress+":8200")
unsealCommand = append(unsealCommand, "--raft", "--raft-leader-address", raftApiScheme+"://"+raftLeaderAddress+":8200")

if v.Spec.IsRaftBootstrapFollower() {
unsealCommand = append(unsealCommand, "--raft-secondary")
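Review bot: The override is concatenated into the `--raft-leader-address` URL without any check of its value, so anything other than "http" or "https" (including a value with a trailing "://" or a path) produces a malformed leader address that will only surface as an unseal failure inside the pod, far from the spec field that caused it. Even with schema validation on the CRD, I would guard it here as well, since the controller may see objects created before the CRD was updated: `if s := v.Spec.RaftLeaderApiSchemeOverride; s == "http" || s == "https" { raftApiScheme = s } else if s != "" { /* reject or log: unsupported scheme override */ }`, returning an error if statefulSetForVault can return one (its signature is cut off at the top of the hunk, so I cannot tell). Because choosing "http" here is a deliberate downgrade of the leader join to plaintext, an info-level log or event when the override takes effect would make that visible in operator logs. Minor style point: the local is named `raftApiScheme` while the method it is initialised from is `GetAPIScheme`; `raftAPIScheme` would follow Go's initialism convention. The enclosing function continues outside the hunk on both sides.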
