From 7a56257573749b42ae472993a1d7ae8f7f2c1253 Mon Sep 17 00:00:00 2001 From: Kirill Salnikov Date: Wed, 11 Dec 2024 17:35:36 +0300 Subject: [PATCH 1/2] =?UTF-8?q?GEFEST-856=20=D0=9A=D0=BE=D0=BD=D1=84=D0=B8?= =?UTF-8?q?=D0=B3=D1=83=D1=80=D0=B0=D1=86=D0=B8=D1=8F=20TLS=20=D0=B4=D0=BB?= =?UTF-8?q?=D1=8F=20Kafka=20=D0=B2=20=D1=87=D0=B0=D1=80=D1=82=D0=B5=20Keys?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- charts/keys/Chart.yaml | 2 +- charts/keys/README.md | 26 ++++--- charts/keys/templates/api/deployment.yaml | 1 - .../keys/templates/dispatcher/deployment.yaml | 39 +++++++++- charts/keys/templates/helpers.tpl | 72 +++++++++++++++---- charts/keys/templates/secret-kafka.yaml | 20 ++++++ charts/keys/values.yaml | 31 +++++--- 7 files changed, 154 insertions(+), 37 deletions(-) create mode 100644 charts/keys/templates/secret-kafka.yaml diff --git a/charts/keys/Chart.yaml b/charts/keys/Chart.yaml index a8acd5144..02d73ff49 100644 --- a/charts/keys/Chart.yaml +++ b/charts/keys/Chart.yaml @@ -4,7 +4,7 @@ type: application description: A Helm chart for Kubernetes to deploy API Keys service version: 1.31.0 -appVersion: 1.89.0 +appVersion: 1.102.3 maintainers: - name: 2gis diff --git a/charts/keys/README.md b/charts/keys/README.md index b6043e648..b1844b233 100644 --- a/charts/keys/README.md +++ b/charts/keys/README.md 
@@ -31,7 +31,7 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about | `imagePullSecrets` | Kubernetes image pull secrets. | `[]` | | `imagePullPolicy` | Pull policy. | `IfNotPresent` | | `backend.image.repository` | Backend service image repository. | `2gis-on-premise/keys-backend` | -| `backend.image.tag` | Backend service image tag. | `1.89.0` | +| `backend.image.tag` | Backend service image tag. | `1.102.3` | | `admin.image.repository` | Admin service image repository. | `2gis-on-premise/keys-ui` | | `admin.image.tag` | Admin service image tag. | `0.10.3` | | `redis.image.repository` | Redis image repository. | `2gis-on-premise/keys-redis` | 
@@ -226,15 +226,21 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about ### Kafka settings -| Name | Description | Value | -| ------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ------ | -| `kafka.audit` | **Settings for sending audit messages.** | | -| `kafka.audit.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). | `""` | -| `kafka.audit.username` | Username for authorization (SASL/PLAINTEXT SHA-512). | `""` | -| `kafka.audit.password` | Password for authorization (SASL/PLAINTEXT SHA-512). | `""` | -| `kafka.audit.topic` | Topic to produce audit messages. | `""` | -| `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` | -| `kafka.audit.produce.idempotentWrite` | Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). | `true` | +| Name | Description | Value | +| --------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------- | +| `kafka.bootstrapServers` | Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). **Required** | `""` | +| `kafka.securityProtocol` | Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. | `PLAINTEXT` | +| `kafka.saslMechanism` | Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. | `PLAIN` | +| `kafka.username` | Username for authorization (SASL). 
| `""` | +| `kafka.password` | Password for authorization (SASL). | `""` | +| `kafka.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name. | `false` | +| `kafka.tls.rootCert` | Root certificate. | `""` | +| `kafka.tls.cert` | Client certificate. | `""` | +| `kafka.tls.key` | Client key. | `""` | +| `kafka.audit` | **Settings for sending audit messages.** | | +| `kafka.audit.topic` | Topic to produce audit messages. **Required** | `""` | +| `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` | +| `kafka.audit.produce.idempotentWrite` | Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). | `true` | ### LDAP connection settings diff --git a/charts/keys/templates/api/deployment.yaml b/charts/keys/templates/api/deployment.yaml index e9d1d4f56..d9b4e9a4d 100644 --- a/charts/keys/templates/api/deployment.yaml +++ b/charts/keys/templates/api/deployment.yaml @@ -58,7 +58,6 @@ spec: {{- include "keys.env.db.deploys" . | nindent 12 }} {{- include "keys.env.redis" . | nindent 12 }} {{- include "keys.env.auth" . | nindent 12 }} - {{- include "keys.env.kafka.audit" . | nindent 12 }} {{- if .Values.customCAs.bundle }} {{- include "keys.env.custom.ca.path" . | nindent 12 }} {{- end }} diff --git a/charts/keys/templates/dispatcher/deployment.yaml b/charts/keys/templates/dispatcher/deployment.yaml index a66518f38..05836a539 100644 --- a/charts/keys/templates/dispatcher/deployment.yaml +++ b/charts/keys/templates/dispatcher/deployment.yaml 
@@ -36,6 +36,26 @@ spec:
 {{- toYaml . | nindent 8 }}
 {{- end }}
 spec:
+ {{ $kafkaSslEnabled := include "kafka.ssl.enabled" .}}
+ {{- if $kafkaSslEnabled }}
+ initContainers:
+ - name: copy-kafka-certs
+ image: {{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag | default .Chart.AppVersion }}
+ imagePullPolicy: {{ .Values.imagePullPolicy }}
+ resources:
+ {{- toYaml .Values.api.resources | nindent 12 }}
+ command:
+ - /bin/sh
+ - -ec
+ - |
+ cp /tmp/certs/* /etc/2gis/secret/kafka/
+ chmod 600 /etc/2gis/secret/kafka/client.key
+ volumeMounts:
+ - name: {{ include "keys.kafka-raw.name" . | quote }}
+ mountPath: /tmp/certs
+ - name: {{ include "keys.kafka.name" . | quote }}
+ mountPath: /etc/2gis/secret/kafka
+ {{- end }}
 containers:
 - name: dispatcher
 image: {{ required "A valid .Values.dgctlDockerRegistry entry required" .Values.dgctlDockerRegistry }}/{{ .Values.backend.image.repository }}:{{ .Values.backend.image.tag }}
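Review bot: The `copy-kafka-certs` init container exists only to get `client.key` to mode 600, but the Secret volume can carry that mode itself — `secret:` with `secretName: ...` and `defaultMode: 0400` on the `{{ include "keys.kafka.name" . }}` volume — which removes the shell step in the backend image and the second, writable copy of the private key; this assumes the dispatcher runs as the file owner or with a matching `fsGroup`, which this hunk does not show. If the copy step is kept, `resources` is taken from `.Values.api.resources` although this is the dispatcher Deployment; `.Values.dispatcher.resources` looks like what was meant. `chmod 600` also only protects the key if the dispatcher container runs as the same UID as the init container, and no `securityContext` is visible here. The opening `{{ $kafkaSslEnabled := ... }}` is not trimmed and renders a blank line into the pod spec; `{{- $kafkaSslEnabled := include "kafka.ssl.enabled" . }}` avoids it.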
@@ -51,13 +71,28 @@ spec:
 {{- if .Values.customCAs.bundle }}
 {{- include "keys.env.custom.ca.path" . | nindent 12 }}
 {{- end }}
- {{- if .Values.customCAs.bundle }}
+ {{- if or .Values.customCAs.bundle $kafkaSslEnabled }}
 volumeMounts:
+ {{- if .Values.customCAs.bundle }}
 {{- include "keys.custom.ca.volumeMounts" . | nindent 12 }}
+ {{- end }}
+ {{- if $kafkaSslEnabled }}
+ - name: {{ include "keys.kafka.name" . | quote }}
+ mountPath: /etc/2gis/secret/kafka
+ {{- end }}
 {{- end }}
- {{- if .Values.customCAs.bundle }}
+ {{- if or .Values.customCAs.bundle $kafkaSslEnabled }}
 volumes:
+ {{- if .Values.customCAs.bundle }}
 {{- include "keys.custom.ca.deploys.volumes" . | nindent 8 }}
+ {{- end }}
+ {{- if $kafkaSslEnabled }}
+ - name: {{ include "keys.kafka-raw.name" . | quote }}
+ secret:
+ secretName: {{ include "keys.kafka.name" . | quote }}
+ - name: {{ include "keys.kafka.name" . | quote }}
+ emptyDir: {}
+ {{- end }}
 {{- end }}
 {{- with .Values.dispatcher.nodeSelector }}
 nodeSelector:
diff --git a/charts/keys/templates/helpers.tpl b/charts/keys/templates/helpers.tpl
index 6f6f7c3b5..cd50b57ec 100644
--- a/charts/keys/templates/helpers.tpl
+++ b/charts/keys/templates/helpers.tpl
@@ -42,6 +42,22 @@
 {{ include "keys.name" . }}-jobs
 {{- end }}
+{{- /*
+Name for kafka intermediate volume for copy secrets
+*/ -}}
+
+{{- define "keys.kafka-raw.name" -}}
+{{- printf "%s-kafka-raw" (include "keys.name" .) -}}
+{{- end }}
+
+{{- /*
+Name for kafka secret and volume
+*/ -}}
+
+{{- define "keys.kafka.name" -}}
+{{- printf "%s-kafka" (include "keys.name" .) -}}
+{{- end }}
+
 {{- define "keys.selectorLabels" -}}
 app.kubernetes.io/name: {{ .Chart.Name }}
 app.kubernetes.io/instance: {{ .Release.Name }}
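Review bot: The `emptyDir: {}` added for the `{{ include "keys.kafka.name" . }}` volume is disk-backed by default, so the copied Kafka client private key is written to the node filesystem for the pod's lifetime; replacing `emptyDir: {}` with `emptyDir:` / `medium: Memory` (optionally plus `sizeLimit: 1Mi`) keeps it on tmpfs. The `secret:` volume that feeds the init container sets no `defaultMode`, so the source copy under `/tmp/certs` gets the Kubernetes default 0644 inside that container; if the copy step is kept, `defaultMode: 0400` there narrows the window in which the key is readable by other users in the image. The dispatcher container itself only mounts the emptyDir copy, so the mode and medium of that copy are what matter at runtime.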
@@ -199,10 +215,10 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} value: "{{ .Values.postgres.rw.schema }}" - name: KEYS_DB_RW_USERNAME value: "{{ required "A valid .Values.postgres.rw.username required" .Values.postgres.rw.username }}" -{{- end }} +{{- end -}} {{- define "keys.env.db.deploys" -}} -{{ include "keys.env.db" . }} +{{- include "keys.env.db" . }} - name: KEYS_DB_RO_PASSWORD valueFrom: secretKeyRef: @@ -213,10 +229,10 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} secretKeyRef: name: {{ include "keys.secret.deploys.name" . }} key: dbRWPassword -{{- end }} +{{- end -}} {{- define "keys.env.db.jobs" -}} -{{ include "keys.env.db" . }} +{{- include "keys.env.db" . }} - name: KEYS_DB_RO_PASSWORD valueFrom: secretKeyRef: @@ -227,18 +243,18 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} secretKeyRef: name: {{ include "keys.secret.jobs.name" . }} key: dbRWPassword -{{- end }} +{{- end -}} {{- define "keys.env.redis" -}} -{{- if .Values.redis.useExternalRedis }} +{{- if .Values.redis.useExternalRedis -}} - name: KEYS_REDIS_HOST value: "{{ .Values.redis.host }}" - name: KEYS_REDIS_DB value: "{{ .Values.redis.db }}" -{{- else }} +{{- else -}} - name: KEYS_REDIS_HOST value: "{{ include "keys.redis.name" . }}" -{{- end }} +{{- end }} - name: KEYS_REDIS_PORT value: "{{ .Values.redis.port }}" {{- if .Values.redis.password }} @@ -247,11 +263,11 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} secretKeyRef: name: {{ include "keys.secret.deploys.name" . }} key: redisPassword -{{- end }} -{{- end }} +{{- end -}} +{{- end -}} {{- define "keys.env.auth" -}} -{{- if .Values.api.adminUsers }} +{{- if .Values.api.adminUsers -}} - name: KEYS_ADMIN_USERS valueFrom: secretKeyRef: 
@@ -346,13 +362,32 @@ app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- define "keys.env.kafka.audit" -}}
 - name: KEYS_KAFKA_AUDIT_BROKERS
- value: "{{ .Values.kafka.audit.bootstrapServers }}"
+ value: "{{ required "A valid .Values.kafka.bootstrapServers entry required" .Values.kafka.bootstrapServers }}"
 - name: KEYS_KAFKA_AUDIT_USERNAME
- value: "{{ .Values.kafka.audit.username }}"
+ value: "{{ .Values.kafka.username }}"
+{{- if .Values.kafka.password }}
 - name: KEYS_KAFKA_AUDIT_PASSWORD
- value: "{{ .Values.kafka.audit.password }}"
+ valueFrom:
+ secretKeyRef:
+ name: {{ include "keys.kafka.name" . }}
+ key: password
+{{- end }}
+- name: KEYS_KAFKA_AUDIT_SECURITY_PROTOCOL
+ value: "{{ .Values.kafka.securityProtocol }}"
+- name: KEYS_KAFKA_AUDIT_SASL_MECHANISM
+ value: "{{ .Values.kafka.saslMechanism }}"
+{{- if (include "kafka.ssl.enabled" .) }}
+- name: KEYS_KAFKA_AUDIT_TLS_SKIP_SERVER_CERTIFICATE_VERIFY
+ value: "{{ .Values.kafka.tls.skipServerCertificateVerify }}"
+- name: KEYS_KAFKA_AUDIT_TLS_CLIENT_CERTIFICATE_PATH
+ value: "/etc/2gis/secret/kafka/client.crt"
+- name: KEYS_KAFKA_AUDIT_TLS_CLIENT_KEY_PATH
+ value: "/etc/2gis/secret/kafka/client.key"
+- name: KEYS_KAFKA_AUDIT_TLS_CA_CERT_PATH
+ value: "/etc/2gis/secret/kafka/ca.crt"
+{{- end }}
 - name: KEYS_KAFKA_AUDIT_TOPIC
- value: "{{ .Values.kafka.audit.topic }}"
+ value: "{{ required "A valid .Values.kafka.audit.topic entry required" .Values.kafka.audit.topic }}"
 - name: KEYS_KAFKA_AUDIT_PRODUCE_RETRY_COUNT
 value: "{{ .Values.kafka.audit.produce.retryCount }}"
 - name: KEYS_KAFKA_AUDIT_PRODUCE_IDEMPOTENT_WRITE
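Review bot: Whenever `kafka.ssl.enabled` is truthy this helper unconditionally sets `KEYS_KAFKA_AUDIT_TLS_CLIENT_CERTIFICATE_PATH` and `KEYS_KAFKA_AUDIT_TLS_CLIENT_KEY_PATH`, and `secret-kafka.yaml` (outside this hunk) marks the client cert and key as `required`, so a cluster whose brokers use server-side TLS only — the common `SASL_SSL` + SCRAM setup with just a CA — cannot be configured without inventing a client certificate. If the backend accepts TLS without a client certificate, wrapping the two client-side entries in `{{- if .Values.kafka.tls.clientCert }} … {{- end }}` and leaving only the CA `required` in the Secret would support that mode; the second patch's rename to `kafka.tls.clientCert` / `clientKey` fits that reading. `KEYS_KAFKA_AUDIT_TLS_SKIP_SERVER_CERTIFICATE_VERIFY` is passed straight through, and since `true` lets any host impersonate the broker and receive the SASL password, a template comment such as `{{- /* skipServerCertificateVerify=true disables broker authentication; test environments only */}}` above it would document the risk for the next maintainer. The `keys.env.kafka.audit` define ends outside this hunk.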
@@ -424,3 +459,10 @@ Return the appropriate apiVersion for Horizontal Pod Autoscaler.
 {{- define "keys.configmap.deploys.name" -}}
 {{ include "keys.name" . }}-configmap-deploys
 {{- end -}}
+
+{{- define "kafka.ssl.enabled" }}
+{{- $securityProtocol := index .Values.kafka.securityProtocol -}}
+{{- $isEnabled := or (eq $securityProtocol "SSL") (eq $securityProtocol "SASL_SSL") -}}
+{{/* Converting bool to "thruthy" string cause "include" can only return string. */}}
+{{- ternary "true" "" $isEnabled }}
+{{- end -}}
diff --git a/charts/keys/templates/secret-kafka.yaml b/charts/keys/templates/secret-kafka.yaml
new file mode 100644
index 000000000..0ca240089
--- /dev/null
+++ b/charts/keys/templates/secret-kafka.yaml
@@ -0,0 +1,20 @@
+{{- $sslEnabled := include "kafka.ssl.enabled" . }}
+{{- $password := .Values.kafka.password }}
+{{- if or ($sslEnabled) (not (empty $password)) }}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "keys.kafka.name" . | quote }}
+ labels:
+ {{- include "keys.labels" . | nindent 4 }}
+type: Opaque
+data:
+ {{- if $sslEnabled }}
+ client.crt: {{ required "A valid kafka.tls.cert entry required" .Values.kafka.tls.cert | b64enc | quote }}
+ client.key: {{ required "A valid kafka.tls.key entry required" .Values.kafka.tls.key | b64enc | quote }}
+ ca.crt: {{ required "A valid kafka.tls.rootCert entry required" .Values.kafka.tls.rootCert | b64enc | quote }}
+ {{- end }}
+ {{- with $password }}
+ password: {{ $password | b64enc }}
+ {{- end }}
+{{- end }}
diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml
index 9d5c391ec..c35525251 100644
--- a/charts/keys/values.yaml
+++ b/charts/keys/values.yaml
@@ -31,7 +31,7 @@ featureFlags:
 backend:
 image:
 repository: 2gis-on-premise/keys-backend
- tag: 1.89.0
+ tag: 1.102.3
 # @section Admin service settings
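Review bot: `kafka.ssl.enabled` matches `securityProtocol` only against the exact strings `SSL` and `SASL_SSL`, so any other spelling (`sasl_ssl`, `Ssl`, a typo) renders as non-TLS — no Secret, no certificate mounts — while `KEYS_KAFKA_AUDIT_SECURITY_PROTOCOL` still carries the misspelled value; what the backend does with that is not visible here, but the chart raises no error for a deployment the operator believed to be encrypted. Validating at render time closes that gap, e.g. `{{- $allowed := list "PLAINTEXT" "SSL" "SASL_PLAINTEXT" "SASL_SSL" }}` followed by `{{- if not (has .Values.kafka.securityProtocol $allowed) }}{{ fail (printf "kafka.securityProtocol must be one of %v, got %q" $allowed .Values.kafka.securityProtocol) }}{{- end }}`. `index .Values.kafka.securityProtocol` with no key argument just returns the value itself; plain `.Values.kafka.securityProtocol` reads clearer.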
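Review bot: `secret-kafka.yaml` accepts the Kafka client private key only as a literal value (`kafka.tls.key`, renamed `clientKey` in the second patch), so the key has to pass through values files, CI variables and the Helm release record (`helm get values` prints it). An `existingSecret`-style option — e.g. `kafka.tls.existingSecret` naming a pre-created Secret with `client.crt`/`client.key`/`ca.crt` keys, with this template rendered only when it is empty — would let operators provision the key out of band, and the dispatcher volume would reference that name instead. Minor: `password: {{ $password | b64enc }}` is the one unquoted entry in `data:`; add `| quote` like the three lines above it.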
@@ -538,19 +538,34 @@ postgres: kafka: + # @param kafka.bootstrapServers Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). **Required** + # @param kafka.securityProtocol Protocol used to communicate with brokers. Valid values are: PLAINTEXT, SSL, SASL_PLAINTEXT, SASL_SSL. Default: PLAINTEXT. + # @param kafka.saslMechanism Authentication mechanism when security_protocol is configured for SASL_PLAINTEXT or SASL_SSL. Valid values are: PLAIN, SCRAM-SHA-256, SCRAM-SHA-512. + # @param kafka.username Username for authorization (SASL). + # @param kafka.password Password for authorization (SASL). + # @param kafka.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name. + # @param kafka.tls.rootCert Root certificate. + # @param kafka.tls.cert Client certificate. + # @param kafka.tls.key Client key. + + bootstrapServers: '' + securityProtocol: PLAINTEXT + saslMechanism: PLAIN + username: '' + password: '' + tls: + skipServerCertificateVerify: false + rootCert: '' + cert: '' + key: '' + # @extra kafka.audit **Settings for sending audit messages.** - # @param kafka.audit.bootstrapServers Comma-separated list of host and port pairs that are the addresses of the Kafka brokers (e.g. 'localhost:9092,localhost:9093'). - # @param kafka.audit.username Username for authorization (SASL/PLAINTEXT SHA-512). - # @param kafka.audit.password Password for authorization (SASL/PLAINTEXT SHA-512). - # @param kafka.audit.topic Topic to produce audit messages. + # @param kafka.audit.topic Topic to produce audit messages. **Required** # @param kafka.audit.produce.retryCount Number of retries to produce a message. # @param kafka.audit.produce.idempotentWrite Flag to enable/disable [idempotent write](https://docs.confluent.io/platform/current/installation/configuration/producer-configs.html#enable-idempotence). 
audit: - bootstrapServers: '' - username: '' - password: '' topic: '' produce: retryCount: 5 From e4269f3a2e4e5cfc5bcc0826f7f02f5914200483 Mon Sep 17 00:00:00 2001 From: Kirill Salnikov Date: Thu, 12 Dec 2024 13:20:50 +0300 Subject: [PATCH 2/2] rename kafka tls params --- charts/keys/README.md | 6 +++--- charts/keys/templates/secret-kafka.yaml | 6 +++--- charts/keys/values.yaml | 12 ++++++------ 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/charts/keys/README.md b/charts/keys/README.md index b1844b233..6569526ca 100644 --- a/charts/keys/README.md +++ b/charts/keys/README.md @@ -234,9 +234,9 @@ See the [documentation](https://docs.2gis.com/en/on-premise/keys) to learn about | `kafka.username` | Username for authorization (SASL). | `""` | | `kafka.password` | Password for authorization (SASL). | `""` | | `kafka.tls.skipServerCertificateVerify` | Controls whether a client verifies the server's certificate chain and host name. | `false` | -| `kafka.tls.rootCert` | Root certificate. | `""` | -| `kafka.tls.cert` | Client certificate. | `""` | -| `kafka.tls.key` | Client key. | `""` | +| `kafka.tls.serverCA` | Server's root certificate. | `""` | +| `kafka.tls.clientCert` | Client certificate. | `""` | +| `kafka.tls.clientKey` | Client key. | `""` | | `kafka.audit` | **Settings for sending audit messages.** | | | `kafka.audit.topic` | Topic to produce audit messages. **Required** | `""` | | `kafka.audit.produce.retryCount` | Number of retries to produce a message. | `5` | diff --git a/charts/keys/templates/secret-kafka.yaml b/charts/keys/templates/secret-kafka.yaml index 0ca240089..a216f627a 100644 --- a/charts/keys/templates/secret-kafka.yaml +++ b/charts/keys/templates/secret-kafka.yaml 
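Review bot: The `@param kafka.tls.skipServerCertificateVerify` comment reads like a neutral toggle, but `true` turns off both chain and host-name verification, so the SASL password and every audit event go to whatever endpoint answers at `bootstrapServers`. Suggest `# @param kafka.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name. Setting this to true disables broker authentication (an on-path attacker can read SASL credentials and audit data); use only in test environments.`; the README table appears to be generated from these comments and would pick the warning up. The default `securityProtocol: PLAINTEXT` also means audit traffic and SASL/PLAIN credentials leave the pod unencrypted unless an operator opts in; a sentence in the `@param kafka.securityProtocol` comment recommending `SASL_SSL` or `SSL` for production would make that trade-off explicit.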
@@ -10,9 +10,9 @@ metadata: type: Opaque data: {{- if $sslEnabled }} - client.crt: {{ required "A valid kafka.tls.cert entry required" .Values.kafka.tls.cert | b64enc | quote }} - client.key: {{ required "A valid kafka.tls.key entry required" .Values.kafka.tls.key | b64enc | quote }} - ca.crt: {{ required "A valid kafka.tls.rootCert entry required" .Values.kafka.tls.rootCert | b64enc | quote }} + client.crt: {{ required "A valid kafka.tls.clientCert entry required" .Values.kafka.tls.clientCert | b64enc | quote }} + client.key: {{ required "A valid kafka.tls.clientKey entry required" .Values.kafka.tls.clientKey | b64enc | quote }} + ca.crt: {{ required "A valid kafka.tls.serverCA entry required" .Values.kafka.tls.serverCA | b64enc | quote }} {{- end }} {{- with $password }} password: {{ $password | b64enc }} diff --git a/charts/keys/values.yaml b/charts/keys/values.yaml index c35525251..0e9d22933 100644 --- a/charts/keys/values.yaml +++ b/charts/keys/values.yaml @@ -544,9 +544,9 @@ kafka: # @param kafka.username Username for authorization (SASL). # @param kafka.password Password for authorization (SASL). # @param kafka.tls.skipServerCertificateVerify Controls whether a client verifies the server's certificate chain and host name. - # @param kafka.tls.rootCert Root certificate. - # @param kafka.tls.cert Client certificate. - # @param kafka.tls.key Client key. + # @param kafka.tls.serverCA Server's root certificate. + # @param kafka.tls.clientCert Client certificate. + # @param kafka.tls.clientKey Client key. bootstrapServers: '' securityProtocol: PLAINTEXT @@ -555,9 +555,9 @@ kafka: password: '' tls: skipServerCertificateVerify: false - rootCert: '' - cert: '' - key: '' + serverCA: '' + clientCert: '' + clientKey: '' # @extra kafka.audit **Settings for sending audit messages.**