Add support for extra certs for SCRAM proxy (#30)

* Add support for extra certs for SCRAM proxy

* Bump version and fix docs

* Remove unnecessary empty lines

* Fix lint

* Create helper for cert name generation

* Remove neon-proxy.certificate and make neon-proxy.certificate-secret a function

* Fix --certs-dir argument in scram-proxy

---------

Co-authored-by: Stas Kelvich <[email protected]>

charts/neon-proxy/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: neon-proxy
 description: Neon Proxy
 type: application
-version: 1.6.2
+version: 1.6.3
 appVersion: "0.1.0"
 kubeVersion: "^1.18.x-x"
 home: https://neon.tech

charts/neon-proxy/README.md

@@ -1,6 +1,6 @@
 # neon-proxy
 
-![Version: 1.6.2](https://img.shields.io/badge/Version-1.6.2-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) [![Lint and Test Charts](https://github.com/neondatabase/helm-charts/actions/workflows/lint-test.yaml/badge.svg)](https://github.com/neondatabase/helm-charts/actions/workflows/lint-test.yaml)
+![Version: 1.6.3](https://img.shields.io/badge/Version-1.6.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) [![Lint and Test Charts](https://github.com/neondatabase/helm-charts/actions/workflows/lint-test.yaml/badge.svg)](https://github.com/neondatabase/helm-charts/actions/workflows/lint-test.yaml)
 
 Neon Proxy
 
@@ -64,6 +64,7 @@ Kubernetes: `^1.18.x-x`
 | settings.authBackend | string | `"link"` | auth method used (console|link|postgres) |
 | settings.authEndpoint | string | `""` | auth endpoint, e.g. "http://console.neon/authenticate_proxy_request/" |
 | settings.domain | string | `""` | domain used in TLS cert for client postgres connections |
+| settings.extraDomains | list | `[]` | domains used in extra TLS certs for client postgres connections |
 | settings.metricCollectionEndpoint | string | `""` | (url) endpoint used to send metrics to. If null, metrics will not be sent. |
 | settings.metricCollectionInterval | string | `""` | (string) how often metrics should be sent. |
 | settings.sentryEnvironment | string | `"development"` | "development" or "production". It will be visible in sentry in order to filter issues |

charts/neon-proxy/templates/_helpers.tpl

@@ -64,9 +64,9 @@ Create the name of the service account to use
 {{/*
 Create the name for TLS certificate and it's secret
 */}}
-{{- define "neon-proxy.certificate" -}}
-{{- .Values.settings.domain | replace "." "-" | replace "*" "wildcard" }}
-{{- end }}
+{{- define "neon-proxy.certificate-name" -}}
+{{- . | replace "." "-" | replace "*" "wildcard" -}}
+{{- end -}}
 {{- define "neon-proxy.certificate-secret" -}}
-{{ include "neon-proxy.certificate" . }}-tls
+{{ include "neon-proxy.certificate-name" . }}-tls
 {{- end }}

charts/neon-proxy/templates/certificate.yaml

@@ -2,7 +2,7 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: {{ include "neon-proxy.certificate" . }}
+  name: {{ include "neon-proxy.certificate-name" .Values.settings.domain }}
 spec:
   commonName: {{ .Values.settings.domain | quote }}
   dnsNames:
@@ -11,7 +11,7 @@ spec:
     group: cert-manager.io
     kind: ClusterIssuer
     name: cert-manager-clusterissuer
-  secretName: {{ include "neon-proxy.certificate-secret" . }}
+  secretName: {{ include "neon-proxy.certificate-secret" .Values.settings.domain }}
   privateKey: 
     encoding: PKCS8
 {{- end }}

charts/neon-proxy/templates/certificates-extra.yaml

@@ -0,0 +1,17 @@
+{{ range .Values.settings.extraDomains }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "neon-proxy.certificate-name" . }}
+spec:
+  commonName: {{ . | quote }}
+  dnsNames:
+  - {{ . | quote }}
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: cert-manager-clusterissuer
+  secretName: {{ include "neon-proxy.certificate-secret" . }}
+  privateKey: 
+    encoding: PKCS8
+{{ end }}

charts/neon-proxy/templates/deployment.yaml

@@ -86,7 +86,11 @@ spec:
             - /certs/tls.key
             - --tls-cert
             - /certs/tls.crt
-            {{ end }}
+            {{- end }}
+            {{- if .Values.settings.extraDomains }}
+            - --certs-dir
+            - /certs-extra
+            {{- end }}
           {{- if .Values.settings }}
           env:
             {{- with .Values.settings.sentryUrl }}
@@ -103,6 +107,11 @@ spec:
             - mountPath: "/certs"
               name: certs
               readOnly: true
+            {{- range .Values.settings.extraDomains }}
+            - mountPath: '/certs-extra/{{ include "neon-proxy.certificate-name" . }}'
+              name: {{ include "neon-proxy.certificate-name" . }}
+              readOnly: true
+            {{- end }}
           {{- end }}
           ports:
             - name: proxy
@@ -150,8 +159,13 @@ spec:
       {{- if .Values.settings.domain }}
       volumes:
         - name: certs
+          secret:
+            secretName: {{ include "neon-proxy.certificate-secret" .Values.settings.domain }}
+        {{- range .Values.settings.extraDomains }}
+        - name: {{ include "neon-proxy.certificate-name" . }}
           secret:
             secretName: {{ include "neon-proxy.certificate-secret" . }}
+        {{- end }}
       {{ end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:

charts/neon-proxy/values.yaml

@@ -37,6 +37,8 @@ settings:
   authBackend: "link"
   # settings.domain -- domain used in TLS cert for client postgres connections
   domain: ""
+  # settings.extraDomains -- domains used in extra TLS certs for client postgres connections
+  extraDomains: []
   # settings.sentryUrl -- url (will be converted into `SENTRY_DSN` environment variable) used by sentry to collect error/panic events in neon-proxy
   sentryUrl: ""
   # settings.sentryEnvironment -- "development" or "production". It will be visible in sentry in order to filter issues