Add TLS support in scram-proxy (#12)

* Add TLS support in scram-proxy * Bump chart version * review fix: quote domain Co-authored-by: Stas Kelvich <[email protected]>
neondatabase · May 5, 2022 · e69c245 · e69c245
1 parent 05bb526
commit e69c245
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 2 deletions.
diff --git a/charts/neon-proxy/Chart.yaml b/charts/neon-proxy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: neon-proxy
 description: Neon Proxy
 type: application
-version: 1.2.3
+version: 1.2.4
 appVersion: "0.1.0"
 kubeVersion: "^1.18.x-x"
 home: https://neon.tech

diff --git a/charts/neon-proxy/README.md b/charts/neon-proxy/README.md
@@ -1,6 +1,6 @@
 # neon-proxy
 
-![Version: 1.2.3](https://img.shields.io/badge/Version-1.2.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) [![Lint and Test Charts](https://github.com/neondatabase/helm-charts/actions/workflows/lint-test.yaml/badge.svg)](https://github.com/neondatabase/helm-charts/actions/workflows/lint-test.yaml)
+![Version: 1.2.4](https://img.shields.io/badge/Version-1.2.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) [![Lint and Test Charts](https://github.com/neondatabase/helm-charts/actions/workflows/lint-test.yaml/badge.svg)](https://github.com/neondatabase/helm-charts/actions/workflows/lint-test.yaml)
 
 Neon Proxy
 
@@ -59,6 +59,7 @@ Kubernetes: `^1.18.x-x`
 | serviceAccount.name | string | `""` |  |
 | settings.authBackend | string | `"legacy"` | auth method used (legacy|console|link|postgres) |
 | settings.authEndpoint | string | `""` | auth endpoint, e.g. "http://console.neon/authenticate_proxy_request/" |
+| settings.domain | string | `""` | domain used in TLS cert for client postgres connections |
 | settings.uri | string | `""` |  |
 | tolerations | list | `[]` | Tolerations for pod assignment. |
 

diff --git a/charts/neon-proxy/templates/_helpers.tpl b/charts/neon-proxy/templates/_helpers.tpl
@@ -60,3 +60,13 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the name for TLS certificate and it's secret
+*/}}
+{{- define "neon-proxy.certificate" -}}
+{{- .Values.settings.domain | replace "." "-" | replace "*" "wildcard" }}
+{{- end }}
+{{- define "neon-proxy.certificate-secret" -}}
+{{ include "neon-proxy.certificate" . }}-tls
+{{- end }}
diff --git a/charts/neon-proxy/templates/certificate.yaml b/charts/neon-proxy/templates/certificate.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.settings.domain }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "neon-proxy.certificate" . }}
+spec:
+  commonName: '{{ .Values.settings.domain | quote }}'
+  dnsNames:
+  - '{{ .Values.settings.domain }}'
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: cert-manager-clusterissuer
+  secretName: {{ include "neon-proxy.certificate-secret" . }}
+  privateKey: 
+    encoding: PKCS8
+{{- end }}
diff --git a/charts/neon-proxy/templates/deployment.yaml b/charts/neon-proxy/templates/deployment.yaml
@@ -68,6 +68,18 @@ spec:
             - {{ . }}
             {{- end }}
             {{- end }}
+            {{- if .Values.settings.domain }}
+            - --tls-key
+            - /certs/tls.key
+            - --tls-cert
+            - /certs/tls.crt
+            {{ end }}
+          {{- if .Values.settings.domain }}
+          volumeMounts:
+            - mountPath: "/certs"
+              name: certs
+              readOnly: true
+          {{- end }}
           ports:
             - name: proxy
               containerPort: 5432
@@ -100,6 +112,12 @@ spec:
             timeoutSeconds: 10
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
+      {{- if .Values.settings.domain }}
+      volumes:
+        - name: certs
+          secret:
+            secretName: {{ include "neon-proxy.certificate-secret" . }}
+      {{ end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

diff --git a/charts/neon-proxy/values.yaml b/charts/neon-proxy/values.yaml
@@ -28,6 +28,8 @@ settings:
   uri: ""
   # settings.authBackend -- auth method used (legacy|console|link|postgres)
   authBackend: "legacy"
+  # settings.domain -- domain used in TLS cert for client postgres connections
+  domain: ""
 
 serviceAccount:
   # serviceAccount.create - Specifies whether a service account should be created