From e69c245f7dd2d92c1af38c8d234702f3155bcc53 Mon Sep 17 00:00:00 2001
From: Sergey Melnikov
Date: Thu, 5 May 2022 22:48:04 +0300
Subject: [PATCH] Add TLS support in scram-proxy (#12)

* Add TLS support in scram-proxy
* Bump chart version
* review fix: quote domain

Co-authored-by: Stas Kelvich
---
 charts/neon-proxy/Chart.yaml | 2 +-
 charts/neon-proxy/README.md | 3 ++-
 charts/neon-proxy/templates/_helpers.tpl | 10 ++++++++++
 charts/neon-proxy/templates/certificate.yaml | 17 +++++++++++++++++
 charts/neon-proxy/templates/deployment.yaml | 18 ++++++++++++++++++
 charts/neon-proxy/values.yaml | 2 ++
 6 files changed, 50 insertions(+), 2 deletions(-)
 create mode 100644 charts/neon-proxy/templates/certificate.yaml

diff --git a/charts/neon-proxy/Chart.yaml b/charts/neon-proxy/Chart.yaml
index 1ca06f6..44f5dfa 100644
--- a/charts/neon-proxy/Chart.yaml
+++ b/charts/neon-proxy/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: neon-proxy
 description: Neon Proxy
 type: application
-version: 1.2.3
+version: 1.2.4
 appVersion: "0.1.0"
 kubeVersion: "^1.18.x-x"
 home: https://neon.tech
diff --git a/charts/neon-proxy/README.md b/charts/neon-proxy/README.md
index 9f53cf7..9c12914 100644
--- a/charts/neon-proxy/README.md
+++ b/charts/neon-proxy/README.md
@@ -1,6 +1,6 @@
 # neon-proxy
 
-![Version: 1.2.3](https://img.shields.io/badge/Version-1.2.3-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) [![Lint and Test Charts](https://github.com/neondatabase/helm-charts/actions/workflows/lint-test.yaml/badge.svg)](https://github.com/neondatabase/helm-charts/actions/workflows/lint-test.yaml)
+![Version: 1.2.4](https://img.shields.io/badge/Version-1.2.4-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) [![Lint and Test Charts](https://github.com/neondatabase/helm-charts/actions/workflows/lint-test.yaml/badge.svg)](https://github.com/neondatabase/helm-charts/actions/workflows/lint-test.yaml)
 
 Neon Proxy
 
@@ -59,6 +59,7 @@ Kubernetes: `^1.18.x-x`
 | serviceAccount.name | string | `""` | |
 | settings.authBackend | string | `"legacy"` | auth method used (legacy|console|link|postgres) |
 | settings.authEndpoint | string | `""` | auth endpoint, e.g. "http://console.neon/authenticate_proxy_request/" |
+| settings.domain | string | `""` | domain used in TLS cert for client postgres connections |
 | settings.uri | string | `""` | |
 | tolerations | list | `[]` | Tolerations for pod assignment. |
 
diff --git a/charts/neon-proxy/templates/_helpers.tpl b/charts/neon-proxy/templates/_helpers.tpl
index 8f8d688..11453a1 100644
--- a/charts/neon-proxy/templates/_helpers.tpl
+++ b/charts/neon-proxy/templates/_helpers.tpl
@@ -60,3 +60,13 @@ Create the name of the service account to use
 {{- default "default" .Values.serviceAccount.name }}
 {{- end }}
 {{- end }}
+
+{{/*
+Create the name for TLS certificate and it's secret
+*/}}
+{{- define "neon-proxy.certificate" -}}
+{{- .Values.settings.domain | replace "." "-" | replace "*" "wildcard" }}
+{{- end }}
+{{- define "neon-proxy.certificate-secret" -}}
+{{ include "neon-proxy.certificate" . }}-tls
+{{- end }}
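Review bot: The `neon-proxy.certificate` helper feeds its output straight into `metadata.name` and `secretName`, but it neither lowercases nor length-limits the value, so a domain with uppercase letters, or one that exceeds 63 characters after the `.`→`-` rewrite, produces a name the API server rejects under DNS-1123 rules. Extending the pipeline to `{{- .Values.settings.domain | replace "." "-" | replace "*" "wildcard" | lower | trunc 59 | trimSuffix "-" }}` keeps the derived name valid and leaves room for the `-tls` suffix that `neon-proxy.certificate-secret` appends. The header comment also has a typo; it should read `Create the name for TLS certificate and its secret`.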
diff --git a/charts/neon-proxy/templates/certificate.yaml b/charts/neon-proxy/templates/certificate.yaml
new file mode 100644
index 0000000..da8f8bf
--- /dev/null
+++ b/charts/neon-proxy/templates/certificate.yaml
@@ -0,0 +1,17 @@
+{{- if .Values.settings.domain }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ include "neon-proxy.certificate" . }}
+spec:
+ commonName: '{{ .Values.settings.domain | quote }}'
+ dnsNames:
+ - '{{ .Values.settings.domain }}'
+ issuerRef:
+ group: cert-manager.io
+ kind: ClusterIssuer
+ name: cert-manager-clusterissuer
+ secretName: {{ include "neon-proxy.certificate-secret" . }}
+ privateKey:
+ encoding: PKCS8
+{{- end }}
diff --git a/charts/neon-proxy/templates/deployment.yaml b/charts/neon-proxy/templates/deployment.yaml
index 0250a8f..e7580c4 100644
--- a/charts/neon-proxy/templates/deployment.yaml
+++ b/charts/neon-proxy/templates/deployment.yaml
@@ -68,6 +68,18 @@ spec:
 - {{ . }}
 {{- end }}
 {{- end }}
+ {{- if .Values.settings.domain }}
+ - --tls-key
+ - /certs/tls.key
+ - --tls-cert
+ - /certs/tls.crt
+ {{ end }}
+ {{- if .Values.settings.domain }}
+ volumeMounts:
+ - mountPath: "/certs"
+ name: certs
+ readOnly: true
+ {{- end }}
 ports:
 - name: proxy
 containerPort: 5432
@@ -100,6 +112,12 @@ spec:
 timeoutSeconds: 10
 resources:
 {{- toYaml .Values.resources | nindent 12 }}
+ {{- if .Values.settings.domain }}
+ volumes:
+ - name: certs
+ secret:
+ secretName: {{ include "neon-proxy.certificate-secret" . }}
+ {{ end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/neon-proxy/values.yaml b/charts/neon-proxy/values.yaml
index bf9d4ed..215d919 100644
--- a/charts/neon-proxy/values.yaml
+++ b/charts/neon-proxy/values.yaml
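Review bot: `commonName: '{{ .Values.settings.domain | quote }}'` quotes twice: `quote` already emits the value wrapped in double quotes, and the surrounding single quotes then make those double-quote characters part of the rendered string, so the certificate's CN becomes the literal `"example.com"` (quotes included) rather than the domain. The `dnsNames` entry just below is quoted once and is correct; the CN line should use a single mechanism, `commonName: {{ .Values.settings.domain | quote }}`. Separately, `issuerRef.name: cert-manager-clusterissuer` is hard-coded, so the chart can only be installed on clusters whose ClusterIssuer carries exactly that name; exposing it as a value (for example a `settings.issuerName` defaulting to the current string) would remove that coupling without changing behaviour for existing users.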
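Review bot: The args block closes with `{{ end }}` while every other action in this hunk uses the whitespace-trimming `{{- end }}`, so the rendered manifest gains a whitespace-only line at the args indentation whenever `settings.domain` is set; the same untrimmed `{{ end }}` closes the `volumes` block in the second deployment.yaml hunk. Changing both to `{{- end }}` keeps the rendered output clean and matches the chart's existing style. The hunk also introduces a `volumeMounts:` key for the container; if the container spec already declares `volumeMounts` elsewhere in the template (outside this hunk, so I cannot confirm), the result would be a duplicate mapping key that most YAML loaders silently resolve last-wins, which is worth checking in the full file.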
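Review bot: Nothing in this hunk accounts for certificate renewal: cert-manager rewrites the secret referenced by `secretName` before expiry and the kubelet refreshes the mounted `tls.crt`/`tls.key`, but whether the proxy re-reads those files after startup is not visible from the chart. If the binary loads them only once, the pod keeps presenting the old certificate until it is restarted, and the chart offers no restart trigger. If a reload is not built into the proxy, a comment on the `volumes` block (or on `settings.domain` in values.yaml) stating that a pod restart is required after renewal would stop operators from discovering this at expiry time.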
@@ -28,6 +28,8 @@ settings:
 uri: ""
 # settings.authBackend -- auth method used (legacy|console|link|postgres)
 authBackend: "legacy"
+ # settings.domain -- domain used in TLS cert for client postgres connections
+ domain: ""
 
 serviceAccount:
 # serviceAccount.create - Specifies whether a service account should be created
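Review bot: The comment on `domain` does not say what setting it actually switches on: from the templates in this patch, a non-empty value creates a cert-manager `Certificate` against a ClusterIssuer named `cert-manager-clusterissuer` and starts the proxy with `--tls-key`/`--tls-cert`, while the empty default leaves TLS off entirely. Since helm-docs copies this line into the README, it would help to state that here, e.g. `# settings.domain -- domain used in TLS cert for client postgres connections; empty disables TLS. Requires cert-manager and a ClusterIssuer named cert-manager-clusterissuer`.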