Enabling secrets for ES certs and credentials #696

Merged
merged 5 commits into from
Feb 6, 2024
9 changes: 9 additions & 0 deletions charts/backingservices/charts/srs/README.md
Expand Up @@ -129,6 +129,8 @@ To configure a secure connection between SRS and an external Elasticsearch clust
| `tls` | Set to `true` to enable the SRS service to authenticate to your organization's available Elasticsearch service. |
| `certificateName` | Enter the tls certificate name. Default certificate name will be "elastic-certificates.p12" if not used. |
| `certificatePassword` | Enter the tls certificate password if any. Default value will be empty if not used. |
| `certsSecret` | To specify a certificate using a secret, uncomment the certsSecret parameter and provide the secret name containing your certificate and certificate password. Use the full name of the certificate file (together with file extension, for example, “certificate.p12” or“certificate.jks”) as a key name in the secret. Use this key name to configure the “certificateName”parameter.Use a key name “password” to provide the certificate password in the secret. Defaults to "srs-certificates".|
| `authSecret` | Specify the secret with your Elasticsearch credentials. Use “username” and “password” as keys for your secret.This parameter applies to both basic authentication and TLS-based authentication. Defaults to "srs-elastic-credentials".|
| `esCredentials.username` | Enter the username for your available Elasticsearch service. This username value must match the values you set in the connection info section of esCredentials. |
| `esCredentials.password` | Enter the required password for your available Elasticsearch service. This password value must match the values you set in the connection info section of esCredentials. |
| `srsStorage.provisionInternalESCluster` | <ol><li>Set the `srsStorage.provisionInternalESCluster` parameter to `false` to disable the internally provisioned Elasticsearch cluster and connect to your available external Elasticsearch service.</li><li>To secure the connection between SRS and your external Elasticsearch service, you must provide the appropriate TLS certificates in an accessible location, for example, /home/certs.</li><li>To pass the required certificates to the cluster using a secrets file, run the following command: <p>`$ make external-es-secrets NAMESPACE=<NAMESPACE_USED_FOR_DEPLOYMENT> ELASTICSEARCH_VERSION=<ELASTICSEARCH_VERSION> PATH_TO_CERTIFICATE=<PATH_TO_CERTS>`</p><p>Where NAMESPACE references your deployment namespace of the SRS cluster, `ELASTICSEARCH_VERSION` matches the Elasticsearch version you want to use, and `PATH_TO_CERTIFICATE` points to the location where you copied the required certificates on your location machine, for example:</p><p>`$ make external-es-secrets NAMESPACE=pegabackingservices ELASTICSEARCH_VERSION=7.10.2 PATH_TO_CERTIFICATE=/home/certs/truststore.jks`</p></li><li>To update the SRS and External Elasticsearch certificates, use the following command: <p>`$ make update-external-es-secrets NAMESPACE=<NAMESPACE_OF EXISTING_DEPLOYMENT> PATH_TO_CERTIFICATE=<PATH_TO_THE_UPDATED_CERTIFICATES>`</p></li></ol> |
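Review bot: the new `certsSecret` and `authSecret` rows are missing spaces after several typographic quotes and full stops, e.g. `“certificate.p12” or“certificate.jks”`, `the “certificateName”parameter.Use a key name` and `for your secret.This parameter`; please add the spaces and use plain ASCII quotes so the key names render as code like the rest of the table. The `certsSecret` row should also state that the secret must already exist in the release namespace: the deployment template only mounts it by name, and the key holding the certificate must be spelled exactly as `certificateName` because `PATH_TO_TRUSTSTORE` is built from `certificateName`, so a mismatch leaves the pod pointing at a file that is not in the mounted volume.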
Expand Down Expand Up @@ -197,13 +199,20 @@ srs:
# Default certificatePassword value will be empty if not used.
# certificateName: "Certificate_Name"
# certificatePassword: "password"
# To specify a certificate using a secret, uncomment the certsSecret parameter and provide the secret name containing your certificate and certificate password.
# Use the full name of the certificate file (together with file extension, for example, “certificate.p12” or “certificate.jks”) as a key name in the secret. Use this key name to configure the “certificateName” parameter.
# Use a key name “password” to provide the certificate password in the secret.
# certsSecret: srs-certificates
# Set srs.srsStorage.basicAuthentication.enabled: true to enable the use of basic authentication to your Elasticsearch service whether is it running as an internalized or externalized service in your SRS cluster.
basicAuthentication:
enabled: true
# To configure basic authentication or TLS-based authentication to your externally-managed Elasticsearch service in your SRS cluster, uncomment and add the parameter details: srs.srsStorage.esCredentials.username and srs.srsStorage.esCredentials.password.
# esCredentials:
# username: "username"
# password: "password"
# To use a secret to configure basic authentication or TLS-based authentication between your external Elasticsearch service and SRS,
# uncomment the authSecret parameter and set it to the secret name. Use "username" and "password" as keys for your secret.
# authSecret: srs-elastic-credentials
# To configure AWS IAM role-based authentication to your externally-managed Elasticsearch cluster, uncomment
# and add the parameter details: srs.srsStorage.awsIAM and its associated region, srs.srsStorage.awsIAM.region
# awsIAM:
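Review bot: the `authSecret` comment restricts the secret to authentication "between your external Elasticsearch service and SRS", but the `basicAuthentication` comment a few lines above says basic authentication applies whether Elasticsearch is internal or external, and the deployment template reads `authSecret` under both the `basic-authentication` and `tls` branches; drop the word "external" here (and in the matching values.yaml comment) or explain the restriction. While editing this block, fix the pre-existing typo in the `basicAuthentication` comment: "whether is it running" should read "whether it is running".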
@@ -1,4 +1,4 @@
{{- if or (eq (include "elasticsearch.authProvider" .) "basic-authentication") (eq (include "elasticsearch.authProvider" .) "tls")}}
{{- if and (not .Values.srsStorage.authSecret) (or (eq (include "elasticsearch.authProvider" .) "basic-authentication") (eq (include "elasticsearch.authProvider" .) "tls"))}}
apiVersion: v1
kind: Secret
metadata:
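Review bot: the new guard `and (not .Values.srsStorage.authSecret) (or ...)` correctly stops the chart from rendering its own `srs-elastic-credentials` Secret when the user supplies one, but nothing tells a user who sets both `authSecret` and `esCredentials` that the latter is now unused; consider a `fail` in this template (or a NOTES.txt warning) when both are set, so the misconfiguration is caught at `helm install` rather than at first login to Elasticsearch. Minor: `include "elasticsearch.authProvider" .` is evaluated twice in the same condition; capture it once in a variable (`{{- $provider := include "elasticsearch.authProvider" . }}`) and compare against that.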
Expand Up @@ -60,30 +60,38 @@ spec:
{{- if eq (include "elasticsearch.authProvider" $) "basic-authentication" }}
- name: ELASTICSEARCH_USERNAME
valueFrom:
secretKeyRef:
name: srs-elastic-credentials
secretKeyRef:
name: "{{ .Values.srsStorage.authSecret | default "srs-elastic-credentials"}}"
key: username
- name: ELASTICSEARCH_PASSWORD
valueFrom:
secretKeyRef:
name: srs-elastic-credentials
name: "{{ .Values.srsStorage.authSecret | default "srs-elastic-credentials"}}"
key: password
{{- end}}
{{- if eq (include "elasticsearch.authProvider" $) "tls" }}
- name: ELASTICSEARCH_USERNAME
valueFrom:
secretKeyRef:
name: srs-elastic-credentials
name: "{{ .Values.srsStorage.authSecret | default "srs-elastic-credentials"}}"
key: username
- name: ELASTICSEARCH_PASSWORD
valueFrom:
secretKeyRef:
name: srs-elastic-credentials
name: "{{ .Values.srsStorage.authSecret | default "srs-elastic-credentials"}}"
key: password
- name: PATH_TO_TRUSTSTORE
value: "/usr/share/{{ .Values.srsStorage.certificateName | default "elastic-certificates.p12"}}"
{{ if not .Values.srsStorage.certsSecret }}
- name: PATH_TO_KEYSTORE
value: "{{ .Values.srsStorage.certificatePassword | default ""}}"
{{ else }}
- name: PATH_TO_KEYSTORE
valueFrom:
secretKeyRef:
name: "{{ .Values.srsStorage.certsSecret | default "srs-certificates"}}"
key: password
{{- end }}
{{- end}}
- name: APPLICATION_HOST
value: "0.0.0.0"
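Review bot: in the `{{ else }}` branch the `| default "srs-certificates"` on the `PATH_TO_KEYSTORE` secretKeyRef is dead code, because that branch only renders when `.Values.srsStorage.certsSecret` is set; either drop the default or, better, collapse both branches into a single `secretKeyRef` against `{{ .Values.srsStorage.certsSecret | default "srs-certificates" }}` and have the chart write `certificatePassword` into a chart-managed Secret, since the `{{ if not ... }}` branch still emits the certificate password as a literal `value:` in the pod spec, readable by anyone with `get` on deployments or pods. Two smaller points: `{{ if not .Values.srsStorage.certsSecret }}` and `{{ else }}` lack the `{{-` whitespace trim used everywhere else in this block and will leave blank lines in the rendered manifest; and the `basic-authentication` and `tls` branches now emit identical `ELASTICSEARCH_USERNAME`/`ELASTICSEARCH_PASSWORD` entries, so they could be one `{{- if or ... }}` block. Finally, `PATH_TO_KEYSTORE` carries a password, not a path; renaming it is worth doing while the contract for this variable is already changing.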
Expand All @@ -101,7 +109,7 @@ spec:
volumes:
- name: srs-certificates
secret:
secretName: srs-certificates
secretName: "{{ .Values.srsStorage.certsSecret | default "srs-certificates"}}"
{{ end }}
{{- if .Values.srsStorage.provisionInternalESCluster }}
initContainers:
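Review bot: the `srs-certificates` volume now mounts whatever `certsSecret` names, but the `secret:` stanza has no `optional` flag and nothing validates the name, so a typo in `certsSecret` leaves the pod stuck in `ContainerCreating` with a `MountVolume.SetUp failed` event instead of a clear Helm error; add a `required`-style check on the value or at least document that the secret must exist in the release namespace before `helm install`. Also confirm that the `{{ end }}` closing this volume block matches the condition under which the `PATH_TO_TRUSTSTORE` env entry is rendered, so the truststore path can never refer to a volume that was not mounted.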
7 changes: 7 additions & 0 deletions charts/backingservices/values.yaml
Expand Up @@ -61,6 +61,10 @@ srs:
# Default certificatePassword value will be empty if not used.
# certificateName: "Certificate_Name"
# certificatePassword: "password"
# To specify a certificate using a secret, uncomment the certsSecret parameter and provide the secret name containing your certificate and certificate password.
# Use the full name of the certificate file (together with file extension, for example, “certificate.p12” or “certificate.jks”) as a key name in the secret. Use this key name
# to configure the “certificateName” parameter. Use a key name “password” to provide the certificate password in the secret.
# certsSecret: srs-certificates
# Set srs.srsStorage.basicAuthentication.enabled: true to enable the use of basic authentication to your Elasticsearch service
# whether is it running as an internalized or externalized service in your SRS cluster.
basicAuthentication:
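Review bot: the `certsSecret` comment should spell out the coupling the deployment template relies on: the key holding the certificate must match `srsStorage.certificateName` exactly (including the extension) because `PATH_TO_TRUSTSTORE` is built from `certificateName`, and the `password` key is only read when `certsSecret` is set, otherwise `certificatePassword` is used. Also, the commented example value `srs-certificates` equals the deployment's fallback, so a user who uncomments it unchanged gets the default behaviour; a placeholder like the `"Certificate_Name"` used for `certificateName` above would make the intent clearer.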
Expand All @@ -70,6 +74,9 @@ srs:
# esCredentials:
# username: "username"
# password: "password"
# To use a secret to configure basic authentication or TLS-based authentication between your external Elasticsearch service and SRS,
# uncomment the authSecret parameter and set it to the secret name. Use "username" and "password" as keys for your secret.
# authSecret: srs-elastic-credentials
# To configure AWS IAM role-based authentication to your externally-managed Elasticsearch cluster, uncomment
# and add the parameter details: srs.srsStorage.awsIAM and its associated region, srs.srsStorage.awsIAM.region
# awsIAM:
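Review bot: the `authSecret` comment should say what happens to `esCredentials` once `authSecret` is set: the chart then skips rendering its own `srs-elastic-credentials` Secret and the pod reads `username` and `password` from the named secret, so `esCredentials.username` and `esCredentials.password` are ignored. One sentence here ("If `authSecret` is set, `esCredentials` is not used") prevents the obvious mistake of filling in both. As in the README, "between your external Elasticsearch service and SRS" is narrower than the template, which uses `authSecret` for both the `basic-authentication` and `tls` providers.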