Skip to content

Commit

Permalink
Allow a password to be supplied for the truststore (#3)
Browse files Browse the repository at this point in the history
This adds a new helm chart parameter to allow you to specify a password
for the truststore.

This also fixes a bug where the extra JVM opts were not included if
specified.
  • Loading branch information
spilchen authored Dec 2, 2023
1 parent b707618 commit 7eed331
Show file tree
Hide file tree
Showing 6 changed files with 100 additions and 29 deletions.
2 changes: 1 addition & 1 deletion Chart.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -15,7 +15,7 @@ apiVersion: v2
name: vertica-kafka-scheduler
description: Deploys the Vertica Kafka Scheduler in Kubernetes
type: application
version: 0.1.5
version: 0.1.6
# The appVersion corresponds to the Vertica version
appVersion: "23.4.0"
icon: https://raw.githubusercontent.com/vertica/kafka-scheduler-chart/main/vertica-logo.png
Expand Down
13 changes: 7 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -25,11 +25,12 @@ This helm chart will deploy the vertica kafka scheduler. It will deploy the vert
| serviceAccount.create | If true, a ServiceAccount is created as part of the deployment | true |
| serviceAccount.name | Name of the service account. If not set and create is true, a name is generated using the fullname template | |
| tls.enabled | If true, we setup with the assumption that TLS authentication will be used. | false |
| tls.keyStoreMountPath | Directory name where the keystore will be mounted in the pod | |
| tls.keyStorePassword | The password to use along with the keystore | |
| tls.keyStoreSecretKey | A key within the tls.keyStoreSecretName that will be used as the keystore file name. If this is omitted, then no keystore information is included. | |
| tls.keyStoreSecretName | Name of an existing Secret that contains the keystore | |
| tls.trustStoreMountPath | Directory name where the truststore will be mounted in the pod | |
| tls.trustStoreSecretKey | A key within tls.trustStoreSecretName that will be used as the truststore file name | |
| tls.keyStoreMountPath | Directory name where the keystore will be mounted in the pod. This controls the name of the keystore within the pod. The full path to the keystore will be constructed by combining this parameter with tls.keyStoreSecretKey. | |
| tls.keyStorePassword | The password to use along with the keystore. If omitted, then no password is used. | |
| tls.keyStoreSecretKey | A key within tls.keyStoreSecretName that will be used as the keystore file name. This is used along with tls.keyStoreMountPath to form the full path to the key in the pod. | |
| tls.keyStoreSecretName | Name of an existing Secret that contains the keystore. If this is omitted, then no keystore information is included. | |
| tls.trustStoreMountPath | Directory name where the truststore will be mounted in the pod. This controls the name of the truststore within the pod. The full path to the truststore will be constructed by combining this parameter with tls.trustStoreSecretKey. | |
| tls.trustStorePassword | The password to use along with the truststore. If omitted, then no password is used. | |
| tls.trustStoreSecretKey | A key within tls.trustStoreSecretName that will be used as the truststore file name. This is used along with tls.trustStoreMountPath to form the full path to the key in the pod. | |
| tls.trustStoreSecretName | Name of an existing Secret that contains the truststore. If this is omitted, then no truststore information is included. | |
| tolerations | Tolerations to use with the pods to control where it is scheduled | |
32 changes: 27 additions & 5 deletions templates/_helpers.tpl
Original file line number Diff line number Diff line change
Expand Up @@ -103,9 +103,31 @@ Create the name of the service account to use
Generate te value for VKCONFIG_JVM_OPTS based on values.yaml
*/}}
{{- define "vertica-kafka-scheduler.jvmOpts" -}}
{{- if .Values.tls.enabled -}}
"{{ if .Values.tls.trustStoreSecretName }}-Djavax.net.ssl.trustStore={{ .Values.tls.trustStoreMountPath }}/{{ .Values.tls.trustStoreSecretKey }}{{ end }}{{ if .Values.tls.keyStoreSecretName }} -Djavax.net.ssl.keyStore={{ .Values.tls.keyStoreMountPath }}/{{ .Values.tls.keyStoreSecretKey }} -Djavax.net.ssl.keyStorePassword={{ .Values.tls.keyStorePassword }} {{ .Values.jvmOpts }}{{ end }}"
{{- else -}}
{{ default (quote "") .Values.jvmOpts }}
{{- end }}
{{- $opts := list ( include "vertica-kafka-scheduler.trustStore" . ) ( include "vertica-kafka-scheduler.trustStorePassword" . ) ( include "vertica-kafka-scheduler.keyStore" . ) ( include "vertica-kafka-scheduler.keyStorePassword" . ) .Values.jvmOpts -}}
{{- $opts := compact $opts -}}
{{ join " " $opts | quote }}
{{- end }}

{{- define "vertica-kafka-scheduler.trustStore" -}}
{{- if .Values.tls.enabled -}}
{{ if .Values.tls.trustStoreSecretName }}-Djavax.net.ssl.trustStore={{ .Values.tls.trustStoreMountPath }}/{{ .Values.tls.trustStoreSecretKey }}{{ end -}}
{{- end -}}
{{- end -}}

{{- define "vertica-kafka-scheduler.trustStorePassword" -}}
{{- if .Values.tls.enabled -}}
{{ if .Values.tls.trustStorePassword }}-Djavax.net.ssl.trustStorePassword={{ .Values.tls.trustStorePassword }}{{ end -}}
{{- end -}}
{{- end -}}

{{- define "vertica-kafka-scheduler.keyStore" -}}
{{- if .Values.tls.enabled -}}
{{ if .Values.tls.keyStoreSecretName }}-Djavax.net.ssl.keyStore={{ .Values.tls.keyStoreMountPath }}/{{ .Values.tls.keyStoreSecretKey }}{{ end }}
{{- end -}}
{{- end -}}

{{- define "vertica-kafka-scheduler.keyStorePassword" -}}
{{- if .Values.tls.enabled -}}
{{ if .Values.tls.keyStorePassword }}-Djavax.net.ssl.keyStorePassword={{ .Values.tls.keyStorePassword }}{{ end -}}
{{- end -}}
{{- end -}}
53 changes: 51 additions & 2 deletions tests/tls_test.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,19 @@ tests:
content:
name: VKCONFIG_JVM_OPTS
value: ""
- it: should have only JVM opts set if TLS is disabled
set:
tls.enabled: false
jvmOpts: "-Dspecial-fix=true"
launcherEnabled: true
asserts:
- isKind:
of: Deployment
- contains:
path: spec.template.spec.containers[0].env
content:
name: VKCONFIG_JVM_OPTS
value: "-Dspecial-fix=true"
- it: should have JVM opts set if TLS is configured with all opts
set:
tls:
Expand Down Expand Up @@ -45,7 +58,7 @@ tests:
path: spec.template.spec.containers[0].env
content:
name: VKCONFIG_JVM_OPTS
value: '-Djavax.net.ssl.trustStore=/truststore/truststore -Djavax.net.ssl.keyStore=/keystore/keystore -Djavax.net.ssl.keyStorePassword=pwd '
value: '-Djavax.net.ssl.trustStore=/truststore/truststore -Djavax.net.ssl.keyStore=/keystore/keystore -Djavax.net.ssl.keyStorePassword=pwd'
- it: should have JVM opts set if TLS is configured with just truststore
set:
tls:
Expand Down Expand Up @@ -120,4 +133,40 @@ tests:
path: spec.template.spec.containers[0].env
content:
name: VKCONFIG_JVM_OPTS
value: ' -Djavax.net.ssl.keyStore=/keystore/keystore -Djavax.net.ssl.keyStorePassword=my-secret '
value: '-Djavax.net.ssl.keyStore=/keystore/keystore -Djavax.net.ssl.keyStorePassword=my-secret'
- it: should concatenate custom JVM opts from TLS config
set:
tls:
enabled: true
keyStoreMountPath: /keystore
keyStoreSecretKey: keystore
keyStoreSecretName: keystore-secret
keyStorePassword: my-secret
jvmOpts: "-Dmy-special-opt"
launcherEnabled: true
asserts:
- isKind:
of: Deployment
- contains:
path: spec.template.spec.containers[0].env
content:
name: VKCONFIG_JVM_OPTS
value: '-Djavax.net.ssl.keyStore=/keystore/keystore -Djavax.net.ssl.keyStorePassword=my-secret -Dmy-special-opt'
- it: should allow truststore password to be set in TLS config
set:
tls:
enabled: true
trustStoreMountPath: /truststore
trustStoreSecretKey: my-truststore.jks
trustStoreSecretName: trust-store-secret
trustStorePassword: abcdef123
launcherEnabled: true
jvmOpts: "-Dextra-opt"
asserts:
- isKind:
of: Deployment
- contains:
path: spec.template.spec.containers[0].env
content:
name: VKCONFIG_JVM_OPTS
value: '-Djavax.net.ssl.trustStore=/truststore/my-truststore.jks -Djavax.net.ssl.trustStorePassword=abcdef123 -Dextra-opt'
27 changes: 12 additions & 15 deletions values.schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -111,43 +111,40 @@
"default": false
},
"trustStoreSecretName": {
"description": "Name of a preexisting Secret that contains the truststore to use.",
"description": "Name of an existing Secret that contains the keystore. If this is omitted, then no keystore information is included.",
"type": "string"
},
"trustStoreMountPath": {
"description": "The directory mount for the trustStoreSecretName",
"description": "Directory name where the truststore will be mounted in the pod. This controls the name of the truststore within the pod. The full path to the truststore will be constructed by combining this parameter with trustStoreSecretKey.",
"type": "string"
},
"trustStoreSecretKey": {
"description": "The key within trustStoreSecretName that has the truststore to use. This will be mounted as a file within the pod",
"description": "A key within tls.trustStoreSecretName that will be used as the truststore file name. This is used along with tls.trustStoreMountPath to form the full path to the key in the pod.",
"type": "string"
},
"trustStorePassword": {
"description": "The password to use along with the truststore. If omitted, then no password is used.",
"type": "string"
},
"keyStoreSecretName": {
"description": "Name of a preexisting Secret that contains the keystore to use",
"description": "Name of an existing Secret that contains the keystore. If this is omitted, then no keystore informiation is included.",
"type": "string"
},
"keyStoreMountPath": {
"description": "The directory mount for the keyStoreSecretName",
"description": "Directory name where the keystore will be mounted in the pod. This controls the name of the keystore within the pod. The full path to the keystore will be constructed by combining this parameter with keyStoreSecretKey.",
"type": "string"
},
"keyStoreSecretKey": {
"description": "The key within keyStoreSecretName that has the keystore to use. This will be mounted as a file within the pod.",
"description": "A key within keyStoreSecretName that will be used as the keystore file name. This is used along with tls.keyStoreMountPath to form the full path to the key in the pod.",
"type": "string"
},
"keyStorePassword": {
"description": "The password to access the keystore",
"description": "The password to use along with the keystore. If omitted, then no password is used.",
"type": "string"
}
},
"required": [
"enabled",
"keyStoreMountPath",
"keyStorePassword",
"keyStoreSecretKey",
"keyStoreSecretName",
"trustStoreMountPath",
"trustStoreSecretKey",
"trustStoreSecretName"
"enabled"
],
"title": "TLS"
},
Expand Down
2 changes: 2 additions & 0 deletions values.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -80,6 +80,8 @@ tls:
# The key within trustStoreSecretName that has the truststore to use. This
# will be mounted as a file within the pod.
trustStoreSecretKey: ""
# The password to access the truststore
trustStorePassword: ""
# Name of a preexisting Secret that contains the keystore to use.
keyStoreSecretName: ""
# The next two control the name of the key store. The path will be:
Expand Down

0 comments on commit 7eed331

Please sign in to comment.