From 553f88664562d6dc715a9c31760170e51e0b2e13 Mon Sep 17 00:00:00 2001
From: omkar
Date: Tue, 13 Aug 2024 18:34:16 +0530
Subject: [PATCH] added tls configuration for elasticsearch
---
 .../temporal/templates/server-configmap.yaml | 19 ++++++++++++---
 .../temporal/templates/server-deployment.yaml | 23 ++++++++++++++++---
 charts/temporal/templates/server-job.yaml | 23 ++++++++++++++-----
 charts/temporal/values.yaml | 6 +++++
 .../temporal/values/values.elasticsearch.yaml | 2 ++
 5 files changed, 61 insertions(+), 12 deletions(-)
diff --git a/charts/temporal/templates/server-configmap.yaml b/charts/temporal/templates/server-configmap.yaml
index e7f93dfd..80e704ea 100644
--- a/charts/temporal/templates/server-configmap.yaml
+++ b/charts/temporal/templates/server-configmap.yaml
@@ -52,13 +52,26 @@ data: elasticsearch: version: "{{ $elasticsearch.version }}" url: - scheme: "{{ $elasticsearch.scheme }}" - host: "{{ $elasticsearch.host }}:{{ $elasticsearch.port }}" + scheme: "{{ $elasticsearch.scheme }}" + host: "{{ $elasticsearch.host }}:{{ $elasticsearch.port }}" username: "{{ $elasticsearch.username }}" password: {{ `{{ .Env.TEMPORAL_VISIBILITY_STORE_PASSWORD | quote }}` }} logLevel: "{{ $elasticsearch.logLevel }}" + {{- if $elasticsearch.tls.enabled }} + tls: + enabled: {{ $elasticsearch.tls.enabled }} + {{- if $elasticsearch.tls.cert }} + certFile: "/etc/temporal/elasticsearch-certs/{{ $elasticsearch.tls.cert }}" + {{- end }} + {{- if $elasticsearch.tls.key }} + keyFile: "/etc/temporal/elasticsearch-certs/{{ $elasticsearch.tls.key }}" + {{- end }} + {{- if $elasticsearch.tls.ca }} + caFile: "/etc/temporal/elasticsearch-certs/{{ $elasticsearch.tls.ca }}" + {{- end }} + {{- end }} indices: - visibility: "{{ $elasticsearch.visibilityIndex }}" + visibility: "{{ $elasticsearch.visibilityIndex }}" {{- else if eq (include "temporal.persistence.driver" (list $ "visibility")) "sql" }} sql: pluginName: "{{ include "temporal.persistence.sql.driver" (list $ "visibility") }}" 
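Review bot: The rendered `tls:` block only carries `enabled`, `certFile`, `keyFile` and `caFile`; as far as I recall Temporal's `auth.TLS` config treats server-certificate verification as a separate opt-in flag (`enableHostVerification`, with `serverName` for the expected hostname) that defaults to off, so an operator who supplies `caFile` expecting the server to be verified may still get an unverified connection. Expose the flag in values and render it next to `enabled`, e.g. `enableHostVerification: {{ $elasticsearch.tls.enableHostVerification | default false }}`, and confirm the field name against the Temporal version the chart ships. Separately, the cert paths are emitted whenever `tls.cert`/`tls.key`/`tls.ca` are set, but nothing is mounted at `/etc/temporal/elasticsearch-certs` unless `tls.secretName` is also set; a `{{ required "elasticsearch.tls.secretName must be set when elasticsearch.tls.enabled is true" $elasticsearch.tls.secretName }}` inside the `if` turns a runtime file-not-found into a render-time error. Note also that `scheme` is rendered independently of `tls.enabled`, so `tls.enabled: true` with the `scheme: "http"` default produces a contradictory config.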
diff --git a/charts/temporal/templates/server-deployment.yaml b/charts/temporal/templates/server-deployment.yaml index 13e0814f..6947c1ce 100644 --- a/charts/temporal/templates/server-deployment.yaml +++ b/charts/temporal/templates/server-deployment.yaml @@ -1,6 +1,7 @@ {{- if $.Values.server.enabled }} {{- range $service := (list "frontend" "history" "matching" "worker") }} {{ $serviceValues := index $.Values.server $service }} +{{- $elasticsearch := $.Values.elasticsearch -}} apiVersion: apps/v1 kind: Deployment metadata: @@ -36,7 +37,7 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} {{- end }} - {{- if or $.Values.cassandra.enabled (or $.Values.elasticsearch.enabled $.Values.elasticsearch.external)}} + {{- if or $.Values.cassandra.enabled (or $elasticsearch.enabled $elasticsearch.external)}} initContainers: {{- if $.Values.cassandra.enabled }} - name: check-cassandra-service 
@@ -51,11 +52,17 @@ spec: imagePullPolicy: {{ $.Values.cassandra.image.pullPolicy }} command: ['sh', '-c', 'until cqlsh {{ include "cassandra.host" $ }} {{ $.Values.cassandra.config.ports.cql }} -e "SELECT keyspace_name FROM system_schema.keyspaces" | grep {{ $.Values.server.config.persistence.default.cassandra.keyspace }}$; do echo waiting for default keyspace to become ready; sleep 1; done;'] {{- end }} - {{- if or $.Values.elasticsearch.enabled $.Values.elasticsearch.external }} + {{- if or $elasticsearch.enabled $elasticsearch.external }} - name: check-elasticsearch-index image: "{{ $.Values.admintools.image.repository }}:{{ $.Values.admintools.image.tag }}" imagePullPolicy: {{ $.Values.admintools.image.pullPolicy }} - command: ['sh', '-c', 'until curl --silent --fail {{- if and $.Values.elasticsearch.username $.Values.elasticsearch.password }} --user "{{ $.Values.elasticsearch.username }}:{{ $.Values.elasticsearch.password }}" {{- end }} {{ $.Values.elasticsearch.scheme }}://{{ $.Values.elasticsearch.host }}:{{ $.Values.elasticsearch.port }}/{{ $.Values.elasticsearch.visibilityIndex }} 2>&1 > /dev/null; do echo waiting for elasticsearch index to become ready; sleep 1; done;'] + {{- if $elasticsearch.tls.enabled }} + volumeMounts: + - name: elasticsearch-certs + mountPath: /etc/temporal/elasticsearch-certs + readOnly: true + {{- end }} + command: ['sh', '-c', 'until curl {{- if and $elasticsearch.tls.enabled $elasticsearch.tls.ca }} --cacert /etc/temporal/elasticsearch-certs/{{ $elasticsearch.tls.ca }} {{- end }} --silent --fail {{- if and $elasticsearch.username $elasticsearch.password }} --user "{{ $elasticsearch.username }}:{{ $elasticsearch.password }}" {{- end }} {{ $elasticsearch.scheme }}://{{ $elasticsearch.host }}:{{ $elasticsearch.port }}/{{ $elasticsearch.visibilityIndex }} 2>&1 > /dev/null; do echo waiting for elasticsearch index to become ready; sleep 1; done;'] {{- end }} {{- end }} containers: 
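Review bot: The init container's `volumeMounts` is guarded by `tls.enabled` alone, but the `elasticsearch-certs` volume added further down in this file exists only when `tls.secretName` is also set, so `tls.enabled: true` without a `secretName` renders a Pod that references an undefined volume and is rejected by the API server; use the same guard here, `{{- if and $elasticsearch.tls.enabled $elasticsearch.tls.secretName }}`. The readiness curl only gets `--cacert`, while the server config rendered from the same values presents `tls.cert`/`tls.key` as a client certificate, so against an Elasticsearch that requires client certificates the main container would connect but this wait loop never exits; add `{{- if and $elasticsearch.tls.enabled $elasticsearch.tls.cert }} --cert /etc/temporal/elasticsearch-certs/{{ $elasticsearch.tls.cert }} {{- end }}` and the matching `--key`. The basic-auth password is still interpolated from `$elasticsearch.password` straight into the command line (carried over from the old line), so it lands in the rendered manifest and the container's process list; the job's init container in this same commit reads `$ES_USER:$ES_PWD` from `temporal.admintools-env`, and if that helper sources the password from a Secret the same approach would keep it out of the pod spec here.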
@@ -112,6 +119,11 @@ spec: subPath: config_template.yaml - name: dynamic-config mountPath: /etc/temporal/dynamic_config + {{- if $elasticsearch.tls.secretName }} + - name: elasticsearch-certs + mountPath: /etc/temporal/elasticsearch-certs + readOnly: true + {{- end }} {{- if $.Values.server.additionalVolumeMounts }} {{- toYaml $.Values.server.additionalVolumeMounts | nindent 12}} {{- end }}
@@ -129,6 +141,11 @@ spec: {{- toYaml . | nindent 8 }} {{- end }} volumes: + {{- if and $elasticsearch.tls.enabled $elasticsearch.tls.secretName }} + - name: elasticsearch-certs + secret: + secretName: {{ $elasticsearch.tls.secretName | quote }} + {{- end }} - name: config configMap: name: "{{ include "temporal.fullname" $ }}-config"
diff --git a/charts/temporal/templates/server-job.yaml b/charts/temporal/templates/server-job.yaml
index 1893b97e..5e1bbe3f 100644
--- a/charts/temporal/templates/server-job.yaml
+++ b/charts/temporal/templates/server-job.yaml
@@ -1,4 +1,5 @@
 {{- if $.Values.server.enabled }}{{- if or $.Values.schema.createDatabase.enabled $.Values.schema.setup.enabled $.Values.schema.update.enabled }}
+{{- $elasticsearch := $.Values.elasticsearch -}}
 apiVersion: batch/v1
 kind: Job
 metadata: 
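Review bot: The `elasticsearch-certs` mount in the first hunk is emitted whenever `tls.secretName` is set, but the volume in the second hunk only exists when `tls.enabled` is also true, so a `secretName` left in values with `enabled: false` renders a Deployment whose containers reference an undefined volume and the API server rejects it. Guard the mount with the same condition as the volume, `{{- if and $elasticsearch.tls.enabled $elasticsearch.tls.secretName }}`. `readOnly: true` on the mount is the right default for key material; keep it when adjusting the guard.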
@@ -30,7 +31,7 @@ spec: - name: check-elasticsearch image: "{{ $.Values.admintools.image.repository }}:{{ $.Values.admintools.image.tag }}" imagePullPolicy: {{ $.Values.admintools.image.pullPolicy }} - command: ['sh', '-c', 'until curl --silent --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT 2>&1 > /dev/null; do echo waiting for elasticsearch to start; sleep 1; done;'] + command: ['sh', '-c', 'until curl --silent --fail {{- if and $elasticsearch.tls.enabled $elasticsearch.tls.ca }} --cacert /etc/temporal/elasticsearch-certs/{{ $elasticsearch.tls.ca }} {{- end }} --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT 2>&1 > /dev/null; do echo waiting for elasticsearch to start; sleep 1; done;'] env: {{- include "temporal.admintools-env" (list $ "visibility") | nindent 12 }} {{- end }} 
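Review bot: The job's `check-elasticsearch` init container now passes `--cacert /etc/temporal/elasticsearch-certs/…`, but this hunk adds no `volumeMounts` to it — the only mount this commit adds in server-job.yaml goes on the schema container later in the file — so unless a mount exists outside the hunk, curl fails to read the CA file and the `until` loop never terminates. Give it the same read-only mount the Deployment's init container received, guarded by the same condition as the volume so it cannot reference a volume that is not rendered. The init container definition starts before this hunk.

```yaml
- name: check-elasticsearch
  # … unchanged: image, imagePullPolicy, command …
  env:
    {{- include "temporal.admintools-env" (list $ "visibility") | nindent 12 }}
  {{- if and $elasticsearch.tls.enabled $elasticsearch.tls.secretName }}
  volumeMounts:
    - name: elasticsearch-certs
      mountPath: /etc/temporal/elasticsearch-certs
      readOnly: true
  {{- end }}
```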
@@ -70,15 +71,20 @@ spec: {{- else if eq $driver "elasticsearch" }} command: ['sh', '-c'] args: - - 'curl -X PUT --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/_template/temporal_visibility_v1_template -H "Content-Type: application/json" --data-binary "@schema/elasticsearch/visibility/index_template_$ES_VERSION.json" 2>&1 && - curl -X PUT --fail --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/$ES_VISIBILITY_INDEX 2>&1' + - 'curl -X PUT --fail {{- if and $elasticsearch.tls.enabled $elasticsearch.tls.ca }} --cacert /etc/temporal/elasticsearch-certs/{{ $elasticsearch.tls.ca }} {{- end }} --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/_template/temporal_visibility_v1_template -H "Content-Type: application/json" --data-binary "@schema/elasticsearch/visibility/index_template_$ES_VERSION.json" 2>&1 && + curl -X PUT --fail {{- if and $elasticsearch.tls.enabled $elasticsearch.tls.ca }} --cacert /etc/temporal/elasticsearch-certs/{{ $elasticsearch.tls.ca }} {{- end }} --user "$ES_USER:$ES_PWD" $ES_SCHEME://$ES_HOST:$ES_PORT/$ES_VISIBILITY_INDEX 2>&1' {{- end }} env: {{- include "temporal.admintools-env" (list $ $store) | nindent 12 }} - {{- with $.Values.server.additionalVolumeMounts }} volumeMounts: + {{- with $.Values.server.additionalVolumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} + {{- if and $elasticsearch.tls.enabled $elasticsearch.tls.secretName }} + - name: elasticsearch-certs + mountPath: /etc/temporal/elasticsearch-certs + readOnly: true + {{- end }} {{- with $.Values.schema.resources }} resources: {{- toYaml . | nindent 12 }} 
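Review bot: The `{{- if and $elasticsearch.tls.enabled $elasticsearch.tls.ca }} --cacert … {{- end }}` clause is now written out by hand in every curl (twice in this hunk, once in the init container above, once more in the Deployment), which is exactly the kind of repetition that lets the four call sites disagree. Compute it once next to the `$elasticsearch` assignment, `{{- $esCurlTLS := "" }}` followed by `{{- if and $elasticsearch.tls.enabled $elasticsearch.tls.ca }}{{- $esCurlTLS = printf "--cacert /etc/temporal/elasticsearch-certs/%s" $elasticsearch.tls.ca }}{{- end }}`, and interpolate `{{ $esCurlTLS }}` in each command. That also gives one place to add `--cert`/`--key`, which these curls currently lack even though the server config renders `tls.cert`/`tls.key` as a client certificate, so an Elasticsearch that requires client certificates would fail the schema PUTs. The schema container definition starts before this hunk.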
@@ -158,8 +164,13 @@ spec: tolerations: {{- toYaml . | nindent 8 }} {{- end }} - {{- with $.Values.server.additionalVolumes }} volumes: + {{- if $elasticsearch.tls.secretName }} + - name: elasticsearch-certs + secret: + secretName: {{ $elasticsearch.tls.secretName | quote }} + {{- end }} + {{- with $.Values.server.additionalVolumes }} {{- toYaml . | nindent 8 }} {{- end }}
-{{- end -}}{{- end -}}
\ No newline at end of file
+{{- end -}}{{- end -}}
diff --git a/charts/temporal/values.yaml b/charts/temporal/values.yaml
index 39d91edb..9dbbf6ed 100644
--- a/charts/temporal/values.yaml
+++ b/charts/temporal/values.yaml
@@ -384,6 +384,12 @@ elasticsearch:
 username: ""
 password: ""
 visibilityIndex: "temporal_visibility_v1_dev"
+ tls:
+ enabled: false
+ secretName: ""
+ cert: ""
+ key: ""
+ ca: ""
 prometheus:
 enabled: true
 nodeExporter:
diff --git a/charts/temporal/values/values.elasticsearch.yaml b/charts/temporal/values/values.elasticsearch.yaml
index bd16922b..835b5d91 100644
--- a/charts/temporal/values/values.elasticsearch.yaml
+++ b/charts/temporal/values/values.elasticsearch.yaml
@@ -6,3 +6,5 @@ elasticsearch:
 version: "v7"
 scheme: "http"
 logLevel: "error"
+ tls:
+ enabled: false
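Review bot: The job's `elasticsearch-certs` volume is rendered whenever `tls.secretName` is set, regardless of `tls.enabled`, whereas the matching mount on the schema container requires both; a stale `secretName` with TLS disabled therefore still makes the job Pod reference the Secret, and since the volume is not `optional: true` a missing Secret leaves the Pod stuck in ContainerCreating with no TLS in use at all. Guard it the same way as the Deployment's volume, `{{- if and $elasticsearch.tls.enabled $elasticsearch.tls.secretName }}`. The moved `additionalVolumes` block is otherwise unchanged.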
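Review bot: The new `elasticsearch.tls` keys carry no comments, and their meaning is not self-evident: `cert`, `key` and `ca` are not file contents or paths but the key names inside the Secret named by `secretName`, which the templates mount at `/etc/temporal/elasticsearch-certs`. Add a one-line comment per key saying so, e.g. `secretName: ""  # Secret mounted at /etc/temporal/elasticsearch-certs; required when enabled` and `ca: ""  # key in that Secret holding the CA bundle used to verify the Elasticsearch server`, with `cert`/`key` marked as the optional client certificate pair. It is also worth stating on `enabled` that `scheme` must be switched to `https` separately, since the templates do not derive one from the other.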