[helm nats 1.x] add tlsCA option (#763)

Signed-off-by: Caleb Lloyd <caleb@synadia.com>
nats-io · Jul 14, 2023 · 2fe57f7 · 2fe57f7
1 parent 5ce75a5
commit 2fe57f7
Show file tree

Hide file tree

Showing 13 changed files with 466 additions and 239 deletions.
diff --git a/helm/charts/nats/files/config/config.yaml b/helm/charts/nats/files/config/config.yaml
@@ -75,9 +75,13 @@ gateway:
 ########################################
 {{- with .monitor }}
 {{- if .enabled }}
+{{- if .tls.enabled }}
+https_port: {{ .port }}
+{{- else }}
 http_port: {{ .port }}
 {{- end }}
 {{- end }}
+{{- end }}
 
 ########################################
 # profiling

diff --git a/helm/charts/nats/files/config/tls.yaml b/helm/charts/nats/files/config/tls.yaml
@@ -1,7 +1,16 @@
+# tls
 {{- with .tls }}
 {{- if .secretName }}
 {{- $dir := trimSuffix "/" .dir }}
-cert_file: {{ printf "%s/%s" $dir .cert }}
-key_file: {{ printf "%s/%s" $dir .key }}
+cert_file: {{ printf "%s/%s" $dir (.cert | default "tls.crt") | quote }}
+key_file: {{ printf "%s/%s" $dir (.key | default "tls.key") | quote }}
+{{- end }}
+{{- end }}
+
+# tlsCA
+{{- with $.Values.tlsCA }}
+{{- if and .enabled (or .configMapName .secretName) }}
+{{- $dir := trimSuffix "/" .dir }}
+ca_file: {{ printf "%s/%s" $dir (.key | default "ca.crt") | quote }}
 {{- end }}
 {{- end }}
diff --git a/helm/charts/nats/files/headless-service.yaml b/helm/charts/nats/files/headless-service.yaml
@@ -17,8 +17,6 @@ spec:
   {{- $tlsEnabled := false }}
   {{- if hasKey $configProtocol "tls" }}
     {{- $tlsEnabled = $configProtocol.tls.enabled }}
-  {{- else if eq $protocol "monitor" }}
-    {{- $tlsEnabled = $.Values.config.nats.tls.enabled }}
   {{- end }}
   {{- $appProtocol := or (eq $protocol "websocket") (eq $protocol "monitor") | ternary ($tlsEnabled | ternary "https" "http") ($tlsEnabled | ternary "tls" "tcp") }}
   - {{ dict "name" $protocol "port" $configProtocol.port "targetPort" $protocol "appProtocol" $appProtocol | toYaml | nindent 4 }}

diff --git a/helm/charts/nats/files/nats-box/contexts-secret/context.yaml b/helm/charts/nats/files/nats-box/contexts-secret/context.yaml
@@ -15,7 +15,7 @@ url: nats://{{ .Values.headlessService.name }}
 creds: /etc/nats-contents/{{ $contextName }}.creds
 {{- else if .secretName }}
 {{- $dir := trimSuffix "/" .dir }}
-creds: {{ $dir }}/{{ .key }}
+creds: {{ printf "%s/%s" $dir (.key | default "nats.creds") | quote }}
 {{- end }}
 {{- end }}
 
@@ -25,16 +25,24 @@ creds: {{ $dir }}/{{ .key }}
 nkey: /etc/nats-contents/{{ $contextName }}.nk
 {{- else if .secretName }}
 {{- $dir := trimSuffix "/" .dir }}
-nkey: {{ $dir }}/{{ .key }}
+nkey: {{ printf "%s/%s" $dir (.key | default "nats.nk") | quote }}
 {{- end }}
 {{- end }}
 
 # tls
 {{- with .tls }}
 {{- if .secretName }}
 {{- $dir := trimSuffix "/" .dir }}
-cert: {{ $dir }}/{{ .cert | default "tls.crt" }}
-key: {{ $dir }}/{{ .key | default "tls.key" }}
+cert: {{ printf "%s/%s" $dir (.cert | default "tls.crt") | quote }}
+key: {{ printf "%s/%s" $dir (.key | default "tls.key") | quote }}
+{{- end }}
+{{- end }}
+
+# tlsCA
+{{- with $.Values.tlsCA }}
+{{- if and .enabled (or .configMapName .secretName) }}
+{{- $dir := trimSuffix "/" .dir }}
+ca: {{ printf "%s/%s" $dir (.key | default "ca.crt") | quote }}
 {{- end }}
 {{- end }}
 

diff --git a/helm/charts/nats/files/nats-box/deployment/container.yaml b/helm/charts/nats/files/nats-box/deployment/container.yaml
@@ -26,12 +26,17 @@ command:
 args:
 - trap true INT TERM; sleep infinity & wait
 volumeMounts:
+# contexts secret
 - name: contexts
   mountPath: /etc/nats-contexts
+# contents secret
 {{- if .hasContentsSecret }}
 - name: contents
   mountPath: /etc/nats-contents
 {{- end }}
+# tlsCA
+{{- include "nats.tlsCAVolumeMount" $ }}
+# secrets
 {{- range (include "natsBox.secretNames" $ | fromJson).secretNames }}
 - name: {{ .name | quote }}
   mountPath: {{ .dir | quote }}

diff --git a/helm/charts/nats/files/nats-box/deployment/pod-template.yaml b/helm/charts/nats/files/nats-box/deployment/pod-template.yaml
@@ -27,6 +27,8 @@ spec:
     secret:
       secretName: {{ .Values.natsBox.contentsSecret.name }}
   {{- end }}
+  # tlsCA
+  {{- include "nats.tlsCAVolume" $ | nindent 2 }}
   # secrets
   {{- range (include "natsBox.secretNames" $ | fromJson).secretNames }}
   - name: {{ .name | quote }}

diff --git a/helm/charts/nats/files/service.yaml b/helm/charts/nats/files/service.yaml
@@ -16,8 +16,6 @@ spec:
   {{- $tlsEnabled := false }}
   {{- if hasKey $configProtocol "tls" }}
     {{- $tlsEnabled = $configProtocol.tls.enabled }}
-  {{- else if eq $protocol "monitor" }}
-    {{- $tlsEnabled = $.Values.config.nats.tls.enabled }}
   {{- end }}
   {{- $appProtocol := or (eq $protocol "websocket") (eq $protocol "monitor") | ternary ($tlsEnabled | ternary "https" "http") ($tlsEnabled | ternary "tls" "tcp") }}
   - {{ merge (dict "name" $protocol "targetPort" $protocol "appProtocol" $appProtocol) (omit $servicePort "enabled") (dict "port" $configProtocol.port) | toYaml | nindent 4 }}

diff --git a/helm/charts/nats/files/stateful-set/nats-container.yaml b/helm/charts/nats/files/stateful-set/nats-container.yaml
@@ -65,12 +65,15 @@ livenessProbe:
 {{- end }}
 
 volumeMounts:
+# nats config
 - name: config
   mountPath: /etc/nats-config
+# PID volume
 {{- if .Values.reloader.enabled }}
 - name: pid
   mountPath: /var/run/nats
 {{- end}}
+# JetStream PVC
 {{- with .Values.config.jetstream }}
 {{- if and .enabled .fileStore.enabled .fileStore.pvc.enabled }}
 {{- with .fileStore }}
@@ -79,12 +82,16 @@ volumeMounts:
 {{- end }}
 {{- end }}
 {{- end }}
+# resolver PVC
 {{- with .Values.config.resolver }}
 {{- if and .enabled .pvc.enabled }}
 - name: {{ .pvc.name }}
   mountPath: {{ .dir | quote }}
 {{- end }}
 {{- end }}
+# tlsCA
+{{- include "nats.tlsCAVolumeMount" $ }}
+# secrets
 {{- range (include "nats.secretNames" $ | fromJson).secretNames }}
 - name: {{ .name | quote }}
   mountPath: {{ .dir | quote }}

diff --git a/helm/charts/nats/files/stateful-set/pod-template.yaml b/helm/charts/nats/files/stateful-set/pod-template.yaml
@@ -49,6 +49,8 @@ spec:
   - name: pid
     emptyDir: {}
   {{- end }}
+  # tlsCA
+  {{- include "nats.tlsCAVolume" $ | nindent 2 }}
   # secrets
   {{- range (include "nats.secretNames" $ | fromJson).secretNames }}
   - name: {{ .name | quote }}

diff --git a/helm/charts/nats/templates/_helpers.tpl b/helm/charts/nats/templates/_helpers.tpl
@@ -181,6 +181,30 @@ imagePullPolicy: {{ .pullPolicy | default .global.image.pullPolicy }}
 {{- toJson (dict "secretNames" $secrets) }}
 {{- end }}
 
+{{- define "nats.tlsCAVolume" -}}
+{{- with .Values.tlsCA }}
+{{- if and .enabled (or .configMapName .secretName) }}
+- name: tls-ca
+{{- if .configMapName }}
+  configMap:
+    name: {{ .configMapName | quote }}
+{{- else if .secretName }}
+  secret:
+    secretName: {{ .secretName | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{- define "nats.tlsCAVolumeMount" -}}
+{{- with .Values.tlsCA }}
+{{- if and .enabled (or .configMapName .secretName) }}
+- name: tls-ca
+  mountPath: {{ .dir | quote }}
+{{- end }}
+{{- end }}
+{{- end }}
+
 {{/*
 translates env var map to list
 */}}