feat: allow user providing custom certificate

castai · Jan 16, 2025 · 1f5364f · 1f5364f
1 parent ab4cebd
commit 1f5364f
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 2 deletions.
diff --git a/charts/castai-db-optimizer/Chart.yaml b/charts/castai-db-optimizer/Chart.yaml
@@ -2,4 +2,4 @@ apiVersion: v2
 name: castai-db-optimizer
 description: CAST AI database cache deployment.
 type: application
-version: 0.4.0
+version: 0.5.0
diff --git a/charts/castai-db-optimizer/README.md b/charts/castai-db-optimizer/README.md
@@ -1,6 +1,6 @@
 # castai-db-optimizer
 
-![Version: 0.4.0](https://img.shields.io/badge/Version-0.4.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.5.0](https://img.shields.io/badge/Version-0.5.0-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 CAST AI database cache deployment.
 
@@ -17,6 +17,11 @@ CAST AI database cache deployment.
 | nodeSelector | object | `{}` | Pod node selector rules. Ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/ |
 | podAnnotations | object | `{}` | Extra annotations to add to the pod. |
 | podLabels | object | `{}` | Extra labels to add to the pod. |
+| proxy.certificates | object | `{"listener":{"secret":"","serverCert":"","serverKey":""}}` | Defines custom certifcates provided by the user. |
+| proxy.certificates.listener | object | `{"secret":"","serverCert":"","serverKey":""}` | Defines certificate for the listener. |
+| proxy.certificates.listener.secret | string | `""` | Defines name of the secret containing the certificate and the key that will be attached to the proxy. |
+| proxy.certificates.listener.serverCert | string | `""` | Defines filename of the certificate provided in the secret. |
+| proxy.certificates.listener.serverKey | string | `""` | Defines filename of the key provided in the secret. |
 | proxy.concurrency | int | `12` | Number of parallel processing streams. This needs to be balanced with cpu resoures for proxy and QP. |
 | proxy.dataStorageMedium | string | `nil` | Defines "emptyDir.medium" value for data storage volume. Set to "Memory" for tmpfs disk |
 | proxy.dnsLookupFamily | string | `"V4_PREFERRED"` | DNS lookup mode when communicating to outside. will prioritize IPV4 addresses. change to V6_ONLY to use v6 addresses instead. |

diff --git a/charts/castai-db-optimizer/templates/deployment.yaml b/charts/castai-db-optimizer/templates/deployment.yaml
@@ -50,6 +50,11 @@ spec:
         - name: envoy-config
           configMap:
             name: {{ include "name" . }}-envoy-config
+        {{ if ((((.Values.proxy).certificates).listener).secret) }}
+        - name: envoy-listener-certificate
+          secret:
+            secretName: {{ .Values.proxy.certificates.listener.secret }}
+        {{ end }}
         - name: temp-storage
           emptyDir: {}
         - name: data-storage
@@ -178,3 +183,7 @@ spec:
               mountPath: /tmp
             - name: data-storage
               mountPath: /data
+            {{ if ((((.Values.proxy).certificates).listener).secret) }}
+            - name: envoy-listener-certificate
+              mountPath: /home/polyscale/certs
+            {{ end }}
diff --git a/charts/castai-db-optimizer/templates/envoy_config.yaml b/charts/castai-db-optimizer/templates/envoy_config.yaml
@@ -80,10 +80,17 @@ data:
                   tls_socket_config:
                     common_tls_context:
                       tls_certificates:
+                      {{ if not (((.Values.proxy).certificates).listener.secret | empty) }}
+                        - certificate_chain:
+                            filename: certs/{{ .Values.proxy.certificates.listener.serverCert | required "serverCert must be provided" }}
+                          private_key:
+                            filename: certs/{{ .Values.proxy.certificates.listener.serverKey  | required "serverKey must be provided" }}
+                      {{ else }}
                         - certificate_chain:
                             filename: "cert.pem"
                           private_key:
                             filename: "key.pem"
+                      {{ end }}
           socket_options:
             - description: "enable keep-alive"
               level: 1 # means socket level options

diff --git a/charts/castai-db-optimizer/values.yaml b/charts/castai-db-optimizer/values.yaml
@@ -50,6 +50,17 @@ proxy:
   # -- Defines "emptyDir.medium" value for data storage volume. Set to "Memory" for tmpfs disk
   dataStorageMedium:
 
+  # -- Defines custom certifcates provided by the user.
+  certificates:
+    # -- Defines certificate for the listener.
+    listener:
+      # -- Defines name of the secret containing the certificate and the key that will be attached to the proxy.
+      secret: ""
+      # -- Defines filename of the certificate provided in the secret.
+      serverCert: ""
+      # -- Defines filename of the key provided in the secret.
+      serverKey: ""
+
 
 queryProcessor:
   # -- Default query-processor log level.