feat(0.1.4): STM-117: TLS between Stream & the reverse proxy

evertrust · Feb 28, 2023 · 3c3de95 · 3c3de95
1 parent 8f8a251
commit 3c3de95
Show file tree

Hide file tree

Showing 4 changed files with 26 additions and 2 deletions.
diff --git a/templates/deployment.yml b/templates/deployment.yml
@@ -135,12 +135,19 @@ spec:
           volumeMounts:
             - name: {{ .Release.Name }}-etc
               mountPath: /opt/stream/etc
+            {{- if .Values.tls.secretName }}
+            - name: tls-cert
+              mountPath: /opt/stream/ssl/cert.p12
+              subPath: {{ .Values.tls.secretKey }}
+            {{- end }}
             {{- if .Values.extraVolumeMounts }}
             {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumeMounts "context" $) | nindent 12 }}
             {{- end }}
           ports:
             - name: http
               containerPort: 9000
+            - name: https
+              containerPort: 9443
             - name: management
               containerPort: 8558
             - name: artery
@@ -154,6 +161,11 @@ spec:
         - name: {{ .Release.Name }}-etc
           configMap:
             name: {{ printf "%s-config" (include "common.names.fullname" $) }}
+        {{- if .Values.tls.secretName }}
+        - name: tls-cert
+          secret:
+            secretName: {{ .Values.tls.secretName }}
+        {{- end }}
         {{- if .Values.extraVolumes }}
         {{- include "common.tplvalues.render" (dict "value" .Values.extraVolumes "context" $) | nindent 8 }}
         {{- end }}
diff --git a/templates/ingress.yml b/templates/ingress.yml
@@ -32,7 +32,7 @@ spec:
             {{- if eq "true" (include "common.ingress.supportsPathType" .) }}
             pathType: {{ .Values.ingress.pathType }}
             {{- end }}
-            backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" "http" "context" $)  | nindent 14 }}
+            backend: {{- include "common.ingress.backend" (dict "serviceName" (include "common.names.fullname" $) "servicePort" (ternary "https" "http" .Values.tls.enabled) "context" $)  | nindent 14 }}
     {{- end }}
     {{- range .Values.ingress.extraHosts }}
     - host: {{ .name | quote }}

diff --git a/templates/service.yml b/templates/service.yml
@@ -33,7 +33,11 @@ spec:
     - name: http
       protocol: TCP
       port: 9000
-      targetPort: 9000
+      targetPort: http
+    - name: https
+      protocol: TCP
+      port: 9443
+      targetPort: https
     - name: kamon
       protocol: TCP
       port: 9095

diff --git a/values.yaml b/values.yaml
@@ -429,6 +429,14 @@ keyset:
 ## @param logFormat Format in which logs will be outputted. Can be set either to "console" or "json" for structured logging.
 logFormat: console
 
+## @param tls.enabled Whether to use the HTTPS port by default on ingresses and other services
+## @param tls.secretName Existing secret name where a PKCS12 certificate is stored
+## @param tls.secretKey Existing secret key where the PKCS12 certificate is stored
+tls:
+  enabled: false
+  secretName: ""
+  secretKey: ""
+
 ## @param leases.enabled Whether leases should be used when launching multiple replicas of Stream pods. This requires the leases.akka.io CRD to be installed.
 leases:
   enabled: true