Add TLS support to the Scalar Manager Helm chart

charts/scalar-manager/README.md

@@ -33,6 +33,39 @@ Current chart version is `3.0.0-SNAPSHOT`
 | scalarManager.securityContext.runAsNonRoot | bool | `true` |  |
 | scalarManager.serviceAccount.automountServiceAccountToken | bool | `true` |  |
 | scalarManager.serviceAccount.serviceAccountName | string | `""` |  |
+| scalarManager.tls | object | `{"certManager":{"dnsNames":["localhost","scalar-manager"],"duration":"8760h0m0s","enabled":false,"issuerRef":{},"privateKey":{"algorithm":"RSA","encoding":"PKCS8","size":2048},"renewBefore":"360h0m0s","selfSigned":{"enabled":false,"type":"ca"},"usages":["server auth","key encipherment","signing"]},"downstream":{"caRootCertSecret":"","certChainSecret":"","enabled":false,"privateKeySecret":""},"upstream":{"grafana":{"caRootCertSecret":"","enabled":false,"overrideAuthority":""},"prometheus":{"caRootCertSecret":"","enabled":false,"overrideAuthority":""},"scalardb":{"caRootCertSecret":"","enabled":false,"overrideAuthority":""},"scalardl":{"caRootCertSecret":"","enabled":false,"overrideAuthority":""}}}` | Unified TLS configuration for both API and Web components. |
+| scalarManager.tls.certManager | object | `{"dnsNames":["localhost","scalar-manager"],"duration":"8760h0m0s","enabled":false,"issuerRef":{},"privateKey":{"algorithm":"RSA","encoding":"PKCS8","size":2048},"renewBefore":"360h0m0s","selfSigned":{"enabled":false,"type":"ca"},"usages":["server auth","key encipherment","signing"]}` | Cert-manager integration for automatic certificate management. |
+| scalarManager.tls.certManager.dnsNames | list | `["localhost","scalar-manager"]` | DNS names for the certificate. |
+| scalarManager.tls.certManager.duration | string | `"8760h0m0s"` | Duration of the certificate. |
+| scalarManager.tls.certManager.enabled | bool | `false` | Enable cert-manager integration. |
+| scalarManager.tls.certManager.issuerRef | object | `{}` | Reference to the issuer for the certificate. |
+| scalarManager.tls.certManager.privateKey | object | `{"algorithm":"RSA","encoding":"PKCS8","size":2048}` | Private key configurations. |
+| scalarManager.tls.certManager.renewBefore | string | `"360h0m0s"` | How long before expiry the certificate should be renewed. |
+| scalarManager.tls.certManager.selfSigned | object | `{"enabled":false,"type":"ca"}` | Use a self-signed certificate. |
+| scalarManager.tls.certManager.selfSigned.type | string | `"ca"` | Type of self-signed issuer (ca or selfSigned). |
+| scalarManager.tls.certManager.usages | list | `["server auth","key encipherment","signing"]` | Usages for the certificate. |
+| scalarManager.tls.downstream | object | `{"caRootCertSecret":"","certChainSecret":"","enabled":false,"privateKeySecret":""}` | Enable downstream TLS for Scalar Manager (applies to both API and Web components). |
+| scalarManager.tls.downstream.caRootCertSecret | string | `""` | Secret containing the CA root certificate for web-to-API communication (Web needs to validate API's TLS certificate). |
+| scalarManager.tls.downstream.certChainSecret | string | `""` | Secret containing the certificate for downstream TLS. |
+| scalarManager.tls.downstream.enabled | bool | `false` | Enable downstream TLS (Web and API share the same certificate). |
+| scalarManager.tls.downstream.privateKeySecret | string | `""` | Secret containing the private key for downstream TLS. |
+| scalarManager.tls.upstream | object | `{"grafana":{"caRootCertSecret":"","enabled":false,"overrideAuthority":""},"prometheus":{"caRootCertSecret":"","enabled":false,"overrideAuthority":""},"scalardb":{"caRootCertSecret":"","enabled":false,"overrideAuthority":""},"scalardl":{"caRootCertSecret":"","enabled":false,"overrideAuthority":""}}` | Upstream TLS configuration for external service connections. |
+| scalarManager.tls.upstream.grafana | object | `{"caRootCertSecret":"","enabled":false,"overrideAuthority":""}` | Grafana TLS configuration. |
+| scalarManager.tls.upstream.grafana.caRootCertSecret | string | `""` | Secret containing the CA root certificate for validating Grafana SSL certificates. |
+| scalarManager.tls.upstream.grafana.enabled | bool | `false` | Enable TLS for Grafana proxy connections. |
+| scalarManager.tls.upstream.grafana.overrideAuthority | string | `""` | Override the hostname for TLS SNI when connecting to Grafana. |
+| scalarManager.tls.upstream.prometheus | object | `{"caRootCertSecret":"","enabled":false,"overrideAuthority":""}` | Prometheus TLS configuration. |
+| scalarManager.tls.upstream.prometheus.caRootCertSecret | string | `""` | Secret containing the CA root certificate for validating Prometheus SSL certificates. |
+| scalarManager.tls.upstream.prometheus.enabled | bool | `false` | Enable TLS for Prometheus connections. |
+| scalarManager.tls.upstream.prometheus.overrideAuthority | string | `""` | Override the hostname for TLS SNI when connecting to Prometheus. |
+| scalarManager.tls.upstream.scalardb | object | `{"caRootCertSecret":"","enabled":false,"overrideAuthority":""}` | ScalarDB TLS configuration. |
+| scalarManager.tls.upstream.scalardb.caRootCertSecret | string | `""` | Secret containing the CA root certificate for validating ScalarDB SSL certificates. |
+| scalarManager.tls.upstream.scalardb.enabled | bool | `false` | Enable TLS for ScalarDB connections. |
+| scalarManager.tls.upstream.scalardb.overrideAuthority | string | `""` | Override the hostname for TLS SNI when connecting to ScalarDB. |
+| scalarManager.tls.upstream.scalardl | object | `{"caRootCertSecret":"","enabled":false,"overrideAuthority":""}` | ScalarDL TLS configuration. |
+| scalarManager.tls.upstream.scalardl.caRootCertSecret | string | `""` | Secret containing the CA root certificate for validating ScalarDL SSL certificates. |
+| scalarManager.tls.upstream.scalardl.enabled | bool | `false` | Enable TLS for ScalarDL connections. |
+| scalarManager.tls.upstream.scalardl.overrideAuthority | string | `""` | Override the hostname for TLS SNI when connecting to ScalarDL. |
 | scalarManager.tolerations | list | `[]` |  |
 | scalarManager.web.env | list | `[{"name":"GRAFANA_SERVER_URL","value":"http://scalardb-cluster-monitoring-grafana:3000"}]` | The environment variables for Scalar Manager web container. If you want to customize environment variables, you can override this value with your environment variables. |
 | scalarManager.web.image.pullPolicy | string | `"IfNotPresent"` |  |

charts/scalar-manager/templates/scalar-manager/certmanager.yaml

@@ -0,0 +1,96 @@
+{{- if and .Values.scalarManager.tls.downstream.enabled .Values.scalarManager.tls.certManager.enabled }}
+{{- if .Values.scalarManager.tls.certManager.selfSigned.enabled }}
+  {{- if eq .Values.scalarManager.tls.certManager.selfSigned.type "ca" }}
+---
+# This issuer is for creating the self-signed CA certificate.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "scalar-manager.fullname" . }}-bootstrap-selfsigned-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+---
+# This is the CA certificate.
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "scalar-manager.fullname" . }}-ca-cert
+  namespace: {{ .Release.Namespace }}
+spec:
+  isCA: true
+  commonName: {{ include "scalar-manager.fullname" . }}-ca
+  secretName: {{ include "scalar-manager.fullname" . }}-ca-cert
+  duration: {{ .Values.scalarManager.tls.certManager.duration }}
+  renewBefore: {{ .Values.scalarManager.tls.certManager.renewBefore }}
+  privateKey:
+    algorithm: {{ .Values.scalarManager.tls.certManager.privateKey.algorithm }}
+    encoding: {{ .Values.scalarManager.tls.certManager.privateKey.encoding }}
+    size: {{ .Values.scalarManager.tls.certManager.privateKey.size }}
+  issuerRef:
+    name: {{ include "scalar-manager.fullname" . }}-bootstrap-selfsigned-issuer
+    kind: Issuer
+---
+# This issuer uses the CA certificate to sign other certificates.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "scalar-manager.fullname" . }}-ca-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  ca:
+    secretName: {{ include "scalar-manager.fullname" . }}-ca-cert
+  {{- else }}
+---
+# This is a self-signed issuer for non-CA self-signed certificates.
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "scalar-manager.fullname" . }}-self-signed-issuer
+  namespace: {{ .Release.Namespace }}
+spec:
+  selfSigned: {}
+  {{- end }}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "scalar-manager.fullname" . }}-tls-cert
+  namespace: {{ .Release.Namespace }}
+spec:
+  secretName: {{ include "scalar-manager.fullname" . }}-tls-cert
+  commonName: {{ include "scalar-manager.fullname" . }}
+  {{- with .Values.scalarManager.tls.certManager.dnsNames }}
+  dnsNames:
+    {{- range . }}
+    - {{ . | quote }}
+    {{- end }}
+  {{- end }}
+  duration: {{ .Values.scalarManager.tls.certManager.duration }}
+  renewBefore: {{ .Values.scalarManager.tls.certManager.renewBefore }}
+  {{- with .Values.scalarManager.tls.certManager.usages }}
+  usages:
+    {{- range . }}
+    - {{ . | quote }}
+    {{- end }}
+  {{- end }}
+  privateKey:
+    algorithm: {{ .Values.scalarManager.tls.certManager.privateKey.algorithm }}
+    encoding: {{ .Values.scalarManager.tls.certManager.privateKey.encoding }}
+    size: {{ .Values.scalarManager.tls.certManager.privateKey.size }}
+  issuerRef:
+    {{- if .Values.scalarManager.tls.certManager.selfSigned.enabled }}
+      {{- if eq .Values.scalarManager.tls.certManager.selfSigned.type "ca" }}
+    name: {{ include "scalar-manager.fullname" . }}-ca-issuer
+      {{- else }}
+    name: {{ include "scalar-manager.fullname" . }}-self-signed-issuer
+      {{- end }}
+    kind: Issuer
+    {{- else }}
+      {{- if not (len .Values.scalarManager.tls.certManager.issuerRef) }}
+        {{- fail "When using cert-manager with an external issuer, scalarManager.tls.certManager.issuerRef must be configured." -}}
+      {{- end }}
+      {{- toYaml .Values.scalarManager.tls.certManager.issuerRef | nindent 4 }}
+    {{- end }}
+{{- end }}