Merge pull request #138 from synthesized-io/internal-tls-improvements

yruchin · web-flow · commit ead2b4c73c05 · 2026-02-17T19:59:00.000Z
Internal TLS improvements
diff --git a/charts/governor/templates/_helpers.tpl b/charts/governor/templates/_helpers.tpl
@@ -1,6 +1,6 @@
 {{/*
 Envoy sidecar container template
-Usage: {{ include "governor.tlsInternal.sidecar" (dict "componentName" "api" "config" .Values.api "tlsInternal" .Values.envoy "hasHttpPort" true "hasGrpcPort" true) }}
+Usage: {{ include "governor.tlsInternal.sidecar" (dict "componentName" "api" "config" .Values.api "tlsInternal" .Values.tlsInternal "hasHttpPort" true "hasGrpcPort" true) }}
 */}}
 {{- define "governor.tlsInternal.sidecar" -}}
 - name: envoy-sidecar
@@ -46,6 +46,9 @@ Usage: {{ include "governor.tlsInternal.sidecar" (dict "componentName" "api" "co
     - name: tls-certs
       mountPath: /etc/envoy/certs
       readOnly: true
+    - name: ca-cert
+      mountPath: /etc/envoy/ca
+      readOnly: true
 {{- end }}
 
 {{/*
@@ -54,13 +57,17 @@ Usage: {{ include "governor.tlsInternal.initContainer" . }}
 */}}
 {{- define "governor.tlsInternal.initContainer" -}}
 - name: wait-for-certs
-  image: busybox:1.36
+  {{/*
+  We use the same image as the main sidecar, because convenience images such as 'busybox' might
+  not be readily available in the target environment.
+  */}}
+  image: "{{ .Values.tlsInternal.image.repository }}:{{ .Values.tlsInternal.image.tag }}"
   command:
     - /bin/sh
     - -c
     - |
       echo "Waiting for TLS certificates..."
-      while [ ! -f /etc/envoy/certs/tls.crt ] || [ ! -f /etc/envoy/certs/tls.key ]; do
+      while [ ! -f /etc/envoy/certs/tls.crt ] || [ ! -f /etc/envoy/certs/tls.key ] || [ ! -f /etc/envoy/ca/ca.crt ]; do
         echo "Certificates not ready, waiting..."
         sleep 2
       done
@@ -69,11 +76,14 @@ Usage: {{ include "governor.tlsInternal.initContainer" . }}
     - name: tls-certs
       mountPath: /etc/envoy/certs
       readOnly: true
+    - name: ca-cert
+      mountPath: /etc/envoy/ca
+      readOnly: true
 {{- end }}
 
 {{/*
 Envoy volumes template
-Usage: {{ include "governor.tlsInternal.volumes" (dict "componentName" "api" "config" .Values.api "tlsInternal" .Values.envoy) }}
+Usage: {{ include "governor.tlsInternal.volumes" (dict "componentName" "api" "config" .Values.api "tlsInternal" .Values.tlsInternal) }}
 */}}
 {{- define "governor.tlsInternal.volumes" -}}
 - name: envoy-config
@@ -82,6 +92,19 @@ Usage: {{ include "governor.tlsInternal.volumes" (dict "componentName" "api" "co
 - name: tls-certs
   secret:
     secretName: {{ .config.name }}-tls
+- name: ca-cert
+  secret:
+    {{- if .tlsInternal.certificates.ca.bundled }}
+    secretName: {{ .config.name }}-tls
+    items:
+      - key: ca.crt
+        path: ca.crt
+    {{- else }}
+    secretName: {{ .tlsInternal.certificates.ca.secretName }}
+    items:
+      - key: {{ .tlsInternal.certificates.ca.key }}
+        path: ca.crt
+    {{- end }}
 {{- end }}
 
 {{/*
@@ -120,7 +143,7 @@ transport_socket:
     common_tls_context:
       validation_context:
         trusted_ca:
-          filename: /etc/envoy/certs/ca.crt
+          filename: /etc/envoy/ca/ca.crt
 {{- end }}
 
 {{/*
diff --git a/charts/governor/templates/certificates.yaml b/charts/governor/templates/certificates.yaml
@@ -14,14 +14,21 @@ spec:
   privateKey:
     algorithm: {{ .Values.tlsInternal.certificates.privateKey.algorithm }}
     size: {{ .Values.tlsInternal.certificates.privateKey.size }}
+    encoding: {{ .Values.tlsInternal.certificates.privateKey.encoding }}
   usages:
     - server auth
     - client auth
+  {{- if .Values.api.tlsInternal.certificate }}
+  {{- with .Values.api.tlsInternal.certificate.commonName }}
+  commonName: {{ . }}
+  {{- end }}
+  {{- end }}
   dnsNames:
-    - {{ .Values.api.name }}
-    - {{ .Values.api.name }}.{{ .Release.Namespace }}
-    - {{ .Values.api.name }}.{{ .Release.Namespace }}.svc
+    {{- if and .Values.api.tlsInternal.certificate .Values.api.tlsInternal.certificate.dnsNames }}
+    {{- toYaml .Values.api.tlsInternal.certificate.dnsNames | nindent 4 }}
+    {{- else }}
     - {{ .Values.api.name }}.{{ .Release.Namespace }}.svc.cluster.local
+    {{- end }}
   issuerRef:
     name: {{ .Values.tlsInternal.certificates.issuerRef.name }}
     kind: {{ .Values.tlsInternal.certificates.issuerRef.kind }}
@@ -40,14 +47,21 @@ spec:
   privateKey:
     algorithm: {{ .Values.tlsInternal.certificates.privateKey.algorithm }}
     size: {{ .Values.tlsInternal.certificates.privateKey.size }}
+    encoding: {{ .Values.tlsInternal.certificates.privateKey.encoding }}
   usages:
     - server auth
     - client auth
+  {{- if .Values.front.tlsInternal.certificate }}
+  {{- with .Values.front.tlsInternal.certificate.commonName }}
+  commonName: {{ . }}
+  {{- end }}
+  {{- end }}
   dnsNames:
-    - {{ .Values.front.name }}
-    - {{ .Values.front.name }}.{{ .Release.Namespace }}
-    - {{ .Values.front.name }}.{{ .Release.Namespace }}.svc
+    {{- if and .Values.front.tlsInternal.certificate .Values.front.tlsInternal.certificate.dnsNames }}
+    {{- toYaml .Values.front.tlsInternal.certificate.dnsNames | nindent 4 }}
+    {{- else }}
     - {{ .Values.front.name }}.{{ .Release.Namespace }}.svc.cluster.local
+    {{- end }}
   issuerRef:
     name: {{ .Values.tlsInternal.certificates.issuerRef.name }}
     kind: {{ .Values.tlsInternal.certificates.issuerRef.kind }}
@@ -66,10 +80,20 @@ spec:
   privateKey:
     algorithm: {{ .Values.tlsInternal.certificates.privateKey.algorithm }}
     size: {{ .Values.tlsInternal.certificates.privateKey.size }}
+    encoding: {{ .Values.tlsInternal.certificates.privateKey.encoding }}
   usages:
     - client auth
+  {{- if .Values.agent.tlsInternal.certificate }}
+  {{- with .Values.agent.tlsInternal.certificate.commonName }}
+  commonName: {{ . }}
+  {{- end }}
+  {{- end }}
   dnsNames:
-    - {{ .Values.agent.name }}
+    {{- if and .Values.agent.tlsInternal.certificate .Values.agent.tlsInternal.certificate.dnsNames }}
+    {{- toYaml .Values.agent.tlsInternal.certificate.dnsNames | nindent 4 }}
+    {{- else }}
+    - {{ .Values.agent.name }}.{{ .Release.Namespace }}.svc.cluster.local
+    {{- end }}
   issuerRef:
     name: {{ .Values.tlsInternal.certificates.issuerRef.name }}
     kind: {{ .Values.tlsInternal.certificates.issuerRef.kind }}
diff --git a/charts/governor/values.yaml b/charts/governor/values.yaml
@@ -21,10 +21,19 @@ tlsInternal:
     privateKey:
       algorithm: ECDSA
       size: 256
+      encoding: PKCS8
     # Duration of certificates
     duration: 8760h  # 1 year
     # Renew before expiry
     renewBefore: 720h  # 30 days
+    # CA certificate for upstream TLS validation.
+    # By default, ca.crt is read from a separate secret (e.g. copied from the CA
+    # or provided by an external PKI). Set bundled=true to fall back to using
+    # the ca.crt that cert-manager bundles into each per-component TLS secret.
+    ca:
+      bundled: false
+      secretName: "internal-ca-cert"
+      key: "ca.crt"
   # Port mappings for Envoy listeners
   ports:
     # Envoy admin port (for health checks)
@@ -78,6 +87,11 @@ api:
     type: ClusterIP
     port: 80
     grpcPort: 50055
+  tlsInternal:
+    certificate:
+      # commonName: governor-api
+      # dnsNames:
+      #   - governor-api.governor.svc.cluster.local
 
 front:
   name: governor-front
@@ -107,6 +121,11 @@ front:
   service:
     type: ClusterIP
     port: 80
+  tlsInternal:
+    certificate:
+      # commonName: governor-front
+      # dnsNames:
+      #   - governor-front.governor.svc.cluster.local
 
 agent:
   name: governor-agent
@@ -135,6 +154,11 @@ agent:
     mountPath: /app/rocksdb
     claimName: agent-pvc
     size: 10Gi
+  tlsInternal:
+    certificate:
+      # commonName: governor-agent
+      # dnsNames:
+      #   - governor-agent.governor.svc.cluster.local
 
 director:
   name: governor-director
