feat: support TLS with cert-manager and secrets

64098d3a · David McKay · 1a68f3a4 · 64098d3a · 64098d3a · 64098d3a
Commit 64098d3a authored Jul 07, 2020 by David McKay
12 changed files
--- a/.github/workflows/helm-charts-test.yaml
+++ b/.github/workflows/helm-charts-test.yaml
@@ -29,9 +29,12 @@ jobs:
      # Our Enterprise chart requires some resources created
      - name: Create Enterprise Test Resources
        run: |
+          kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.1/cert-manager.yaml
          kubectl apply -f ./charts/influxdb-enterprise/example-resources.yaml

      - name: Run chart-testing (install)
        uses: helm/chart-testing-action@v1.0.0-rc.1
        with:
          command: install
+        env:
+          INFLUXDB_ENTERPRISE_LICENSE_KEY: "${{ secrets.INFLUXDB_ENTERPRISE_LICENSE_KEY }}"
--- a/charts/influxdb-enterprise/README.md
+++ b/charts/influxdb-enterprise/README.md
@@ -64,6 +64,34 @@ bootstrap:
    secretName: auth
 ```

+#### TLS (Optional)
+
+If you want to configure TLS for your meta and/or data nodes, you must enable TLS inside the `values.yaml`. An example is below, but you'll need to replicate for the data nodes too:
+
+```yaml
+meta:
+  https:
+    enabled: true
+```
+
+If you want to use CertManager to provision the TLS certificates, you can add:
+
+```yaml
+meta:
+  https:
+    useCertManager: true
+    insecure: true # This chart uses an untrusted CA, so we need to mark the keys as insecure
+```
+
+Otherwise, you need to provide a secret with the keys `tls.crt` and `tls.key`. An example exists inside the [example resources](./example-resources.yaml).
+
+```yaml
+meta:
+  https:
+    secretName: my-tls-secret
+    insecure: true # Only enable if your CA isn't trusted
+```
+
 #### DDL/DML (Optional)

 If you wish to create databases or import data after installation, we've provided this DDL/DML hook. Your config map must contain the keys `ddl` and `dml`.

--- a/charts/influxdb-enterprise/example-resources.yaml
+++ b/charts/influxdb-enterprise/example-resources.yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: license
-stringData:
-  json: YOUR JSON KEY
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: license
+# stringData:
+#   json: YOUR JSON KEY
 ---
 apiVersion: v1
 kind: Secret
@@ -20,12 +20,22 @@ metadata:
 stringData:
  secret: MY RANDOM STRING
 ---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: ddl-dml
-data:
-  ddl: |
-    CREATE DATABASE original
-    CREATE RETENTION POLICY oneday ON original DURATION 1d REPLICATION 1
-  dml: ""
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: tls
+# stringData:
+#   tls.crt: |
+#     SOME CERTIFICATE
+#   tls.key: |
+#     SOME KEY
+---
+# apiVersion: v1
+# kind: ConfigMap
+# metadata:
+#   name: ddl-dml
+# data:
+#   ddl: |
+#     CREATE DATABASE original
+#     CREATE RETENTION POLICY oneday ON original DURATION 1d REPLICATION 1
+#   dml: ""
--- a/charts/influxdb-enterprise/templates/certmanager-issuer.yaml
+++ b/charts/influxdb-enterprise/templates/certmanager-issuer.yaml
+{{- if or .Values.data.https.useCertManager .Values.meta.https.useCertManager -}}
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: {{ include "influxdb-enterprise.fullname" . }}
+  labels:
+    {{- include "influxdb-enterprise.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}
+{{- end -}}
--- a/charts/influxdb-enterprise/templates/data-certmanager.yaml
+++ b/charts/influxdb-enterprise/templates/data-certmanager.yaml
+{{- if and .Values.data.https.enabled .Values.data.https.useCertManager -}}
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: {{ include "influxdb-enterprise.fullname" . }}-data
+  labels:
+    {{- include "influxdb-enterprise.labels" . | nindent 4 }}
+spec:
+  {{- $replicas := (int $.Values.data.replicas) }}
+  {{- $fullname := include "influxdb-enterprise.fullname" . }}
+  {{- $namespace := .Release.Namespace }}
+
+  dnsNames:
+  - {{ $fullname }}-data
+  - {{ $fullname }}-data.{{ .Release.Namespace }}.svc
+
+  {{- range $i := until $replicas }}
+  - {{ $fullname }}-data-{{ $i | toString }}.{{ $fullname }}-data
+  - {{ $fullname }}-data-{{ $i | toString }}.{{ $fullname }}-data.{{ $namespace }}
+  - {{ $fullname }}-data-{{ $i | toString }}.{{ $fullname }}-data.{{ $namespace }}.svc
+  {{ end }}
+  
+  isCA: true
+  issuerRef:
+    kind: Issuer
+    name: {{ include "influxdb-enterprise.fullname" . }}
+  secretName: {{ include "influxdb-enterprise.fullname" . }}-data-tls
+{{- end -}}
--- a/charts/influxdb-enterprise/templates/data-configmap.yaml
+++ b/charts/influxdb-enterprise/templates/data-configmap.yaml
@@ -24,9 +24,30 @@ data:
      license-path = "/var/run/secrets/influxdb/license.json"
      {{ end }}

+    [cluster]
+    {{ if .Values.data.https.enabled }}
+    https-enabled = true
+
+    https-certificate = "/var/run/secrets/tls/tls.crt"
+    https-private-key = "/var/run/secrets/tls/tls.key"
+
+    {{ if .Values.data.https.insecure }}
+    https-insecure-tls = true
+    {{ end }}
+    {{ end }}
+
    [meta]
      dir = "/var/lib/influxdb/meta"

+      {{ if and .Values.meta.https.enabled }}
+      meta-tls-enabled = true
+
+      {{ if .Values.meta.https.insecure }}
+      meta-insecure-tls = true
+      {{ end }}
+
+      {{ end }}
+
    [hinted-handoff]
      dir = "/var/lib/influxdb/hh"

@@ -53,7 +74,11 @@ data:
    $SIG{KILL} = sub { kill 'KILL', $pid };

    # Register data node with meta leader
-    my $protocol = $ENV{HTTP_PROTOCOL};
+    {{ if .Values.meta.https.enabled }}
+    my $protocol = "https";
+    {{ else }}
+    my $protocol = "http";
+    {{ end }}
    my $meta_service = $ENV{RELEASE_NAME} . "-meta";

    # We're not going to define an exit strategy for failure here.
@@ -61,7 +86,7 @@ data:
    while (true) {
      # There's no LWP/Simple available in our images, so forking out to curl 😥
      print "\n\n\nREGISTER WITH META SERVICE\n\n\n";
-      $exit_code = system('curl', '-XPOST', '-v', '--silent', '--fail', '--retry', '5', '--retry-delay', '0', "-Faddr=$ENV{INFLUXDB_HOSTNAME}:8088", "$protocol://$meta_service:8091/add-data");
+      $exit_code = system('curl', {{ if .Values.meta.https.insecure }}'-k',{{ end }} '-XPOST', '-v', '--silent', '--fail', '--retry', '5', '--retry-delay', '0', "-Faddr=$ENV{INFLUXDB_HOSTNAME}:8088", "$protocol://$meta_service:8091/add-data");


      if ($exit_code == 0) {

--- a/charts/influxdb-enterprise/templates/data-statefulset.yaml
+++ b/charts/influxdb-enterprise/templates/data-statefulset.yaml
@@ -37,6 +37,15 @@ spec:
        secret:
          secretName: {{ .Values.license.secret.name }}
      {{- end }}
+      {{- if .Values.data.https.enabled }}
+      - name: tls
+        secret:
+          {{- if .Values.data.https.useCertManager }}
+          secretName: {{ include "influxdb-enterprise.fullname" . }}-data-tls
+          {{ else }}
+          secretName: {{ .Values.data.https.secretName }}
+          {{ end }}
+      {{ end }}
      containers:
        - name: {{ .Chart.Name }}
          command:
@@ -48,8 +57,6 @@ spec:
          image: "{{ .Values.data.image.repository | default "influxdb" }}:{{ .Values.data.image.tag | default (printf "%s-%s" .Chart.AppVersion "data") }}"
          imagePullPolicy: {{ .Values.data.image.pullPolicy }}
          env:
-          - name: HTTP_PROTOCOL
-            value: http
          - name: RELEASE_NAME
            value: {{ include "influxdb-enterprise.fullname" . }}
          ports:
@@ -63,11 +70,17 @@ spec:
            httpGet:
              path: /ping
              port: http
+              {{- if .Values.data.https.enabled }}
+              scheme: HTTPS
+              {{- end }}
          readinessProbe:
            initialDelaySeconds: 30
            httpGet:
              path: /ping
              port: http
+              {{- if .Values.data.https.enabled }}
+              scheme: HTTPS
+              {{- end }}
          volumeMounts:
          - name: config
            mountPath: /etc/influxdb
@@ -78,6 +91,10 @@ spec:
            mountPath: /var/run/secrets/influxdb/license.json
            subPath: json
          {{- end }}
+          {{- if .Values.data.https.enabled }}
+          - name: tls
+            mountPath: /var/run/secrets/tls/
+          {{ end }}
          resources:
            {{- toYaml .Values.data.resources | nindent 12 }}
      {{- with .Values.data.nodeSelector }}

--- a/charts/influxdb-enterprise/templates/meta-certmanager.yaml
+++ b/charts/influxdb-enterprise/templates/meta-certmanager.yaml
+{{- if and .Values.meta.https.enabled .Values.meta.https.useCertManager -}}
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: {{ include "influxdb-enterprise.fullname" . }}-meta
+  labels:
+    {{- include "influxdb-enterprise.labels" . | nindent 4 }}
+spec:
+  {{- $replicas := (int $.Values.meta.replicas) }}
+  {{- $fullname := include "influxdb-enterprise.fullname" . }}
+  {{- $namespace := .Release.Namespace }}
+  
+  dnsNames:
+  - {{ $fullname }}-meta
+  - {{ $fullname }}-meta.{{ .Release.Namespace }}.svc
+  
+  {{- range $i := until $replicas }}
+  - {{ $fullname }}-meta-{{ $i | toString }}.{{ $fullname }}-meta
+  - {{ $fullname }}-meta-{{ $i | toString }}.{{ $fullname }}-meta.{{ $namespace }}
+  - {{ $fullname }}-meta-{{ $i | toString }}.{{ $fullname }}-meta.{{ $namespace }}.svc
+  {{ end }}
+    
+  isCA: true
+  issuerRef:
+    kind: Issuer
+    name: {{ include "influxdb-enterprise.fullname" . }}
+  secretName: {{ include "influxdb-enterprise.fullname" . }}-meta-tls
+{{- end -}}
--- a/charts/influxdb-enterprise/templates/meta-configmap.yaml
+++ b/charts/influxdb-enterprise/templates/meta-configmap.yaml
@@ -22,6 +22,27 @@ data:
    [meta]
      dir = "/var/lib/influxdb/meta"

+      {{ if .Values.meta.https.enabled }}
+      https-enabled = true
+
+      https-certificate = "/var/run/secrets/tls/tls.crt"
+      https-private-key = "/var/run/secrets/tls/tls.key"
+
+      {{ if .Values.meta.https.insecure }}
+      https-insecure-tls = true
+      {{ end }}
+
+      {{ end }}
+
+      {{ if and .Values.data.https.enabled }}
+      data-use-tls = true
+
+      {{ if .Values.data.https.insecure }}
+      data-insecure-tls = true
+      {{ end }}
+
+      {{ end }}
+
  entrypoint.pl: |+
    #!/usr/bin/env perl
    $ENV{INFLUXDB_HOSTNAME} = `hostname -f`;
@@ -47,9 +68,9 @@ data:
    # This should be handled by the probes on the pods
    while (true) {
      if($meta_leader eq $ENV{INFLUXDB_HOSTNAME}) {
-        system('influxd-ctl', 'add-meta', "$ENV{INFLUXDB_HOSTNAME}:8091");
+        system('influxd-ctl', {{ if .Values.meta.https.enabled }}'-bind-tls',{{ end }}{{ if .Values.meta.https.insecure }}'-k',{{ end }} 'add-meta', "$ENV{INFLUXDB_HOSTNAME}:8091");
      } else {
-        system('influxd-ctl', 'join', "$meta_leader:8091");
+        system('influxd-ctl', {{ if .Values.meta.https.enabled }}'-bind-tls',{{ end }}{{ if .Values.meta.https.insecure }}'-k',{{ end }} 'join', "$meta_leader:8091");
      }

      if ($? == 0) {

--- a/charts/influxdb-enterprise/templates/meta-statefulset.yaml
+++ b/charts/influxdb-enterprise/templates/meta-statefulset.yaml
@@ -39,6 +39,15 @@ spec:
        secret:
          secretName: {{ .Values.license.secret.name }}
      {{- end }}
+      {{- if .Values.meta.https.enabled }}
+      - name: tls
+        secret:
+          {{- if .Values.meta.https.useCertManager }}
+          secretName: {{ include "influxdb-enterprise.fullname" . }}-meta-tls
+          {{ else }}
+          secretName: {{ .Values.meta.https.secretName }}
+          {{ end }}
+      {{ end }}
      containers:
        - name: {{ .Chart.Name }}
          command:
@@ -66,10 +75,16 @@ spec:
            httpGet:
              path: /ping
              port: http
+              {{- if .Values.meta.https.enabled }}
+              scheme: HTTPS
+              {{- end }}
          readinessProbe:
            httpGet:
              path: /ping
              port: http
+              {{- if .Values.meta.https.enabled }}
+              scheme: HTTPS
+              {{- end }}
          volumeMounts:
          - name: config
            mountPath: /etc/influxdb
@@ -80,6 +95,10 @@ spec:
            mountPath: /var/run/secrets/influxdb/license.json
            subPath: json
          {{- end }}
+          {{- if .Values.meta.https.enabled }}
+          - name: tls
+            mountPath: /var/run/secrets/tls/
+          {{ end }}
          resources:
            {{- toYaml .Values.meta.resources | nindent 12 }}
      {{- with .Values.meta.nodeSelector }}

--- a/charts/influxdb-enterprise/values.yaml
+++ b/charts/influxdb-enterprise/values.yaml
@@ -10,7 +10,7 @@ license:
  # You can put your license key here for testing this chart out,
  # but we STRONGLY recommend using a license file stored in a secret
  # when you ship to production.
-  key: ""
+  key: "fbe954a4-69c2-4b7e-bf69-cad2c2e5e6b9"
  # secret:
  #   name: license
  #   key: json
@@ -30,16 +30,16 @@ bootstrap:
  # and password for your "admin" account.
  # A secret should be provided, which will have the keys
  # "username" and "password" available.
-  auth: {}
-  #   secretName: auth
+  auth: #{}
+    secretName: auth
  # This section allows you to use DDL and DML to define
  # databases, retention policies, and inject some data.
  # When using the configMap setting, the keys "ddl" and "dml"
  # must exist, even if one of them is empty.
  # DDL is executed before DML, to enforce databases and retention policies
  # to exist.
-  ddldml: {}
-  #   configMap: ddl-dml
+  ddldml: #{}
+    configMap: ddl-dml

 meta:
  replicas: 3
@@ -92,6 +92,14 @@ meta:
  podDisruptionBudget:
    # maxUnavailable: 2
    minAvailable: 2
+  https:
+    enabled: true
+    # The `useCertManager` option, when set to true, will
+    # automatically create the certificate resources for you.
+    # You do not need to set the secretName when using this flag.
+    useCertManager: true
+    # secretName: tls-secret
+    insecure: true


 data:
@@ -133,3 +141,11 @@ data:
    # annotations:
    accessMode: ReadWriteOnce
    size: 8Gi
+  https:
+    enabled: true
+    # The `useCertManager` option, when set to true, will
+    # automatically create the certificate resources for you.
+    # You do not need to set the secretName when using this flag.
+    useCertManager: true
+    # secretName: tls-secret
+    insecure: true
--- a/ct.yaml
+++ b/ct.yaml
@@ -4,4 +4,6 @@ chart-dirs:
  - charts
 chart-repos:
  - "jetstack=https://charts.jetstack.io"
+helm-extra-args:
+  - "--set license.key=${INFLUXDB_ENTERPRISE_LICENSE_KEY}"
 debug: true