feat: support TLS with cert-manager and secrets

.github/workflows/helm-charts-test.yaml

@@ -29,9 +29,12 @@ jobs:
       # Our Enterprise chart requires some resources created
       - name: Create Enterprise Test Resources
         run: |
+          kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.1/cert-manager.yaml
           kubectl apply -f ./charts/influxdb-enterprise/example-resources.yaml
 
       - name: Run chart-testing (install)
         uses: helm/chart-testing-action@v1.0.0-rc.1
         with:
           command: install
+        env:
+          INFLUXDB_ENTERPRISE_LICENSE_KEY: "${{ secrets.INFLUXDB_ENTERPRISE_LICENSE_KEY }}"

charts/influxdb-enterprise/README.md

@@ -64,6 +64,34 @@ bootstrap:
     secretName: auth
 ```
 
+#### TLS (Optional)
+
+If you want to configure TLS for your meta and/or data nodes, you must enable TLS inside the `values.yaml`. An example is below, but you'll need to replicate for the data nodes too:
+
+```yaml
+meta:
+  https:
+    enabled: true
+```
+
+If you want to use CertManager to provision the TLS certificates, you can add:
+
+```yaml
+meta:
+  https:
+    useCertManager: true
+    insecure: true # This chart uses an untrusted CA, so we need to mark the keys as insecure
+```
+
+Otherwise, you need to provide a secret with the keys `tls.crt` and `tls.key`. An example exists inside the [example resources](./example-resources.yaml).
+
+```yaml
+meta:
+  https:
+    secretName: my-tls-secret
+    insecure: true # Only enable if your CA isn't trusted
+```
+
 #### DDL/DML (Optional)
 
 If you wish to create databases or import data after installation, we've provided this DDL/DML hook. Your config map must contain the keys `ddl` and `dml`.

charts/influxdb-enterprise/example-resources.yaml

-apiVersion: v1
-kind: Secret
-metadata:
-  name: license
-stringData:
-  json: YOUR JSON KEY
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: license
+# stringData:
+#   json: YOUR JSON KEY
 ---
 apiVersion: v1
 kind: Secret
@@ -20,12 +20,22 @@ metadata:
 stringData:
   secret: MY RANDOM STRING
 ---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: ddl-dml
-data:
-  ddl: |
-    CREATE DATABASE original
-    CREATE RETENTION POLICY oneday ON original DURATION 1d REPLICATION 1
-  dml: ""
+# apiVersion: v1
+# kind: Secret
+# metadata:
+#   name: tls
+# stringData:
+#   tls.crt: |
+#     SOME CERTIFICATE
+#   tls.key: |
+#     SOME KEY
+---
+# apiVersion: v1
+# kind: ConfigMap
+# metadata:
+#   name: ddl-dml
+# data:
+#   ddl: |
+#     CREATE DATABASE original
+#     CREATE RETENTION POLICY oneday ON original DURATION 1d REPLICATION 1
+#   dml: ""

charts/influxdb-enterprise/templates/certmanager-issuer.yaml

+{{- if or .Values.data.https.useCertManager .Values.meta.https.useCertManager -}}
+apiVersion: cert-manager.io/v1alpha2
+kind: Issuer
+metadata:
+  name: {{ include "influxdb-enterprise.fullname" . }}
+  labels:
+    {{- include "influxdb-enterprise.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}
+{{- end -}}

charts/influxdb-enterprise/templates/data-certmanager.yaml

+{{- if and .Values.data.https.enabled .Values.data.https.useCertManager -}}
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: {{ include "influxdb-enterprise.fullname" . }}-data
+  labels:
+    {{- include "influxdb-enterprise.labels" . | nindent 4 }}
+spec:
+  {{- $replicas := (int $.Values.data.replicas) }}
+  {{- $fullname := include "influxdb-enterprise.fullname" . }}
+  {{- $namespace := .Release.Namespace }}
+
+  dnsNames:
+  - {{ $fullname }}-data
+  - {{ $fullname }}-data.{{ .Release.Namespace }}.svc
+
+  {{- range $i := until $replicas }}
+  - {{ $fullname }}-data-{{ $i | toString }}.{{ $fullname }}-data
+  - {{ $fullname }}-data-{{ $i | toString }}.{{ $fullname }}-data.{{ $namespace }}
+  - {{ $fullname }}-data-{{ $i | toString }}.{{ $fullname }}-data.{{ $namespace }}.svc
+  {{ end }}
+  
+  isCA: true
+  issuerRef:
+    kind: Issuer
+    name: {{ include "influxdb-enterprise.fullname" . }}
+  secretName: {{ include "influxdb-enterprise.fullname" . }}-data-tls
+{{- end -}}

charts/influxdb-enterprise/templates/data-configmap.yaml

@@ -24,9 +24,30 @@ data:
       license-path = "/var/run/secrets/influxdb/license.json"
       {{ end }}
 
+    [cluster]
+    {{ if .Values.data.https.enabled }}
+    https-enabled = true
+
+    https-certificate = "/var/run/secrets/tls/tls.crt"
+    https-private-key = "/var/run/secrets/tls/tls.key"
+
+    {{ if .Values.data.https.insecure }}
+    https-insecure-tls = true
+    {{ end }}
+    {{ end }}
+
     [meta]
       dir = "/var/lib/influxdb/meta"
 
+      {{ if and .Values.meta.https.enabled }}
+      meta-tls-enabled = true
+
+      {{ if .Values.meta.https.insecure }}
+      meta-insecure-tls = true
+      {{ end }}
+
+      {{ end }}
+
     [hinted-handoff]
       dir = "/var/lib/influxdb/hh"
 
@@ -53,7 +74,11 @@ data:
     $SIG{KILL} = sub { kill 'KILL', $pid };
 
     # Register data node with meta leader
-    my $protocol = $ENV{HTTP_PROTOCOL};
+    {{ if .Values.meta.https.enabled }}
+    my $protocol = "https";
+    {{ else }}
+    my $protocol = "http";
+    {{ end }}
     my $meta_service = $ENV{RELEASE_NAME} . "-meta";
 
     # We're not going to define an exit strategy for failure here.
@@ -61,7 +86,7 @@ data:
     while (true) {
       # There's no LWP/Simple available in our images, so forking out to curl 😥
       print "\n\n\nREGISTER WITH META SERVICE\n\n\n";
-      $exit_code = system('curl', '-XPOST', '-v', '--silent', '--fail', '--retry', '5', '--retry-delay', '0', "-Faddr=$ENV{INFLUXDB_HOSTNAME}:8088", "$protocol://$meta_service:8091/add-data");
+      $exit_code = system('curl', {{ if .Values.meta.https.insecure }}'-k',{{ end }} '-XPOST', '-v', '--silent', '--fail', '--retry', '5', '--retry-delay', '0', "-Faddr=$ENV{INFLUXDB_HOSTNAME}:8088", "$protocol://$meta_service:8091/add-data");
 
 
       if ($exit_code == 0) {

charts/influxdb-enterprise/templates/data-statefulset.yaml

@@ -37,6 +37,15 @@ spec:
         secret:
           secretName: {{ .Values.license.secret.name }}
       {{- end }}
+      {{- if .Values.data.https.enabled }}
+      - name: tls
+        secret:
+          {{- if .Values.data.https.useCertManager }}
+          secretName: {{ include "influxdb-enterprise.fullname" . }}-data-tls
+          {{ else }}
+          secretName: {{ .Values.data.https.secretName }}
+          {{ end }}
+      {{ end }}
       containers:
         - name: {{ .Chart.Name }}
           command:
@@ -48,8 +57,6 @@ spec:
           image: "{{ .Values.data.image.repository | default "influxdb" }}:{{ .Values.data.image.tag | default (printf "%s-%s" .Chart.AppVersion "data") }}"
           imagePullPolicy: {{ .Values.data.image.pullPolicy }}
           env:
-          - name: HTTP_PROTOCOL
-            value: http
           - name: RELEASE_NAME
             value: {{ include "influxdb-enterprise.fullname" . }}
           ports:
@@ -63,11 +70,17 @@ spec:
             httpGet:
               path: /ping
               port: http
+              {{- if .Values.data.https.enabled }}
+              scheme: HTTPS
+              {{- end }}
           readinessProbe:
             initialDelaySeconds: 30
             httpGet:
               path: /ping
               port: http
+              {{- if .Values.data.https.enabled }}
+              scheme: HTTPS
+              {{- end }}
           volumeMounts:
           - name: config
             mountPath: /etc/influxdb
@@ -78,6 +91,10 @@ spec:
             mountPath: /var/run/secrets/influxdb/license.json
             subPath: json
           {{- end }}
+          {{- if .Values.data.https.enabled }}
+          - name: tls
+            mountPath: /var/run/secrets/tls/
+          {{ end }}
           resources:
             {{- toYaml .Values.data.resources | nindent 12 }}
       {{- with .Values.data.nodeSelector }}

charts/influxdb-enterprise/templates/meta-certmanager.yaml

+{{- if and .Values.meta.https.enabled .Values.meta.https.useCertManager -}}
+apiVersion: cert-manager.io/v1alpha2
+kind: Certificate
+metadata:
+  name: {{ include "influxdb-enterprise.fullname" . }}-meta
+  labels:
+    {{- include "influxdb-enterprise.labels" . | nindent 4 }}
+spec:
+  {{- $replicas := (int $.Values.meta.replicas) }}
+  {{- $fullname := include "influxdb-enterprise.fullname" . }}
+  {{- $namespace := .Release.Namespace }}
+  
+  dnsNames:
+  - {{ $fullname }}-meta
+  - {{ $fullname }}-meta.{{ .Release.Namespace }}.svc
+  
+  {{- range $i := until $replicas }}
+  - {{ $fullname }}-meta-{{ $i | toString }}.{{ $fullname }}-meta
+  - {{ $fullname }}-meta-{{ $i | toString }}.{{ $fullname }}-meta.{{ $namespace }}
+  - {{ $fullname }}-meta-{{ $i | toString }}.{{ $fullname }}-meta.{{ $namespace }}.svc
+  {{ end }}
+    
+  isCA: true
+  issuerRef:
+    kind: Issuer
+    name: {{ include "influxdb-enterprise.fullname" . }}
+  secretName: {{ include "influxdb-enterprise.fullname" . }}-meta-tls
+{{- end -}}

charts/influxdb-enterprise/templates/meta-configmap.yaml

@@ -22,6 +22,27 @@ data:
     [meta]
       dir = "/var/lib/influxdb/meta"
 
+      {{ if .Values.meta.https.enabled }}
+      https-enabled = true
+
+      https-certificate = "/var/run/secrets/tls/tls.crt"
+      https-private-key = "/var/run/secrets/tls/tls.key"
+
+      {{ if .Values.meta.https.insecure }}
+      https-insecure-tls = true
+      {{ end }}
+
+      {{ end }}
+
+      {{ if and .Values.data.https.enabled }}
+      data-use-tls = true
+
+      {{ if .Values.data.https.insecure }}
+      data-insecure-tls = true
+      {{ end }}
+
+      {{ end }}
+
   entrypoint.pl: |+
     #!/usr/bin/env perl
     $ENV{INFLUXDB_HOSTNAME} = `hostname -f`;
@@ -47,9 +68,9 @@ data:
     # This should be handled by the probes on the pods
     while (true) {
       if($meta_leader eq $ENV{INFLUXDB_HOSTNAME}) {
-        system('influxd-ctl', 'add-meta', "$ENV{INFLUXDB_HOSTNAME}:8091");
+        system('influxd-ctl', {{ if .Values.meta.https.enabled }}'-bind-tls',{{ end }}{{ if .Values.meta.https.insecure }}'-k',{{ end }} 'add-meta', "$ENV{INFLUXDB_HOSTNAME}:8091");
       } else {
-        system('influxd-ctl', 'join', "$meta_leader:8091");
+        system('influxd-ctl', {{ if .Values.meta.https.enabled }}'-bind-tls',{{ end }}{{ if .Values.meta.https.insecure }}'-k',{{ end }} 'join', "$meta_leader:8091");
       }
 
       if ($? == 0) {

charts/influxdb-enterprise/templates/meta-statefulset.yaml

@@ -39,6 +39,15 @@ spec:
         secret:
           secretName: {{ .Values.license.secret.name }}
       {{- end }}
+      {{- if .Values.meta.https.enabled }}
+      - name: tls
+        secret:
+          {{- if .Values.meta.https.useCertManager }}
+          secretName: {{ include "influxdb-enterprise.fullname" . }}-meta-tls
+          {{ else }}
+          secretName: {{ .Values.meta.https.secretName }}
+          {{ end }}
+      {{ end }}
       containers:
         - name: {{ .Chart.Name }}
           command:
@@ -66,10 +75,16 @@ spec:
             httpGet:
               path: /ping
               port: http
+              {{- if .Values.meta.https.enabled }}
+              scheme: HTTPS
+              {{- end }}
           readinessProbe:
             httpGet:
               path: /ping
               port: http
+              {{- if .Values.meta.https.enabled }}
+              scheme: HTTPS
+              {{- end }}
           volumeMounts:
           - name: config
             mountPath: /etc/influxdb
@@ -80,6 +95,10 @@ spec:
             mountPath: /var/run/secrets/influxdb/license.json
             subPath: json
           {{- end }}
+          {{- if .Values.meta.https.enabled }}
+          - name: tls
+            mountPath: /var/run/secrets/tls/
+          {{ end }}
           resources:
             {{- toYaml .Values.meta.resources | nindent 12 }}
       {{- with .Values.meta.nodeSelector }}

charts/influxdb-enterprise/values.yaml

@@ -10,7 +10,7 @@ license:
   # You can put your license key here for testing this chart out,
   # but we STRONGLY recommend using a license file stored in a secret
   # when you ship to production.
-  key: ""
+  key: "fbe954a4-69c2-4b7e-bf69-cad2c2e5e6b9"
   # secret:
   #   name: license
   #   key: json
@@ -30,16 +30,16 @@ bootstrap:
   # and password for your "admin" account.
   # A secret should be provided, which will have the keys
   # "username" and "password" available.
-  auth: {}
-  #   secretName: auth
+  auth: #{}
+    secretName: auth
   # This section allows you to use DDL and DML to define
   # databases, retention policies, and inject some data.
   # When using the configMap setting, the keys "ddl" and "dml"
   # must exist, even if one of them is empty.
   # DDL is executed before DML, to enforce databases and retention policies
   # to exist.
-  ddldml: {}
-  #   configMap: ddl-dml
+  ddldml: #{}
+    configMap: ddl-dml
 
 meta:
   replicas: 3
@@ -92,6 +92,14 @@ meta:
   podDisruptionBudget:
     # maxUnavailable: 2
     minAvailable: 2
+  https:
+    enabled: true
+    # The `useCertManager` option, when set to true, will
+    # automatically create the certificate resources for you.
+    # You do not need to set the secretName when using this flag.
+    useCertManager: true
+    # secretName: tls-secret
+    insecure: true
 
 
 data:
@@ -133,3 +141,11 @@ data:
     # annotations:
     accessMode: ReadWriteOnce
     size: 8Gi
+  https:
+    enabled: true
+    # The `useCertManager` option, when set to true, will
+    # automatically create the certificate resources for you.
+    # You do not need to set the secretName when using this flag.
+    useCertManager: true
+    # secretName: tls-secret
+    insecure: true

ct.yaml

@@ -4,4 +4,6 @@ chart-dirs:
   - charts
 chart-repos:
   - "jetstack=https://charts.jetstack.io"
+helm-extra-args:
+  - "--set license.key=${INFLUXDB_ENTERPRISE_LICENSE_KEY}"
 debug: true