Add support for custom CA certs and volumes (#38)
* Add support for custom CA certs and volumes
alfespa17 committed Oct 1, 2022
1 parent 416d945 commit 3220a9d
Showing 6 changed files with 205 additions and 1 deletion.
128 changes: 127 additions & 1 deletion README.md
@@ -202,6 +202,7 @@ Once you have completed the above steps you can complete the file values.yaml to
| security.dexClientScope | Yes | Use "email openid profile offline_access groups" |
| security.dexIssuerUri | Yes | Should be "https://apiDomain/dex" |
| security.gcpCredentials | No | JSON Credentials for Google Identity Authentication |
| security.caCerts | No | Custom CA certificates to be added at runtime |
| storage.gcp.projectId | No | GCP Project Id for the storage |
| storage.gcp.bucketName | No | GCP Bucket name for the storage |
| storage.gcp.credentials | No | GCP JSON Credentials for the storage |
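Review bot: the description for security.caCerts leaves out how the value is shaped and that it is not self-contained. Each map key becomes a file name inside the terrakube-ca-secrets Secret and each value must be a PEM-encoded certificate, and the certificates only reach a component when that component's volumes/volumeMounts are also configured, as the "Custom CA certificates at runtime" section added further down in this same change shows. Something like `| security.caCerts | No | Map of file name to PEM-encoded CA certificate, exposed through the terrakube-ca-secrets Secret; mount it with the volumes/volumeMounts values below |` would spare readers the surprise of an empty truststore.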
@@ -225,6 +226,9 @@ Once you have completed the above steps you can complete the file values.yaml to
| api.version | Yes | Terrakube API version |
| api.replicaCount | Yes | |
| api.serviceType | Yes | |
| api.env | No | |
| api.volumes | No | |
| api.volumeMounts | No | |
| api.properties.databaseType | Yes | H2/SQL_AZURE/POSTGRESQL/MYSQL |
| api.properties.databaseHostname | No | |
| api.properties.databaseName | No | |
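Review bot: the new api.env, api.volumes and api.volumeMounts rows have empty description cells, and the same is true of the executor.* and registry.* rows added below. These values are rendered verbatim into the Deployment, so say so, e.g. `| api.volumes | No | Extra pod volumes, rendered verbatim into the API Deployment |` and `| api.volumeMounts | No | Extra volumeMounts for the API container |`. Because anything placed here lands in the pod spec unvalidated (hostPath volumes included), a sentence noting that the chart does not check the contents is a useful caveat for operators reviewing values files.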
@@ -234,12 +238,18 @@ Once you have completed the above steps you can complete the file values.yaml to
| executor.version | Yes | Terrakube Executor version |
| executor.replicaCount | Yes | |
| executor.serviceType | Yes | ClusterIP/NodePort/LoadBalancer/ExternalName |
| executor.env | No | |
| executor.volumes | No | |
| executor.volumeMounts | No | |
| executor.properties.toolsRepository | Yes | Example: https://github.com/AzBuilder/terrakube-extensions |
| executor.properties.toolsBranch | Yes | Example: main |
| registry.enabled | Yes | |
| registry.version | Yes | |
| registry.replicaCount | Yes | |
| registry.serviceType | Yes | ClusterIP/NodePort/LoadBalancer/ExternalName |
| registry.env | No | |
| registry.volumes | No | |
| registry.volumeMounts | No | |
| ui.enabled | Yes | true/false |
| ui.version | Yes | |
| ui.replicaCount | Yes | |
@@ -308,7 +318,123 @@ api:
databaseType: "H2"
```
### 5. Deploy Terrakube using helm chart
### 5. Custom CA certificates at runtime
To add custom CA certificate to Terrakube components use the folowing configuration example:
Example property ***security.caCerts***
```
security:
.....
caCerts:
terrakubeDemo1.pem: |
-----BEGIN CERTIFICATE-----
CERTIFICATE DATA
-----END CERTIFICATE-----
terrakubeDemo2.pem: |
-----BEGIN CERTIFICATE-----
CERTIFICATE DATA
-----END CERTIFICATE-----
....
```

Terrakube components configuration with custom CA certificates:

```yaml
## API properties
api:
enabled: true
version: "2.7.0"
replicaCount: "1"
serviceType: "ClusterIP"
env:
- name: SERVICE_BINDING_ROOT
value: /mnt/platform/bindings
volumes:
- name: ca-certs
secret:
secretName: terrakube-ca-secrets
items:
- key: "terrakubeDemo1.pem"
path: "terrakubeDemo1.pem"
- key: "terrakubeDemo2.pem"
path: "terrakubeDemo2.pem"
- key: "type"
path: "type"
volumeMounts:
- name: ca-certs
mountPath: /mnt/platform/bindings/ca-certificates
readOnly: true
properties:
databaseType: "H2"


## Executor properties
executor:
enabled: true
version: "2.7.0"
replicaCount: "1"
serviceType: "ClusterIP"
env:
- name: SERVICE_BINDING_ROOT
value: /mnt/platform/bindings
volumes:
- name: ca-certs
secret:
secretName: terrakube-ca-secrets
items:
- key: "terrakubeDemo1.pem"
path: "terrakubeDemo1.pem"
- key: "terrakubeDemo2.pem"
path: "terrakubeDemo2.pem"
- key: "type"
path: "type"
volumeMounts:
- name: ca-certs
mountPath: /mnt/platform/bindings/ca-certificates
readOnly: true
properties:
toolsRepository: "https://github.com/AzBuilder/terrakube-extensions"
toolsBranch: "main"

## Registry properties
registry:
enabled: true
version: "2.7.0"
replicaCount: "1"
serviceType: "ClusterIP"
env:
- name: SERVICE_BINDING_ROOT
value: /mnt/platform/bindings
volumes:
- name: ca-certs
secret:
secretName: terrakube-ca-secrets
items:
- key: "terrakubeDemo1.pem"
path: "terrakubeDemo1.pem"
- key: "terrakubeDemo2.pem"
path: "terrakubeDemo2.pem"
- key: "type"
path: "type"
volumeMounts:
- name: ca-certs
mountPath: /mnt/platform/bindings/ca-certificates
readOnly: true
```
If the configuration is correct the pods log will show something like this:
```
Added 2 additional CA certificate(s) to system truststore
```

### 6. Deploy Terrakube using helm chart

Now you have all the information to deploy Terrakube, you can use the following example:

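Review bot: all three examples hard-code the `items` list (`terrakubeDemo1.pem`, `terrakubeDemo2.pem`, `type`), so anyone who names their keys differently under security.caCerts and copies this block gets a volume that cannot be set up: the kubelet refuses to project a Secret key that does not exist and the pod stays in ContainerCreating with a FailedMount event. Every key of terrakube-ca-secrets is wanted anyway, so drop `items`, let the whole Secret be projected, and keep `readOnly: true`. Two smaller points in the same section: "folowing" should be "following", and the first fence (the `security:` example) is untagged while the following one is tagged `yaml`. A one-line caveat next to the log message would also help: every certificate listed here becomes a trusted root for all outbound TLS from the API, executor and registry, so only the internal issuing CA belongs there, not an arbitrary bundle; and `kubectl get secret terrakube-ca-secrets -o jsonpath='{.data}'` confirms the expected keys landed before chasing the "Added N additional CA certificate(s)" line in the pod logs.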
8 changes: 8 additions & 0 deletions templates/deployment-api.yaml
@@ -27,6 +27,10 @@ spec:
env:
{{- toYaml . | nindent 8 }}
{{- end }}
volumeMounts:
{{- with .Values.api.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
envFrom:
- secretRef:
name: terrakube-api-secrets
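Review bot: `volumeMounts:` is emitted unconditionally while only its list sits inside `{{- with .Values.api.volumeMounts }}`, so a release that does not set api.volumeMounts renders a bare `volumeMounts:` key with a null value. The `volumes:` block at the end of this same template puts the key inside the `with`; do the same here, i.e. `{{- with .Values.api.volumeMounts }}` / `volumeMounts:` / `{{- toYaml . | nindent 12 }}` followed by `{{- end }}`, and apply the same change in deployment-executor.yaml and deployment-registry.yaml. Also worth a look: the sibling `env:` list just above uses `nindent 8` while this one uses `nindent 12`; both keys belong to the same container, so they should share one indent value.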
@@ -60,4 +64,8 @@ spec:
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.api.volumes }}
volumes:
{{- toYaml . | nindent 6 }}
{{- end }}
{{ end }}
8 changes: 8 additions & 0 deletions templates/deployment-executor.yaml
@@ -27,6 +27,10 @@ spec:
env:
{{- toYaml . | nindent 8 }}
{{- end }}
volumeMounts:
{{- with .Values.executor.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
envFrom:
- secretRef:
name: terrakube-executor-secrets
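Review bot: same shape as in deployment-api.yaml: `volumeMounts:` is outside the `{{- with .Values.executor.volumeMounts }}` guard, so a release without executor.volumeMounts renders the key with a null value. Move the key inside the guard, the way the `volumes:` block at the bottom of this template does. The executor is the component that runs user-supplied Terraform, so an accurate, minimal mount list here matters more than in the other two templates.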
@@ -60,4 +64,8 @@ spec:
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.executor.volumes }}
volumes:
{{- toYaml . | nindent 6 }}
{{- end }}
{{ end }}
8 changes: 8 additions & 0 deletions templates/deployment-registry.yaml
@@ -27,6 +27,10 @@ spec:
env:
{{- toYaml . | nindent 8 }}
{{- end }}
volumeMounts:
{{- with .Values.registry.volumeMounts }}
{{- toYaml . | nindent 12 }}
{{- end }}
envFrom:
- secretRef:
name: terrakube-registry-secrets
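Review bot: `volumeMounts:` is again outside its `{{- with .Values.registry.volumeMounts }}` guard, producing a null-valued key when registry.volumeMounts is unset; wrap the key in the guard as the `volumes:` block below already does, so all three templates render the same way.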
@@ -60,4 +64,8 @@ spec:
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.registry.volumes }}
volumes:
{{- toYaml . | nindent 6 }}
{{- end }}
{{ end }}
12 changes: 12 additions & 0 deletions templates/secrets-certs.yaml
@@ -0,0 +1,12 @@
apiVersion: v1
kind: Secret
metadata:
name: terrakube-ca-secrets
type: Opaque
stringData:
type: |
ca-certificates
{{- with .Values.security.caCerts }}
{{- toYaml . | nindent 2 }}
{{- end }}
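Review bot: `type: |` is a literal block scalar, so the `type` file in the binding contains `ca-certificates` followed by a newline; a plain `type: ca-certificates` avoids depending on the binding reader to trim trailing whitespace. Also, with no `{{- if .Values.security.caCerts }}` guard, the Secret and its `type` file are created for every release even when no certificates are configured, which is harmless but worth stating in the README or guarding. The `toYaml . | nindent 2` rendering of the PEM blocks under `stringData` is fine as written.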
42 changes: 42 additions & 0 deletions values.schema.json
@@ -36,6 +36,12 @@
"adminGroup": {
"description": "Terrakube Administrators Group",
"type": "string"
},
"caCerts": {
"type": "object",
"items": {
"type": "object"
}
}
}
},
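Review bot: `"items"` has no effect on a `"type": "object"` schema (it applies to arrays), so this entry validates nothing about the certificate values. Use `"additionalProperties": { "type": "string" }` so every entry under security.caCerts must be a string holding the PEM text, and add a `"description"` the way the sibling `adminGroup` entry has one, e.g. `"description": "Map of file name to PEM-encoded CA certificate"`.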
@@ -206,6 +212,18 @@
"type": "object"
}
},
"volumes": {
"type": "array",
"items": {
"type": "object"
}
},
"volumeMounts": {
"type": "array",
"items": {
"type": "object"
}
},
"properties": {
"type": "object",
"required": ["databaseType", "databaseHostname", "databaseName", "databaseUser", "databasePassword"],
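Review bot: the new `volumes` and `volumeMounts` entries are arrays of bare `object`, which is acceptable for pass-through values, but a `description` on each would match the rest of this file. Not introduced by this change but visible in the hunk's context: `"required": ["databaseType", "databaseHostname", "databaseName", "databaseUser", "databasePassword"]` contradicts the README table updated in this same commit, which marks `api.properties.databaseHostname` and `api.properties.databaseName` as not required and shows an H2 example that sets only `databaseType`. Unless the chart's default values already define those keys, a values file that follows the README fails schema validation; one of the two should be corrected.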
@@ -275,6 +293,18 @@
"type": "object"
}
},
"volumes": {
"type": "array",
"items": {
"type": "object"
}
},
"volumeMounts": {
"type": "array",
"items": {
"type": "object"
}
},
"properties": {
"type": "object",
"required": ["toolsRepository", "toolsBranch"],
@@ -330,6 +360,18 @@
"items": {
"type": "object"
}
},
"volumes": {
"type": "array",
"items": {
"type": "object"
}
},
"volumeMounts": {
"type": "array",
"items": {
"type": "object"
}
}
}
}