Add options to mount ssl and etcd ssl certificates from host

charts/healthz/Chart.yaml

@@ -1,5 +1,5 @@
 name: healthz
-version: 0.0.1
+version: 0.0.2
 description: Simple monitoring agent for K8S cluster
 keywords:
  - monitoring

charts/healthz/README.md

@@ -20,28 +20,35 @@ $ helm install --name my-release charts/healthz
 
 The following tables lists the configurable parameters of the Healthz chart and their default values.
 
-| Parameter | Description | Default |
-| ----------------------------- | --------------------------------------------------------- | --------------------------------------------- |
-| `healthz.name` | Base chart resources name | `healthz` |
-| `healthz.accesskey` | Access key to fetch status from healthz | `akey` |
-| `healthz.debug` | Enable/disable debug log level | `true` |
-| `healthz.checkinterval` | K8S and ETCD services check interval (Go duration format) | `1m` |
-| `healthz.kube.addr` | K8S API endpoint | `http://localhost:8080` |
-| `healthz.kube.nodesThreshold` | Lower limit of number of K8S nodes available | `3` |
-| `healthz.image.repo` | Image repo | `quay.io/gravitational/satellite` |
-| `healthz.image.tag` | Image tag | `stable` |
-| `healthz.image.pullPolicy` | Image pull policy | `IfNotPresent` |
-| `healthz.servicePort` | External service port | `8080` |
-| `healthz.nodePort` | Port to allocate on node for healthz container | `8080` |
-| `healthz.ssl.enabled` | Enable/disable SSL on service port | `false` |
-| `healthz.ssl.cert` | External service SSL certificate | `` |
-| `healthz.ssl.key` | External service SSL key | `` |
-| `healthz.ssl.ca` | External service SSL CA | `` |
-| `healthz.etcd.peers` | Comma-separated ETCD service endpoints to check | `http://localhost:4001,http://localhost:2380` |
-| `healthz.etcd.cert` | ETCD service SSL certificate | `` |
-| `healthz.etcd.key` | ETCD service SSL key | `` |
-| `healthz.etcd.ca` | ETCD service SSL CA | `` |
-| `healthz.etcd.skipVerify` | Skip ETCD service SSL certificate verification | `false` |
+| Parameter | Description | Default |
+| ----------------------------- | ---------------------------------------------------------- | --------------------------------------------- |
+| `healthz.name` | Base chart resources name | `healthz` |
+| `healthz.accesskey` | Access key to fetch status from healthz | `akey` |
+| `healthz.debug` | Enable/disable debug log level | `true` |
+| `healthz.checkinterval` | K8S and ETCD services check interval (Go duration format) | `1m` |
+| `healthz.kube.addr` | K8S API endpoint | `http://localhost:8080` |
+| `healthz.kube.nodesThreshold` | Lower limit of number of K8S nodes available | `3` |
+| `healthz.image.repo` | Image repo | `quay.io/gravitational/satellite` |
+| `healthz.image.tag` | Image tag | `stable` |
+| `healthz.image.pullPolicy` | Image pull policy | `IfNotPresent` |
+| `healthz.servicePort` | External service port | `8080` |
+| `healthz.nodePort` | Port to allocate on node for healthz container | `8080` |
+| `healthz.nodeSelector` | Specify labels to select nodes where pod able to reside | {} |
+| `healthz.ssl.enabled` | Enable/disable SSL on service port | `false` |
+| `healthz.ssl.cert` | External service SSL cert | `` |
+| `healthz.ssl.key` | External service SSL key | `` |
+| `healthz.ssl.ca` | External service SSL CA | `` |
+| `healthz.ssl.certPath` | External service SSL cert (overrides `healthz.ssl.cert`) | `` |
+| `healthz.ssl.keyPath` | External service SSL key (overrides `healthz.ssl.key`) | `` |
+| `healthz.ssl.caPath` | External service SSL CA (overrides `healthz.ssl.ca`) | `` |
+| `healthz.etcd.peers` | Comma-separated ETCD service endpoints to check | `http://localhost:4001,http://localhost:2380` |
+| `healthz.etcd.cert` | ETCD service SSL cert | `` |
+| `healthz.etcd.key` | ETCD service SSL key | `` |
+| `healthz.etcd.ca` | ETCD service SSL CA | `` |
+| `healthz.etcd.certPath` | ETCD service SSL cert path (overrides `healthz.etcd.cert`) | `` |
+| `healthz.etcd.keyPath` | ETCD service SSL key path (overrides `healthz.etcd.key`) | `` |
+| `healthz.etcd.caPath` | ETCD service SSL CA path (overrides `healthz.etcd.ca`) | `` |
+| `healthz.etcd.skipVerify` | Skip ETCD service SSL cert verification | `false` |
 
 Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
 

charts/healthz/templates/deployment.yaml

@@ -17,6 +17,12 @@ spec:
  app: {{.Values.healthz.name | default "healthz"}}
  release: {{.Release.Name | quote }}
  spec:
+{{if .Values.healthz.nodeSelector}}
+ nodeSelector:
+ {{range $key, $val := .Values.healthz.nodeSelector}}
+ {{$key}}: {{$val}}
+ {{end}}
+{{end}}
  containers:
  - name: healthz
  image: {{.Values.healthz.image.repo | default "healthz"}}:{{.Values.healthz.image.tag | default "stable"}}
@@ -33,22 +39,22 @@ spec:
  - name: ETCDCTL_PEERS
  value: {{.Values.healthz.etcd.peers | default "http://localhost:4001,http://localhost:2380"}}
  - name: ETCDCTL_CERT_FILE
- value: /healthz-secret/etcdctl-cert.pem
+ value: /healthz-{{if ne .Values.healthz.etcd.certPath ""}}host-{{end}}secret/etcd-cert.pem
  - name: ETCDCTL_KEY_FILE
- value: /healthz-secret/etcdctl-key.pem
+ value: /healthz-{{if ne .Values.healthz.etcd.keyPath ""}}host-{{end}}secret/etcd-key.pem
  - name: ETCDCTL_CA_FILE
- value: /healthz-secret/etcdctl-ca.pem
+ value: /healthz-{{if ne .Values.healthz.etcd.caPath ""}}host-{{end}}secret/etcd-ca.pem
 {{if .Values.healthz.etcd.skipVerify}}
  - name: ETCDCTL_SKIP_VERIFY
  value: "true"
 {{end}}
 {{if .Values.healthz.ssl.enabled}}
  - name: HEALTH_CERT_FILE
- value: /healthz-secret/cert.pem
+ value: /healthz-{{if ne .Values.healthz.ssl.certPath ""}}host-{{end}}secret/ssl-cert.pem
  - name: HEALTH_KEY_FILE
- value: /healthz-secret/key.pem
+ value: /healthz-{{if ne .Values.healthz.ssl.keyPath ""}}host-{{end}}secret/ssl-key.pem
  - name: HEALTH_CA_FILE
- value: /healthz-secret/ca.pem
+ value: /healthz-{{if ne .Values.healthz.ssl.caPath ""}}host-{{end}}secret/ssl-ca.pem
 {{end}}
  - name: HEALTH_CHECK_INTERVAL
  value: {{.Values.healthz.checkInterval | default "1m"}}
@@ -69,8 +75,62 @@ spec:
  - name: healthz-secret
  mountPath: /healthz-secret
  readOnly: true
+{{if ne .Values.healthz.etcd.caPath ""}}
+ - name: etcd-ca
+ mountPath: /healthz-host-secret/etcd-ca.pem
+{{end}}
+{{if ne .Values.healthz.etcd.certPath ""}}
+ - name: etcd-cert
+ mountPath: /healthz-host-secret/etcd-cert.pem
+{{end}}
+{{if ne .Values.healthz.etcd.keyPath ""}}
+ - name: etcd-key
+ mountPath: /healthz-host-secret/etcd-key.pem
+{{end}}
+{{if ne .Values.healthz.ssl.caPath ""}}
+ - name: ssl-ca
+ mountPath: /healthz-host-secret/ssl-ca.pem
+{{end}}
+{{if ne .Values.healthz.ssl.certPath ""}}
+ - name: ssl-cert
+ mountPath: /healthz-host-secret/ssl-cert.pem
+{{end}}
+{{if ne .Values.healthz.ssl.keyPath ""}}
+ - name: ssl-key
+ mountPath: /healthz-host-secret/ssl-key.pem
+{{end}}
  volumes:
  - name: healthz-secret
  secret:
  secretName: {{.Values.healthz.name | default "healthz"}}
+{{if ne .Values.healthz.etcd.caPath ""}}
+ - name: etcd-ca
+ hostPath:
+ path: {{.Values.healthz.etcd.caPath | quote}}
+{{end}}
+{{if ne .Values.healthz.etcd.certPath ""}}
+ - name: etcd-cert
+ hostPath:
+ path: {{.Values.healthz.etcd.certPath | quote}}
+{{end}}
+{{if ne .Values.healthz.etcd.keyPath ""}}
+ - name: etcd-key
+ hostPath:
+ path: {{.Values.healthz.etcd.keyPath | quote}}
+{{end}}
+{{if ne .Values.healthz.ssl.caPath ""}}
+ - name: ssl-ca
+ hostPath:
+ path: {{.Values.healthz.ssl.caPath | quote}}
+{{end}}
+{{if ne .Values.healthz.ssl.certPath ""}}
+ - name: ssl-cert
+ hostPath:
+ path: {{.Values.healthz.ssl.certPath | quote}}
+{{end}}
+{{if ne .Values.healthz.ssl.keyPath ""}}
+ - name: ssl-key
+ hostPath:
+ path: {{.Values.healthz.ssl.keyPath | quote}}
+{{end}}
  hostNetwork: true

charts/healthz/templates/secret.yaml

@@ -4,11 +4,9 @@ metadata:
  name: {{.Values.healthz.name | default "healthz"}}
 data:
  accesskey: {{.Values.healthz.accesskey | default "" | b64enc | quote}}
-{{if .Values.healthz.ssl.enabled}}
- cert.pem: {{.Values.healthz.ssl.cert | default "" | b64enc | quote}}
- key.pem: {{.Values.healthz.ssl.key | default "" | b64enc | quote}}
- ca.pem: {{.Values.healthz.ssl.ca | default "" | b64enc | quote}}
-{{end}}
- etcdctl-cert.pem: {{.Values.healthz.etcd.cert | default "" | b64enc | quote}}
- etcdctl-key.pem: {{.Values.healthz.etcd.key | default "" | b64enc | quote}}
- etcdctl-ca.pem: {{.Values.healthz.etcd.ca | default "" | b64enc | quote}}
+ ssl-cert.pem: {{.Values.healthz.ssl.cert | default "" | b64enc | quote}}
+ ssl-key.pem: {{.Values.healthz.ssl.key | default "" | b64enc | quote}}
+ ssl-ca.pem: {{.Values.healthz.ssl.ca | default "" | b64enc | quote}}
+ etcd-cert.pem: {{.Values.healthz.etcd.cert | default "" | b64enc | quote}}
+ etcd-key.pem: {{.Values.healthz.etcd.key | default "" | b64enc | quote}}
+ etcd-ca.pem: {{.Values.healthz.etcd.ca | default "" | b64enc | quote}}

charts/healthz/values.yaml

@@ -7,6 +7,7 @@ healthz:
  accesskey: "akey"
  debug: true
  checkInterval: 1m
+ nodeSelector: {}
  kube:
  addr: "http://localhost:8080"
  nodesThreshold: "3"
@@ -21,9 +22,15 @@ healthz:
  cert: ""
  key: ""
  ca: ""
+ certPath: ""
+ keyPath: ""
+ caPath: ""
  etcd:
  peers: "http://localhost:4001,http://localhost:2380"
  cert: ""
  key: ""
  ca: ""
+ certPath: ""
+ keyPath: ""
+ caPath: ""
  skipVerify: false