TLS support for cannon and background-worker (#4410)

charts/background-worker/templates/_helpers.tpl

@@ -7,3 +7,19 @@
 {{- define "includeSecurityContext" -}}
   {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}}
 {{- end -}}
+
+{{- define "useCassandraTLS" -}}
+{{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }}
+{{- end -}}
+
+{{/* Return a Dict of TLS CA secret name and key
+This is used to switch between provided secret (e.g. by cert-manager) and
+created one (in case the CA is provided as PEM string.)
+*/}}
+{{- define "tlsSecretRef" -}}
+{{- if .cassandra.tlsCaSecretRef -}}
+{{ .cassandra.tlsCaSecretRef | toYaml }}
+{{- else }}
+{{- dict "name" "background-worker-cassandra" "key" "ca.pem" | toYaml -}}
+{{- end -}}
+{{- end -}}

charts/background-worker/templates/cassandra-secret.yaml

@@ -0,0 +1,15 @@
+{{/* Secret for the provided Cassandra TLS CA. */}}
+{{- if not (empty .Values.config.cassandra.tlsCa) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: background-worker-cassandra
+  labels:
+    app: background-worker
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  ca.pem: {{ .Values.config.cassandra.tlsCa | b64enc | quote }}
+{{- end }}

charts/background-worker/templates/configmap.yaml

@@ -26,6 +26,9 @@ data:
         host: {{ .cassandra.host }}
         port: 9042
       keyspace: gundeck
+      {{- if eq (include "useCassandraTLS" .) "true" }}
+      tlsCa: /etc/wire/background-worker/cassandra/{{- (include "tlsSecretRef" . | fromYaml).key }}
+      {{- end }}
 
     {{- with .rabbitmq }}
     rabbitmq:

charts/background-worker/templates/deployment.yaml

@@ -26,9 +26,10 @@ spec:
         # An annotation of the configmap checksum ensures changes to the configmap cause a redeployment upon `helm upgrade`
         checksum/configmap: {{ include (print .Template.BasePath "/configmap.yaml") . | sha256sum }}
         checksum/secret: {{ include (print .Template.BasePath "/secret.yaml") . | sha256sum }}
+        checksum/cassandra-secret: {{ include (print .Template.BasePath "/cassandra-secret.yaml") . | sha256sum }}
         fluentbit.io/parser: json
     spec:
-      serviceAccountName: {{ .Values.serviceAccount.name }}
+      automountServiceAccountToken: false
       volumes:
         - name: "background-worker-config"
           configMap:

charts/background-worker/values.yaml

@@ -37,14 +37,6 @@ config:
     pushBackoffMaxWait: 300000000 # microseconds, so 300s
     remotesRefreshInterval: 300000000 # microseconds, so 300s
 
-serviceAccount:
-  # When setting this to 'false', either make sure that a service account named
-  # 'background-worker' exists or change the 'name' field to 'default'
-  create: true
-  name: background-worker
-  annotations: {}
-  automountServiceAccountToken: true
-
 secrets: {}
 
 podSecurityContext:

charts/cannon/templates/_helpers.tpl

@@ -23,3 +23,19 @@ We truncate at 63 chars because some Kubernetes name fields are limited to this
 {{- define "includeSecurityContext" -}}
   {{- (semverCompare ">= 1.24-0" (include "kubeVersion" .)) -}}
 {{- end -}}
+
+{{- define "useCassandraTLS" -}}
+{{ or (hasKey .cassandra "tlsCa") (hasKey .cassandra "tlsCaSecretRef") }}
+{{- end -}}
+
+{{/* Return a Dict of TLS CA secret name and key
+This is used to switch between provided secret (e.g. by cert-manager) and
+created one (in case the CA is provided as PEM string.)
+*/}}
+{{- define "tlsSecretRef" -}}
+{{- if .cassandra.tlsCaSecretRef -}}
+{{ .cassandra.tlsCaSecretRef | toYaml }}
+{{- else }}
+{{- dict "name" "cannon-cassandra" "key" "ca.pem" | toYaml -}}
+{{- end -}}
+{{- end -}}

charts/cannon/templates/cassandra-secret.yaml

@@ -0,0 +1,15 @@
+{{/* Secret for the provided Cassandra TLS CA. */}}
+{{- if not (empty .Values.config.cassandra.tlsCa) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cannon-cassandra
+  labels:
+    app: cannon
+    chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
+    release: "{{ .Release.Name }}"
+    heritage: "{{ .Release.Service }}"
+type: Opaque
+data:
+  ca.pem: {{ .Values.config.cassandra.tlsCa | b64enc | quote }}
+{{- end }}

charts/cannon/templates/configmap.yaml

@@ -20,6 +20,9 @@ data:
         host: {{ .config.cassandra.host }}
         port: 9042
       keyspace: gundeck
+      {{- if eq (include "useCassandraTLS" .config) "true" }}
+      tlsCa: /etc/wire/cannon/cassandra/{{- (include "tlsSecretRef" .config | fromYaml).key }}
+      {{- end }}
 
     {{- with .config.rabbitmq }}
     rabbitmq:

charts/cannon/templates/statefulset.yaml

@@ -32,6 +32,7 @@ spec:
         {{- if .Values.service.nginz.enabled }}
         checksum/nginz-configmap: {{ include (print .Template.BasePath "/nginz-configmap.yaml") . | sha256sum }}
         {{- end }}
+        checksum/cassandra-secret: {{ include (print .Template.BasePath "/cassandra-secret.yaml") . | sha256sum }}
     spec:
       terminationGracePeriodSeconds: {{ add .Values.config.drainOpts.gracePeriodSeconds 5 }}
       topologySpreadConstraints:
@@ -117,6 +118,10 @@ spec:
         - name: rabbitmq-ca
           mountPath: "/etc/wire/cannon/rabbitmq-ca/"
         {{- end }}
+        {{- if eq (include "useCassandraTLS" .Values.config) "true" }}
+        - name: "cannon-cassandra"
+          mountPath: "/etc/wire/cannon/cassandra"
+        {{- end }}
         ports:
         - name: http
           containerPort: {{ .Values.service.internalPort }}
@@ -175,3 +180,8 @@ spec:
         secret:
           secretName: {{ .Values.config.rabbitmq.tlsCaSecretRef.name }}
       {{- end }}
+      {{- if eq (include "useCassandraTLS" .Values.config) "true" }}
+      - name: "cannon-cassandra"
+        secret:
+          secretName: {{ (include "tlsSecretRef" .Values.config | fromYaml).name }}
+      {{- end }}