Added support for root certificates, certificates, private key, certific…
…ate chain and keystore/truststore provider and type.
Secchol committed Sep 25, 2024
1 parent 2c843b9 commit 3ea29cb
Showing 3 changed files with 66 additions and 24 deletions.
31 changes: 23 additions & 8 deletions templates/graphdb/configmap-properties.yaml
Expand Up @@ -23,21 +23,36 @@ data:
{{- with .Values.cluster.config.tls }}
{{- if ne .mode "NONE" }}
graphdb.raft.security.mode={{ .mode }}
{{- if .keystore.secretName}}
{{- if .privateKey.secretName }}
graphdb.raft.security.certificateKeyFile=/opt/graphdb/home/conf/private-key.pem
{{- end }}
{{- if .certificate.secretName }}
graphdb.raft.security.certificateFile=/opt/graphdb/home/conf/certificate.pem
{{- end }}
{{- if .certificateChain.secretName }}
graphdb.raft.security.certificateChainFile=/opt/graphdb/home/conf/certificate-chain.pem
{{- end }}
{{- if .keystore.secretName }}
graphdb.raft.security.keystoreFile=/opt/graphdb/home/conf/keystore.jks
graphdb.raft.security.keyAlias={{ .keystore.keyAlias }}
{{- if .keystore.keystoreProvider }}
graphdb.raft.security.keystoreProvider={{ .keystore.keystoreProvider }}
{{- end }}
{{- if .truststore.secretName}}
{{- if .keystore.keystoreType }}
graphdb.raft.security.keystoreType={{ .keystore.keystoreType }}
{{- end }}
{{- end }}
{{- if .truststore.secretName }}
graphdb.raft.security.truststoreFile=/opt/graphdb/home/conf/truststore.jks
{{- if .truststore.truststoreProvider }}
graphdb.raft.security.truststoreProvider={{ .truststore.truststoreProvider }}
{{- end }}
{{- if .privateKey.secretName }}
graphdb.raft.security.certificateKeyFile=/opt/graphdb/home/conf/privatekey.pem
{{- if .truststore.truststoreType }}
graphdb.raft.security.truststoreType={{ .truststore.truststoreType }}
{{- end }}
{{- if .certificate.secretName }}
graphdb.raft.security.certificateFile=/opt/graphdb/home/conf/certificate.pem
{{- end }}
{{- if .certificateChain.secretName }}
graphdb.raft.security.certificateChainFile=/opt/graphdb/home/conf/certificatechain.pem
{{- if .rootCerts.secretName }}
graphdb.raft.security.rootCerts=/opt/graphdb/home/conf/root-certs.pem
{{- end }}
{{- end }}
{{- end }}
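Review bot: Nothing in this hunk guards against a TLS mode other than NONE being rendered with no key material at all — every file property sits behind its own `secretName` check, so a values file that sets `mode: DEFAULT` and nothing else renders only `graphdb.raft.security.mode=DEFAULT` and the failure surfaces at server startup (values.yaml already warns the server will fail to start). A `fail` guard at the top of the `ne .mode "NONE"` branch would turn that into a `helm template`/`helm install` error with a clear message, e.g. `{{- if and (not .keystore.secretName) (not (and .privateKey.secretName .certificate.secretName)) }}` / `{{- fail "cluster.config.tls: provide keystore.secretName, or privateKey.secretName and certificate.secretName, when mode is not NONE" }}` / `{{- end }}`. Which combinations GraphDB actually accepts (keystore only, key+cert, key+chain) is not visible here, so the exact condition should be confirmed against the GraphDB cluster-properties docs before it is added. A smaller nit: the keystore and truststore are always written to `keystore.jks`/`truststore.jks` even when `keystoreType`/`truststoreType` selects another format such as PKCS12; harmless if the type property takes precedence, but worth a comment so nobody infers the format from the extension.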
34 changes: 22 additions & 12 deletions templates/graphdb/statefulset.yaml
Expand Up @@ -139,7 +139,7 @@ spec:
secretName: {{ .truststore.secretName }}
{{- end }}
{{- if .privateKey.secretName }}
- name: graphdb-privatekey-properties
- name: graphdb-private-key-properties
secret:
secretName: {{ .privateKey.secretName }}
{{- end }}
Expand All @@ -149,10 +149,15 @@ spec:
secretName: {{ .certificate.secretName }}
{{- end }}
{{- if .certificateChain.secretName }}
- name: graphdb-certificatechain-properties
- name: graphdb-certificate-chain-properties
secret:
secretName: {{ .certificateChain.secretName }}
{{- end }}
{{- if .rootCerts.secretName }}
- name: graphdb-root-certs-properties
secret:
secretName: {{ .rootCerts.secretName }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.extraVolumes }}
Expand Down Expand Up @@ -365,9 +370,6 @@ spec:
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
env:
{{- with .Values.extraEnv }}
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
{{- with .Values.cluster.config.tls }}
{{- if ne .mode "NONE" }}
{{- if .keystore.secretName }}
Expand All @@ -389,10 +391,13 @@ spec:
valueFrom:
secretKeyRef:
name: {{ .privateKey.secretName }}
key: {{ .privateKey.privatekeyPasswordKey }}
key: {{ .privateKey.privateKeyPasswordKey }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.extraEnv }}
{{- tpl (toYaml .) $ | nindent 12 }}
{{- end }}
volumeMounts:
- name: {{ .Values.persistence.volumeClaimTemplate.name }}
mountPath: /opt/graphdb/home
Expand Down Expand Up @@ -425,20 +430,25 @@ spec:
subPath: {{ .truststore.truststoreKey }}
{{- end }}
{{- if .privateKey.secretName }}
- name: graphdb-privatekey-properties
mountPath: /opt/graphdb/home/conf/privatekey.pem
subPath: {{ .privateKey.privatekeyKey }}
- name: graphdb-private-key-properties
mountPath: /opt/graphdb/home/conf/private-key.pem
subPath: {{ .privateKey.privateKeyKey }}
{{- end }}
{{- if .certificate.secretName }}
- name: graphdb-certificate-properties
mountPath: /opt/graphdb/home/conf/certificate.pem
subPath: {{ .certificate.secretName }}
subPath: {{ .certificate.certificateKey }}
{{- end }}
{{- if .certificateChain.secretName }}
- name: graphdb-certificatechain-properties
mountPath: /opt/graphdb/home/conf/certificatechain.pem
- name: graphdb-certificate-chain-properties
mountPath: /opt/graphdb/home/conf/certificate-chain.pem
subPath: {{ .certificateChain.certificateChainKey }}
{{- end }}
{{- if .rootCerts.secretName }}
- name: graphdb-root-certs-properties
mountPath: /opt/graphdb/home/conf/root-certs.pem
subPath: {{ .rootCerts.rootCertsKey }}
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.extraVolumeMounts }}
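Review bot: The renamed `graphdb-private-key-properties` secret volume (and the keystore volume it sits next to) is declared without `defaultMode`, so the PEM private key is projected with the Kubernetes default of 0644 and is readable by every user in the container — notable for a long-lived key whose password is also handed to the process via an env var in the second hunk. Adding `defaultMode: 0400` under `secret:` for the private-key and keystore volumes (0440 if the container relies on `fsGroup` for access; the pod securityContext is outside this hunk) limits that exposure. Separately, the certificate, chain, private-key and root-cert files are all mounted with `subPath`, and subPath mounts are not refreshed when the backing Secret changes, so rotating a cert or key needs a pod rollout; that caveat belongs next to these fields in values.yaml. The enclosing container spec starts and ends outside the hunk.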
25 changes: 21 additions & 4 deletions values.yaml
Expand Up @@ -350,19 +350,23 @@ cluster:
# TLS
# TLS encryption will be enforced for the cluster communication.
# TLS assets need to be provided and If not properly configured the server will fail to start!
# Most of the possible properties can be seen from the official tomcat connector documentation without
# the graphdb.raft.security prefix.
# Tomcat docs: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_Certificate
# Official GraphDB docs: https://graphdb.ontotext.com/documentation/10.7/directories-and-config-properties.html#cluster-properties
mode: DEFAULT
privateKey:
# The value is processed as a helm template
secretName: ""
# Key in the existing Secret that holds the private key value
privatekeyKey: ""
privateKeyKey: ""
# Key in the existing Secret that holds the private key password
privatekeyPasswordKey: ""
privateKeyPasswordKey: ""
certificate:
# The value is processed as a helm template
secretName: ""
# Key in the existing Secret that holds the certificate value
secretKey: ""
certificateKey: ""
certificateChain:
# The value is processed as a helm template
secretName:
Expand All @@ -377,14 +381,27 @@ cluster:
keystorePasswordKey: ""
# Alias of the certificate inside the keystore
keyAlias: ""
# If not explicitly defined, it will be created.
keystoreProvider: ""
# If not explicitly defined, it will be created.
keystoreType: ""
truststore:
# The value is processed as a helm template
# If the secret name is not specified the default java trust store will be used
secretName: ""
# Key in the existing Secret that holds the trust store value
truststoreKey: ""
# Key in the existing Secret that holds the trust store password value
truststorePasswordKey: ""
# If not explicitly defined, it will be created.
truststoreProvider: ""
# If not explicitly defined, it will be created.
truststoreType: ""
# Specifies the root certificates that the system should trust when establishing security connections.
rootCerts:
# The value is processed as a helm template
secretName: ""
# Key in the existing Secret that holds the root certs value
rootCertsKey: ""

# Configurations for the cluster automation Jobs.
# Note that there are common configurations under jobs.<> as well.
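Review bot: The comment `# If not explicitly defined, it will be created.` on `keystoreProvider`, `keystoreType`, `truststoreProvider` and `truststoreType` is misleading — nothing is created; the config map simply omits the corresponding `graphdb.raft.security.*` property and the runtime's own default applies. Suggested wording for each pair: `# Optional. Java KeyStore provider / type (e.g. JKS, PKCS12); when empty the property is omitted and the runtime default is used.` The `rootCerts` comment should also state the expected format — the mount is a single file at `/opt/graphdb/home/conf/root-certs.pem`, so the Secret key presumably holds a PEM bundle — and that, like the other TLS assets, it is mounted via subPath and is only picked up on pod restart. Note too that `certificateChain.secretName:` (context line just above the second hunk) is left bare, which YAML reads as null, while every sibling uses `""`; aligning it to `""` keeps the values schema consistent.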

0 comments on commit 3ea29cb

Please sign in to comment.