diff --git a/CHANGELOG.md b/CHANGELOG.md
index 0d36d802..27e82b1b 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,6 +8,20 @@
 - Added `license.mountPath` to configure where the license volume is mounted
 - Added `license.optional` to configure the license volume as optional if needed
 - Added `license.readOnly` to configure the read/write mode of the license volume mount
+- Added new configuration properties for GraphDB Tomcat connector SSL/TLS
+ - Added `configuration.tls.keystore` to configure a keystore with its properties
+ - Added `configuration.tls.truststore` to configure a truststore with its properties
+ - Added `configuration.tls.certificateRevocationList` to configure a certificate revocation list
+- Added new configuration properties for configuring GraphDB cluster security (SSL/TLS)
+ - Added `cluster.tls.mode` to configure cluster security mode
+ - Added `cluster.tls.keystore` to configure a keystore with its properties
+ - Added `cluster.tls.truststore` to configure a truststore with its properties
+ - Added `cluster.tls.certificate` to configure a certificate
+ - Added `cluster.tls.certificateChain` to configure a certificate chain
+ - Added `cluster.tls.certificateKey` to configure a private key with its properties
+ - Added `cluster.tls.rootCerts` to configure root certificates to be trusted
+ - Added `cluster.tls.certificateRevocationList` to configure a certificate revocation list
+- Updated jobs and scripts to use `https` or `http` depending on whether the Tomcat connector security is configured
 ### Updated
@@ -16,6 +30,11 @@
 mount. This allows kubelet to update the license when the Secret has been updated.
 - Changed the license volume mount as read-only by default with `license.readOnly`
+### Fixed
+
+- Removed the `quotes` tag from graphdb and proxy `configmap-properties` and `secret-properties` templates
+ which caused invalid rendering of extra properties.
+
 ## Version 11.2.2
 ### New
@@ -56,7 +75,7 @@
 ### Improvement
 - Added GraphDB configuration examples
-- Added GraphDB security configration examples
+- Added GraphDB security configuration examples
 ## Version 11.1.4
diff --git a/README.md b/README.md
index 115618c0..b39de19e 100644
--- a/README.md
+++ b/README.md
@@ -335,6 +335,30 @@ IMPORTANT: This is generated by helm-docs, do not attempt modifying it on hand a
 | cluster.jobs.createCluster.enabled | bool | `true` | |
 | cluster.jobs.patchCluster.enabled | bool | `true` | |
 | cluster.jobs.scaleCluster.enabled | bool | `true` | |
+| cluster.tls.certificate.certificateKey | string | `"certificate.pem"` | |
+| cluster.tls.certificate.existingSecret | string | `""` | |
+| cluster.tls.certificateChain.certificateChainKey | string | `"certChain.pem"` | |
+| cluster.tls.certificateChain.existingSecret | string | `""` | |
+| cluster.tls.certificateKey.existingSecret | string | `""` | |
+| cluster.tls.certificateKey.privateKeyKey | string | `"privatekey.pem"` | |
+| cluster.tls.certificateKey.privateKeyPasswordKey | string | `"privatekey_password"` | |
+| cluster.tls.certificateRevocationList.certificateRevocationListKey | string | `"crl.pem"` | |
+| cluster.tls.certificateRevocationList.existingSecret | string | `""` | |
+| cluster.tls.keystore.existingSecret | string | `""` | |
+| cluster.tls.keystore.keyAlias | string | `"graphdb"` | |
+| cluster.tls.keystore.keystoreKey | string | `"keystore.jks"` | |
+| cluster.tls.keystore.keystorePasswordKey | string | `"keystore_password"` | |
+| cluster.tls.keystore.keystoreProvider | string | `"SUN"` | |
+| cluster.tls.keystore.keystoreType | string | `"JKS"` | |
+| cluster.tls.mode | string | `"DEFAULT"` | |
+| cluster.tls.mountPath | string | `"/etc/graphdb/tls/grpc/"` | |
+| cluster.tls.rootCerts.existingSecret | string | `""` | |
+| cluster.tls.rootCerts.rootCertsKey | string | `"rootCerts.pem"` | |
+| cluster.tls.truststore.existingSecret | string | `""` | |
+| cluster.tls.truststore.truststoreKey | string | `"truststore.jks"` | |
+| cluster.tls.truststore.truststorePasswordKey | string | `"truststore_password"` | |
+| cluster.tls.truststore.truststoreProvider | string | `"SUN"` | |
+| cluster.tls.truststore.truststoreType | string | `"JKS"` | |
 | cluster.token.existingSecret | string | `""` | |
 | cluster.token.secret | string | `"s3cr37"` | |
 | cluster.token.secretKey | string | `""` | |
@@ -352,6 +376,20 @@ IMPORTANT: This is generated by helm-docs, do not attempt modifying it on hand a
 | configuration.logback.existingConfigmap | string | `""` | |
 | configuration.properties | object | `{}` | |
 | configuration.secretProperties | object | `{}` | |
+| configuration.tls.certificateRevocationList.certificateRevocationListKey | string | `"crl.pem"` | |
+| configuration.tls.certificateRevocationList.existingSecret | string | `""` | |
+| configuration.tls.keystore.existingSecret | string | `""` | |
+| configuration.tls.keystore.keyAlias | string | `"graphdb"` | |
+| configuration.tls.keystore.keystoreKey | string | `"keystore.jks"` | |
+| configuration.tls.keystore.keystorePasswordKey | string | `"keystore_password"` | |
+| configuration.tls.keystore.keystoreProvider | string | `"SUN"` | |
+| configuration.tls.keystore.keystoreType | string | `"JKS"` | |
+| configuration.tls.mountPath | string | `"/etc/graphdb/tls/tomcat/"` | |
+| configuration.tls.truststore.existingSecret | string | `""` | |
+| configuration.tls.truststore.truststoreKey | string | `"truststore.jks"` | |
+| configuration.tls.truststore.truststorePasswordKey | string | `"truststore_password"` | |
+| configuration.tls.truststore.truststoreProvider | string | `"SUN"` | |
+| configuration.tls.truststore.truststoreType | string | `"JKS"` | |
 | containerPorts.http | int | `7200` | |
 | containerPorts.rpc | int | `7300` | |
 | dnsConfig | object | `{}` | |
diff --git a/files/scripts/graphdb.sh b/files/scripts/graphdb.sh
index c7a1caf0..e58f8341 100755
--- a/files/scripts/graphdb.sh
+++ b/files/scripts/graphdb.sh
@@ -21,12 +21,12 @@ function createCluster {
 echo "Creating cluster"
 response=$(mktemp)
- curl -o "$response" -isSL -m "${timeout}" -X POST \
+ curl -k -o "$response" -isSL -m "${timeout}" -X POST \
 -d @"$configLocation" \
 --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
 --header 'Content-Type: application/json' \
 --header 'Accept: */*' \
- "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/cluster/config"
+ "${GRAPHDB_PROTOCOL}://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/cluster/config"
 if grep -q 'HTTP/1.1 201' "$response"; then
 echo "Cluster creation successful!"
@@ -47,7 +47,7 @@ function waitService {
 local max_attempts=100
 echo "Waiting for ${address}"
- until curl --output /dev/null -fsSL -m 5 -H "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" --silent --fail "${address}"; do
+ until curl -k --output /dev/null -fsSL -m 5 -H "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" --silent --fail "${address}"; do
 if [[ ${attempt_counter} -eq ${max_attempts} ]];then
 echo "Max attempts reached"
 exit 1
@@ -65,7 +65,7 @@ function waitAllNodes {
 for (( c=node_count; c>0; c )) do
 c=$((c-1))
- waitService "http://${GRAPHDB_POD_NAME}-$c.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/repositories"
+ waitService "${GRAPHDB_PROTOCOL}://${GRAPHDB_POD_NAME}-$c.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/repositories"
 done
 }
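Review bot: The `-k` added to curl in createCluster (and in waitService, waitAllNodes, createRepositoryFromFile, cloudBackup and localBackup below, plus every curl in update-cluster.sh) disables server certificate verification, so the HTTPS the commit introduces through `${GRAPHDB_PROTOCOL}` no longer authenticates the node the job talks to, and the basic-auth token in the Authorization header is sent to whatever answers on that address. The jobs could instead mount an operator-provided CA bundle and pass `--cacert "${GRAPHDB_CA_FILE}"`; if an insecure mode is wanted for self-signed setups, make it opt-in, e.g. `curl_tls_opts=(); [[ "${GRAPHDB_TLS_INSECURE:-false}" == "true" ]] && curl_tls_opts+=(-k)` and use `"${curl_tls_opts[@]}"` in each call (both variable names are placeholders). At minimum a comment next to the first `-k` should state that verification is intentionally disabled and why. The createCluster body continues outside the hunk.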
@@ -83,11 +83,11 @@ function createRepositoryFromFile {
 echo "Provisioning repository ${repositoryName}"
 response=$(
- curl -X POST --connect-timeout 60 --retry 3 --retry-all-errors --retry-delay 10 \
+ curl -k -X POST --connect-timeout 60 --retry 3 --retry-all-errors --retry-delay 10 \
 -F config=@"$(unknown)" \
 -H "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
 -H 'Content-Type: multipart/form-data' \
- "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/repositories"
+ "${GRAPHDB_PROTOCOL}://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/repositories"
 )
 if [ -z "$response" ]; then
@@ -135,7 +135,7 @@ function cloudBackup {
 local response=
 local response_status
 response=$(mktemp)
- response_status=$(curl -X POST \
+ response_status=$(curl -k -X POST \
 -isSL \
 -o "${response}" \
 -w "Status=%{response_code}" \
@@ -143,7 +143,7 @@ function cloudBackup {
 --header 'Content-Type: application/json' \
 --header 'Accept: application/json' \
 --data-binary "${backup_options}" \
- --url "http://${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/recovery/cloud-backup")
+ --url "${GRAPHDB_PROTOCOL}://${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/recovery/cloud-backup")
 if ! echo "${response_status}" | grep -q 'Status=200' ; then
 log "ERROR: Backup ${BACKUP_NAME} creation failed, response: ${response_status}"
@@ -168,7 +168,7 @@ function localBackup() {
 log "Creating local backup ${backup_path}"
 local response
- response=$(curl -X POST \
+ response=$(curl -k -X POST \
 -sSL \
 -o "${backup_path}" \
 -w "Status=%{response_code}" \
@@ -176,7 +176,7 @@ function localBackup() {
 --header 'Content-Type: application/json' \
 --header 'Accept: application/json' \
 --data-binary "${backup_options}" \
- --url "http://${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/recovery/backup")
+ --url "${GRAPHDB_PROTOCOL}://${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/recovery/backup")
 if ! echo "${response}" | grep -q 'Status=200' ; then
 log "ERROR: Backup ${BACKUP_NAME} creation failed, response: ${response}"
diff --git a/files/scripts/update-cluster.sh b/files/scripts/update-cluster.sh
index c21283eb..a0efaa8d 100644
--- a/files/scripts/update-cluster.sh
+++ b/files/scripts/update-cluster.sh
@@ -9,16 +9,16 @@ function patchCluster {
 local timeout=$2
 local response
- waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready"
+ waitService "${GRAPHDB_PROTOCOL}://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready"
 echo "Patching cluster"
 response=$(mktemp)
- curl -o "$response" -isSL -m "$timeout" -X PATCH \
+ curl -k -o "$response" -isSL -m "$timeout" -X PATCH \
 --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
 --header 'Content-Type: application/json' \
 --header 'Accept: application/json' \
 -d @"$configLocation" \
- "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config"
+ "${GRAPHDB_PROTOCOL}://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config"
 if grep -q 'HTTP/1.1 200' "$response"; then
 echo "Patch successful"
@@ -65,16 +65,16 @@ function removeNodes {
 done
 nodes=\{\"nodes\":\[${nodes}\]\}
- waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready"
+ waitService "${GRAPHDB_PROTOCOL}://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready"
 echo "Scaling the cluster down"
 response=$(mktemp)
- curl -o "$response" -isSL -m 15 -X DELETE \
+ curl -k -o "$response" -isSL -m 15 -X DELETE \
 --header 'Content-Type: application/json' \
 --header 'Accept: application/json' \
 --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
 -d "${nodes}" \
- "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config/node"
+ "${GRAPHDB_PROTOCOL}://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config/node"
 if grep -q 'HTTP/1.1 200' "$response"; then
 echo "Scaling down successful."
@@ -113,16 +113,16 @@ function addNodes {
 done
 nodes=\{\"nodes\":\[${nodes}\]\}
- waitService "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready"
+ waitService "${GRAPHDB_PROTOCOL}://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/proxy/ready"
 echo "Scaling the cluster up"
 response=$(mktemp)
- curl -o "$response" -isSL -m "${timeout}" -X POST \
+ curl -k -o "$response" -isSL -m "${timeout}" -X POST \
 --header 'Content-Type: application/json' \
 --header 'Accept: application/json' \
 --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
 -d "${nodes}" \
- "http://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config/node"
+ "${GRAPHDB_PROTOCOL}://${GRAPHDB_PROXY_SERVICE_NAME}:${GRAPHDB_PROXY_SERVICE_PORT}/rest/cluster/config/node"
 if grep -q 'HTTP/1.1 200' "$response"; then
 echo "Scaling successful."
@@ -141,14 +141,14 @@ function addNodes {
 }
 function deleteCluster {
- waitService "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/repositories"
+ waitService "${GRAPHDB_PROTOCOL}://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/repositories"
 local response
 response=$(mktemp)
- curl -o "$response" -isSL -m 15 -X DELETE \
+ curl -k -o "$response" -isSL -m 15 -X DELETE \
 --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
 --header 'Accept: */*' \
- "http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/cluster/config?force=false"
+ "${GRAPHDB_PROTOCOL}://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}/rest/cluster/config?force=false"
 if grep -q 'HTTP/1.1 200' "$response"; then
 echo "Cluster deletion successful!"
@@ -163,13 +163,13 @@ function deleteCluster {
 }
 function getNodeCountInCurrentCluster {
- local node_address="http://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}"
+ local node_address="${GRAPHDB_PROTOCOL}://${GRAPHDB_POD_NAME}-0.${GRAPHDB_SERVICE_NAME}:${GRAPHDB_SERVICE_PORT}"
 waitService "${node_address}/rest/repositories"
 local response
 response=$(mktemp)
- curl -o "$response" -isSL -m 15 -X GET \
+ curl -k -o "$response" -isSL -m 15 -X GET \
 --header 'Content-Type: application/json' \
 --header "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" \
 --header 'Accept: */*' \
@@ -183,7 +183,7 @@ function waitService {
 local attempt_counter=0
 local max_attempts=100
- until curl --output /dev/null -fsSL -m 5 -H "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" --silent --fail "${address}"; do
+ until curl -k --output /dev/null -fsSL -m 5 -H "Authorization: Basic ${GRAPHDB_AUTH_TOKEN}" --silent --fail "${address}"; do
 if [[ ${attempt_counter} -eq ${max_attempts} ]]; then
 echo "Max attempts reached"
 exit 1
diff --git a/templates/_helpers.tpl b/templates/_helpers.tpl
index d55768e1..3cd84931 100644
--- a/templates/_helpers.tpl
+++ b/templates/_helpers.tpl
@@ -32,6 +32,13 @@ Renders the external URL for GraphDB.
 {{- tpl .Values.configuration.externalUrl . -}}
 {{- end -}}
+{{/*
+Render the protocol of the Tomcat connector.
+*/}}
+{{- define "graphdb.tomcat.protocol" -}}
+{{- ternary "http" "https" (eq (.Values.configuration.tls.keystore.existingSecret | default "" | trim) "") -}}
+{{- end -}}
+
 {{/*
 Renders the gRPC address of each GraphDB node that is part of the cluster as a JSON array. Used in the cluster JSON config.
 */}}
@@ -57,8 +64,9 @@ Renders the HTTP address of each GraphDB node that is part of the cluster, joine
 {{- $namespace := include "graphdb.namespace" . -}}
 {{- $cluster_domain := .Values.global.clusterDomain -}}
 {{- $service_http_port := .Values.headlessService.ports.http -}}
+ {{- $protocol := include "graphdb.tomcat.protocol" . }}
 {{- range $i, $node_index := until (int .Values.replicas) -}}
- http://{{ $pod_name }}-{{ $node_index }}.{{ $service_name }}.{{ $namespace }}.svc.{{ $cluster_domain }}:{{ $service_http_port }}
+ {{ $protocol }}://{{ $pod_name }}-{{ $node_index }}.{{ $service_name }}.{{ $namespace }}.svc.{{ $cluster_domain }}:{{ $service_http_port }}
 {{- if gt (sub (int $.Values.replicas) 1) $node_index -}}
 {{- ", " -}}
 {{- end -}}
diff --git a/templates/graphdb/configmap-properties.yaml b/templates/graphdb/configmap-properties.yaml
index f7ba9104..3500a914 100644
--- a/templates/graphdb/configmap-properties.yaml
+++ b/templates/graphdb/configmap-properties.yaml
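Review bot: `graphdb.tomcat.protocol` derives the scheme from `configuration.tls.keystore.existingSecret` after `default "" | trim`, while the configmap templates in this commit switch `graphdb.connector.SSLEnabled=true` on plain truthiness of the same value, so a whitespace-only value would render the connector as HTTPS but hand the jobs `GRAPHDB_PROTOCOL=http`. Using one test in both places, for example having the templates check `{{- if eq (include "graphdb.tomcat.protocol" .) "https" }}`, keeps the two from drifting. The helper's comment should record the contract it implements, e.g. `Render the protocol of the Tomcat connector: "https" when configuration.tls.keystore.existingSecret is set, otherwise "http". Keep in sync with the SSLEnabled condition in configmap-properties.yaml.` In the second hunk the `$protocol` assignment is the only action in that block without a trailing `-}}`; the following `{{- range` trims the newline so it is harmless, but aligning it with its neighbours avoids a surprise if the range line is ever edited.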
@@ -22,11 +22,65 @@ data:
 {{- if eq (int .Values.replicas) 1}}
 graphdb.external-url={{ include "graphdb.external-url" . }}
 {{- end }}
+ {{- if .Values.configuration.tls.keystore.existingSecret }}
+ # Tomcat keystore configurations
+ graphdb.connector.SSLEnabled=true
+ graphdb.connector.scheme=https
+ graphdb.connector.secure=true
+ graphdb.connector.keystoreFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/{{ .Values.configuration.tls.keystore.keystoreKey }}
+ graphdb.connector.keyAlias={{ .Values.configuration.tls.keystore.keyAlias }}
+ graphdb.connector.keystoreProvider={{ .Values.configuration.tls.keystore.keystoreProvider }}
+ graphdb.connector.keystoreType={{ .Values.configuration.tls.keystore.keystoreType }}
+ graphdb.connector.keystorePass@file={{ .Values.configuration.tls.keystore.keystorePasswordKey }}
+ {{- end }}
+ {{- if .Values.configuration.tls.truststore.existingSecret }}
+ # Tomcat truststore configurations
+ graphdb.connector.truststoreFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/{{ .Values.configuration.tls.truststore.truststoreKey }}
+ graphdb.connector.truststoreProvider={{ .Values.configuration.tls.truststore.truststoreProvider }}
+ graphdb.connector.truststoreType={{ .Values.configuration.tls.truststore.truststoreType }}
+ graphdb.connector.truststorePass@file={{ .Values.configuration.tls.truststore.truststorePasswordKey }}
+ {{- end }}
+ {{- if .Values.configuration.tls.certificateRevocationList.existingSecret}}
+ # Tomcat truststore CRL
+ graphdb.connector.certificateRevocationListFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/{{ .Values.configuration.tls.certificateRevocationList.certificateRevocationListKey }}
+ {{- end }}
+ graphdb.raft.security.mode={{ .Values.cluster.tls.mode }}
+ {{- if .Values.cluster.tls.keystore.existingSecret }}
+ # Cluster gRPC TLS keystore configurations
+ graphdb.raft.security.keystoreFile={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.keystore.keystoreKey }}
+ graphdb.raft.security.keyAlias={{ .Values.cluster.tls.keystore.keyAlias }}
+ graphdb.raft.security.keystoreProvider={{ .Values.cluster.tls.keystore.keystoreProvider }}
+ graphdb.raft.security.keystoreType={{ .Values.cluster.tls.keystore.keystoreType }}
+ graphdb.raft.security.keystorePass@file={{ .Values.cluster.tls.keystore.keystorePasswordKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.truststore.existingSecret }}
+ # Cluster gRPC TLS truststore configurations
+ graphdb.raft.security.truststoreFile={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.truststore.truststoreKey }}
+ graphdb.raft.security.truststoreProvider={{ .Values.cluster.tls.truststore.truststoreProvider }}
+ graphdb.raft.security.truststoreType={{ .Values.cluster.tls.truststore.truststoreType }}
+ graphdb.raft.security.truststorePass@file={{ .Values.cluster.tls.truststore.truststorePasswordKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.certificateKey.existingSecret }}
+ graphdb.raft.security.certificateKeyFile={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.certificateKey.privateKeyKey }}
+ graphdb.raft.security.certificateKeyPassword@file={{ .Values.cluster.tls.certificateKey.privateKeyPasswordKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.certificate.existingSecret }}
+ graphdb.raft.security.certificateFile={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.certificate.certificateKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.certificateChain.existingSecret }}
+ graphdb.raft.security.certificateChainFile={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.certificateChain.certificateChainKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.rootCerts.existingSecret }}
+ graphdb.raft.security.rootCerts={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.rootCerts.rootCertsKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.certificateRevocationList.existingSecret }}
+ graphdb.raft.security.certificateRevocationListFile={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.certificateRevocationList.certificateRevocationListKey }}
+ {{- end }}
 {{- if .Values.configuration.properties }}
 ##### Overrides from values.yaml #####
 {{- range $key, $val := .Values.configuration.properties -}}
 {{- if ne $val nil }}
- {{ $key }}={{ tpl ($val | toString) $ | quote }}
+ {{ $key }}={{ tpl ($val | toString) $ }}
 {{- end }}
 {{- end -}}
 {{- end -}}
diff --git a/templates/graphdb/secret-properties.yaml b/templates/graphdb/secret-properties.yaml
index 54e13ba5..444ef0ed 100644
--- a/templates/graphdb/secret-properties.yaml
+++ b/templates/graphdb/secret-properties.yaml
@@ -20,7 +20,7 @@ stringData:
 ##### Secrets overrides from values.yaml #####
 {{- range $key, $val := .Values.configuration.secretProperties -}}
 {{- if ne $val nil }}
- {{ $key }}={{ tpl ($val | toString) $ | quote }}
+ {{ $key }}={{ tpl ($val | toString) $ }}
 {{- end }}
 {{- end -}}
 {{- end -}}
diff --git a/templates/graphdb/statefulset.yaml b/templates/graphdb/statefulset.yaml
index 3aca1d86..e4fe9c53 100644
--- a/templates/graphdb/statefulset.yaml
+++ b/templates/graphdb/statefulset.yaml
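Review bot: The five `@file` properties in this hunk (`graphdb.connector.keystorePass@file`, `graphdb.connector.truststorePass@file`, `graphdb.raft.security.keystorePass@file`, `graphdb.raft.security.truststorePass@file`, `graphdb.raft.security.certificateKeyPassword@file`) are rendered with the bare Secret key name, whereas every neighbouring `*File` property is prefixed with the matching `mountPath | trimSuffix "/"`. If GraphDB resolves an `@file` value as a filesystem path — which the suffix suggests but the hunk does not prove — these point at a relative path instead of the projected file and the password is never read; prefixing them the same way, e.g. `graphdb.connector.keystorePass@file={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/{{ .Values.configuration.tls.keystore.keystorePasswordKey }}`, makes the block self-consistent either way. The identical block in templates/proxy/configmap-properties.yaml has the same five lines. A short comment above the block stating that the Tomcat settings are emitted only when a keystore Secret is configured while `graphdb.raft.security.mode` is always emitted would help a reader who lands here first.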
@@ -127,6 +127,93 @@ spec:
 secret:
 secretName: {{ (tpl .Values.security.initialUsers.existingSecret .) | default (include "graphdb.fullname.secret.initial-users" .) }}
 {{- end }}
+ - name: graphdb-tomcat-tls
+ projected:
+ defaultMode: 400
+ sources:
+ {{- if .Values.configuration.tls.keystore.existingSecret }}
+ - secret:
+ name: {{ tpl .Values.configuration.tls.keystore.existingSecret . }}
+ items:
+ - key: {{ .Values.configuration.tls.keystore.keystoreKey }}
+ path: {{ .Values.configuration.tls.keystore.keystoreKey }}
+ - key: {{ .Values.configuration.tls.keystore.keystorePasswordKey }}
+ path: {{ .Values.configuration.tls.keystore.keystorePasswordKey }}
+ {{- end }}
+ {{- if .Values.configuration.tls.truststore.existingSecret }}
+ - secret:
+ name: {{ tpl .Values.configuration.tls.truststore.existingSecret . }}
+ items:
+ - key: {{ .Values.configuration.tls.truststore.truststoreKey }}
+ path: {{ .Values.configuration.tls.truststore.truststoreKey }}
+ - key: {{ .Values.configuration.tls.truststore.truststorePasswordKey }}
+ path: {{ .Values.configuration.tls.truststore.truststorePasswordKey }}
+ {{- end }}
+ {{- if .Values.configuration.tls.certificateRevocationList.existingSecret }}
+ - secret:
+ name: {{ tpl .Values.configuration.tls.certificateRevocationList.existingSecret . }}
+ items:
+ - key: {{ .Values.configuration.tls.certificateRevocationList.certificateRevocationListKey }}
+ path: {{ .Values.configuration.tls.certificateRevocationList.certificateRevocationListKey }}
+ {{- end }}
+ - name: graphdb-grpc-tls
+ projected:
+ sources:
+ {{- if .Values.cluster.tls.keystore.existingSecret }}
+ - secret:
+ name: {{ tpl .Values.cluster.tls.keystore.existingSecret . }}
+ items:
+ - key: {{ .Values.cluster.tls.keystore.keystoreKey }}
+ path: {{ .Values.cluster.tls.keystore.keystoreKey }}
+ - key: {{ .Values.cluster.tls.keystore.keystorePasswordKey }}
+ path: {{ .Values.cluster.tls.keystore.keystorePasswordKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.truststore.existingSecret }}
+ - secret:
+ name: {{ tpl .Values.cluster.tls.truststore.existingSecret . }}
+ items:
+ - key: {{ .Values.cluster.tls.truststore.truststoreKey }}
+ path: {{ .Values.cluster.tls.truststore.truststoreKey }}
+ - key: {{ .Values.cluster.tls.truststore.truststorePasswordKey }}
+ path: {{ .Values.cluster.tls.truststore.truststorePasswordKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.certificateKey.existingSecret }}
+ - secret:
+ name: {{ tpl .Values.cluster.tls.certificateKey.existingSecret . }}
+ items:
+ - key: {{ .Values.cluster.tls.certificateKey.privateKeyKey }}
+ path: {{ .Values.cluster.tls.certificateKey.privateKeyKey }}
+ - key: {{ .Values.cluster.tls.certificateKey.privateKeyPasswordKey }}
+ path: {{ .Values.cluster.tls.certificateKey.privateKeyPasswordKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.certificate.existingSecret }}
+ - secret:
+ name: {{ tpl .Values.cluster.tls.certificate.existingSecret . }}
+ items:
+ - key: {{ .Values.cluster.tls.certificate.certificateKey }}
+ path: {{ .Values.cluster.tls.certificate.certificateKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.certificateChain.existingSecret }}
+ - secret:
+ name: {{ tpl .Values.cluster.tls.certificateChain.existingSecret . }}
+ items:
+ - key: {{ .Values.cluster.tls.certificateChain.certificateChainKey }}
+ path: {{ .Values.cluster.tls.certificateChain.certificateChainKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.rootCerts.existingSecret }}
+ - secret:
+ name: {{ tpl .Values.cluster.tls.rootCerts.existingSecret . }}
+ items:
+ - key: {{ .Values.cluster.tls.rootCerts.rootCertsKey }}
+ path: {{ .Values.cluster.tls.rootCerts.rootCertsKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.certificateRevocationList.existingSecret }}
+ - secret:
+ name: {{ tpl .Values.cluster.tls.certificateRevocationList.existingSecret . }}
+ items:
+ - key: {{ .Values.cluster.tls.certificateRevocationList.certificateRevocationListKey }}
+ path: {{ .Values.cluster.tls.certificateRevocationList.certificateRevocationListKey }}
+ {{- end }}
 {{- with .Values.extraVolumes }}
 {{- tpl (toYaml .) $ | nindent 8 }}
 {{- end }}
@@ -359,6 +446,10 @@ spec:
 - name: {{ .Values.import.volumeMount.volumeClaimTemplate.name }}
 mountPath: /opt/graphdb/home/graphdb-import
 {{- end }}
+ - name: graphdb-tomcat-tls
+ mountPath: {{ .Values.configuration.tls.mountPath }}
+ - name: graphdb-grpc-tls
+ mountPath: {{ .Values.cluster.tls.mountPath }}
 {{- with .Values.extraVolumeMounts }}
 {{- tpl (toYaml .) $ | nindent 12 }}
 {{- end }}
diff --git a/templates/jobs/cronjob-backup.yaml b/templates/jobs/cronjob-backup.yaml
index 43d84f1b..acb9c7f6 100644
--- a/templates/jobs/cronjob-backup.yaml
+++ b/templates/jobs/cronjob-backup.yaml
@@ -88,6 +88,8 @@ spec:
 - name: GRAPHDB_SERVICE_PORT
 value: {{ .Values.service.ports.http | quote }}
 {{- end }}
+ - name: GRAPHDB_PROTOCOL
+ value: {{ include "graphdb.tomcat.protocol" . }}
 - name: GRAPHDB_AUTH_TOKEN
 valueFrom:
 secretKeyRef:
diff --git a/templates/jobs/job-create-cluster.yaml b/templates/jobs/job-create-cluster.yaml
index ca4a5ccc..cbd6c7c9 100644
--- a/templates/jobs/job-create-cluster.yaml
+++ b/templates/jobs/job-create-cluster.yaml
@@ -71,6 +71,8 @@ spec:
 value: {{ include "graphdb.fullname.service.headless" . }}
 - name: GRAPHDB_SERVICE_PORT
 value: {{ .Values.headlessService.ports.http | quote }}
+ - name: GRAPHDB_PROTOCOL
+ value: {{ include "graphdb.tomcat.protocol" . }}
 - name: GRAPHDB_AUTH_TOKEN
 valueFrom:
 secretKeyRef:
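Review bot: `defaultMode: 400` on the graphdb-tomcat-tls projected volume is a decimal YAML integer, which Kubernetes applies as mode 0620 (owner rw, group w), not the 0400 the author evidently intended; it should read `defaultMode: 0400` (octal) or `defaultMode: 256`, and the same value appears in the proxy StatefulSet hunk of this commit. The graphdb-grpc-tls volume directly below has no `defaultMode` at all, so the gRPC keystore, private key and password files are projected with the 0644 default and are readable by any user in the container; it should carry the same `defaultMode: 0400`. Both volumes are declared unconditionally, so with default values `sources:` renders empty — presumably accepted by the API server, but worth confirming with `helm template` on an unmodified values file. The mounts hunk further down adds both mountPaths without `readOnly: true`; projected volumes are mounted read-only by kubelet anyway, but the explicit flag documents the intent the way `license.readOnly` does elsewhere in the chart.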
diff --git a/templates/jobs/job-patch-cluster.yaml b/templates/jobs/job-patch-cluster.yaml
index 80e0fe05..863683ba 100644
--- a/templates/jobs/job-patch-cluster.yaml
+++ b/templates/jobs/job-patch-cluster.yaml
@@ -75,6 +75,8 @@ spec:
 value: {{ include "graphdb-proxy.fullname" . }}
 - name: GRAPHDB_PROXY_SERVICE_PORT
 value: {{ .Values.proxy.headlessService.ports.http | quote }}
+ - name: GRAPHDB_PROTOCOL
+ value: {{ include "graphdb.tomcat.protocol" . }}
 - name: GRAPHDB_AUTH_TOKEN
 valueFrom:
 secretKeyRef:
diff --git a/templates/jobs/job-provision-repositories.yaml b/templates/jobs/job-provision-repositories.yaml
index 70e540ad..aed2469c 100644
--- a/templates/jobs/job-provision-repositories.yaml
+++ b/templates/jobs/job-provision-repositories.yaml
@@ -71,6 +71,8 @@ spec:
 value: {{ include "graphdb.fullname.service.headless" . }}
 - name: GRAPHDB_SERVICE_PORT
 value: {{ .Values.headlessService.ports.http | quote }}
+ - name: GRAPHDB_PROTOCOL
+ value: {{ include "graphdb.tomcat.protocol" . }}
 - name: GRAPHDB_AUTH_TOKEN
 valueFrom:
 secretKeyRef:
diff --git a/templates/jobs/job-scale-down-cluster.yaml b/templates/jobs/job-scale-down-cluster.yaml
index 623be45b..e074ad5e 100644
--- a/templates/jobs/job-scale-down-cluster.yaml
+++ b/templates/jobs/job-scale-down-cluster.yaml
@@ -73,6 +73,8 @@ spec:
 value: {{ include "graphdb-proxy.fullname" . }}
 - name: GRAPHDB_PROXY_SERVICE_PORT
 value: {{ .Values.proxy.headlessService.ports.http | quote }}
+ - name: GRAPHDB_PROTOCOL
+ value: {{ include "graphdb.tomcat.protocol" . }}
 - name: GRAPHDB_AUTH_TOKEN
 valueFrom:
 secretKeyRef:
diff --git a/templates/jobs/job-scale-up-cluster.yaml b/templates/jobs/job-scale-up-cluster.yaml
index b7770230..199a6218 100644
--- a/templates/jobs/job-scale-up-cluster.yaml
+++ b/templates/jobs/job-scale-up-cluster.yaml
@@ -74,6 +74,8 @@ spec:
 value: {{ include "graphdb-proxy.fullname" . }}
 - name: GRAPHDB_PROXY_SERVICE_PORT
 value: {{ .Values.proxy.headlessService.ports.http | quote }}
+ - name: GRAPHDB_PROTOCOL
+ value: {{ include "graphdb.tomcat.protocol" . }}
 - name: GRAPHDB_AUTH_TOKEN
 valueFrom:
 secretKeyRef:
diff --git a/templates/proxy/configmap-properties.yaml b/templates/proxy/configmap-properties.yaml
index 8f572855..126c8aa6 100644
--- a/templates/proxy/configmap-properties.yaml
+++ b/templates/proxy/configmap-properties.yaml
@@ -16,11 +16,65 @@ data:
 # See https://graphdb.ontotext.com/documentation/ for supported properties
 graphdb.connector.port={{ .Values.proxy.containerPorts.http }}
 graphdb.proxy.hosts={{ include "graphdb-proxy.cluster.nodes" . }}
+ {{- if .Values.configuration.tls.keystore.existingSecret }}
+ # Tomcat keystore configurations
+ graphdb.connector.SSLEnabled=true
+ graphdb.connector.scheme=https
+ graphdb.connector.secure=true
+ graphdb.connector.keystoreFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/{{ .Values.configuration.tls.keystore.keystoreKey }}
+ graphdb.connector.keyAlias={{ .Values.configuration.tls.keystore.keyAlias }}
+ graphdb.connector.keystoreProvider={{ .Values.configuration.tls.keystore.keystoreProvider }}
+ graphdb.connector.keystoreType={{ .Values.configuration.tls.keystore.keystoreType }}
+ graphdb.connector.keystorePass@file={{ .Values.configuration.tls.keystore.keystorePasswordKey }}
+ {{- end }}
+ {{- if .Values.configuration.tls.truststore.existingSecret }}
+ # Tomcat truststore configurations
+ graphdb.connector.truststoreFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/{{ .Values.configuration.tls.truststore.truststoreKey }}
+ graphdb.connector.truststoreProvider={{ .Values.configuration.tls.truststore.truststoreProvider }}
+ graphdb.connector.truststoreType={{ .Values.configuration.tls.truststore.truststoreType }}
+ graphdb.connector.truststorePass@file={{ .Values.configuration.tls.truststore.truststorePasswordKey }}
+ {{- end }}
+ {{- if .Values.configuration.tls.certificateRevocationList.existingSecret}}
+ # Tomcat truststore CRL
+ graphdb.connector.certificateRevocationListFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/{{ .Values.configuration.tls.certificateRevocationList.certificateRevocationListKey }}
+ {{- end }}
+ graphdb.raft.security.mode={{ .Values.cluster.tls.mode }}
+ {{- if .Values.cluster.tls.keystore.existingSecret }}
+ # Cluster gRPC TLS keystore configurations
+ graphdb.raft.security.keystoreFile={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.keystore.keystoreKey }}
+ graphdb.raft.security.keyAlias={{ .Values.cluster.tls.keystore.keyAlias }}
+ graphdb.raft.security.keystoreProvider={{ .Values.cluster.tls.keystore.keystoreProvider }}
+ graphdb.raft.security.keystoreType={{ .Values.cluster.tls.keystore.keystoreType }}
+ graphdb.raft.security.keystorePass@file={{ .Values.cluster.tls.keystore.keystorePasswordKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.truststore.existingSecret }}
+ # Cluster gRPC TLS truststore configurations
+ graphdb.raft.security.truststoreFile={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.truststore.truststoreKey }}
+ graphdb.raft.security.truststoreProvider={{ .Values.cluster.tls.truststore.truststoreProvider }}
+ graphdb.raft.security.truststoreType={{ .Values.cluster.tls.truststore.truststoreType }}
+ graphdb.raft.security.truststorePass@file={{ .Values.cluster.tls.truststore.truststorePasswordKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.certificateKey.existingSecret }}
+ graphdb.raft.security.certificateKeyFile={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.certificateKey.privateKeyKey }}
+ graphdb.raft.security.certificateKeyPassword@file={{ .Values.cluster.tls.certificateKey.privateKeyPasswordKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.certificate.existingSecret }}
+ graphdb.raft.security.certificateFile={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.certificate.certificateKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.certificateChain.existingSecret }}
+ graphdb.raft.security.certificateChainFile={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.certificateChain.certificateChainKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.rootCerts.existingSecret }}
+ graphdb.raft.security.rootCerts={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.rootCerts.rootCertsKey }}
+ {{- end }}
+ {{- if .Values.cluster.tls.certificateRevocationList.existingSecret }}
+ graphdb.raft.security.certificateRevocationListFile={{ .Values.cluster.tls.mountPath | trimSuffix "/" }}/{{ .Values.cluster.tls.certificateRevocationList.certificateRevocationListKey }}
+ {{- end }}
 {{- if .Values.proxy.configuration.properties }}
 ##### Overrides from values.yaml #####
 {{- range $key, $val := .Values.proxy.configuration.properties -}}
 {{- if ne $val nil }}
- {{ $key }}={{ tpl ($val | toString) $ | quote }}
+ {{ $key }}={{ tpl ($val | toString) $ }}
 {{- end }}
 {{- end -}}
 {{- end -}}
diff --git a/templates/proxy/secret-properties.yaml b/templates/proxy/secret-properties.yaml
index f2c079c5..968f66b3 100644
--- a/templates/proxy/secret-properties.yaml
+++ b/templates/proxy/secret-properties.yaml
@@ -21,7 +21,7 @@ stringData:
 ##### Secrets overrides from values.yaml #####
 {{- range $key, $val := .Values.proxy.configuration.secretProperties -}}
 {{- if ne $val nil }}
- {{ $key }}={{ tpl ($val | toString) $ | quote }}
+ {{ $key }}={{ tpl ($val | toString) $ }}
 {{- end }}
 {{- end -}}
 {{- end -}}
diff --git a/templates/proxy/statefulset.yaml b/templates/proxy/statefulset.yaml
index 71eaf102..acfc0f4b 100644
--- a/templates/proxy/statefulset.yaml
+++ b/templates/proxy/statefulset.yaml
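Review bot: This hunk repeats, line for line, the 54-line TLS properties block the same commit adds to templates/graphdb/configmap-properties.yaml, including all of the `graphdb.raft.security.*` cluster settings; two hand-maintained copies will drift on the next change. Moving the block into a named template in _helpers.tpl (for instance `graphdb.tls.properties`, a constructed name) and rendering it in both configmaps with `{{- include "graphdb.tls.properties" . | nindent 4 }}` removes the duplication, with the `nindent` width chosen to match each file's `data:` indentation. It is also not evident from the hunk that the proxy consumes the `graphdb.raft.security.*` keys at all — if the proxy only terminates the Tomcat connector they are dead configuration here, and if it does speak gRPC to the cluster a one-line comment saying so would save the next reader the question.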
@@ -90,14 +90,101 @@ spec: secret: secretName: {{ tpl .Values.proxy.configuration.extraProperties.existingSecret . }} {{- end }} - {{- if .Values.proxy.configuration.logback.existingConfigmap }} + {{- if .Values.proxy.configuration.logback.existingConfigmap }} - name: graphdb-proxy-logback-config configMap: name: {{ tpl .Values.proxy.configuration.logback.existingConfigmap . }} - {{- end }} - {{- with .Values.proxy.extraVolumes }} - {{- tpl (toYaml .) $ | nindent 8 }} - {{- end }} + {{- end }} + - name: graphdb-tomcat-tls + projected: + defaultMode: 400 + sources: + {{- if .Values.configuration.tls.keystore.existingSecret }} + - secret: + name: {{ tpl .Values.configuration.tls.keystore.existingSecret . }} + items: + - key: {{ .Values.configuration.tls.keystore.keystoreKey }} + path: {{ .Values.configuration.tls.keystore.keystoreKey }} + - key: {{ .Values.configuration.tls.keystore.keystorePasswordKey }} + path: {{ .Values.configuration.tls.keystore.keystorePasswordKey }} + {{- end }} + {{- if .Values.configuration.tls.truststore.existingSecret }} + - secret: + name: {{ tpl .Values.configuration.tls.truststore.existingSecret . }} + items: + - key: {{ .Values.configuration.tls.truststore.truststoreKey }} + path: {{ .Values.configuration.tls.truststore.truststoreKey }} + - key: {{ .Values.configuration.tls.truststore.truststorePasswordKey }} + path: {{ .Values.configuration.tls.truststore.truststorePasswordKey }} + {{- end }} + {{- if .Values.configuration.tls.certificateRevocationList.existingSecret }} + - secret: + name: {{ tpl .Values.configuration.tls.certificateRevocationList.existingSecret . 
}} + items: + - key: {{ .Values.configuration.tls.certificateRevocationList.certificateRevocationListKey }} + path: {{ .Values.configuration.tls.certificateRevocationList.certificateRevocationListKey }} + {{- end }} + - name: graphdb-grpc-tls + projected: + sources: + {{- if .Values.cluster.tls.keystore.existingSecret }} + - secret: + name: {{ tpl .Values.cluster.tls.keystore.existingSecret . }} + items: + - key: {{ .Values.cluster.tls.keystore.keystoreKey }} + path: {{ .Values.cluster.tls.keystore.keystoreKey }} + - key: {{ .Values.cluster.tls.keystore.keystorePasswordKey }} + path: {{ .Values.cluster.tls.keystore.keystorePasswordKey }} + {{- end }} + {{- if .Values.cluster.tls.truststore.existingSecret }} + - secret: + name: {{ tpl .Values.cluster.tls.truststore.existingSecret . }} + items: + - key: {{ .Values.cluster.tls.truststore.truststoreKey }} + path: {{ .Values.cluster.tls.truststore.truststoreKey }} + - key: {{ .Values.cluster.tls.truststore.truststorePasswordKey }} + path: {{ .Values.cluster.tls.truststore.truststorePasswordKey }} + {{- end }} + {{- if .Values.cluster.tls.certificateKey.existingSecret }} + - secret: + name: {{ tpl .Values.cluster.tls.certificateKey.existingSecret . }} + items: + - key: {{ .Values.cluster.tls.certificateKey.privateKeyKey }} + path: {{ .Values.cluster.tls.certificateKey.privateKeyKey }} + - key: {{ .Values.cluster.tls.certificateKey.privateKeyPasswordKey }} + path: {{ .Values.cluster.tls.certificateKey.privateKeyPasswordKey }} + {{- end }} + {{- if .Values.cluster.tls.certificate.existingSecret }} + - secret: + name: {{ tpl .Values.cluster.tls.certificate.existingSecret . }} + items: + - key: {{ .Values.cluster.tls.certificate.certificateKey }} + path: {{ .Values.cluster.tls.certificate.certificateKey }} + {{- end }} + {{- if .Values.cluster.tls.certificateChain.existingSecret }} + - secret: + name: {{ tpl .Values.cluster.tls.certificateChain.existingSecret . 
}} + items: + - key: {{ .Values.cluster.tls.certificateChain.certificateChainKey }} + path: {{ .Values.cluster.tls.certificateChain.certificateChainKey }} + {{- end }} + {{- if .Values.cluster.tls.rootCerts.existingSecret }} + - secret: + name: {{ tpl .Values.cluster.tls.rootCerts.existingSecret . }} + items: + - key: {{ .Values.cluster.tls.rootCerts.rootCertsKey }} + path: {{ .Values.cluster.tls.rootCerts.rootCertsKey }} + {{- end }} + {{- if .Values.cluster.tls.certificateRevocationList.existingSecret }} + - secret: + name: {{ tpl .Values.cluster.tls.certificateRevocationList.existingSecret . }} + items: + - key: {{ .Values.cluster.tls.certificateRevocationList.certificateRevocationListKey }} + path: {{ .Values.cluster.tls.certificateRevocationList.certificateRevocationListKey }} + {{- end }} + {{- with .Values.proxy.extraVolumes }} + {{- tpl (toYaml .) $ | nindent 8 }} + {{- end }} {{- with .Values.proxy.nodeSelector }} nodeSelector: {{- tpl (toYaml .) $ | nindent 8 }} {{- end }} @@ -296,6 +383,10 @@ spec: mountPath: /opt/graphdb/home/conf/logback.xml subPath: {{ .Values.proxy.configuration.logback.configmapKey }} {{- end }} + - name: graphdb-tomcat-tls + mountPath: {{ .Values.configuration.tls.mountPath }} + - name: graphdb-grpc-tls + mountPath: {{ .Values.cluster.tls.mountPath }} {{- with .Values.proxy.extraVolumeMounts }} {{- toYaml . | nindent 12 }} {{- end }} diff --git a/values.yaml b/values.yaml index 021cbb79..5b949818 100644 --- a/values.yaml +++ b/values.yaml 
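Review bot: `defaultMode: 400` on the `graphdb-tomcat-tls` projected volume is decimal 400, which Kubernetes applies as octal 0620 (rw for owner, write-only for group), not the owner-read-only mode that was evidently intended; write it as `defaultMode: 0400`. The `graphdb-grpc-tls` volume sets no `defaultMode` at all, so the cluster keystore, the PEM private key and both password files it projects are created with the 0644 default and are readable by any process in the container — give it the same `defaultMode: 0400`. Projected files are owned by root unless the pod's `fsGroup` applies, so after tightening the mode verify the GraphDB process user can still read them (`0440` with `fsGroup` set is the usual compromise if it runs unprivileged). Both volumes are declared and mounted even when no `existingSecret` is configured, which is harmless for an empty `projected` volume but worth a one-line comment so nobody "fixes" it.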
@@ -209,6 +209,72 @@ configuration: # The value is processed as a Helm template. javaArguments: "" + # Security SSL/TLS configurations for the embedded Tomcat server. + # + # GraphDB uses the Java implementation of SSL, which requires a configured key in the Java keystore. + # There are 3 scenarios for configuring the security of the GraphDB instance: + # - By providing a keystore and its corresponding properties. + # - By providing keystore and truststore and their corresponding properties - used to configure mTLS. + # - By providing only a truststore in cases where GraphDB should trust an external service. + # + # NOTE: Since the GraphDB container and proxy container probes also have to use https, they need to be manually configured, e.g.: + # startupProbe: + # httpGet: + # scheme: HTTPS # Add scheme + # Configurations for the liveness and readiness probes need to be added as well. + # + # If the GraphDB instance is configured with SSL, the cluster security properties will + # default to the values defined in the connector unless explicitly specified otherwise with .Values.cluster.tls + # + # References + # - Tomcat docs: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_Connector_-_NIO_and_NIO2_(deprecated) + # - GraphDB docs: https://graphdb.ontotext.com/documentation/10.7/encryption.html#configuring-graphdb-instance-with-ssl + tls: + # If keystore secret is provided, it enables connector security by setting the following GraphDB properties: + # graphdb.connector.SSLEnabled = true + # graphdb.connector.scheme = https + # graphdb.connector.secure = true + keystore: + # Reference to an existing Secret resource containing the keystore for configuring GraphDB's Tomcat connector. + # The value is processed as a Helm template. + existingSecret: "" + # Key in the existing Secret that holds the keystore file where you have stored the server certificate and key to be loaded. 
+ keystoreKey: keystore.jks + # Key in the existing Secret that holds the password to use to access the keystore containing + # the server's private key and certificate. + keystorePasswordKey: keystore_password + # The alias used for the server key and certificate in the keystore. + keyAlias: graphdb + # The name of the keystore provider to be used for the server certificate. + keystoreProvider: SUN + # The type of keystore file to be used for the server certificate. + keystoreType: JKS + + truststore: + # Reference to an existing Secret resource containing the trust store for configuring GraphDB's Tomcat connector. + # The value is processed as a Helm template. + existingSecret: "" + # Key in the existing Secret that holds the trust store file to use to validate client certificates. + truststoreKey: truststore.jks + # Key in the existing Secret that holds the password to access the trust store. + truststorePasswordKey: truststore_password + # The name of the truststore provider to be used for the server certificate. + # If not explicitly defined, it will be created. + truststoreProvider: SUN + # The type of key store used for the trust store. + # If not explicitly defined, it will be created. + truststoreType: JKS + + certificateRevocationList: + # Reference to an existing Secret resource containing the certificate revocation list for configuring GraphDB's Tomcat connector. + # The value is processed as a Helm template. + existingSecret: "" + # Key in the existing Secret that holds the certificate revocation list file. + certificateRevocationListKey: crl.pem + + # The path where the keystore/truststore will be mounted inside the container. + mountPath: /etc/graphdb/tls/tomcat/ + # Configurations for GraphDB's Logback # Ref: https://graphdb.ontotext.com/documentation/10.7/diagnosing-and-reporting-critical-errors.html#logs # 
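Review bot: The header comment says keystore plus truststore is "used to configure mTLS", but a Tomcat connector truststore only lets the connector validate client certificates; clients are not required to present one unless the connector's `clientAuth` (or `certificateVerification`) is set, and no such value is exposed here, so operators may believe mTLS is enforced when it is merely possible — either add a `configuration.tls.clientAuth` value that renders `graphdb.connector.clientAuth`, or reword the comment to `# Keystore + truststore: the truststore defines which client certificates are accepted; requiring them (mTLS) must additionally be enabled via graphdb.connector.clientAuth in configuration.properties.` I can't see how GraphDB maps its `graphdb.connector.*` keys onto Tomcat, so confirm which attribute it honours. The third scenario, "a truststore in cases where GraphDB should trust an external service", reads as outbound trust, which a connector truststore does not provide (that is the JVM-level `javax.net.ssl.trustStore`); restating it as client-certificate validation avoids a false sense of security. Under `truststoreProvider`/`truststoreType`, "If not explicitly defined, it will be created." is not what happens; Tomcat's documented fallback is the keystore value, so `# If not set, the value of keystoreProvider/keystoreType is used.` is the accurate comment.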
@@ -330,6 +396,109 @@ cluster: # Timeout for cURL queries used for the cluster creation and update. clusterCreationTimeout: 60 + # Dedicated configurations for configuring the raft cluster TLS security. + # + # There are 3 combinations of TLS assets that could be provided in order to set up cluster security: + # - Using JSSE: By providing keystore and truststore and their corresponding properties. + # - Using OpenSSL: By providing certificate file, certificate chain and private key and their corresponding properties. + # - Using a certificate without chain path: By providing certificate file and private key and their corresponding properties. + # + # If the TLS assets for all scenarios are provided at once, GraphDB startup will result in an error! + tls: + # There are 3 types of security mode configurations + # - NONE: Unsecured communication will be used for the gRPC client-server communications. If mode is not specified it will use this one by default. + # - DEFAULT: TLS encryption will be used if the TLS assets for configuring the security communications are found. + # - TLS: TLS encryption will be enforced for the cluster communication. TLS assets need to be provided and If not properly configured the server will fail to start! + # + # Most of the possible properties can be seen from the official tomcat connector documentation without the graphdb.raft.security prefix. + # - Tomcat docs: https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_Certificate + # - GraphDB docs: https://graphdb.ontotext.com/documentation/10.7/directories-and-config-properties.html#cluster-properties + mode: DEFAULT + + keystore: + # Reference to an existing Secret resource containing the keystore for configuring the gRPC security. + # The value is processed as a Helm template. + existingSecret: "" + # Key in the existing Secret that holds the keystore file where you have stored the + # server certificate and key to be loaded. 
+ keystoreKey: keystore.jks + # Key in the existing Secret that holds the password to use to access the keystore containing + # the server's private key and certificate. If not specified, a default of "changeit" will be used. + keystorePasswordKey: keystore_password + # The alias used for the server key and certificate in the keystore. + keyAlias: graphdb + # The name of the keystore provider to be used for the server certificate. + # If it isn't set the list of registered providers is traversed in preference + # order and the first provider that supports the keystoreType is used. + keystoreProvider: SUN + # The type of keystore file to be used for the server certificate. + # If not set a default value of "JKS" is used. + keystoreType: JKS + + truststore: + # Reference to an existing Secret resource containing the trust store for configuring the gRPC security. + # The value is processed as a Helm template. + existingSecret: "" + # Key in the existing Secret that holds the trust store file to use to validate client certificates. + truststoreKey: truststore.jks + # Key in the existing Secret that holds the password to access the trust store. + truststorePasswordKey: truststore_password + # The name of the truststore provider to be used for the server certificate. + # If it isn't set the list of registered providers is traversed in preference + # order and the first provider that supports the truststoreProvider is used. + truststoreProvider: SUN + # The type of key store used for the trust store. + # If not set a default value of "JKS" is used. + truststoreType: JKS + + certificate: + # Reference to an existing Secret resource containing the certificate for configuring the gRPC security. + # The value is processed as a Helm template. + existingSecret: "" + # Key in the existing Secret that holds the file that contains the server certificate. + # The format is PEM-encoded. 
+ certificateKey: certificate.pem + + certificateChain: + # Reference to an existing Secret resource containing the certificate chain for configuring the gRPC security. + # The value is processed as a Helm template. + existingSecret: "" + # Key in the existing Secret that holds the file that contains the certificate chain associated with + # the server certificate used. + # The format is PEM-encoded. + certificateChainKey: certChain.pem + + certificateKey: + # Reference to an existing Secret resource containing the certificate private key for configuring the gRPC security. + # The value is processed as a Helm template. + existingSecret: "" + # Key in the existing Secret that holds the file that contains the server private key. + # The format is PEM-encoded. + privateKeyKey: privatekey.pem + # The key in the existing Secret that holds the password used to access the private key associated + # with the server certificate from the specified file. + privateKeyPasswordKey: privatekey_password + + # Specifies the root certificates that the system should trust when establishing security connections. + rootCerts: + # Reference to an existing Secret resource containing the root certificates for configuring the gRPC security. + # The value is processed as a Helm template. + existingSecret: "" + # Key in the existing Secret that holds the root certs file. + rootCertsKey: rootCerts.pem + + # Determines a list of digital certificates that have been revoked by the issuing certificate authority (CA) + # before their actual or assigned expiration date. + certificateRevocationList: + # Reference to an existing Secret resource containing the certificate revocation list for configuring the gRPC security. + # The value is processed as a Helm template. + existingSecret: "" + # Key in the existing Secret that holds the certificate revocation list file. + certificateRevocationListKey: crl.pem + + # The path where the TLS files will be mounted inside the container. 
+ mountPath: /etc/graphdb/tls/grpc/ + # Cluster configuration parameters. # Changing the parameters would trigger a Job that patches the configuration. # Ref: https://graphdb.ontotext.com/documentation/10.7/creating-a-cluster.html#creation-parameters
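Review bot: `mode: DEFAULT` is documented as using TLS only "if the TLS assets ... are found", so a misnamed Secret key or a typo in `keystoreKey` silently leaves raft/gRPC traffic in plaintext instead of failing the rollout; the values comment should steer operators who provide assets to the fail-closed mode, e.g. `# Set mode to TLS whenever assets are provided so a misconfiguration fails at startup instead of falling back to unencrypted cluster traffic.` The comment on `keystorePasswordKey` ("If not specified, a default of "changeit" will be used") does not match this chart: as far as the proxy properties template in this diff shows, `keystorePass@file` is always rendered from the Secret key, so the default never applies and a missing key is an error rather than a fallback — worth rewording to avoid implying a known default password is in play. Under `truststoreProvider`, "the first provider that supports the truststoreProvider is used" should read `truststoreType`, mirroring the keystore comment above it.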