feat(tls): Enables tls certificates to be provided (#11)

charts/seq-input-gelf/README.md

@@ -35,6 +35,10 @@ A Helm chart for deploying seq-input-gelf to Kubernetes
 | seq.apiKey.secretName | string | `"seq-api-key"` | The name of the Kubernetes secret containing the Seq API key |
 | seq.diagnosticLogging | bool | `true` | Whether to enable diagnostic logging |
 | seq.rustBackTrace | int | `0` | Whether to enable backtrace logging (used for debugging). 0 = disabled, 1 = enabled. |
+| seq.tls.certificateSecretKey | string | `"tls.crt"` | The key in the Kubernetes secret containing the TLS certificate |
+| seq.tls.enabled | bool | `false` | If true it enables TLS for the connection to gelf-input-seq. This will only be enabled if `service.protocol` is 'TCP'. |
+| seq.tls.privateKeySecretKey | string | `"tls.key"` | The key in the Kubernetes secret containing the TLS private key |
+| seq.tls.secretName | string | `"seq-tls"` | The name of the Kubernetes secret containing the TLS certificate |
 | seq.url | string | `"http://seq:5341"` | The URL of the Seq server to send events to |
 | service.port | int | `12201` | The port on which seq-input-gelf will listen for GELF messages |
 | service.protocol | string | `"TCP"` | The protocol (either TCP or UDP) used by seq-input-gelf to listen for GELF messages |

charts/seq-input-gelf/templates/deployment.yaml

@@ -66,20 +66,31 @@ spec:
               value: {{ printf "%s://0.0.0.0:%d" ( lower .Values.service.protocol ) ( .Values.service.port | int ) }}
             - name: GELF_ENABLE_DIAGNOSTICS
               value: {{ .Values.seq.diagnosticLogging | quote }}
-            # TODO support mounting of certificates from secrets
-            # - name: GELF_CERTIFICATE_PATH
-            #   value: /certs/seq-input-gelf.crt
-            # - name: GELF_CERTIFICATE_PRIVATE_KEY_PATH
-            #   value: /certs/seq-input-gelf.key
+            {{- if (and (eq (lower .Values.service.protocol) "tcp" ) .Values.seq.tls.enabled ) }}
+            - name: GELF_CERTIFICATE_PATH
+              value: {{ printf "/certs/%s" .Values.seq.tls.certificateSecretKey }}
+            - name: GELF_CERTIFICATE_PRIVATE_KEY_PATH
+              value: {{ printf "/certs/%s" .Values.seq.tls.privateKeySecretKey }}
+            {{- end }}
             - name: RUST_BACKTRACE
               value: {{ .Values.seq.rustBackTrace | quote }}
           volumeMounts:
             # mount an empty dir to /tmp to prevent errors as readOnlyRootFilesystem is true
             - mountPath: /tmp
               name: tmp
+            {{- if (and (eq (lower .Values.service.protocol) "tcp" ) .Values.seq.tls.enabled ) }}
+            - mountPath: /certs
+              name: certs
+              readOnly: true
+            {{- end }}
       volumes:
         - name: tmp
           emptyDir: {}
+        {{- if (and (eq (lower .Values.service.protocol) "tcp" ) .Values.seq.tls.enabled ) }}
+        - name: certs
+          secret:
+            secretName: {{ .Values.seq.tls.secretName }}
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

charts/seq-input-gelf/values.yaml

@@ -13,6 +13,15 @@ seq:
   diagnosticLogging: true
   # -- Whether to enable backtrace logging (used for debugging). 0 = disabled, 1 = enabled.
   rustBackTrace: 0
+  tls:
+    # -- If true it enables TLS for the connection to gelf-input-seq. This will only be enabled if `service.protocol` is 'TCP'.
+    enabled: false
+    # -- The name of the Kubernetes secret containing the TLS certificate
+    secretName: seq-tls
+    # -- The key in the Kubernetes secret containing the TLS certificate
+    certificateSecretKey: tls.crt
+    # -- The key in the Kubernetes secret containing the TLS private key
+    privateKeySecretKey: tls.key
 
 image:
   repository: datalust/seq-input-gelf