From 41f650c37fa033f64668fb2f1c42e38036dce43b Mon Sep 17 00:00:00 2001
From: Iain Sproat <68657+iainsproat@users.noreply.github.com>
Date: Thu, 9 Feb 2023 10:29:38 +0000
Subject: [PATCH] feat(tls): Enables tls certificates to be provided (#11)
---
charts/seq-input-gelf/README.md | 4 ++++
.../seq-input-gelf/templates/deployment.yaml | 21 ++++++++++++++-----
charts/seq-input-gelf/values.yaml | 9 ++++++++
3 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/charts/seq-input-gelf/README.md b/charts/seq-input-gelf/README.md
index 409725a..7a3f9bd 100644
--- a/charts/seq-input-gelf/README.md
+++ b/charts/seq-input-gelf/README.md
@@ -35,6 +35,10 @@ A Helm chart for deploying seq-input-gelf to Kubernetes
 | seq.apiKey.secretName | string | `"seq-api-key"` | The name of the Kubernetes secret containing the Seq API key |
 | seq.diagnosticLogging | bool | `true` | Whether to enable diagnostic logging |
 | seq.rustBackTrace | int | `0` | Whether to enable backtrace logging (used for debugging). 0 = disabled, 1 = enabled. |
+| seq.tls.certificateSecretKey | string | `"tls.crt"` | The key in the Kubernetes secret containing the TLS certificate |
+| seq.tls.enabled | bool | `false` | If true it enables TLS for the connection to gelf-input-seq. This will only be enabled if `service.protocol` is 'TCP'. |
+| seq.tls.privateKeySecretKey | string | `"tls.key"` | The key in the Kubernetes secret containing the TLS private key |
+| seq.tls.secretName | string | `"seq-tls"` | The name of the Kubernetes secret containing the TLS certificate |
 | seq.url | string | `"http://seq:5341"` | The URL of the Seq server to send events to |
 | service.port | int | `12201` | The port on which seq-input-gelf will listen for GELF messages |
 | service.protocol | string | `"TCP"` | The protocol (either TCP or UDP) used by seq-input-gelf to listen for GELF messages |
diff --git a/charts/seq-input-gelf/templates/deployment.yaml b/charts/seq-input-gelf/templates/deployment.yaml
index b8673d3..53b2bbe 100644
--- a/charts/seq-input-gelf/templates/deployment.yaml
+++ b/charts/seq-input-gelf/templates/deployment.yaml
@@ -66,20 +66,31 @@ spec:
 value: {{ printf "%s://0.0.0.0:%d" ( lower .Values.service.protocol ) ( .Values.service.port | int ) }}
 - name: GELF_ENABLE_DIAGNOSTICS
 value: {{ .Values.seq.diagnosticLogging | quote }}
- # TODO support mounting of certificates from secrets
- # - name: GELF_CERTIFICATE_PATH
- # value: /certs/seq-input-gelf.crt
- # - name: GELF_CERTIFICATE_PRIVATE_KEY_PATH
- # value: /certs/seq-input-gelf.key
+ {{- if (and (eq (lower .Values.service.protocol) "tcp" ) .Values.seq.tls.enabled ) }}
+ - name: GELF_CERTIFICATE_PATH
+ value: {{ printf "/certs/%s" .Values.seq.tls.certificateSecretKey }}
+ - name: GELF_CERTIFICATE_PRIVATE_KEY_PATH
+ value: {{ printf "/certs/%s" .Values.seq.tls.privateKeySecretKey }}
+ {{- end }}
 - name: RUST_BACKTRACE
 value: {{ .Values.seq.rustBackTrace | quote }}
 volumeMounts:
 # mount an empty dir to /tmp to prevent errors as readOnlyRootFilesystem is true
 - mountPath: /tmp
 name: tmp
+ {{- if (and (eq (lower .Values.service.protocol) "tcp" ) .Values.seq.tls.enabled ) }}
+ - mountPath: /certs
+ name: certs
+ readOnly: true
+ {{- end }}
 volumes:
 - name: tmp
 emptyDir: {}
+ {{- if (and (eq (lower .Values.service.protocol) "tcp" ) .Values.seq.tls.enabled ) }}
+ - name: certs
+ secret:
+ secretName: {{ .Values.seq.tls.secretName }}
+ {{- end }}
 {{- with .Values.nodeSelector }}
 nodeSelector:
 {{- toYaml . | nindent 8 }}
diff --git a/charts/seq-input-gelf/values.yaml b/charts/seq-input-gelf/values.yaml
index 633ff32..a157208 100644
--- a/charts/seq-input-gelf/values.yaml
+++ b/charts/seq-input-gelf/values.yaml
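Review bot: Setting `seq.tls.enabled: true` while `service.protocol` is UDP is silently ignored by all three new `if` guards in this hunk, so an operator who believes the GELF listener is now TLS-protected gets a plaintext endpoint with no warning; making the mismatch a render error is safer, e.g. at the top of the template `{{- if and .Values.seq.tls.enabled (ne (lower .Values.service.protocol) "tcp") }}{{ fail "seq.tls.enabled requires service.protocol to be TCP" }}{{- end }}`. The same three-part condition is repeated for the env vars, the mount and the volume; binding it once, `{{- $tls := and (eq (lower .Values.service.protocol) "tcp") .Values.seq.tls.enabled }}`, keeps the guards from drifting apart on a later edit. The two new `value:` lines and `secretName: {{ .Values.seq.tls.secretName }}` are unquoted while the neighbouring env values use `| quote`; adding `| quote` to all three keeps a value with YAML-significant characters from breaking the rendered manifest. Consider also a `defaultMode` on the secret volume (e.g. `defaultMode: 0440` together with an `fsGroup` in the pod security context) so the private key is not readable by every uid in the container; whether the chart already sets an fsGroup is not visible in this hunk, so confirm that before tightening the mode.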
@@ -13,6 +13,15 @@ seq:
 diagnosticLogging: true
 # -- Whether to enable backtrace logging (used for debugging). 0 = disabled, 1 = enabled.
 rustBackTrace: 0
+ tls:
+ # -- If true it enables TLS for the connection to gelf-input-seq. This will only be enabled if `service.protocol` is 'TCP'.
+ enabled: false
+ # -- The name of the Kubernetes secret containing the TLS certificate
+ secretName: seq-tls
+ # -- The key in the Kubernetes secret containing the TLS certificate
+ certificateSecretKey: tls.crt
+ # -- The key in the Kubernetes secret containing the TLS private key
+ privateKeySecretKey: tls.key
 image:
 repository: datalust/seq-input-gelf
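Review bot: The `# --` comment on the new `secretName` key does not tell the operator what the referenced secret must contain or where it must live; since the default keys `tls.crt`/`tls.key` are exactly those of a `kubernetes.io/tls` secret, say so, e.g. `# -- The name of the Kubernetes secret, in the release namespace, holding the TLS certificate and private key; a secret of type kubernetes.io/tls works with the default key names`. The `enabled` comment should also state that the value is ignored rather than rejected when `service.protocol` is UDP, because the rendered Deployment gives no indication either way. The `gelf-input-seq` in that same comment looks like a transposition of the chart name `seq-input-gelf` and is copied verbatim into the README table.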