feat(tls): Enables tls certificates to be provided (#11 )

feat(helm chart): liveness and readiness probes (#10 )
Fix enabling of diagnostics (#8 )
2023-02-09 10:29:38 +00:00 · 2023-02-09 10:12:44 +00:00 · 2023-02-08 23:04:56 +00:00
4 changed files with 40 additions and 17 deletions
@@ -35,6 +35,10 @@ A Helm chart for deploying seq-input-gelf to Kubernetes
 | seq.apiKey.secretName | string | `"seq-api-key"` | The name of the Kubernetes secret containing the Seq API key |
 | seq.diagnosticLogging | bool | `true` | Whether to enable diagnostic logging |
 | seq.rustBackTrace | int | `0` | Whether to enable backtrace logging (used for debugging). 0 = disabled, 1 = enabled. |
+| seq.tls.certificateSecretKey | string | `"tls.crt"` | The key in the Kubernetes secret containing the TLS certificate |
+| seq.tls.enabled | bool | `false` | If true it enables TLS for the connection to gelf-input-seq. This will only be enabled if `service.protocol` is 'TCP'. |
+| seq.tls.privateKeySecretKey | string | `"tls.key"` | The key in the Kubernetes secret containing the TLS private key |
+| seq.tls.secretName | string | `"seq-tls"` | The name of the Kubernetes secret containing the TLS certificate |
 | seq.url | string | `"http://seq:5341"` | The URL of the Seq server to send events to |
 | service.port | int | `12201` | The port on which seq-input-gelf will listen for GELF messages |
 | service.protocol | string | `"TCP"` | The protocol (either TCP or UDP) used by seq-input-gelf to listen for GELF messages |
@@ -42,15 +42,16 @@ spec:
            - name: gelf
              containerPort: {{ .Values.service.port }}
              protocol: {{ .Values.service.protocol }}
-          # TODO: docker image does not yet support liveness and readiness probes
-          # livenessProbe:
-          #   httpGet:
-          #     path: /
-          #     port: http
-          # readinessProbe:
-          #   httpGet:
-          #     path: /
-          #     port: http
+          readinessProbe:
+            tcpSocket:
+              port: gelf
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          livenessProbe:
+            tcpSocket:
+              port: gelf
+            initialDelaySeconds: 15
+            periodSeconds: 20
          resources:
            {{- toYaml .Values.resources | nindent 12 }}
          env:
@@ -64,21 +65,32 @@ spec:
            - name: GELF_ADDRESS
              value: {{ printf "%s://0.0.0.0:%d" ( lower .Values.service.protocol ) ( .Values.service.port | int ) }}
            - name: GELF_ENABLE_DIAGNOSTICS
-              value: {{ .Values.seq.enableDiagnostics | quote }}
-            # TODO support mounting of certificates from secrets
-            # - name: GELF_CERTIFICATE_PATH
-            #   value: /certs/seq-input-gelf.crt
-            # - name: GELF_CERTIFICATE_PRIVATE_KEY_PATH
-            #   value: /certs/seq-input-gelf.key
+              value: {{ .Values.seq.diagnosticLogging | quote }}
+            {{- if (and (eq (lower .Values.service.protocol) "tcp" ) .Values.seq.tls.enabled ) }}
+            - name: GELF_CERTIFICATE_PATH
+              value: {{ printf "/certs/%s" .Values.seq.tls.certificateSecretKey }}
+            - name: GELF_CERTIFICATE_PRIVATE_KEY_PATH
+              value: {{ printf "/certs/%s" .Values.seq.tls.privateKeySecretKey }}
+            {{- end }}
            - name: RUST_BACKTRACE
              value: {{ .Values.seq.rustBackTrace | quote }}
          volumeMounts:
            # mount an empty dir to /tmp to prevent errors as readOnlyRootFilesystem is true
            - mountPath: /tmp
              name: tmp
+            {{- if (and (eq (lower .Values.service.protocol) "tcp" ) .Values.seq.tls.enabled ) }}
+            - mountPath: /certs
+              name: certs
+              readOnly: true
+            {{- end }}
      volumes:
        - name: tmp
          emptyDir: {}
+        {{- if (and (eq (lower .Values.service.protocol) "tcp" ) .Values.seq.tls.enabled ) }}
+        - name: certs
+          secret:
+            secretName: {{ .Values.seq.tls.secretName }}
+        {{- end }}
      {{- with .Values.nodeSelector }}
      nodeSelector:
        {{- toYaml . | nindent 8 }}
@@ -14,8 +14,6 @@ spec:
      annotations:
        {{- toYaml . | nindent 8 }}
      {{- end }}
-      labels:
-        {{- include "seq-input-gelf.selectorLabels" . | nindent 8 }}
    spec:
      securityContext:
        fsGroup: 2000
@@ -13,6 +13,15 @@ seq:
  diagnosticLogging: true
  # -- Whether to enable backtrace logging (used for debugging). 0 = disabled, 1 = enabled.
  rustBackTrace: 0
+  tls:
+    # -- If true it enables TLS for the connection to gelf-input-seq. This will only be enabled if `service.protocol` is 'TCP'.
+    enabled: false
+    # -- The name of the Kubernetes secret containing the TLS certificate
+    secretName: seq-tls
+    # -- The key in the Kubernetes secret containing the TLS certificate
+    certificateSecretKey: tls.crt
+    # -- The key in the Kubernetes secret containing the TLS private key
+    privateKeySecretKey: tls.key

 image:
  repository: datalust/seq-input-gelf
Author	SHA1	Message	Date
Iain Sproat	41f650c37f	feat(tls): Enables tls certificates to be provided (#11 )	2023-02-09 10:29:38 +00:00
Iain Sproat	038ebbe456	feat(helm chart): liveness and readiness probes (#10 )	2023-02-09 10:12:44 +00:00
Iain Sproat	a50e031c13	Fix enabling of diagnostics (#8 ) * fix(deployment): use correct value name to enable diagnostic logging * Remove the selector label as the job pod was being selected by the deployment	2023-02-08 23:04:56 +00:00