testkube-enterprise: add support for minio cert config

kubeshop · Mar 11, 2024 · ccbf9a3 · ccbf9a3
1 parent 9e2d795
commit ccbf9a3
Show file tree

Hide file tree

Showing 5 changed files with 81 additions and 3 deletions.
diff --git a/charts/testkube-cloud-api/README.md b/charts/testkube-cloud-api/README.md
@@ -34,22 +34,33 @@ A Helm chart for Testkube Cloud API
 | api.agent.healthcheck.lock | string | `"kv"` | Agent healthcheck distributed mode (one of mongo|kv) - used for pods sync to run healthchecks on single pod at once |
 | api.agent.hide | bool | `false` |  |
 | api.agent.host | string | `""` | Agent host with protocol (example `agent.testkube.xyz`) |
+| api.agent.keepAlive | bool | `false` | Toggle whether to enable agent grpc keepalive pings |
 | api.agent.port | string | `"443"` | Agent port |
 | api.apiAddress | string | `""` | API address (used in invitation emails) (example `https://api.testkube.xyz`) |
 | api.dashboardAddress | string | `""` | Dashboard address (used in invitation emails) (example `https://cloud.testkube.xyz`) |
+| api.debug.enableGrpcServerLogs | bool | `false` | Toggle whether to enable gRPC server logs |
+| api.debug.enableHttp2Logs | bool | `false` | Toggle whether to enable debug logs by setting the GODEBUG=http2debug=2 |
 | api.email.fromEmail | string | `"[email protected]"` |  |
 | api.email.fromName | string | `"Testkube Cloud"` |  |
 | api.inviteMode | string | `"email"` | Configure which invitation mode to use (email|auto-accept): email uses SMTP protocol to send email invites and auto-accept immediately adds them |
 | api.migrations.enabled | bool | `false` | Toggle whether to apply migrations for MongoDB |
 | api.migrations.ttlSecondsAfterFinished | int | `90` | TTL for the migration job |
 | api.migrations.useHelmHooks | bool | `true` | Toggle whether to enable pre-install & pre-upgrade hooks |
 | api.minio.accessKeyId | string | `""` | MinIO access key id |
+| api.minio.certSecret.baseMountPath | string | `"/etc/client-certs/storage"` | Base path to mount the client certificate secret |
+| api.minio.certSecret.caFile | string | `"ca.crt"` | Path to ca file (used for self-signed certificates) |
+| api.minio.certSecret.certFile | string | `"cert.crt"` | Path to client certificate file |
+| api.minio.certSecret.enabled | bool | `false` | Toggle whether to mount k8s secret which contains storage client certificate (cert.crt, cert.key, ca.crt) |
+| api.minio.certSecret.keyFile | string | `"cert.key"` | Path to client certificate key file |
+| api.minio.certSecret.name | string | `"storage-client-cert"` | Name of the storage client certificate secret |
 | api.minio.credsSecretRef | string | `""` | Credentials secret ref (secret should contain keys: root-user, root-password, token) (default is `testkube-cloud-minio-secret`) |
 | api.minio.endpoint | string | `"minio.testkube.svc.cluster.local:9000"` | MinIO endpoint |
 | api.minio.expirationPeriod | int | `0` | Expiration period in days |
+| api.minio.mountCACertificate | bool | `false` | If enabled, will also require a CA certificate to be provided |
 | api.minio.region | string | `""` | S3 region |
 | api.minio.secretAccessKey | string | `""` | MinIO secret access key |
 | api.minio.secure | bool | `false` | Should be set to `true` if MinIO is behind |
+| api.minio.skipVerify | bool | `false` | Toggle whether to verify TLS certificates |
 | api.minio.token | string | `""` | MinIO token |
 | api.mongo.database | string | `"testkubecloud"` | Mongo database name |
 | api.mongo.dsn | string | `"mongodb://mongodb.testkube.svc.cluster.local:27017"` | if mongoDsnSecretRef is empty (""), mongoDsn field will be used for setting the Mongo DSN connection string |
@@ -156,4 +167,4 @@ A Helm chart for Testkube Cloud API
 | websocketsIngress.labels | object | `{}` | Additional labels to add to the WebSocket Ingress resource |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.13.0](https://github.com/norwoodj/helm-docs/releases/v1.13.0)
diff --git a/charts/testkube-cloud-api/templates/deployment.yaml b/charts/testkube-cloud-api/templates/deployment.yaml
@@ -299,6 +299,18 @@ spec:
               {{- else }}
               value: "{{ .Values.api.minio.token }}"
               {{- end }}
+            - name: "MINIO_SKIP_VERIFY"
+              value: "{{ .Values.api.minio.skipVerify }}"
+            {{- if .Values.api.minio.certSecret.enabled }}
+            - name: "MINIO_CERT_FILE"
+              value: "{{ .Values.api.minio.certSecret.baseMountPath }}/{{ .Values.api.minio.certSecret.certFile }}"
+            - name: "MINIO_KEY_FILE"
+              value: "{{ .Values.api.minio.certSecret.baseMountPath }}/{{ .Values.api.minio.certSecret.keyFile }}"
+            {{- if .Values.api.minio.mountCACertificate }}
+            - name: "MINIO_CA_FILE"
+              value: "{{ .Values.api.minio.certSecret.baseMountPath }}/{{ .Values.api.minio.certSecret.caFile }}"
+            {{- end }}
+            {{- end }}
             {{- range $k, $v := .Values.additionalEnv }}
             - name: {{ $k }}
               value: "{{ $v }}"

diff --git a/charts/testkube-cloud-api/values.yaml b/charts/testkube-cloud-api/values.yaml
@@ -164,6 +164,23 @@ api:
     expirationPeriod: 0
     # -- Should be set to `true` if MinIO is behind
     secure: false
+    # -- Toggle whether to verify TLS certificates
+    skipVerify: false
+    # -- If enabled, will also require a CA certificate to be provided
+    mountCACertificate: false
+    certSecret:
+      # -- Toggle whether to mount k8s secret which contains storage client certificate (cert.crt, cert.key, ca.crt)
+      enabled: false
+      # -- Name of the storage client certificate secret
+      name: "storage-client-cert"
+      # -- Base path to mount the client certificate secret
+      baseMountPath: /etc/client-certs/storage
+      # -- Path to client certificate file
+      certFile: "cert.crt"
+      # -- Path to client certificate key file
+      keyFile: "cert.key"
+      # -- Path to ca file (used for self-signed certificates)
+      caFile: "ca.crt"
   sendgrid:
     # -- Sendgrid API key
     apiKey: ""

diff --git a/charts/testkube-enterprise/README.md b/charts/testkube-enterprise/README.md
@@ -18,6 +18,7 @@ A Helm chart for Testkube Enterprise
 |------------|------|---------|
 | file://../testkube-cloud-api | testkube-cloud-api | 1.32.1 |
 | file://../testkube-cloud-ui | testkube-cloud-ui | 1.27.0 |
+| file://../testkube-logs-service | testkube-logs-service | 1.0.0 |
 | file://../testkube-worker-service | testkube-worker-service | 1.29.0 |
 | https://charts.bitnami.com/bitnami | common | 2.13.3 |
 | https://charts.bitnami.com/bitnami | minio | 12.10.2 |
@@ -92,7 +93,7 @@ A Helm chart for Testkube Enterprise
 | minio.customIngress.labels | object | `{}` | Additional labels to add to the MinIO Ingress resource |
 | minio.customIngress.tls.tlsSecret | string | `"testkube-enterprise-minio-tls"` | TLS secret name which contains the certificate files |
 | minio.disableWebUI | bool | `false` | Disable MinIO Web UI |
-| minio.enabled | bool | `true` | To |
+| minio.enabled | bool | `true` | Toggle whether to install MinIO |
 | minio.extraEnvVars | list | `[]` |  |
 | minio.fullnameOverride | string | `"testkube-enterprise-minio"` |  |
 | minio.metrics.serviceMonitor.enabled | bool | `false` | Toggle whether to create ServiceMonitor resource for scraping metrics using Prometheus Operator |
@@ -135,19 +136,30 @@ A Helm chart for Testkube Enterprise
 | testkube-cloud-api.api.agent.healthcheck.lock | string | `"kv"` | Agent healthcheck distributed mode (one of mongo|kv) - used for pods sync to run healthchecks on single pod at once |
 | testkube-cloud-api.api.agent.hide | bool | `false` |  |
 | testkube-cloud-api.api.agent.host | string | `""` | Agent host (without protocol) is used for building agent install commands (if blank, api will autogenerate it based on the value of `global.domain`) |
+| testkube-cloud-api.api.agent.keepAlive | bool | `false` | Toggle whether to enable agent grpc keepalive pings |
 | testkube-cloud-api.api.agent.port | int | `443` | Agent port - used for building agent install commands |
+| testkube-cloud-api.api.debug.enableGrpcServerLogs | bool | `false` | Toggle whether to enable gRPC server logs |
+| testkube-cloud-api.api.debug.enableHttp2Logs | bool | `false` | Toggle whether to enable debug logs by setting the GODEBUG=http2debug=2 |
 | testkube-cloud-api.api.inviteMode | string | `"email"` | Configure which invitation mode to use (email|auto-accept): email uses SMTP protocol to send email invites and auto-accept immediately adds them |
 | testkube-cloud-api.api.migrations.enabled | bool | `false` | Toggle whether to run database migrations |
 | testkube-cloud-api.api.migrations.image.repository | string | `"testkubeenterprise/testkube-enterprise-api-migrations"` | Migrations image repository |
 | testkube-cloud-api.api.migrations.ttlSecondsAfterFinished | int | `90` |  |
 | testkube-cloud-api.api.migrations.useHelmHooks | bool | `false` | Toggle whether to enable pre-install & pre-upgrade hooks (should be disabled if mongo is installed using this chart) |
 | testkube-cloud-api.api.minio.accessKeyId | string | `"testkube-enterprise"` | MinIO access key id |
+| testkube-cloud-api.api.minio.certSecret.baseMountPath | string | `"/etc/client-certs/storage"` | Base path to mount the client certificate secret |
+| testkube-cloud-api.api.minio.certSecret.caFile | string | `"ca.crt"` | Path to ca file (used for self-signed certificates) |
+| testkube-cloud-api.api.minio.certSecret.certFile | string | `"cert.crt"` | Path to client certificate file |
+| testkube-cloud-api.api.minio.certSecret.enabled | bool | `false` | Toggle whether to mount k8s secret which contains storage client certificate (cert.crt, cert.key, ca.crt) |
+| testkube-cloud-api.api.minio.certSecret.keyFile | string | `"cert.key"` | Path to client certificate key file |
+| testkube-cloud-api.api.minio.certSecret.name | string | `"storage-client-cert"` | Name of the storage client certificate secret |
 | testkube-cloud-api.api.minio.credsSecretRef | string | `""` | Credentials secret ref (secret should contain keys: root-user, root-password, token) (default is `testkube-cloud-minio-secret`) |
 | testkube-cloud-api.api.minio.endpoint | string | `"{{ .Values.global.storageApiSubdomain }}.{{ .Values.global.domain }}"` | Define the MinIO service endpoint. Leave empty to auto-generate when using bundled MinIO. Specify if using an external MinIO service |
 | testkube-cloud-api.api.minio.expirationPeriod | int | `0` | Expiration period in days |
+| testkube-cloud-api.api.minio.mountCACertificate | bool | `false` | If enabled, will also require a CA certificate to be provided |
 | testkube-cloud-api.api.minio.region | string | `""` | S3 region |
 | testkube-cloud-api.api.minio.secretAccessKey | string | `"t3stkub3-3nt3rpr1s3"` | MinIO secret access key |
 | testkube-cloud-api.api.minio.secure | bool | `true` | Should be set to `true` if MinIO is exposed through HTTPS |
+| testkube-cloud-api.api.minio.skipVerify | bool | `false` | Toggle whether to verify TLS certificates |
 | testkube-cloud-api.api.minio.token | string | `""` | MinIO token |
 | testkube-cloud-api.api.mongo.database | string | `"testkubeEnterpriseDB"` | Mongo database name |
 | testkube-cloud-api.api.mongo.dsn | string | `"mongodb://testkube-enterprise-mongodb:27017"` | Mongo DSN connection string |
@@ -178,9 +190,18 @@ A Helm chart for Testkube Enterprise
 | testkube-cloud-ui.ingress.tlsSecretName | string | `"testkube-enterprise-ui-tls"` | Name of the TLS secret which contains the certificate files |
 | testkube-cloud-ui.ingressRedirect | object | `{"enabled":false}` | Toggle whether to enable redirect Ingress which allows having a different subdomain redirecting to the actual Dashboard UI Ingress URL |
 | testkube-cloud-ui.ui.authStrategy | string | `""` | Auth strategy to use (possible values: "" (default), "gitlab", "github"), setting to "" enables all auth strategies, if you use a custom Dex connector, set this to the id of the connector |
+| testkube-logs-service.api.mongo.database | string | `"testkubeEnterpriseDB"` | Mongo database name |
+| testkube-logs-service.api.mongo.dsn | string | `"mongodb://testkube-enterprise-mongodb:27017"` | Mongo DSN connection string |
+| testkube-logs-service.api.nats.uri | string | `"nats://testkube-enterprise-nats:4222"` | NATS URI |
+| testkube-logs-service.api.tls.certManager.issuerKind | string | `"ClusterIssuer"` | Certificate Issuer kind (only used if `provider` is set to `cert-manager`) |
+| testkube-logs-service.api.tls.serveHTTPS | bool | `false` |  |
+| testkube-logs-service.api.tls.tlsSecret | string | `"testkube-enterprise-api-tls"` |  |
+| testkube-logs-service.fullnameOverride | string | `"testkube-enterprise-logs-service"` |  |
+| testkube-logs-service.image.tag | string | `"v0-20240214-145418"` |  |
+| testkube-worker-service.api.nats.uri | string | `"nats://testkube-enterprise-nats:4222"` |  |
 | testkube-worker-service.fullnameOverride | string | `"testkube-enterprise-worker-service"` |  |
 | testkube-worker-service.image.repository | string | `"testkubeenterprise/testkube-enterprise-worker-service"` |  |
 | testkube-worker-service.image.tag | string | `"1.9.0-rc-e5167f6a"` |  |
 
 ----------------------------------------------
-Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0)
+Autogenerated from chart metadata using [helm-docs v1.13.0](https://github.com/norwoodj/helm-docs/releases/v1.13.0)
diff --git a/charts/testkube-enterprise/values.yaml b/charts/testkube-enterprise/values.yaml
@@ -193,6 +193,23 @@ testkube-cloud-api:
       expirationPeriod: 0
       # -- Should be set to `true` if MinIO is exposed through HTTPS
       secure: true
+      # -- Toggle whether to verify TLS certificates
+      skipVerify: false
+      # -- If enabled, will also require a CA certificate to be provided
+      mountCACertificate: false
+      certSecret:
+        # -- Toggle whether to mount k8s secret which contains storage client certificate (cert.crt, cert.key, ca.crt)
+        enabled: false
+        # -- Name of the storage client certificate secret
+        name: "storage-client-cert"
+        # -- Base path to mount the client certificate secret
+        baseMountPath: /etc/client-certs/storage
+        # -- Path to client certificate file
+        certFile: "cert.crt"
+        # -- Path to client certificate key file
+        keyFile: "cert.key"
+        # -- Path to ca file (used for self-signed certificates)
+        caFile: "ca.crt"
     sendgrid:
       # -- Sendgrid API key
       apiKey: ""