From ccbf9a39dd3fd7850e8d72ee7d33ed4a1b16e830 Mon Sep 17 00:00:00 2001
From: Dejan Pejchev
Date: Mon, 11 Mar 2024 14:55:26 +0100
Subject: [PATCH] testkube-enterprise: add support for minio cert config
---
 charts/testkube-cloud-api/README.md | 13 +++++++++-
 .../templates/deployment.yaml | 12 +++++++++
 charts/testkube-cloud-api/values.yaml | 17 +++++++++++++
 charts/testkube-enterprise/README.md | 25 +++++++++++++++++--
 charts/testkube-enterprise/values.yaml | 17 +++++++++++++
 5 files changed, 81 insertions(+), 3 deletions(-)
diff --git a/charts/testkube-cloud-api/README.md b/charts/testkube-cloud-api/README.md
index 3f8514dce..04561fbef 100644
--- a/charts/testkube-cloud-api/README.md
+++ b/charts/testkube-cloud-api/README.md
@@ -34,9 +34,12 @@ A Helm chart for Testkube Cloud API | api.agent.healthcheck.lock | string | `"kv"` | Agent healthcheck distributed mode (one of mongo|kv) - used for pods sync to run healthchecks on single pod at once | | api.agent.hide | bool | `false` | | | api.agent.host | string | `""` | Agent host with protocol (example `agent.testkube.xyz`) | +| api.agent.keepAlive | bool | `false` | Toggle whether to enable agent grpc keepalive pings | | api.agent.port | string | `"443"` | Agent port | | api.apiAddress | string | `""` | API address (used in invitation emails) (example `https://api.testkube.xyz`) | | api.dashboardAddress | string | `""` | Dashboard address (used in invitation emails) (example `https://cloud.testkube.xyz`) | +| api.debug.enableGrpcServerLogs | bool | `false` | Toggle whether to enable gRPC server logs | +| api.debug.enableHttp2Logs | bool | `false` | Toggle whether to enable debug logs by setting the GODEBUG=http2debug=2 | | api.email.fromEmail | string | `"noreply@kubeshop.io"` | | | api.email.fromName | string | `"Testkube Cloud"` | | | api.inviteMode | string | `"email"` | Configure which invitation mode to use (email|auto-accept): email uses SMTP protocol to send email invites and auto-accept immediately adds them |
@@ -44,12 +47,20 @@ A Helm chart for Testkube Cloud API | api.migrations.ttlSecondsAfterFinished | int | `90` | TTL for the migration job | | api.migrations.useHelmHooks | bool | `true` | Toggle whether to enable pre-install & pre-upgrade hooks | | api.minio.accessKeyId | string | `""` | MinIO access key id | +| api.minio.certSecret.baseMountPath | string | `"/etc/client-certs/storage"` | Base path to mount the client certificate secret | +| api.minio.certSecret.caFile | string | `"ca.crt"` | Path to ca file (used for self-signed certificates) | +| api.minio.certSecret.certFile | string | `"cert.crt"` | Path to client certificate file | +| api.minio.certSecret.enabled | bool | `false` | Toggle whether to mount k8s secret which contains storage client certificate (cert.crt, cert.key, ca.crt) | +| api.minio.certSecret.keyFile | string | `"cert.key"` | Path to client certificate key file | +| api.minio.certSecret.name | string | `"storage-client-cert"` | Name of the storage client certificate secret | | api.minio.credsSecretRef | string | `""` | Credentials secret ref (secret should contain keys: root-user, root-password, token) (default is `testkube-cloud-minio-secret`) | | api.minio.endpoint | string | `"minio.testkube.svc.cluster.local:9000"` | MinIO endpoint | | api.minio.expirationPeriod | int | `0` | Expiration period in days | +| api.minio.mountCACertificate | bool | `false` | If enabled, will also require a CA certificate to be provided | | api.minio.region | string | `""` | S3 region | | api.minio.secretAccessKey | string | `""` | MinIO secret access key | | api.minio.secure | bool | `false` | Should be set to `true` if MinIO is behind | +| api.minio.skipVerify | bool | `false` | Toggle whether to verify TLS certificates | | api.minio.token | string | `""` | MinIO token | | api.mongo.database | string | `"testkubecloud"` | Mongo database name | | api.mongo.dsn | string | `"mongodb://mongodb.testkube.svc.cluster.local:27017"` | if mongoDsnSecretRef is empty 
(""), mongoDsn field will be used for setting the Mongo DSN connection string |
@@ -156,4 +167,4 @@ A Helm chart for Testkube Cloud API | websocketsIngress.labels | object | `{}` | Additional labels to add to the WebSocket Ingress resource | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +Autogenerated from chart metadata using [helm-docs v1.13.0](https://github.com/norwoodj/helm-docs/releases/v1.13.0)
diff --git a/charts/testkube-cloud-api/templates/deployment.yaml b/charts/testkube-cloud-api/templates/deployment.yaml
index c45f11fad..8c5e7068e 100644
--- a/charts/testkube-cloud-api/templates/deployment.yaml
+++ b/charts/testkube-cloud-api/templates/deployment.yaml
@@ -299,6 +299,18 @@ spec:
 {{- else }}
 value: "{{ .Values.api.minio.token }}"
 {{- end }}
+ - name: "MINIO_SKIP_VERIFY"
+ value: "{{ .Values.api.minio.skipVerify }}"
+ {{- if .Values.api.minio.certSecret.enabled }}
+ - name: "MINIO_CERT_FILE"
+ value: "{{ .Values.api.minio.certSecret.baseMountPath }}/{{ .Values.api.minio.certSecret.certFile }}"
+ - name: "MINIO_KEY_FILE"
+ value: "{{ .Values.api.minio.certSecret.baseMountPath }}/{{ .Values.api.minio.certSecret.keyFile }}"
+ {{- if .Values.api.minio.mountCACertificate }}
+ - name: "MINIO_CA_FILE"
+ value: "{{ .Values.api.minio.certSecret.baseMountPath }}/{{ .Values.api.minio.certSecret.caFile }}"
+ {{- end }}
+ {{- end }}
 {{- range $k, $v := .Values.additionalEnv }}
 - name: {{ $k }}
 value: "{{ $v }}"
diff --git a/charts/testkube-cloud-api/values.yaml b/charts/testkube-cloud-api/values.yaml
index ad3bac0c5..b5930e595 100644
--- a/charts/testkube-cloud-api/values.yaml
+++ b/charts/testkube-cloud-api/values.yaml
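Review bot: The `MINIO_CERT_FILE`, `MINIO_KEY_FILE` and `MINIO_CA_FILE` entries in the deployment.yaml hunk point into `certSecret.baseMountPath`, but nothing in this commit mounts the secret there: the diffstat counts 12 added lines for this template, all 12 are the env entries in this hunk, and `certSecret.name` is not referenced in it. Unless a matching `volumes`/`volumeMounts` pair already exists outside the hunk, enabling `certSecret` gives the API paths to files that are not in the container; the mount should be added under the same `certSecret.enabled` condition and marked `readOnly: true`. Second, `MINIO_CA_FILE` is only emitted when both `certSecret.enabled` and `mountCACertificate` are true, so a deployment that only needs to trust a private CA must also accept client-certificate paths, which makes `skipVerify: true` the easier and weaker choice. Consider gating the CA entry independently of the client certificate and documenting that dependency next to `mountCACertificate`. The enclosing container spec starts and ends outside the hunk.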
@@ -164,6 +164,23 @@ api:
 expirationPeriod: 0
 # -- Should be set to `true` if MinIO is behind
 secure: false
+ # -- Toggle whether to verify TLS certificates
+ skipVerify: false
+ # -- If enabled, will also require a CA certificate to be provided
+ mountCACertificate: false
+ certSecret:
+ # -- Toggle whether to mount k8s secret which contains storage client certificate (cert.crt, cert.key, ca.crt)
+ enabled: false
+ # -- Name of the storage client certificate secret
+ name: "storage-client-cert"
+ # -- Base path to mount the client certificate secret
+ baseMountPath: /etc/client-certs/storage
+ # -- Path to client certificate file
+ certFile: "cert.crt"
+ # -- Path to client certificate key file
+ keyFile: "cert.key"
+ # -- Path to ca file (used for self-signed certificates)
+ caFile: "ca.crt"
 sendgrid:
 # -- Sendgrid API key
 apiKey: ""
diff --git a/charts/testkube-enterprise/README.md b/charts/testkube-enterprise/README.md
index ab8488d03..0f0caa345 100644
--- a/charts/testkube-enterprise/README.md
+++ b/charts/testkube-enterprise/README.md
@@ -18,6 +18,7 @@ A Helm chart for Testkube Enterprise |------------|------|---------| | file://../testkube-cloud-api | testkube-cloud-api | 1.32.1 | | file://../testkube-cloud-ui | testkube-cloud-ui | 1.27.0 | +| file://../testkube-logs-service | testkube-logs-service | 1.0.0 | | file://../testkube-worker-service | testkube-worker-service | 1.29.0 | | https://charts.bitnami.com/bitnami | common | 2.13.3 | | https://charts.bitnami.com/bitnami | minio | 12.10.2 |
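Review bot: The comment on `skipVerify` in the cloud-api values.yaml hunk says "Toggle whether to verify TLS certificates", which reads as the opposite of the flag: the template passes it as `MINIO_SKIP_VERIFY`, so `true` presumably turns verification off. helm-docs copies this text into both READMEs, so I would reword it to `# -- Skip TLS certificate verification for the MinIO connection (insecure; prefer supplying the CA through certSecret.caFile)`. The same comment is added in the `charts/testkube-enterprise/values.yaml` hunk and should change there too. The `certFile`, `keyFile` and `caFile` comments call the values paths, but the template appends them to `baseMountPath`, so "file name inside the mounted secret" is more accurate. The `mountCACertificate` comment should also say that it only takes effect when `certSecret.enabled` is true.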
@@ -92,7 +93,7 @@ A Helm chart for Testkube Enterprise | minio.customIngress.labels | object | `{}` | Additional labels to add to the MinIO Ingress resource | | minio.customIngress.tls.tlsSecret | string | `"testkube-enterprise-minio-tls"` | TLS secret name which contains the certificate files | | minio.disableWebUI | bool | `false` | Disable MinIO Web UI | -| minio.enabled | bool | `true` | To | +| minio.enabled | bool | `true` | Toggle whether to install MinIO | | minio.extraEnvVars | list | `[]` | | | minio.fullnameOverride | string | `"testkube-enterprise-minio"` | | | minio.metrics.serviceMonitor.enabled | bool | `false` | Toggle whether to create ServiceMonitor resource for scraping metrics using Prometheus Operator | 
@@ -135,19 +136,30 @@ A Helm chart for Testkube Enterprise | testkube-cloud-api.api.agent.healthcheck.lock | string | `"kv"` | Agent healthcheck distributed mode (one of mongo|kv) - used for pods sync to run healthchecks on single pod at once | | testkube-cloud-api.api.agent.hide | bool | `false` | | | testkube-cloud-api.api.agent.host | string | `""` | Agent host (without protocol) is used for building agent install commands (if blank, api will autogenerate it based on the value of `global.domain`) | +| testkube-cloud-api.api.agent.keepAlive | bool | `false` | Toggle whether to enable agent grpc keepalive pings | | testkube-cloud-api.api.agent.port | int | `443` | Agent port - used for building agent install commands | +| testkube-cloud-api.api.debug.enableGrpcServerLogs | bool | `false` | Toggle whether to enable gRPC server logs | +| testkube-cloud-api.api.debug.enableHttp2Logs | bool | `false` | Toggle whether to enable debug logs by setting the GODEBUG=http2debug=2 | | testkube-cloud-api.api.inviteMode | string | `"email"` | Configure which invitation mode to use (email|auto-accept): email uses SMTP protocol to send email invites and auto-accept immediately adds them | | testkube-cloud-api.api.migrations.enabled | bool | `false` | Toggle whether to run database migrations | | testkube-cloud-api.api.migrations.image.repository | string | `"testkubeenterprise/testkube-enterprise-api-migrations"` | Migrations image repository | | testkube-cloud-api.api.migrations.ttlSecondsAfterFinished | int | `90` | | | testkube-cloud-api.api.migrations.useHelmHooks | bool | `false` | Toggle whether to enable pre-install & pre-upgrade hooks (should be disabled if mongo is installed using this chart) | | testkube-cloud-api.api.minio.accessKeyId | string | `"testkube-enterprise"` | MinIO access key id | +| testkube-cloud-api.api.minio.certSecret.baseMountPath | string | `"/etc/client-certs/storage"` | Base path to mount the client certificate secret | +| 
testkube-cloud-api.api.minio.certSecret.caFile | string | `"ca.crt"` | Path to ca file (used for self-signed certificates) | +| testkube-cloud-api.api.minio.certSecret.certFile | string | `"cert.crt"` | Path to client certificate file | +| testkube-cloud-api.api.minio.certSecret.enabled | bool | `false` | Toggle whether to mount k8s secret which contains storage client certificate (cert.crt, cert.key, ca.crt) | +| testkube-cloud-api.api.minio.certSecret.keyFile | string | `"cert.key"` | Path to client certificate key file | +| testkube-cloud-api.api.minio.certSecret.name | string | `"storage-client-cert"` | Name of the storage client certificate secret | | testkube-cloud-api.api.minio.credsSecretRef | string | `""` | Credentials secret ref (secret should contain keys: root-user, root-password, token) (default is `testkube-cloud-minio-secret`) | | testkube-cloud-api.api.minio.endpoint | string | `"{{ .Values.global.storageApiSubdomain }}.{{ .Values.global.domain }}"` | Define the MinIO service endpoint. Leave empty to auto-generate when using bundled MinIO. 
Specify if using an external MinIO service | | testkube-cloud-api.api.minio.expirationPeriod | int | `0` | Expiration period in days | +| testkube-cloud-api.api.minio.mountCACertificate | bool | `false` | If enabled, will also require a CA certificate to be provided | | testkube-cloud-api.api.minio.region | string | `""` | S3 region | | testkube-cloud-api.api.minio.secretAccessKey | string | `"t3stkub3-3nt3rpr1s3"` | MinIO secret access key | | testkube-cloud-api.api.minio.secure | bool | `true` | Should be set to `true` if MinIO is exposed through HTTPS | +| testkube-cloud-api.api.minio.skipVerify | bool | `false` | Toggle whether to verify TLS certificates | | testkube-cloud-api.api.minio.token | string | `""` | MinIO token | | testkube-cloud-api.api.mongo.database | string | `"testkubeEnterpriseDB"` | Mongo database name | | testkube-cloud-api.api.mongo.dsn | string | `"mongodb://testkube-enterprise-mongodb:27017"` | Mongo DSN connection string | 
@@ -178,9 +190,18 @@ A Helm chart for Testkube Enterprise | testkube-cloud-ui.ingress.tlsSecretName | string | `"testkube-enterprise-ui-tls"` | Name of the TLS secret which contains the certificate files | | testkube-cloud-ui.ingressRedirect | object | `{"enabled":false}` | Toggle whether to enable redirect Ingress which allows having a different subdomain redirecting to the actual Dashboard UI Ingress URL | | testkube-cloud-ui.ui.authStrategy | string | `""` | Auth strategy to use (possible values: "" (default), "gitlab", "github"), setting to "" enables all auth strategies, if you use a custom Dex connector, set this to the id of the connector | +| testkube-logs-service.api.mongo.database | string | `"testkubeEnterpriseDB"` | Mongo database name | +| testkube-logs-service.api.mongo.dsn | string | `"mongodb://testkube-enterprise-mongodb:27017"` | Mongo DSN connection string | +| testkube-logs-service.api.nats.uri | string | `"nats://testkube-enterprise-nats:4222"` | NATS URI | +| testkube-logs-service.api.tls.certManager.issuerKind | string | `"ClusterIssuer"` | Certificate Issuer kind (only used if `provider` is set to `cert-manager`) | +| testkube-logs-service.api.tls.serveHTTPS | bool | `false` | | +| testkube-logs-service.api.tls.tlsSecret | string | `"testkube-enterprise-api-tls"` | | +| testkube-logs-service.fullnameOverride | string | `"testkube-enterprise-logs-service"` | | +| testkube-logs-service.image.tag | string | `"v0-20240214-145418"` | | +| testkube-worker-service.api.nats.uri | string | `"nats://testkube-enterprise-nats:4222"` | | | testkube-worker-service.fullnameOverride | string | `"testkube-enterprise-worker-service"` | | | testkube-worker-service.image.repository | string | `"testkubeenterprise/testkube-enterprise-worker-service"` | | | testkube-worker-service.image.tag | string | `"1.9.0-rc-e5167f6a"` | | ---------------------------------------------- -Autogenerated from chart metadata using [helm-docs 
v1.11.0](https://github.com/norwoodj/helm-docs/releases/v1.11.0) +Autogenerated from chart metadata using [helm-docs v1.13.0](https://github.com/norwoodj/helm-docs/releases/v1.13.0)
diff --git a/charts/testkube-enterprise/values.yaml b/charts/testkube-enterprise/values.yaml
index 14dfc5e03..81720c6c3 100644
--- a/charts/testkube-enterprise/values.yaml
+++ b/charts/testkube-enterprise/values.yaml
@@ -193,6 +193,23 @@ testkube-cloud-api:
 expirationPeriod: 0
 # -- Should be set to `true` if MinIO is exposed through HTTPS
 secure: true
+ # -- Toggle whether to verify TLS certificates
+ skipVerify: false
+ # -- If enabled, will also require a CA certificate to be provided
+ mountCACertificate: false
+ certSecret:
+ # -- Toggle whether to mount k8s secret which contains storage client certificate (cert.crt, cert.key, ca.crt)
+ enabled: false
+ # -- Name of the storage client certificate secret
+ name: "storage-client-cert"
+ # -- Base path to mount the client certificate secret
+ baseMountPath: /etc/client-certs/storage
+ # -- Path to client certificate file
+ certFile: "cert.crt"
+ # -- Path to client certificate key file
+ keyFile: "cert.key"
+ # -- Path to ca file (used for self-signed certificates)
+ caFile: "ca.crt"
 sendgrid:
 # -- Sendgrid API key
 apiKey: ""