-
Notifications
You must be signed in to change notification settings - Fork 10
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #155 from warpstreamlabs/bettercerts
easy certificates and mtls
- Loading branch information
Showing
8 changed files
with
256 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
46 changes: 46 additions & 0 deletions
46
charts/warpstream-agent/ci/playground-sts-cert-mtls-values.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,46 @@ | ||
# Need override os we have a static release name for certificates while testing | ||
fullnameOverride: "playground-sts-cert" | ||
|
||
config: | ||
playground: true | ||
|
||
# testing with statefulset | ||
deploymentKind: StatefulSet | ||
|
||
certificate: | ||
# Set to true to enable TLS termination on the WarpStream agent | ||
# see TLS documentation for details https://docs.warpstream.com/warpstream/byoc/advanced-agent-deployment-options/protect-data-in-motion-with-tls-encryption#tls-encryption-overview | ||
enableTLS: true | ||
|
||
# The Kubernetes TLS secret that contains a certificate and private key | ||
# see https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets | ||
secretName: "ci-certificate" | ||
|
||
mtls: | ||
# Set to true to enable mutual TLS on the WarpStream agent, requires enableTLS set to true | ||
# see mTLS documentation for details https://docs.warpstream.com/warpstream/byoc/authentication/mutual-tls-mtls | ||
enabled: true | ||
|
||
# The secret key reference for the certificate authority public key | ||
# If not set, the container's root certificate pool will be used for mtls client certificate verification | ||
# It is recommend to always set this to your CA's public key and not rely on the root certificate pool | ||
# see mTLS documentation for details on why using the root certificate pool is not recommended | ||
certificateAuthoritySecretKeyRef: | ||
name: "ci-certificate-ca" | ||
key: "ca.crt" | ||
|
||
# overriding resources so it fits on a runner | ||
resources: | ||
requests: | ||
cpu: 1 | ||
memory: 4Gi | ||
# we do not need the disk space, but Kubernetes will count some logs that it emits | ||
# about our containers towards our containers ephemeral usage and if we requested | ||
# 0 storage we could end up getting evicted unnecessarily when the node is under disk pressure. | ||
ephemeral-storage: "100Mi" | ||
limits: | ||
memory: 4Gi | ||
|
||
extraEnv: | ||
- name: WARPSTREAM_ADVERTISE_HOSTNAME_STRATEGY | ||
value: auto-ip4 # playground mode defaults to local so we need to override it for tests to pass |
33 changes: 33 additions & 0 deletions
33
charts/warpstream-agent/ci/playground-sts-cert-values.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,33 @@ | ||
# Need override os we have a static release name for certificates while testing | ||
fullnameOverride: "playground-sts-cert" | ||
|
||
config: | ||
playground: true | ||
|
||
# testing with statefulset | ||
deploymentKind: StatefulSet | ||
|
||
certificate: | ||
# Set to true to enable TLS termination on the WarpStream agent | ||
# see TLS documentation for details https://docs.warpstream.com/warpstream/byoc/advanced-agent-deployment-options/protect-data-in-motion-with-tls-encryption#tls-encryption-overview | ||
enableTLS: true | ||
|
||
# The Kubernetes TLS secret that contains a certificate and private key | ||
# see https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets | ||
secretName: "ci-certificate" | ||
|
||
# overriding resources so it fits on a runner | ||
resources: | ||
requests: | ||
cpu: 1 | ||
memory: 4Gi | ||
# we do not need the disk space, but Kubernetes will count some logs that it emits | ||
# about our containers towards our containers ephemeral usage and if we requested | ||
# 0 storage we could end up getting evicted unnecessarily when the node is under disk pressure. | ||
ephemeral-storage: "100Mi" | ||
limits: | ||
memory: 4Gi | ||
|
||
extraEnv: | ||
- name: WARPSTREAM_ADVERTISE_HOSTNAME_STRATEGY | ||
value: auto-ip4 # playground mode defaults to local so we need to override it for tests to pass |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters