TT-11204: add support for new redis configuration in component charts (
…#231)

* TT-11204: fix conflict

* TT-11204: rebase with main

* TT-11204: update component template

* TT-11204: remove secret spec in volumeMount

* TT-11204: change redis gateway env names

* TT-11204: update redis ssl key and cert names

* TT-11204: add redis config to umbrella charts

* TT-11204: add redis config to umbrella charts

* TT-11204: update redis tls configuration for min and max version

---------

Co-authored-by: Burak Sekili <[email protected]>
olamilekan000 and buraksekili authored Mar 5, 2024
1 parent ec7c706 commit d4d1c9e
Showing 16 changed files with 438 additions and 22 deletions.
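--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,4 @@
+ct:
+ct lint --config ct.yaml --all
+
+.PHONY: ct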
1 change: 0 additions & 1 deletion components/tyk-bootstrap/Chart.yaml
@@ -18,4 +18,3 @@ type: application
version: 1.0.0
sources:
- https://github.com/TykTechnologies/tyk-charts/tree/main/components/tyk-bootstrap

41 changes: 40 additions & 1 deletion components/tyk-dashboard/templates/deployment-dashboard.yaml
@@ -155,6 +155,30 @@ spec:

- name: TYK_DB_REDISADDRS
value: {{ include "tyk-dashboard.redis_url" . | quote }}

{{- if .Values.global.redis.useSSL }}
- name: TYK_DB_REDISTLSMAXVERSION
value: "{{ .Values.global.redis.tlsMaxVersion }}"
- name: TYK_DB_REDISTLSMINVERSION
value: "{{ .Values.global.redis.tlsMinVersion }}"
{{- end}}

{{- with .Values.global.redis }}
{{- if and .useSSL .caFile }}
- name: TYK_DB_REDISCAFILE
value: "{{ .caFile }}"
{{- end }}
{{- end }}

{{- with .Values.global.redis }}
{{- if and .useSSL .certFile .keyFile }}
- name: TYK_DB_REDISCERTFILE
value: "{{ .certFile }}"
- name: TYK_DB_REDISKEYFILE
value: "{{ .keyFile }}"
{{- end }}
{{- end }}

- name: TYK_DB_ENABLECLUSTER
value: "{{ default "false" .Values.global.redis.enableCluster }}"
- name: TYK_DB_REDISPASSWORD
@@ -165,7 +189,7 @@ spec:
- name: TYK_DB_REDISUSESSL
value: "{{ default "false" .Values.global.redis.useSSL }}"
- name: TYK_DB_REDISSSLINSECURESKIPVERIFY
value: "true"
value: "{{ .Values.global.redis.sslInsecureSkipVerify }}"

- name: TYK_DB_HTTPSERVEROPTIONS_USESSL
value: "{{ .Values.global.tls.dashboard }}"
@@ -236,6 +260,13 @@ spec:
ports:
- containerPort: {{ .Values.global.servicePorts.dashboard }}
volumeMounts:
{{- with .Values.global.redis }}
{{- if and .useSSL .volumeName .certificatesMountPath }}
- name: {{ .volumeName }}
mountPath: {{ .certificatesMountPath }}
{{- end }}
{{- end }}

{{- if semverCompare "<=5.0.2" .Values.dashboard.image.tag }}
- name: analytics-conf
mountPath: /etc/tyk-dashboard
@@ -270,6 +301,14 @@ spec:
{{- toYaml .Values.dashboard.securityContext | nindent 10 }}
{{- end }}
volumes:
{{- with .Values.global.redis }}
{{- if and .useSSL .secretName .volumeName }}
- name: {{ .volumeName }}
secret:
secretName: {{ .secretName }}
{{- end }}
{{- end }}

{{- if semverCompare "<=5.0.2" .Values.dashboard.image.tag }}
- name: analytics-conf
emptyDir: {}
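Review bot: `TYK_DB_REDISSSLINSECURESKIPVERIFY` now renders `.Values.global.redis.sslInsecureSkipVerify` with no fallback, unlike the neighbouring `TYK_DB_REDISUSESSL` line, so a values file that omits the key leaves the setting that controls Redis server certificate verification empty. I would fail closed with `value: "{{ default "false" .Values.global.redis.sslInsecureSkipVerify }}"`; a `default "true"` would be wrong here because `default` treats a boolean `false` as empty and would override an explicit request to verify. The same unguarded render is used for `TYK_GW_STORAGE_SSLINSECURESKIPVERIFY` in deployment-gw-repset.yaml and `TYK_MDCB_STORAGE_REDISSSLINSECURESKIPVERIFY` in deployment-mdcb.yaml, and for the TLS min/max version variables in all three templates. How each component interprets an empty value is not visible on this page and should be confirmed.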
37 changes: 35 additions & 2 deletions components/tyk-dashboard/values.yaml
@@ -109,7 +109,40 @@ global:

# Enables SSL for Redis connection. Redis instance will have to support that.
# Default value: false
# useSSL: true
useSSL: false

# Set this to `true` to tell Dashboard to ignore database's cert validation.
# Default value: true
sslInsecureSkipVerify: true

# Path to the CA file.
caFile: "/etc/certs/ca.crt"

# The Volume mount path
# Default value: /etc/certs
certificatesMountPath: "/etc/certs"

# Path to the cert file.
certFile: "/etc/certs/redis.crt"

# Path to the key file.
keyFile: "/etc/certs/redis.key"

# Maximum supported TLS version. Valid values are TLS 1.0, 1.1, 1.2, 1.3.
# Default value: 1.3
tlsMaxVersion: "1.3"

# Minimum supported TLS version. Valid values are TLS 1.0, 1.1, 1.2, 1.3.
# Default value: 1.2
tlsMinVersion: "1.2"

# Name of the tls secret. A secret needs to be created for this manually using the name as specified here
# Default value: db-tls-secret
secretName: "db-tls-secret"

# Name of the volume where the secret will be mounted
# Default value: db-tls-secret-volume
volumeName: "db-tls-secret-volume"

# The enableCluster value will allow you to indicate to Tyk whether you are
# running a Redis cluster or not.
@@ -401,4 +434,4 @@ portal:
# tib is used to configure Tyk Identity Broker(TIB) connection details
tib:
# enabled is used to enable/disable embedded TIB
enabled: false
enabled: false
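Review bot: `sslInsecureSkipVerify: true` is the shipped default here (and in components/tyk-gateway/values.yaml), so an operator who only switches `useSSL` to true gets an encrypted Redis connection whose server certificate is never validated, while the `caFile` default beside it suggests validation is in place. Since this commit already adds a CA path, the safer default is `sslInsecureSkipVerify: false`, with the comment saying plainly that `true` disables certificate validation and is meant for test setups. That changes behaviour compared with the previously hard-coded `"true"` in the template, so it needs an upgrade note. The `tlsMinVersion`/`tlsMaxVersion` comments also list TLS 1.0 and 1.1 as valid without noting that they are deprecated; a remark recommending 1.2 or higher would help.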
2 changes: 1 addition & 1 deletion components/tyk-gateway/Chart.yaml
@@ -27,4 +27,4 @@ annotations:
- name: docs
url: https://tyk.io/docs/
- name: support
url: https://community.tyk.io/
url: https://community.tyk.io/
45 changes: 45 additions & 0 deletions components/tyk-gateway/templates/deployment-gw-repset.yaml
@@ -99,6 +99,37 @@ spec:
value: "{{ .Values.global.oasValidateExamples }}"
- name: TYK_GW_OAS_VALIDATE_SCHEMA_DEFAULTS
value: "{{ .Values.global.oasValidateSchemaDefaults }}"

- name: TYK_GW_ENABLE_LEAKY_BUCKET_RATE_LIMITER
value: "{{ .Values.gateway.enableLeakyBucketRateLimiter }}"

- name: TYK_GW_STORAGE_SSLINSECURESKIPVERIFY
value: "{{ .Values.global.redis.sslInsecureSkipVerify }}"

# Redis TLS configurations
{{- if .Values.global.redis.useSSL }}
- name: TYK_GW_STORAGE_TLSMAXVERSION
value: "{{ .Values.global.redis.tlsMaxVersion }}"
- name: TYK_GW_STORAGE_TLSMINVERSION
value: "{{ .Values.global.redis.tlsMinVersion }}"
{{- end }}

{{- with .Values.global.redis }}
{{- if and .useSSL .caFile }}
- name: TYK_GW_STORAGE_CAFILE
value: "{{ .caFile }}"
{{- end }}
{{- end }}

{{- with .Values.global.redis }}
{{- if and .useSSL .certFile .keyFile }}
- name: TYK_GW_STORAGE_CERTFILE
value: "{{ .certFile }}"
- name: TYK_GW_STORAGE_KEYFILE
value: "{{ .keyFile }}"
{{- end }}
{{- end }}

# Legacy support for Redis Cluster driver. Driver dropped in v3.0.0.
- name: REDIGOCLUSTER_SHARDCOUNT
value: "128"
@@ -344,6 +375,13 @@ spec:
mountPath: {{ .Values.gateway.tls.certificatesMountPath }}
{{ end }}

{{- with .Values.global.redis }}
{{- if and .useSSL .volumeName .certificatesMountPath }}
- name: {{ .volumeName }}
mountPath: {{ .certificatesMountPath }}
{{- end }}
{{- end }}

{{- if (.Values.gateway.opentelemetry.tls).certificateSecretName}}
- name: {{.Values.gateway.opentelemetry.tls.certificateSecretName}}
mountPath: "/etc/ssl/certs/"
@@ -400,3 +438,10 @@ spec:
secret:
secretName: {{ .Values.gateway.opentelemetry.tls.certificateSecretName }}
{{- end }}
{{- with .Values.global.redis }}
{{- if and .useSSL .secretName .volumeName }}
- name: {{ .volumeName }}
secret:
secretName: {{ .secretName }}
{{- end }}
{{- end }}
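Review bot: The Redis certificate mount and the volume it refers to are guarded by different conditions: the `volumeMounts` entry renders when `useSSL`, `volumeName` and `certificatesMountPath` are set, while the `volumes` entry at the end of the file requires `useSSL`, `secretName` and `volumeName`. If `secretName` is cleared (for example because certificates are supplied another way), the pod spec references a volume that is never defined and the API server will reject it. Use one condition for both blocks, e.g. `{{- if and .useSSL .secretName .volumeName .certificatesMountPath }}`, and consider adding `readOnly: true` to the mount since it carries the client private key. The same pair of guards appears in deployment-dashboard.yaml and deployment-mdcb.yaml.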
36 changes: 35 additions & 1 deletion components/tyk-gateway/values.yaml
@@ -71,7 +71,41 @@ global:

# Enables SSL for Redis connection. Redis instance will have to support that.
# Default value: false
# useSSL: true
useSSL: false

# Set this to `true` to tell Gateway to ignore database's cert validation.
# This should also be set to true if you're using a self signed certificate.
# Default value: true
sslInsecureSkipVerify: true

# The Volume mount path
# Default value: /tls
certificatesMountPath: "/tls"

# Path to the CA file.
caFile: "/tls/ca.crt"

# Path to the cert file.
certFile: "/tls/redis.crt"

# Path to the key file.
keyFile: "/tls/redis.key"

# Name of the tls secret. A secret needs to be created for this manually using the name as specified here
# Default value: gw-tls-secret
secretName: "gw-tls-secret"

# Name of the volume where the secret will be mounted
# Default value: gw-tls-secret-volume
volumeName: "gw-tls-secret-volume"

# Maximum supported TLS version. Valid values are TLS 1.0, 1.1, 1.2, 1.3.
# Default value: 1.3
tlsMaxVersion: "1.3"

# Minimum supported TLS version. Valid values are TLS 1.0, 1.1, 1.2, 1.3.
# Default value: 1.2
tlsMinVersion: "1.2"

# If using "Redis Cluster" set enableCluster to true
# (e.g. if using bitnami/redis-cluster)
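Review bot: The comment on `sslInsecureSkipVerify` advises setting it to true for self-signed certificates, which switches off server authentication entirely even though this same block adds `caFile` for that case. I would reword it along the lines of `# Disables verification of the Redis server certificate. For self-signed or private-CA certificates, keep this false and point caFile at the issuing CA.` This assumes the gateway honours `TYK_GW_STORAGE_CAFILE` while verification is on, which is not shown on this page and should be confirmed.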
48 changes: 45 additions & 3 deletions components/tyk-mdcb/templates/deployment-mdcb.yaml
@@ -64,7 +64,15 @@ spec:
{{- if .Values.mdcb.tls.useSSL }}
- name: {{ .Values.mdcb.tls.volumeName }}
mountPath: {{ .Values.mdcb.tls.certificatesMountPath }}
{{- end }}
{{- end }}

{{- with .Values.global.redis }}
{{- if and .useSSL .volumeName .certificatesMountPath }}
- name: {{ .volumeName }}
mountPath: {{ .certificatesMountPath }}
{{- end }}
{{- end }}

- name: mdcb-conf
mountPath: /etc/tyk-sink
{{- if .Values.mdcb.extraVolumeMounts }}
@@ -83,6 +91,31 @@ spec:
value: {{ include "mdcb.redis_url" . | quote }}
- name: TYK_MDCB_HASHKEYS
value: "{{ .Values.global.hashKeys }}"

# Redis TLS configurations
{{- if .Values.global.redis.useSSL }}
- name: TYK_MDCB_STORAGE_REDISSSLMAXVERSION
value: "{{ .Values.global.redis.sslMaxVersion }}"
- name: TYK_MDCB_STORAGE_REDISSSLMINVERSION
value: "{{ .Values.global.redis.sslMinVersion }}"
{{- end }}

{{- with .Values.global.redis }}
{{- if and .useSSL .sslCAFile }}
- name: TYK_MDCB_STORAGE_REDISSSLCAFILE
value: "{{ .sslCAFile }}"
{{- end }}
{{- end }}

{{- with .Values.global.redis }}
{{- if and .useSSL .sslCertFile .sslKeyFile }}
- name: TYK_MDCB_STORAGE_REDISSSLCERTFILE
value: "{{ .sslCertFile }}"
- name: TYK_MDCB_STORAGE_REDISSSLKEYFILE
value: "{{ .sslKeyFile }}"
{{- end }}
{{- end }}

{{- if .Values.mdcb.tls.useSSL }}
- name: TYK_MDCB_SERVEROPTIONS_USESSL
value: "{{ .Values.mdcb.tls.useSSL }}"
@@ -103,7 +136,7 @@ spec:
- name: TYK_MDCB_STORAGE_REDISUSESSL
value: "{{ default "false" .Values.global.redis.useSSL }}"
- name: TYK_MDCB_STORAGE_REDISSSLINSECURESKIPVERIFY
value: "{{ .Values.mdcb.redisSSLInsecureSkipVerify }}"
value: "{{ .Values.global.redis.sslInsecureSkipVerify }}"
- name: TYK_MDCB_FORWARDANALYTICSTOPUMP
value: "{{ .Values.mdcb.forwardAnalyticsToPump }}"
- name: TYK_MDCB_LICENSE
@@ -145,7 +178,16 @@ spec:
- name: {{ .Values.mdcb.tls.volumeName }}
secret:
secretName: {{ .Values.mdcb.tls.secretName }}
{{- end }}
{{- end }}

{{- with .Values.global.redis }}
{{- if and .useSSL .secretName .volumeName }}
- name: {{ .volumeName }}
secret:
secretName: {{ .secretName }}
{{- end }}
{{- end }}

- name: mdcb-conf
configMap:
name: mdcb-conf-{{ include "tyk-mdcb.fullname" . }}
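Review bot: The MDCB template reads `sslCAFile`, `sslCertFile`, `sslKeyFile`, `sslMinVersion` and `sslMaxVersion` from `.Values.global.redis`, whereas the dashboard and gateway templates in this commit read `caFile`, `certFile`, `keyFile`, `tlsMinVersion` and `tlsMaxVersion` from the same map. If the charts are installed together under a parent chart that sets one set of `global.redis` keys, MDCB would silently omit the CA and client-certificate variables (the `if and .useSSL .sslCAFile` style guards evaluate false) and render empty TLS version values. Either read the shared key names here and keep only the environment variable names MDCB-specific, e.g. `{{- if and .useSSL .caFile }}`, or document that MDCB needs its own keys.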
41 changes: 35 additions & 6 deletions components/tyk-mdcb/values.yaml
@@ -70,7 +70,40 @@ global:

# Enables SSL for Redis connection. Redis instance will have to support that.
# Default value: false
# useSSL: true
useSSL: false

# Allows usage of self-signed certificates when connecting to an encrypted Redis database.
# It is used to set TYK_MDCB_STORAGE_REDISSSLINSECURESKIPVERIFY
sslInsecureSkipVerify: false

# Path to the CA file.
sslCAFile: "/etc/certs/ca.crt"

# The Volume mount path
# Default value: /etc/certs
certificatesMountPath: "/etc/certs"

# Path to the cert file.
sslCertFile: "/etc/certs/redis.crt"

# Path to the key file.
sslKeyFile: "/etc/certs/redis.key"

# Maximum supported TLS version. Valid values are TLS 1.0, 1.1, 1.2, 1.3.
# Default value: 1.3
sslMaxVersion: "1.3"

# Minimum supported TLS version. Valid values are TLS 1.0, 1.1, 1.2, 1.3.
# Default value: 1.2
sslMinVersion: "1.2"

# Name of the tls secret. A secret needs to be created for this manually using the name as specified here
# Default value: mdcb-tls-secret
secretName: "mdcb-tls-secret"

# Name of the volume where the secret will be mounted
# Default value: mdcb-tls-secret-volume
volumeName: "mdcb-tls-secret-volume"

# If using "Redis Cluster" set enableCluster to true
# (e.g. if using bitnami/redis-cluster)
@@ -125,10 +158,6 @@ mdcb:
# It is used to set TYK_MDCB_LISTENPORT
listenPort: 9090

# Allows usage of self-signed certificates when connecting to an encrypted Redis database.
# It is used to set TYK_MDCB_STORAGE_REDISSSLINSECURESKIPVERIFY
redisSSLInsecureSkipVerify: false

# When it is set to true, instead of sending analytics directly to MongoDB,
# MDCB can send analytics to Redis. This will allow tyk-pump to pull
# analytics from Redis and send to your own data sinks.
@@ -304,4 +333,4 @@ mdcb:
secretName: "mdcb-tls-secret"

# the name of the volume
volumeName: "mdcb-tls-secret-volume"
volumeName: "mdcb-tls-secret-volume"
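Review bot: The new `global.redis.secretName` and `global.redis.volumeName` defaults, `mdcb-tls-secret` and `mdcb-tls-secret-volume`, are identical to the values shown at the end of this file under `mdcb:`, which appear to be the `mdcb.tls` defaults that deployment-mdcb.yaml also turns into a volume. With both `mdcb.tls.useSSL` and `global.redis.useSSL` enabled, the template would emit two volumes with the same name, which Kubernetes rejects. Even with the names changed, the MDCB server key pair and the Redis client key pair would by default come from one secret. Distinct defaults avoid both, e.g. `secretName: "mdcb-redis-tls-secret"` and `volumeName: "mdcb-redis-tls-secret-volume"`. Moving `redisSSLInsecureSkipVerify` from `mdcb` to `global.redis` also means existing overrides of the old key are silently ignored, which deserves an upgrade note.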
2 changes: 1 addition & 1 deletion components/tyk-pump/Chart.yaml
@@ -21,4 +21,4 @@ annotations:
- name: docs
url: https://tyk.io/docs/
- name: support
url: https://community.tyk.io/
url: https://community.tyk.io/