Merge pull request #10 from rqlite/topic/ca-cert-secret

Support CA certs from external secrets
rqlite · Jan 11, 2024 · 4e3228e · 4e3228e
2 parents bfbf80c + 9a49f97
commit 4e3228e
Show file tree

Hide file tree

Showing 2 changed files with 54 additions and 5 deletions.
diff --git a/charts/rqlite/templates/_statefulset.tpl b/charts/rqlite/templates/_statefulset.tpl
@@ -105,12 +105,24 @@ spec:
             secretName: {{ $config.tls.node.secretName }}
             defaultMode: 288 # 0400
       {{- end }}
+      {{- if $config.tls.node.caSecretName }}
+        - name: node-tls-ca
+          secret:
+            secretName: {{ $config.tls.node.caSecretName }}
+            defaultMode: 288 # 0400
+      {{- end }}
       {{- if $config.tls.client.secretName }}
         - name: client-tls
           secret:
             secretName: {{ $config.tls.client.secretName }}
             defaultMode: 288 # 0400
       {{- end }}
+      {{- if $config.tls.client.caSecretName }}
+        - name: client-tls-ca
+          secret:
+            secretName: {{ $config.tls.client.caSecretName }}
+            defaultMode: 288 # 0400
+      {{- end }}
       {{- if not (dig "persistence" "enabled" $.Values.persistence.enabled $values) }}
         - name: storage
           emptyDir: {}
@@ -159,7 +171,9 @@ spec:
             {{- else if kindIs "invalid" $config.tls.node.verifyServerName }}
               {{- fail "config.tls.node.verifyServerName must be defined when config.tls.node.enabled is true" }}
             {{- end }}
-            {{- if $config.tls.node.ca }}
+            {{- if $config.tls.node.caSecretName }}
+            - -node-ca-cert=/config/node-tls-ca/ca.crt
+            {{- else if $config.tls.node.ca }}
             - -node-ca-cert=/config/sensitive/node-ca.crt
             {{- end }}
             {{- if $config.tls.node.mutual }}
@@ -174,7 +188,9 @@ spec:
             {{- $basefile := empty $config.tls.client.secretName | ternary "/config/sensitive/client" "/config/client-tls/tls" }}
             - -http-cert={{ $basefile }}.crt
             - -http-key={{ $basefile }}.key
-            {{- if $config.tls.client.ca }}
+            {{- if $config.tls.client.caSecretName }}
+            - -http-ca-cert=/config/client-tls-ca/ca.crt
+            {{- else if $config.tls.client.ca }}
             - -http-ca-cert=/config/sensitive/client-ca.crt
             {{- end }}
             {{- if $config.tls.client.mutual }}
@@ -280,10 +296,18 @@ spec:
             - name: node-tls
               mountPath: /config/node-tls
             {{- end }}
+            {{- if $config.tls.node.caSecretName }}
+            - name: node-tls-ca
+              mountPath: /config/node-tls-ca
+            {{- end }}
             {{- if $config.tls.client.secretName }}
             - name: client-tls
               mountPath: /config/client-tls
             {{- end }}
+            {{- if $config.tls.client.caSecretName }}
+            - name: client-tls-ca
+              mountPath: /config/client-tls-ca
+            {{- end }}
   {{- $persistence := dig "persistence" $.Values.persistence $values }}
   {{- if $persistence.enabled }}
   volumeClaimTemplates:

diff --git a/charts/rqlite/values.yaml b/charts/rqlite/values.yaml
@@ -434,10 +434,27 @@ config:
       cert: ""
       # Server private key in PEM format. This is ignored if secretName is defined.
       key: ""
-      # Optional root CA certificate(s) used to validate certificates presented by other
-      # nodes. If not defined, the system's default trust store will be used. Mandatory if
-      # using a non-public CA.
+      # Optional PEM-formatted root CA certificate(s) used to validate certificates
+      # presented by other nodes. If not defined, the system's default trust store will be
+      # used. Mandatory if using a non-public CA. Multiple PEM certificates may be
+      # concatenated in this string to trust more than one authority.
+      #
+      # This value is unused if "mutual" above is false.
       ca: ""
+      # As an alternative to directly specifying the CA certificates in the "ca" field
+      # above, the CA(s) can be sourced from a Kubernetes Secret. The Secret must be
+      # pre-created in the same namespace, must contain a key "ca.crt" whose value is in
+      # PEM format.
+      #
+      # For example, if using cert-manager to generate certificates, some issuer types
+      # will include a ca.crt field in the Secret holding generated certificate. In this
+      # scenario, because rqlite uses the same certificate for both server and client
+      # certificates when mutual TLS is enabled, you may find it convenient to use the
+      # same Kubernetes Secret as "secretName" above.
+      #
+      # This value takes precedence over "ca" if defined, and is unused if "mutual" above
+      # is false.
+      caSecretName: null
 
     # TLS configuration for clients of the HTTP API.
     #
@@ -462,6 +479,14 @@ config:
       # when mutual TLS is in use. If not defined, the system's default trust store will
       # be used.
       ca: ""
+      # As an alternative to directly specifying the CA certificates in the "ca" field
+      # above, the CA(s) can be sourced from a Kubernetes Secret. The Secret must be
+      # pre-created in the same namespace, must contain a key "ca.crt" whose value is in
+      # PEM format.
+      #
+      # This value takes precedence over "ca" if defined, and is unused if "mutual" above
+      # is false.
+      caSecretName: null
 
 
   # When the users array is defined, HTTP basic authentication is enabled on rqlite. The