

[bitnami/milvus] feat: config external kafka tls client certs settings (
#26110)

Signed-off-by: Chen Rao <[email protected]>
chenraoCR committed May 21, 2024
1 parent 08dbac5 commit 76021be
Showing 12 changed files with 164 additions and 28 deletions.
2 changes: 1 addition & 1 deletion bitnami/milvus/Chart.yaml
Expand Up @@ -48,4 +48,4 @@ maintainers:
name: milvus
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/milvus
version: 7.0.5
version: 7.1.0
8 changes: 7 additions & 1 deletion bitnami/milvus/README.md
Expand Up @@ -1743,7 +1743,7 @@ wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc=
### External Kafka parameters

| Name | Description | Value |
| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | --------------------- |
|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------| --------------------- |
| `externalKafka.servers` | External Kafka brokers | `["localhost"]` |
| `externalKafka.port` | External Kafka port | `9092` |
| `externalKafka.listener.protocol` | Kafka listener protocol. Allowed protocols: PLAINTEXT, SASL_PLAINTEXT, SASL_SSL and SSL | `PLAINTEXT` |
Expand All @@ -1752,6 +1752,12 @@ wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc=
| `externalKafka.sasl.existingSecret` | Name of the existing secret containing a password for SASL authentication (under the key named "client-passwords") | `""` |
| `externalKafka.sasl.existingSecretPasswordKey` | Name of the secret key containing the Kafka client user password | `kafka-root-password` |
| `externalKafka.sasl.enabledMechanisms` | Kafka enabled SASL mechanisms | `PLAIN` |
| `externalKafka.tls.enabled` | Enable TLS for Kafka client connections. | `false` |
| `externalKafka.tls.existingSecret` | Name of the existing secret containing the TLS certificates for external kafka client communications. | `""` |
| `externalKafka.tls.cert` | The secret key from the existingSecret if 'cert' key different from the default (tls.crt) | `tls.crt` |
| `externalKafka.tls.key` | The secret key from the existingSecret if 'key' key different from the default (tls.key) | `tls.key` |
| `externalKafka.tls.caCert` | The secret key from the existingSecret if 'caCert' key different from the default (ca.crt) | `ca.crt` |
| `externalKafka.tls.keyPassword` | Password to access the password-protected PEM key if necessary. | `""` |

### etcd sub-chart parameters

35 changes: 27 additions & 8 deletions bitnami/milvus/templates/_helpers.tpl
Expand Up @@ -772,7 +772,7 @@ Init container definition for waiting for the database to be ready

echo "Connection success"
exit 0
{{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
volumeMounts:
- name: etcd-client-certs
mountPath: /bitnami/milvus/conf/cert/etcd/client
Expand Down Expand Up @@ -990,22 +990,41 @@ Init container definition for waiting for the database to be ready
cp -r /opt/bitnami/milvus/configs/. /bitnami/milvus/rendered-conf
# Build final milvus.yaml with the sections of the different files
find /bitnami/milvus/conf -type f -name *.yaml -print0 | sort -z | xargs -0 yq eval-all '. as $item ireduce ({}; . * $item )' /bitnami/milvus/rendered-conf/milvus.yaml > /bitnami/milvus/rendered-conf/pre-render-config_00.yaml

# Kafka settings
{{- if (include "milvus.kafka.deployed" .context) }}
# HACK: In order to enable Kafka we need to remove all Pulsar settings from the configuration file
# https://github.com/milvus-io/milvus/blob/master/configs/milvus.yaml#L110
yq 'del(.pulsar)' /bitnami/milvus/rendered-conf/pre-render-config_00.yaml > /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
yq e -i '.common.security.tlsMode = {{ .context.Values.proxy.tls.mode }}' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
{{- if ne (int .context.Values.proxy.tls.mode) 0 }}
yq e -i '.tls.serverPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.cert }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
yq e -i '.tls.serverKeyPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.key }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
{{- if eq (int .context.Values.proxy.tls.mode) 2 }}
yq e -i '.tls.caPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
# Kafka TLS settings
{{- if and (not .context.Values.kafka.enabled) .context.Values.externalKafka.tls.enabled .context.Values.externalKafka.tls.existingSecret }}
yq e -i '.kafka.ssl.enabled = true' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
{{- if and .context.Values.externalKafka.tls.cert .context.Values.externalKafka.tls.key }}
yq e -i '.kafka.ssl.tlsCert = "/opt/bitnami/milvus/configs/cert/kafka/client/{{ .context.Values.externalKafka.tls.cert }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
yq e -i '.kafka.ssl.tlsKey = "/opt/bitnami/milvus/configs/cert/kafka/client/{{ .context.Values.externalKafka.tls.key }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
{{- end }}
{{- if .context.Values.externalKafka.tls.caCert }}
yq e -i '.kafka.ssl.tlsCaCert = "/opt/bitnami/milvus/configs/cert/kafka/client/{{ .context.Values.externalKafka.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
{{- end }}
{{- if .context.Values.externalKafka.tls.keyPassword }}
yq e -i '.kafka.ssl.tlsKeyPassword = "{{ .context.Values.externalKafka.tls.keyPassword }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
{{- end }}
{{- end }}
{{- else }}
mv /bitnami/milvus/rendered-conf/pre-render-config_00.yaml /bitnami/milvus/rendered-conf/pre-render-config_01.yaml
{{- end }}
render-template /bitnami/milvus/rendered-conf/pre-render-config_01.yaml > /bitnami/milvus/rendered-conf/milvus.yaml

# Milvus server TLS settings
yq e '.common.security.tlsMode = {{ .context.Values.proxy.tls.mode }}' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml > /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
{{- if ne (int .context.Values.proxy.tls.mode) 0 }}
yq e -i '.tls.serverPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.cert }}"' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
yq e -i '.tls.serverKeyPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.key }}"' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
{{- if eq (int .context.Values.proxy.tls.mode) 2 }}
yq e -i '.tls.caPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml
{{- end }}
{{- end }}

render-template /bitnami/milvus/rendered-conf/pre-render-config_02.yaml > /bitnami/milvus/rendered-conf/milvus.yaml
rm /bitnami/milvus/rendered-conf/pre-render-config*
chmod 644 /bitnami/milvus/rendered-conf/milvus.yaml
env:
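Review bot: On the `.kafka.ssl.tlsKeyPassword` line the key password from values is interpolated verbatim into the init-container's shell script, so it lands in the rendered pod spec and, after the `chmod 644` further down, in a world-readable milvus.yaml inside the container, whereas the certificate and key themselves are deliberately taken from `externalKafka.tls.existingSecret`. Nothing escapes the value either, so a password containing `'` or `"` breaks out of the single-quoted yq expression. I would pass the password from a Secret key into an environment variable of the init container and write a reference to that variable into the config, leaving expansion to `render-template` (already used on the next stage) — presumably it resolves such references, but confirm against the tool. Separately, `{{- if and .context.Values.externalKafka.tls.cert .context.Values.externalKafka.tls.key }}` silently configures neither path when only one of the two is set, although `.kafka.ssl.enabled = true` has already been written; a `fail` there would surface the misconfiguration at template time. The enclosing template definition starts above the hunk.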
15 changes: 13 additions & 2 deletions bitnami/milvus/templates/data-coordinator/deployment.yaml
Expand Up @@ -176,11 +176,16 @@ spec:
- name: empty-dir
mountPath: /bitnami/milvus/data
subPath: app-data-dir
{{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
readOnly: true
{{- end }}
{{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }}
- name: kafka-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
readOnly: true
{{- end }}
{{- if .Values.dataCoord.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.dataCoord.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
Expand All @@ -206,12 +211,18 @@ spec:
configMap:
name: {{ template "milvus.data-coordinator.extraConfigmapName" . }}
{{- end }}
{{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
secret:
secretName: {{ .Values.externalEtcd.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }}
- name: kafka-client-certs
secret:
secretName: {{ .Values.externalKafka.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if .Values.dataCoord.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.dataCoord.extraVolumes "context" $) | nindent 8 }}
{{- end }}
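Review bot: The guard `{{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }}` is repeated verbatim for the mount and the volume here and again in the data-node, index-coordinator, index-node and proxy deployments, while the config rendering in _helpers.tpl keys its surrounding block on `include "milvus.kafka.deployed"` instead; a named template such as `milvus.externalKafka.tls.enabled` returning that condition would keep the six sites from drifting. It would also give one place to reject `externalKafka.tls.enabled: true` combined with an empty `existingSecret`, which the current guards silently treat as TLS off. The volume definition itself mirrors the existing etcd-client-certs entry, so no change is needed there.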
15 changes: 13 additions & 2 deletions bitnami/milvus/templates/data-node/deployment.yaml
Expand Up @@ -176,11 +176,16 @@ spec:
- name: empty-dir
mountPath: /bitnami/milvus/data
subPath: app-data-dir
{{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
readOnly: true
{{- end }}
{{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }}
- name: kafka-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
readOnly: true
{{- end }}
{{- if .Values.dataNode.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.dataNode.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
Expand All @@ -206,12 +211,18 @@ spec:
configMap:
name: {{ template "milvus.data-node.extraConfigmapName" . }}
{{- end }}
{{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
secret:
secretName: {{ .Values.externalEtcd.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }}
- name: kafka-client-certs
secret:
secretName: {{ .Values.externalKafka.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if .Values.dataNode.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.dataNode.extraVolumes "context" $) | nindent 8 }}
{{- end }}
15 changes: 13 additions & 2 deletions bitnami/milvus/templates/index-coordinator/deployment.yaml
Expand Up @@ -176,11 +176,16 @@ spec:
- name: empty-dir
mountPath: /bitnami/milvus/data
subPath: app-data-dir
{{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
readOnly: true
{{- end }}
{{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }}
- name: kafka-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
readOnly: true
{{- end }}
{{- if .Values.indexCoord.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.indexCoord.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
Expand All @@ -206,12 +211,18 @@ spec:
configMap:
name: {{ template "milvus.index-coordinator.extraConfigmapName" . }}
{{- end }}
{{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
secret:
secretName: {{ .Values.externalEtcd.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }}
- name: kafka-client-certs
secret:
secretName: {{ .Values.externalKafka.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if .Values.indexCoord.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.indexCoord.extraVolumes "context" $) | nindent 8 }}
{{- end }}
15 changes: 13 additions & 2 deletions bitnami/milvus/templates/index-node/deployment.yaml
Expand Up @@ -176,11 +176,16 @@ spec:
- name: empty-dir
mountPath: /bitnami/milvus/data
subPath: app-data-dir
{{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
readOnly: true
{{- end }}
{{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }}
- name: kafka-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
readOnly: true
{{- end }}
{{- if .Values.indexNode.extraVolumeMounts }}
{{- include "common.tplvalues.render" (dict "value" .Values.indexNode.extraVolumeMounts "context" $) | nindent 12 }}
{{- end }}
Expand All @@ -206,12 +211,18 @@ spec:
configMap:
name: {{ template "milvus.index-node.extraConfigmapName" . }}
{{- end }}
{{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
secret:
secretName: {{ .Values.externalEtcd.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }}
- name: kafka-client-certs
secret:
secretName: {{ .Values.externalKafka.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if .Values.indexNode.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.indexNode.extraVolumes "context" $) | nindent 8 }}
{{- end }}
19 changes: 15 additions & 4 deletions bitnami/milvus/templates/proxy/deployment.yaml
Expand Up @@ -178,12 +178,17 @@ spec:
- name: empty-dir
mountPath: /bitnami/milvus/data
subPath: app-data-dir
{{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/etcd/client
readOnly: true
{{- end }}
{{- if and (ne (int .Values.proxy.tls.mode) 0) (not (empty .Values.proxy.tls.existingSecret)) }}
{{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }}
- name: kafka-client-certs
mountPath: /opt/bitnami/milvus/configs/cert/kafka/client
readOnly: true
{{- end }}
{{- if and (ne (int .Values.proxy.tls.mode) 0) .Values.proxy.tls.existingSecret }}
- name: milvus-certs
mountPath: /opt/bitnami/milvus/configs/cert/milvus
readOnly: true
Expand Down Expand Up @@ -213,18 +218,24 @@ spec:
configMap:
name: {{ template "milvus.proxy.extraConfigmapName" . }}
{{- end }}
{{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }}
{{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }}
- name: etcd-client-certs
secret:
secretName: {{ .Values.externalEtcd.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (ne (int .Values.proxy.tls.mode) 0) (not (empty .Values.proxy.tls.existingSecret)) }}
{{- if and (ne (int .Values.proxy.tls.mode) 0) .Values.proxy.tls.existingSecret }}
- name: milvus-certs
secret:
secretName: {{ .Values.proxy.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }}
- name: kafka-client-certs
secret:
secretName: {{ .Values.externalKafka.tls.existingSecret }}
defaultMode: 256
{{- end }}
{{- if .Values.proxy.extraVolumes }}
{{- include "common.tplvalues.render" (dict "value" .Values.proxy.extraVolumes "context" $) | nindent 8 }}
{{- end }}
