From 76021bed0893ecc2868c11a5de277d97bf52edf8 Mon Sep 17 00:00:00 2001
From: Chen Rao
Date: Mon, 20 May 2024 17:18:06 +0800
Subject: [PATCH] [bitnami/milvus] feat: config external kafka tls client certs settings (bitnami#26110)
Signed-off-by: Chen Rao
---
 bitnami/milvus/Chart.yaml | 2 +-
 bitnami/milvus/README.md | 8 ++++-
 bitnami/milvus/templates/_helpers.tpl | 35 ++++++++++++++-----
 .../data-coordinator/deployment.yaml | 15 ++++++--
 .../templates/data-node/deployment.yaml | 15 ++++++--
 .../index-coordinator/deployment.yaml | 15 ++++++--
 .../templates/index-node/deployment.yaml | 15 ++++++--
 .../milvus/templates/proxy/deployment.yaml | 19 +++++++---
 .../query-coordinator/deployment.yaml | 15 ++++++--
 .../templates/query-node/deployment.yaml | 15 ++++++--
 .../root-coordinator/deployment.yaml | 15 ++++++--
 bitnami/milvus/values.yaml | 23 ++++++++++++
 12 files changed, 164 insertions(+), 28 deletions(-)
diff --git a/bitnami/milvus/Chart.yaml b/bitnami/milvus/Chart.yaml
index d67d4c31aa4737..46aacdcaa48260 100644
--- a/bitnami/milvus/Chart.yaml
+++ b/bitnami/milvus/Chart.yaml
@@ -48,4 +48,4 @@ maintainers:
 name: milvus
 sources:
 - https://github.com/bitnami/charts/tree/main/bitnami/milvus
-version: 7.0.5
+version: 7.1.0
diff --git a/bitnami/milvus/README.md b/bitnami/milvus/README.md
index 322fd96cc01556..d3a4b622ec7e09 100644
--- a/bitnami/milvus/README.md
+++ b/bitnami/milvus/README.md
@@ -1743,7 +1743,7 @@ wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc= ### External Kafka parameters | Name | Description | Value | -| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------ | --------------------- | +|------------------------------------------------|--------------------------------------------------------------------------------------------------------------------| --------------------- | | `externalKafka.servers` | External Kafka brokers | `["localhost"]` | | `externalKafka.port` | External Kafka port | `9092` | | `externalKafka.listener.protocol` | Kafka listener protocol. Allowed protocols: PLAINTEXT, SASL_PLAINTEXT, SASL_SSL and SSL | `PLAINTEXT` | 
@@ -1752,6 +1752,12 @@ wrj2wDbCDCFmfqnSJ+dKI3vFLlEz44sAV8jX/kd4Y6ZTQhlLbYc= | `externalKafka.sasl.existingSecret` | Name of the existing secret containing a password for SASL authentication (under the key named "client-passwords") | `""` | | `externalKafka.sasl.existingSecretPasswordKey` | Name of the secret key containing the Kafka client user password | `kafka-root-password` | | `externalKafka.sasl.enabledMechanisms` | Kafka enabled SASL mechanisms | `PLAIN` | +| `externalKafka.tls.enabled` | Enable TLS for Kafka client connections. | `false` | +| `externalKafka.tls.existingSecret` | Name of the existing secret containing the TLS certificates for external kafka client communications. | `""` | +| `externalKafka.tls.cert` | The secret key from the existingSecret if 'cert' key different from the default (tls.crt) | `tls.crt` | +| `externalKafka.tls.key` | The secret key from the existingSecret if 'key' key different from the default (tls.key) | `tls.key` | +| `externalKafka.tls.caCert` | The secret key from the existingSecret if 'caCert' key different from the default (ca.crt) | `ca.crt` | +| `externalKafka.tls.keyPassword` | Password to access the password-protected PEM key if necessary. | `""` | ### etcd sub-chart parameters diff --git a/bitnami/milvus/templates/_helpers.tpl b/bitnami/milvus/templates/_helpers.tpl index 4614bdd21598d4..a1f0ea3f881f44 100644 --- a/bitnami/milvus/templates/_helpers.tpl +++ b/bitnami/milvus/templates/_helpers.tpl @@ -772,7 +772,7 @@ Init container definition for waiting for the database to be ready echo "Connection success" exit 0 - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} volumeMounts: - name: etcd-client-certs mountPath: /bitnami/milvus/conf/cert/etcd/client 
@@ -990,22 +990,41 @@ Init container definition for waiting for the database to be ready cp -r /opt/bitnami/milvus/configs/. /bitnami/milvus/rendered-conf # Build final milvus.yaml with the sections of the different files find /bitnami/milvus/conf -type f -name *.yaml -print0 | sort -z | xargs -0 yq eval-all '. as $item ireduce ({}; . * $item )' /bitnami/milvus/rendered-conf/milvus.yaml > /bitnami/milvus/rendered-conf/pre-render-config_00.yaml + + # Kafka settings {{- if (include "milvus.kafka.deployed" .context) }} # HACK: In order to enable Kafka we need to remove all Pulsar settings from the configuration file # https://github.com/milvus-io/milvus/blob/master/configs/milvus.yaml#L110 yq 'del(.pulsar)' /bitnami/milvus/rendered-conf/pre-render-config_00.yaml > /bitnami/milvus/rendered-conf/pre-render-config_01.yaml - yq e -i '.common.security.tlsMode = {{ .context.Values.proxy.tls.mode }}' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml - {{- if ne (int .context.Values.proxy.tls.mode) 0 }} - yq e -i '.tls.serverPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.cert }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml - yq e -i '.tls.serverKeyPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.key }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml - {{- if eq (int .context.Values.proxy.tls.mode) 2 }} - yq e -i '.tls.caPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml + # Kafka TLS settings + {{- if and (not .context.Values.kafka.enabled) .context.Values.externalKafka.tls.enabled .context.Values.externalKafka.tls.existingSecret }} + yq e -i '.kafka.ssl.enabled = true' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml + {{- if and .context.Values.externalKafka.tls.cert .context.Values.externalKafka.tls.key }} + yq e -i '.kafka.ssl.tlsCert = 
"/opt/bitnami/milvus/configs/cert/kafka/client/{{ .context.Values.externalKafka.tls.cert }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml + yq e -i '.kafka.ssl.tlsKey = "/opt/bitnami/milvus/configs/cert/kafka/client/{{ .context.Values.externalKafka.tls.key }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml + {{- end }} + {{- if .context.Values.externalKafka.tls.caCert }} + yq e -i '.kafka.ssl.tlsCaCert = "/opt/bitnami/milvus/configs/cert/kafka/client/{{ .context.Values.externalKafka.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml + {{- end }} + {{- if .context.Values.externalKafka.tls.keyPassword }} + yq e -i '.kafka.ssl.tlsKeyPassword = "{{ .context.Values.externalKafka.tls.keyPassword }}"' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml {{- end }} {{- end }} {{- else }} mv /bitnami/milvus/rendered-conf/pre-render-config_00.yaml /bitnami/milvus/rendered-conf/pre-render-config_01.yaml {{- end }} - render-template /bitnami/milvus/rendered-conf/pre-render-config_01.yaml > /bitnami/milvus/rendered-conf/milvus.yaml + + # Milvus server TLS settings + yq e '.common.security.tlsMode = {{ .context.Values.proxy.tls.mode }}' /bitnami/milvus/rendered-conf/pre-render-config_01.yaml > /bitnami/milvus/rendered-conf/pre-render-config_02.yaml + {{- if ne (int .context.Values.proxy.tls.mode) 0 }} + yq e -i '.tls.serverPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.cert }}"' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml + yq e -i '.tls.serverKeyPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.key }}"' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml + {{- if eq (int .context.Values.proxy.tls.mode) 2 }} + yq e -i '.tls.caPemPath = "/opt/bitnami/milvus/configs/cert/milvus/{{ .context.Values.proxy.tls.caCert }}"' /bitnami/milvus/rendered-conf/pre-render-config_02.yaml + {{- end }} + {{- end }} + + render-template 
/bitnami/milvus/rendered-conf/pre-render-config_02.yaml > /bitnami/milvus/rendered-conf/milvus.yaml rm /bitnami/milvus/rendered-conf/pre-render-config* chmod 644 /bitnami/milvus/rendered-conf/milvus.yaml env: diff --git a/bitnami/milvus/templates/data-coordinator/deployment.yaml b/bitnami/milvus/templates/data-coordinator/deployment.yaml index c17a8f25e12d9c..a04cf8b3266d04 100644 --- a/bitnami/milvus/templates/data-coordinator/deployment.yaml +++ b/bitnami/milvus/templates/data-coordinator/deployment.yaml @@ -176,11 +176,16 @@ spec: - name: empty-dir mountPath: /bitnami/milvus/data subPath: app-data-dir - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs mountPath: /opt/bitnami/milvus/configs/cert/etcd/client readOnly: true {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + mountPath: /opt/bitnami/milvus/configs/cert/kafka/client + readOnly: true + {{- end }} {{- if .Values.dataCoord.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.dataCoord.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} 
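Review bot: `externalKafka.tls.keyPassword` is interpolated verbatim into the init script at `yq e -i '.kafka.ssl.tlsKeyPassword = "{{ .context.Values.externalKafka.tls.keyPassword }}"'`, so the private-key passphrase ends up in clear text in the rendered pod spec and in the Helm release values, and then in `milvus.yaml`, which the context line below makes world-readable with `chmod 644`. The value is also unescaped inside a double-quoted yq string within a single-quoted shell argument, so a passphrase containing `"` or `'` breaks the expression or the command. I would take the passphrase from a key of `externalKafka.tls.existingSecret` exposed to the init container as an environment variable and write `yq e -i '.kafka.ssl.tlsKeyPassword = strenv(KAFKA_TLS_KEY_PASSWORD)' …`, where `KAFKA_TLS_KEY_PASSWORD` is a placeholder name for a `secretKeyRef`-backed variable. The enclosing template definition starts and ends outside this hunk.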
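Review bot: The gate `and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret` skips the mount without any message when `tls.enabled` is true but `existingSecret` is empty, and the same gate in `_helpers.tpl` then also leaves `.kafka.ssl.enabled` unset, so an operator who asked for TLS gets a release that renders cleanly without it. A render-time check would turn that into an error, for example `{{- if and .Values.externalKafka.tls.enabled (not .Values.externalKafka.tls.existingSecret) }}{{ fail "externalKafka.tls.existingSecret is required when externalKafka.tls.enabled is true" }}{{- end }}`. The condition is repeated in both hunks of all eight deployment templates; a single named helper would keep the copies from drifting. The container spec continues outside this hunk.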
@@ -206,12 +211,18 @@ spec: configMap: name: {{ template "milvus.data-coordinator.extraConfigmapName" . }} {{- end }} - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs secret: secretName: {{ .Values.externalEtcd.tls.existingSecret }} defaultMode: 256 {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + secret: + secretName: {{ .Values.externalKafka.tls.existingSecret }} + defaultMode: 256 + {{- end }} {{- if .Values.dataCoord.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.dataCoord.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/milvus/templates/data-node/deployment.yaml b/bitnami/milvus/templates/data-node/deployment.yaml index b04b20be2176e9..41a20a44fee077 100644 --- a/bitnami/milvus/templates/data-node/deployment.yaml +++ b/bitnami/milvus/templates/data-node/deployment.yaml @@ -176,11 +176,16 @@ spec: - name: empty-dir mountPath: /bitnami/milvus/data subPath: app-data-dir - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs mountPath: /opt/bitnami/milvus/configs/cert/etcd/client readOnly: true {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + mountPath: /opt/bitnami/milvus/configs/cert/kafka/client + readOnly: true + {{- end }} {{- if .Values.dataNode.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.dataNode.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} 
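Review bot: The `kafka-client-certs` volume mounts every key of `externalKafka.tls.existingSecret`, including the client private key, into this pod, and the matching hunks in the data-node, index-coordinator, index-node, proxy, query-coordinator, query-node and root-coordinator templates do the same. If the secret can hold other material, an `items:` list limited to the keys named by `externalKafka.tls.cert`, `.key` and `.caCert` would keep the exposure to what Milvus reads. `defaultMode: 256` is decimal for octal 0400, which is easy to misread; a comment such as `# 256 decimal = 0400 octal: owner read-only` would help. Whether the container user can read files at that mode depends on the pod security context, which is outside this hunk.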
@@ -206,12 +211,18 @@ spec: configMap: name: {{ template "milvus.data-node.extraConfigmapName" . }} {{- end }} - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs secret: secretName: {{ .Values.externalEtcd.tls.existingSecret }} defaultMode: 256 {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + secret: + secretName: {{ .Values.externalKafka.tls.existingSecret }} + defaultMode: 256 + {{- end }} {{- if .Values.dataNode.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.dataNode.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/milvus/templates/index-coordinator/deployment.yaml b/bitnami/milvus/templates/index-coordinator/deployment.yaml index cf103cd2269aaf..5bf5e889af4f97 100644 --- a/bitnami/milvus/templates/index-coordinator/deployment.yaml +++ b/bitnami/milvus/templates/index-coordinator/deployment.yaml @@ -176,11 +176,16 @@ spec: - name: empty-dir mountPath: /bitnami/milvus/data subPath: app-data-dir - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs mountPath: /opt/bitnami/milvus/configs/cert/etcd/client readOnly: true {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + mountPath: /opt/bitnami/milvus/configs/cert/kafka/client + readOnly: true + {{- end }} {{- if .Values.indexCoord.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.indexCoord.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} 
@@ -206,12 +211,18 @@ spec: configMap: name: {{ template "milvus.index-coordinator.extraConfigmapName" . }} {{- end }} - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs secret: secretName: {{ .Values.externalEtcd.tls.existingSecret }} defaultMode: 256 {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + secret: + secretName: {{ .Values.externalKafka.tls.existingSecret }} + defaultMode: 256 + {{- end }} {{- if .Values.indexCoord.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.indexCoord.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/milvus/templates/index-node/deployment.yaml b/bitnami/milvus/templates/index-node/deployment.yaml index 26f1ff248633ed..303fe5bf2a0ba8 100644 --- a/bitnami/milvus/templates/index-node/deployment.yaml +++ b/bitnami/milvus/templates/index-node/deployment.yaml @@ -176,11 +176,16 @@ spec: - name: empty-dir mountPath: /bitnami/milvus/data subPath: app-data-dir - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs mountPath: /opt/bitnami/milvus/configs/cert/etcd/client readOnly: true {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + mountPath: /opt/bitnami/milvus/configs/cert/kafka/client + readOnly: true + {{- end }} {{- if .Values.indexNode.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.indexNode.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} 
@@ -206,12 +211,18 @@ spec: configMap: name: {{ template "milvus.index-node.extraConfigmapName" . }} {{- end }} - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs secret: secretName: {{ .Values.externalEtcd.tls.existingSecret }} defaultMode: 256 {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + secret: + secretName: {{ .Values.externalKafka.tls.existingSecret }} + defaultMode: 256 + {{- end }} {{- if .Values.indexNode.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.indexNode.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/milvus/templates/proxy/deployment.yaml b/bitnami/milvus/templates/proxy/deployment.yaml index a1d554dd6d7fc4..1a26be7af99a25 100644 --- a/bitnami/milvus/templates/proxy/deployment.yaml +++ b/bitnami/milvus/templates/proxy/deployment.yaml 
@@ -178,12 +178,17 @@ spec: - name: empty-dir mountPath: /bitnami/milvus/data subPath: app-data-dir - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs mountPath: /opt/bitnami/milvus/configs/cert/etcd/client readOnly: true {{- end }} - {{- if and (ne (int .Values.proxy.tls.mode) 0) (not (empty .Values.proxy.tls.existingSecret)) }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + mountPath: /opt/bitnami/milvus/configs/cert/kafka/client + readOnly: true + {{- end }} + {{- if and (ne (int .Values.proxy.tls.mode) 0) .Values.proxy.tls.existingSecret }} - name: milvus-certs mountPath: /opt/bitnami/milvus/configs/cert/milvus readOnly: true 
@@ -213,18 +218,24 @@ spec: configMap: name: {{ template "milvus.proxy.extraConfigmapName" . }} {{- end }} - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs secret: secretName: {{ .Values.externalEtcd.tls.existingSecret }} defaultMode: 256 {{- end }} - {{- if and (ne (int .Values.proxy.tls.mode) 0) (not (empty .Values.proxy.tls.existingSecret)) }} + {{- if and (ne (int .Values.proxy.tls.mode) 0) .Values.proxy.tls.existingSecret }} - name: milvus-certs secret: secretName: {{ .Values.proxy.tls.existingSecret }} defaultMode: 256 {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + secret: + secretName: {{ .Values.externalKafka.tls.existingSecret }} + defaultMode: 256 + {{- end }} {{- if .Values.proxy.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.proxy.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/milvus/templates/query-coordinator/deployment.yaml b/bitnami/milvus/templates/query-coordinator/deployment.yaml index 69bd23e20f2d25..fb7b1c61974eb4 100644 --- a/bitnami/milvus/templates/query-coordinator/deployment.yaml +++ b/bitnami/milvus/templates/query-coordinator/deployment.yaml 
@@ -176,11 +176,16 @@ spec: - name: empty-dir mountPath: /bitnami/milvus/data subPath: app-data-dir - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs mountPath: /opt/bitnami/milvus/configs/cert/etcd/client readOnly: true {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + mountPath: /opt/bitnami/milvus/configs/cert/kafka/client + readOnly: true + {{- end }} {{- if .Values.queryCoord.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.queryCoord.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -206,12 +211,18 @@ spec: configMap: name: {{ template "milvus.query-coordinator.extraConfigmapName" . }} {{- end }} - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs secret: secretName: {{ .Values.externalEtcd.tls.existingSecret }} defaultMode: 256 {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + secret: + secretName: {{ .Values.externalKafka.tls.existingSecret }} + defaultMode: 256 + {{- end }} {{- if .Values.queryCoord.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.queryCoord.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/milvus/templates/query-node/deployment.yaml b/bitnami/milvus/templates/query-node/deployment.yaml index 8ba3945d7cabdc..6ccdc6d7ef791a 100644 --- a/bitnami/milvus/templates/query-node/deployment.yaml +++ b/bitnami/milvus/templates/query-node/deployment.yaml 
@@ -176,11 +176,16 @@ spec: - name: empty-dir mountPath: /bitnami/milvus/data subPath: app-data-dir - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs mountPath: /opt/bitnami/milvus/configs/cert/etcd/client readOnly: true {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + mountPath: /opt/bitnami/milvus/configs/cert/kafka/client + readOnly: true + {{- end }} {{- if .Values.queryNode.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.queryNode.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -206,12 +211,18 @@ spec: configMap: name: {{ template "milvus.query-node.extraConfigmapName" . }} {{- end }} - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs secret: secretName: {{ .Values.externalEtcd.tls.existingSecret }} defaultMode: 256 {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + secret: + secretName: {{ .Values.externalKafka.tls.existingSecret }} + defaultMode: 256 + {{- end }} {{- if .Values.queryNode.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.queryNode.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/milvus/templates/root-coordinator/deployment.yaml b/bitnami/milvus/templates/root-coordinator/deployment.yaml index 573cd190fcd9a8..053aac680eb8da 100644 --- a/bitnami/milvus/templates/root-coordinator/deployment.yaml +++ b/bitnami/milvus/templates/root-coordinator/deployment.yaml 
@@ -176,11 +176,16 @@ spec: - name: empty-dir mountPath: /bitnami/milvus/data subPath: app-data-dir - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs mountPath: /opt/bitnami/milvus/configs/cert/etcd/client readOnly: true {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + mountPath: /opt/bitnami/milvus/configs/cert/kafka/client + readOnly: true + {{- end }} {{- if .Values.rootCoord.extraVolumeMounts }} {{- include "common.tplvalues.render" (dict "value" .Values.rootCoord.extraVolumeMounts "context" $) | nindent 12 }} {{- end }} @@ -206,12 +211,18 @@ spec: configMap: name: {{ template "milvus.root-coordinator.extraConfigmapName" . }} {{- end }} - {{- if and .Values.externalEtcd.tls.enabled (not (empty .Values.externalEtcd.tls.existingSecret)) }} + {{- if and .Values.externalEtcd.tls.enabled .Values.externalEtcd.tls.existingSecret }} - name: etcd-client-certs secret: secretName: {{ .Values.externalEtcd.tls.existingSecret }} defaultMode: 256 {{- end }} + {{- if and (not .Values.kafka.enabled) .Values.externalKafka.tls.enabled .Values.externalKafka.tls.existingSecret }} + - name: kafka-client-certs + secret: + secretName: {{ .Values.externalKafka.tls.existingSecret }} + defaultMode: 256 + {{- end }} {{- if .Values.rootCoord.extraVolumes }} {{- include "common.tplvalues.render" (dict "value" .Values.rootCoord.extraVolumes "context" $) | nindent 8 }} {{- end }} diff --git a/bitnami/milvus/values.yaml b/bitnami/milvus/values.yaml index 94e1b1a07423e1..6fff6eb12ded86 100644 --- a/bitnami/milvus/values.yaml +++ b/bitnami/milvus/values.yaml 
@@ -5318,6 +5318,29 @@ externalKafka: existingSecret: "" existingSecretPasswordKey: "kafka-root-password" enabledMechanisms: "PLAIN" + ## External kafka TLS connection configuration + ## + tls: + ## @param externalKafka.tls.enabled Enable TLS for kafka client connections. + ## + enabled: false + ## @param externalKafka.tls.existingSecret Name of the existing secret containing the TLS certificates for external kafka client communications. + ## + existingSecret: "" + ## @param externalKafka.tls.cert The secret key from the existingSecret if 'cert' key different from the default (tls.crt) + ## + cert: tls.crt + ## @param externalKafka.tls.key The secret key from the existingSecret if 'key' key different from the default (tls.key) + ## + key: tls.key + ## @param externalKafka.tls.caCert The secret key from the existingSecret if 'caCert' key different from the default (ca.crt) + ## + caCert: ca.crt + ## @param externalKafka.tls.keyPassword Password to access the password-protected PEM key if necessary. + ## + keyPassword: "" + + ## @section etcd sub-chart parameters ## etcd:
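Review bot: The new `@param` comments do not say when the settings take effect: per the template conditions in this commit, they apply only when `kafka.enabled` is false and `existingSecret` is set. I would write `## @param externalKafka.tls.enabled Enable TLS for Kafka client connections (requires kafka.enabled=false and externalKafka.tls.existingSecret)`. Because `cert` and `key` default to `tls.crt` and `tls.key`, the helper always writes client-certificate paths; the comments should tell users to set both to `""` when the secret carries only a CA certificate. `keyPassword` is a secret stored as a plain chart value, and its comment should say so.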