Adding proxy user tls cert and key files upport. (#25)

impl #22 Signed-off-by: Vincent Du <[email protected]>
zilliztech · Nov 16, 2023 · fc2207f · fc2207f
1 parent c5d650f
commit fc2207f
Show file tree

Hide file tree

Showing 4 changed files with 95 additions and 2 deletions.
diff --git a/charts/milvus/README.md b/charts/milvus/README.md
@@ -127,6 +127,52 @@ helm install my-release milvus/milvus --set log.persistence.enabled=true --set l
 
 It will output log to `/milvus/logs/` directory.
 
+### Enable proxy tls connection
+By default the TLS connection to proxy service is false, to enable TLS with users' own certificate and privatge key, it can be specified in `extraConfigFiles` like this:
+
+```bash
+extraConfigFiles:
+  user.yaml: |+
+    #  Enable tlsMode and set the tls cert and key
+       tls:
+        serverPemPath: /etc/milvus/certs/tls.crt
+        serverKeyPath: /etc/milvus/certs/tls.key
+       common:
+         security:
+           tlsMode: 1
+
+```
+The path specified above are TLS secret data  mounted inside the proxy pod as files. To create a TLS secret, set `proxy.tls.enabled` to `true` then provide base64-encoded values for your certificate and private key files in values.yaml:
+
+```bash
+proxy:
+  enabled: true
+  tls:
+    enabled: true
+    secretName: milvus-tls
+  #expecting base64 encoded values here: i.e. $(cat tls.crt | base64 -w 0) and $(cat tls.key | base64 -w 0)
+    key: LS0tLS1C....
+    crt: LS0tLS1CR...
+```
+or in cli using --set:
+
+```bash
+  --set proxy.tls.enabled=true \
+  --set prox.tls.key=$(cat /path/to/private_key_file | base64 -w 0) \
+  --set prox.tls.crt=$(cat /path/to/certificate_file | base64 -w 0)
+```
+In case you want to use a different `secretName` or mount path inside pod, modify `prox.tls.secretName` above, and `serverPemPath` and `serverPemPath` in `extraConfigFles `accordingly, then in the `volume` and `volumeMounts` sections in values.yaml
+
+```bash
+  volumes:
+  - secret:
+      secretName: Your-tls-secret-name
+    name: milvus-tls
+  volumeMounts:
+  - mountPath: /Your/tls/files/path/
+    name: milvus-tls
+```
+
 ## Uninstall the Chart
 
 ```bash
@@ -265,8 +311,9 @@ The following table lists the configurable parameters of the Milvus Proxy compon
 | `proxy.heaptrack.enabled`                 | Whether to enable heaptrack                             | `false`                                          |
 | `proxy.profiling.enabled`                 | Whether to enable live profiling                   | `false`                                          |
 | `proxy.extraEnv`                          | Additional Milvus Proxy container environment variables | `[]`                                          |
-| `proxy.http.enabled`                          | Enable rest api for Milvus Proxy | `true`                                          |
-| `proxy.http.debugMode.enabled`                          | Enable debug mode for rest api | `false`                                          |
+| `proxy.http.enabled`                      | Enable rest api for Milvus Proxy | `true`                                          |
+| `proxy.http.debugMode.enabled`            | Enable debug mode for rest api | `false`                                          |
+| `proxy.tls.enabled`                       | Enable porxy tls connection | `false`                                          |
 
 ### Milvus Root Coordinator Deployment Configuration
 

diff --git a/charts/milvus/templates/proxy-deployment.yaml b/charts/milvus/templates/proxy-deployment.yaml
@@ -128,6 +128,9 @@ spec:
         {{- end }}
         - mountPath: /milvus/tools
           name: tools
+        {{- if .Values.proxy.volumeMounts }}
+          {{- toYaml .Values.proxy.volumeMounts | nindent 8 }}
+        {{- end}}
 
     {{- if and (.Values.nodeSelector) (not .Values.proxy.nodeSelector) }}
       nodeSelector:
@@ -165,4 +168,8 @@ spec:
       {{- end }}
       - name: tools
         emptyDir: {}
+      {{- if .Values.proxy.volumes }}
+{{ toYaml .Values.proxy.volumes | indent 6 }}
+      {{- end}}
+
 {{- end }}
diff --git a/charts/milvus/templates/proxy-tls-secret.yaml b/charts/milvus/templates/proxy-tls-secret.yaml
@@ -0,0 +1,16 @@
+{{- if and (.Values.proxy.tls) (.Values.proxy.tls.enabled) }}
+
+{{- if and (.Values.proxy.tls.crt) (.Values.proxy.tls.key) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.proxy.tls.secretName }}
+data:
+  tls.crt: {{ .Values.proxy.tls.crt }}
+  tls.key: {{ .Values.proxy.tls.key }}
+type: kubernetes.io/tls
+{{- end }}
+
+{{- end -}}
+
diff --git a/charts/milvus/values.yaml b/charts/milvus/values.yaml
@@ -50,6 +50,13 @@ extraConfigFiles:
     #    proxy:
     #      http:
     #        enabled: true
+    ##  Enable tlsMode and set the tls cert and key
+    #  tls:
+    #    serverPemPath: /etc/milvus/certs/tls.crt
+    #    serverKeyPath: /etc/milvus/certs/tls.key
+    #   common:
+    #     security:
+    #       tlsMode: 1
 
 ## Expose the Milvus service to be accessed from outside the cluster (LoadBalancer service).
 ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
@@ -230,6 +237,22 @@ proxy:
     enabled: true  # whether to enable http rest server
     debugMode:
       enabled: false
+  # Mount a TLS secret into proxy pod
+  tls:
+    enabled: false
+## when enabling proxy.tls, all items below should be uncommented and the key and crt values should be populated.
+#    enabled: true
+#    secretName: milvus-tls
+## expecting base64 encoded values here: i.e. $(cat tls.crt | base64 -w 0) and $(cat tls.key | base64 -w 0)
+#    key: LS0tLS1CRUdJTiBQU--REDUCT
+#    crt: LS0tLS1CRUdJTiBDR--REDUCT
+#  volumes:
+#  - secret:
+#      secretName: milvus-tls
+#    name: milvus-tls
+#  volumeMounts:
+#  - mountPath: /etc/milvus/certs/
+#    name: milvus-tls
 
 rootCoordinator:
   enabled: true