From fc2207f237cf4a733fa00150c5f4e490bf9fc0af Mon Sep 17 00:00:00 2001
From: Vincent Du <94928978+VincentDu2021@users.noreply.github.com>
Date: Wed, 15 Nov 2023 23:06:13 -0600
Subject: [PATCH] Adding proxy user tls cert and key files upport. (#25)
impl #22
Signed-off-by: Vincent Du
---
charts/milvus/README.md | 51 ++++++++++++++++++-
charts/milvus/templates/proxy-deployment.yaml | 7 +++
charts/milvus/templates/proxy-tls-secret.yaml | 16 ++++++
charts/milvus/values.yaml | 23 +++++++++
4 files changed, 95 insertions(+), 2 deletions(-)
create mode 100644 charts/milvus/templates/proxy-tls-secret.yaml
diff --git a/charts/milvus/README.md b/charts/milvus/README.md
index 81934a9..0506342 100644
--- a/charts/milvus/README.md
+++ b/charts/milvus/README.md
@@ -127,6 +127,52 @@ helm install my-release milvus/milvus --set log.persistence.enabled=true --set l It will output log to `/milvus/logs/` directory. +### Enable proxy tls connection +By default the TLS connection to proxy service is false, to enable TLS with users' own certificate and privatge key, it can be specified in `extraConfigFiles` like this: + +```bash +extraConfigFiles: + user.yaml: |+ + # Enable tlsMode and set the tls cert and key + tls: + serverPemPath: /etc/milvus/certs/tls.crt + serverKeyPath: /etc/milvus/certs/tls.key + common: + security: + tlsMode: 1 + +``` +The path specified above are TLS secret data mounted inside the proxy pod as files. To create a TLS secret, set `proxy.tls.enabled` to `true` then provide base64-encoded values for your certificate and private key files in values.yaml: + +```bash +proxy: + enabled: true + tls: + enabled: true + secretName: milvus-tls + #expecting base64 encoded values here: i.e. $(cat tls.crt | base64 -w 0) and $(cat tls.key | base64 -w 0) + key: LS0tLS1C.... + crt: LS0tLS1CR... +``` +or in cli using --set: + +```bash + --set proxy.tls.enabled=true \ + --set prox.tls.key=$(cat /path/to/private_key_file | base64 -w 0) \ + --set prox.tls.crt=$(cat /path/to/certificate_file | base64 -w 0) +``` +In case you want to use a different `secretName` or mount path inside pod, modify `prox.tls.secretName` above, and `serverPemPath` and `serverPemPath` in `extraConfigFles `accordingly, then in the `volume` and `volumeMounts` sections in values.yaml + +```bash + volumes: + - secret: + secretName: Your-tls-secret-name + name: milvus-tls + volumeMounts: + - mountPath: /Your/tls/files/path/ + name: milvus-tls +``` + ## Uninstall the Chart ```bash 
@@ -265,8 +311,9 @@ The following table lists the configurable parameters of the Milvus Proxy compon | `proxy.heaptrack.enabled` | Whether to enable heaptrack | `false` | | `proxy.profiling.enabled` | Whether to enable live profiling | `false` | | `proxy.extraEnv` | Additional Milvus Proxy container environment variables | `[]` | -| `proxy.http.enabled` | Enable rest api for Milvus Proxy | `true` | -| `proxy.http.debugMode.enabled` | Enable debug mode for rest api | `false` | +| `proxy.http.enabled` | Enable rest api for Milvus Proxy | `true` | +| `proxy.http.debugMode.enabled` | Enable debug mode for rest api | `false` | +| `proxy.tls.enabled` | Enable porxy tls connection | `false` | ### Milvus Root Coordinator Deployment Configuration diff --git a/charts/milvus/templates/proxy-deployment.yaml b/charts/milvus/templates/proxy-deployment.yaml index 05f47c6..34d938c 100644 --- a/charts/milvus/templates/proxy-deployment.yaml +++ b/charts/milvus/templates/proxy-deployment.yaml @@ -128,6 +128,9 @@ spec: {{- end }} - mountPath: /milvus/tools name: tools + {{- if .Values.proxy.volumeMounts }} + {{- toYaml .Values.proxy.volumeMounts | nindent 8 }} + {{- end}} {{- if and (.Values.nodeSelector) (not .Values.proxy.nodeSelector) }} nodeSelector: @@ -165,4 +168,8 @@ spec: {{- end }} - name: tools emptyDir: {} + {{- if .Values.proxy.volumes }} +{{ toYaml .Values.proxy.volumes | indent 6 }} + {{- end}} + {{- end }} diff --git a/charts/milvus/templates/proxy-tls-secret.yaml b/charts/milvus/templates/proxy-tls-secret.yaml new file mode 100644 index 0000000..1e746f7 --- /dev/null +++ b/charts/milvus/templates/proxy-tls-secret.yaml 
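Review bot: The two new stanzas in proxy-deployment.yaml render `proxy.volumeMounts` and `proxy.volumes` with different template idioms — `{{- toYaml ... | nindent 8 }}` inside the `if` in the @@ -128 hunk, but an untrimmed column-0 `{{ toYaml ... | indent 6 }}` in the @@ -165 hunk — and both close with `{{- end}}` (no space) while the surrounding lines use `{{- end }}`; use the `nindent` form in both places and normalise the closers. Nothing ties either list to `proxy.tls.enabled`, so `proxy.tls.enabled=true` with a cert and key creates the Secret but mounts nothing unless the user also fills in both lists by hand; consider emitting the cert mount from the template when `proxy.tls.enabled` is set, with `readOnly: true` on the mount and `defaultMode: 0400` on the secret volume so the private key is neither writable nor world-readable inside the container. The containers and volumes stanzas these hunks sit in start and end outside the hunks.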
@@ -0,0 +1,16 @@ +{{- if and (.Values.proxy.tls) (.Values.proxy.tls.enabled) }} + +{{- if and (.Values.proxy.tls.crt) (.Values.proxy.tls.key) }} +--- +apiVersion: v1 +kind: Secret +metadata: + name: {{ .Values.proxy.tls.secretName }} +data: + tls.crt: {{ .Values.proxy.tls.crt }} + tls.key: {{ .Values.proxy.tls.key }} +type: kubernetes.io/tls +{{- end }} + +{{- end -}} + diff --git a/charts/milvus/values.yaml b/charts/milvus/values.yaml index 82702ea..f665437 100644 --- a/charts/milvus/values.yaml +++ b/charts/milvus/values.yaml @@ -50,6 +50,13 @@ extraConfigFiles: # proxy: # http: # enabled: true + ## Enable tlsMode and set the tls cert and key + # tls: + # serverPemPath: /etc/milvus/certs/tls.crt + # serverKeyPath: /etc/milvus/certs/tls.key + # common: + # security: + # tlsMode: 1 ## Expose the Milvus service to be accessed from outside the cluster (LoadBalancer service). ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it. @@ -230,6 +237,22 @@ proxy: enabled: true # whether to enable http rest server debugMode: enabled: false + # Mount a TLS secret into proxy pod + tls: + enabled: false +## when enabling proxy.tls, all items below should be uncommented and the key and crt values should be populated. +# enabled: true +# secretName: milvus-tls +## expecting base64 encoded values here: i.e. $(cat tls.crt | base64 -w 0) and $(cat tls.key | base64 -w 0) +# key: LS0tLS1CRUdJTiBQU--REDUCT +# crt: LS0tLS1CRUdJTiBDR--REDUCT +# volumes: +# - secret: +# secretName: milvus-tls +# name: milvus-tls +# volumeMounts: +# - mountPath: /etc/milvus/certs/ +# name: milvus-tls rootCoordinator: enabled: true
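Review bot: `metadata.name` renders from `.Values.proxy.tls.secretName` unquoted and without a default, and values.yaml only ships `secretName` as a comment, so the README's `--set proxy.tls.enabled=true --set proxy.tls.key=... --set proxy.tls.crt=...` path on its own renders `name:` empty and the Secret is rejected by the API server. Fail at template time instead: `name: {{ required "proxy.tls.secretName is required when proxy.tls.enabled is true" .Values.proxy.tls.secretName | quote }}`, and wrap `tls.crt`/`tls.key` in `required` as well rather than silently rendering no Secret when one of them is missing while `enabled` is true. The `data` values are passed through verbatim, so a PEM pasted directly (or supplied via `--set-file`) yields an invalid Secret; either document the base64 requirement in the template or accept PEM through `stringData` and let Kubernetes encode it. Since the template already skips rendering when `crt`/`key` are unset, documenting "point `secretName` at a pre-created Secret" as the preferred path keeps key material out of values files and release history. Note also that the README's cli example spells the keys `prox.tls.key`/`prox.tls.crt`, which this template never reads.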
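Review bot: The commented `tlsMode: 1` example in the `extraConfigFiles` hunk (@@ -50) does not say what the mode values mean, so a reader copying it cannot tell whether client certificates will be verified. Suggest extending the comment to `## tlsMode: 0 = TLS off, 1 = one-way TLS (server certificate only), 2 = mutual TLS (clients must present a certificate)`, and adding a line noting that `serverPemPath`/`serverKeyPath` must match the `mountPath` chosen for the secret volume under `proxy.volumeMounts`.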
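Review bot: In the @@ -230 hunk of values.yaml, the block that the `## when enabling proxy.tls ...` line tells users to uncomment appears to sit at column 0 (`# enabled: true`, `# secretName: milvus-tls`, `# volumes:` …), so uncommenting it as written yields top-level `enabled`, `secretName`, `key`, `crt`, `volumes` and `volumeMounts` keys rather than `proxy.tls.*`, `proxy.volumes` and `proxy.volumeMounts`; indent the commented lines to the level of the keys they are meant to become (the collapsed diff may hide indentation, so verify in the file). Because `secretName` is only a comment there is no default for the name that both the Secret template and the volume use; give it a live default, `secretName: milvus-tls`, under `tls:`. The `volumes` example mounts the private key with the Secret volume's default file mode; add `defaultMode: 0400` beside `secretName` in the `secret:` stanza and `readOnly: true` on the `volumeMounts` entry so the key is read-only and not world-readable inside the container. The `proxy:` mapping these lines belong to starts outside the hunk.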