GDB-14321: Updated TLS configurations

CHANGELOG.md

@@ -1,5 +1,12 @@
 # GraphDB Helm chart release notes
 
+## Version 12.3.3
+
+### Fixed
+
+- Updated all TLS related configurations to use the correct GraphDB v11 properties, see configmap-properties.yaml
+- Updated probes to use the correct HTTPS scheme when TLS is enabled
+
 ## Version 12.3.2
 
 ### New

Chart.yaml

@@ -5,7 +5,7 @@ apiVersion: v2
 name: graphdb
 description: GraphDB is a highly efficient, scalable and robust graph database with RDF and SPARQL support.
 type: application
-version: 12.3.2
+version: 12.3.3
 appVersion: 11.3.1
 kubeVersion: ^1.26.0-0
 home: https://graphdb.ontotext.com/

README.md

@@ -1,7 +1,7 @@
 # Helm Chart for GraphDB
 
 [![CI](https://github.com/Ontotext-AD/graphdb-helm/actions/workflows/ci.yml/badge.svg)](https://github.com/Ontotext-AD/graphdb-helm/actions/workflows/ci.yml)
-![Version: 12.3.2](https://img.shields.io/badge/Version-12.3.2-informational?style=flat-square)
+![Version: 12.3.3](https://img.shields.io/badge/Version-12.3.3-informational?style=flat-square)
 ![AppVersion: 11.3.1](https://img.shields.io/badge/AppVersion-11.3.1-informational?style=flat-square)
 
 <!--
@@ -384,12 +384,14 @@ IMPORTANT: This is generated by helm-docs, do not attempt modifying it on hand a
 | configuration.tls.keystore.keyAlias | string | `"graphdb"` |  |
 | configuration.tls.keystore.keystoreKey | string | `"keystore.jks"` |  |
 | configuration.tls.keystore.keystorePasswordKey | string | `"keystore_password"` |  |
+| configuration.tls.keystore.keystorePasswordSecret | string | `""` |  |
 | configuration.tls.keystore.keystoreProvider | string | `"SUN"` |  |
 | configuration.tls.keystore.keystoreType | string | `"JKS"` |  |
 | configuration.tls.mountPath | string | `"/etc/graphdb/tls/tomcat/"` |  |
 | configuration.tls.truststore.existingSecret | string | `""` |  |
 | configuration.tls.truststore.truststoreKey | string | `"truststore.jks"` |  |
 | configuration.tls.truststore.truststorePasswordKey | string | `"truststore_password"` |  |
+| configuration.tls.truststore.truststorePasswordSecret | string | `""` |  |
 | configuration.tls.truststore.truststoreProvider | string | `"SUN"` |  |
 | configuration.tls.truststore.truststoreType | string | `"JKS"` |  |
 | containerPorts.http | int | `7200` |  |

examples/tomcat-security/keystore.yaml

@@ -5,22 +5,3 @@ configuration:
       keystoreKey: keystore.jks
       keystorePasswordKey: keystore_password
       keyAlias: graphdb
-startupProbe:
-  httpGet:
-    scheme: HTTPS
-readinessProbe:
-  httpGet:
-    scheme: HTTPS
-livenessProbe:
-  httpGet:
-    scheme: HTTPS
-proxy:
-  startupProbe:
-    httpGet:
-      scheme: HTTPS
-  readinessProbe:
-    httpGet:
-      scheme: HTTPS
-  livenessProbe:
-    httpGet:
-      scheme: HTTPS

examples/tomcat-security/keystoreAndTruststore.yaml

@@ -9,22 +9,3 @@ configuration:
       existingSecret: my-truststore-secret
       truststoreKey: truststore.jks
       truststorePasswordKey: truststore_password
-startupProbe:
-  httpGet:
-    scheme: HTTPS
-readinessProbe:
-  httpGet:
-    scheme: HTTPS
-livenessProbe:
-  httpGet:
-    scheme: HTTPS
-proxy:
-  startupProbe:
-    httpGet:
-      scheme: HTTPS
-  readinessProbe:
-    httpGet:
-      scheme: HTTPS
-  livenessProbe:
-    httpGet:
-      scheme: HTTPS

templates/_helpers.tpl

@@ -115,3 +115,40 @@ Calculate provisoner's bcrypt-hashed password
 {{- define "graphdb.security.provisioner.passwordHash" -}}
   {{- printf "%s" ( htpasswd .Values.security.provisioner.username .Values.security.provisioner.password | trimPrefix (printf "%s:" .Values.security.provisioner.username)) -}}
 {{- end -}}
+
+{{/*
+Calculates the correct probe scheme based on TLS settings.
+*/}}
+{{- define "graphdb.renderProbe" -}}
+  {{- $root := index . 0 -}}
+  {{- $probe := deepCopy (index . 1) -}}
+  {{- $keystore := $root.Values.configuration.tls.keystore.existingSecret -}}
+  {{- if and $keystore $probe.httpGet (not (hasKey $probe.httpGet "scheme")) -}}
+    {{- $_ := set $probe.httpGet "scheme" "HTTPS" -}}
+  {{- end -}}
+  {{- toYaml $probe -}}
+{{- end -}}
+
+{{- define "graphdb.probes.startup" -}}
+  {{- include "graphdb.renderProbe" (list $ .Values.startupProbe) -}}
+{{- end -}}
+
+{{- define "graphdb.probes.readiness" -}}
+  {{- include "graphdb.renderProbe" (list $ .Values.readinessProbe) -}}
+{{- end -}}
+
+{{- define "graphdb.probes.liveness" -}}
+  {{- include "graphdb.renderProbe" (list $ .Values.livenessProbe) -}}
+{{- end -}}
+
+{{- define "graphdb-proxy.probes.startup" -}}
+  {{- include "graphdb.renderProbe" (list $ .Values.proxy.startupProbe) -}}
+{{- end -}}
+
+{{- define "graphdb-proxy.probes.readiness" -}}
+  {{- include "graphdb.renderProbe" (list $ .Values.proxy.readinessProbe) -}}
+{{- end -}}
+
+{{- define "graphdb-proxy.probes.liveness" -}}
+  {{- include "graphdb.renderProbe" (list $ .Values.proxy.livenessProbe) -}}
+{{- end -}}

templates/graphdb/configmap-properties.yaml

@@ -26,21 +26,19 @@ data:
     {{- end }}
     {{- if .Values.configuration.tls.keystore.existingSecret }}
     # Tomcat keystore configurations
-    graphdb.connector.SSLEnabled=true
-    graphdb.connector.scheme=https
-    graphdb.connector.secure=true
-    graphdb.connector.keystoreFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/keystore/{{ .Values.configuration.tls.keystore.keystoreKey }}
-    graphdb.connector.keyAlias={{ .Values.configuration.tls.keystore.keyAlias }}
-    graphdb.connector.keystoreProvider={{ .Values.configuration.tls.keystore.keystoreProvider }}
-    graphdb.connector.keystoreType={{ .Values.configuration.tls.keystore.keystoreType }}
-    graphdb.connector.keystorePass@file={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/keystore/{{ .Values.configuration.tls.keystore.keystorePasswordKey }}
+    graphdb.connector.ssl.enabled=true
+    graphdb.connector.ssl.certificateKeystoreFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/keystore/{{ .Values.configuration.tls.keystore.keystoreKey }}
+    graphdb.connector.ssl.certificateKeyAlias={{ .Values.configuration.tls.keystore.keyAlias }}
+    graphdb.connector.ssl.certificateKeystoreProvider={{ .Values.configuration.tls.keystore.keystoreProvider }}
+    graphdb.connector.ssl.certificateKeystoreType={{ .Values.configuration.tls.keystore.keystoreType }}
+    graphdb.connector.ssl.certificateKeyPassword@file={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/keystore/{{ .Values.configuration.tls.keystore.keystorePasswordKey }}
     {{- end }}
     {{- if .Values.configuration.tls.truststore.existingSecret }}
     # Tomcat truststore configurations
-    graphdb.connector.truststoreFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/truststore/{{ .Values.configuration.tls.truststore.truststoreKey }}
-    graphdb.connector.truststoreProvider={{ .Values.configuration.tls.truststore.truststoreProvider }}
-    graphdb.connector.truststoreType={{ .Values.configuration.tls.truststore.truststoreType }}
-    graphdb.connector.truststorePass@file={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/truststore/{{ .Values.configuration.tls.truststore.truststorePasswordKey }}
+    graphdb.connector.ssl.truststoreFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/truststore/{{ .Values.configuration.tls.truststore.truststoreKey }}
+    graphdb.connector.ssl.truststoreProvider={{ .Values.configuration.tls.truststore.truststoreProvider }}
+    graphdb.connector.ssl.truststoreType={{ .Values.configuration.tls.truststore.truststoreType }}
+    graphdb.connector.ssl.truststorePassword@file={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/truststore/{{ .Values.configuration.tls.truststore.truststorePasswordKey }}
     {{- end }}
     {{- if .Values.configuration.tls.certificateRevocationList.existingSecret}}
     # Tomcat truststore CRL

templates/graphdb/statefulset.yaml

@@ -138,6 +138,9 @@ spec:
                   items:
                     - key: {{ .Values.configuration.tls.keystore.keystoreKey }}
                       path: keystore/{{ .Values.configuration.tls.keystore.keystoreKey }}
+              - secret:
+                  name: {{ coalesce (tpl .Values.configuration.tls.keystore.keystorePasswordSecret .) (tpl .Values.configuration.tls.keystore.existingSecret .) }}
+                  items:
                     - key: {{ .Values.configuration.tls.keystore.keystorePasswordKey }}
                       path: keystore/{{ .Values.configuration.tls.keystore.keystorePasswordKey }}
               {{- end }}
@@ -147,6 +150,9 @@ spec:
                   items:
                     - key: {{ .Values.configuration.tls.truststore.truststoreKey }}
                       path: truststore/{{ .Values.configuration.tls.truststore.truststoreKey }}
+              - secret:
+                  name: {{ coalesce (tpl .Values.configuration.tls.truststore.truststorePasswordSecret .) (tpl .Values.configuration.tls.truststore.existingSecret .) }}
+                  items:
                     - key: {{ .Values.configuration.tls.truststore.truststorePasswordKey }}
                       path: truststore/{{ .Values.configuration.tls.truststore.truststorePasswordKey }}
               {{- end }}
@@ -474,14 +480,14 @@ spec:
           {{- with .Values.securityContext }}
           securityContext: {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.startupProbe }}
-          startupProbe: {{- toYaml . | nindent 12 }}
+          {{- if .Values.startupProbe }}
+          startupProbe: {{- include "graphdb.probes.startup" . | nindent 12 }}
           {{- end }}
-          {{- with .Values.readinessProbe }}
-          readinessProbe: {{- toYaml . | nindent 12 }}
+          {{- if .Values.readinessProbe }}
+          readinessProbe: {{- include "graphdb.probes.readiness" . | nindent 12 }}
           {{- end }}
-          {{- with .Values.livenessProbe }}
-          livenessProbe: {{- toYaml . | nindent 12 }}
+          {{- if .Values.livenessProbe }}
+          livenessProbe: {{- include "graphdb.probes.liveness" . | nindent 12 }}
           {{- end }}
         {{- with .Values.extraContainers }}
           {{ tpl (toYaml .) $ | nindent 8 }}

templates/proxy/configmap-properties.yaml

@@ -18,21 +18,19 @@ data:
     graphdb.proxy.hosts={{ include "graphdb-proxy.cluster.nodes" . }}
     {{- if .Values.configuration.tls.keystore.existingSecret }}
     # Tomcat keystore configurations
-    graphdb.connector.SSLEnabled=true
-    graphdb.connector.scheme=https
-    graphdb.connector.secure=true
-    graphdb.connector.keystoreFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/keystore/{{ .Values.configuration.tls.keystore.keystoreKey }}
-    graphdb.connector.keyAlias={{ .Values.configuration.tls.keystore.keyAlias }}
-    graphdb.connector.keystoreProvider={{ .Values.configuration.tls.keystore.keystoreProvider }}
-    graphdb.connector.keystoreType={{ .Values.configuration.tls.keystore.keystoreType }}
-    graphdb.connector.keystorePass@file={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/keystore/{{ .Values.configuration.tls.keystore.keystorePasswordKey }}
+    graphdb.connector.ssl.enabled=true
+    graphdb.connector.ssl.certificateKeystoreFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/keystore/{{ .Values.configuration.tls.keystore.keystoreKey }}
+    graphdb.connector.ssl.certificateKeyAlias={{ .Values.configuration.tls.keystore.keyAlias }}
+    graphdb.connector.ssl.certificateKeystoreProvider={{ .Values.configuration.tls.keystore.keystoreProvider }}
+    graphdb.connector.ssl.certificateKeystoreType={{ .Values.configuration.tls.keystore.keystoreType }}
+    graphdb.connector.ssl.certificateKeyPassword@file={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/keystore/{{ .Values.configuration.tls.keystore.keystorePasswordKey }}
     {{- end }}
     {{- if .Values.configuration.tls.truststore.existingSecret }}
     # Tomcat truststore configurations
-    graphdb.connector.truststoreFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/truststore/{{ .Values.configuration.tls.truststore.truststoreKey }}
-    graphdb.connector.truststoreProvider={{ .Values.configuration.tls.truststore.truststoreProvider }}
-    graphdb.connector.truststoreType={{ .Values.configuration.tls.truststore.truststoreType }}
-    graphdb.connector.truststorePass@file={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/truststore/{{ .Values.configuration.tls.truststore.truststorePasswordKey }}
+    graphdb.connector.ssl.truststoreFile={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/truststore/{{ .Values.configuration.tls.truststore.truststoreKey }}
+    graphdb.connector.ssl.truststoreProvider={{ .Values.configuration.tls.truststore.truststoreProvider }}
+    graphdb.connector.ssl.truststoreType={{ .Values.configuration.tls.truststore.truststoreType }}
+    graphdb.connector.ssl.truststorePassword@file={{ .Values.configuration.tls.mountPath | trimSuffix "/" }}/truststore/{{ .Values.configuration.tls.truststore.truststorePasswordKey }}
     {{- end }}
     {{- if .Values.configuration.tls.certificateRevocationList.existingSecret}}
     # Tomcat truststore CRL

templates/proxy/statefulset.yaml

@@ -106,6 +106,9 @@ spec:
                   items:
                     - key: {{ .Values.configuration.tls.keystore.keystoreKey }}
                       path: keystore/{{ .Values.configuration.tls.keystore.keystoreKey }}
+              - secret:
+                  name: {{ coalesce (tpl .Values.configuration.tls.keystore.keystorePasswordSecret .) (tpl .Values.configuration.tls.keystore.existingSecret .) }}
+                  items:
                     - key: {{ .Values.configuration.tls.keystore.keystorePasswordKey }}
                       path: keystore/{{ .Values.configuration.tls.keystore.keystorePasswordKey }}
               {{- end }}
@@ -115,6 +118,9 @@ spec:
                   items:
                     - key: {{ .Values.configuration.tls.truststore.truststoreKey }}
                       path: truststore/{{ .Values.configuration.tls.truststore.truststoreKey }}
+              - secret:
+                  name: {{ coalesce (tpl .Values.configuration.tls.truststore.truststorePasswordSecret .) (tpl .Values.configuration.tls.truststore.existingSecret .) }}
+                  items:
                     - key: {{ .Values.configuration.tls.truststore.truststorePasswordKey }}
                       path: truststore/{{ .Values.configuration.tls.truststore.truststorePasswordKey }}
               {{- end }}
@@ -404,14 +410,14 @@ spec:
           {{- with .Values.proxy.securityContext }}
           securityContext: {{- toYaml . | nindent 12 }}
           {{- end }}
-          {{- with .Values.proxy.startupProbe }}
-          startupProbe: {{- toYaml . | nindent 12 }}
+          {{- if .Values.proxy.startupProbe }}
+          startupProbe: {{- include "graphdb-proxy.probes.startup" . | nindent 12 }}
           {{- end }}
-          {{- with .Values.proxy.readinessProbe }}
-          readinessProbe: {{- toYaml . | nindent 12 }}
+          {{- if .Values.proxy.readinessProbe }}
+          readinessProbe: {{- include "graphdb-proxy.probes.readiness" . | nindent 12 }}
           {{- end }}
-          {{- with .Values.proxy.livenessProbe }}
-          livenessProbe: {{- toYaml . | nindent 12 }}
+          {{- if .Values.proxy.livenessProbe }}
+          livenessProbe: {{- include "graphdb-proxy.probes.liveness" . | nindent 12 }}
           {{- end }}
         {{- with .Values.proxy.extraContainers }}
           {{ tpl (toYaml .) $ | nindent 8 }}

values.yaml

@@ -241,6 +241,9 @@ configuration:
       existingSecret: ""
       # Key in the existing Secret that holds the keystore file where you have stored the server certificate and key to be loaded.
       keystoreKey: keystore.jks
+      # Reference to an existing Secret resource containing the keystore password.
+      # If not provided, the chart defaults to keystore.existingSecret
+      keystorePasswordSecret: ""
       # Key in the existing Secret that holds the password to use to access the keystore containing
       # the server's private key and certificate.
       keystorePasswordKey: keystore_password
@@ -257,6 +260,9 @@ configuration:
       existingSecret: ""
       # Key in the existing Secret that holds the trust store file to use to validate client certificates.
       truststoreKey: truststore.jks
+      # Reference to an existing Secret resource containing the truststore password.
+      # If not provided, the chart defaults to truststore.existingSecret
+      truststorePasswordSecret: ""
       # Key in the existing Secret that holds the password to access the trust store.
       truststorePasswordKey: truststore_password
       # The name of the truststore provider to be used for the server certificate.