Adding proxy user tls cert and key files upport.

impl #22 Signed-off-by: Vincent Du <[email protected]>
zilliztech · Oct 8, 2023 · 491289b · 491289b
1 parent e0cbc1a
commit 491289b
Show file tree

Hide file tree

Showing 6 changed files with 124 additions and 3 deletions.
diff --git a/charts/milvus/Chart.yaml b/charts/milvus/Chart.yaml
@@ -3,7 +3,7 @@ name: milvus
 appVersion: "2.3.1"
 kubeVersion: "^1.10.0-0"
 description: Milvus is an open-source vector database built to power AI applications and vector similarity search.
-version: 4.1.3
+version: 4.1.5
 keywords:
   - milvus
   - elastic

diff --git a/charts/milvus/README.md b/charts/milvus/README.md
@@ -125,6 +125,52 @@ helm install my-release milvus/milvus --set log.persistence.enabled=true --set l
 
 It will output log to `/milvus/logs/` directory.
 
+### Enable proxy tls connection
+By default the TLS connection to proxy service is false, to enable TLS with users' own certificate and privatge key, it can be specified in `extraConfigFiles` like this:
+
+```bash
+extraConfigFiles:
+  user.yaml: |+
+    #  Enable tlsMode and set the tls cert and key
+       tls:
+        serverPemPath: /etc/milvus/certs/tls.crt
+        serverKeyPath: /etc/milvus/certs/tls.key
+       common:
+         security:
+           tlsMode: 1
+
+```
+The path specified above are TLS secret data  mounted inside the proxy pod as files. To create a TLS secret, set `proxy.tls.enabled` to `true` then provide base64-encoded values for your certificate and private key files in values.yaml:
+
+```bash
+proxy:
+  enabled: true
+  tls:
+    enabled: true
+    secretName: milvus-tls
+  #expecting base64 encoded values here: i.e. $(cat tls.crt | base64 -w 0) and $(cat tls.key | base64 -w 0)
+    key: LS0tLS1C....
+    crt: LS0tLS1CR...
+```
+or in cli using --set:
+
+```bash
+  --set proxy.tls.enabled=true \
+  --set prox.tls.key=$(cat /path/to/private_key_file | base64 -w 0) \
+  --set prox.tls.crt=$(cat /path/to/certificate_file | base64 -w 0)
+```
+In case you want to use a different `secretName` or mount path inside pod, modify `prox.tls.secretName` above, and `serverPemPath` and `serverPemPath` in `extraConfigFles `accordingly, then in the `volume` and `volumeMounts` sections in values.yaml
+
+```bash
+  volumes:
+  - secret:
+      secretName: Your-tls-secret-name
+    name: milvus-tls
+  volumeMounts:
+  - mountPath: /Your/tls/files/path/
+    name: milvus-tls
+```
+
 ## Uninstall the Chart
 
 ```bash
@@ -269,8 +315,9 @@ The following table lists the configurable parameters of the Milvus Proxy compon
 | `proxy.heaptrack.enabled`                 | Whether to enable heaptrack                             | `false`                                          |
 | `proxy.profiling.enabled`                 | Whether to enable live profiling                   | `false`                                          |
 | `proxy.extraEnv`                          | Additional Milvus Proxy container environment variables | `[]`                                          |
-| `proxy.http.enabled`                          | Enable rest api for Milvus Proxy | `true`                                          |
-| `proxy.http.debugMode.enabled`                          | Enable debug mode for rest api | `false`                                          |
+| `proxy.http.enabled`                      | Enable rest api for Milvus Proxy | `true`                                          |
+| `proxy.http.debugMode.enabled`            | Enable debug mode for rest api | `false`                                          |
+| `proxy.tls.enabled`                       | Enable porxy tls connection | `false`                                          |
 
 ### Milvus Root Coordinator Deployment Configuration
 

diff --git a/charts/milvus/ci/cluster-values.yaml b/charts/milvus/ci/cluster-values.yaml
@@ -92,3 +92,31 @@ pulsar:
         -XX:+DisableExplicitGC
         -XX:-ResizePLAB
         -XX:+ExitOnOutOfMemoryError
+extraConfigFiles:
+  user.yaml: |+
+    #    For example enable rest http for milvus proxy
+    #    proxy:
+    #      http:
+    #        enabled: true
+    #  Enable tlsMode and set the tls cert and key
+       tls:
+         serverPemPath: /etc/milvus/certs/tls.crt
+         serverKeyPath: /etc/milvus/certs/tls.key
+       common:
+         security:
+           tlsMode: 1
+proxy:
+  # Mount a TLS secret into proxy pod
+  tls:
+    enabled: true
+    secretName: milvus-tls
+  #expecting base64 encoded values here: i.e. $(cat tls.crt | base64 -w 0) and $(cat tls.key | base64 -w 0)
+    key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2QUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktZd2dnU2lBZ0VBQW9JQkFRQ3lJN2Qvbmk1RnhaeGQKTWNsSnRqTUlMMktqeDI0WFRIR2NjZ1NSN3V5Wmc0QVdZME93ZXVMLzNqVGxRMjNOeWxxY3g5cEp5VFZ4Lzg0egptUE1ka1BJTzhyZGF4S2pxNGUzR2ZEZFB4L3dYQTJoNmRGa1k5US9IdjYxaWNZMEJKeWMrUXc2SjFkbC9aZ29UCkNmOVZBUDMvZWVheS80SnNENWhvY3R5cThaZWZ0cW9OdnBTUG9scndUbzd1UDBUU3R2aU0wTFNUdm9tWHo3ZEcKUWRsT2JqbDgycGZKU1pjcTFZekxVNkJqRTBqVDFqVEtqZ2FCTVR3cXBPMk5QNis2RCtkQy9kSEJZOC8zZkp6MApJY2RIbG1pZlhTUFFJMW44TEp2Wm1MUklHZHJLaU5ieWEwdnd5VEs5K2tNV2ttQW84TG1idVNDQzZGUTNYM2VVClJRODFVdWhqQWdNQkFBRUNnZ0VBZUtEOUVuc3dCR2xUZ0R4RmZSZlhLTlRGcS9oUlVZK2ZZM3hHSWZnejJhU1YKcVJOZzgvSFRJOGI1OU1JYmFmNThLNnlkNGRkUnpMZVhqNU1rRmtKZjE4VithZ1hBQ1FZaStJU0hCQXg5WmF3VwpKTTRDdzRhM1ArRkpiTjlOeDVrVzF1K2J1YlRKU3A3emRYOFFteVJIMjZkVmxLSzNVNnVmM2lMaDBSUTJRNXpSCkNjWkFET2Zydzd4TU4vanlkRjM2bTBtVkF1T25wUkhHbWZlU3VkWmtoQlJlY3BqZ0NRbDR6Q2NzQktKRllwTmMKN29LOWVjeTY4bUZ1eloyc1Nscm9JNVdaTHNBVWRDNjZ1OTJaTWY2alZWSG9qQ05BTnRLaHB0VHNKemc3bnBERgo1V1BDZnRGVDR3RkN5d3F6azJacjBQb0owdFRRd3RDVDg3RExqZE92Q1FLQmdRRG4zdDF2Q1VWaGRTZ25oa0V5CjBjQmxXd3ZWblVNeEkwbEZ6b1FQbGxSMTdVaHQ3S3BlWlkvemZOSFhwSzRaQVpva0pGMVBFR0xSSGNpWEdHMTgKWGJqN0FUZkgzalVqY0N1bVphb0VqMzUzUThKR2NGZ1laMnZvRVE0U1M2Tk4rbnR4WkJxTUJXYmVrOWx5a0RmYwowbnc4V1hGR2NpSDFZS3lrd0N2WHBERUVod0tCZ1FERXJXN01lY2hDUnBIZ2c2SldWMTlxNGZSK2NSQnlUTFBzCmgweElkOGYvemVOL0NpSXVJOGVxOWQ1VHZoT0tGK0VOZGI0YnN5R2JhYU9USGhiTFdVeGtmS0FTWFhlVXJLR3cKR2pzUjU5UXF1RkNWcVBaMFUzb3o2UldGV0VRMWxxWFZEMXBVOGZlTFNzbmVBUWo0eUo2THozNkcyWmgySEdRNgpxbVpHNXRuUVJRS0JnSGdFTVZXQjFQbW03SXZZdi9LUUF5ZnpRbUxsTFp4SGlXdXFnMHlXSVUyUTdrYUhrMytjCnppL1gwYjN1clhhZ0Q2clpiN3EyM284aS9Xckg2QlBSWnlmMDcyeHlwY3FjQ3R2c0QxNmc3M0xJRGN6cjVZMXMKS3J4SjU2Q3NxZkI0MEdCVzBpN2J0TzFNVmVjb291R1h5VnByYVdodk53aU5hNDh6TVA1RExHUU5Bb0dBQlAvcgpxeU1GWmpucEIyNFJPR1NzTmtsY0w4S3NDbHZNenh4NVlmWTVqVlVzalZReW5qMm1tNy80VU9TcUZuNlk2QUN3ClBvQUZRTEFreWw2ZmNiZnBhenlIelMrM0ZINTI5Y1VVNzFXWFhTYW1WY2VmekVFN0FBclMwenIxTU8rTmM2Y2EKUXNLTDZteVNTU1I1bCtseHJsZ3QvVHVXMXBuT0tuZWVkZnIwV29rQ2dZQXdRdjlkS2dVWHgwa3ZqWWpQS3NZZwpFYjBwd2ZHQk80bU40NDFmdlJyU0F3YWkvbjUybXJ6RldyUUM4dXdYKzRyQ1Uyc1NGa294QVNNTWdkak0rN3kyCjVQNmJ5Zi9QWnFWcVhCTUg4eEVGR0h6bGxhdUpTUW5YT2wxclJSZDQzR1BjTW90SHdkZm04bGt1TXBxanFwbE4KMUY5WGJ5MlNKOUdINlI5aWJCNTFVQT09Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K
+    crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURpekNDQW5PZ0F3SUJBZ0lVTkNlUXpqdlFraW5Kd1VnUTRxdUcwb3BIQUw0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1l6RUxNQWtHQTFVRUJoTUNRMDR4Q3pBSkJnTlZCQWdNQWtkYU1Rc3dDUVlEVlFRSERBSkhXakVTTUJBRwpBMVVFQ2d3SmNtOXVaWFJvYVc1bk1SSXdFQVlEVlFRTERBbHliMjVsZEdocGJtY3hFakFRQmdOVkJBTU1DV3h2ClkyRnNhRzl6ZERBZUZ3MHlNakExTURFd09EVTNNelJhRncwek1qQTBNamd3T0RVM016UmFNRWt4Q3pBSkJnTlYKQkFZVEFrTk9NUkl3RUFZRFZRUUtEQWx5YjI1bGRHaHBibWN4RWpBUUJnTlZCQXNNQ1hKdmJtVjBhR2x1WnpFUwpNQkFHQTFVRUF3d0piRzlqWVd4b2IzTjBNSUlCSWpBTkJna3Foa2lHOXcwQkFRRUZBQU9DQVE4QU1JSUJDZ0tDCkFRRUFzaU8zZjU0dVJjV2NYVEhKU2JZekNDOWlvOGR1RjB4eG5ISUVrZTdzbVlPQUZtTkRzSHJpLzk0MDVVTnQKemNwYW5NZmFTY2sxY2YvT001anpIWkR5RHZLM1dzU282dUh0eG53M1Q4ZjhGd05vZW5SWkdQVVB4Nyt0WW5HTgpBU2NuUGtNT2lkWFpmMllLRXduL1ZRRDkvM25tc3YrQ2JBK1lhSExjcXZHWG43YXFEYjZVajZKYThFNk83ajlFCjByYjRqTkMwazc2Smw4KzNSa0haVG00NWZOcVh5VW1YS3RXTXkxT2dZeE5JMDlZMHlvNEdnVEU4S3FUdGpUK3YKdWcvblF2M1J3V1BQOTN5YzlDSEhSNVpvbjEwajBDTlovQ3liMlppMFNCbmF5b2pXOG10TDhNa3l2ZnBERnBKZwpLUEM1bTdrZ2d1aFVOMTkzbEVVUE5WTG9Zd0lEQVFBQm8xRXdUekFKQmdOVkhSTUVBakFBTUFzR0ExVWREd1FFCkF3SUY0REExQmdOVkhSRUVMakFzZ2dsc2IyTmhiR2h2YzNTQ0Rpb3VjbTl1WlhSb2FXNW5MbU51Z2c4cUxuSnYKYm1WMGFHbHVaeTVqYjIwd0RRWUpLb1pJaHZjTkFRRUxCUUFEZ2dFQkFHMThzczNzTkpqTFhNdjlXbStkQnZNUQpla0dGdW5aM3VuTjY0MVJ4R3BVV2piVWo5NjN3b1h4OGVpTDZsSkZLaVU1MmFYckZSNCs2QlowdGJSc0x6NGU0CnBtQ2RPejRtQ2xtTlNrNm1TU3o3Vzh0bmh6K2gxanFVenA1d2hBaDFHajVRZGF1VHpnY0xGeEJ3M1BXVHQ4dHAKNHhHSXVad0FXeUI5TUhYTWtCdHNkaVAvb1VFb1ZYWUMyU0ErbzdkV3IwZDl3MEs2QkEwMFRaUitPSHNjZnBHUwprMGFEMUN1OGZ4aWNjblk3amNCTXovMnZWZzNMem9lVXFMN1RaYnBhbi9qek81RkFNVm9pMjFVRndFUWJCWU1iCnlVYlBlaTA2MEpRL3U3SDZDUjlPQ0NIS3NEdnRwSWZncGVBbWpjdUZTQ0YrUTNjSFRBc3RIcmxaV2FPQ05PND0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
+  volumes:
+  - secret:
+      secretName: milvus-tls
+    name: milvus-tls
+  volumeMounts:
+  - mountPath: /etc/milvus/certs/
+    name: milvus-tls
diff --git a/charts/milvus/templates/proxy-deployment.yaml b/charts/milvus/templates/proxy-deployment.yaml
@@ -126,6 +126,9 @@ spec:
         {{- end }}
         - mountPath: /milvus/tools
           name: tools
+        {{- if .Values.proxy.volumeMounts }}
+          {{- toYaml .Values.proxy.volumeMounts | nindent 8 }}
+        {{- end}}
 
     {{- if and (.Values.nodeSelector) (not .Values.proxy.nodeSelector) }}
       nodeSelector:
@@ -163,4 +166,8 @@ spec:
       {{- end }}
       - name: tools
         emptyDir: {}
+      {{- if .Values.proxy.volumes }}
+{{ toYaml .Values.proxy.volumes | indent 6 }}
+      {{- end}}
+
 {{- end }}
diff --git a/charts/milvus/templates/proxy-tls-secret.yaml b/charts/milvus/templates/proxy-tls-secret.yaml
@@ -0,0 +1,16 @@
+{{- if and (.Values.proxy.tls) (.Values.proxy.tls.enabled) }}
+
+{{- if and (.Values.proxy.tls.crt) (.Values.proxy.tls.key) }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.proxy.tls.secretName }}
+data:
+  tls.crt: {{ .Values.proxy.tls.crt }}
+  tls.key: {{ .Values.proxy.tls.key }}
+type: kubernetes.io/tls
+{{- end }}
+
+{{- end -}}
+
diff --git a/charts/milvus/values.yaml b/charts/milvus/values.yaml
@@ -50,6 +50,13 @@ extraConfigFiles:
     #    proxy:
     #      http:
     #        enabled: true
+    ##  Enable tlsMode and set the tls cert and key
+    #  tls:
+    #    serverPemPath: /etc/milvus/certs/tls.crt
+    #    serverKeyPath: /etc/milvus/certs/tls.key
+    #   common:
+    #     security:
+    #       tlsMode: 1
 
 ## Expose the Milvus service to be accessed from outside the cluster (LoadBalancer service).
 ## or access it from within the cluster (ClusterIP service). Set the service type and the port to serve it.
@@ -229,6 +236,22 @@ proxy:
     enabled: true  # whether to enable http rest server
     debugMode:
       enabled: false
+  # Mount a TLS secret into proxy pod
+  tls:
+    enabled: false
+## when enabling proxy.tls, all items below should be uncommented and the key and crt values should be populated.
+#    enabled: true
+#    secretName: milvus-tls
+## expecting base64 encoded values here: i.e. $(cat tls.crt | base64 -w 0) and $(cat tls.key | base64 -w 0)
+#    key: LS0tLS1CRUdJTiBQU--REDUCT
+#    crt: LS0tLS1CRUdJTiBDR--REDUCT
+#  volumes:
+#  - secret:
+#      secretName: milvus-tls
+#    name: milvus-tls
+#  volumeMounts:
+#  - mountPath: /etc/milvus/certs/
+#    name: milvus-tls
 
 rootCoordinator:
   enabled: true