[bitnami/solr] Add support for autogenerated certs (#6645)

* [bitnami/solr] Add support for autogenerated certs * Include changes requested * Move resources from tls.image.resources to tls.resources * Delete tls.image dependency to use solr default one * Delete solr.tls.image helper function * Include tls resources to use them in the initContainer init-certs * Include truststore and keystore keys and an auto generate secret to use it * Remove unneeded check in solr.tlsPasswordsSecret helper function
2026-03-07 16:17:21 +08:00 · 2021-06-17 12:09:10 +02:00
parent 3cb886ef78
commit 00b1ad4fc8
7 changed files with 184 additions and 9 deletions
--- a/bitnami/solr/Chart.yaml
+++ b/bitnami/solr/Chart.yaml
@@ -27,4 +27,4 @@ name: solr
 sources:
  - https://github.com/bitnami/bitnami-docker-solr
  - https://lucene.apache.org/solr/
-version: 0.3.5
+version: 0.4.0
--- a/bitnami/solr/README.md
+++ b/bitnami/solr/README.md
@@ -158,8 +158,14 @@ The following tables lists the configurable parameters of the solr chart and the
 | Parameter                              | Description                                                  | Default                            |
 | -------------------------------------- | ------------------------------------------------------------ | ---------------------------------- |
 | `tls.enabled`                          | Enable the TLS/SSL configuration                             | `false`                            |
+| `tls.autoGenerated`                    | Generate automatically self-signed TLS certificates          | `false`                            |
 | `tls.certificatesSecretName`           | Set the name of the secret that contains the certificates. It should contains two keys called "keystore.p12" and "truststore.12"                                                  | `nil`                             |
 | `tls.passwordsSecretName`              | Set the name of the secret that contains the passwords for the certificate files. It should contains two keys called "tls-keystore-password" and "tls-truststore-password".       | `nil`                             |
+| `tls.keystorePassword`                 | Password to access KeyStore if needed                                                                                                                                            | `nil`                              |
+| `tls.truststorePassword`               | Password to access TrustStore if needed                                                                                                                                          | `nil`                              |
+| `tls.resources.limits`                 | The resources limits for the TLS init container                                                                                                                                  | `{}`                               |
+| `tls.resources.requests`               | The requested resources for the TLS init container                                                                                                                               | `{}`                               |
+

 ### Solr Traffic Exposure Parameters

--- a/bitnami/solr/templates/_helpers.tpl
+++ b/bitnami/solr/templates/_helpers.tpl
@@ -82,3 +82,36 @@ Return  the proper Storage Class
 {{- printf "%s-%s" .Release.Name "zookeeper" -}}:{{- .Values.zookeeper.port -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return true if a TLS secret object should be created
+*/}}
+{{- define "solr.createTlsSecret" -}}
+{{- if and .Values.tls.enabled .Values.tls.autoGenerated }}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the Solr TLS credentials secret
+*/}}
+{{- define "solr.tlsSecretName" -}}
+{{- $secretName := .Values.tls.certificatesSecretName -}}
+{{- if $secretName -}}
+    {{- printf "%s" (tpl $secretName $) -}}
+{{- else -}}
+    {{- printf "%s-crt" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a TLS credentials secret object should be created
+*/}}
+{{- define "solr.tlsPasswordsSecret" -}}
+{{- $secretName := .Values.tls.passwordsSecretName -}}
+{{- if $secretName -}}
+    {{- printf "%s" (tpl $secretName $) -}}
+{{- else -}}
+    {{- printf "%s-tls-pass" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
--- a/bitnami/solr/templates/secret.yaml
+++ b/bitnami/solr/templates/secret.yaml
@@ -18,4 +18,28 @@ data:
  {{ else }}
  solr-password: {{ randAlphaNum 10 | b64enc | quote }}
  {{ end }}
-{{- end }}
+---
+{{- end }}
+{{- if and .Values.tls.enabled (not .Values.tls.passwordsSecretName) (or .Values.tls.keystorePassword .Values.tls.truststorePassword .Values.tls.autoGenerated) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-tls-pass" (include "common.names.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: Opaque
+data:
+  {{- if or .Values.tls.keystorePassword .Values.tls.autoGenerated }}
+  tls-keystore-password: {{ (.Values.tls.keystorePassword | default (randAlphaNum 10)) | b64enc | quote }}
+  {{- end }}
+  {{- if or .Values.tls.truststorePassword .Values.tls.autoGenerated }}
+  tls-truststore-password: {{ (.Values.tls.truststorePassword | default (randAlphaNum 10))| b64enc | quote }}
+  {{- end }}
+---
+{{- end }}
--- a/bitnami/solr/templates/statefulset.yaml
+++ b/bitnami/solr/templates/statefulset.yaml
@@ -84,6 +84,61 @@ spec:
        {{- if .Values.initContainers }}
          {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
        {{- end }}
+        {{- if .Values.tls.enabled}}
+        {{- $fullname := include "solr.fullname" . }}
+        - name: init-certs
+          image: {{ include "solr.image" . }}
+          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          command:
+          - /bin/bash
+          - -ec
+          - |-
+            if [[ -f "/certs/ca.crt" ]] && [[ -f "/certs/tls.key" ]] && [[ -f "/certs/tls.crt" ]]; then
+              openssl pkcs12 -export -in "/certs/tls.crt" \
+                  -inkey "/certs/tls.key" -out "/tmp/keystore.p12" \
+                  -passin pass:"/certs/tls.key" -passout pass:"${SOLR_SSL_KEY_STORE_PASSWORD}"
+
+              keytool -importkeystore -srckeystore "/tmp/keystore.p12" \
+                  -srcstoretype PKCS12 \
+                  -srcstorepass "${SOLR_SSL_KEY_STORE_PASSWORD}" \
+                  -deststorepass "${SOLR_SSL_KEY_STORE_PASSWORD}" \
+                  -destkeystore "/opt/bitnami/solr/certs/keystore.p12"
+
+              rm "/tmp/keystore.p12"
+
+              keytool -import -file "/certs/ca.crt" -keystore "/opt/bitnami/solr/certs/truststore.p12" -storepass "${SOLR_SSL_TRUST_STORE_PASSWORD}" -noprompt
+            else
+              cp "/certs/keystore.p12" "/opt/bitnami/solr/certs/keystore.p12"
+              cp "/certs/truststore.p12" "/opt/bitnami/solr/certs/truststore.p12"
+            fi
+          env:
+          - name: MY_POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: SOLR_SSL_KEY_STORE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "solr.tlsPasswordsSecret" . }}
+                key: tls-keystore-password
+          - name: SOLR_SSL_TRUST_STORE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "solr.tlsPasswordsSecret" . }}
+                key: tls-truststore-password
+          {{- if .Values.resources }}
+          resources: {{- include "common.tplvalues.render" (dict "value" .Values.tls.resources "context" $) | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+          - name: certs
+            mountPath: '/certs'
+          - name: certs-shared
+            mountPath: '/opt/bitnami/solr/certs'
+        {{- end }}
      containers:
        - name: solr
          image: {{ include "solr.image" . }}
@@ -162,19 +217,25 @@ spec:
            {{- if .Values.tls.enabled }}
            - name: SOLR_SSL_ENABLED
              value: "yes"
+            {{- if (include "solr.createTlsSecret" .) }}
+            - name: SOLR_SSL_KEY_STORE_TYPE
+              value: "JKS"
+            - name: SOLR_SSL_TRUST_STORE_TYPE
+              value: "JKS"
+            {{- end }}
            - name: SOLR_SSL_KEY_STORE
              value: /opt/bitnami/solr/certs/keystore.p12
            - name: SOLR_SSL_KEY_STORE_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: {{ .Values.tls.passwordsSecretName | quote }}
+                  name: {{ include "solr.tlsPasswordsSecret" . }}
                  key: tls-keystore-password
            - name: SOLR_SSL_TRUST_STORE
              value: /opt/bitnami/solr/certs/truststore.p12
            - name: SOLR_SSL_TRUST_STORE_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: {{ .Values.tls.passwordsSecretName | quote }}
+                  name: {{ include "solr.tlsPasswordsSecret" . }}
                  key: tls-truststore-password
            - name: SOLR_SSL_CHECK_PEER_NAME
              value: "false"
@@ -236,10 +297,11 @@ spec:
          volumeMounts:
            - name: data
              mountPath: {{ .Values.persistence.mountPath }}
-            {{- if .Values.tls.certificatesSecretName }}
-            - name: certs
+            {{- if .Values.tls.enabled }}
+            - name: certs-shared
              mountPath: '/opt/bitnami/solr/certs'
-              readOnly: true
+            - name: certs
+              mountPath: '/certs'
            {{- end }}

          {{- if .Values.extraVolumeMounts }}
@@ -260,10 +322,12 @@ spec:
        - name: data
          emptyDir: {}
        {{- end }}
-        {{- if .Values.tls.certificatesSecretName }}
+        {{- if .Values.tls.enabled }}
        - name: certs
          secret:
-            secretName: {{ .Values.tls.certificatesSecretName }}
+            secretName: {{ include "solr.tlsSecretName" . }}
+        - name: certs-shared
+          emptyDir: {}
        {{- end }}
  {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
  volumeClaimTemplates:
--- a/bitnami/solr/templates/tls-auto-secrets.yaml
+++ b/bitnami/solr/templates/tls-auto-secrets.yaml
@@ -0,0 +1,25 @@
+{{- if (include "solr.createTlsSecret" .) }}
+{{- $ca := genCA "solr-ca" 365 }}
+{{- $releaseNamespace := .Release.Namespace }}
+{{- $clusterDomain := .Values.clusterDomain }}
+{{- $serviceName := include "common.names.fullname" . }}
+{{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) }}
+{{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) $serviceName }}
+{{- $crt := genSignedCert $serviceName nil $altNames 365 $ca }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "common.names.fullname" . }}-crt
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ $ca.Cert | b64enc | quote }}
+  tls.crt: {{ $crt.Cert | b64enc | quote }}
+  tls.key: {{ $crt.Key | b64enc | quote }}
+{{- end }}
--- a/bitnami/solr/values.yaml
+++ b/bitnami/solr/values.yaml
@@ -147,6 +147,9 @@ authentication:
 tls:
  ## Enable TLS traffic
  enabled: false
+  ## Create self-signed TLS certificates. Currently only supports PEM certificates.
+  ##
+  autoGenerated: false
  ## Name of the secret that contains the certificates
  ## It should contains two keys called "keystore.p12" and "trustore.p12" with the files in JKS or P12 format.
  ##   certificatesSecretName: cert-files
@@ -157,6 +160,26 @@ tls:
  ## passwordsSecretName: my-passwords
  # passwordsSecretName:

+  ## Keystore and Truststore Password
+  ##
+  keystorePassword: ''
+  truststorePassword: ''
+
+  resources:
+    ## We usually recommend not to specify default resources and to leave this as a conscious
+    ## choice for the user. This also increases chances charts run on environments with little
+    ## resources, such as Minikube. If you do want to specify resources, uncomment the following
+    ## lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    ##
+    limits: {}
+    ##   cpu: 100m
+    ##   memory: 128Mi
+    ##
+    requests: {}
+    ##   cpu: 100m
+    ##   memory: 128Mi
+    ##
+
 ## Container Command (set to default if not set).
 ##
 command: []