[bitnami/solr] Add support for autogenerated certs (#6645)

* [bitnami/solr] Add support for autogenerated certs * Include changes requested * Move resources from tls.image.resources to tls.resources * Delete tls.image dependency to use solr default one * Delete solr.tls.image helper function * Include tls resources to use them in the initContainer init-certs * Include truststore and keystore keys and an auto generate secret to use it * Remove unneeded check in solr.tlsPasswordsSecret helper function
2026-03-15 14:57:16 +08:00 · 2021-06-17 12:09:10 +02:00
parent 3cb886ef78
commit 00b1ad4fc8
7 changed files with 184 additions and 9 deletions
--- a/bitnami/solr/templates/_helpers.tpl
+++ b/bitnami/solr/templates/_helpers.tpl
@@ -82,3 +82,36 @@ Return  the proper Storage Class
 {{- printf "%s-%s" .Release.Name "zookeeper" -}}:{{- .Values.zookeeper.port -}}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Return true if a TLS secret object should be created
+*/}}
+{{- define "solr.createTlsSecret" -}}
+{{- if and .Values.tls.enabled .Values.tls.autoGenerated }}
+    {{- true -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return the Solr TLS credentials secret
+*/}}
+{{- define "solr.tlsSecretName" -}}
+{{- $secretName := .Values.tls.certificatesSecretName -}}
+{{- if $secretName -}}
+    {{- printf "%s" (tpl $secretName $) -}}
+{{- else -}}
+    {{- printf "%s-crt" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Return true if a TLS credentials secret object should be created
+*/}}
+{{- define "solr.tlsPasswordsSecret" -}}
+{{- $secretName := .Values.tls.passwordsSecretName -}}
+{{- if $secretName -}}
+    {{- printf "%s" (tpl $secretName $) -}}
+{{- else -}}
+    {{- printf "%s-tls-pass" (include "common.names.fullname" .) -}}
+{{- end -}}
+{{- end -}}
--- a/bitnami/solr/templates/secret.yaml
+++ b/bitnami/solr/templates/secret.yaml
@@ -18,4 +18,28 @@ data:
  {{ else }}
  solr-password: {{ randAlphaNum 10 | b64enc | quote }}
  {{ end }}
-{{- end }}
+---
+{{- end }}
+{{- if and .Values.tls.enabled (not .Values.tls.passwordsSecretName) (or .Values.tls.keystorePassword .Values.tls.truststorePassword .Values.tls.autoGenerated) -}}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ printf "%s-tls-pass" (include "common.names.fullname" .) }}
+  namespace: {{ .Release.Namespace | quote }}
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: Opaque
+data:
+  {{- if or .Values.tls.keystorePassword .Values.tls.autoGenerated }}
+  tls-keystore-password: {{ (.Values.tls.keystorePassword | default (randAlphaNum 10)) | b64enc | quote }}
+  {{- end }}
+  {{- if or .Values.tls.truststorePassword .Values.tls.autoGenerated }}
+  tls-truststore-password: {{ (.Values.tls.truststorePassword | default (randAlphaNum 10))| b64enc | quote }}
+  {{- end }}
+---
+{{- end }}
--- a/bitnami/solr/templates/statefulset.yaml
+++ b/bitnami/solr/templates/statefulset.yaml
@@ -84,6 +84,61 @@ spec:
        {{- if .Values.initContainers }}
          {{- include "common.tplvalues.render" (dict "value" .Values.initContainers "context" $) | nindent 8 }}
        {{- end }}
+        {{- if .Values.tls.enabled}}
+        {{- $fullname := include "solr.fullname" . }}
+        - name: init-certs
+          image: {{ include "solr.image" . }}
+          imagePullPolicy: {{ .Values.image.pullPolicy | quote }}
+          {{- if .Values.containerSecurityContext.enabled }}
+          securityContext: {{- omit .Values.containerSecurityContext "enabled" | toYaml | nindent 12 }}
+          {{- end }}
+          command:
+          - /bin/bash
+          - -ec
+          - |-
+            if [[ -f "/certs/ca.crt" ]] && [[ -f "/certs/tls.key" ]] && [[ -f "/certs/tls.crt" ]]; then
+              openssl pkcs12 -export -in "/certs/tls.crt" \
+                  -inkey "/certs/tls.key" -out "/tmp/keystore.p12" \
+                  -passin pass:"/certs/tls.key" -passout pass:"${SOLR_SSL_KEY_STORE_PASSWORD}"
+
+              keytool -importkeystore -srckeystore "/tmp/keystore.p12" \
+                  -srcstoretype PKCS12 \
+                  -srcstorepass "${SOLR_SSL_KEY_STORE_PASSWORD}" \
+                  -deststorepass "${SOLR_SSL_KEY_STORE_PASSWORD}" \
+                  -destkeystore "/opt/bitnami/solr/certs/keystore.p12"
+
+              rm "/tmp/keystore.p12"
+
+              keytool -import -file "/certs/ca.crt" -keystore "/opt/bitnami/solr/certs/truststore.p12" -storepass "${SOLR_SSL_TRUST_STORE_PASSWORD}" -noprompt
+            else
+              cp "/certs/keystore.p12" "/opt/bitnami/solr/certs/keystore.p12"
+              cp "/certs/truststore.p12" "/opt/bitnami/solr/certs/truststore.p12"
+            fi
+          env:
+          - name: MY_POD_NAME
+            valueFrom:
+              fieldRef:
+                apiVersion: v1
+                fieldPath: metadata.name
+          - name: SOLR_SSL_KEY_STORE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "solr.tlsPasswordsSecret" . }}
+                key: tls-keystore-password
+          - name: SOLR_SSL_TRUST_STORE_PASSWORD
+            valueFrom:
+              secretKeyRef:
+                name: {{ include "solr.tlsPasswordsSecret" . }}
+                key: tls-truststore-password
+          {{- if .Values.resources }}
+          resources: {{- include "common.tplvalues.render" (dict "value" .Values.tls.resources "context" $) | nindent 12 }}
+          {{- end }}
+          volumeMounts:
+          - name: certs
+            mountPath: '/certs'
+          - name: certs-shared
+            mountPath: '/opt/bitnami/solr/certs'
+        {{- end }}
      containers:
        - name: solr
          image: {{ include "solr.image" . }}
@@ -162,19 +217,25 @@ spec:
            {{- if .Values.tls.enabled }}
            - name: SOLR_SSL_ENABLED
              value: "yes"
+            {{- if (include "solr.createTlsSecret" .) }}
+            - name: SOLR_SSL_KEY_STORE_TYPE
+              value: "JKS"
+            - name: SOLR_SSL_TRUST_STORE_TYPE
+              value: "JKS"
+            {{- end }}
            - name: SOLR_SSL_KEY_STORE
              value: /opt/bitnami/solr/certs/keystore.p12
            - name: SOLR_SSL_KEY_STORE_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: {{ .Values.tls.passwordsSecretName | quote }}
+                  name: {{ include "solr.tlsPasswordsSecret" . }}
                  key: tls-keystore-password
            - name: SOLR_SSL_TRUST_STORE
              value: /opt/bitnami/solr/certs/truststore.p12
            - name: SOLR_SSL_TRUST_STORE_PASSWORD
              valueFrom:
                secretKeyRef:
-                  name: {{ .Values.tls.passwordsSecretName | quote }}
+                  name: {{ include "solr.tlsPasswordsSecret" . }}
                  key: tls-truststore-password
            - name: SOLR_SSL_CHECK_PEER_NAME
              value: "false"
@@ -236,10 +297,11 @@ spec:
          volumeMounts:
            - name: data
              mountPath: {{ .Values.persistence.mountPath }}
-            {{- if .Values.tls.certificatesSecretName }}
-            - name: certs
+            {{- if .Values.tls.enabled }}
+            - name: certs-shared
              mountPath: '/opt/bitnami/solr/certs'
-              readOnly: true
+            - name: certs
+              mountPath: '/certs'
            {{- end }}

          {{- if .Values.extraVolumeMounts }}
@@ -260,10 +322,12 @@ spec:
        - name: data
          emptyDir: {}
        {{- end }}
-        {{- if .Values.tls.certificatesSecretName }}
+        {{- if .Values.tls.enabled }}
        - name: certs
          secret:
-            secretName: {{ .Values.tls.certificatesSecretName }}
+            secretName: {{ include "solr.tlsSecretName" . }}
+        - name: certs-shared
+          emptyDir: {}
        {{- end }}
  {{- if and .Values.persistence.enabled (not .Values.persistence.existingClaim) }}
  volumeClaimTemplates:
--- a/bitnami/solr/templates/tls-auto-secrets.yaml
+++ b/bitnami/solr/templates/tls-auto-secrets.yaml
@@ -0,0 +1,25 @@
+{{- if (include "solr.createTlsSecret" .) }}
+{{- $ca := genCA "solr-ca" 365 }}
+{{- $releaseNamespace := .Release.Namespace }}
+{{- $clusterDomain := .Values.clusterDomain }}
+{{- $serviceName := include "common.names.fullname" . }}
+{{- $headlessServiceName := printf "%s-headless" (include "common.names.fullname" .) }}
+{{- $altNames := list (printf "*.%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $serviceName $releaseNamespace $clusterDomain) (printf "*.%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) (printf "%s.%s.svc.%s" $headlessServiceName $releaseNamespace $clusterDomain) $serviceName }}
+{{- $crt := genSignedCert $serviceName nil $altNames 365 $ca }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "common.names.fullname" . }}-crt
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+    {{- if .Values.commonLabels }}
+    {{- include "common.tplvalues.render" ( dict "value" .Values.commonLabels "context" $ ) | nindent 4 }}
+    {{- end }}
+  {{- if .Values.commonAnnotations }}
+  annotations: {{- include "common.tplvalues.render" ( dict "value" .Values.commonAnnotations "context" $ ) | nindent 4 }}
+  {{- end }}
+type: kubernetes.io/tls
+data:
+  ca.crt: {{ $ca.Cert | b64enc | quote }}
+  tls.crt: {{ $crt.Cert | b64enc | quote }}
+  tls.key: {{ $crt.Key | b64enc | quote }}
+{{- end }}