WIP: Add full TLS support #300

Open: wants to merge 27 commits into base: main
27 commits
fbce18a  WIP: Prepare internal https support (micheelengronne, Feb 5, 2025)
7213cbe  Add more params to https handling (micheelengronne, Feb 5, 2025)
a542c5b  indentation (micheelengronne, Feb 5, 2025)
dcec332  Add tlsPort for service (micheelengronne, Feb 5, 2025)
bfd8153  add services ports (micheelengronne, Feb 6, 2025)
d83edbe  same logic for http and https ports (micheelengronne, Feb 6, 2025)
1959173  small doc (micheelengronne, Feb 6, 2025)
5503105  correct port bindings (micheelengronne, Feb 6, 2025)
e0c46c5  ingress tlsService (micheelengronne, Feb 6, 2025)
fcf4ce0  out of loop typo (micheelengronne, Feb 6, 2025)
fe9fbb7  doc for ingress and tls (micheelengronne, Feb 6, 2025)
7b8b6b6  http-server.process-forwarded enabled with ingress (micheelengronne, Feb 6, 2025)
2938137  test validate values (micheelengronne, Feb 6, 2025)
166f937  debug validation (micheelengronne, Feb 6, 2025)
65c1e9d  add validations for all tls variables (micheelengronne, Feb 6, 2025)
d1af4d6  test https only (micheelengronne, Feb 6, 2025)
6b82304  livenessProbe port (micheelengronne, Feb 6, 2025)
00be2b3  livenessProbe scheme missing (micheelengronne, Feb 6, 2025)
6a44da9  test discovery.uri with ip (micheelengronne, Feb 6, 2025)
4a20b12  typo (micheelengronne, Feb 6, 2025)
be49cc4  fullnameEnv specific template (micheelengronne, Feb 6, 2025)
a3c7cb2  hostname validation unchecked (micheelengronne, Feb 6, 2025)
55d2314  softcoded TLS passwords (micheelengronne, Feb 6, 2025)
6e7ee30  check Values.env emptiness (micheelengronne, Feb 6, 2025)
1c2655d  tpl secrets call (micheelengronne, Feb 6, 2025)
fee1a3e  typo (micheelengronne, Feb 6, 2025)
5a492cc  Merge branch 'main' into patch-1 (micheelengronne, Feb 18, 2025)
2 changes: 2 additions & 0 deletions charts/trino/templates/NOTES.txt
Expand Up @@ -8,3 +8,5 @@ Get the application URL by running these commands:
echo "Visit http://127.0.0.1:8080 to use your application"
kubectl port-forward $POD_NAME 8080:8080
{{- end }}

{{- include "trino.validateValues" . }}
69 changes: 69 additions & 0 deletions charts/trino/templates/_helpers.tpl
Expand Up @@ -24,6 +24,19 @@ If release name contains chart name it will be used as a full name.
{{- end }}
{{- end }}

{{- define "trino.fullnameEnv" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" | upper | replace "-" "_" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if hasPrefix .Release.Name $name }}
{{- $name | trunc 63 | trimSuffix "-" | upper | replace "-" "_" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" | upper | replace "-" "_" }}
{{- end }}
{{- end }}
{{- end }}

{{/*
Create chart name and version as used by the chart label.
*/}}
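Review bot: the branch condition in `trino.fullnameEnv` (`{{- if hasPrefix .Release.Name $name }}`) does not mirror `trino.fullname`, whose documented rule is "if release name contains chart name it will be used as a full name", so the env-safe name can diverge from the resource name it is meant to encode. For release `trino-prod` and chart `trino`, `trino.fullname` yields `trino-prod` while this helper falls into the `else` branch and yields `TRINO_PROD_TRINO`. Use the same test as `trino.fullname` (`contains $name .Release.Name`) and the same branch bodies, then apply `upper | replace "-" "_"` once on the result; dots, which are legal in release names but not in env var names, should be replaced as well. A `{{/* ... */}}` doc comment like the neighbouring helpers have would also help, especially since nothing in this diff calls the helper yet.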
Expand Down Expand Up @@ -155,3 +168,59 @@ Create the secret name for the group-provider file
{{- end }}
{{- end }}
{{- end }}

{{/* Compile all validation warnings into a single message and call fail. */}}
{{- define "trino.validateValues" -}}
{{- $messages := list -}}
{{- $messages = append $messages (include "trino.validateValues.ingresstlsservice.enabled" .) -}}
{{- $messages = append $messages (include "trino.validateValues.internal.enabled" .) -}}
{{- $messages = append $messages (include "trino.validateValues.httpsonly.enabled" .) -}}
{{- $messages = append $messages (include "trino.validateValues.httpsonly.internal" .) -}}
{{- $messages = append $messages (include "trino.validateValues.httpsonly.ingresstlsservice" .) -}}
{{- $messages = without $messages "" -}}
{{- $message := join "\n" $messages -}}

{{- if $message -}}
{{- printf "\nVALUES VALIDATION:\n%s" $message | fail -}}
{{- end -}}
{{- end -}}

{{/* Validate value of .Values.server.config.https.enabled for .Values.ingress.tlsService */}}
{{- define "trino.validateValues.ingresstlsservice.enabled" -}}
{{- if and .Values.ingress.tlsService (not .Values.server.config.https.enabled) -}}
trino: .Values.ingress.tlsService
`.Values.ingress.tlsService` requires `.Values.server.config.https.enabled`
{{- end -}}
{{- end -}}

{{/* Validate value of .Values.server.config.https.enabled for .Values.server.config.https.internal */}}
{{- define "trino.validateValues.internal.enabled" -}}
{{- if and .Values.server.config.https.internal (not .Values.server.config.https.enabled) -}}
trino: .Values.server.config.https.internal
`.Values.server.config.https.internal` requires `.Values.server.config.https.enabled`
{{- end -}}
{{- end -}}

{{/* Validate value of .Values.server.config.https.enabled for .Values.server.config.https.only */}}
{{- define "trino.validateValues.httpsonly.enabled" -}}
{{- if and .Values.server.config.https.only (not .Values.server.config.https.enabled) -}}
trino: .Values.server.config.https.only
`.Values.server.config.https.only` requires `.Values.server.config.https.enabled`
{{- end -}}
{{- end -}}

{{/* Validate value of .Values.server.config.https.internal for .Values.server.config.https.only */}}
{{- define "trino.validateValues.httpsonly.internal" -}}
{{- if and .Values.server.config.https.only (not .Values.server.config.https.internal) -}}
trino: .Values.server.config.https.only
`.Values.server.config.https.only` requires `.Values.server.config.https.internal`
{{- end -}}
{{- end -}}

{{/* Validate value of .Values.ingress.tlsService for .Values.server.config.https.only */}}
{{- define "trino.validateValues.httpsonly.ingresstlsservice" -}}
{{- if and .Values.server.config.https.only (not .Values.ingress.tlsService) -}}
trino: .Values.server.config.https.only
`.Values.server.config.https.only` requires `.Values.ingress.tlsService`
{{- end -}}
{{- end -}}
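Review bot: `trino.validateValues.httpsonly.ingresstlsservice` fails every `https.only` deployment that has no ingress at all, because it only tests `.Values.ingress.tlsService` and never `.Values.ingress.enabled`; the condition should be `{{- if and .Values.server.config.https.only .Values.ingress.enabled (not .Values.ingress.tlsService) -}}` so that `https.only` without an ingress stays a valid combination. The `httpsonly.enabled` check is implied by `httpsonly.internal` plus `internal.enabled` and can stay as a clearer message, but consider adding a check that the `passwordSecretRef.name` values consumed by the deployment templates are non-empty when `https.enabled` (or `https.internal` for workers) is set, since an empty secret name otherwise surfaces only as a rejected manifest.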
55 changes: 49 additions & 6 deletions charts/trino/templates/configmap-coordinator.yaml
Expand Up @@ -51,24 +51,67 @@ data:
config.properties: |
coordinator=true
node-scheduler.include-coordinator={{ .Values.coordinator.config.nodeScheduler.includeCoordinator }}
{{- if .Values.server.config.https.only }}
http-server.http.enabled=false
{{- else }}
http-server.http.port={{ .Values.service.port }}
{{- end }}
{{- if .Values.server.config.https.internal }}
discovery.uri=https://localhost:{{ .Values.service.tlsPort }}
internal-communication.https.required=true
# Taken from https://github.com/trinodb/trino/issues/5230#issuecomment-2062013346
# Not checking the hostnames may seems like an issue but tls works and is already an additional layer
# of security compared to the shared secret
discovery.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
dynamic.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
exchange.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
failure-detector.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
memoryManager.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
node-manager.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
scheduler.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
workerInfo.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
discovery.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
dynamic.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
exchange.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
failure-detector.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
memoryManager.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
node-manager.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
scheduler.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
workerInfo.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
discovery.http-client.https.hostname-verification=false
dynamic.http-client.https.hostname-verification=false
exchange.http-client.https.hostname-verification=false
failure-detector.http-client.https.hostname-verification=false
memoryManager.http-client.https.hostname-verification=false
node-manager.http-client.https.hostname-verification=false
scheduler.http-client.https.hostname-verification=false
workerInfo.http-client.https.hostname-verification=false
{{- else }}
discovery.uri=http://localhost:{{ .Values.service.port }}
{{- end }}
{{- if .Values.server.config.https.enabled }}
http-server.https.enabled=true
http-server.https.port={{ .Values.service.tlsPort }}
http-server.https.keystore.path={{ .Values.server.config.https.keystore.path }}
http-server.https.keystore.key=${ENV:TRINO_HTTPS_KEYSTORE_SECRET}
http-server.https.keymanager.password=${ENV:TRINO_HTTPS_KEYMANAGER_SECRET}
http-server.https.truststore.path={{ .Values.server.config.https.truststore.path }}
http-server.https.truststore.key=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
{{- end }}
{{- if .Values.ingress.enabled }}
http-server.process-forwarded=true
{{- end }}
query.max-memory={{ .Values.server.config.query.maxMemory }}
query.max-memory-per-node={{ .Values.coordinator.config.query.maxMemoryPerNode }}
{{- if .Values.coordinator.config.memory.heapHeadroomPerNode }}
memory.heap-headroom-per-node={{ .Values.coordinator.config.memory.heapHeadroomPerNode }}
{{- end }}
discovery.uri=http://localhost:{{ .Values.service.port }}
{{- if .Values.server.config.authenticationType }}
http-server.authentication.type={{ .Values.server.config.authenticationType }}
{{- end }}
{{- range $configValue := .Values.additionalConfigProperties }}
{{ $configValue }}
{{- end }}
{{- if .Values.server.config.https.enabled }}
http-server.https.enabled=true
http-server.https.port={{ .Values.server.config.https.port }}
http-server.https.keystore.path={{ .Values.server.config.https.keystore.path }}
{{- end }}
{{- if $coordinatorJmx.enabled }}
jmx.rmiregistry.port={{- $coordinatorJmx.registryPort }}
jmx.rmiserver.port={{- $coordinatorJmx.serverPort }}
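Review bot: the eight `*.http-client.https.hostname-verification=false` lines turn internal TLS from "this is the coordinator" into "this is some certificate issued by the CA in the truststore", which is weaker than the in-code comment suggests and should at least be opt-in rather than hard-coded. The reason it is needed here is `discovery.uri=https://localhost:{{ .Values.service.tlsPort }}`: `localhost` will not match a certificate issued for the service name. The worker configmap already uses `https://{{ template "trino.fullname" . }}:{{ .Values.service.tlsPort }}`; doing the same on the coordinator and documenting that the certificate must carry that name as a SAN lets verification stay on, with a value such as `server.config.https.hostnameVerification` (name is a suggestion) for users who really need it off. The 24 per-client lines could also be emitted by a `range` over a list of the client prefixes to keep the two configmaps in sync. Separately, `http-server.process-forwarded=true` makes Trino trust `X-Forwarded-*` headers from any client, which is only safe when the coordinator is reachable solely through the ingress; tying it to its own value rather than to `ingress.enabled` would let operators with a NodePort or LoadBalancer service keep it off. The comment text "may seems like" should read "may seem like".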
30 changes: 29 additions & 1 deletion charts/trino/templates/configmap-worker.yaml
Expand Up @@ -51,13 +51,41 @@ data:

config.properties: |
coordinator=false
{{- if .Values.server.config.https.only }}
http-server.http.enabled=false
{{- else }}
http-server.http.port={{ .Values.service.port }}
{{- end }}
{{- if .Values.server.config.https.internal }}
internal-communication.https.required=true
discovery.uri=https://{{ template "trino.fullname" . }}:{{ .Values.service.tlsPort }}
http-server.https.enabled=true
http-server.https.port={{ .Values.service.tlsPort }}
http-server.https.keystore.path={{ .Values.server.config.https.workers.keystore.path }}
http-server.https.keystore.key=${ENV:TRINO_HTTPS_KEYSTORE_SECRET}
http-server.https.keymanager.password=${ENV:TRINO_HTTPS_KEYMANAGER_SECRET}
http-server.https.truststore.path={{ .Values.server.config.https.truststore.path }}
http-server.https.truststore.key=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
# Taken from https://github.com/trinodb/trino/issues/5230#issuecomment-2062013346
# Not checking the hostnames may seems like an issue but tls works and is already an additional layer
# of security compared to the shared secret
discovery.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
exchange.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
node-manager.http-client.trust-store-path={{ .Values.server.config.https.truststore.path }}
discovery.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
exchange.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
node-manager.http-client.trust-store-password=${ENV:TRINO_HTTPS_TRUSTSTORE_SECRET}
discovery.http-client.https.hostname-verification=false
exchange.http-client.https.hostname-verification=false
node-manager.http-client.https.hostname-verification=false
{{- else }}
discovery.uri=http://{{ template "trino.fullname" . }}:{{ .Values.service.port }}
{{- end }}
query.max-memory={{ .Values.server.config.query.maxMemory }}
query.max-memory-per-node={{ .Values.worker.config.query.maxMemoryPerNode }}
{{- if .Values.worker.config.memory.heapHeadroomPerNode }}
memory.heap-headroom-per-node={{ .Values.worker.config.memory.heapHeadroomPerNode }}
{{- end }}
discovery.uri=http://{{ template "trino.fullname" . }}:{{ .Values.service.port }}
{{- range $configValue := .Values.additionalConfigProperties }}
{{ $configValue }}
{{- end }}
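Review bot: the worker block disables hostname verification for `discovery`, `exchange` and `node-manager` clients even though its `discovery.uri` already points at `{{ template "trino.fullname" . }}`, a name the coordinator certificate can legitimately carry as a SAN, so verification could succeed here without any change to the URI; keep `hostname-verification=false` behind an explicit value instead of hard-coding it. Note also that the worker only opens its HTTPS listener (`http-server.https.enabled=true` under `{{- if .Values.server.config.https.internal }}`) when internal TLS is on, whereas the coordinator keys the listener on `https.enabled`; that asymmetry is fine for the configmap but has to be matched by the worker deployment's `ports` block. Same "may seems" typo in the copied comment.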
35 changes: 35 additions & 0 deletions charts/trino/templates/deployment-coordinator.yaml
@@ -1,4 +1,7 @@
{{- $coordinatorJmx := merge .Values.jmx.coordinator (omit .Values.jmx "coordinator" "worker") -}}
{{- $truststorePasswordSecretRef := .Values.server.config.https.truststore.passwordSecretRef.name -}}
{{- $keystorePasswordSecretRef := .Values.server.config.https.keystore.passwordSecretRef.name -}}
{{- $keymanagerPasswordSecretRef := .Values.server.config.https.keymanager.passwordSecretRef.name -}}
apiVersion: apps/v1
kind: Deployment
metadata:
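Review bot: the three `$...PasswordSecretRef` variables dereference `.Values.server.config.https.truststore.passwordSecretRef.name` and friends unconditionally at the top of the template, so if the `https` subtree (or just `passwordSecretRef`) is omitted from a user's values file, rendering aborts with a nil-pointer error even when `https.enabled` is false. Either guarantee the keys in `values.yaml` and document them as required, or read them inside the `{{- if .Values.server.config.https.enabled }}` block that actually uses them.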
Expand Down Expand Up @@ -134,7 +137,26 @@ spec:
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
env:
{{- if .Values.env }}
{{- toYaml .Values.env | nindent 12 }}
{{- end }}
{{- if .Values.server.config.https.enabled }}
- name: TRINO_HTTPS_TRUSTSTORE_SECRET
valueFrom:
secretKeyRef:
name: {{ tpl $truststorePasswordSecretRef . }}
key: {{ .Values.server.config.https.truststore.passwordSecretRef.key }}
- name: TRINO_HTTPS_KEYSTORE_SECRET
valueFrom:
secretKeyRef:
name: {{ tpl $keystorePasswordSecretRef . }}
key: {{ .Values.server.config.https.keystore.passwordSecretRef.key }}
- name: TRINO_HTTPS_KEYMANAGER_SECRET
valueFrom:
secretKeyRef:
name: {{ tpl $keymanagerPasswordSecretRef . }}
key: {{ .Values.server.config.https.keymanager.passwordSecretRef.key }}
{{- end }}
envFrom:
{{- tpl (toYaml .Values.envFrom) . | nindent 12 }}
volumeMounts:
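Review bot: the secret names go through `tpl` but the `key` fields (`.Values.server.config.https.truststore.passwordSecretRef.key` etc.) do not, so a key that is templated the same way as the name will render literally; apply `tpl` to both or to neither for consistency. Feeding the passwords in as `TRINO_HTTPS_*` env vars and referencing them as `${ENV:...}` in `config.properties` keeps them out of the ConfigMap, which is the right pattern; an empty `name:` from an unset `passwordSecretRef.name` will only fail at apply time, hence the suggestion to validate it in `trino.validateValues`.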
Expand Down Expand Up @@ -194,9 +216,16 @@ spec:
{{- . | toYaml | nindent 12 }}
{{- end }}
ports:
{{- if not .Values.server.config.https.only }}
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
{{- end }}
{{- if .Values.server.config.https.enabled }}
- name: https
containerPort: {{ .Values.service.tlsPort }}
protocol: TCP
{{- end }}
{{- if $coordinatorJmx.enabled }}
- name: jmx-registry
containerPort: {{ $coordinatorJmx.registryPort }}
Expand All @@ -213,7 +242,13 @@ spec:
livenessProbe:
httpGet:
path: /v1/info
{{- if .Values.server.config.https.only }}
port: https
scheme: HTTPS
{{- else }}
port: http
scheme: HTTP
{{- end }}
initialDelaySeconds: {{ .Values.coordinator.livenessProbe.initialDelaySeconds | default 30 }}
periodSeconds: {{ .Values.coordinator.livenessProbe.periodSeconds | default 10 }}
timeoutSeconds: {{ .Values.coordinator.livenessProbe.timeoutSeconds | default 5 }}
39 changes: 39 additions & 0 deletions charts/trino/templates/deployment-worker.yaml
@@ -1,4 +1,7 @@
{{- $workerJmx := merge .Values.jmx.worker (omit .Values.jmx "coordinator" "worker") -}}
{{- $truststorePasswordSecretRef := .Values.server.config.https.truststore.passwordSecretRef.name -}}
{{- $keystorePasswordSecretRef := .Values.server.config.https.workers.keystore.passwordSecretRef.name -}}
{{- $keymanagerPasswordSecretRef := .Values.server.config.https.workers.keymanager.passwordSecretRef.name -}}
{{- if or .Values.server.keda.enabled (gt (int .Values.server.workers) 0) }}
apiVersion: apps/v1
kind: Deployment
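Review bot: as in the coordinator deployment, `$truststorePasswordSecretRef`, `$keystorePasswordSecretRef` and `$keymanagerPasswordSecretRef` are resolved before the `{{- if or .Values.server.keda.enabled ... }}` guard and outside any `https` condition, so a values file without the `https.workers.*.passwordSecretRef` keys breaks rendering even with TLS disabled; move the lookups under `{{- if .Values.server.config.https.internal }}` where they are consumed, or make the keys required and present in `values.yaml`.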
Expand Down Expand Up @@ -120,7 +123,26 @@ spec:
securityContext:
{{- toYaml .Values.containerSecurityContext | nindent 12 }}
env:
{{- if .Values.env }}
{{- toYaml .Values.env | nindent 12 }}
{{- end }}
{{- if .Values.server.config.https.internal }}
- name: TRINO_HTTPS_TRUSTSTORE_SECRET
valueFrom:
secretKeyRef:
name: {{ tpl $truststorePasswordSecretRef . }}
key: {{ .Values.server.config.https.truststore.passwordSecretRef.key }}
- name: TRINO_HTTPS_KEYSTORE_SECRET
valueFrom:
secretKeyRef:
name: {{ tpl $keystorePasswordSecretRef . }}
key: {{ .Values.server.config.https.workers.keystore.passwordSecretRef.key }}
- name: TRINO_HTTPS_KEYMANAGER_SECRET
valueFrom:
secretKeyRef:
name: {{ tpl $keymanagerPasswordSecretRef . }}
key: {{ .Values.server.config.https.workers.keymanager.passwordSecretRef.key }}
{{- end }}
envFrom:
{{- tpl (toYaml .Values.envFrom) . | nindent 12 }}
volumeMounts:
Expand Down Expand Up @@ -168,9 +190,16 @@ spec:
{{- . | toYaml | nindent 12 }}
{{- end }}
ports:
{{- if not .Values.server.config.https.only }}
- name: http
containerPort: {{ .Values.service.port }}
protocol: TCP
{{- end }}
{{- if .Values.server.config.https.enabled }}
- name: https
containerPort: {{ .Values.service.tlsPort }}
protocol: TCP
{{- end }}
{{- if $workerJmx.enabled }}
- name: jmx-registry
containerPort: {{ $workerJmx.registryPort }}
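Review bot: the `https` containerPort is added under `{{- if .Values.server.config.https.enabled }}`, but the worker configmap only enables `http-server.https.enabled=true` under `https.internal`, and the env block in this same file is gated on `https.internal` too. With `https.enabled=true` and `https.internal=false` the worker pod advertises an `https` port that nothing listens on. Gate this block on `.Values.server.config.https.internal` to match the configmap.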
Expand All @@ -187,7 +216,13 @@ spec:
livenessProbe:
httpGet:
path: /v1/info
{{- if .Values.server.config.https.only }}
port: https
scheme: HTTPS
{{- else }}
port: http
scheme: HTTP
{{- end }}
initialDelaySeconds: {{ .Values.worker.livenessProbe.initialDelaySeconds | default 30 }}
periodSeconds: {{ .Values.worker.livenessProbe.periodSeconds | default 10 }}
timeoutSeconds: {{ .Values.worker.livenessProbe.timeoutSeconds | default 5 }}
Expand Down Expand Up @@ -218,7 +253,11 @@ spec:
-d '"SHUTTING_DOWN"'
-H 'Content-type: application/json'
-H 'X-Trino-User: admin'
{{- if .Values.server.config.https.only }}
https://localhost:{{- .Values.service.tlsPort -}}/v1/info/state
{{- else }}
http://localhost:{{- .Values.service.port -}}/v1/info/state
{{- end }}
{{- end }}
resources:
{{- toYaml .Values.worker.resources | nindent 12 }}
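Review bot: switching the preStop `curl` to `https://localhost:{{- .Values.service.tlsPort -}}/v1/info/state` will only work if the part of the command not shown here tells curl to trust the worker's own certificate; by default curl verifies against the system CA bundle, which will not contain the chart's CA, and `localhost` is unlikely to be in the certificate's SANs. Prefer `--cacert` pointing at the mounted CA (or `--resolve`/the service name) over `-k`, so the graceful-shutdown call keeps verifying the endpoint it is talking to; otherwise the pod is deleted without ever reaching `SHUTTING_DOWN`.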
4 changes: 4 additions & 0 deletions charts/trino/templates/ingress.yaml
Expand Up @@ -32,7 +32,11 @@ spec:
service:
name: {{ include "trino.fullname" $ }}
port:
{{- if $.Values.ingress.tlsService }}
number: {{ $.Values.service.tlsPort }}
{{- else }}
number: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
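Review bot: pointing the backend at `$.Values.service.tlsPort` is only half of a TLS backend; most controllers still speak plain HTTP to the upstream unless told otherwise (for ingress-nginx the annotation `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` is required), so `tlsService: true` without that annotation yields a TLS handshake failure at the coordinator. Document the controller-specific annotation next to `ingress.tlsService`, and note that the controller will usually not verify the coordinator's certificate unless configured to.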
8 changes: 8 additions & 0 deletions charts/trino/templates/service-coordinator.yaml
Expand Up @@ -12,13 +12,21 @@ metadata:
spec:
type: {{ .Values.service.type }}
ports:
{{- if not .Values.server.config.https.only }}
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
{{- if .Values.service.nodePort }}
nodePort: {{ .Values.service.nodePort }}
{{- end }}
{{- end }}
{{- if .Values.server.config.https.enabled }}
- port: {{ .Values.service.tlsPort }}
targetPort: https
protocol: TCP
name: https
{{- end }}
{{- if $coordinatorJmx.exporter.enabled }}
- port: {{ $coordinatorJmx.exporter.port }}
targetPort: jmx-exporter
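Review bot: only the `http` port honours `.Values.service.nodePort`; the new `https` port has no equivalent, so a `NodePort` service with `https.only` gets a random node port and there is no way to pin it. Add a `service.tlsNodePort` value (name is a suggestion) mirroring the http branch, e.g. `{{- if .Values.service.tlsNodePort }} nodePort: {{ .Values.service.tlsNodePort }} {{- end }}`.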