

cleanup TLS defintions
DylanGuedes committed Feb 23, 2024
1 parent 3f5f69e commit 5d54647
Showing 1 changed file with 84 additions and 217 deletions.
301 changes: 84 additions & 217 deletions tools/dev/k3d/environments/helm-cluster/values/loki-distributed-tls.yaml
@@ -1,4 +1,42 @@
---
common_client_crt: &common_client_crt /var/client-tls/tls.crt
common_client_key: &common_client_key /var/client-tls/tls.key
common_ca_crt: &common_ca_crt /var/root-tls/tls.crt
common_server_crt: &common_server_crt /var/tls/tls.crt
common_server_key: &common_server_key /var/tls/tls.key
common_ca_secret: &common_ca_secret ca-tls
common_client_secret: &common_client_secret client-tls
common_server_secret: &common_server_secret my-demo-app-tls

base_grpc_tls: &base_grpc_tls
tls_cert_path: *common_client_crt
tls_key_path: *common_client_key
tls_ca_path: *common_ca_crt

base_grpc_tls_with_server_name: &base_grpc_tls_with_server_name
tls_server_name: loki-memberlist
<<: *base_grpc_tls

base_extra_volume_mounts: &base_extra_volume_mounts
extraVolumeMounts:
- name: tls-cert
mountPath: /var/tls
- name: root-tls-cert
mountPath: /var/root-tls
- name: client-tls
mountPath: /var/client-tls

base_extra_volumes: &base_extra_volumes
extraVolumes:
- name: tls-cert
secret:
secretName: *common_server_secret
- name: root-tls-cert
secret:
secretName: *common_ca_secret
- name: client-tls
secret:
secretName: *common_client_secret

test:
enabled: false

Expand All @@ -14,9 +52,9 @@ monitoring:
logsInstance:
clients:
- name: loki
url: https://loki-gateway.default.svc.cluster.local/loki/api/v1/push
external_labels:
cluster: loki
url: https://loki-gateway.default.svc.cluster.local/loki/api/v1/push
tlsConfig:
insecureSkipVerify: false
cert:
Expand All @@ -40,28 +78,13 @@ monitoring:
labels:
release: "prometheus"
lokiCanary:
<<: *base_extra_volumes
<<: *base_extra_volume_mounts
extraArgs:
- -ca-file=/var/root-tls/tls.crt
- -cert-file=/var/tls/tls.crt
- -key-file=/var/tls/tls.key
- -tls=true
extraVolumeMounts:
- name: tls-cert
mountPath: /var/tls
- name: root-tls-cert
mountPath: /var/root-tls
- name: client-tls
mountPath: /var/client-tls
extraVolumes:
- name: tls-cert
secret:
secretName: my-demo-app-tls
- name: root-tls-cert
secret:
secretName: ca-tls
- name: client-tls
secret:
secretName: client-tls
minio:
enabled: true
backend:
Expand All @@ -74,6 +97,8 @@ singleBinary:
replicas: 0

gateway:
<<: *base_extra_volume_mounts
<<: *base_extra_volumes
readinessProbe:
httpGet:
path: /
Expand All @@ -94,182 +119,53 @@ gateway:
ssl_trusted_certificate /var/root-tls/tls.crt;
server_name loki-memberlist;
schema: https
extraVolumeMounts:
- name: tls-cert
mountPath: /var/tls
- name: root-tls-cert
mountPath: /var/root-tls
- name: client-tls
mountPath: /var/client-tls
extraVolumes:
- name: tls-cert
secret:
secretName: my-demo-app-tls
- name: root-tls-cert
secret:
secretName: ca-tls
- name: client-tls
secret:
secretName: client-tls

compactor:
replicas: 1
enabled: true
extraVolumeMounts:
- name: tls-cert
mountPath: /var/tls
- name: root-tls-cert
mountPath: /var/root-tls
- name: client-tls
mountPath: /var/client-tls
extraVolumes:
- name: tls-cert
secret:
secretName: my-demo-app-tls
- name: root-tls-cert
secret:
secretName: ca-tls
- name: client-tls
secret:
secretName: client-tls
<<: *base_extra_volume_mounts
<<: *base_extra_volumes

distributor:
replicas: 1
extraVolumeMounts:
- name: tls-cert
mountPath: /var/tls
- name: root-tls-cert
mountPath: /var/root-tls
- name: client-tls
mountPath: /var/client-tls
extraVolumes:
- name: tls-cert
secret:
secretName: my-demo-app-tls
- name: root-tls-cert
secret:
secretName: ca-tls
- name: client-tls
secret:
secretName: client-tls
<<: *base_extra_volume_mounts
<<: *base_extra_volumes

indexGateway:
replicas: 1
enabled: true
extraVolumeMounts:
- name: tls-cert
mountPath: /var/tls
- name: root-tls-cert
mountPath: /var/root-tls
- name: client-tls
mountPath: /var/client-tls
extraVolumes:
- name: tls-cert
secret:
secretName: my-demo-app-tls
- name: root-tls-cert
secret:
secretName: ca-tls
- name: client-tls
secret:
secretName: client-tls
<<: *base_extra_volume_mounts
<<: *base_extra_volumes

ingester:
replicas: 3
maxUnavailable: 1
extraVolumeMounts:
- name: tls-cert
mountPath: /var/tls
- name: root-tls-cert
mountPath: /var/root-tls
- name: client-tls
mountPath: /var/client-tls
extraVolumes:
- name: tls-cert
secret:
secretName: my-demo-app-tls
- name: root-tls-cert
secret:
secretName: ca-tls
- name: client-tls
secret:
secretName: client-tls
<<: *base_extra_volume_mounts
<<: *base_extra_volumes

querier:
replicas: 3
maxUnavailable: 1
extraVolumeMounts:
- name: tls-cert
mountPath: /var/tls
- name: root-tls-cert
mountPath: /var/root-tls
- name: client-tls
mountPath: /var/client-tls
extraVolumes:
- name: tls-cert
secret:
secretName: my-demo-app-tls
- name: root-tls-cert
secret:
secretName: ca-tls
- name: client-tls
secret:
secretName: client-tls
<<: *base_extra_volume_mounts
<<: *base_extra_volumes

queryFrontend:
replicas: 1
extraVolumeMounts:
- name: tls-cert
mountPath: /var/tls
- name: root-tls-cert
mountPath: /var/root-tls
- name: client-tls
mountPath: /var/client-tls
extraVolumes:
- name: tls-cert
secret:
secretName: my-demo-app-tls
- name: root-tls-cert
secret:
secretName: ca-tls
- name: client-tls
secret:
secretName: client-tls
<<: *base_extra_volume_mounts
<<: *base_extra_volumes

queryScheduler:
replicas: 2
enabled: true
extraVolumeMounts:
- name: tls-cert
mountPath: /var/tls
- name: root-tls-cert
mountPath: /var/root-tls
- name: client-tls
mountPath: /var/client-tls
extraVolumes:
- name: tls-cert
secret:
secretName: my-demo-app-tls
- name: root-tls-cert
secret:
secretName: ca-tls
- name: client-tls
secret:
secretName: client-tls
<<: *base_extra_volume_mounts
<<: *base_extra_volumes

ruler:
replicas: 1
enabled: true
extraVolumeMounts:
- name: tls-cert
mountPath: /var/tls
- name: root-tls-cert
mountPath: /var/root-tls
- name: client-tls
mountPath: /var/client-tls
extraVolumes:
- name: tls-cert
secret:
secretName: my-demo-app-tls
- name: root-tls-cert
secret:
secretName: ca-tls
- name: client-tls
secret:
secretName: client-tls
<<: *base_extra_volume_mounts
<<: *base_extra_volumes

loki:
schemaConfig:
configs:
Expand All @@ -291,76 +187,47 @@ loki:
server:
log_level: debug
http_tls_config:
cert_file: /var/tls/tls.crt
key_file: /var/tls/tls.key
cert_file: *common_server_crt
key_file: *common_server_key
client_ca_file: *common_ca_crt
client_auth_type: VerifyClientCertIfGiven
client_ca_file: /var/root-tls/tls.crt
grpc_tls_config:
cert_file: /var/tls/tls.crt
key_file: /var/tls/tls.key
cert_file: *common_server_crt
key_file: *common_server_key
client_ca_file: *common_ca_crt
client_auth_type: VerifyClientCertIfGiven
client_ca_file: /var/root-tls/tls.crt
ingester_client:
grpc_client_config:
<<: *base_grpc_tls_with_server_name
tls_enabled: true
tls_cert_path: /var/client-tls/tls.crt
tls_key_path: /var/client-tls/tls.key
tls_ca_path: /var/root-tls/tls.crt
tls_server_name: loki-memberlist
query_scheduler:
grpc_client_config:
<<: *base_grpc_tls_with_server_name
tls_enabled: true
tls_cert_path: /var/client-tls/tls.crt
tls_key_path: /var/client-tls/tls.key
tls_ca_path: /var/root-tls/tls.crt
tls_server_name: loki-memberlist
frontend:
tail_tls_config:
tls_cert_path: /var/client-tls/tls.crt
tls_key_path: /var/client-tls/tls.key
tls_ca_path: /var/root-tls/tls.crt
tls_server_name: loki-memberlist
<<: *base_grpc_tls_with_server_name
grpc_client_config:
<<: *base_grpc_tls_with_server_name
tls_enabled: true
tls_cert_path: /var/client-tls/tls.crt
tls_key_path: /var/client-tls/tls.key
tls_ca_path: /var/root-tls/tls.crt
tls_server_name: loki-memberlist
storage_config:
tsdb_shipper:
index_gateway_client:
grpc_client_config:
<<: *base_grpc_tls_with_server_name
tls_enabled: true
tls_cert_path: /var/client-tls/tls.crt
tls_key_path: /var/client-tls/tls.key
tls_ca_path: /var/root-tls/tls.crt
tls_server_name: loki-memberlist
frontend_worker:
grpc_client_config:
<<: *base_grpc_tls_with_server_name
tls_enabled: true
tls_cert_path: /var/client-tls/tls.crt
tls_key_path: /var/client-tls/tls.key
tls_ca_path: /var/root-tls/tls.crt
tls_server_name: loki-memberlist
memberlist:
bind_addr:
- 0.0.0.0
<<: *base_grpc_tls_with_server_name
tls_enabled: true
tls_cert_path: /var/tls/tls.crt
tls_key_path: /var/tls/tls.key
tls_ca_path: /var/root-tls/tls.crt
tls_server_name: loki-memberlist
ruler:
ruler_client:
<<: *base_grpc_tls_with_server_name
tls_enabled: true
tls_cert_path: /var/client-tls/tls.crt
tls_key_path: /var/client-tls/tls.key
tls_ca_path: /var/root-tls/tls.crt
tls_server_name: loki-memberlist
evaluation:
query_frontend:
tls_enabled: true
tls_cert_path: /var/client-tls/tls.crt
tls_key_path: /var/client-tls/tls.key
tls_ca_path: /var/root-tls/tls.crt
tls_server_name: loki-memberlist
<<: *base_grpc_tls_with_server_name
tls_enabled: true
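Review bot: The `memberlist` stanza now merges `base_grpc_tls_with_server_name`, so it presents the client certificate (`/var/client-tls/tls.crt`, via `*common_client_crt`) where the lines it replaces used the server certificate (`/var/tls/tls.crt`); that is a change of identity, not just a cleanup. Memberlist peers act as both server and client for each other and verify the remote side against `tls_server_name: loki-memberlist`, so unless the client cert also carries that SAN and a serverAuth EKU (not visible here) the gossip handshakes will fail. Restore the previous identity by overriding the merged keys after the alias, i.e. add `tls_cert_path: *common_server_crt` and `tls_key_path: *common_server_key` directly under `<<: *base_grpc_tls_with_server_name` in `memberlist` (explicit keys win over merged ones). Separately, the component blocks (lokiCanary, gateway, compactor, …) use two `<<:` keys in one mapping; the spec form for merging several anchors is `<<: [*base_extra_volume_mounts, *base_extra_volumes]`, which avoids duplicate-key errors on stricter parsers. Pre-existing rather than introduced here, but worth a comment: `client_auth_type: VerifyClientCertIfGiven` on both the HTTP and gRPC listeners makes the mounted client certs optional, so this setup does not actually enforce mTLS.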
