[scalardb-cluster] Support Encryption in ScalarDB Cluster chart (#274)

charts/scalardb-cluster/README.md

@@ -29,6 +29,12 @@ Current chart version is `2.0.0-SNAPSHOT`
 | global.platform | string | `""` | Specify the platform that you use. This configuration is for internal use. |
 | nameOverride | string | `""` | String to partially override scalardb-cluster.fullname template (will maintain the release name) |
 | scalardbCluster.affinity | object | `{}` | The affinity/anti-affinity feature, greatly expands the types of constraints you can express. |
+| scalardbCluster.encryption.enabled | bool | `false` | Enable encryption at rest. You must set this to `true` if you're using the encryption feature in ScalarDB Cluster. |
+| scalardbCluster.encryption.type | string | `""` | Type of encryption. You must set this value to the same value as "scalar.db.cluster.encryption.type" for ScalarDB Cluster. |
+| scalardbCluster.encryption.vault | object | `{"tls":{"caRootCertSecret":"","enabled":false}}` | Vault-specific configurations. |
+| scalardbCluster.encryption.vault.tls | object | `{"caRootCertSecret":"","enabled":false}` | TLS configurations to provide access from ScalarDB Cluster to Vault by using TLS. If you're using HashiCorp Cloud Platform (HCP) Vault Dedicated, you don't need to set these TLS configurations because HCP Vault Dedicated uses a trusted, well-known CA and ScalarDB Cluster can validate the certificate that is provided by HCP Vault Dedicated. You need to set these TLS configurations only if you need to set a custom CA root certificate, for example, you're using your private CA together with HashiCorp Vault deployments other than HCP Vault Dedicated, like a self-hosted HashiCorp Vault. |
+| scalardbCluster.encryption.vault.tls.caRootCertSecret | string | `""` | Name of the Secret containing the custom CA root certificate for TLS communication between ScalarDB Cluster and Vault. The certificate file will be mounted under the `/encryption/vault/tls/certs/` directory in the ScalarDB Cluster pod. |
+| scalardbCluster.encryption.vault.tls.enabled | bool | `false` | Enable TLS between ScalarDB Cluster and Vault. Note that you must enable the TLS feature on the Vault side. |
 | scalardbCluster.extraVolumeMounts | list | `[]` | Defines additional volume mounts. If you want to get a heap dump of the ScalarDB Cluster node, you need to mount a volume to make the dump file persistent. |
 | scalardbCluster.extraVolumes | list | `[]` | Defines additional volumes. If you want to get a heap dump of the ScalarDB Cluster node, you need to mount a volume to make the dump file persistent. |
 | scalardbCluster.grafanaDashboard.enabled | bool | `false` | Enable grafana dashboard. |

charts/scalardb-cluster/templates/scalardb-cluster/deployment.yaml

@@ -59,6 +59,10 @@ spec:
             value: {{ include "scalardb-cluster.fullname" . }}-headless
           - name: SCALAR_DB_CLUSTER_LOG_LEVEL
             value: "{{ .Values.scalardbCluster.logLevel }}"
+          {{- if and (.Values.scalardbCluster.encryption.enabled) (eq .Values.scalardbCluster.encryption.type "self") }}
+          - name: SCALAR_DB_CLUSTER_ENCRYPTION_SELF_KUBERNETES_SECRET_NAMESPACE_NAME
+            value: {{ .Release.Namespace }}
+          {{- end }}
           {{- if .Values.scalardbCluster.secretName }}
           envFrom:
           - secretRef:
@@ -104,6 +108,10 @@ spec:
             - name: scalardb-cluster-tls-volume
               mountPath: /tls/scalardb-cluster/certs
             {{- end }}
+            {{- if and (.Values.scalardbCluster.encryption.enabled) (eq .Values.scalardbCluster.encryption.type "vault") (.Values.scalardbCluster.encryption.vault.tls.enabled) }}
+            - name: scalardb-cluster-encryption-vault-tls-volume
+              mountPath: /encryption/vault/tls/certs
+            {{- end }}
           {{- with .Values.scalardbCluster.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
           {{- end }}
@@ -127,6 +135,11 @@ spec:
               - secret:
                   name: {{ .Values.scalardbCluster.tls.privateKeySecret }}
         {{- end }}
+        {{- if and (.Values.scalardbCluster.encryption.enabled) (eq .Values.scalardbCluster.encryption.type "vault") (.Values.scalardbCluster.encryption.vault.tls.enabled) }}
+        - name: scalardb-cluster-encryption-vault-tls-volume
+          secret:
+            secretName: {{ .Values.scalardbCluster.encryption.vault.tls.caRootCertSecret }}
+        {{- end }}
       {{- with .Values.scalardbCluster.extraVolumes }}
         {{- toYaml . | nindent 8 }}
       {{- end }}

charts/scalardb-cluster/templates/scalardb-cluster/role.yaml

@@ -7,3 +7,8 @@ rules:
   - apiGroups: [""]
     resources: ["endpoints"]
     verbs: ["get", "watch", "list"]
+  {{- if and (.Values.scalardbCluster.encryption.enabled) (eq .Values.scalardbCluster.encryption.type "self") }}
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "delete"]
+  {{- end }}

charts/scalardb-cluster/values.schema.json

@@ -117,6 +117,33 @@
                 "affinity": {
                     "type": "object"
                 },
+                "encryption": {
+                    "type": "object",
+                    "properties": {
+                        "enabled": {
+                            "type": "boolean"
+                        },
+                        "type": {
+                            "type": "string"
+                        },
+                        "vault": {
+                            "type": "object",
+                            "properties": {
+                                "tls": {
+                                    "type": "object",
+                                    "properties": {
+                                        "caRootCertSecret": {
+                                            "type": "string"
+                                        },
+                                        "enabled": {
+                                            "type": "boolean"
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                },
                 "extraVolumeMounts": {
                     "type": "array"
                 },

charts/scalardb-cluster/values.yaml

@@ -334,3 +334,17 @@ scalardbCluster:
         - localhost
       # -- Issuer references of cert-manager.
       issuerRef: {}
+
+  encryption:
+    # -- Enable encryption at rest. You must set this to `true` if you're using the encryption feature in ScalarDB Cluster.
+    enabled: false
+    # -- Type of encryption. You must set this value to the same value as "scalar.db.cluster.encryption.type" for ScalarDB Cluster.
+    type: ""
+    # -- Vault-specific configurations.
+    vault:
+      # -- TLS configurations to provide access from ScalarDB Cluster to Vault by using TLS. If you're using HashiCorp Cloud Platform (HCP) Vault Dedicated, you don't need to set these TLS configurations because HCP Vault Dedicated uses a trusted, well-known CA and ScalarDB Cluster can validate the certificate that is provided by HCP Vault Dedicated. You need to set these TLS configurations only if you need to set a custom CA root certificate, for example, you're using your private CA together with HashiCorp Vault deployments other than HCP Vault Dedicated, like a self-hosted HashiCorp Vault.
+      tls:
+        # -- Enable TLS between ScalarDB Cluster and Vault. Note that you must enable the TLS feature on the Vault side.
+        enabled: false
+        # -- Name of the Secret containing the custom CA root certificate for TLS communication between ScalarDB Cluster and Vault. The certificate file will be mounted under the `/encryption/vault/tls/certs/` directory in the ScalarDB Cluster pod.
+        caRootCertSecret: ""