[scalardb-cluster] Support cert-manager in ScalarDB Cluster chart

[kota2and3kan]

Description

This PR updates ScalarDB Cluster chart to support cert-manager.

Please take a look!

Related issues and/or PRs

• https://github.com/scalar-labs/docs-internal-orchestration/pull/24
  • You can see the documents that describe how to use these new features in this PR.
• [envoy] Support cert-manager in Scalar Envoy chart #262
  • If you use self-signed CA, this chart deploy self-signed CA. And, Scalar Envoy chart refer it to generate certificate for Envoy.

Changes made

Mainly, this PR adds/updates the following features (manifests):

1. Deploy a Certificate resource for cert-manager by using charts/scalardb-cluster/templates/scalardb-cluster/certmanager.yaml.

2. Deploy self-signed CA and create certificate for ScalarDB Cluster if you don't specify any Issuer resources in issuerRef configuration.

   • If you deploy Scalar Envoy as a sub chart of this ScalarDB Cluster chart without issuerRef configuration, the Envoy chart will use self-signed CA that is deployed by this chart to create certificate for Envoy.

   [ScalarDB Cluster chart (this chart)] ---(Deploy)---> [Issuer (self-signed CA)] <---(Refer via issuerRef configuration)--- [Certificate resource] <---(Deploy)--- [Envoy chart]
   

3. Update deployment.spec.template.spec.volumes and deployment.spec.template.spec.containers.volumeMounts to remove subPath configuration.

   • Cert-manager creates a secret resource that includes private key and certificate, and we use them by mounting them on pods. And, cert-manager automatically renew (update) the certificate in the secret resource before the certificate will be expired. However, if we use subPath to specify the mounted file name, Kubernetes does not apply the changes of the secret resource. So, to take advantage of cert-manager's automatically renew feature, we should not use subPath. This is because I removed subPath from the volumeMounts configuration.

4. Update file names of private key and certificate.

   • From the perspective of cert-manager specification (strictly, TLS Secrets specification of Kubernetes), we must use the fixed names for private key and certificate files. This is because cert-manager creates a secret resource that includes private key and certificate files with fixed names based on the TLS Secrets specification. So, I updated the file names in existing manifests.
     • cert.pem -> tls.crt
     • key.pem -> tls.key
     • ca.pem -> ca.crt

Checklist

• I have commented my code, particularly in hard-to-understand areas.
• I have updated the documentation to reflect the changes.
• Any remaining open issues linked to this PR are documented and up-to-date (Jira, GitHub, etc.).
• Tests (unit, integration, etc.) have been added for the changes.
• My changes generate no new warnings.
• Any dependent changes in other PRs have been merged and published.

Additional notes (optional)

N/A

Release notes

Support cert-manager in ScalarDB Cluster chart. You can manage private key and certificate for TLS connections by using cert-manager.

[kota2and3kan]

If you don't specify Issuer in the issurRef configuration, this chart deploys self-signed CA to generate certificates.

If you specify the issuerRef configuration, this chart doesn't deploy self-signed CA.

[kota2and3kan]

If you specify issuerRef, this chart uses that configuration in the Certificate resource. If you don't specify issuerRef, this chart uses a self-signed CA that is deployed by this chart.

[kota2and3kan]

When you enable TLS, the -tls-ca-cert option is mandatory. In other words, {{- if .Values.scalardbCluster.tls.caRootCertSecret }} does not make sense. So, I removed that unnecessary condition.

[kota2and3kan]

I combine all private keys and certificates into one volume to remove the subPath configuration.

[kota2and3kan]

If you use cert-manager, it creates one secret resource that includes all private keys and certificates. So, it's enough to mount that one secret here.

[kota2and3kan]

If you don't use cert-manager (and you want to manage each file separately), you have to create three secrets for the private key, certificate, and CA certificate.

In this case, I want to combine them into one volume to mount them easily under the same directory in the container. So, I use projected volume here.

[kota2and3kan]

I set localhost as a default value of the dnsNames. This is because:

• The grpc_health_probe command accesses ScalarDB Cluster by specifying localhost like -addr=localhost:60053.
• The grpc_health_probe command verifies the certificate by using Subject Alternative Name (SAN) instead of Common Name (CN) of the certificate. In other words, at least one SAN configuration is necessary. (I will update the document in another PR.)

[komamitsu]

LGTM! 👍
I didn't thoroughly review it, though.

[brfrn169]

LGTM! Thank you!

[feeblefakie]

LGTM! Thank you!