From 14301b6e7e9ffdf4564c6346a00d930d431f35cd Mon Sep 17 00:00:00 2001 From: Maciej Pasternacki Date: Wed, 15 Nov 2023 19:50:35 +0100 Subject: [PATCH 1/2] sentry: support TLS for Redis --- charts/sentry/Chart.yaml | 2 +- charts/sentry/templates/_helper.tpl | 11 +++++++++++ charts/sentry/templates/configmap-relay.yaml | 5 +++-- charts/sentry/templates/configmap-sentry.yaml | 9 +++++++-- charts/sentry/templates/configmap-snuba.yaml | 4 ++++ charts/sentry/values.yaml | 1 + 6 files changed, 27 insertions(+), 5 deletions(-) diff --git a/charts/sentry/Chart.yaml b/charts/sentry/Chart.yaml index 09c6dd7..5e58678 100644 --- a/charts/sentry/Chart.yaml +++ b/charts/sentry/Chart.yaml @@ -39,4 +39,4 @@ maintainers: - name: sentry-kubernetes name: sentry type: application -version: 19.4.0 +version: 19.4.0+1 diff --git a/charts/sentry/templates/_helper.tpl b/charts/sentry/templates/_helper.tpl index 19d495e..e20e501 100644 --- a/charts/sentry/templates/_helper.tpl +++ b/charts/sentry/templates/_helper.tpl @@ -275,6 +275,17 @@ Set redis port {{- end -}} {{- end -}} +{{/* +Set redis protocol (rediss for TLS, redis for plaintext) +*/}} +{{- define "sentry.redis.protocol" -}} +{{- if .Values.redis.enabled | ternary .Values.redis.tls.enabled .Values.externalRedis.tls -}} +rediss +{{- else -}} +redis +{{- end -}} +{{- end -}} + {{/* Set redis password */}} diff --git a/charts/sentry/templates/configmap-relay.yaml b/charts/sentry/templates/configmap-relay.yaml index 52713f8..59004d4 100644 --- a/charts/sentry/templates/configmap-relay.yaml +++ b/charts/sentry/templates/configmap-relay.yaml @@ -1,6 +1,7 @@ {{- $redisHost := include "sentry.redis.host" . -}} {{- $redisPort := include "sentry.redis.port" . -}} {{- $redisPass := include "sentry.redis.password" . -}} +{{- $redisProtocol := include "sentry.redis.protocol" . -}} apiVersion: v1 kind: ConfigMap metadata: 
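Review bot: In the new `sentry.redis.protocol` helper, `ternary` receives both `.Values.redis.tls.enabled` and `.Values.externalRedis.tls` as already-evaluated arguments, so the bundled-Redis path is dereferenced even when `redis.enabled` is false. This patch adds a default only for `externalRedis.tls` in values.yaml; if `.Values.redis.tls` is not defined in a given configuration (not visible here), rendering would presumably fail with a nil-pointer error instead of selecting a scheme. An explicit branch avoids that: `{{- $tls := .Values.externalRedis.tls -}}` followed by `{{- if .Values.redis.enabled }}{{- $tls = .Values.redis.tls.enabled }}{{- end -}}`, then test `$tls`. The two keys also differ in shape (`redis.tls.enabled` versus a bare boolean `externalRedis.tls`), which deserves a comment next to the new default in values.yaml.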
@@ -33,9 +34,9 @@ data: value: 50000000 # 50MB or bust {{- if $redisPass }} - redis: "redis://:{{ $redisPass }}@{{ $redisHost }}:{{ $redisPort }}" + redis: {{ $redisProtocol }}://:{{ $redisPass }}@{{ $redisHost }}:{{ $redisPort }}" {{- else }} - redis: "redis://{{ $redisHost }}:{{ $redisPort }}" + redis: {{ $redisProtocol }}://{{ $redisHost }}:{{ $redisPort }}" {{- end }} topics: metrics_transactions: ingest-performance-metrics diff --git a/charts/sentry/templates/configmap-sentry.yaml b/charts/sentry/templates/configmap-sentry.yaml index f345053..5517780 100644 --- a/charts/sentry/templates/configmap-sentry.yaml +++ b/charts/sentry/templates/configmap-sentry.yaml @@ -1,6 +1,8 @@ {{- $redisHost := include "sentry.redis.host" . -}} {{- $redisPort := include "sentry.redis.port" . -}} {{- $redisPass := include "sentry.redis.password" . -}} +{{- $redisProtocol := include "sentry.redis.protocol" . -}} +{{- $redisTls := eq "rediss" $redisProtocol -}} apiVersion: v1 kind: ConfigMap metadata: @@ -81,6 +83,9 @@ data: {{- if $redisPass }} password: {{ $redisPass | quote }} {{- end }} + {{- if $redisTls }} + ssl: true + {{- end }} ################ # File storage # @@ -211,9 +216,9 @@ data: {{- if or (.Values.rabbitmq.enabled) (.Values.rabbitmq.host) }} BROKER_URL = os.environ.get("BROKER_URL", "amqp://{{ .Values.rabbitmq.auth.username }}:{{ .Values.rabbitmq.auth.password }}@{{ template "sentry.rabbitmq.host" . }}:5672/{{ .Values.rabbitmq.vhost }}") {{- else if $redisPass }} - BROKER_URL = os.environ.get("BROKER_URL", "redis://:{{ $redisPass }}@{{ $redisHost }}:{{ $redisPort }}/0") + BROKER_URL = os.environ.get("BROKER_URL", "{{ $redisProtocol }}://:{{ $redisPass }}@{{ $redisHost }}:{{ $redisPort }}/0") {{- else }} - BROKER_URL = os.environ.get("BROKER_URL", "redis://{{ $redisHost }}:{{ $redisPort }}/0") + BROKER_URL = os.environ.get("BROKER_URL", "{{ $redisProtocol }}://{{ $redisHost }}:{{ $redisPort }}/0") {{- end }} ######### 
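Review bot: Both new `redis:` lines in configmap-relay.yaml lost the opening double quote but kept the closing one, so the rendered value is a plain scalar ending in a literal `"` and Relay would be handed a malformed URL (constructed example: `rediss://host:6379"`). Restore the quote on both branches: `redis: "{{ $redisProtocol }}://:{{ $redisPass }}@{{ $redisHost }}:{{ $redisPort }}"` and `redis: "{{ $redisProtocol }}://{{ $redisHost }}:{{ $redisPort }}"`. Without the quotes, a password containing ` #` or `: ` would also be truncated or misparsed by the YAML reader.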
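Review bot: The `ssl: true` added to the Redis options and the `rediss://` scheme now used in both `BROKER_URL` branches of configmap-sentry.yaml turn TLS on, but nothing in these hunks lets an operator supply a CA bundle or state the certificate-verification mode. Verification is therefore left to whatever the Redis client and the Celery broker transport default to, and a Redis endpoint signed by a private CA will presumably either fail to connect or push operators to relax verification outside the chart. Consider exposing the CA path and verification mode as chart values and documenting the behaviour beside the flag, for example `# TLS to Redis; certificate verification follows the client default (confirm and document it)`. The same applies to `REDIS_SSL = True` in configmap-snuba.yaml.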
diff --git a/charts/sentry/templates/configmap-snuba.yaml b/charts/sentry/templates/configmap-snuba.yaml index f4897c0..8150c0c 100644 --- a/charts/sentry/templates/configmap-snuba.yaml +++ b/charts/sentry/templates/configmap-snuba.yaml @@ -1,4 +1,5 @@ {{- $redisPass := include "sentry.redis.password" . -}} +{{- $redisTls := eq "rediss" (include "sentry.redis.protocol" .) -}} apiVersion: v1 kind: ConfigMap metadata: @@ -70,6 +71,9 @@ data: REDIS_PASSWORD = {{ $redisPass | quote }} {{- end }} REDIS_DB = int(env("REDIS_DB", 1)) + {{- if $redisTls }} + REDIS_SSL = True + {{- end }} {{- if .Values.metrics.enabled }} DOGSTATSD_HOST = "{{ template "sentry.fullname" . }}-metrics" diff --git a/charts/sentry/values.yaml b/charts/sentry/values.yaml index 8df0ecb..046fdbf 100644 --- a/charts/sentry/values.yaml +++ b/charts/sentry/values.yaml @@ -226,6 +226,7 @@ externalPostgresql: username: postgres externalRedis: port: 6379 + tls: false filestore: backend: filesystem filesystem: From 73e9259e8180102742e9a73b4fadebb56e0b7775 Mon Sep 17 00:00:00 2001 From: Maciej Pasternacki <52241383+maciejp-ro@users.noreply.github.com> Date: Wed, 15 Nov 2023 22:09:58 +0100 Subject: [PATCH 2/2] Sentry: use prerelease version suffix to try to calm the linter down --- charts/sentry/Chart.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/sentry/Chart.yaml b/charts/sentry/Chart.yaml index 5e58678..3e77460 100644 --- a/charts/sentry/Chart.yaml +++ b/charts/sentry/Chart.yaml @@ -39,4 +39,4 @@ maintainers: - name: sentry-kubernetes name: sentry type: application -version: 19.4.0+1 +version: 19.4.0-plural1