redpanda-data / helm-charts

Redpanda Helm Chart
http://redpanda.com
Apache License 2.0

Add support for Certificate Revocation Lists (CRL) #1429

Open JakeSCahill opened 1 month ago

JakeSCahill commented 1 month ago

What would you like to be added?

In 24.2, Redpanda will support Certificate Revocation Lists (CRLs) for TLS-encrypted connections. To support CRLs in the Helm chart, we require some changes.

Changes Required

Update values.yaml to add new fields under the tls section for each listener to specify the CRL paths. For example:

tls:
  enabled: true
  certs:
    default:
      caEnabled: true
    external:
      caEnabled: true

  # Global CRL field
  crlFile:
    secretKeyRef:
      key:
      name:

listeners:
  admin:
    port: 9644
    tls:
      cert: default
      requireClientAuth: false
      crlFile:
        secretKeyRef:
          key:
          name:
    external:
      default:
        port: 9645
        tls:
          cert: external
          crlFile:
            secretKeyRef:
              key:
              name:
  kafka:
    port: 9093
    authenticationMethod: "sasl"
    tls:
      cert: default
      requireClientAuth: false
      crlFile:
        secretKeyRef:
          key:
          name:
    external:
      default:
        port: 9094
        tls:
          cert: external
          crlFile:
            secretKeyRef:
              key:
              name:

  # Other listeners...

Why is this needed?

To support the new CRL crl_file field in Redpanda >=24.2.

JIRA Link: K8S-298

chrisseto commented 1 month ago

I would lean toward following the same pattern as truststore_file: https://github.com/redpanda-data/helm-charts/pull/1373/files#diff-9816759f5552bf9796d055b4dd5bb21fe21633582b33349ba828ac5d4092ffe2R422-R426

JakeSCahill commented 1 month ago

Updated the example to reflect the same pattern as truststore_file.