From 6b9207e27cbd88e0c8f978875b4e4dd1cd016fee Mon Sep 17 00:00:00 2001 From: tangyatsu Date: Wed, 5 Feb 2025 20:27:46 +0300 Subject: [PATCH] [perforator][helm] move ca.crt to storage secret and add support for custom certs commit_hash:36abf6526cb02f16308e862d1d45953c0a84147e --- .../kubernetes/helm/perforator/Chart.yaml | 2 +- .../helm/perforator/config/agent.yaml | 2 +- .../helm/perforator/config/storage.yaml | 4 +- .../helm/perforator/templates/_helpers.tpl | 50 +++++++++++++++++-- .../perforator/templates/agent/daemonset.yaml | 14 ++++-- .../perforator/templates/internal/tls.yaml | 10 +--- .../templates/storage/deployment.yaml | 6 +-- .../kubernetes/helm/perforator/values.yaml | 13 +++++ perforator/deploy/kubernetes/helm/releases.md | 8 +++ 9 files changed, 84 insertions(+), 25 deletions(-) diff --git a/perforator/deploy/kubernetes/helm/perforator/Chart.yaml b/perforator/deploy/kubernetes/helm/perforator/Chart.yaml index 096f3e73f..5c96cc994 100644 --- a/perforator/deploy/kubernetes/helm/perforator/Chart.yaml +++ b/perforator/deploy/kubernetes/helm/perforator/Chart.yaml @@ -15,7 +15,7 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.2.2 +version: 0.2.3 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to diff --git a/perforator/deploy/kubernetes/helm/perforator/config/agent.yaml b/perforator/deploy/kubernetes/helm/perforator/config/agent.yaml index d96eae312..d3ef4e1e8 100644 --- a/perforator/deploy/kubernetes/helm/perforator/config/agent.yaml +++ b/perforator/deploy/kubernetes/helm/perforator/config/agent.yaml 
@@ -6,7 +6,7 @@ process_discovery: egress: interval: "1m" storage: - ca_cert_path: {{ include "perforator.storage.certificateAuthorityPath" . }} + ca_cert_path: {{ include "perforator.storage.tlsCACert" . }} host: {{ include "perforator.storage.host" . }} upload_scheduler: max_opened_binaries_queue: 20 diff --git a/perforator/deploy/kubernetes/helm/perforator/config/storage.yaml b/perforator/deploy/kubernetes/helm/perforator/config/storage.yaml index df3ae8ad7..706ec2bc9 100644 --- a/perforator/deploy/kubernetes/helm/perforator/config/storage.yaml +++ b/perforator/deploy/kubernetes/helm/perforator/config/storage.yaml @@ -35,8 +35,8 @@ storage: bucket: {{ .Values.databases.s3.buckets.binaries }} microscope: "postgres" tls: - certificate_file: "/etc/perforator/certificates/tls.crt" - key_file: "/etc/perforator/certificates/tls.key" + certificate_file: {{ include "perforator.storage.tlsCert" . }} + key_file: {{ include "perforator.storage.tlsCertKey" . }} microscope_puller: pull_interval: "30s" pull_batch_size: 1000 diff --git a/perforator/deploy/kubernetes/helm/perforator/templates/_helpers.tpl b/perforator/deploy/kubernetes/helm/perforator/templates/_helpers.tpl index f20e7712d..8c1269f0c 100644 --- a/perforator/deploy/kubernetes/helm/perforator/templates/_helpers.tpl +++ b/perforator/deploy/kubernetes/helm/perforator/templates/_helpers.tpl 
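Review bot: The new `ca_cert_path` value is rendered unquoted, and `perforator.storage.tlsCACert` returns an empty string when `autoGenerated` is off and no `certCAFilename` is set, so the agent config then contains a bare `ca_cert_path:` that YAML reads as null rather than `""`. Whether the agent treats null the same as an empty path (system trust store, per the values.yaml comment) is not visible here; quoting the value makes the rendered config unambiguous: `ca_cert_path: {{ include "perforator.storage.tlsCACert" . | quote }}`. A short template comment that an empty path deliberately means "verify against the system CA bundle" would also help, since that is the weaker of the two modes when the storage certificate comes from a private CA.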
@@ -145,6 +145,52 @@ key: {{ .Values.databases.clickhouse.secretKey }} {{- end }} {{- end }} +{{/* +//////////////////////////////////////////////////////////////////////////////////////////// +*/}} + +{{- define "perforator.storage.tlsSecretName" -}} +{{- if .Values.storageAgentTLS.autoGenerated -}} + {{- printf "%s-storage-crt" (include "perforator.fullname" .) -}} +{{- else -}} + {{- required "Existing secret with certificates must be specified when autoGenerated option is turned off" .Values.storageAgentTLS.storage.existingSecret | printf "%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the perforator storage cert file. +*/}} +{{- define "perforator.storage.tlsCert" -}} +{{- if .Values.storageAgentTLS.autoGenerated -}} + {{- printf "/etc/perforator/certificates/%s" "tls.crt" -}} +{{- else -}} + {{- required "Certificate filename must be specified when autoGenerated option is turned off" .Values.storageAgentTLS.storage.certFilename | printf "/etc/perforator/certificates/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the perforator storage cert key file. +*/}} +{{- define "perforator.storage.tlsCertKey" -}} +{{- if .Values.storageAgentTLS.autoGenerated -}} + {{- printf "/etc/perforator/certificates/%s" "tls.key" -}} +{{- else -}} + {{- required "Certificate Key filename must be specified when autoGenerated option is turned off" .Values.storageAgentTLS.storage.certKeyFilename | printf "/etc/perforator/certificates/%s" -}} +{{- end -}} +{{- end -}} + +{{/* +Return the path to the CA cert file signing the perforator storage cert. 
+*/}} +{{- define "perforator.storage.tlsCACert" -}} +{{- if .Values.storageAgentTLS.autoGenerated -}} + {{- printf "/etc/perforator/certificates/%s" "ca.crt" -}} +{{- else if .Values.storageAgentTLS.storage.certCAFilename -}} + {{- printf "/etc/perforator/certificates/%s" .Values.storageAgentTLS.storage.certCAFilename -}} +{{- else -}} + {{- printf "" -}} +{{- end -}} +{{- end -}} {{/* //////////////////////////////////////////////////////////////////////////////////////////// @@ -166,10 +212,6 @@ key: {{ .Values.databases.clickhouse.secretKey }} {{ printf "%s-storage-service" (include "perforator.fullname" .) }} {{- end }} -{{- define "perforator.storage.certificateAuthorityPath" -}} -{{ printf "%s/%s" (.Values.agent.mounts.certificate) "ca.crt" }} -{{- end }} - {{/* //////////////////////////////////////////////////////////////////////////////////////////// */}} diff --git a/perforator/deploy/kubernetes/helm/perforator/templates/agent/daemonset.yaml b/perforator/deploy/kubernetes/helm/perforator/templates/agent/daemonset.yaml index 1ab700f5b..ac391330e 100644 --- a/perforator/deploy/kubernetes/helm/perforator/templates/agent/daemonset.yaml +++ b/perforator/deploy/kubernetes/helm/perforator/templates/agent/daemonset.yaml @@ -74,8 +74,10 @@ spec: mountPath: /sys - name: config mountPath: /etc/perforator - - name: ca-cert - mountPath: {{ .Values.agent.mounts.certificate }} + {{- if include "perforator.storage.tlsCACert" . }} + - name: storage-ca-cert + mountPath: "/etc/perforator/certificates" + {{- end }} {{- if .Values.agent.mounts.varlog }} - name: varlog mountPath: /var/log 
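Review bot: `perforator.storage.tlsCACert` has an undocumented third outcome — it yields an empty string when `autoGenerated` is false and `certCAFilename` is unset — and the agent DaemonSet uses exactly that emptiness to decide whether to mount the secret at all, so the header comment should state the contract, e.g. `Returns "" when no CA file is configured; callers treat "" as "use the system trust store" and skip the CA mount.` The trailing `{{- else -}} {{- printf "" -}}` branch is redundant (an `if`/`else if` with no `else` renders nothing) and can be dropped. Unlike `tlsCert` and `tlsCertKey`, this helper deliberately does not wrap the filename in `required`; a one-line comment saying so would stop a later reviewer from "fixing" it.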
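Review bot: The CA mount path is now hard-coded to `/etc/perforator/certificates`, which leaves `.Values.agent.mounts.certificate` as a dead value — its only remaining user, `perforator.storage.certificateAuthorityPath`, is deleted in this commit — unless it is also removed from values.yaml here; otherwise users who set it get no effect and no error. The mount is also now nested inside the `config` ConfigMap mount at `/etc/perforator`; kubelet supports nested volume mounts, but a comment such as `# nested under the /etc/perforator config mount on purpose` would make that intentional rather than accidental. The enclosing `volumeMounts` list starts before this hunk.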
@@ -103,9 +105,11 @@ spec: - name: config configMap: name: {{ include "perforator.fullname" . }}-agent-config - - name: ca-cert - configMap: - name: {{ include "perforator.fullname" . }}-storage-ca.crt + {{- if include "perforator.storage.tlsCACert" . }} + - name: storage-ca-cert + secret: + secretName: {{ include "perforator.storage.tlsSecretName" . }} + {{- end }} {{- if .Values.agent.mounts.varlog }} - name: varlog hostPath: diff --git a/perforator/deploy/kubernetes/helm/perforator/templates/internal/tls.yaml b/perforator/deploy/kubernetes/helm/perforator/templates/internal/tls.yaml index 3dd39dca6..a190bdfbc 100644 --- a/perforator/deploy/kubernetes/helm/perforator/templates/internal/tls.yaml +++ b/perforator/deploy/kubernetes/helm/perforator/templates/internal/tls.yaml @@ -2,18 +2,10 @@ {{- $storageCert := genSignedCert (printf "%s-storage-service" (include "perforator.fullname" .)) nil (list (printf "%s-storage-service" (include "perforator.fullname" .))) 3650 $ca }} {{- $storageSecretName := printf "%s-storage-crt" (include "perforator.fullname" .) }} apiVersion: v1 -data: - ca.crt: |- -{{ $ca.Cert | indent 4 }} -kind: ConfigMap -metadata: - name: {{ include "perforator.fullname" . }}-storage-ca.crt - namespace: {{ .Release.Namespace }} ---- -apiVersion: v1 data: tls.crt: {{ include "perforator.secrets.lookup" (dict "nameSpace" .Release.Namespace "secretName" $storageSecretName "key" "tls.crt" "defaultVal" $storageCert.Cert) }} tls.key: {{ include "perforator.secrets.lookup" (dict "nameSpace" .Release.Namespace "secretName" $storageSecretName "key" "tls.key" "defaultVal" $storageCert.Key) }} + ca.crt: {{ include "perforator.secrets.lookup" (dict "nameSpace" .Release.Namespace "secretName" $storageSecretName "key" "ca.crt" "defaultVal" $ca.Cert) }} kind: Secret metadata: name: {{ $storageSecretName }} 
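Review bot: The `storage-ca-cert` volume projects the whole storage TLS secret — which after this commit carries `tls.key` as well as `tls.crt` and `ca.crt` (see tls.yaml) — into every agent pod, whereas before only `ca.crt` was mounted from a ConfigMap. The agent DaemonSet runs on every node with `/sys` mounted, so the storage server's private key becomes readable from any agent pod and by anyone who can `kubectl exec` into one, even though the agent only needs the CA. Restrict the projection with `items` to the CA key (`base` of the CA path gives the filename in both the auto-generated and custom cases); the same restriction applies when the secret is a user-supplied `existingSecret`. The enclosing `volumes` list starts before this hunk.
```yaml
      {{- if include "perforator.storage.tlsCACert" . }}
      - name: storage-ca-cert
        secret:
          secretName: {{ include "perforator.storage.tlsSecretName" . }}
          # project only the CA: the agent must never see the server's tls.key
          items:
            - key: {{ base (include "perforator.storage.tlsCACert" .) }}
              path: {{ base (include "perforator.storage.tlsCACert" .) }}
      {{- end }}
```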
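Review bot: On an upgrade from 0.2.2 the existing `-storage-crt` secret holds `tls.crt`/`tls.key` but no `ca.crt`, so the new `ca.crt` lookup falls back to `$ca.Cert` — a CA generated fresh on this render (`$ca` is defined above the hunk) that did not sign the reused `tls.crt` — while the ConfigMap that held the original CA is deleted in the same hunk. Agents would then fail to verify the storage certificate until the secret is deleted and regenerated, and neither the template nor the 0.2.3 release notes mention this. Either fall back to the legacy ConfigMap before the fresh CA, e.g. `{{- $legacyCA := dig "data" "ca.crt" "" (lookup "v1" "ConfigMap" .Release.Namespace (printf "%s-storage-ca.crt" (include "perforator.fullname" .))) }}` and pass `"defaultVal" (default $ca.Cert $legacyCA)`, or regenerate all three keys together whenever any one is missing; the exact form depends on `perforator.secrets.lookup`, which is not shown in this diff.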
diff --git a/perforator/deploy/kubernetes/helm/perforator/templates/storage/deployment.yaml b/perforator/deploy/kubernetes/helm/perforator/templates/storage/deployment.yaml index a46d4a0df..db960f5b5 100644 --- a/perforator/deploy/kubernetes/helm/perforator/templates/storage/deployment.yaml +++ b/perforator/deploy/kubernetes/helm/perforator/templates/storage/deployment.yaml @@ -66,7 +66,7 @@ spec: - containerPort: {{ .Values.storage.containerPorts.metrics }} name: metrics volumeMounts: - - name: storage-cert + - name: storage-tls mountPath: "/etc/perforator/certificates" - name: storage-s3-keys mountPath: "/etc/perforator/s3" @@ -96,9 +96,9 @@ spec: valueFrom: secretKeyRef: {{ include "perforator.secretKeyRef.postgresql" . | nindent 14 }} volumes: - - name: storage-cert + - name: storage-tls secret: - secretName: {{ printf "%s-storage-crt" (include "perforator.fullname" .) }} + secretName: {{ include "perforator.storage.tlsSecretName" . }} - name: storage-s3-keys secret: secretName: {{ include "perforator.secretName.s3" . }} diff --git a/perforator/deploy/kubernetes/helm/perforator/values.yaml b/perforator/deploy/kubernetes/helm/perforator/values.yaml index a5876f7bb..147558d2f 100644 --- a/perforator/deploy/kubernetes/helm/perforator/values.yaml +++ b/perforator/deploy/kubernetes/helm/perforator/values.yaml @@ -73,6 +73,19 @@ databases: # Root certificate for SSL ca_cert_path: null +storageAgentTLS: + # Automatically generate self-signed TLS certificate. + autoGenerated: true + storage: + # The name of the existing secret to get TLS perforator storage certificates from. + existingSecret: "" + # Certificate filename in the existing secret. + certFilename: "" + # Certificate key filename in the existing secret. + certKeyFilename: "" + # CA Certificate filename in the existing secret to be trusted by agent. If empty agent will use system trusted CAs. + certCAFilename: "" + agent: config: # Create a new user provided config for the agent. 
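Review bot: `certFilename` and `certKeyFilename` default to empty and are then gated by `required`, so every custom-secret user must spell out names that are almost always `tls.crt` and `tls.key` — the keys a `kubernetes.io/tls` secret (e.g. one issued by cert-manager) carries by convention, alongside `ca.crt`. Defaulting them, `certFilename: "tls.crt"` and `certKeyFilename: "tls.key"`, keeps `existingSecret` as the only mandatory value and lets cert-manager-issued secrets work unchanged. The comment on `certCAFilename` should also spell out the consequence of leaving it empty: the agent then trusts whatever CAs are in its container image's system bundle, so a certificate from a private CA must set it, and the value is the key name inside the secret rather than a path.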
diff --git a/perforator/deploy/kubernetes/helm/releases.md b/perforator/deploy/kubernetes/helm/releases.md
index ec3bc08ca..ed6fb68f1 100644
--- a/perforator/deploy/kubernetes/helm/releases.md
+++ b/perforator/deploy/kubernetes/helm/releases.md
@@ -1,3 +1,11 @@
+# 0.2.3
+
+Fixes:
++ Fix CA certificate recreating on helm upgrade
+
+Enhancements:
++ Support custom CA for agent-storage communication
+
 # 0.2.2
 
 Enhancements: