feat(chart): typed tls.* knob mounts mTLS Secret (#301) #411
Closes A13 in horizon roadmap by adding a first-class `tls.*` chart
surface so operators wire cert-manager-issued client/server material
without a custom DaemonSet patch overlay.
Knobs (additive; default OFF):
- tls.enabled — bool, default false
- tls.certificateRef — kubernetes.io/tls Secret name; required when
enabled (helm-template render fails closed
with a clear error otherwise)
- tls.mountPath — absolute dir; schema-validated `^/`;
default /etc/tracecore/tls
DaemonSet projects the Secret read-only (defaultMode 0400). The chart
does NOT inject `tls:` clauses into the rendered config — operators
wire `cert_file` / `key_file` / `ca_file` / `client_ca_file` via the
free-form `config:` block referencing the projected file literals.
cert-manager mTLS recipe (docs/integrations/cert-manager-mtls.md)
loses the "requires a patch overlay" workaround and gains an
aggregation-side example showing `client_ca_file` placement.
CI gates (.github/workflows/chart.yml): five-step falsifier suite
covering default-OFF render, fail-closed without ref, mount path
projection, custom mountPath, and schema rejection of relative paths.
NetworkPolicy template + opt-in `networkPolicy.enabled` (also #301)
shipped earlier in #338 and stays unchanged here.
Signed-off-by: Tri Lam <tri@maydow.com>
Independent Review: #411 — feat(chart): typed tls.* knob mounts mTLS Secret
Verdict: SHIP — No blockers found. Fail-closed gates work correctly, test coverage is thorough, and docs include the security-critical client_ca_file falsifier.
Key Findings
Non-blocking observations
Summary
Closes #301 by adding a first-class `tls.*` chart surface so operators wire cert-manager-issued mTLS material without a custom DaemonSet patch overlay. The NetworkPolicy half of the issue (opt-in `networkPolicy.enabled`) landed earlier in #338; this PR closes the remaining gap.
Knobs (additive; default OFF): `tls.enabled` (bool, default false), `tls.certificateRef` (kubernetes.io/tls Secret name; required when enabled — helm-template render fails closed with a clear error otherwise), `tls.mountPath` (absolute dir, schema-validated `^/`, default `/etc/tracecore/tls`).
The DaemonSet projects the Secret read-only (`defaultMode: 0400`); the chart does NOT inject `tls:` clauses into the rendered config — operators wire `cert_file` / `key_file` / `ca_file` / `client_ca_file` via the free-form `config:` block referencing the projected file literals.
`docs/integrations/cert-manager-mtls.md` loses the "requires a patch overlay" workaround and gains an aggregation-side example showing `client_ca_file` placement (the falsifier for silent one-way-TLS downgrade).
Root cause
Issue #301 lists `tls.enabled` and `tls.certificateRef` as required values knobs. The chart never shipped them — the cert-manager mTLS
recipe instead carried prose telling operators to "patch overlay" the
DaemonSet template, which is precisely the kind of friction the
chart-surface knob exists to eliminate. This PR fixes the root cause
(no typed knob) rather than refreshing the workaround prose.
Test plan
- `helm lint install/kubernetes/tracecore` — clean.
- `helm lint install/kubernetes/tracecore -f values-production.yaml` — clean.
- `helm template` default render — zero `tls` volumes.
- `helm template --set tls.enabled=true` — fails closed with operator-visible error naming `tls.certificateRef`.
- `helm template --set tls.enabled=true --set tls.certificateRef=foo` — projects `tls` Secret volume + `volumeMount` at default `/etc/tracecore/tls`, readOnly true, mode 0400.
- `helm template --set tls.mountPath=not-absolute` — schema rejects with `Does not match pattern '^/'`.
- `.github/workflows/chart.yml` render-job has a five-step falsifier suite covering all of the above.
- `make lint`, `make vet`, `go mod verify`, attribute-namespace-check, hit-line-format-stable, and no-autoupdate-check all green at commit time.
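Added illustration, not the chart's own templates or docs: a sketch of how the three knobs described in the PR body and Summary fit together end to end (chart defaults, the schema pattern, the fail-closed `required` in the DaemonSet template, and the operator-side `config:` wiring that the chart deliberately leaves to the operator). Only the knob names and defaults, mode 0400, the `^/` pattern and the `cert_file`/`key_file`/`ca_file`/`client_ca_file` key names come from the page; the file names, the `required` error wording, the `server:`/`client:` layout under `config:`, the Secret name `tracecore-agent-tls` and the Issuer name are assumptions made for the example.

```yaml
# --- values.yaml (chart defaults; added example, not the shipped file) ---
tls:
  enabled: false                  # default OFF: no volume, no mount, no config change
  certificateRef: ""              # name of a kubernetes.io/tls Secret; required when enabled
  mountPath: /etc/tracecore/tls   # must be absolute (schema-enforced below)

---
# --- values.schema.json, tls.* portion only (JSON is valid YAML) ---
# `pattern: "^/"` is what makes `--set tls.mountPath=not-absolute` fail at
# render time with "Does not match pattern '^/'".
{
  "$schema": "https://json-schema.org/draft-07/schema#",
  "type": "object",
  "properties": {
    "tls": {
      "type": "object",
      "properties": {
        "enabled":        { "type": "boolean" },
        "certificateRef": { "type": "string" },
        "mountPath":      { "type": "string", "pattern": "^/" }
      }
    }
  }
}

---
# --- templates/daemonset.yaml excerpt (Go template; file name assumed) ---
# `required` fails the render with the given message when the value is nil or
# the empty string, so `tls.enabled=true` without a ref fails closed instead of
# silently producing a Pod that references a Secret named "".
spec:
  template:
    spec:
      containers:
        - name: tracecore
          volumeMounts:
          {{- if .Values.tls.enabled }}
            - name: tls
              mountPath: {{ .Values.tls.mountPath | quote }}
              readOnly: true
          {{- end }}
      volumes:
      {{- if .Values.tls.enabled }}
        - name: tls
          secret:
            secretName: {{ required "tls.certificateRef must be set when tls.enabled=true" .Values.tls.certificateRef | quote }}
            defaultMode: 0400     # owner read-only; key material never group/world readable
      {{- end }}

---
# --- cert-manager Certificate the operator creates (assumed names) ---
# `usages` lists both server and client auth so one Secret can serve an agent
# that accepts connections and also dials the aggregation side.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tracecore-agent
spec:
  secretName: tracecore-agent-tls          # becomes tls.certificateRef below
  issuerRef:
    name: tracecore-ca                     # assumed CA Issuer; emits ca.crt into the Secret
    kind: Issuer
  dnsNames:
    - tracecore-agent.default.svc
  usages:
    - server auth
    - client auth

---
# --- operator values override: the part the chart does NOT do for you ---
# The Secret is projected as files; the config block references those file
# literals. Layout under `config:` is assumed, not the real tracecore schema.
tls:
  enabled: true
  certificateRef: tracecore-agent-tls
config:
  server:
    cert_file: /etc/tracecore/tls/tls.crt
    key_file: /etc/tracecore/tls/tls.key
    client_ca_file: /etc/tracecore/tls/ca.crt   # drop this line and the listener still
                                                # serves TLS but no longer verifies peers:
                                                # the silent one-way-TLS downgrade
  client:
    cert_file: /etc/tracecore/tls/tls.crt
    key_file: /etc/tracecore/tls/tls.key
    ca_file: /etc/tracecore/tls/ca.crt
```

Two practitioner caveats the knobs themselves do not cover. First, `ca.crt` only exists in the projected directory when the issuer writes it into the kubernetes.io/tls Secret (CA, self-signed and Vault issuers do; ACME issuers do not), so a `client_ca_file` path that points at a missing file is a config error to test for, not something the chart can catch at render time. Second, the kubelet rewrites projected Secret files when cert-manager rotates the certificate, but the process only picks them up if it re-reads them; if tracecore loads the files once at start, a rotation-aware restart (or a reload hook) is needed or the agent will keep serving the old, eventually expired, certificate.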