AUTO: Sync Helm Charts docs to ScalarDB Enterprise docs site repo
josh-wong committed Apr 12, 2024
1 parent 15fcab7 commit 51d5033
Showing 7 changed files with 1,844 additions and 7 deletions.
71 changes: 71 additions & 0 deletions docs/latest/helm-charts/configure-custom-values-envoy.md
Expand Up @@ -144,6 +144,77 @@ envoy:
repository: <SCALAR_ENVOY_CONTAINER_IMAGE>
```

If you're using AWS or Azure, please refer to the following documents for more details:

* [How to install Scalar products through AWS Marketplace](https://github.com/scalar-labs/scalar-kubernetes/blob/master/docs/AwsMarketplaceGuide.md)
* [How to install Scalar products through Azure Marketplace](https://github.com/scalar-labs/scalar-kubernetes/blob/master/docs/AzureMarketplaceGuide.md)

### TLS configurations (optional based on your environment)

You can enable TLS in:

- Downstream connections between the client and Scalar Envoy.
- Upstream connections between Scalar Envoy and Scalar products.

#### Enable TLS in downstream connections

You can enable TLS in downstream connections by using the following configurations:

```yaml
envoy:
tls:
downstream:
enabled: true
certChainSecret: "envoy-tls-cert"
privateKeySecret: "envoy-tls-key"
```

In this case, you have to create secret resources that include private key and certificate files for Scalar Envoy as follows:

```console
kubectl create secret generic envoy-tls-cert --from-file=cert-chain=/path/to/your/certificate/file -n <NAMESPACE>
kubectl create secret generic envoy-tls-key --from-file=private-key=/path/to/your/private/key/file -n <NAMESPACE>
```

For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md).

#### Enable TLS in upstream connections

You can enable TLS in upstream connections by using the following configurations:

```yaml
envoy:
tls:
upstream:
enabled: true
overrideAuthority: "cluster.scalardb.example.com"
caRootCertSecret: "scalardb-cluster-tls-ca"
```

In this case, you have to create secret resources that include CA certificate files as follows. You must set the root CA certificate file based on the upstream that you use (ScalarDB Cluster, ScalarDL Ledger, or ScalarDL Auditor).

* ScalarDB Cluster

```console
kubectl create secret generic scalardb-cluster-tls-ca --from-file=ca-root-cert=/path/to/root/ca/cert/file/for/scalardb-cluster -n <NAMESPACE>
```

* ScalarDL Ledger

```console
kubectl create secret generic scalardl-ledger-tls-ca --from-file=ca-root-cert=/path/to/root/ca/cert/file/for/scalardl-ledger -n <NAMESPACE>
```

* ScalarDL Auditor

```console
kubectl create secret generic scalardl-auditor-tls-ca --from-file=ca-root-cert=/path/to/root/ca/cert/file/for/scalardl-auditor -n <NAMESPACE>
```

For more details on how to prepare private key and certificate files, see [How to create key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md).

Also, you can set the custom authority for TLS communication by using `envoy.tls.upstream.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`, `ledger.tls.certChainSecret`, or `auditor.tls.certChainSecret`, depending on which product you're using. Envoy uses this value for verifying the certificate of the TLS connection with ScalarDB Cluster or ScalarDL.

### Replica configurations (Optional based on your environment)

You can specify the number of replicas (pods) of Scalar Envoy using `envoy.replicaCount`.
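
Review bot: In the `overrideAuthority` paragraph of the upstream TLS section, "may safely be used outside of tests" is stated without the condition that makes it safe. The same paragraph says Envoy verifies the upstream certificate against this value and that the value does not change which host is connected, so the name check is made against the configured string rather than the host Envoy reaches; suggest stating that the value must match a hostname in the upstream certificate. Separately, the example hardcodes `caRootCertSecret: "scalardb-cluster-tls-ca"` while the Ledger and Auditor commands create `scalardl-ledger-tls-ca` and `scalardl-auditor-tls-ca`; add a sentence telling readers to set `caRootCertSecret` to the secret created for their upstream.
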
Expand Up @@ -137,6 +137,39 @@ scalardbCluster:
allowPrivilegeEscalation: false
```

### TLS configurations (optional based on your environment)

You can enable TLS in all ScalarDB Cluster connections by using the following configurations:

```yaml
scalardbCluster:
scalardbClusterNodeProperties: |
...(omit)...
scalar.db.cluster.tls.enabled=true
scalar.db.cluster.tls.ca_root_cert_path=/tls/certs/ca-root-cert.pem
scalar.db.cluster.node.tls.cert_chain_path=/tls/certs/cert-chain.pem
scalar.db.cluster.node.tls.private_key_path=/tls/certs/private-key.pem
scalar.db.cluster.tls.override_authority=cluster.scalardb.example.com
tls:
enabled: true
overrideAuthority: "cluster.scalardb.example.com"
caRootCertSecret: "scalardb-cluster-tls-ca"
certChainSecret: "scalardb-cluster-tls-cert"
privateKeySecret: "scalardb-cluster-tls-key"
```

In this case, you have to create secret resources that include private key and certificate files for ScalarDB Cluster as follows:

```console
kubectl create secret generic scalardb-cluster-tls-ca --from-file=ca-root-cert=/path/to/your/ca/certificate/file -n <NAMESPACE>
kubectl create secret generic scalardb-cluster-tls-cert --from-file=cert-chain=/path/to/your/certificate/file -n <NAMESPACE>
kubectl create secret generic scalardb-cluster-tls-key --from-file=private-key=/path/to/your/private/key/file -n <NAMESPACE>
```

For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md).

Also, you can set the custom authority for TLS communication by using `scalardbCluster.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`.

### Replica configurations (optional based on your environment)

You can specify the number of ScalarDB Cluster replicas (pods) by using `scalardbCluster.replicaCount`.
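
Review bot: The example does not say how the secret keys relate to the paths in `scalardbClusterNodeProperties`. The properties point at `/tls/certs/ca-root-cert.pem`, `/tls/certs/cert-chain.pem` and `/tls/certs/private-key.pem`, while the `kubectl` commands create keys named `ca-root-cert`, `cert-chain` and `private-key`; document whether those key names are fixed and how the chart mounts them, so a reader who picks a different `--from-file` key can tell why the files are not found. The authority is also set twice, as `scalar.db.cluster.tls.override_authority` and `tls.overrideAuthority`; say whether the two values must match.
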
Expand Up @@ -153,6 +153,41 @@ auditor:
allowPrivilegeEscalation: false
```

### TLS configurations (optional based on your environment)

You can enable TLS in all ScalarDL Auditor connections by using the following configurations:

```yaml
auditor:
auditorProperties: |
scalar.dl.auditor.server.tls.enabled=true
scalar.dl.auditor.server.tls.cert_chain_path=/tls/certs/cert-chain.pem
scalar.dl.auditor.server.tls.private_key_path=/tls/certs/private-key.pem
scalar.dl.auditor.tls.enabled=true
scalar.dl.auditor.tls.ca_root_cert_path=/tls/certs/ca-root-cert-for-ledger.pem
scalar.dl.auditor.tls.override_authority=envoy.scalar.example.com
tls:
enabled: true
overrideAuthority: "auditor.scalardl.example.com"
caRootCertSecret: "scalardl-auditor-tls-ca"
certChainSecret: "scalardl-auditor-tls-cert"
privateKeySecret: "scalardl-auditor-tls-key"
caRootCertForLedgerSecret: "scalardl-auditor-tls-ca-for-ledger"
```

In this case, you have to create secret resources that include private key and certificate files for ScalarDL Ledger and ScalarDL Auditor as follows:

```console
kubectl create secret generic scalardl-auditor-tls-ca --from-file=ca-root-cert=/path/to/your/ca/certificate/file/for/auditor -n <NAMESPACE>
kubectl create secret generic scalardl-auditor-tls-cert --from-file=cert-chain=/path/to/your/auditor/certificate/file -n <NAMESPACE>
kubectl create secret generic scalardl-auditor-tls-key --from-file=private-key=/path/to/your/auditor/private/key/file -n <NAMESPACE>
kubectl create secret generic scalardl-auditor-tls-ca-for-ledger --from-file=ca-root-cert-for-ledger=/path/to/your/ca/certificate/file/for/ledger -n <NAMESPACE>
```

For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md).

Also, you can set the custom authority for TLS communication by using `auditor.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `auditor.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`.

### Replica configurations (Optional based on your environment)

You can specify the number of replicas (pods) of ScalarDL Auditor using `auditor.replicaCount`.
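
Review bot: The Auditor example sets two different authority values with no explanation: `scalar.dl.auditor.tls.override_authority=envoy.scalar.example.com` in `auditorProperties` and `overrideAuthority: "auditor.scalardl.example.com"` under `tls`. The closing paragraph covers only `auditor.tls.overrideAuthority` and its use by the probes; add a sentence saying which connection the properties value applies to and which certificate it has to match. The sentence before the `kubectl` block also says the secrets hold private key and certificate files for ScalarDL Ledger and ScalarDL Auditor, but the commands create only the Auditor's key and certificate plus two CA certificates.
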
Expand Up @@ -153,7 +153,37 @@ ledger:
allowPrivilegeEscalation: false
```

### Replica configurations (Optional based on your environment)
### TLS configurations (optional based on your environment)

You can enable TLS in all ScalarDL Ledger connections by using the following configurations:

```yaml
ledger:
ledgerProperties: |
scalar.dl.ledger.server.tls.enabled=true
scalar.dl.ledger.server.tls.cert_chain_path=/tls/certs/cert-chain.pem
scalar.dl.ledger.server.tls.private_key_path=/tls/certs/private-key.pem
tls:
enabled: true
overrideAuthority: "ledger.scalardl.example.com"
caRootCertSecret: "scalardl-ledger-tls-ca"
certChainSecret: "scalardl-ledger-tls-cert"
privateKeySecret: "scalardl-ledger-tls-key"
```

In this case, you have to create secret resources that include private key and certificate files for ScalarDL Ledger as follows:

```console
kubectl create secret generic scalardl-ledger-tls-ca --from-file=ca-root-cert=/path/to/your/ca/certificate/file -n <NAMESPACE>
kubectl create secret generic scalardl-ledger-tls-cert --from-file=cert-chain=/path/to/your/certificate/file -n <NAMESPACE>
kubectl create secret generic scalardl-ledger-tls-key --from-file=private-key=/path/to/your/private/key/file -n <NAMESPACE>
```

For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md).

Also, you can set the custom authority for TLS communication by using `ledger.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `ledger.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`.

### Replica configurations (optional based on your environment)

You can specify the number of replicas (pods) of ScalarDL Ledger using `ledger.replicaCount`.
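
Review bot: `caRootCertSecret: "scalardl-ledger-tls-ca"` is set and a CA secret is created, but `ledgerProperties` has no CA path entry, unlike the ScalarDB Cluster and Auditor examples, which set `ca_root_cert_path`. Say what consumes the CA secret in the Ledger chart, or remove it from the example if nothing does. The Replica heading is lowercased to "(optional based on your environment)" here, while the Envoy and Auditor files keep "(Optional ...)" next to their new lowercase TLS headings; worth aligning across the four files.
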

26 changes: 20 additions & 6 deletions docs/latest/helm-charts/getting-started-scalar-helm-charts.md
Expand Up @@ -15,15 +15,27 @@ We will use the following tools for testing.

First, you need to install the following tools used in this guide.

1. Install the minikube according to the [minikube document](https://minikube.sigs.k8s.io/docs/start/)
1. Install the `minikube` command according to the [minikube documentation](https://minikube.sigs.k8s.io/docs/start/)

1. Install the kubectl according to the [Kubernetes document](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/)
1. Install the `kubectl` command according to the [Kubernetes documentation](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/)

1. Install the helm command according to the [Helm document](https://helm.sh/docs/intro/install/)
1. Install the `helm` command according to the [Helm documentation](https://helm.sh/docs/intro/install/)

1. Install the cfssl and cfssljson according to the [CFSSL document](https://github.com/cloudflare/cfssl)
* Note:
* You need the cfssl and cfssljson when you try ScalarDL. If you try Scalar Helm Charts other than ScalarDL (e.g., ScalarDB, Monitoring, Logging, etc...), the cfssl and cfssljson are not necessary.
1. Install the `cfssl` and `cfssljson` according to the [CFSSL documentation](https://github.com/cloudflare/cfssl)

{% capture notice--info %}
**Note**

You need to install the `cfssl` and `cfssljson` command when following these getting started guides:

* [ScalarDB Cluster with TLS](getting-started-scalardb-cluster-tls.md)
* [ScalarDL Ledger and Auditor with TLS (Auditor mode)](getting-started-scalardl-auditor-tls.md)
* [ScalarDL Ledger (Ledger only)](getting-started-scalardl-ledger.md)
* [ScalarDL Ledger and Auditor (Auditor mode)](getting-started-scalardl-auditor.md)

{% endcapture %}

<div class="notice--info">{{ notice--info | markdownify }}</div>

## Step 2. Start minikube with docker driver (Optional / If you use minikube)
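
Review bot: In the new note, "You need to install the `cfssl` and `cfssljson` command" should read "commands", and list item 4 drops the word that items 1 to 3 use ("Install the `minikube` command"); suggest "Install the `cfssl` and `cfssljson` commands according to ...". The removed sentence tied these tools to ScalarDL only, while the new list also names the ScalarDB Cluster with TLS guide, so a short phrase saying what the tools are used for in these guides would make the requirement clearer.
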

Expand Down Expand Up @@ -53,7 +65,9 @@ First, you need to install the following tools used in this guide.

After the Kubernetes cluster starts, you can try each Scalar Helm Charts on it. Please refer to the following documents for more details.

* [ScalarDB Cluster with TLS](getting-started-scalardb-cluster-tls.md)
* [ScalarDB Analytics with PostgreSQL](getting-started-scalardb-analytics-postgresql.md)
* [ScalarDL Ledger and Auditor with TLS (Auditor mode)](getting-started-scalardl-auditor-tls.md)
* [ScalarDL Ledger (Ledger only)](getting-started-scalardl-ledger.md)
* [ScalarDL Ledger and Auditor (Auditor mode)](getting-started-scalardl-auditor.md)
* [Monitoring using Prometheus Operator](getting-started-monitoring.md)