AUTO: Sync Helm Charts docs to ScalarDB Enterprise docs site repo (#232)

Co-authored-by: josh-wong <[email protected]>
scalar-labs · Apr 12, 2024 · ac62425 · ac62425
1 parent c823f35
commit ac62425
Show file tree

Hide file tree

Showing 7 changed files with 1,844 additions and 7 deletions.
diff --git a/docs/3.10/helm-charts/configure-custom-values-envoy.md b/docs/3.10/helm-charts/configure-custom-values-envoy.md
@@ -144,6 +144,77 @@ envoy:
     repository: <SCALAR_ENVOY_CONTAINER_IMAGE>
 ```
 
+If you're using AWS or Azure, please refer to the following documents for more details:
+
+* [How to install Scalar products through AWS Marketplace](https://github.com/scalar-labs/scalar-kubernetes/blob/master/docs/AwsMarketplaceGuide.md)
+* [How to install Scalar products through Azure Marketplace](https://github.com/scalar-labs/scalar-kubernetes/blob/master/docs/AzureMarketplaceGuide.md)
+
+### TLS configurations (optional based on your environment)
+
+You can enable TLS in:
+
+- Downstream connections between the client and Scalar Envoy.
+- Upstream connections between Scalar Envoy and Scalar products.
+
+#### Enable TLS in downstream connections
+
+You can enable TLS in downstream connections by using the following configurations:
+
+```yaml
+envoy:
+  tls:
+    downstream:
+      enabled: true
+      certChainSecret: "envoy-tls-cert"
+      privateKeySecret: "envoy-tls-key"
+```
+
+In this case, you have to create secret resources that include private key and certificate files for Scalar Envoy as follows:
+
+```console
+kubectl create secret generic envoy-tls-cert --from-file=cert-chain=/path/to/your/certificate/file -n <NAMESPACE>
+kubectl create secret generic envoy-tls-key --from-file=private-key=/path/to/your/private/key/file -n <NAMESPACE>
+```
+
+For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md).
+
+#### Enable TLS in upstream connections
+
+You can enable TLS in upstream connections by using the following configurations:
+
+```yaml
+envoy:
+  tls:
+    upstream:
+      enabled: true
+      overrideAuthority: "cluster.scalardb.example.com"
+      caRootCertSecret: "scalardb-cluster-tls-ca"
+```
+
+In this case, you have to create secret resources that include CA certificate files as follows. You must set the root CA certificate file based on the upstream that you use (ScalarDB Cluster, ScalarDL Ledger, or ScalarDL Auditor).
+
+* ScalarDB Cluster
+
+  ```console
+  kubectl create secret generic scalardb-cluster-tls-ca --from-file=ca-root-cert=/path/to/root/ca/cert/file/for/scalardb-cluster -n <NAMESPACE>
+  ```
+
+* ScalarDL Ledger
+
+  ```console
+  kubectl create secret generic scalardl-ledger-tls-ca --from-file=ca-root-cert=/path/to/root/ca/cert/file/for/scalardl-ledger -n <NAMESPACE>
+  ```
+
+* ScalarDL Auditor
+
+  ```console
+  kubectl create secret generic scalardl-auditor-tls-ca --from-file=ca-root-cert=/path/to/root/ca/cert/file/for/scalardl-auditor -n <NAMESPACE>
+  ```
+
+For more details on how to prepare private key and certificate files, see [How to create key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md).
+
+Also, you can set the custom authority for TLS communication by using `envoy.tls.upstream.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`, `ledger.tls.certChainSecret`, or `auditor.tls.certChainSecret`, depending on which product you're using. Envoy uses this value for verifying the certificate of the TLS connection with ScalarDB Cluster or ScalarDL.
+
 ### Replica configurations (Optional based on your environment)
 
 You can specify the number of replicas (pods) of Scalar Envoy using `envoy.replicaCount`.

diff --git a/docs/3.10/helm-charts/configure-custom-values-scalardb-cluster.md b/docs/3.10/helm-charts/configure-custom-values-scalardb-cluster.md
@@ -137,6 +137,39 @@ scalardbCluster:
     allowPrivilegeEscalation: false
 ```
 
+### TLS configurations (optional based on your environment)
+
+You can enable TLS in all ScalarDB Cluster connections by using the following configurations:
+
+```yaml
+scalardbCluster:
+  scalardbClusterNodeProperties: |
+    ...(omit)...
+    scalar.db.cluster.tls.enabled=true
+    scalar.db.cluster.tls.ca_root_cert_path=/tls/certs/ca-root-cert.pem
+    scalar.db.cluster.node.tls.cert_chain_path=/tls/certs/cert-chain.pem
+    scalar.db.cluster.node.tls.private_key_path=/tls/certs/private-key.pem
+    scalar.db.cluster.tls.override_authority=cluster.scalardb.example.com
+  tls:
+    enabled: true
+    overrideAuthority: "cluster.scalardb.example.com"
+    caRootCertSecret: "scalardb-cluster-tls-ca"
+    certChainSecret: "scalardb-cluster-tls-cert"
+    privateKeySecret: "scalardb-cluster-tls-key"
+```
+
+In this case, you have to create secret resources that include private key and certificate files for ScalarDB Cluster as follows:
+
+```console
+kubectl create secret generic scalardb-cluster-tls-ca --from-file=ca-root-cert=/path/to/your/ca/certificate/file -n <NAMESPACE>
+kubectl create secret generic scalardb-cluster-tls-cert --from-file=cert-chain=/path/to/your/certificate/file -n <NAMESPACE>
+kubectl create secret generic scalardb-cluster-tls-key --from-file=private-key=/path/to/your/private/key/file -n <NAMESPACE>
+```
+
+For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md).
+
+Also, you can set the custom authority for TLS communication by using `scalardbCluster.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `scalardbCluster.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`.
+
 ### Replica configurations (optional based on your environment)
 
 You can specify the number of ScalarDB Cluster replicas (pods) by using `scalardbCluster.replicaCount`.

diff --git a/docs/3.10/helm-charts/configure-custom-values-scalardl-auditor.md b/docs/3.10/helm-charts/configure-custom-values-scalardl-auditor.md
@@ -153,6 +153,41 @@ auditor:
     allowPrivilegeEscalation: false
 ```
 
+### TLS configurations (optional based on your environment)
+
+You can enable TLS in all ScalarDL Auditor connections by using the following configurations:
+
+```yaml
+auditor:
+  auditorProperties: |
+    scalar.dl.auditor.server.tls.enabled=true
+    scalar.dl.auditor.server.tls.cert_chain_path=/tls/certs/cert-chain.pem
+    scalar.dl.auditor.server.tls.private_key_path=/tls/certs/private-key.pem
+    scalar.dl.auditor.tls.enabled=true
+    scalar.dl.auditor.tls.ca_root_cert_path=/tls/certs/ca-root-cert-for-ledger.pem
+    scalar.dl.auditor.tls.override_authority=envoy.scalar.example.com
+  tls:
+    enabled: true
+    overrideAuthority: "auditor.scalardl.example.com"
+    caRootCertSecret: "scalardl-auditor-tls-ca"
+    certChainSecret: "scalardl-auditor-tls-cert"
+    privateKeySecret: "scalardl-auditor-tls-key"
+    caRootCertForLedgerSecret: "scalardl-auditor-tls-ca-for-ledger"
+```
+
+In this case, you have to create secret resources that include private key and certificate files for ScalarDL Ledger and ScalarDL Auditor as follows:
+
+```console
+kubectl create secret generic scalardl-auditor-tls-ca --from-file=ca-root-cert=/path/to/your/ca/certificate/file/for/auditor -n <NAMESPACE>
+kubectl create secret generic scalardl-auditor-tls-cert --from-file=cert-chain=/path/to/your/auditor/certificate/file -n <NAMESPACE>
+kubectl create secret generic scalardl-auditor-tls-key --from-file=private-key=/path/to/your/auditor/private/key/file -n <NAMESPACE>
+kubectl create secret generic scalardl-auditor-tls-ca-for-ledger --from-file=ca-root-cert-for-ledger=/path/to/your/ca/certificate/file/for/ledger -n <NAMESPACE>
+```
+
+For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md).
+
+Also, you can set the custom authority for TLS communication by using `auditor.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `auditor.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`.
+
 ### Replica configurations (Optional based on your environment)
 
 You can specify the number of replicas (pods) of ScalarDL Auditor using `auditor.replicaCount`.

diff --git a/docs/3.10/helm-charts/configure-custom-values-scalardl-ledger.md b/docs/3.10/helm-charts/configure-custom-values-scalardl-ledger.md
@@ -153,7 +153,37 @@ ledger:
     allowPrivilegeEscalation: false
 ```
 
-### Replica configurations (Optional based on your environment)
+### TLS configurations (optional based on your environment)
+
+You can enable TLS in all ScalarDL Ledger connections by using the following configurations:
+
+```yaml
+ledger:
+  ledgerProperties: |
+    scalar.dl.ledger.server.tls.enabled=true
+    scalar.dl.ledger.server.tls.cert_chain_path=/tls/certs/cert-chain.pem
+    scalar.dl.ledger.server.tls.private_key_path=/tls/certs/private-key.pem
+  tls:
+    enabled: true
+    overrideAuthority: "ledger.scalardl.example.com"
+    caRootCertSecret: "scalardl-ledger-tls-ca"
+    certChainSecret: "scalardl-ledger-tls-cert"
+    privateKeySecret: "scalardl-ledger-tls-key"
+```
+
+In this case, you have to create secret resources that include private key and certificate files for ScalarDL Ledger as follows:
+
+```console
+kubectl create secret generic scalardl-ledger-tls-ca --from-file=ca-root-cert=/path/to/your/ca/certificate/file -n <NAMESPACE>
+kubectl create secret generic scalardl-ledger-tls-cert --from-file=cert-chain=/path/to/your/certificate/file -n <NAMESPACE>
+kubectl create secret generic scalardl-ledger-tls-key --from-file=private-key=/path/to/your/private/key/file -n <NAMESPACE>
+```
+
+For more details on how to prepare private key and certificate files, see [How to create private key and certificate files for Scalar products](../scalar-kubernetes/HowToCreateKeyAndCertificateFiles.md).
+
+Also, you can set the custom authority for TLS communication by using `ledger.tls.overrideAuthority`. This value doesn't change what host is actually connected. This value is intended for testing but may safely be used outside of tests as an alternative to DNS overrides. For example, you can specify the hostname presented in the certificate chain file that you set by using `ledger.tls.certChainSecret`. This chart uses this value for `startupProbe` and `livenessProbe`.
+
+### Replica configurations (optional based on your environment)
 
 You can specify the number of replicas (pods) of ScalarDL Ledger using `ledger.replicaCount`.
 

diff --git a/docs/3.10/helm-charts/getting-started-scalar-helm-charts.md b/docs/3.10/helm-charts/getting-started-scalar-helm-charts.md
@@ -15,15 +15,27 @@ We will use the following tools for testing.
 
 First, you need to install the following tools used in this guide.
 
-1. Install the minikube according to the [minikube document](https://minikube.sigs.k8s.io/docs/start/)  
+1. Install the `minikube` command according to the [minikube documentation](https://minikube.sigs.k8s.io/docs/start/)
 
-1. Install the kubectl according to the [Kubernetes document](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/)  
+1. Install the `kubectl` command according to the [Kubernetes documentation](https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/)
 
-1. Install the helm command according to the [Helm document](https://helm.sh/docs/intro/install/)  
+1. Install the `helm` command according to the [Helm documentation](https://helm.sh/docs/intro/install/)
 
-1. Install the cfssl and cfssljson according to the [CFSSL document](https://github.com/cloudflare/cfssl)
-   * Note:
-        * You need the cfssl and cfssljson when you try ScalarDL. If you try Scalar Helm Charts other than ScalarDL (e.g., ScalarDB, Monitoring, Logging, etc...), the cfssl and cfssljson are not necessary.
+1. Install the `cfssl` and `cfssljson` according to the [CFSSL documentation](https://github.com/cloudflare/cfssl)
+
+{% capture notice--info %}
+**Note**
+
+You need to install the `cfssl` and `cfssljson` command when following these getting started guides:
+
+* [ScalarDB Cluster with TLS](getting-started-scalardb-cluster-tls.md)
+* [ScalarDL Ledger and Auditor with TLS (Auditor mode)](getting-started-scalardl-auditor-tls.md)
+* [ScalarDL Ledger (Ledger only)](getting-started-scalardl-ledger.md)
+* [ScalarDL Ledger and Auditor (Auditor mode)](getting-started-scalardl-auditor.md)
+
+{% endcapture %}
+
+<div class="notice--info">{{ notice--info | markdownify }}</div>
 
 ## Step 2. Start minikube with docker driver (Optional / If you use minikube)
 
@@ -53,7 +65,9 @@ First, you need to install the following tools used in this guide.
 
 After the Kubernetes cluster starts, you can try each Scalar Helm Charts on it. Please refer to the following documents for more details.
 
+* [ScalarDB Cluster with TLS](getting-started-scalardb-cluster-tls.md)
 * [ScalarDB Analytics with PostgreSQL](getting-started-scalardb-analytics-postgresql.md)
+* [ScalarDL Ledger and Auditor with TLS (Auditor mode)](getting-started-scalardl-auditor-tls.md)
 * [ScalarDL Ledger (Ledger only)](getting-started-scalardl-ledger.md)
 * [ScalarDL Ledger and Auditor (Auditor mode)](getting-started-scalardl-auditor.md)
 * [Monitoring using Prometheus Operator](getting-started-monitoring.md)