Merge pull request #15 from elastiflow/ENG-1780-add-tls-certificate

FEAT: Add kafla tls support
elastiflow · Apr 30, 2024 · 106b8c2 · 106b8c2
2 parents b7ba3da + 8bb0ca5
commit 106b8c2
Show file tree

Hide file tree

Showing 3 changed files with 53 additions and 5 deletions.
diff --git a/charts/netobserv/Chart.yaml b/charts/netobserv/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: netobserv
 description: ElastiFlow NetObserv
 type: application
-version: 0.0.13
+version: 0.0.14
 appVersion: 6.4.3
 
 keywords:

diff --git a/charts/netobserv/templates/deployment.yaml b/charts/netobserv/templates/deployment.yaml
@@ -76,6 +76,18 @@ spec:
                   name: netobserv-license
                   key: license
           {{- end }}
+          {{- if .Values.kafka.enabled }}
+          - name: EF_OUTPUT_KAFKA_ENABLE
+            value: 'true'
+          - name: "EF_OUTPUT_KAFKA_BROKERS"
+            value: {{ .Values.kafka.brokers }}
+          {{- if .Values.kafka.tls.enabled }}
+            - name: EF_OUTPUT_KAFKA_TLS_ENABLE
+              value: 'true'
+            - name: "EF_OUTPUT_KAFKA_TLS_CA_CERT_FILEPATH"
+              value: "{{ .Values.kafka.tls.caMountPath }}/{{ .Values.kafka.tls.caFilename }}"
+          {{- end }}
+          {{- end }}
           ports:
             - name: udp
               containerPort: {{ .Values.service.port }}
@@ -90,10 +102,17 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
-          {{- if or .Values.maxmind.asnEnabled .Values.maxmind.geoipEnabled }}
+          {{- if or .Values.maxmind.asnEnabled .Values.maxmind.geoipEnabled .Values.kafka.tls.enabled }}
           volumeMounts:
+            {{- if or .Values.maxmind.asnEnabled .Values.maxmind.geoipEnabled }}
             - name: geolite2-data
               mountPath: /etc/elastiflow/maxmind
+            {{- end }}
+            {{- if .Values.kafka.tls.enabled }}
+            - name: {{ .Values.kafka.tls.caConfigMap }}
+              mountPath: {{ .Values.kafka.tls.caMountPath }}
+              readOnly: True
+            {{- end }}
           {{- end }}
         {{- if or .Values.maxmind.asnEnabled .Values.maxmind.geoipEnabled }}
         - name: maxmind-geoipupdate
@@ -123,10 +142,20 @@ spec:
             - name: geolite2-data
               mountPath: /data
         {{- end }}
-      {{- if or .Values.maxmind.asnEnabled .Values.maxmind.geoipEnabled }}
+      {{- if or .Values.maxmind.asnEnabled .Values.maxmind.geoipEnabled .Values.kafka.tls.enabled }}
       volumes:
+        {{- if or .Values.maxmind.asnEnabled .Values.maxmind.geoipEnabled }}
         - name: geolite2-data
           emptyDir: {}
+        {{- end }}
+        {{- if .Values.kafka.tls.enabled }}
+        - name: {{ .Values.kafka.tls.caFileName }}
+          configMap:
+            name: {{ .Values.kafka.tls.caConfigMap }}
+            items:
+              - key: {{ .Values.kafka.tls.caConfigMapKey }}
+                path: {{ .Values.kafka.tls.caFileName }}
+        {{- end }}
       {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:

diff --git a/charts/netobserv/values.yaml b/charts/netobserv/values.yaml
@@ -56,8 +56,6 @@ env:
   # EF_OUTPUT_SPLUNK_HEC_ENABLE: 'false'
   # EF_OUTPUT_SPLUNK_HEC_ADDRESSES: '127.0.0.1:8088'
   # EF_OUTPUT_SPLUNK_HEC_TOKEN: ''
-  # EF_OUTPUT_KAFKA_ENABLE: 'false'
-  # EF_OUTPUT_KAFKA_BROKERS: ''
   # EF_OUTPUT_KAFKA_SASL_ENABLE: 'false'
   # EF_OUTPUT_CRIBL_ENABLE: 'false'
   # EF_OUTPUT_CRIBL_ADDRESSES: '127.0.0.1:10080'
@@ -67,6 +65,27 @@ env:
   # EF_OUTPUT_GENERIC_HTTP_ADDRESSES: ''
   # EF_OUTPUT_RISKIQ_ENABLE: 'false'
 
+# The Kafka output can be used to send records to Apache Kafka, Confluent Platform,
+# Confluent Cloud, Redpanda and Amazon Managed Streaming for Apache Kafka (Amazon MSK).
+# https://docs.elastiflow.com/docs/output-kafka
+kafka:
+  # Enable/disable TLS connections to Kafka.
+  enabled: false
+  # A comma-separated list of brokers, IP address and port number, to which the collector is to connect.
+  # Example: "192.0.2.11:9092,192.0.2.12:9092,192.0.2.13:9092"
+  brokers: ""
+  tls:
+    # Enable/disable TLS connections to Kafka.
+    enabled: false
+    # The name of the config map that contains the CA certificate.
+    caConfigMap: ""
+    # The path to the CA certificate file.
+    caMountPath: ""
+    # The key in the config map that contains the CA certificate.
+    caConfigMapKey: "ca.crt"
+    # The name of the file that contains the CA certificate.
+    caFileName: "ca.crt"
+
 license:
   # Specifies whether a secret should be created. If you don't have a license, no need to create a license secret.
   createSecret: false