Merge pull request #205 from vihangm/vihang/tls_probes

bug: Update default probes to work with tls enabled

Author: jeremy-albuixech

charts/openfga/templates/deployment.yaml

@@ -402,25 +402,58 @@ spec:
           readinessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customReadinessProbe "context" $) | nindent 12 }}
           {{- else if .Values.readinessProbe.enabled }}
           readinessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.readinessProbe "enabled") "context" $) | nindent 12 }}
+          {{- if .Values.grpc.tls.enabled }}
             exec:
-              command: ["grpc_health_probe", "-addr={{ .Values.grpc.addr }}"]
+              command:
+              - grpc_health_probe
+              - -addr={{ .Values.grpc.addr }}
+              - -tls
+              - -tls-ca-cert={{ .Values.grpc.tls.ca }}
+              - -tls-client-cert={{ .Values.grpc.tls.cert }}
+              - -client-tls-key={{ .Values.grpc.tls.key }}
+          {{- else }}
+            grpc:
+              port: {{ (split ":" .Values.grpc.addr)._1 }}
+          {{- end }}
           {{- end }}
 
           {{- if .Values.customLivenessProbe }}
           livenessProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customLivenessProbe "context" $) | nindent 12 }}
           {{- else if .Values.livenessProbe.enabled }}
           livenessProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.livenessProbe "enabled") "context" $) | nindent 12 }}
+          {{- if .Values.grpc.tls.enabled }}
+            exec:
+              command:
+              - grpc_health_probe
+              - -addr={{ .Values.grpc.addr }}
+              - -tls
+              - -tls-ca-cert={{ .Values.grpc.tls.ca }}
+              - -tls-client-cert={{ .Values.grpc.tls.cert }}
+              - -tls-client-key={{ .Values.grpc.tls.key }}
+          {{- else }}
             grpc:
               port: {{ (split ":" .Values.grpc.addr)._1 }}
           {{- end }}
+          {{- end }}
 
           {{- if .Values.customStartupProbe }}
           startupProbe: {{- include "common.tplvalues.render" (dict "value" .Values.customStartupProbe "context" $) | nindent 12 }}
           {{- else if .Values.startupProbe.enabled }}
           startupProbe: {{- include "common.tplvalues.render" (dict "value" (omit .Values.startupProbe "enabled") "context" $) | nindent 12 }}
+          {{- if .Values.grpc.tls.enabled }}
+            exec:
+              command:
+              - grpc_health_probe
+              - -addr={{ .Values.grpc.addr }}
+              - -tls
+              - -tls-ca-cert={{ .Values.grpc.tls.ca }}
+              - -tls-client-cert={{ .Values.grpc.tls.cert }}
+              - -tls-client-key={{ .Values.grpc.tls.key }}
+          {{- else }}
             grpc:
               port: {{ (split ":" .Values.grpc.addr)._1 }}
           {{- end }}
+          {{- end }}
 
           resources:
             {{- toYaml .Values.resources | nindent 12 }}

charts/openfga/values.schema.json

@@ -402,6 +402,13 @@
                             "description": "enables or disables transport layer security (TLS)",
                             "default": false
                         },
+                        "ca": {
+                            "type": [
+                                "string",
+                                "null"
+                            ],
+                            "description": "the (absolute) file path of the CA certificate to use for the TLS connection"
+                        },
                         "cert": {
                             "type": [
                                 "string",

charts/openfga/values.yaml

@@ -227,6 +227,7 @@ grpc:
     enabled: false
     cert:
     key:
+    ca:
 
 http:
   enabled: true