
Add support for Certificate Revocation Lists (CRL)

Open JakeSCahill opened this issue 1 year ago • 2 comments

What would you like to be added?

In 24.2, Redpanda will support Certificate Revocation Lists (CRLs) for TLS-encrypted connections. To support CRLs in the Helm chart, we require some changes.

Changes Required

Update values.yaml to add new fields under the tls section for each listener to specify the CRL paths. For example:

tls:
  enabled: true
  certs:
    default:
      caEnabled: true
    external:
      caEnabled: true

  # Global CRL field
  crlFile:
    secretKeyRef:
      key:
      name:

listeners:
  admin:
    port: 9644
    tls:
      cert: default
      requireClientAuth: false
      crlFile:
        secretKeyRef:
          key:
          name:
    external:
      default:
        port: 9645
        tls:
          cert: external
          crlFile:
            secretKeyRef:
              key:
              name:
  kafka:
    port: 9093
    authenticationMethod: "sasl"
    tls:
      cert: default
      requireClientAuth: false
      crlFile:
        secretKeyRef:
          key:
          name:
    external:
      default:
        port: 9094
        tls:
          cert: external
          crlFile:
            secretKeyRef:
              key:
              name:

  # Other listeners...

Why is this needed?

To support the new CRL crl_file field in Redpanda >=24.2

JIRA Link: K8S-298

JakeSCahill, Jul 18 '24 08:07
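The layout proposed in the issue above can be checked before deployment. This added example (not code from the issue or from the Helm chart) resolves which `crlFile.secretKeyRef` each listener would use and flags references with an empty `name` or `key`. It assumes a listener-level `crlFile` overrides the global one, which the issue does not state; the Secret names and keys are constructed samples.

```python
# Added example: resolves the proposed crlFile.secretKeyRef for every listener.
# ASSUMPTION (not stated in the issue): a listener-level crlFile overrides the
# global tls.crlFile. Secret names and keys below are constructed samples.
VALUES = {
    "tls": {"enabled": True,
            "crlFile": {"secretKeyRef": {"name": "redpanda-crl", "key": "ca.crl"}}},
    "listeners": {
        "admin": {
            "port": 9644,
            "tls": {"cert": "default", "requireClientAuth": False},
            "external": {"default": {"port": 9645, "tls": {"cert": "external"}}},
        },
        "kafka": {
            "port": 9093,
            "tls": {"cert": "default", "requireClientAuth": False,
                    "crlFile": {"secretKeyRef": {"name": "kafka-crl", "key": None}}},
            "external": {"default": {"port": 9094, "tls": {
                "cert": "external",
                "crlFile": {"secretKeyRef": {"name": "kafka-ext-crl", "key": "ext.crl"}}}}},
        },
    },
}


def _ref(tls_block):
    """Return the secretKeyRef dict of a tls block, or None if no crlFile is set."""
    crl = (tls_block or {}).get("crlFile") or {}
    return crl.get("secretKeyRef")


def resolve_crl_refs(values):
    """Map 'listener[/external-name]' to (name, key), or to an error string."""
    global_ref = _ref(values.get("tls"))
    out = {}
    for lname, listener in values.get("listeners", {}).items():
        blocks = {lname: listener.get("tls")}
        for ename, ext in (listener.get("external") or {}).items():
            blocks[f"{lname}/{ename}"] = ext.get("tls")
        for path, tls in blocks.items():
            ref = _ref(tls) or global_ref  # listener-level ref wins if present
            if ref is None:
                out[path] = "no CRL configured"
            elif not ref.get("name") or not ref.get("key"):
                out[path] = "incomplete secretKeyRef"
            else:
                out[path] = (ref["name"], ref["key"])
    return out
```

Calling `resolve_crl_refs(VALUES)` on the sample reports the internal `kafka` listener as incomplete, because its `key` is empty, as in the unfilled template in the issue.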

I would lean toward following the same pattern as truststore_file: https://github.com/redpanda-data/helm-charts/pull/1373/files#diff-9816759f5552bf9796d055b4dd5bb21fe21633582b33349ba828ac5d4092ffe2R422-R426

chrisseto, Jul 18 '24 13:07

Updated the example to reflect the same pattern as truststore_file

JakeSCahill, Jul 18 '24 16:07