OPS-971 - Allow Redis SSL Certificate to be passed in

CHANGELOG.md

@@ -20,23 +20,37 @@ The types of changes are:
 
 ### Added
 
+### Fixed
+
+## [0.17.0](https://github.com/ethyca/fides-helm/compare/fides-0.16.1...fides-0.17.0)
+
+### Added
+
+- Add support for Redis SSL CA certificates via a new `fides.configuration.redisCaSecretName` value [#81](https://github.com/ethyca/fides-helm/pull/81)
+
+### Changed
+
+- Upgrade Fides version to [`2.64.0`](https://github.com/ethyca/fides/releases/tag/2.64.0) [#81](https://github.com/ethyca/fides-helm/pull/81)
+- Convert configuration variables to use named templates to improve consistency [#81](https://github.com/ethyca/fides-helm/pull/81)
 
 ### Fixed
 
+- `test-connection` pod did not use security context defined in the values file [#80](https://github.com/ethyca/fides-helm/pull/80)
+
 ## [0.16.1](https://github.com/ethyca/fides-helm/compare/fides-0.15.0...fides-0.16.1)
 
 ### Added
+
 - Ability to set replica count for Fides Webservers and Fides Privacy Center [#79](https://github.com/ethyca/fides-helm/pull/79)
 
 ### Changed
-- Upgrade Fides version to [`2.48.1`](https://github.com/ethyca/fides/releases/tag/2.48.1) [#79](https://github.com/ethyca/fides-helm/pull/79)
 
-
-### Changed
+- Upgrade Fides version to [`2.48.1`](https://github.com/ethyca/fides/releases/tag/2.48.1) [#79](https://github.com/ethyca/fides-helm/pull/79)
 
 ## [0.15.1](https://github.com/ethyca/fides-helm/compare/fides-0.15.0...fides-0.15.1)
 
 ### Changed
+
 - Upgrade Fides version to [`2.36.0`](https://github.com/ethyca/fides/releases/tag/2.36.0) [#77](https://github.com/ethyca/fides-helm/pull/77)
 - Synchronize chart versions between `fides` and `fides-minimal` [#77](https://github.com/ethyca/fides-helm/pull/77)
 - Move CHANGELOG.md to root of directory [#77](https://github.com/ethyca/fides-helm/pull/77)
@@ -45,51 +59,62 @@ The types of changes are:
 ## [0.15.0](https://github.com/ethyca/fides-helm/compare/fides-0.14.1...fides-0.15.0)
 
 ### Changed
+
 - Upgrade Fides version to [`2.20.1`](https://github.com/ethyca/fides/releases/tag/2.20.1) [#73](https://github.com/ethyca/fides-helm/pull/73)
 - Allow Fides Worker resources to be allocated separately from Fides Webserver resources [#73](https://github.com/ethyca/fides-helm/pull/73)
 
 ## [0.14.1](https://github.com/ethyca/fides-helm/compare/fides-0.14.0...fides-0.14.1)
 
 ### Changed
+
 - Upgrade Fides version to [`2.19.1`](https://github.com/ethyca/fides/releases/tag/2.19.1) [#70](https://github.com/ethyca/fides-helm/pull/70)
 
 ## [0.14.0](https://github.com/ethyca/fides-helm/compare/fides-0.13.8...fides-0.14.0)
 
 ### Changed
+
 - **Breaking** Resources now specified at the fides and privacyCenter level. [#68](https://github.com/ethyca/fides-helm/pull/68)
 
 ## [0.13.8](https://github.com/ethyca/fides-helm/compare/fides-0.13.7...fides-0.13.8)
 
 ### Changed
+
 - Upgrade Fides version to [`2.18.0`](https://github.com/ethyca/fides/releases/tag/2.18.0) [#67](https://github.com/ethyca/fides-helm/pull/67)
+
 ## [0.13.7](https://github.com/ethyca/fides-helm/compare/fides-0.13.6...fides-0.13.7)
 
 ### Changed
+
 - Upgrade Fides version to [`2.17.1`](https://github.com/ethyca/fides/releases/tag/2.17.1) [#66](https://github.com/ethyca/fides-helm/pull/66)
 
 ## [0.13.6](https://github.com/ethyca/fides-helm/compare/fides-0.13.5...fides-0.13.6)
 
 ### Changed
+
 - Upgrade Fides version to [`2.17.0`](https://github.com/ethyca/fides/releases/tag/2.17.0) [#64](https://github.com/ethyca/fides-helm/pull/64)
 
 ## [0.13.5](https://github.com/ethyca/fides-helm/compare/fides-0.13.4...fides-0.13.5)
 
 ### Changed
+
 - Upgrade Fides version to [`2.16.0`](https://github.com/ethyca/fides/releases/tag/2.16.0) [#63](https://github.com/ethyca/fides-helm/pull/63)
 
 ## [0.13.4](https://github.com/ethyca/fides-helm/compare/fides-0.13.3...fides-0.13.4)
 
 ### Changed
+
 - Upgrade Fides version to [`2.15.1`](https://github.com/ethyca/fides/releases/tag/2.15.1) [#62](https://github.com/ethyca/fides-helm/pull/62)
 
 ## [0.13.3](https://github.com/ethyca/fides-helm/compare/fides-0.13.2...fides-0.13.3)
 
 ### Changed
+
 - Upgrade Fides version to [`2.15.0`](https://github.com/ethyca/fides/releases/tag/2.15.0) [#61](https://github.com/ethyca/fides-helm/pull/61)
 
 ## [0.13.2](https://github.com/ethyca/fides-helm/compare/fides-0.13.1...fides-0.13.2)
 
 ### Changed
+
 - Upgrade Fides version to [`2.14.2`](https://github.com/ethyca/fides/releases/tag/2.14.2) [#60](https://github.com/ethyca/fides-helm/pull/60)
 
 ## [0.13.1](https://github.com/ethyca/fides-helm/compare/fides-0.13.0...fides-0.13.1)
@@ -98,7 +123,6 @@ The types of changes are:
 
 ### Changed
 
-
 ## [0.13.0](https://github.com/ethyca/fides-helm/compare/fides-0.12.0...fides-0.13.0)
 
 ### Added
@@ -120,4 +144,3 @@ The types of changes are:
 ### Fixed
 
 - Fixed the `LivenessProbe` for the worker, following a code change in Fides [#56](https://github.com/ethyca/fides-helm/pull/56)
-

README.md

@@ -2,18 +2,20 @@
 
 This repository contains Helm charts and code examples to deploy [Fides](https://ethyca.github.io/fides).
 
-To use the charts in this repository, first add the chart repository with the following commands: 
+To use the charts in this repository, first add the chart repository with the following commands:
 
 ```sh
 helm repo add ethyca https://helm.ethyca.com
 ```
 
 ## Helm Charts
 
-* [Fides Helm Chart](./fides/) - Deploy Fides to Kubernetes
+- [Fides Helm Chart](./fides/) - Deploy Fides to Kubernetes
+- [Fides Minimal Helm Chart](./fides-minimal/) - Deploy Fides without lookups or other advanced features
 
 ## :balance_scale: License
+
 The [Fides](https://github.com/ethyca/fides) ecosystem of tools are licensed under the [Apache Software License Version 2.0](https://www.apache.org/licenses/LICENSE-2.0).
 Fides tools are built on [fideslang](https://github.com/ethyca/privacy-taxonomy), the Fides language specification, which is licensed under [CC by 4](https://github.com/ethyca/privacy-taxonomy/blob/main/LICENSE).
 
-Fides is created and sponsored by Ethyca: a developer tools company building the trust infrastructure of the internet. If you have questions or need assistance getting started, let us know at fides@ethyca.com!
+Fides is created and sponsored by Ethyca: a developer tools company building the trust infrastructure of the internet. If you have questions or need assistance getting started, let us know at fides@ethyca.com!

fides/Chart.yaml

@@ -1,7 +1,7 @@
 apiVersion: v2
 name: fides
-version: 0.16.1
-appVersion: "2.48.1"
+version: 0.17.0
+appVersion: "2.64.0"
 description: Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code.
 type: application
 keywords:

fides/config/privacyCenterConfig.json

@@ -64,4 +64,4 @@
       }
     ]
   }
-}
+}

fides/templates/NOTES.txt

@@ -11,4 +11,4 @@ For more information, check out the following resources:
   - Documentation and guides https://fid.es/docs
   - Configuration reference: https://fid.es/config
   - Slack community: https://fid.es/slack
-{{- end }}
+{{- end }}

fides/templates/_helpers.tpl

@@ -230,6 +230,10 @@ The set of environment variables for Fides and workers
       name: {{ .redisSecretName }}
       key: REDIS_PORT
 {{- end }}
+{{- if $.Values.fides.configuration.redisCaSecretName }}
+- name: FIDES__REDIS__SSL_CA_CERTS
+  value: {{ printf "%s/ca.crt" (include "fides.redisCaPath" $) }}
+{{- end }}
 - name: FIDES__REDIS__PASSWORD
   valueFrom:
     secretKeyRef:
@@ -243,6 +247,34 @@ The set of environment variables for Fides and workers
 {{- end }}
 {{- end }}
 
+{{/*
+Config volume name
+*/}}
+{{- define "fides.configVolume" -}}
+config
+{{- end }}
+
+{{/*
+Config path
+*/}}
+{{- define "fides.configPath" -}}
+/etc/fides/config
+{{- end }}
+
+{{/*
+Redis CA volume name
+*/}}
+{{- define "fides.redisCaVolume" -}}
+redis-ca
+{{- end }}
+
+{{/*
+Redis CA path
+*/}}
+{{- define "fides.redisCaPath" -}}
+/etc/fides/redis-ca
+{{- end }}
+
 {{/* User defined Fides secrets */}}
 {{- define "custom_fides_secrets" }}
   # Dynamically created secret envs

fides/templates/fides/fides-deployment.yaml

@@ -1,5 +1,4 @@
-{{- $volume := "config" }}
-{{- $configPath := "/etc/fides/config" }}
+
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -37,7 +36,7 @@ spec:
           imagePullPolicy: {{ .Values.fides.image.pullPolicy }}
           env:
             - name: FIDES__CONFIG_PATH
-              value: {{ printf "%s/fides.toml" $configPath }}
+              value: {{ printf "%s/fides.toml" (include "fides.configPath" .) }}
             {{- include "fides.env" . | nindent 12 }}
             {{- include "custom_fides_secrets" . | indent 10 }}
           envFrom:
@@ -66,14 +65,20 @@ spec:
             periodSeconds: 10
             timeoutSeconds: {{ .Values.fides.healthCheckTimeoutSeconds | default 5 }}
           volumeMounts:
-          - name: {{ $volume }}
-            mountPath: {{ $configPath }}
+          - name: {{ include "fides.configVolume" . }}
+            mountPath: {{ include "fides.configPath" . }}
+          - name: {{ include "fides.redisCaVolume" . }}
+            mountPath: {{ include "fides.redisCaPath" . }}
+            readOnly: true
           resources:
             {{- toYaml .Values.fides.resources | nindent 12 }}
       volumes:
-        - name: {{ $volume }}
+        - name: {{ include "fides.configVolume" . }}
           configMap:
             name: {{ include "fides.tomlConfigMapName" . }}
+        - name: {{ include "fides.redisCaVolume" . }}
+          secret:
+            secretName: {{ .Values.fides.configuration.redisCaSecretName }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

fides/templates/fides/fides-secrets.yaml

@@ -21,4 +21,4 @@ data:
   FIDES__SECURITY__OAUTH_ROOT_CLIENT_SECRET: {{ index $existing_secret.data "FIDES__SECURITY__OAUTH_ROOT_CLIENT_SECRET" }}
   FIDES__SECURITY__DRP_JWT_SECRET: {{ index $existing_secret.data "FIDES__SECURITY__DRP_JWT_SECRET" }}
   {{- end }}
-{{- end }}
+{{- end }}

fides/templates/fides/worker-config.yaml

@@ -28,4 +28,4 @@ data:
     [admin_ui]
 
     [notifications]
-{{- end }}
+{{- end }}

fides/templates/fides/worker-deployment.yaml

@@ -1,7 +1,5 @@
 {{- $_ := set $ "worker" ( ge (.Values.fides.workers.count | int) 1) }}
 {{- if $.worker }}
-{{- $volume := "config" }}
-{{- $configPath := "/etc/fides/config" }}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -41,7 +39,7 @@ spec:
           args: ["worker"]
           env:
             - name: FIDES__CONFIG_PATH
-              value: {{ printf "%s/fides.toml" $configPath }}
+              value: {{ printf "%s/fides.toml" (include "fides.configPath" .) }}
             {{- include "fides.env" . | nindent 12 }}
             {{- include "custom_fides_secrets" . | indent 10 }}
           envFrom:
@@ -62,14 +60,20 @@ spec:
             periodSeconds: 60
             timeoutSeconds: {{ .Values.fides.healthCheckTimeoutSeconds | default 5 }}
           volumeMounts:
-          - name: {{ $volume }}
-            mountPath: {{ $configPath }}
+          - name: {{ include "fides.configVolume" . }}
+            mountPath: {{ include "fides.configPath" . }}
+          - name: {{ include "fides.redisCaVolume" . }}
+            mountPath: {{ include "fides.redisCaPath" . }}
+            readOnly: true
           resources:
             {{- toYaml .Values.fides.workers.resources | nindent 12 }}
       volumes:
-        - name: {{ $volume }}
+        - name: {{ include "fides.configVolume" . }}
           configMap:
             name: {{ include "fides.worker.tomlConfigMapName" . }}
+        - name: {{ include "fides.redisCaVolume" . }}
+          secret:
+            secretName: {{ .Values.fides.configuration.redisCaSecretName }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

fides/templates/privacy-center/config.yaml

@@ -11,4 +11,4 @@ data:
 {{- $config := .Files.Get (default "config/privacyCenterConfig.json" .Values.privacyCenter.configuration.configJsonPath) | fromJson }}
 {{- $_ := set $config "server_url_production" ( printf "https://%s/api/v1" .Values.fides.publicHostname ) }}
 {{- $config  | toJson | toString | nindent 4 }}
-{{- end -}}
+{{- end -}}

fides/templates/s3/s3-bucket.yaml

@@ -29,4 +29,4 @@ spec:
 {{- else -}}
 {{- fail "ACK must be installed to manage S3 buckets. For more information, see README.md." -}}
 {{- end -}}
-{{- end -}}
+{{- end -}}

fides/values.yaml

@@ -16,6 +16,9 @@ fides:
     # This secret should have at least the following keys: REDIS_HOST, REDIS_PORT, REDIS_PASSWORD. This value is required if
     # the value of redis.deployRedis is false.
     redisSecretName: ""
+    # fides.configuration.redisCaSecretName is the name of the Kubernetes secret containing the Redis CA certificate.
+    # This secret should have at least the following keys: ca.crt. This value is required if the value of redis.deployRedis is true.
+    redisCaSecretName: ""
     # fides.configure.additionalEnvVar adds arbitrary environment variables to the Fides configuration, in addition to those set
     # by the Helm chart. See https://ethyca.github.io/fides/installation/configuration/ for all possible values.
     additionalEnvVars: