centralcloud/oncall-engine
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
oncall-engine/engine/settings
History
Andre Buryndin d9c3d084be
feature: Hardening the Helm deployment with Redis and Postgres TLS (#3029) 
# What this PR does

Short summary: this PR improves security and configuration management
for Helm deployment. Please take a look at the details below.

## Which issue(s) this PR fixes

Issues:
- Cannot explicitly define redis database (only 0 and 1 numbers are
used)
- Cannot securely use TLS for Redis (cannot set CA certificate; cannot
set client certificates)
- Cannot securely use TLS for Postgres (cannot set CA certificate;
cannot set client certificates; cannot set `verify-full` validation)
- ~~Chart option `securityContext.readOnlyRootFilesystem: true` issues
CrashLoopBack pod state~~ will be moved to new PR

## Checklist

- [x] ~~Unit, integration, and e2e (if applicable) tests updated~~ (not
required)
- [x] Documentation added (or `pr:no public docs` PR label added if not
required)
- [x] `CHANGELOG.md` updated (or `pr:no changelog` PR label added if not
required)

- [x] Helm tests are fixed and updated
- [x] Manually verified the features:
  - [x] postgres TLS connection with `verify-full` validation
  - [x] redis TLS connection with `cert_required` validation
  - [x] redis protocol and database number controls
  - [x] all containers properly work in read-only root filesystem
- [x] all changes are backward compatible (doesn't break old
deployments)

## Changelog

- Fixed helm tests
- Added configuration options for secure TLS communication with
dependencies like Redis, MySQL, and Postgres
- ~~Added configuration option for relocating `celerybeat` database file
(read-only root filesystem issue)~~ will be moved to new PR
- Improved redis database configuration options
- Now only single redis database is used
- Added ability to mount custom volumes (with CA certificates, for
example) into Helm chart
- ~~Fixed issue with read-only root filesystem for Helm chart~~ will be
moved to new PR
- Add ability to work with Redis ACL (and AWS ElastiCache)
2023-10-03 09:25:28 -04:00
..
__init__.py World, meet OnCall! 2022-06-03 08:09:47 -06:00
base.py feature: Hardening the Helm deployment with Redis and Postgres TLS (#3029) 2023-10-03 09:25:28 -04:00
celery_task_routes.py Notify user when their shift swap request is taken (#2992) 2023-09-07 14:59:54 +00:00
ci-test.py remove shift swap feature flag (#2755) 2023-08-04 16:12:33 +02:00
dev.py continue addressing mypy violations (#2170) 2023-06-27 10:23:08 +00:00
helm.py Allow multiple database and celery broker types (#582) 2022-10-04 09:25:53 +01:00
hobby.py Allow multiple database and celery broker types (#582) 2022-10-04 09:25:53 +01:00
prod_without_db.py Test celery tasks have queue assignment (#2922) 2023-08-31 18:42:08 +00:00