Trillian: Add ability to specify custom storage system

Currently, the Trillian installation is hard-coded to use the mysql storage system. While this is mostly fine (it is the most common and used storage system for Trillian after all!), this makes it non trivial to try custom backends for Trillian. There is work on the way to introduce [a CockroachDB storage system for Trillian](google/trillian#2834). And, while this is currently not usable using the mainline Trillian image, it is possible to try out if one specifies a custom image for trillian. To enable this, some variables were introduced: * `storageSystem.driver`: defines the storage backend to use for both the log signer and the log server. Defaults to `mysql`. * `storageSystem.envCredentials`: is the kubernetes deployment definition of environment variables to aide the log signer in connecting to the desired database. When set to `null` it defaults to the environment variables used by MySQL: A values file that would take this work into use would look as follows: ```yaml storageSystem: driver: crdb envCredentials: - name: CRDB_USER valueFrom: secretKeyRef: name: mySecret key: crdb-user - name: CRDB_PASSWORD valueFrom: secretKeyRef: name: mySecret key: crdb-password - name: CRDB_HOST value: crdb.trillian.svc.cluster.local logServer: image: registry: ghcr.io repository: equinixmetal-security/trillian-log-server version: latest extraArgs: - "--crdb-uri=postgres://$(CRDB_USER):$(CRDB_PASSWORD)@$(CRDB_HOST):26257/" logSigner: image: registry: ghcr.io repository: equinixmetal-security/trillian-log-signer version: latest extraArgs: - "--crdb-uri=postgres://$(CRDB_USER):$(CRDB_PASSWORD)@$(CRDB_HOST):26257/" mysql: enabled: false ``` Signed-off-by: Juan Antonio Osorio <[email protected]>
JAORMX · Nov 17, 2022 · 7ef8acc · 7ef8acc
1 parent e1faa4e
commit 7ef8acc
Show file tree

Hide file tree

Showing 6 changed files with 55 additions and 42 deletions.
diff --git a/charts/trillian/README.md b/charts/trillian/README.md
@@ -2,7 +2,7 @@
 
 <!-- This README.md is generated. Please edit README.md.gotmpl -->
 
-![Version: 0.1.12](https://img.shields.io/badge/Version-0.1.12-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
+![Version: 0.1.13](https://img.shields.io/badge/Version-0.1.13-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 Trillian is a log that stores an accurate, immutable and verifiable history of activity.
 
@@ -167,3 +167,5 @@ helm uninstall [RELEASE_NAME]
 | mysql.strategy.type | string | `"Recreate"` |  |
 | namespace.create | bool | `false` |  |
 | namespace.name | string | `"trillian-system"` |  |
+| storageSystem.driver | string | `"mysql"` |  |
+| storageSystem.envCredentials | string | `nil` |  |
diff --git a/charts/trillian/templates/_helpers.tpl b/charts/trillian/templates/_helpers.tpl
@@ -23,6 +23,13 @@ If release name contains chart name it will be used as a full name.
 {{- end }}
 {{- end }}
 
+{{/*
+Return the 
+*/}}
+{{- define "trillian.storageSystem" -}}
+{{- default "mysql" .Values.storageSystem.driver }}
+{{- end -}}
+
 {{/*
 Return the hostname for mysql
 */}}
@@ -173,8 +180,10 @@ Create the name of the service account to use for the Trillian Log Signer compon
 Log Server Arguments
 */}}
 {{- define "trillian.logServer.args" -}}
-- "--storage_system=mysql"
+- {{ printf "--storage_system=%s" (include "trillian.storageSystem" .) | quote }}
+{{- if eq (include "trillian.storageSystem" .) "mysql" }}
 - "--mysql_uri=$(MYSQL_USER):$(MYSQL_PASSWORD)@tcp($(MYSQL_HOSTNAME):$(MYSQL_PORT))/$(MYSQL_DATABASE)"
+{{- end }}
 - {{ printf "--rpc_endpoint=0.0.0.0:%d" (.Values.logServer.portRPC | int) | quote }}
 - {{ printf "--http_endpoint=0.0.0.0:%d" (.Values.logServer.portHTTP | int) | quote }}
 - "--alsologtostderr"
@@ -187,8 +196,10 @@ Log Server Arguments
 Log Signer Arguments
 */}}
 {{- define "trillian.logSigner.args" -}}
-- "--storage_system=mysql"
+- {{ printf "--storage_system=%s" (include "trillian.storageSystem" .) | quote }}
+{{- if eq (include "trillian.storageSystem" .) "mysql" }}
 - "--mysql_uri=$(MYSQL_USER):$(MYSQL_PASSWORD)@tcp($(MYSQL_HOSTNAME):$(MYSQL_PORT))/$(MYSQL_DATABASE)"
+{{- end }}
 - {{ printf "--rpc_endpoint=0.0.0.0:%d" (.Values.logSigner.portRPC | int) | quote }}
 - {{ printf "--http_endpoint=0.0.0.0:%d" (.Values.logSigner.portHTTP | int) | quote }}
 - {{ printf "--force_master=%t" (default true .Values.logSigner.forceMaster) | quote }}
@@ -311,3 +322,32 @@ Create Container Ports based on Service Ports
   protocol: {{ default "TCP" .protocol }}
 {{- end -}}
 {{- end -}}
+
+{{/*
+Place default environment credentials setup
+*/}}
+{{- define "trillian.storageSystem.envCredentials" -}}
+{{- if .Values.storageSystem.envCredentials }}
+{{ toYaml .Values.storageSystem.envCredentials }}
+{{- else }}
+- name: MYSQL_USER
+  valueFrom:
+    secretKeyRef:
+        name: {{ template "mysql.secretName" . }}
+        key: mysql-user
+- name: MYSQL_PASSWORD
+  valueFrom:
+    secretKeyRef:
+        name: {{ template "mysql.secretName" . }}
+        key: mysql-password
+- name: MYSQL_DATABASE
+  valueFrom:
+    secretKeyRef:
+        name: {{ template "mysql.secretName" . }}
+        key: mysql-database
+- name: MYSQL_HOSTNAME
+  value: {{ template "mysql.hostname" . }}
+- name: MYSQL_PORT
+  value: {{ .Values.mysql.port | quote }}
+{{- end }}
+{{- end -}}
diff --git a/charts/trillian/templates/trillian-log-server/deployment.yaml b/charts/trillian/templates/trillian-log-server/deployment.yaml
@@ -68,25 +68,7 @@ spec:
           args:
 {{  include "trillian.logServer.args" . | indent 12 }}
           env:
-            - name: MYSQL_USER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mysql.secretName" . }}
-                  key: mysql-user
-            - name: MYSQL_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mysql.secretName" . }}
-                  key: mysql-password
-            - name: MYSQL_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mysql.secretName" . }}
-                  key: mysql-database
-            - name: MYSQL_HOSTNAME
-              value: {{ template "mysql.hostname" . }}
-            - name: MYSQL_PORT
-              value: {{ .Values.mysql.port | quote }}
+{{- include "trillian.storageSystem.envCredentials" . | indent 12}}
           ports:
 {{- include "trillian.containerPorts" .Values.logServer.service.ports | indent 12 }}
 {{- if .Values.logServer.livenessProbe }}

diff --git a/charts/trillian/templates/trillian-log-signer/deployment.yaml b/charts/trillian/templates/trillian-log-signer/deployment.yaml
@@ -68,25 +68,7 @@ spec:
           args:
 {{  include "trillian.logSigner.args" . | indent 12 }}
           env:
-            - name: MYSQL_USER
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mysql.secretName" . }}
-                  key: mysql-user
-            - name: MYSQL_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mysql.secretName" . }}
-                  key: mysql-password
-            - name: MYSQL_DATABASE
-              valueFrom:
-                secretKeyRef:
-                  name: {{ template "mysql.secretName" . }}
-                  key: mysql-database
-            - name: MYSQL_HOSTNAME
-              value: {{ template "mysql.hostname" . }}
-            - name: MYSQL_PORT
-              value: {{ .Values.mysql.port | quote }}
+{{- include "trillian.storageSystem.envCredentials" . | indent 12}}
           ports:
 {{- include "trillian.containerPorts" .Values.logSigner.service.ports | indent 12 }}
 {{- if .Values.logSigner.livenessProbe }}

diff --git a/charts/trillian/values.schema.json b/charts/trillian/values.schema.json
@@ -195,5 +195,9 @@
             "annotations": {}
         }
     },
-    "forceNamespace": ""
+    "forceNamespace": "",
+    "storageSystem": {
+        "driver": "mysql",
+        "envCredentials": null
+    }
 }
diff --git a/charts/trillian/values.yaml b/charts/trillian/values.yaml
@@ -15,6 +15,9 @@ initContainerImage:
     version: "sha256:7d921b6d368fb1736cb0832c6f57e426c161593c075847af3378eb3185801cea"
     imagePullPolicy: IfNotPresent
 
+storageSystem:
+  driver: mysql
+  envCredentials: null
 mysql:
   gcp:
     enabled: false