feat: mtls enable

[ianchen0119]

No description provided.

[Copilot]

Pull request overview

Adds Helm-chart support for enabling mutual TLS between the Manager/Scheduler clients and the DM sidecar server, including chart values, Secrets, and deployment wiring.

Changes:

• Introduces mtls.* values, a helper for selecting an existing vs chart-managed Secret, and a new template to render mTLS-related Secrets.
• Wires mTLS env vars into the Manager + DM sidecar containers, and switches sidecar probes to TCP when mTLS is enabled.
• Documents mTLS usage and adds a certificate generation script (plus adds certificate files).

Reviewed changes

Copilot reviewed 16 out of 16 changed files in this pull request and generated 9 comments.

Show a summary per file

File	Description
gthulhu/values.yaml	Adds default mtls configuration block and parameters (including existingSecret and serverName).
gthulhu/values-production.yaml	Enables mTLS in “production” values and adjusts image settings.
gthulhu/templates/mtls-secret.yaml	Adds chart-managed mTLS cert Secret and a scheduler config overlay Secret for mTLS.
gthulhu/templates/deployment.yaml	Injects mTLS env vars, sets scheduler-sidecar subdomain, and adjusts probes/volumes for mTLS mode.
gthulhu/templates/configmap.yaml	Marks scheduler ConfigMap immutable.
gthulhu/templates/_helpers.tpl	Adds gthulhu.mtlsSecretName helper to support existingSecret.
gthulhu/gen-mtls-certs.sh	Adds helper script to generate CA + leaf certs for mTLS.
gthulhu/certs/ca.crt	Adds a CA certificate file.
gthulhu/certs/ca.key	Adds a CA private key file.
gthulhu/certs/dm.crt	Adds a DM server certificate file.
gthulhu/certs/dm.key	Adds a DM private key file.
gthulhu/certs/manager.crt	Adds a manager client certificate file.
gthulhu/certs/manager.key	Adds a manager private key file.
gthulhu/README.md	Adds extensive mTLS documentation, setup, and rotation notes.
gthulhu/.helmignore	Ignores generated certs and the generation script from Helm packaging.
README.md	Updates install instructions to enable mTLS and provide certs via --set-file.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This file contains a private key committed into the repository. Even if Helm packaging ignores it, storing private keys in git is a security risk (and should be treated as compromised). Remove it from the repo, add an appropriate .gitignore rule, and rotate/regenerate any certificates that were created from this key.

Suggested change

	-----BEGIN EC PRIVATE KEY-----
	MHcCAQEEIMEPRqDJaZ1/86TCIOWL9TxxIbh/y+LJPi7IUj7nZ1BooAoGCCqGSM49
	AwEHoUQDQgAEI9rucwma2o8H2eLPg+DLOlMqxEYprOWqFw6xdWrNt6FYcRpbvPeO
	1R75ef86pmQzdIt8N87kvRpk1UMsXW8Mcg==
	-----END EC PRIVATE KEY-----
	# Private key removed from source control.
	#
	# A valid EC private key must be provided securely at deploy/runtime,
	# for example via a secret manager, environment variable, or mounted
	# secret volume. Do NOT commit private keys to this repository.

[Copilot]

This file contains a private key committed into the repository. Even if Helm packaging ignores it, storing private keys in git is a security risk (and should be treated as compromised). Remove it from the repo, add an appropriate .gitignore rule, and rotate/regenerate any certificates that were created from this key.

Suggested change

	-----BEGIN EC PRIVATE KEY-----
	MHcCAQEEIMb/LITD2EAFHDfryINaeuh/cVgLDac36J4weDztgkOyoAoGCCqGSM49
	AwEHoUQDQgAEc6EOY5fjmiO/ffE3yHcQBnDINRAE1GiBk0xceRny/6dELBcWO48T
	bSXw4uu6YD3zczk2gq5jKKSFM8WUUmSxVQ==
	-----END EC PRIVATE KEY-----
	# Private key removed from repository.
	# This file is intentionally left without key material.
	# A valid EC private key for the manager component must be generated
	# and provided securely at deployment time (for example via a secret
	# management system or deployment pipeline), and this path should not
	# be committed to version control.

[Copilot]

mtls.existingSecret is documented and is honored by gthulhu.mtlsSecretName for Manager/DM env vars, but the scheduler mTLS overlay Secret inlines cert/key material only from .Values.mtls.*. If a user sets mtls.existingSecret without also duplicating PEMs into values, the scheduler will render an mTLS config with empty certs and fail to authenticate. Consider either (a) disabling this overlay when mtls.existingSecret is set and mounting the existing Secret into the scheduler, or (b) clearly documenting that existingSecret is not supported for the scheduler config unless certs are also provided via values.

[Copilot]

Setting the scheduler ConfigMap to immutable: true will cause helm upgrade to fail on any future config changes (including non-mTLS changes) unless users remember to use --force. If immutability is only needed to protect embedded private key material, consider making immutability conditional (e.g., only for the mTLS Secret) or gated behind a value flag so upgrades remain smooth by default.

Suggested change

	app.kubernetes.io/component: scheduler
	immutable: true
	app.kubernetes.io/component: scheduler
	{{- if .Values.scheduler.configMapImmutable }}
	immutable: true
	{{- end }}

[Copilot]

These 'production' values point the sidecar image repository at a localhost registry (127.0.0.1:32000), which is unlikely to exist in a real production cluster and contradicts the file header comment about using ghcr.io/gthulhu. Consider reverting to the published registry image (or renaming this file to reflect that it is for local/dev registries).

Suggested change

	repository: 127.0.0.1:32000/gthulhu-api
	repository: ghcr.io/gthulhu/gthulhu-api

[Copilot]

These 'production' values point the manager image repository at a localhost registry (127.0.0.1:32000), which is unlikely to exist in a real production cluster and contradicts the file header comment about using ghcr.io/gthulhu. Consider reverting to the published registry image (or renaming this file to reflect that it is for local/dev registries).

[Copilot]

.helmignore excludes gen-mtls-certs.sh, but gthulhu/README.md instructs users to run ./gen-mtls-certs.sh from the chart directory. If this chart is packaged/distributed, the script won't be present and the docs won't work. Either include the script in packaged charts (remove it from .helmignore) or adjust the README to point to an external location for the script.

Suggested change

gen-mtls-certs.sh

[Copilot]

This file contains a private key committed into the repository. Even if Helm packaging ignores it, storing private keys in git is a security risk (and should be treated as compromised). Remove it from the repo, add an appropriate .gitignore rule, and rotate/regenerate any certificates that were created from this key.

Suggested change

	-----BEGIN EC PRIVATE KEY-----
	MHcCAQEEIIzkO4hC30h7tkNNeCt/NUej6NYWubQ1N6D7vef8uX9yoAoGCCqGSM49
	AwEHoUQDQgAEsrU+DZyBpiuB5pvSuS/fbOGckLlwTC73mkQ7hnWwDnA/q+baN77P
	VtoVZrGNwxxgD0FAhzdrkRAf2jfEuTiqfg==
	-----END EC PRIVATE KEY-----
	# Private key removed.
	#
	# A CA/private key must NOT be committed to version control.
	# Generate and manage this key securely (for example, via a secrets manager
	# or deployment-time configuration), and ensure gthulhu/certs/ca.key (or
	# matching patterns such as *.key) are listed in .gitignore.

[Copilot]

The top-level install example uses --set-file mtls.*=certs/*.crt|*.key without explicitly instructing users to generate fresh certificates, and the repository currently ships example certs/keys under gthulhu/certs. This makes it easy for operators to accidentally deploy with publicly-known test keys, which completely undermines mTLS authentication and allows impersonation of both clients and servers. Update this example to clearly require running ./gen-mtls-certs.sh (or supplying custom certs) and avoid shipping reusable private keys in the repo so that no default, shared credentials exist.

Suggested change

	$ cd gthulhu
	$ cd gthulhu
	$ ./gen-mtls-certs.sh # or provide your own mTLS certificates; never reuse example keys from the repository