Adding support for creating secrets using certmanager

infinispan · Aug 13, 2024 · 05b105b · 05b105b
1 parent 7476e04
commit 05b105b
Show file tree

Hide file tree

Showing 6 changed files with 134 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -52,6 +52,11 @@ Configure your Infinispan cluster by specifying values in the `deploy.*` section
 | `deploy.securityContext` | Defines the securityContext settings used by the cluster's StatefulSet | `{}` | - |
 | `deploy.ssl.endpointSecretName` | Specifies the name of the secret that contains certificate for endpoint encryption | `""` | - |
 | `deploy.ssl.transportSecretName` | Specifies the name of the secret that contains certificate for transport encryption | `""` | - |
+| `deploy.ssl.certmanager.enabled` | Specifies if cert-manager should be used to issue certificates | `false` | - |
+| `deploy.ssl.certmanager.endpoint.enabled` | Switch to enable cert manager for creating secret endpointSecretName | `false` | - |
+| `deploy.ssl.certmanager.endpoint` | Cert manager specifications, like issueRef, commonName and others | `{}` | - |
+| `deploy.ssl.certmanager.transport.enabled` | Switch to enable cert manager for creating secret transportSecretName | `false` | - |
+| `deploy.ssl.certmanager.transport` | Cert manager specifications, like issueRef, commonName and others | `{}` | - |
 | `deploy.volumeMounts` | Add custome volume mounts to infinispan | `[]` | - |
 | `deploy.volumes` | Add custome volumes to infinispan | `[]` | - |
 | `deploy.infinispan` | Infinispan Server configuration. | - | You should not change the default socket bindings or the security realm and endpoints named "metrics". Modifying these default properties can result in unexpected behavior and loss of service. |
diff --git a/README.md.tpl b/README.md.tpl
@@ -52,6 +52,11 @@ Configure your {brandname} cluster by specifying values in the `deploy.*` sectio
 | `deploy.securityContext` | Defines the securityContext settings used by the cluster's StatefulSet | `{}` | - |
 | `deploy.ssl.endpointSecretName` | Specifies the name of the secret that contains certificate for endpoint encryption | `""` | - |
 | `deploy.ssl.transportSecretName` | Specifies the name of the secret that contains certificate for transport encryption | `""` | - |
+| `deploy.ssl.certmanager.enabled` | Specifies if cert-manager should be used to issue certificates | `false` | - |
+| `deploy.ssl.certmanager.endpoint.enabled` | Switch to enable cert manager for creating secret endpointSecretName | `false` | - |
+| `deploy.ssl.certmanager.endpoint` | Cert manager specifications, like issueRef, commonName and others | `{}` | - |
+| `deploy.ssl.certmanager.transport.enabled` | Switch to enable cert manager for creating secret transportSecretName | `false` | - |
+| `deploy.ssl.certmanager.transport` | Cert manager specifications, like issueRef, commonName and others | `{}` | - |
 | `deploy.volumeMounts` | Add custome volume mounts to infinispan | `[]` | - |
 | `deploy.volumes` | Add custome volumes to infinispan | `[]` | - |
 | `deploy.infinispan` | {brandname} Server configuration. | - | You should not change the default socket bindings or the security realm and endpoints named "metrics". Modifying these default properties can result in unexpected behavior and loss of service. |
diff --git a/templates/certificate.yaml b/templates/certificate.yaml
@@ -0,0 +1,37 @@
+---
+{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1/Certificate" ) (.Values.deploy.ssl.certmanager.enabled) }}
+{{- if .Values.deploy.ssl.certmanager.endpoint.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ printf "%s-endpoint-cert" (include "infinispan-helm-charts.name" .) }}
+  annotations:
+    {{- include "infinispan-helm-charts.annotations" . | nindent 4 }}
+  labels:
+    app: infinispan-endpoint-cert
+    {{- include "infinispan-helm-charts.labels" . | nindent 4 }}
+spec:
+  secretName: {{ .Values.deploy.ssl.endpointSecretName }}
+  {{- with $_ := unset .Values.deploy.ssl.certmanager.endpoint "enabled" }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
+
+---
+{{- if .Values.deploy.ssl.certmanager.transport.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ printf "%s-transport-cert" (include "infinispan-helm-charts.name" .) }}
+  annotations:
+    {{- include "infinispan-helm-charts.annotations" . | nindent 4 }}
+  labels:
+    app: infinispan-transport-cert
+    {{- include "infinispan-helm-charts.labels" . | nindent 4 }}
+spec:
+  secretName: {{ .Values.deploy.ssl.transportSecretName }}
+  {{- with $_ := unset .Values.deploy.ssl.certmanager.transport "enabled" }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
+{{- end }}
+{{- end }}
diff --git a/values.schema.json b/values.schema.json
@@ -195,6 +195,44 @@
                               "string",
                               "null"
                           ]
+                      },
+                      "transportSecretName": {
+                          "description": "Specifies the name of a secret that contains TLS certificate",
+                          "type": [
+                              "string",
+                              "null"
+                          ]
+                      },
+                      "certmanager": {
+                          "type": "object",
+                          "properties": {
+                            "enabled": {
+                                "description": "Specifies the name of a secret that contains TLS certificate",
+                                "type": "boolean"
+                            },
+                            "endpoint": {
+                                "description": "Cert manager sepc",
+                                "type": "object",
+                                "properties": {
+                                    "enabled": {
+                                        "description": "Specify if certmanager should create the secret",
+                                        "type": "boolean"
+                                    }
+                                },
+                                "additionalProperties": true
+                            },
+                            "transport": {
+                                "description": "Cert manager spec",
+                                "type": "object",
+                                "properties": {
+                                    "enabled": {
+                                        "description": "Specifies if certmanager should create the secret",
+                                        "type": "boolean"
+                                    }
+                                },
+                                "additionalProperties": true
+                            }
+                          }
                       }
                      }
                   },

diff --git a/values.schema.json.tpl b/values.schema.json.tpl
@@ -195,6 +195,44 @@
                               "string",
                               "null"
                           ]
+                      },
+                      "transportSecretName": {
+                          "description": "Specifies the name of a secret that contains TLS certificate",
+                          "type": [
+                              "string",
+                              "null"
+                          ]
+                      },
+                      "certmanager": {
+                          "type": "object",
+                          "properties": {
+                            "enabled": {
+                                "description": "Specifies the name of a secret that contains TLS certificate",
+                                "type": "boolean"
+                            },
+                            "endpoint": {
+                                "description": "Cert manager sepc",
+                                "type": "object",
+                                "properties": {
+                                    "enabled": {
+                                        "description": "Specify if certmanager should create the secret",
+                                        "type": "boolean"
+                                    }
+                                },
+                                "additionalProperties": true
+                            },
+                            "transport": {
+                                "description": "Cert manager spec",
+                                "type": "object",
+                                "properties": {
+                                    "enabled": {
+                                        "description": "Specifies if certmanager should create the secret",
+                                        "type": "boolean"
+                                    }
+                                },
+                                "additionalProperties": true
+                            }
+                          }
                       }
                      }
                   },

diff --git a/values.yaml b/values.yaml
@@ -115,6 +115,17 @@ deploy:
   ssl:
     endpointSecretName: ""
     transportSecretName: ""
+    certmanager:
+      enabled: false
+      endpoint:
+        enabled: false
+        # docs https://cert-manager.io/docs/usage/certificate/
+        #issuerRef:
+        #  name: selfsigned
+        #  kind: ClusterIssuer
+        # commonName: 'example-infinispan'
+      transport:
+        enabled: false
 
   infinispan:
     cacheContainer: