From 05b105b6524361897e83d64bc87a2880fa5ecdb3 Mon Sep 17 00:00:00 2001
From: Anders Nierhoff
Date: Tue, 13 Aug 2024 14:40:03 +0200
Subject: [PATCH] Adding support for creating secrets using certmanager
---
 README.md | 5 +++++
 README.md.tpl | 5 +++++
 templates/certificate.yaml | 37 +++++++++++++++++++++++++++++++++++++
 values.schema.json | 38 ++++++++++++++++++++++++++++++++++++++
 values.schema.json.tpl | 38 ++++++++++++++++++++++++++++++++++++++
 values.yaml | 11 +++++++++++
 6 files changed, 134 insertions(+)
 create mode 100644 templates/certificate.yaml
diff --git a/README.md b/README.md
index f40e994..cb31e6b 100644
--- a/README.md
+++ b/README.md
@@ -52,6 +52,11 @@ Configure your Infinispan cluster by specifying values in the `deploy.*` section
 | `deploy.securityContext` | Defines the securityContext settings used by the cluster's StatefulSet | `{}` | - |
 | `deploy.ssl.endpointSecretName` | Specifies the name of the secret that contains certificate for endpoint encryption | `""` | - |
 | `deploy.ssl.transportSecretName` | Specifies the name of the secret that contains certificate for transport encryption | `""` | - |
+| `deploy.ssl.certmanager.enabled` | Specifies if cert-manager should be used to issue certificates | `false` | - |
+| `deploy.ssl.certmanager.endpoint.enabled` | Switch to enable cert manager for creating secret endpointSecretName | `false` | - |
+| `deploy.ssl.certmanager.endpoint` | Cert manager specifications, like issueRef, commonName and others | `{}` | - |
+| `deploy.ssl.certmanager.transport.enabled` | Switch to enable cert manager for creating secret transportSecretName | `false` | - |
+| `deploy.ssl.certmanager.transport` | Cert manager specifications, like issueRef, commonName and others | `{}` | - |
 | `deploy.volumeMounts` | Add custome volume mounts to infinispan | `[]` | - |
 | `deploy.volumes` | Add custome volumes to infinispan | `[]` | - |
 | `deploy.infinispan` | Infinispan Server configuration. | - | You should not change the default socket bindings or the security realm and endpoints named "metrics". Modifying these default properties can result in unexpected behavior and loss of service. |
diff --git a/README.md.tpl b/README.md.tpl
index c6b6236..f3c5dd9 100644
--- a/README.md.tpl
+++ b/README.md.tpl
@@ -52,6 +52,11 @@ Configure your {brandname} cluster by specifying values in the `deploy.*` sectio
 | `deploy.securityContext` | Defines the securityContext settings used by the cluster's StatefulSet | `{}` | - |
 | `deploy.ssl.endpointSecretName` | Specifies the name of the secret that contains certificate for endpoint encryption | `""` | - |
 | `deploy.ssl.transportSecretName` | Specifies the name of the secret that contains certificate for transport encryption | `""` | - |
+| `deploy.ssl.certmanager.enabled` | Specifies if cert-manager should be used to issue certificates | `false` | - |
+| `deploy.ssl.certmanager.endpoint.enabled` | Switch to enable cert manager for creating secret endpointSecretName | `false` | - |
+| `deploy.ssl.certmanager.endpoint` | Cert manager specifications, like issueRef, commonName and others | `{}` | - |
+| `deploy.ssl.certmanager.transport.enabled` | Switch to enable cert manager for creating secret transportSecretName | `false` | - |
+| `deploy.ssl.certmanager.transport` | Cert manager specifications, like issueRef, commonName and others | `{}` | - |
 | `deploy.volumeMounts` | Add custome volume mounts to infinispan | `[]` | - |
 | `deploy.volumes` | Add custome volumes to infinispan | `[]` | - |
 | `deploy.infinispan` | {brandname} Server configuration. | - | You should not change the default socket bindings or the security realm and endpoints named "metrics". Modifying these default properties can result in unexpected behavior and loss of service. |
diff --git a/templates/certificate.yaml b/templates/certificate.yaml
new file mode 100644
index 0000000..9cbf6e1
--- /dev/null
+++ b/templates/certificate.yaml
@@ -0,0 +1,37 @@
+---
+{{- if and ( .Capabilities.APIVersions.Has "cert-manager.io/v1/Certificate" ) (.Values.deploy.ssl.certmanager.enabled) }}
+{{- if .Values.deploy.ssl.certmanager.endpoint.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ printf "%s-endpoint-cert" (include "infinispan-helm-charts.name" .) }}
+ annotations:
+ {{- include "infinispan-helm-charts.annotations" . | nindent 4 }}
+ labels:
+ app: infinispan-endpoint-cert
+ {{- include "infinispan-helm-charts.labels" . | nindent 4 }}
+spec:
+ secretName: {{ .Values.deploy.ssl.endpointSecretName }}
+ {{- with $_ := unset .Values.deploy.ssl.certmanager.endpoint "enabled" }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+{{- end }}
+
+---
+{{- if .Values.deploy.ssl.certmanager.transport.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ printf "%s-transport-cert" (include "infinispan-helm-charts.name" .) }}
+ annotations:
+ {{- include "infinispan-helm-charts.annotations" . | nindent 4 }}
+ labels:
+ app: infinispan-transport-cert
+ {{- include "infinispan-helm-charts.labels" . | nindent 4 }}
+spec:
+ secretName: {{ .Values.deploy.ssl.transportSecretName }}
+ {{- with $_ := unset .Values.deploy.ssl.certmanager.transport "enabled" }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+{{- end }}
+{{- end }}
diff --git a/values.schema.json b/values.schema.json
index d344332..d374a2f 100644
--- a/values.schema.json
+++ b/values.schema.json
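Review bot: The `.Capabilities.APIVersions.Has "cert-manager.io/v1/Certificate"` gate on the second line turns `deploy.ssl.certmanager.enabled: true` into a silent no-op whenever the CRD is not visible to Helm — on a cluster without cert-manager, and always under `helm template`/`--dry-run` unless `--api-versions` is passed — so the release presumably ends up referencing `endpointSecretName`/`transportSecretName` secrets that nothing will create, with no error to point at. Prefer to `fail` when the feature is enabled but the API is absent, and make the two `secretName:` lines reject the default `""` with `required` and pass the value through `quote` so a numeric or `yes`-like secret name is not reinterpreted by the YAML parser. `unset .Values.deploy.ssl.certmanager.endpoint "enabled"` also mutates the shared `.Values` map for the rest of the render; `omit` returns a copy and produces the same `toYaml` output. Note that when a user sets only `enabled: true`, the `with` over the now-empty map is skipped and the Certificate is emitted without an `issuerRef`, which cert-manager will reject — a `required` on `.issuerRef` would surface that at install time instead.

```yaml
{{- if .Values.deploy.ssl.certmanager.enabled }}
{{- if not (.Capabilities.APIVersions.Has "cert-manager.io/v1/Certificate") }}
{{- fail "deploy.ssl.certmanager.enabled is true but cert-manager.io/v1/Certificate is not available (for helm template pass --api-versions cert-manager.io/v1/Certificate)" }}
{{- end }}
{{- if .Values.deploy.ssl.certmanager.endpoint.enabled }}
# … unchanged: apiVersion, kind, metadata …
spec:
  secretName: {{ required "deploy.ssl.endpointSecretName must be set when deploy.ssl.certmanager.endpoint.enabled is true" .Values.deploy.ssl.endpointSecretName | quote }}
  {{- with omit .Values.deploy.ssl.certmanager.endpoint "enabled" }}
  {{- toYaml . | nindent 2 }}
  {{- end }}
{{- end }}
# … unchanged: the transport Certificate follows the same pattern with transportSecretName …
```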
@@ -195,6 +195,44 @@
 "string",
 "null"
 ]
+ },
+ "transportSecretName": {
+ "description": "Specifies the name of a secret that contains TLS certificate",
+ "type": [
+ "string",
+ "null"
+ ]
+ },
+ "certmanager": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Specifies the name of a secret that contains TLS certificate",
+ "type": "boolean"
+ },
+ "endpoint": {
+ "description": "Cert manager sepc",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Specify if certmanager should create the secret",
+ "type": "boolean"
+ }
+ },
+ "additionalProperties": true
+ },
+ "transport": {
+ "description": "Cert manager spec",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Specifies if certmanager should create the secret",
+ "type": "boolean"
+ }
+ },
+ "additionalProperties": true
+ }
+ }
 }
 }
 },
diff --git a/values.schema.json.tpl b/values.schema.json.tpl
index fe4b58b..bba10b3 100644
--- a/values.schema.json.tpl
+++ b/values.schema.json.tpl
@@ -195,6 +195,44 @@
 "string",
 "null"
 ]
+ },
+ "transportSecretName": {
+ "description": "Specifies the name of a secret that contains TLS certificate",
+ "type": [
+ "string",
+ "null"
+ ]
+ },
+ "certmanager": {
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Specifies the name of a secret that contains TLS certificate",
+ "type": "boolean"
+ },
+ "endpoint": {
+ "description": "Cert manager sepc",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Specify if certmanager should create the secret",
+ "type": "boolean"
+ }
+ },
+ "additionalProperties": true
+ },
+ "transport": {
+ "description": "Cert manager spec",
+ "type": "object",
+ "properties": {
+ "enabled": {
+ "description": "Specifies if certmanager should create the secret",
+ "type": "boolean"
+ }
+ },
+ "additionalProperties": true
+ }
+ }
 }
 }
 },
diff --git a/values.yaml b/values.yaml
index c29153c..9b0a4ef 100644
--- a/values.yaml
+++ b/values.yaml
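Review bot: The description of `certmanager.enabled` in the new `certmanager` object is copied from the secret-name field — "Specifies the name of a secret that contains TLS certificate" for a boolean — and `endpoint` is described as "Cert manager sepc"; suggest `"description": "Specifies if cert-manager should be used to issue the endpoint/transport certificates"` and `"description": "Cert manager spec"`. The `endpoint` and `transport` objects deliberately keep `"additionalProperties": true` so cert-manager `spec` fields pass through, which means the schema cannot catch typos inside them; the enclosing `certmanager` object has no such need and could close with `"additionalProperties": false` so a misspelled `endpoint`/`transport` key is rejected at install time instead of silently leaving the secret uncreated — assuming the rest of this schema follows that convention, which is outside the hunk. The same text is repeated verbatim in the `values.schema.json.tpl` hunk that follows (presumably the source the former is generated from) and needs the same fix there.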
@@ -115,6 +115,17 @@ deploy: ssl: endpointSecretName: "" transportSecretName: "" + certmanager: + enabled: false + endpoint: + enabled: false + # docs https://cert-manager.io/docs/usage/certificate/ + #issuerRef: + # name: selfsigned + # kind: ClusterIssuer + # commonName: 'example-infinispan' + transport: + enabled: false infinispan: cacheContainer:
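Review bot: The commented example under `endpoint` shows only an `issuerRef` and a `commonName`, which leaves a reader guessing what else the chart expects, and the README rows added in this commit spell the field `issueRef` while cert-manager and this example spell it `issuerRef` — the table should be corrected to match. Since this block is what users will copy, it is worth extending the example with the options practitioners usually set on a server certificate — `dnsNames` for the service hostnames, `duration`/`renewBefore`, and `privateKey: {rotationPolicy: Always}` — plus a comment that `secretName` is taken from `deploy.ssl.endpointSecretName` above and must be non-empty when `enabled` is true, e.g. `# secretName comes from deploy.ssl.endpointSecretName; set it when enabling this`. `transport` carries no example at all; mirroring the endpoint comment there would keep the two symmetric.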