server - make gateway cert configurable

SAP · Nov 21, 2024 · 43c7bfe · 43c7bfe
1 parent bc5dbca
commit 43c7bfe
Show file tree

Hide file tree

Showing 5 changed files with 33 additions and 60 deletions.
diff --git a/chart/templates/server-deployment.yaml b/chart/templates/server-deployment.yaml
@@ -55,21 +55,9 @@ spec:
       topologySpreadConstraints:
         {{- toYaml . | nindent 8 }}
       {{- end }}
-      {{- if or .Values.subscriptionServer.volumes .Values.subscriptionServer.certManager.enabled }}
+      {{- with .Values.subscriptionServer.volumes }}
       volumes:
-        {{- with .Values.subscriptionServer.volumes }}
         {{- toYaml . | nindent 8 }}
-        {{- end }}
-        {{- if .Values.subscriptionServer.certManager.enabled }}
-        - name: ssl
-          secret:
-            secretName: {{.Release.Name}}-subscription-server-tls-managed
-            items:
-            - key: tls.key
-              path: tls.key
-            - key: tls.crt
-              path: tls.crt
-        {{- end }}
       {{- end }}
       containers:
         - name: server
@@ -81,24 +69,9 @@ spec:
           {{- end }}
           resources:
             {{- toYaml .Values.subscriptionServer.resources | nindent 12 }}
-          {{- if .Values.subscriptionServer.certManager.enabled }}
-          env:
-            - name: TLS_ENABLED
-              value: "true"
-            - name: TLS_KEY
-              value: "/app/etc/ssl/tls.key"
-            - name: TLS_CERT
-              value: "/app/etc/ssl/tls.crt"
-          {{- end }}
-          {{- if or .Values.subscriptionServer.volumeMounts .Values.subscriptionServer.certManager.enabled }}
+          {{- with .Values.subscriptionServer.volumeMounts }}
           volumeMounts:
-            {{- with .Values.subscriptionServer.volumeMounts }}
             {{- toYaml . | nindent 12 }}
-            {{- end }}
-            {{- if .Values.subscriptionServer.certManager.enabled }}
-            - name: ssl
-              mountPath: /app/etc/ssl
-            {{- end }}
           {{- end }}
           ports:
             - name: server-port

diff --git a/chart/templates/server-networking.yaml b/chart/templates/server-networking.yaml
@@ -1,4 +1,4 @@
-{{- if .Capabilities.APIVersions.Has "cert.gardener.cloud/v1alpha1" }}
+{{- if and (.Capabilities.APIVersions.Has "cert.gardener.cloud/v1alpha1") .Values.subscriptionServer.gardener.enabled }}
 ---
 apiVersion: cert.gardener.cloud/v1alpha1
 kind: Certificate
@@ -8,7 +8,14 @@ metadata:
 spec:
   commonName: {{.Values.subscriptionServer.domain}}
   secretName: {{.Release.Name}}-subscription-server
-{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }}
+  {{- if .Values.subscriptionServer.gardener.issuerName }}
+  issuerRef:
+    name: {{.Values.subscriptionServer.gardener.issuerName}}
+    {{- if .Values.subscriptionServer.gardener.issuerNamespace }}
+    namespace: {{.Values.subscriptionServer.gardener.issuerNamespace}}
+    {{- end }}
+  {{- end }}
+{{- else if and (.Capabilities.APIVersions.Has "cert-manager.io/v1") .Values.subscriptionServer.certManager.enabled }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -18,9 +25,20 @@ metadata:
 spec:
   commonName: {{.Values.subscriptionServer.domain}}
   secretName: {{.Release.Name}}-subscription-server
+  {{- if .Values.subscriptionServer.certManager.issuerName }}
+  issuerRef:
+    name: {{.Values.subscriptionServer.certManager.issuerName}}
+    {{- if .Values.subscriptionServer.certManager.issuerKind }}
+    kind: {{.Values.subscriptionServer.certManager.issuerKind}}
+    {{- end }}
+    {{- if .Values.subscriptionServer.certManager.issuerGroup }}
+    group: {{.Values.subscriptionServer.certManager.issuerGroup}}
+    {{- end }}
+  {{- else }}
   issuerRef:
     kind: ClusterIssuer
     name: cluster-ca
+  {{- end }}
 {{- end }}
 {{- if .Capabilities.APIVersions.Has "dns.gardener.cloud/v1alpha1" }}
 ---

diff --git a/chart/templates/server-tls.yaml b/chart/templates/server-tls.yaml
diff --git a/chart/templates/webhook-config.yaml b/chart/templates/webhook-config.yaml
@@ -17,7 +17,6 @@ spec:
   - {{.Release.Name}}-webhook.{{ .Release.Namespace }}
   - {{.Release.Name}}-webhook.{{ .Release.Namespace }}.svc
   - {{.Release.Name}}-webhook.{{ .Release.Namespace }}.svc.cluster.local
-  duration: 3650h
   issuerRef:
     {{- with .Values.webhook.certManager.issuerGroup }}
     group: {{ . }}

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -140,13 +140,21 @@ subscriptionServer:
   dnsTarget: public-ingress.clusters.cs.services.sap # replace with the actual cluster domain
   # -- The domain under which the cap operator subscription server would be available
   domain: cap-operator.clusters.cs.services.sap # replace with actual cluster domain
+  # -- Gardener
+  gardener:
+    # -- Whether to use gardener to manage server certificates
+    enabled: true
+    # -- Issuer name (only relevant if enabled is true)
+    issuerName: ""
+    # -- Issuer namespace (only relevant if enabled is true)
+    issuerNamespace: ""
   # -- Cert Manager
   certManager:
-    # -- Whether to use cert-manager to manage webhook tls
+    # -- Whether to use cert-manager to manage server certificates
     enabled: false
-    # -- Issuer name (only relevant if enabled is true)
+    # -- Issuer name (only relevant if enabled is true; if unset, 'cluster-ca' is used)
     issuerName: ""
-    # -- Issuer kind (only relevant if enabled is true)
+    # -- Issuer kind (only relevant if enabled is true; if unset, 'ClusterIssuer' is used)
     issuerKind: ""
     # -- Issuer group (only relevant if enabled is true)
     issuerGroup: ""