From 43c7bfeaa690b773fe5b4fde721dd52baceb2da6 Mon Sep 17 00:00:00 2001
From: i325261
Date: Thu, 21 Nov 2024 14:47:39 +0100
Subject: [PATCH] server - make gateway cert configurable
---
 chart/templates/server-deployment.yaml | 31 ++------------------------
 chart/templates/server-networking.yaml | 22 ++++++++++++++++--
 chart/templates/server-tls.yaml | 25 ---------------------
 chart/templates/webhook-config.yaml | 1 -
 chart/values.yaml | 14 +++++++++---
 5 files changed, 33 insertions(+), 60 deletions(-)
 delete mode 100644 chart/templates/server-tls.yaml
diff --git a/chart/templates/server-deployment.yaml b/chart/templates/server-deployment.yaml
index e3f3095..0a20272 100644
--- a/chart/templates/server-deployment.yaml
+++ b/chart/templates/server-deployment.yaml
@@ -55,21 +55,9 @@ spec:
 topologySpreadConstraints:
 {{- toYaml . | nindent 8 }}
 {{- end }}
- {{- if or .Values.subscriptionServer.volumes .Values.subscriptionServer.certManager.enabled }}
+ {{- with .Values.subscriptionServer.volumes }}
 volumes:
- {{- with .Values.subscriptionServer.volumes }}
 {{- toYaml . | nindent 8 }}
- {{- end }}
- {{- if .Values.subscriptionServer.certManager.enabled }}
- - name: ssl
- secret:
- secretName: {{.Release.Name}}-subscription-server-tls-managed
- items:
- - key: tls.key
- path: tls.key
- - key: tls.crt
- path: tls.crt
- {{- end }}
 {{- end }}
 containers:
 - name: server
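Review bot: Existing releases that set `subscriptionServer.certManager.enabled: true` will silently stop terminating TLS inside the server pod after this upgrade: the `ssl` secret volume is dropped in this hunk, the `TLS_ENABLED`/`TLS_KEY`/`TLS_CERT` env and the `/app/etc/ssl` mount are dropped in the next hunk, and the same values key now only selects which gateway Certificate server-networking.yaml renders, so the container listens in plaintext behind the gateway. Neither the commit message nor the values.yaml hunk records that an existing key has been repurposed this way. I would extend the values.yaml comment on `certManager.enabled` with a line such as `# NOTE: the certificate is issued for the gateway; the server container itself no longer terminates TLS`, and state in the chart docs what is assumed to protect the gateway-to-pod hop (mesh, network policy, or accepted as cluster-internal). The enclosing `spec:` block starts and ends outside this hunk.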
@@ -81,24 +69,9 @@ spec:
 {{- end }}
 resources:
 {{- toYaml .Values.subscriptionServer.resources | nindent 12 }}
- {{- if .Values.subscriptionServer.certManager.enabled }}
- env:
- - name: TLS_ENABLED
- value: "true"
- - name: TLS_KEY
- value: "/app/etc/ssl/tls.key"
- - name: TLS_CERT
- value: "/app/etc/ssl/tls.crt"
- {{- end }}
- {{- if or .Values.subscriptionServer.volumeMounts .Values.subscriptionServer.certManager.enabled }}
+ {{- with .Values.subscriptionServer.volumeMounts }}
 volumeMounts:
- {{- with .Values.subscriptionServer.volumeMounts }}
 {{- toYaml . | nindent 12 }}
- {{- end }}
- {{- if .Values.subscriptionServer.certManager.enabled }}
- - name: ssl
- mountPath: /app/etc/ssl
- {{- end }}
 {{- end }}
 ports:
 - name: server-port
diff --git a/chart/templates/server-networking.yaml b/chart/templates/server-networking.yaml
index c9d24ef..21c2adb 100644
--- a/chart/templates/server-networking.yaml
+++ b/chart/templates/server-networking.yaml
@@ -1,4 +1,4 @@
-{{- if .Capabilities.APIVersions.Has "cert.gardener.cloud/v1alpha1" }}
+{{- if and (.Capabilities.APIVersions.Has "cert.gardener.cloud/v1alpha1") .Values.subscriptionServer.gardener.enabled }}
 ---
 apiVersion: cert.gardener.cloud/v1alpha1
 kind: Certificate
@@ -8,7 +8,14 @@ metadata:
 spec:
 commonName: {{.Values.subscriptionServer.domain}}
 secretName: {{.Release.Name}}-subscription-server
-{{- else if .Capabilities.APIVersions.Has "cert-manager.io/v1" }}
+ {{- if .Values.subscriptionServer.gardener.issuerName }}
+ issuerRef:
+ name: {{.Values.subscriptionServer.gardener.issuerName}}
+ {{- if .Values.subscriptionServer.gardener.issuerNamespace }}
+ namespace: {{.Values.subscriptionServer.gardener.issuerNamespace}}
+ {{- end }}
+ {{- end }}
+{{- else if and (.Capabilities.APIVersions.Has "cert-manager.io/v1") .Values.subscriptionServer.certManager.enabled }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
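Review bot: With the defaults introduced in this commit's values.yaml (`gardener.enabled: true`, `certManager.enabled: false`), a cluster that has cert-manager but not the Gardener certificate CRD now renders no Certificate at all, because the `else if` on the last added line of this hunk is additionally gated on `certManager.enabled`; before this change cert-manager was picked up automatically as the fallback. If the gateway secret `{{.Release.Name}}-subscription-server` is then meant to be pre-provisioned by the operator, that requirement is undocumented; if it is not, a closing `{{- else }}` branch with `{{ fail "no certificate provider enabled for the subscription server" }}` would surface the misconfiguration at install time rather than as a gateway without a valid certificate. The `if`/`else if` chain opened here closes outside the hunk.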
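Review bot: `gardener.issuerNamespace` is silently ignored when `gardener.issuerName` is empty, because the added `namespace:` line sits inside the `issuerName` guard in this hunk; a user who sets only the namespace gets the default issuer with no feedback. The matching values.yaml comment `# -- Issuer namespace (only relevant if enabled is true)` should read `# -- Issuer namespace (only used together with issuerName)`, or the template should reject the combination with `{{ fail "gardener.issuerNamespace requires gardener.issuerName" }}`. The cert-manager branch that the last added line opens continues outside the hunk.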
@@ -18,9 +25,20 @@ metadata:
 spec:
 commonName: {{.Values.subscriptionServer.domain}}
 secretName: {{.Release.Name}}-subscription-server
+ {{- if .Values.subscriptionServer.certManager.issuerName }}
+ issuerRef:
+ name: {{.Values.subscriptionServer.certManager.issuerName}}
+ {{- if .Values.subscriptionServer.certManager.issuerKind }}
+ kind: {{.Values.subscriptionServer.certManager.issuerKind}}
+ {{- end }}
+ {{- if .Values.subscriptionServer.certManager.issuerGroup }}
+ group: {{.Values.subscriptionServer.certManager.issuerGroup}}
+ {{- end }}
+ {{- else }}
 issuerRef:
 kind: ClusterIssuer
 name: cluster-ca
+ {{- end }}
 {{- end }}
 {{- if .Capabilities.APIVersions.Has "dns.gardener.cloud/v1alpha1" }}
 ---
diff --git a/chart/templates/server-tls.yaml b/chart/templates/server-tls.yaml
deleted file mode 100644
index b09f682..0000000
--- a/chart/templates/server-tls.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-{{- if and (gt (int .Values.subscriptionServer.replicas) 0) .Values.subscriptionServer.certManager.enabled }}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: {{.Release.Name}}-subscription-server-cert
- labels:
- operator.sme.sap.com/app: subscription-server
- operator.sme.sap.com/category: controller
- operator.sme.sap.com/release: {{.Release.Name}}
-spec:
- commonName: {{.Values.subscriptionServer.domain}}
- duration: 3650h
- issuerRef:
- {{- with .Values.subscriptionServer.certManager.issuerGroup }}
- group: {{ . }}
- {{- end }}
- {{- with .Values.subscriptionServer.certManager.issuerKind }}
- kind: {{ . }}
- {{- end }}
- {{- with .Values.subscriptionServer.certManager.issuerName }}
- name: {{ . }}
- {{- end }}
- secretName: {{.Release.Name}}-subscription-server-tls-managed
-{{- end }}
diff --git a/chart/templates/webhook-config.yaml b/chart/templates/webhook-config.yaml
index ce67827..7dfbf6a 100644
--- a/chart/templates/webhook-config.yaml
+++ b/chart/templates/webhook-config.yaml
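Review bot: When `certManager.issuerName` is set but `certManager.issuerKind` is left empty, this hunk renders an `issuerRef` with no `kind`, so cert-manager applies its own API default of `Issuer` (namespaced) — not the `ClusterIssuer` that the new values.yaml comment `if unset, 'ClusterIssuer' is used` promises; a user naming a ClusterIssuer without also setting the kind gets a Certificate that waits on a non-existent namespaced Issuer. The three-line `{{- if ... issuerKind }}` block should become the unconditional `kind: {{ .Values.subscriptionServer.certManager.issuerKind | default "ClusterIssuer" }}` so the template and the values.yaml hunk agree. `issuerKind` and `issuerGroup` are likewise ignored when `issuerName` is empty, which the comments do not mention either.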
@@ -17,7 +17,6 @@ spec:
 - {{.Release.Name}}-webhook.{{ .Release.Namespace }}
 - {{.Release.Name}}-webhook.{{ .Release.Namespace }}.svc
 - {{.Release.Name}}-webhook.{{ .Release.Namespace }}.svc.cluster.local
- duration: 3650h
 issuerRef:
 {{- with .Values.webhook.certManager.issuerGroup }}
 group: {{ . }}
diff --git a/chart/values.yaml b/chart/values.yaml
index 3c0f002..602506f 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -140,13 +140,21 @@ subscriptionServer:
 dnsTarget: public-ingress.clusters.cs.services.sap # replace with the actual cluster domain
 # -- The domain under which the cap operator subscription server would be available
 domain: cap-operator.clusters.cs.services.sap # replace with actual cluster domain
+ # -- Gardener
+ gardener:
+ # -- Whether to use gardener to manage server certificates
+ enabled: true
+ # -- Issuer name (only relevant if enabled is true)
+ issuerName: ""
+ # -- Issuer namespace (only relevant if enabled is true)
+ issuerNamespace: ""
 # -- Cert Manager
 certManager:
- # -- Whether to use cert-manager to manage webhook tls
+ # -- Whether to use cert-manager to manage server certificates
 enabled: false
- # -- Issuer name (only relevant if enabled is true)
+ # -- Issuer name (only relevant if enabled is true; if unset, 'cluster-ca' is used)
 issuerName: ""
- # -- Issuer kind (only relevant if enabled is true)
+ # -- Issuer kind (only relevant if enabled is true; if unset, 'ClusterIssuer' is used)
 issuerKind: ""
 # -- Issuer group (only relevant if enabled is true)
 issuerGroup: ""
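Review bot: The new `gardener.enabled` and the existing `certManager.enabled` can both be `true`, and nothing in the added comments says which one wins; server-networking.yaml evaluates them as `if`/`else if`, so Gardener takes precedence silently whenever its CRD is installed and the cert-manager settings are ignored. The comment on `certManager.enabled` should state this, e.g. `# -- Whether to use cert-manager to manage server certificates (ignored when gardener.enabled is true and the Gardener Certificate CRD is present)`, and the `gardener.enabled` comment should note that it is the preferred provider. Since `gardener.enabled` defaults to `true`, the comment should also say that without the Gardener CRD and with cert-manager disabled no Certificate is rendered and the gateway secret must be supplied by other means.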