diff --git a/stable/yugaware/templates/_helpers.tpl b/stable/yugaware/templates/_helpers.tpl
index b995b6e83e..dc7c250894 100644
--- a/stable/yugaware/templates/_helpers.tpl
+++ b/stable/yugaware/templates/_helpers.tpl
@@ -143,15 +143,21 @@ Get or generate server cert and key
 {{- if and $root.Values.tls.certificate $root.Values.tls.key -}}
 server.key: {{ $root.Values.tls.key }}
 server.crt: {{ $root.Values.tls.certificate }}
+ {{- if $root.Values.tls.ca_certificate -}}
+ca.crt: {{ $root.Values.tls.ca_certificate }}
+ {{- end -}}
 {{- else -}}
 {{- $result := (lookup "v1" "Secret" .Namespace .Name).data -}}
- {{- if $result -}}
+ {{- if and $result (index $result "server.pem") (index $result "ca.pem") -}}
 server.key: {{ index $result "server.key" }}
 server.crt: {{ index $result "server.crt" }}
+ca.crt: {{ index $result "ca.crt" }}
 {{- else -}}
- {{- $cert := genSelfSignedCert $root.Values.tls.hostname nil nil 3560 -}}
+ {{- $caCert := genCA $root.Values.tls.hostname 3650 -}}
+ {{- $cert := genSignedCert $root.Values.tls.hostname nil nil 3650 $caCert -}}
 server.key: {{ $cert.Key | b64enc }}
 server.crt: {{ $cert.Cert | b64enc }}
+ca.crt: {{ $caCert.Cert | b64enc }}
 {{- end -}}
 {{- end -}}
 {{- end -}}
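Review bot: In the user-supplied branch, `{{- if $root.Values.tls.ca_certificate -}}` trims whitespace on both sides, so the newline after the `server.crt:` value is consumed and the rendered text becomes `server.crt: <b64>ca.crt: <b64>` on one line, which is not valid YAML for the Secret and silently loses the CA entry when the condition is true; dropping the trailing dash, `{{- if $root.Values.tls.ca_certificate }}`, keeps the line break before `ca.crt:`. The lookup branch tests the existing secret for `server.pem` and `ca.pem` but then reads `server.key`, `server.crt` and `ca.crt` from it; if `.Name` here is the Secret this define fills rather than the pem Secret, the condition never holds and a new CA plus leaf certificate are generated on every upgrade, so the check should be `{{- if and $result (index $result "server.crt") (index $result "ca.crt") -}}`. Both `genCA` and `genSignedCert` are given only the hostname as CN and nil SAN lists, so the leaf carries no subjectAltName and the CA's private key is never stored anywhere; passing `(list $root.Values.tls.hostname)` as the DNS SAN list would let SAN-only validators accept the certificate. The enclosing define starts before this hunk.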
@@ -166,17 +172,27 @@ Get or generate server key cert in pem format
 {{- $decodedCert := $root.Values.tls.certificate | b64dec -}}
 {{- $serverPemContentTemp := ( printf "%s\n%s" $decodedKey $decodedCert ) -}}
 {{- $serverPemContent := $serverPemContentTemp | b64enc -}}
+ {{- if $root.Values.tls.ca_certificate -}}
+ {{- $caPemContent := $root.Values.tls.ca_certificate -}}
+ca.pem: {{ $caPemContent }}
+ {{- end}}
 server.pem: {{ $serverPemContent }}
 {{- else -}}
 {{- $result := (lookup "v1" "Secret" .Namespace .Name).data -}}
- {{- if $result -}}
-{{- $serverPemContent := ( index $result "server.pem" ) -}}
-server.pem: {{ $serverPemContent }}
+ {{- if and $result (index $result "server.pem") (index $result "ca.pem") -}}
+ {{- $serverPemContent := ( index $result "server.pem" ) -}}
+ {{- $caPemContent := ( index $result "ca.pem" ) -}}
+ ca.pem: {{ $caPemContent }}
+ server.pem: {{ $serverPemContent }}
 {{- else -}}
- {{- $cert := genSelfSignedCert $root.Values.tls.hostname nil nil 3560 -}}
-{{- $serverPemContentTemp := ( printf "%s\n%s" $cert.Key $cert.Cert ) -}}
-{{- $serverPemContent := $serverPemContentTemp | b64enc -}}
+ {{- $caCert := genCA $root.Values.tls.hostname 3650 -}}
+ {{- $cert := genSignedCert $root.Values.tls.hostname nil nil 3650 $caCert -}}
+ {{- $serverPemContentTemp := ( printf "%s\n%s" $cert.Key $cert.Cert ) -}}
+ {{- $serverPemContent := $serverPemContentTemp | b64enc -}}
+ {{- $caPemContentTemp := ( printf "%s" $caCert.Cert ) -}}
+ {{- $caPemContent := $caPemContentTemp | b64enc -}}
 server.pem: {{ $serverPemContent }}
+ca.pem: {{ $caPemContent }}
 {{- end -}}
 {{- end -}}
 {{- end -}}
@@ -274,4 +290,4 @@ Make list of custom http headers
 {{- end -}}
 {{- end -}}
 ]
-{{- end -}}
\ No newline at end of file
+{{- end -}}
diff --git a/stable/yugaware/templates/statefulset.yaml b/stable/yugaware/templates/statefulset.yaml
index 8073b72d92..48146cfe00 100644
--- a/stable/yugaware/templates/statefulset.yaml
+++ b/stable/yugaware/templates/statefulset.yaml
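Review bot: In the lookup branch the two emitted keys carry a leading indent (`+ ca.pem:`, `+ server.pem:`) while every other branch of this define emits at column 0, and because the `}}` after `$caPemContent` does not trim, the rendered text is `ca.pem: …` followed by an indented `server.pem: …` under a scalar value, which YAML rejects; the two lines should be `ca.pem: {{ $caPemContent }}` and `server.pem: {{ $serverPemContent }}` at column 0 like their siblings. The new `and … (index $result "ca.pem")` condition also means a Secret created by an earlier release, which holds only `server.pem`, is treated as absent and replaced on the next upgrade by a freshly generated CA-signed certificate, silently rotating the server certificate out from under clients that pinned the old one; that rotation should be documented in the values comment or avoided by keeping the existing `server.pem` when only `ca.pem` is missing. The CA private key returned by `genCA` is discarded here, so the stored `ca.pem` can never sign a replacement leaf later. The enclosing define starts before this hunk.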
@@ -129,9 +129,6 @@ spec:
 - name: {{ .Release.Name }}-yugaware-tls-pem
 secret:
 secretName: {{ .Release.Name }}-yugaware-tls-pem
- items:
- - key: server.pem
- path: server.pem
 {{- end }}
 {{- if .Values.prometheus.remoteWrite.tls.enabled }}
 - name: {{ .Release.Name }}-yugaware-prometheus-remote-write-tls
diff --git a/stable/yugaware/values.yaml b/stable/yugaware/values.yaml
index b6e75cbc50..ff9118c8c7 100644
--- a/stable/yugaware/values.yaml
+++ b/stable/yugaware/values.yaml
@@ -272,9 +272,14 @@ yugabytedb:
 tls:
 enabled: false
 hostname: "localhost"
- ## Expects base 64 encoded values for certificate and key.
+ ## Expects base64 encoded certificate, key, and CA certificate.
+ ## Populate these for non-self-signed certificates.
+ ## All three values should be base64 encoded.
+ ## These will be used to create server.pem and ca.pem files.
+ ## Note: The validity of the provided certificates is not verified.
 certificate: ""
 key: ""
+ ca_certificate: ""
 sslProtocols: "" # if set, override default Nginx SSL protocols setting
 ## cert-manager values
 ## If cert-manager is enabled:
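Review bot: The new comment block says all three values should be populated, but the templates in this same change only emit `ca.crt`/`ca.pem` when `ca_certificate` is non-empty, so it is optional and the comment should say so, e.g. `## ca_certificate is optional; when empty, no ca.crt/ca.pem entry is written.` It should also state the encoding precisely — base64 of the PEM text, not raw PEM — and extend the last note to `## The chart does not check that key matches certificate, or that ca_certificate signed it.`, since nothing in the templates validates the pair. A line noting that `hostname` becomes the CN of both the self-generated CA and the server certificate when these values are left empty would help operators choose it deliberately.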