diff options
Diffstat (limited to 'kubernetes/common/certManagerCertificate/templates/_certificate.tpl')
| -rw-r--r-- | kubernetes/common/certManagerCertificate/templates/_certificate.tpl | 89 |
1 files changed, 81 insertions, 8 deletions
diff --git a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl index f820c30ca9..2b9461e50e 100644 --- a/kubernetes/common/certManagerCertificate/templates/_certificate.tpl +++ b/kubernetes/common/certManagerCertificate/templates/_certificate.tpl @@ -18,7 +18,7 @@ # # To request a certificate following steps are to be done: # - create an object 'certificates' in the values.yaml -# - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate". +# - create a file templates/certificate.yaml and invoke the function "certManagerCertificate.certificate". # # Here is an example of the certificate request for a component: # @@ -53,6 +53,7 @@ # passwordSecretRef: # name: secret-name # key: secret-key +# create: true # # Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined. # Other mandatory fields for the certificate definition do not have to be defined directly, @@ -74,7 +75,7 @@ {{/*# General certifiacate attributes #*/}} {{- $name := include "common.fullname" $dot -}} {{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}} -{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +{{- $secretName := default (printf "%s-secret-%d" $name $i) (tpl (default "" $certificate.secretName) $ ) -}} {{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} {{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}} {{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}} @@ -94,10 +95,11 @@ {{- if $certificate.issuer -}} {{- $issuer = $certificate.issuer -}} {{- end -}} ---- -{{- if $certificate.keystore }} +{{/*# Secret #*/}} +{{ if $certificate.keystore -}} {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}} - {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }} + {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote -}} + {{- if $passwordSecretRef.create }} apiVersion: v1 kind: Secret metadata: @@ -106,7 +108,8 @@ metadata: type: Opaque stringData: {{ $passwordSecretRef.key }}: {{ $password }} -{{- end }} + {{- end }} +{{ end -}} --- apiVersion: cert-manager.io/v1 kind: Certificate @@ -120,6 +123,15 @@ spec: {{- if $duration }} duration: {{ $duration }} {{- end }} + {{- if $certificate.isCA }} + isCA: {{ $certificate.isCA }} + {{- end }} + {{- if $certificate.usages }} + usages: + {{- range $usage := $certificate.usages }} + - {{ $usage }} + {{- end }} + {{- end }} subject: organizations: - {{ $subject.organization }} @@ -156,7 +168,9 @@ spec: {{- end }} {{- end }} issuerRef: + {{- if not (eq $issuer.kind "Issuer" ) }} group: {{ $issuer.group }} + {{- end }} kind: {{ $issuer.kind }} name: {{ $issuer.name }} {{- if $certificate.keystore }} @@ -168,13 +182,15 @@ spec: {{ $outputType }}: create: true passwordSecretRef: - name: {{ $certificate.keystore.passwordSecretRef.name }} + name: {{ tpl (default "" $certificate.keystore.passwordSecretRef.name) $ }} key: {{ $certificate.keystore.passwordSecretRef.key }} {{- end }} {{- end }} {{ end }} {{- end -}} +{{/*Using templates below allows read and write access to volume mounted at $mountPath*/}} + {{- define "common.certManager.volumeMounts" -}} {{- $dot := default . .dot -}} {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} @@ -203,8 +219,14 @@ spec: sources: - secret: name: {{ $certificatesSecretName }} - {{- if $certificate.keystore }} items: + - key: tls.key + path: key.pem + - key: tls.crt + path: cert.pem + - key: ca.crt + path: cacert.pem + {{- if $certificate.keystore }} {{- range $outputType := $certificate.keystore.outputType }} - key: keystore.{{ $outputType }} path: keystore.{{ $outputType }} @@ -235,3 +257,54 @@ spec: {{- end -}} {{ $certsLinkCommand }} {{- end -}} + +{{/*Using templates below allows only read access to volume mounted at $mountPath*/}} + +{{- define "common.certManager.volumeMountsReadOnly" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} + {{- range $i, $certificate := $dot.Values.certificates -}} + {{- $mountPath := $certificate.mountPath -}} +- mountPath: {{ $mountPath }} + name: certmanager-certs-volume-{{ $i }} + {{- end -}} +{{- end -}} + +{{- define "common.certManager.volumesReadOnly" -}} +{{- $dot := default . .dot -}} +{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} +{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} +{{- $certificates := $dot.Values.certificates -}} + {{- range $i, $certificate := $certificates -}} + {{- $name := include "common.fullname" $dot -}} + {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} +- name: certmanager-certs-volume-{{ $i }} + projected: + sources: + - secret: + name: {{ $certificatesSecretName }} + items: + - key: tls.key + path: key.pem + - key: tls.crt + path: cert.pem + - key: ca.crt + path: cacert.pem + {{- if $certificate.keystore }} + {{- range $outputType := $certificate.keystore.outputType }} + - key: keystore.{{ $outputType }} + path: keystore.{{ $outputType }} + - key: truststore.{{ $outputType }} + path: truststore.{{ $outputType }} + {{- end }} + - secret: + name: {{ $certificate.keystore.passwordSecretRef.name }} + items: + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: keystore.pass + - key: {{ $certificate.keystore.passwordSecretRef.key }} + path: truststore.pass + {{- end }} + {{- end -}} +{{- end -}} |