feat(tls): add certificate tooling
This patch set adds in a manifest method in helm toolkit to generate certificates and places them into a secret. Change-Id: I50300afb0fc0ab92169ad9dd9ba66a56454fbc46 Signed-off-by: Tin Lam <tin@irrational.io>
This commit is contained in:
Tin Lam
parent
934d7946be
commit
03a5ae7210
103
helm-toolkit/templates/manifests/_certificates.tpl
Normal file
103
helm-toolkit/templates/manifests/_certificates.tpl
Normal file
@ -0,0 +1,103 @@
|
||||
{{/*
|
||||
Licensed under the Apache License, Version 2.0 (the "License");
|
||||
you may not use this file except in compliance with the License.
|
||||
You may obtain a copy of the License at
|
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0
|
||||
|
||||
Unless required by applicable law or agreed to in writing, software
|
||||
distributed under the License is distributed on an "AS IS" BASIS,
|
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
See the License for the specific language governing permissions and
|
||||
limitations under the License.
|
||||
*/}}
|
||||
|
||||
{{/*
|
||||
abstract: |
|
||||
Creates a certificate using jetstack
|
||||
examples:
|
||||
- values: |
|
||||
endpoints:
|
||||
dashboard:
|
||||
certs:
|
||||
horizon-internal-cert:
|
||||
secretName: horizon-tls-apache
|
||||
duration: 2160h
|
||||
organization:
|
||||
- ACME
|
||||
commonName: horizon-int.openstack.svc.cluster.local
|
||||
keySize: 2048
|
||||
usages:
|
||||
- server auth
|
||||
- client auth
|
||||
dnsNames:
|
||||
- cluster.local
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
kind: Issuer
|
||||
usage: |
|
||||
{{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" "certName" "horizon-internal-cert" -}}
|
||||
{{ $opts | include "helm-toolkit.manifests.certificates" }}
|
||||
return: |
|
||||
---
|
||||
apiVersion: cert-manager.io/v1alpha3
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: horizon_internal_cert
|
||||
namespace: NAMESPACE
|
||||
spec:
|
||||
commonName: horizon-int.openstack.svc.cluster.local
|
||||
dnsNames:
|
||||
- cluster.local
|
||||
duration: 2160h
|
||||
issuerRef:
|
||||
kind: Issuer
|
||||
name: ca-issuer
|
||||
keySize: 2048
|
||||
organization:
|
||||
- ACME
|
||||
secretName: horizon-tls-apache
|
||||
usages:
|
||||
- server auth
|
||||
- client auth
|
||||
*/}}
|
||||
|
||||
{{- define "helm-toolkit.manifests.certificates" -}}
|
||||
{{- $envAll := index . "envAll" -}}
|
||||
{{- $service := index . "service" -}}
|
||||
{{- $type := index . "type" | default "" -}}
|
||||
{{- $name := index . "certName" -}}
|
||||
{{- $slice := index $envAll.Values.endpoints $service "certs" $name -}}
|
||||
{{/* Put in some sensible default value if one is not provided by values.yaml */}}
|
||||
{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
|
||||
This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
|
||||
{{- if not (hasKey $slice "dnsNames") -}}
|
||||
{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
|
||||
{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
|
||||
{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "certs" $name) "dnsNames" -}}
|
||||
{{- end -}}
|
||||
{{/* Default keySize to 4096. This can be overridden. */}}
|
||||
{{- if not (hasKey $slice "keySize") -}}
|
||||
{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "certs" $name) "keySize" -}}
|
||||
{{- end -}}
|
||||
{{/* Default keySize to 3 months. Note the min is 720h. This can be overridden. */}}
|
||||
{{- if not (hasKey $slice "duration") -}}
|
||||
{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "certs" $name) "duration" -}}
|
||||
{{- end -}}
|
||||
{{/* Default renewBefore to 15 days. This can be overridden. */}}
|
||||
{{- if not (hasKey $slice "renewBefore") -}}
|
||||
{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "certs" $name) "renewBefore" -}}
|
||||
{{- end -}}
|
||||
{{/* Default the usage to server auth and client auth. This can be overridden. */}}
|
||||
{{- if not (hasKey $slice "usages") -}}
|
||||
{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "certs" $name) "usages" -}}
|
||||
{{- end -}}
|
||||
---
|
||||
apiVersion: cert-manager.io/v1alpha3
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: {{ $name | replace "_" "-" }}
|
||||
namespace: {{ $envAll.Release.Namespace }}
|
||||
spec:
|
||||
{{ $slice | toYaml | indent 2 }}
|
||||
{{- end -}}
|
||||
Loading…
Reference in New Issue
Block a user