From 186155c2961969e3fb43370d4bcd0e0978a313c0 Mon Sep 17 00:00:00 2001 From: "Gupta, Sangeet (sg774j)" Date: Wed, 3 Nov 2021 14:25:08 +0000 Subject: [PATCH] Correct private key size input for Certificates and remove minor version support In cert-manager v1 API, the private key size "keySize" was updated to "size" under "privateKey". Support of minor (less than v1) API version is also removed for certificates. Change-Id: If3fa0e296b8a1c2ab473e67b24d4465fe42a5268 --- helm-toolkit/Chart.yaml | 2 +- .../templates/manifests/_certificates.tpl | 72 +++---------------- releasenotes/notes/helm-toolkit.yaml | 1 + 3 files changed, 12 insertions(+), 63 deletions(-) diff --git a/helm-toolkit/Chart.yaml b/helm-toolkit/Chart.yaml index d0af6c793..fb1999d8a 100644 --- a/helm-toolkit/Chart.yaml +++ b/helm-toolkit/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Helm-Toolkit name: helm-toolkit -version: 0.2.26 +version: 0.2.27 home: https://docs.openstack.org/openstack-helm icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png sources: diff --git a/helm-toolkit/templates/manifests/_certificates.tpl b/helm-toolkit/templates/manifests/_certificates.tpl index 241e8b12d..8be771e6c 100644 --- a/helm-toolkit/templates/manifests/_certificates.tpl +++ b/helm-toolkit/templates/manifests/_certificates.tpl @@ -30,7 +30,8 @@ examples: organization: - ACME commonName: keystone-api.openstack.svc.cluster.local - keySize: 2048 + privateKey: + size: 2048 usages: - server auth - client auth 
@@ -55,55 +56,8 @@ examples: duration: 2160h issuerRef: name: ca-issuer - keySize: 2048 - organization: - - ACME - secretName: keystone-tls-api - usages: - - server auth - - client auth - - - values: | - cert_manager_version: v0.15.0 - endpoints: - dashboard: - host_fqdn_override: - default: - host: null - tls: - secretName: keystone-tls-api - issuerRef: - name: ca-issuer - duration: 2160h - organization: - - ACME - commonName: keystone-api.openstack.svc.cluster.local - keySize: 2048 - usages: - - server auth - - client auth - dnsNames: - - cluster.local - issuerRef: - name: ca-issuer - usage: | - {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}} - {{ $opts | include "helm-toolkit.manifests.certificates" }} - return: | - --- - apiVersion: cert-manager.io/v1alpha3 - kind: Certificate - metadata: - name: keystone-tls-api - namespace: NAMESPACE - spec: - commonName: keystone-api.openstack.svc.cluster.local - dnsNames: - - cluster.local - duration: 2160h - issuerRef: - name: ca-issuer - keySize: 2048 + privateKey: + size: 2048 organization: - ACME secretName: keystone-tls-api 
@@ -125,11 +79,13 @@ examples:
 {{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
 {{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "dnsNames" -}}
 {{- end -}}
-{{/* Default keySize to 4096. This can be overridden. */}}
-{{- if not (hasKey $slice "keySize") -}}
-{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "keySize" -}}
+{{/* Default privateKey size to 4096. This can be overridden. */}}
+{{- if not (hasKey $slice "privateKey") -}}
+{{- $_ := dict "size" ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "privateKey" -}}
+{{- else if empty (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey" "size") -}}
+{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "privateKey") "size" -}}
 {{- end -}}
-{{/* Default keySize to 3 months. Note the min is 720h. This can be overridden. */}}
+{{/* Default duration to 3 months. Note the min is 720h. This can be overridden. */}}
 {{- if not (hasKey $slice "duration") -}}
 {{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "duration" -}}
 {{- end -}}
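Review bot: A values file that still sets the old `keySize` under `tls` is not handled by the new defaulting block: `hasKey $slice "privateKey"` is false, so `privateKey.size` is set to 4096 whatever key strength the operator requested, and the stale `keySize` entry stays in the map. How the map is rendered into `spec` is outside this hunk, but if it is dumped as-is the v1 Certificate would carry an unknown `keySize` field; either way the requested key size changes silently. I would add a guard ahead of the default, e.g. `{{- if hasKey $slice "keySize" -}}{{- fail "tls.keySize is no longer supported; use tls.privateKey.size" -}}{{- end -}}`, or copy the value into `privateKey.size` and `unset` the old key. Separately, the `else if empty (... "privateKey" "size")` branch forces 4096 even when `privateKey.algorithm` is ECDSA, where cert-manager accepts only 256, 384 or 521, so the size default should apply only when the algorithm is unset or RSA.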
@@ -141,16 +97,8 @@ examples:
 {{- if not (hasKey $slice "usages") -}}
 {{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
 {{- end -}}
-{{- $cert_manager_version := "v1.0.0" -}}
-{{- if $envAll.Values.cert_manager_version -}}
-{{- $cert_manager_version = $envAll.Values.cert_manager_version -}}
-{{- end -}}
 ---
-{{- if semverCompare "< v1.0.0" $cert_manager_version }}
-apiVersion: cert-manager.io/v1alpha3
-{{- else }}
 apiVersion: cert-manager.io/v1
-{{- end }}
 kind: Certificate
 metadata:
 name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
diff --git a/releasenotes/notes/helm-toolkit.yaml b/releasenotes/notes/helm-toolkit.yaml
index 725b9c5fe..519366fbe 100644
--- a/releasenotes/notes/helm-toolkit.yaml
+++ b/releasenotes/notes/helm-toolkit.yaml
@@ -33,4 +33,5 @@ helm-toolkit:
 - 0.2.24 Migrate Ingress resources to networking.k8s.io/v1
 - 0.2.25 Set Security Context to ks-user job
 - 0.2.26 Revert Set Security Context to ks-user job
+ - 0.2.27 Correct private key size input for Certificates and remove minor version support
 ...