From 6ee06562c87b67f026c9cc2bd64f9b8033e433b2 Mon Sep 17 00:00:00 2001 From: Nafiz Haider Date: Thu, 28 Jan 2021 20:11:09 +0000 Subject: [PATCH] Re-enable "feat(tls): Change Issuer to ClusterIssuer"" This reverts commit 8a79d7c51bdeec35d12194fe39672036c8bb1a5c. Reason for revert: resolved bug with cluster issuer versioning Co-authored-by: Sangeet Gupta Change-Id: I047cbfaa5aa9e7285a23e603074429180495557d --- ca-clusterissuer/Chart.yaml | 20 +++++++ ca-clusterissuer/requirements.yaml | 18 ++++++ .../templates/clusterissuer-ca.yaml | 28 ++++++++++ ca-clusterissuer/templates/secret-ca.yaml | 26 +++++++++ ca-clusterissuer/values.yaml | 27 +++++++++ helm-toolkit/Chart.yaml | 2 +- .../templates/manifests/_certificates.tpl | 56 +++++++++++++++++++ helm-toolkit/templates/manifests/_ingress.tpl | 11 ++-- mariadb/Chart.yaml | 2 +- mariadb/values_overrides/tls.yaml | 2 +- releasenotes/notes/ca-clusterissuer.yaml | 4 ++ releasenotes/notes/helm-toolkit.yaml | 1 + releasenotes/notes/mariadb.yaml | 1 + 13 files changed, 190 insertions(+), 8 deletions(-) create mode 100644 ca-clusterissuer/Chart.yaml create mode 100644 ca-clusterissuer/requirements.yaml create mode 100644 ca-clusterissuer/templates/clusterissuer-ca.yaml create mode 100644 ca-clusterissuer/templates/secret-ca.yaml create mode 100644 ca-clusterissuer/values.yaml create mode 100644 releasenotes/notes/ca-clusterissuer.yaml diff --git a/ca-clusterissuer/Chart.yaml b/ca-clusterissuer/Chart.yaml new file mode 100644 index 000000000..ee59e38d8 --- /dev/null +++ b/ca-clusterissuer/Chart.yaml 
@@ -0,0 +1,20 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+appVersion: "1.0"
+description: Certificate Issuer chart for OSH
+home: https://cert-manager.io/
+name: ca-clusterissuer
+version: 0.1.0
+...
diff --git a/ca-clusterissuer/requirements.yaml b/ca-clusterissuer/requirements.yaml
new file mode 100644
index 000000000..19b0d6992
--- /dev/null
+++ b/ca-clusterissuer/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+ - name: helm-toolkit
+ repository: http://localhost:8879/charts
+ version: ">= 0.1.0"
+...
diff --git a/ca-clusterissuer/templates/clusterissuer-ca.yaml b/ca-clusterissuer/templates/clusterissuer-ca.yaml
new file mode 100644
index 000000000..1f67d7b4a
--- /dev/null
+++ b/ca-clusterissuer/templates/clusterissuer-ca.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.clusterissuer }}
+{{- $envAll := . }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: {{ .Values.conf.ca.issuer.name }}
+ labels:
+{{ tuple $envAll "cert-manager" "clusterissuer" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ ca:
+ secretName: {{ .Values.conf.ca.secret.name }}
+...
+{{- end }}
diff --git a/ca-clusterissuer/templates/secret-ca.yaml b/ca-clusterissuer/templates/secret-ca.yaml
new file mode 100644
index 000000000..8c4472514
--- /dev/null
+++ b/ca-clusterissuer/templates/secret-ca.yaml
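Review bot: The `spec.ca.secretName` on this ClusterIssuer is, as far as cert-manager's documented behaviour goes, looked up in cert-manager's cluster-resource namespace rather than in the release namespace, which is why secret-ca.yaml takes a separate `conf.ca.secret.namespace`, but nothing in this template says so and a mismatch only shows up later as a failed issuance. A comment above the `secretName:` line such as `# Resolved in cert-manager's cluster-resource namespace (conf.ca.secret.namespace), not the release namespace` would make the coupling explicit. The value is also emitted unquoted; `secretName: {{ .Values.conf.ca.secret.name | quote }}` keeps a numeric-looking or empty override from changing the scalar's type.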
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ca }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.conf.ca.secret.name }}
+ namespace: {{ .Values.conf.ca.secret.namespace }}
+data:
+ tls.crt: {{ .Values.conf.ca.secret.crt | default "" | b64enc }}
+ tls.key: {{ .Values.conf.ca.secret.key | default "" | b64enc }}
+...
+{{- end }}
diff --git a/ca-clusterissuer/values.yaml b/ca-clusterissuer/values.yaml
new file mode 100644
index 000000000..a235a8d89
--- /dev/null
+++ b/ca-clusterissuer/values.yaml
@@ -0,0 +1,27 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+conf:
+ ca:
+ issuer:
+ name: ca-clusterissuer
+ secret:
+ name: secret-name
+ # Namespace where cert-manager is deployed.
+ namespace: cert-manager
+ crt: null
+ key: null
+
+manifests:
+ clusterissuer: true
+ secret_ca: true
+...
diff --git a/helm-toolkit/Chart.yaml b/helm-toolkit/Chart.yaml
index 780e151f4..038933aab 100644
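Review bot: The `default ""` on the `tls.crt` and `tls.key` lines means a release installed without `conf.ca.secret.key` renders an empty CA Secret and the problem only surfaces later when cert-manager cannot sign with it; `required` turns that into an install-time error, e.g. `tls.key: {{ required "conf.ca.secret.key must be set" .Values.conf.ca.secret.key | b64enc }}` and the same for `tls.crt`. The Secret also carries no `type:` and so defaults to Opaque; `type: kubernetes.io/tls` states the intent and lets the API server validate the expected key names. Because the CA private key is passed in as a Helm value it is also retained in the release's stored values, not only in this Secret; the `manifests.secret_ca` toggle already allows creating the Secret out of band, and a comment above the `{{- if .Values.manifests.secret_ca }}` line pointing at that option for non-test deployments would be worth adding.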
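Review bot: The default `conf.ca.issuer.name` here is `ca-clusterissuer`, while mariadb/values_overrides/tls.yaml in the same change points `issuerRef.name` at `ca-issuer` with `kind: ClusterIssuer`, so the two defaults only line up when a deployment overrides one of them; either make this default `ca-issuer` or update the mariadb override, and record the intended name in a comment. `secret.name: secret-name` is a placeholder that nonetheless renders a real Secret called `secret-name`; a comment marking it as a value to override would help. Note that `crt: null` and `key: null` together with the `default ""` in secret-ca.yaml mean these defaults silently produce an empty CA Secret rather than a rendering error.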
--- a/helm-toolkit/Chart.yaml +++ b/helm-toolkit/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v1 appVersion: v1.0.0 description: OpenStack-Helm Helm-Toolkit name: helm-toolkit -version: 0.2.4 +version: 0.2.5 home: https://docs.openstack.org/openstack-helm icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png sources: diff --git a/helm-toolkit/templates/manifests/_certificates.tpl b/helm-toolkit/templates/manifests/_certificates.tpl index 3b6ab2b18..241e8b12d 100644 --- a/helm-toolkit/templates/manifests/_certificates.tpl +++ b/helm-toolkit/templates/manifests/_certificates.tpl @@ -41,6 +41,54 @@ examples: usage: | {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}} {{ $opts | include "helm-toolkit.manifests.certificates" }} + return: | + --- + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: keystone-tls-api + namespace: NAMESPACE + spec: + commonName: keystone-api.openstack.svc.cluster.local + dnsNames: + - cluster.local + duration: 2160h + issuerRef: + name: ca-issuer + keySize: 2048 + organization: + - ACME + secretName: keystone-tls-api + usages: + - server auth + - client auth + + - values: | + cert_manager_version: v0.15.0 + endpoints: + dashboard: + host_fqdn_override: + default: + host: null + tls: + secretName: keystone-tls-api + issuerRef: + name: ca-issuer + duration: 2160h + organization: + - ACME + commonName: keystone-api.openstack.svc.cluster.local + keySize: 2048 + usages: + - server auth + - client auth + dnsNames: + - cluster.local + issuerRef: + name: ca-issuer + usage: | + {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}} + {{ $opts | include "helm-toolkit.manifests.certificates" }} return: | --- apiVersion: cert-manager.io/v1alpha3 
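Review bot: The added example `values:` block under `tls:` lists `issuerRef:` twice, once after `secretName` and again after `dnsNames`, which yamllint reports as a duplicate key and most parsers resolve last-wins, so the example should keep a single `issuerRef`. The example is documentation only, but it is what chart authors copy, so it is worth keeping it loadable as YAML. The surrounding `examples:` comment block starts before this hunk.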
@@ -93,8 +141,16 @@ examples: {{- if not (hasKey $slice "usages") -}} {{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}} {{- end -}} +{{- $cert_manager_version := "v1.0.0" -}} +{{- if $envAll.Values.cert_manager_version -}} +{{- $cert_manager_version = $envAll.Values.cert_manager_version -}} +{{- end -}} --- +{{- if semverCompare "< v1.0.0" $cert_manager_version }} apiVersion: cert-manager.io/v1alpha3 +{{- else }} +apiVersion: cert-manager.io/v1 +{{- end }} kind: Certificate metadata: name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }} diff --git a/helm-toolkit/templates/manifests/_ingress.tpl b/helm-toolkit/templates/manifests/_ingress.tpl index e2426d3e4..853aa23e4 100644 --- a/helm-toolkit/templates/manifests/_ingress.tpl +++ b/helm-toolkit/templates/manifests/_ingress.tpl @@ -220,6 +220,7 @@ examples: serviceName: barbican-api servicePort: b-api - values: | + cert_issuer_type: issuer network: api: ingress: @@ -362,7 +363,7 @@ examples: name: ca-issuer kind: ClusterIssuer usage: | - {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" "certIssuer" "cluster-issuer") -}} + {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}} return: | --- apiVersion: networking.k8s.io/v1beta1 
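Review bot: Switching `apiVersion` to `cert-manager.io/v1` changes the schema the rest of the rendered spec has to satisfy, but the hunk only branches on the version line; the v1 `Certificate` API moved `keySize` to `privateKey.size` and `organization` to `subject.organizations`, and the first `return:` block added earlier in this file still shows `keySize: 2048` and `organization:` under v1. If the template body below this hunk still emits those keys for v1, the API server is likely to prune them as unknown fields rather than reject the object, so key size and subject would silently fall back to defaults; the version branch should select the field names as well, not just the apiVersion. `semverCompare` also aborts the render when `cert_manager_version` is not a valid semver string, which deserves a comment on the `$cert_manager_version` default, e.g. `{{/* cert_manager_version must be a semver string such as v0.15.0 or v1.0.0 */}}`. The enclosing `helm-toolkit.manifests.certificates` template starts and ends outside the hunk.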
@@ -554,14 +555,14 @@ examples: {{- $backendPort := index . "backendPort" -}} {{- $endpoint := index . "endpoint" | default "public" -}} {{- $certIssuer := index . "certIssuer" | default "" -}} -{{- $certIssuerType := index . "certIssuerType" | default "issuer" -}} -{{- if and (ne $certIssuerType "issuer") (ne $certIssuerType "cluster-issuer") }} -{{- $certIssuerType = "issuer" -}} -{{- end }} {{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} {{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} {{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }} {{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }} +{{- $certIssuerType := "cluster-issuer" -}} +{{- if $envAll.Values.cert_issuer_type }} +{{- $certIssuerType = $envAll.Values.cert_issuer_type }} +{{- end }} --- apiVersion: networking.k8s.io/v1beta1 kind: Ingress diff --git a/mariadb/Chart.yaml b/mariadb/Chart.yaml index a014a8d25..7feb54f33 100644 --- a/mariadb/Chart.yaml +++ b/mariadb/Chart.yaml @@ -15,7 +15,7 @@ apiVersion: v1 appVersion: v10.2.31 description: OpenStack-Helm MariaDB name: mariadb -version: 0.1.7 +version: 0.1.8 home: https://mariadb.com/kb/en/ icon: http://badges.mariadb.org/mariadb-badge-180x60.png sources: diff --git a/mariadb/values_overrides/tls.yaml b/mariadb/values_overrides/tls.yaml index f89d5e94b..b8da60f89 100644 --- a/mariadb/values_overrides/tls.yaml +++ b/mariadb/values_overrides/tls.yaml @@ -17,7 +17,7 @@ endpoints: secretName: mariadb-tls-direct issuerRef: name: ca-issuer - kind: Issuer + kind: ClusterIssuer manifests: certificates: true ... 
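Review bot: The new `$certIssuerType` is taken straight from `.Values.cert_issuer_type` without the `issuer`/`cluster-issuer` check that the removed lines performed, so a typo such as `clusterissuer` now flows through to whatever the template builds from it below instead of being normalised; keep the guard after the assignment, `{{- if and (ne $certIssuerType "issuer") (ne $certIssuerType "cluster-issuer") }}`, `{{- $certIssuerType = "cluster-issuer" -}}`, `{{- end }}`, or use `fail` with a clear message. Callers that still pass `certIssuerType` in the dict are now silently ignored and the default flips from `issuer` to `cluster-issuer`, which matches the commit's intent but is not mentioned in the helm-toolkit release note. The `helm-toolkit.manifests.ingress` body starts and ends outside the hunk.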
diff --git a/releasenotes/notes/ca-clusterissuer.yaml b/releasenotes/notes/ca-clusterissuer.yaml new file mode 100644 index 000000000..4e6c16fa1 --- /dev/null +++ b/releasenotes/notes/ca-clusterissuer.yaml @@ -0,0 +1,4 @@ +--- +ca-clusterissuer: + - 0.1.0 Initial Chart +... diff --git a/releasenotes/notes/helm-toolkit.yaml b/releasenotes/notes/helm-toolkit.yaml index ebc7cfa58..8497c0ba0 100644 --- a/releasenotes/notes/helm-toolkit.yaml +++ b/releasenotes/notes/helm-toolkit.yaml @@ -11,4 +11,5 @@ helm-toolkit: - 0.2.2 Revert Change Issuer to ClusterIssuer - 0.2.3 Allow openstack service list to retry in event of keystone connection issues - 0.2.4 Added detailed FiXME for ks-service script bug and code changes + - 0.2.5 Added logic to support cert-manager versioning ... diff --git a/releasenotes/notes/mariadb.yaml b/releasenotes/notes/mariadb.yaml index 5cd14222e..96ddc94f6 100644 --- a/releasenotes/notes/mariadb.yaml +++ b/releasenotes/notes/mariadb.yaml @@ -8,4 +8,5 @@ mariadb: - 0.1.5 Update to container image repo k8s.gcr.io - 0.1.6 Change Issuer to ClusterIssuer - 0.1.7 Revert - Change Issuer to ClusterIssuer + - 0.1.8 Change Issuer to ClusterIssuer with logic in place to support cert-manager versioning ...