Merge "feat(tls): add certificate tooling"
This commit is contained in:
commit
a2623cb672
103
helm-toolkit/templates/manifests/_certificates.tpl
Normal file
103
helm-toolkit/templates/manifests/_certificates.tpl
Normal file
@ -0,0 +1,103 @@
|
|||||||
|
{{/*
|
||||||
|
Licensed under the Apache License, Version 2.0 (the "License");
|
||||||
|
you may not use this file except in compliance with the License.
|
||||||
|
You may obtain a copy of the License at
|
||||||
|
|
||||||
|
http://www.apache.org/licenses/LICENSE-2.0
|
||||||
|
|
||||||
|
Unless required by applicable law or agreed to in writing, software
|
||||||
|
distributed under the License is distributed on an "AS IS" BASIS,
|
||||||
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
|
See the License for the specific language governing permissions and
|
||||||
|
limitations under the License.
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
abstract: |
|
||||||
|
Creates a certificate using jetstack
|
||||||
|
examples:
|
||||||
|
- values: |
|
||||||
|
endpoints:
|
||||||
|
dashboard:
|
||||||
|
certs:
|
||||||
|
horizon-internal-cert:
|
||||||
|
secretName: horizon-tls-apache
|
||||||
|
duration: 2160h
|
||||||
|
organization:
|
||||||
|
- ACME
|
||||||
|
commonName: horizon-int.openstack.svc.cluster.local
|
||||||
|
keySize: 2048
|
||||||
|
usages:
|
||||||
|
- server auth
|
||||||
|
- client auth
|
||||||
|
dnsNames:
|
||||||
|
- cluster.local
|
||||||
|
issuerRef:
|
||||||
|
name: ca-issuer
|
||||||
|
kind: Issuer
|
||||||
|
usage: |
|
||||||
|
{{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" "certName" "horizon-internal-cert" -}}
|
||||||
|
{{ $opts | include "helm-toolkit.manifests.certificates" }}
|
||||||
|
return: |
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1alpha3
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: horizon_internal_cert
|
||||||
|
namespace: NAMESPACE
|
||||||
|
spec:
|
||||||
|
commonName: horizon-int.openstack.svc.cluster.local
|
||||||
|
dnsNames:
|
||||||
|
- cluster.local
|
||||||
|
duration: 2160h
|
||||||
|
issuerRef:
|
||||||
|
kind: Issuer
|
||||||
|
name: ca-issuer
|
||||||
|
keySize: 2048
|
||||||
|
organization:
|
||||||
|
- ACME
|
||||||
|
secretName: horizon-tls-apache
|
||||||
|
usages:
|
||||||
|
- server auth
|
||||||
|
- client auth
|
||||||
|
*/}}
|
||||||
|
|
||||||
|
{{- define "helm-toolkit.manifests.certificates" -}}
|
||||||
|
{{- $envAll := index . "envAll" -}}
|
||||||
|
{{- $service := index . "service" -}}
|
||||||
|
{{- $type := index . "type" | default "" -}}
|
||||||
|
{{- $name := index . "certName" -}}
|
||||||
|
{{- $slice := index $envAll.Values.endpoints $service "certs" $name -}}
|
||||||
|
{{/* Put in some sensible default value if one is not provided by values.yaml */}}
|
||||||
|
{{/* If a dnsNames list is not in the values.yaml, it can be overridden by a passed-in parameter.
|
||||||
|
This allows user to use other HTK method to determine the URI and pass that into this method.*/}}
|
||||||
|
{{- if not (hasKey $slice "dnsNames") -}}
|
||||||
|
{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
|
||||||
|
{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
|
||||||
|
{{- $_ := $dnsNames | set (index $envAll.Values.endpoints $service "certs" $name) "dnsNames" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{/* Default keySize to 4096. This can be overridden. */}}
|
||||||
|
{{- if not (hasKey $slice "keySize") -}}
|
||||||
|
{{- $_ := ( printf "%d" 4096 | atoi ) | set (index $envAll.Values.endpoints $service "certs" $name) "keySize" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{/* Default keySize to 3 months. Note the min is 720h. This can be overridden. */}}
|
||||||
|
{{- if not (hasKey $slice "duration") -}}
|
||||||
|
{{- $_ := printf "%s" "2190h" | set (index $envAll.Values.endpoints $service "certs" $name) "duration" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{/* Default renewBefore to 15 days. This can be overridden. */}}
|
||||||
|
{{- if not (hasKey $slice "renewBefore") -}}
|
||||||
|
{{- $_ := printf "%s" "360h" | set (index $envAll.Values.endpoints $service "certs" $name) "renewBefore" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{/* Default the usage to server auth and client auth. This can be overridden. */}}
|
||||||
|
{{- if not (hasKey $slice "usages") -}}
|
||||||
|
{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "certs" $name) "usages" -}}
|
||||||
|
{{- end -}}
|
||||||
|
---
|
||||||
|
apiVersion: cert-manager.io/v1alpha3
|
||||||
|
kind: Certificate
|
||||||
|
metadata:
|
||||||
|
name: {{ $name | replace "_" "-" }}
|
||||||
|
namespace: {{ $envAll.Release.Namespace }}
|
||||||
|
spec:
|
||||||
|
{{ $slice | toYaml | indent 2 }}
|
||||||
|
{{- end -}}
|
Loading…
Reference in New Issue
Block a user