From f60c94fc16f81d220cfc32098cf518ae62afa99a Mon Sep 17 00:00:00 2001
From: sgupta
Date: Wed, 9 Dec 2020 23:03:30 +0000
Subject: [PATCH] feat(tls): Change Issuer to ClusterIssuer
ClusterIssuer does not belong to a single namespace (unlike Issuer) and can be referenced by Certificate resources from multiple different namespaces. When internal TLS is added to multiple namespaces, same ClusterIssuer can be used instead of one Issuer per namespace.
Change-Id: I1576f486f30d693c4bc6b15e25c238d8004b4568
---
ca-clusterissuer/Chart.yaml | 20 +++++++++++++
ca-clusterissuer/requirements.yaml | 18 ++++++++++++
.../templates/clusterissuer-ca.yaml | 28 +++++++++++++++++++
ca-clusterissuer/templates/secret-ca.yaml | 26 +++++++++++++++++
ca-clusterissuer/values.yaml | 27 ++++++++++++++++++
ca-issuer/Chart.yaml | 2 +-
ca-issuer/templates/issuer-ca.yaml | 2 +-
helm-toolkit/Chart.yaml | 2 +-
.../templates/manifests/_certificates.tpl | 4 +--
helm-toolkit/templates/manifests/_ingress.tpl | 4 +--
mariadb/Chart.yaml | 2 +-
mariadb/values_overrides/tls.yaml | 2 +-
12 files changed, 128 insertions(+), 9 deletions(-)
create mode 100644 ca-clusterissuer/Chart.yaml
create mode 100644 ca-clusterissuer/requirements.yaml
create mode 100644 ca-clusterissuer/templates/clusterissuer-ca.yaml
create mode 100644 ca-clusterissuer/templates/secret-ca.yaml
create mode 100644 ca-clusterissuer/values.yaml
diff --git a/ca-clusterissuer/Chart.yaml b/ca-clusterissuer/Chart.yaml
new file mode 100644
index 000000000..ee59e38d8
--- /dev/null
+++ b/ca-clusterissuer/Chart.yaml
@@ -0,0 +1,20 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+appVersion: "1.0"
+description: Certificate Issuer chart for OSH
+home: https://cert-manager.io/
+name: ca-clusterissuer
+version: 0.1.0
+...
diff --git a/ca-clusterissuer/requirements.yaml b/ca-clusterissuer/requirements.yaml
new file mode 100644
index 000000000..19b0d6992
--- /dev/null
+++ b/ca-clusterissuer/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+ - name: helm-toolkit
+ repository: http://localhost:8879/charts
+ version: ">= 0.1.0"
+...
diff --git a/ca-clusterissuer/templates/clusterissuer-ca.yaml b/ca-clusterissuer/templates/clusterissuer-ca.yaml
new file mode 100644
index 000000000..1f67d7b4a
--- /dev/null
+++ b/ca-clusterissuer/templates/clusterissuer-ca.yaml
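Review bot: `description: Certificate Issuer chart for OSH` is carried over unchanged from ca-issuer/Chart.yaml (it appears as a context line in that file's hunk further down), so the two charts read identically in chart listings even though this one manages a cluster-scoped resource. Suggest `description: Certificate ClusterIssuer chart for OSH` so the scope difference is visible at the chart level.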
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.clusterissuer }}
+{{- $envAll := . }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: {{ .Values.conf.ca.issuer.name }}
+ labels:
+{{ tuple $envAll "cert-manager" "clusterissuer" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ ca:
+ secretName: {{ .Values.conf.ca.secret.name }}
+...
+{{- end }}
diff --git a/ca-clusterissuer/templates/secret-ca.yaml b/ca-clusterissuer/templates/secret-ca.yaml
new file mode 100644
index 000000000..8c4472514
--- /dev/null
+++ b/ca-clusterissuer/templates/secret-ca.yaml
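Review bot: Nothing in this template says that `spec.ca.secretName` on a ClusterIssuer is resolved by cert-manager in its own (cluster resource) namespace rather than in the release namespace, which is the only reason the sibling secret-ca.yaml sets an explicit `namespace`; a comment above `spec:` such as `# secretName is looked up in cert-manager's namespace (see conf.ca.secret.namespace), not in this release's namespace` would make that coupling visible. Because a ClusterIssuer can be referenced by Certificate resources in every namespace, any principal allowed to create Certificates anywhere in the cluster can obtain leaf certificates from this CA, a wider trust boundary than the per-namespace Issuer it replaces, and that is worth stating in the same comment so operators scope RBAC on Certificate resources accordingly. The `name` and `secretName` values are rendered as plain scalars; `{{ .Values.conf.ca.issuer.name | quote }}` would keep a value that YAML would otherwise retype from breaking the manifest.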
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ca }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .Values.conf.ca.secret.name }}
+ namespace: {{ .Values.conf.ca.secret.namespace }}
+data:
+ tls.crt: {{ .Values.conf.ca.secret.crt | default "" | b64enc }}
+ tls.key: {{ .Values.conf.ca.secret.key | default "" | b64enc }}
+...
+{{- end }}
diff --git a/ca-clusterissuer/values.yaml b/ca-clusterissuer/values.yaml
new file mode 100644
index 000000000..eefe92bba
--- /dev/null
+++ b/ca-clusterissuer/values.yaml
@@ -0,0 +1,27 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+conf:
+ ca:
+ issuer:
+ name: ca-issuer
+ secret:
+ name: secret-name
+ # Namespace where cert-manager is deployed.
+ namespace: cert-manager
+ crt: null
+ key: null
+
+manifests:
+ clusterissuer: true
+ secret_ca: true
+...
diff --git a/ca-issuer/Chart.yaml b/ca-issuer/Chart.yaml
index b4eff6650..b5543746a 100644
--- a/ca-issuer/Chart.yaml
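Review bot: With `crt` and `key` both defaulting to `null` in the values.yaml hunk that follows and `manifests.secret_ca: true`, the `| default "" | b64enc` pipelines render a Secret whose `tls.crt` and `tls.key` are empty, so a default install passes template rendering and the ClusterIssuer only fails later when cert-manager tries to load the CA; replacing `default ""` with `required "conf.ca.secret.key must be set when manifests.secret_ca is true" .Values.conf.ca.secret.key` (and the same for `crt`) turns that into an install-time error. The CA private key supplied through values presumably also ends up in Helm's release records, so operators who want it kept out of Helm state can pre-create the Secret in cert-manager's namespace and set `manifests.secret_ca: false`; a two-line comment at the top of the template saying so would document that option.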
+++ b/ca-issuer/Chart.yaml
@@ -16,5 +16,5 @@ appVersion: "1.0"
 description: Certificate Issuer chart for OSH
 home: https://cert-manager.io/
 name: ca-issuer
-version: 0.1.1
+version: 0.1.2
 ...
diff --git a/ca-issuer/templates/issuer-ca.yaml b/ca-issuer/templates/issuer-ca.yaml
index 01af5f337..a93713554 100644
--- a/ca-issuer/templates/issuer-ca.yaml
+++ b/ca-issuer/templates/issuer-ca.yaml
@@ -15,7 +15,7 @@ limitations under the License.
 {{- if .Values.manifests.issuer }}
 {{- $envAll := . }}
 ---
-apiVersion: cert-manager.io/v1alpha3
+apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
 name: {{ .Values.conf.ca.issuer.name }}
diff --git a/helm-toolkit/Chart.yaml b/helm-toolkit/Chart.yaml
index ffb8cf39e..7ece3309f 100644
--- a/helm-toolkit/Chart.yaml
+++ b/helm-toolkit/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Helm-Toolkit
 name: helm-toolkit
-version: 0.2.0
+version: 0.2.1
 home: https://docs.openstack.org/openstack-helm
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
 sources:
diff --git a/helm-toolkit/templates/manifests/_certificates.tpl b/helm-toolkit/templates/manifests/_certificates.tpl
index 3b6ab2b18..68fe583f2 100644
--- a/helm-toolkit/templates/manifests/_certificates.tpl
+++ b/helm-toolkit/templates/manifests/_certificates.tpl
@@ -43,7 +43,7 @@ examples:
 {{ $opts | include "helm-toolkit.manifests.certificates" }}
 return: |
 ---
- apiVersion: cert-manager.io/v1alpha3
+ apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
 name: keystone-tls-api
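Review bot: Switching `apiVersion` to `cert-manager.io/v1` in issuer-ca.yaml (and in the two _certificates.tpl hunks) makes these charts depend on a cert-manager release that serves the v1 API, but nothing in the patch records that minimum and ca-issuer/Chart.yaml and helm-toolkit/Chart.yaml only take patch-level bumps. A one-line template comment above the changed line, `{{/* cert-manager.io/v1 is served by cert-manager >= 1.0; older releases only know v1alpha3 */}}`, or a sentence in the chart description would tell an operator on an older cert-manager why the resource is rejected. The `{{- if .Values.manifests.issuer }}` block opened in this hunk closes outside it.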
@@ -94,7 +94,7 @@ examples:
 {{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
 {{- end -}}
 ---
-apiVersion: cert-manager.io/v1alpha3
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
 name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
diff --git a/helm-toolkit/templates/manifests/_ingress.tpl b/helm-toolkit/templates/manifests/_ingress.tpl
index e2426d3e4..7588c7938 100644
--- a/helm-toolkit/templates/manifests/_ingress.tpl
+++ b/helm-toolkit/templates/manifests/_ingress.tpl
@@ -554,9 +554,9 @@ examples:
 {{- $backendPort := index . "backendPort" -}}
 {{- $endpoint := index . "endpoint" | default "public" -}}
 {{- $certIssuer := index . "certIssuer" | default "" -}}
-{{- $certIssuerType := index . "certIssuerType" | default "issuer" -}}
+{{- $certIssuerType := index . "certIssuerType" | default "cluster-issuer" -}}
 {{- if and (ne $certIssuerType "issuer") (ne $certIssuerType "cluster-issuer") }}
-{{- $certIssuerType = "issuer" -}}
+{{- $certIssuerType = "cluster-issuer" -}}
 {{- end }}
 {{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 {{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
diff --git a/mariadb/Chart.yaml b/mariadb/Chart.yaml
index cf9f6da76..c9f563784 100644
--- a/mariadb/Chart.yaml
+++ b/mariadb/Chart.yaml
@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v10.2.31
 description: OpenStack-Helm MariaDB
 name: mariadb
-version: 0.1.5
+version: 0.1.6
 home: https://mariadb.com/kb/en/
 icon: http://badges.mariadb.org/mariadb-badge-180x60.png
 sources:
diff --git a/mariadb/values_overrides/tls.yaml b/mariadb/values_overrides/tls.yaml
index f89d5e94b..b8da60f89 100644
--- a/mariadb/values_overrides/tls.yaml
+++ b/mariadb/values_overrides/tls.yaml
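Review bot: The fallback on the changed line `{{- $certIssuerType = "cluster-issuer" -}}` in _ingress.tpl still silently rewrites any unrecognised `certIssuerType` (a typo such as `clusterissuer`), but the silent choice is now the cluster-scoped issuer, so a misspelled value ends up requesting certificates from a ClusterIssuer the chart author may never have intended to use; failing loudly with `{{- fail (printf "certIssuerType must be \"issuer\" or \"cluster-issuer\", got %q" $certIssuerType) -}}` would be safer than either default. Changing the `default` from `issuer` to `cluster-issuer` is also a behaviour change for every caller that omits `certIssuerType` and relied on a namespaced Issuer, and the hunk does not document it; the `examples:` section named in the hunk header lies outside the hunk and would be the place to state the new default. The enclosing template definition starts and ends outside the hunk.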
@@ -17,7 +17,7 @@ endpoints:
 secretName: mariadb-tls-direct
 issuerRef:
 name: ca-issuer
- kind: Issuer
+ kind: ClusterIssuer
 manifests:
 certificates: true
 ...
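Review bot: `kind: ClusterIssuer` together with `name: ca-issuer` now depends on a cluster-scoped issuer of exactly that name existing, which matches the default `conf.ca.issuer.name` in the new ca-clusterissuer chart but is no longer something the mariadb release's own namespace provides; a comment above `issuerRef:` such as `# Must match conf.ca.issuer.name of the ca-clusterissuer chart (cluster-scoped, shared by all namespaces)` records the cross-chart dependency. If the namespaced Issuer of the same name from the ca-issuer chart is still deployed alongside, two issuers named `ca-issuer` of different kinds make a wrong `kind` here hard to spot, so either a distinct name for one of them or that comment is worth adding. The `endpoints:` mapping this override belongs to starts outside the hunk.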