Re-enable "feat(tls): Change Issuer to ClusterIssuer""

This reverts commit 8a79d7c51b.

Reason for revert: resolved bug with cluster issuer versioning

Co-authored-by: Sangeet Gupta <sg774j@att.com>

Change-Id: I047cbfaa5aa9e7285a23e603074429180495557d

ca-clusterissuer/Chart.yaml

@@ -0,0 +1,20 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+appVersion: "1.0"
+description: Certificate Issuer chart for OSH
+home: https://cert-manager.io/
+name: ca-clusterissuer
+version: 0.1.0
+...

ca-clusterissuer/requirements.yaml

@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+  - name: helm-toolkit
+    repository: http://localhost:8879/charts
+    version: ">= 0.1.0"
+...

ca-clusterissuer/templates/clusterissuer-ca.yaml

@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.clusterissuer }}
+{{- $envAll := . }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: {{ .Values.conf.ca.issuer.name }}
+  labels:
+{{ tuple $envAll "cert-manager" "clusterissuer" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+  ca:
+    secretName: {{ .Values.conf.ca.secret.name }}
+...
+{{- end }}

ca-clusterissuer/templates/secret-ca.yaml

@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+   http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ca }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Values.conf.ca.secret.name }}
+  namespace: {{ .Values.conf.ca.secret.namespace }}
+data:
+  tls.crt: {{ .Values.conf.ca.secret.crt | default "" | b64enc }}
+  tls.key: {{ .Values.conf.ca.secret.key | default "" | b64enc }}
+...
+{{- end }}

ca-clusterissuer/values.yaml

@@ -0,0 +1,27 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+conf:
+  ca:
+    issuer:
+      name: ca-clusterissuer
+    secret:
+      name: secret-name
+      # Namespace where cert-manager is deployed.
+      namespace: cert-manager
+      crt: null
+      key: null
+
+manifests:
+  clusterissuer: true
+  secret_ca: true
+...

helm-toolkit/Chart.yaml

@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Helm-Toolkit
 name: helm-toolkit
-version: 0.2.4
+version: 0.2.5
 home: https://docs.openstack.org/openstack-helm
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
 sources:

helm-toolkit/templates/manifests/_certificates.tpl

@@ -41,6 +41,54 @@ examples:
     usage: |
       {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
       {{ $opts | include "helm-toolkit.manifests.certificates" }}
+    return: |
+      ---
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: keystone-tls-api
+        namespace: NAMESPACE
+      spec:
+        commonName: keystone-api.openstack.svc.cluster.local
+        dnsNames:
+        - cluster.local
+        duration: 2160h
+        issuerRef:
+          name: ca-issuer
+        keySize: 2048
+        organization:
+        - ACME
+        secretName: keystone-tls-api
+        usages:
+        - server auth
+        - client auth
+
+  - values: |
+      cert_manager_version: v0.15.0
+      endpoints:
+        dashboard:
+          host_fqdn_override:
+            default:
+              host: null
+              tls:
+                secretName: keystone-tls-api
+                issuerRef:
+                  name: ca-issuer
+                  duration: 2160h
+                  organization:
+                    - ACME
+                  commonName: keystone-api.openstack.svc.cluster.local
+                  keySize: 2048
+                  usages:
+                    - server auth
+                    - client auth
+                  dnsNames:
+                    - cluster.local
+                  issuerRef:
+                    name: ca-issuer
+    usage: |
+      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
+      {{ $opts | include "helm-toolkit.manifests.certificates" }}
     return: |
       ---
       apiVersion: cert-manager.io/v1alpha3
@@ -93,8 +141,16 @@ examples:
 {{- if not (hasKey $slice "usages") -}}
 {{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
 {{- end -}}
+{{- $cert_manager_version := "v1.0.0" -}}
+{{- if $envAll.Values.cert_manager_version -}}
+{{- $cert_manager_version = $envAll.Values.cert_manager_version -}}
+{{- end -}}
 ---
+{{- if semverCompare "< v1.0.0"  $cert_manager_version }}
 apiVersion: cert-manager.io/v1alpha3
+{{- else }}
+apiVersion: cert-manager.io/v1
+{{- end }}
 kind: Certificate
 metadata:
   name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}

helm-toolkit/templates/manifests/_ingress.tpl

@@ -220,6 +220,7 @@ examples:
                     serviceName: barbican-api
                     servicePort: b-api
   - values: |
+      cert_issuer_type: issuer
       network:
         api:
           ingress:
@@ -362,7 +363,7 @@ examples:
                 name: ca-issuer
                 kind: ClusterIssuer
     usage: |
-      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" "certIssuer" "cluster-issuer") -}}
+      {{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
     return: |
       ---
       apiVersion: networking.k8s.io/v1beta1
@@ -554,14 +555,14 @@ examples:
 {{- $backendPort := index . "backendPort" -}}
 {{- $endpoint := index . "endpoint" | default "public" -}}
 {{- $certIssuer := index . "certIssuer" | default "" -}}
-{{- $certIssuerType := index . "certIssuerType" | default "issuer" -}}
-{{- if and (ne $certIssuerType "issuer") (ne $certIssuerType "cluster-issuer") }}
-{{- $certIssuerType = "issuer" -}}
-{{- end }}
 {{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 {{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 {{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
 {{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
+{{- $certIssuerType := "cluster-issuer" -}}
+{{- if $envAll.Values.cert_issuer_type }}
+{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
+{{- end }}
 ---
 apiVersion: networking.k8s.io/v1beta1
 kind: Ingress

mariadb/Chart.yaml

@@ -15,7 +15,7 @@ apiVersion: v1
 appVersion: v10.2.31
 description: OpenStack-Helm MariaDB
 name: mariadb
-version: 0.1.7
+version: 0.1.8
 home: https://mariadb.com/kb/en/
 icon: http://badges.mariadb.org/mariadb-badge-180x60.png
 sources:

mariadb/values_overrides/tls.yaml

@@ -17,7 +17,7 @@ endpoints:
           secretName: mariadb-tls-direct
           issuerRef:
             name: ca-issuer
-            kind: Issuer
+            kind: ClusterIssuer
 manifests:
   certificates: true
 ...

releasenotes/notes/ca-clusterissuer.yaml

@@ -0,0 +1,4 @@
+---
+ca-clusterissuer:
+  - 0.1.0 Initial Chart
+...

releasenotes/notes/helm-toolkit.yaml

@@ -11,4 +11,5 @@ helm-toolkit:
   - 0.2.2 Revert Change Issuer to ClusterIssuer
   - 0.2.3 Allow openstack service list to retry in event of keystone connection issues
   - 0.2.4 Added detailed FiXME for ks-service script bug and code changes
+  - 0.2.5 Added logic to support cert-manager versioning
 ...

releasenotes/notes/mariadb.yaml

@@ -8,4 +8,5 @@ mariadb:
   - 0.1.5 Update to container image repo k8s.gcr.io
   - 0.1.6 Change Issuer to ClusterIssuer
   - 0.1.7 Revert - Change Issuer to ClusterIssuer
+  - 0.1.8 Change Issuer to ClusterIssuer with logic in place to support cert-manager versioning
 ...