6ee06562c8
This reverts commit 8a79d7c51bdeec35d12194fe39672036c8bb1a5c. Reason for revert: resolved bug with cluster issuer versioning. Co-authored-by: Sangeet Gupta <sg774j@att.com> Change-Id: I047cbfaa5aa9e7285a23e603074429180495557d
{{/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
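{{/*
abstract: |
  Creates a cert-manager (jetstack) Certificate manifest for one service
  endpoint. The Certificate spec is taken from
  endpoints.<service>.host_fqdn_override.default.tls in values.yaml; any
  of dnsNames, keySize, duration, renewBefore and usages that is missing
  there is filled with a default before rendering. The defaults are written
  back into that values mapping (Sprig set mutates it in place), and the
  whole mapping is then copied verbatim into spec:, so only Certificate
  spec fields should be kept under tls.
  Parameters (passed as a dict): envAll is the chart root context (needs
  .Values.endpoints and .Release); service is the key under
  .Values.endpoints whose tls block is used; type is the endpoint type used
  for the hostname lookup when dnsNames is not given (optional, default "").
  If .Values.cert_manager_version is set and is below v1.0.0 the
  cert-manager.io/v1alpha3 API is rendered, otherwise cert-manager.io/v1.
examples:
  - values: |
      endpoints:
        dashboard:
          host_fqdn_override:
            default:
              host: null
              tls:
                secretName: keystone-tls-api
                issuerRef:
                  name: ca-issuer
                duration: 2160h
                organization:
                  - ACME
                commonName: keystone-api.openstack.svc.cluster.local
                keySize: 2048
                usages:
                  - server auth
                  - client auth
                dnsNames:
                  - cluster.local
    usage: |
      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
      {{ $opts | include "helm-toolkit.manifests.certificates" }}
    return: |
      ---
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: keystone-tls-api
        namespace: NAMESPACE
      spec:
        commonName: keystone-api.openstack.svc.cluster.local
        dnsNames:
          - cluster.local
        duration: 2160h
        issuerRef:
          name: ca-issuer
        keySize: 2048
        organization:
          - ACME
        renewBefore: 360h
        secretName: keystone-tls-api
        usages:
          - server auth
          - client auth

  - values: |
      cert_manager_version: v0.15.0
      endpoints:
        dashboard:
          host_fqdn_override:
            default:
              host: null
              tls:
                secretName: keystone-tls-api
                issuerRef:
                  name: ca-issuer
                duration: 2160h
                organization:
                  - ACME
                commonName: keystone-api.openstack.svc.cluster.local
                keySize: 2048
                usages:
                  - server auth
                  - client auth
                dnsNames:
                  - cluster.local
    usage: |
      {{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
      {{ $opts | include "helm-toolkit.manifests.certificates" }}
    return: |
      ---
      apiVersion: cert-manager.io/v1alpha3
      kind: Certificate
      metadata:
        name: keystone-tls-api
        namespace: NAMESPACE
      spec:
        commonName: keystone-api.openstack.svc.cluster.local
        dnsNames:
          - cluster.local
        duration: 2160h
        issuerRef:
          name: ca-issuer
        keySize: 2048
        organization:
          - ACME
        renewBefore: 360h
        secretName: keystone-tls-api
        usages:
          - server auth
          - client auth
*/}}

{{- define "helm-toolkit.manifests.certificates" -}}
{{- $envAll := index . "envAll" -}}
{{- $service := index . "service" -}}
{{- $type := index . "type" | default "" -}}
{{- /* $slice is the live tls mapping from values.yaml, not a copy: every
       set below mutates it in place (Sprig set), which is why the defaults
       appear in the spec rendered at the end and stay visible to anything
       else that reads this endpoint's tls block later in the same render. */ -}}
{{- $slice := index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" -}}
{{- /* Fill in sensible defaults for anything values.yaml does not provide. */ -}}
{{- /* dnsNames: when not given, derive it from the short service hostname
       for the requested endpoint type: name, name.namespace and
       name.namespace.svc.<cluster_domain_suffix>. Callers that resolve the
       URI with another HTK helper can pass dnsNames through values instead. */ -}}
{{- if not (hasKey $slice "dnsNames") -}}
{{- $hostName := tuple $service $type $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" -}}
{{- $dnsNames := list $hostName (printf "%s.%s" $hostName $envAll.Release.Namespace) (printf "%s.%s.svc.%s" $hostName $envAll.Release.Namespace $envAll.Values.endpoints.cluster_domain_suffix) -}}
{{- $_ := set $slice "dnsNames" $dnsNames -}}
{{- end -}}
{{- /* Default keySize to 4096. This can be overridden.
       NOTE(review): cert-manager v1 expresses the key size as
       spec.privateKey.size; confirm keySize is still honoured by the API
       version being targeted. */ -}}
{{- if not (hasKey $slice "keySize") -}}
{{- $_ := set $slice "keySize" 4096 -}}
{{- end -}}
{{- /* Default duration to 3 months (2190h). Note the min is 720h. This can be overridden. */ -}}
{{- if not (hasKey $slice "duration") -}}
{{- $_ := set $slice "duration" "2190h" -}}
{{- end -}}
{{- /* Default renewBefore to 15 days (360h). This can be overridden. */ -}}
{{- if not (hasKey $slice "renewBefore") -}}
{{- $_ := set $slice "renewBefore" "360h" -}}
{{- end -}}
{{- /* Default the usages to server auth and client auth. This can be overridden. */ -}}
{{- if not (hasKey $slice "usages") -}}
{{- $_ := set $slice "usages" (list "server auth" "client auth") -}}
{{- end -}}
{{- /* cert-manager releases below v1.0.0 are addressed through the v1alpha3
       API; anything newer, or an unset cert_manager_version, gets v1. */ -}}
{{- $cert_manager_version := "v1.0.0" -}}
{{- if $envAll.Values.cert_manager_version -}}
{{- $cert_manager_version = $envAll.Values.cert_manager_version -}}
{{- end -}}
---
{{- if semverCompare "< v1.0.0" $cert_manager_version }}
apiVersion: cert-manager.io/v1alpha3
{{- else }}
apiVersion: cert-manager.io/v1
{{- end }}
kind: Certificate
metadata:
  name: {{ index $slice "secretName" }}
  namespace: {{ $envAll.Release.Namespace }}
{{- /* The whole tls mapping (secretName, issuerRef, the defaults set above
       and anything else placed under tls) becomes the Certificate spec, so
       keep only Certificate spec fields there. */}}
spec:
{{ $slice | toYaml | indent 2 }}
{{- end -}}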