Re-enable "feat(tls): Change Issuer to ClusterIssuer""
This reverts commit 8a79d7c51b.
Reason for revert: resolved bug with cluster issuer versioning
Co-authored-by: Sangeet Gupta <sg774j@att.com>
Change-Id: I047cbfaa5aa9e7285a23e603074429180495557d
parent
42cc7d152b
commit
6ee06562c8
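--- a/ca-clusterissuer/Chart.yaml
+++ b/ca-clusterissuer/Chart.yaml
@@ -0,0 +1,20 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+apiVersion: v1
+appVersion: "1.0"
+description: Certificate Issuer chart for OSH
+home: https://cert-manager.io/
+name: ca-clusterissuer
+version: 0.1.0
+...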
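--- a/ca-clusterissuer/requirements.yaml
+++ b/ca-clusterissuer/requirements.yaml
@@ -0,0 +1,18 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+---
+dependencies:
+- name: helm-toolkit
+repository: http://localhost:8879/charts
+version: ">= 0.1.0"
+...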
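--- a/ca-clusterissuer/templates/clusterissuer-ca.yaml
+++ b/ca-clusterissuer/templates/clusterissuer-ca.yaml
@@ -0,0 +1,28 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.clusterissuer }}
+{{- $envAll := . }}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+name: {{ .Values.conf.ca.issuer.name }}
+labels:
+{{ tuple $envAll "cert-manager" "clusterissuer" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
+spec:
+ca:
+secretName: {{ .Values.conf.ca.secret.name }}
+...
+{{- end }}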
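Review bot: `kind: ClusterIssuer` makes this CA usable from every namespace, so anyone allowed to create `Certificate` resources anywhere in the cluster can obtain certificates signed by the key behind `secretName`, and nothing in the template says so. I would add a comment above `spec:` such as `# Cluster-scoped: every namespace can request certificates from this CA; limit who may create Certificate resources with RBAC.` Separately, `name:` and `secretName:` render their values unquoted; `{{ .Values.conf.ca.issuer.name | quote }}` keeps an empty or boolean-looking override from changing type when the rendered YAML is parsed.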
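--- a/ca-clusterissuer/templates/secret-ca.yaml
+++ b/ca-clusterissuer/templates/secret-ca.yaml
@@ -0,0 +1,26 @@
+{{/*
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if .Values.manifests.secret_ca }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+name: {{ .Values.conf.ca.secret.name }}
+namespace: {{ .Values.conf.ca.secret.namespace }}
+data:
+tls.crt: {{ .Values.conf.ca.secret.crt | default "" | b64enc }}
+tls.key: {{ .Values.conf.ca.secret.key | default "" | b64enc }}
+...
+{{- end }}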
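Review bot: With the chart defaults (`crt: null`, `key: null`, `secret_ca: true`) the `default "" | b64enc` pipelines on `tls.crt` and `tls.key` render a Secret holding two empty strings, so the ClusterIssuer is created against a CA that cannot sign and the mistake only surfaces later inside cert-manager. Failing at render time is safer: `tls.key: {{ required "conf.ca.secret.key must be set" .Values.conf.ca.secret.key | b64enc }}`, and the same for `tls.crt`. The Secret also declares no `type:`; `type: kubernetes.io/tls` would state what it holds. Because the CA private key arrives through chart values, it is also kept in the Helm release record, which deserves a comment in this template.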
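--- a/ca-clusterissuer/values.yaml
+++ b/ca-clusterissuer/values.yaml
@@ -0,0 +1,27 @@
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+---
+conf:
+ca:
+issuer:
+name: ca-clusterissuer
+secret:
+name: secret-name
+# Namespace where cert-manager is deployed.
+namespace: cert-manager
+crt: null
+key: null
+
+manifests:
+clusterissuer: true
+secret_ca: true
+...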
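Review bot: `crt` and `key` under `conf.ca.secret` carry no comment, although `key` is the CA private key and the secret template base64-encodes whatever is supplied. I would add above `crt: null` the comment `# PEM-encoded CA certificate and private key, given unencoded; supply them from an override file that is not committed.` `name: secret-name` reads like a placeholder, so a comment saying it must be overridden would keep deployments from sharing an accidental Secret name.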
@ -15,7 +15,7 @@ apiVersion: v1
|
||||
appVersion: v1.0.0
|
||||
description: OpenStack-Helm Helm-Toolkit
|
||||
name: helm-toolkit
|
||||
version: 0.2.4
|
||||
version: 0.2.5
|
||||
home: https://docs.openstack.org/openstack-helm
|
||||
icon: https://www.openstack.org/themes/openstack/images/project-mascots/OpenStack-Helm/OpenStack_Project_OpenStackHelm_vertical.png
|
||||
sources:
|
||||
|
@ -41,6 +41,54 @@ examples:
|
||||
usage: |
|
||||
{{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
|
||||
{{ $opts | include "helm-toolkit.manifests.certificates" }}
|
||||
return: |
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: keystone-tls-api
|
||||
namespace: NAMESPACE
|
||||
spec:
|
||||
commonName: keystone-api.openstack.svc.cluster.local
|
||||
dnsNames:
|
||||
- cluster.local
|
||||
duration: 2160h
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
keySize: 2048
|
||||
organization:
|
||||
- ACME
|
||||
secretName: keystone-tls-api
|
||||
usages:
|
||||
- server auth
|
||||
- client auth
|
||||
|
||||
- values: |
|
||||
cert_manager_version: v0.15.0
|
||||
endpoints:
|
||||
dashboard:
|
||||
host_fqdn_override:
|
||||
default:
|
||||
host: null
|
||||
tls:
|
||||
secretName: keystone-tls-api
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
duration: 2160h
|
||||
organization:
|
||||
- ACME
|
||||
commonName: keystone-api.openstack.svc.cluster.local
|
||||
keySize: 2048
|
||||
usages:
|
||||
- server auth
|
||||
- client auth
|
||||
dnsNames:
|
||||
- cluster.local
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
usage: |
|
||||
{{- $opts := dict "envAll" . "service" "dashboard" "type" "internal" -}}
|
||||
{{ $opts | include "helm-toolkit.manifests.certificates" }}
|
||||
return: |
|
||||
---
|
||||
apiVersion: cert-manager.io/v1alpha3
|
||||
@ -93,8 +141,16 @@ examples:
|
||||
{{- if not (hasKey $slice "usages") -}}
|
||||
{{- $_ := (list "server auth" "client auth") | set (index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls") "usages" -}}
|
||||
{{- end -}}
|
||||
{{- $cert_manager_version := "v1.0.0" -}}
|
||||
{{- if $envAll.Values.cert_manager_version -}}
|
||||
{{- $cert_manager_version = $envAll.Values.cert_manager_version -}}
|
||||
{{- end -}}
|
||||
---
|
||||
{{- if semverCompare "< v1.0.0" $cert_manager_version }}
|
||||
apiVersion: cert-manager.io/v1alpha3
|
||||
{{- else }}
|
||||
apiVersion: cert-manager.io/v1
|
||||
{{- end }}
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: {{ index $envAll.Values.endpoints $service "host_fqdn_override" "default" "tls" "secretName" }}
|
||||
|
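Review bot: Only `apiVersion` is switched on `semverCompare "< v1.0.0" $cert_manager_version`, yet the `cert-manager.io/v1` example in the first hunk still returns `keySize: 2048` and `organization:`, which the v1 API renamed to `privateKey.size` and `subject.organizations`. If the spec is rendered from the `tls` values unchanged (that part of the template is outside the hunk), a v1 Certificate would carry fields the v1 schema does not define, and the requested key size and organization may be dropped or rejected. Either translate those keys in the `else` branch or state in the example that v1 callers must use the new names. `semverCompare` also aborts rendering on a value that is not valid semver, so a comment on `cert_manager_version` giving the expected form (`v0.15.0`) would help.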
@ -220,6 +220,7 @@ examples:
|
||||
serviceName: barbican-api
|
||||
servicePort: b-api
|
||||
- values: |
|
||||
cert_issuer_type: issuer
|
||||
network:
|
||||
api:
|
||||
ingress:
|
||||
@ -362,7 +363,7 @@ examples:
|
||||
name: ca-issuer
|
||||
kind: ClusterIssuer
|
||||
usage: |
|
||||
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer" "certIssuer" "cluster-issuer") -}}
|
||||
{{- include "helm-toolkit.manifests.ingress" ( dict "envAll" . "backendServiceType" "key-manager" "backendPort" "b-api" "endpoint" "public" "certIssuer" "ca-issuer") -}}
|
||||
return: |
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
@ -554,14 +555,14 @@ examples:
|
||||
{{- $backendPort := index . "backendPort" -}}
|
||||
{{- $endpoint := index . "endpoint" | default "public" -}}
|
||||
{{- $certIssuer := index . "certIssuer" | default "" -}}
|
||||
{{- $certIssuerType := index . "certIssuerType" | default "issuer" -}}
|
||||
{{- if and (ne $certIssuerType "issuer") (ne $certIssuerType "cluster-issuer") }}
|
||||
{{- $certIssuerType = "issuer" -}}
|
||||
{{- end }}
|
||||
{{- $ingressName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
{{- $backendName := tuple $backendServiceType "internal" $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
{{- $hostName := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_short_endpoint_lookup" }}
|
||||
{{- $hostNameFull := tuple $backendServiceType $endpoint $envAll | include "helm-toolkit.endpoints.hostname_fqdn_endpoint_lookup" }}
|
||||
{{- $certIssuerType := "cluster-issuer" -}}
|
||||
{{- if $envAll.Values.cert_issuer_type }}
|
||||
{{- $certIssuerType = $envAll.Values.cert_issuer_type }}
|
||||
{{- end }}
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1beta1
|
||||
kind: Ingress
|
||||
|
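Review bot: The `$certIssuerType` block that reads `$envAll.Values.cert_issuer_type` has no allow-list check, whereas the `index . "certIssuerType"` block printed above it (which the hunk counts suggest is the removed side) reset anything other than `issuer` or `cluster-issuer`. How the value is consumed is outside the hunk, but if it builds the cert-manager annotation name, a typo would yield an annotation cert-manager does not recognise and an Ingress without a certificate, with no error. I would keep the check and fail loudly: `{{- if and (ne $certIssuerType "issuer") (ne $certIssuerType "cluster-issuer") }}{{- fail "cert_issuer_type must be issuer or cluster-issuer" }}{{- end }}`. The default also moves from `issuer` to `cluster-issuer` and the per-call `certIssuerType` argument is no longer read, which deserves a line in the template's doc comment.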
@ -15,7 +15,7 @@ apiVersion: v1
|
||||
appVersion: v10.2.31
|
||||
description: OpenStack-Helm MariaDB
|
||||
name: mariadb
|
||||
version: 0.1.7
|
||||
version: 0.1.8
|
||||
home: https://mariadb.com/kb/en/
|
||||
icon: http://badges.mariadb.org/mariadb-badge-180x60.png
|
||||
sources:
|
||||
|
@ -17,7 +17,7 @@ endpoints:
|
||||
secretName: mariadb-tls-direct
|
||||
issuerRef:
|
||||
name: ca-issuer
|
||||
kind: Issuer
|
||||
kind: ClusterIssuer
|
||||
manifests:
|
||||
certificates: true
|
||||
...
|
||||
|
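--- a/releasenotes/notes/ca-clusterissuer.yaml
+++ b/releasenotes/notes/ca-clusterissuer.yaml
@@ -0,0 +1,4 @@
+---
+ca-clusterissuer:
+- 0.1.0 Initial Chart
+...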
@ -11,4 +11,5 @@ helm-toolkit:
|
||||
- 0.2.2 Revert Change Issuer to ClusterIssuer
|
||||
- 0.2.3 Allow openstack service list to retry in event of keystone connection issues
|
||||
- 0.2.4 Added detailed FiXME for ks-service script bug and code changes
|
||||
- 0.2.5 Added logic to support cert-manager versioning
|
||||
...
|
||||
|
@ -8,4 +8,5 @@ mariadb:
|
||||
- 0.1.5 Update to container image repo k8s.gcr.io
|
||||
- 0.1.6 Change Issuer to ClusterIssuer
|
||||
- 0.1.7 Revert - Change Issuer to ClusterIssuer
|
||||
- 0.1.8 Change Issuer to ClusterIssuer with logic in place to support cert-manager versioning
|
||||
...
|
||||
|