{{/*#
# Copyright © 2020-2021, Nokia
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.*/}}
{{/*
# This is a template for requesting a certificate from cert-manager (https://cert-manager.io).
#
# To request a certificate, the following steps are needed:
# - create a 'certificates' object in values.yaml
# - create the file templates/certificates.yaml and invoke the named template "certManagerCertificate.certificate".
#
# Here is an example of the certificate request for a component:
#
# Directory structure:
# component
#   templates
#     certificates.yaml
#   values.yaml
#
# To be added in the file certificates.yaml: the invocation of "certManagerCertificate.certificate" (step 2 above)
#
# To be added in the file values.yaml
# 1. Minimal version (certificates only in PEM format)
# certificates:
#   - commonName: component.onap.org
#
# 2. Extended version (with its own issuer and additional keystore formats):
# certificates:
#   - name: onap-component-certificate
#     secretName: onap-component-certificate
#     commonName: component.onap.org
#     dnsNames:
#       - component.onap.org
#     issuer:
#       group: certmanager.onap.org
#       kind: CMPv2Issuer
#       name: cmpv2-issuer-for-the-component
#     keystore:
#       outputType:
#         - p12
#         - jks
#       passwordSecretRef:
#         name: secret-name
#         key: secret-key
#
# Fields 'name', 'secretName' and 'commonName' are mandatory and must be defined.
# Other mandatory fields of the certificate definition do not have to be set directly;
# when omitted they are taken from the default values.
#
# Default values are defined in the file onap/values.yaml (see global.certificate.default)
# and can be overridden during the ONAP installation process.
#
*/}}
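{{- define "certManagerCertificate.certificate" -}}
{{/*
Renders, for every entry of .Values.certificates, one cert-manager Certificate
document and, when the entry defines 'keystore', one Opaque Secret holding the
keystore password that spec.keystores.*.passwordSecretRef points at.

Context: the chart root (.) or a dict with "dot" (chart root) and an optional
"initRoot" (defaults to .Values.certManagerCertificate) whose .global is merged
under .Values.global to obtain global.certificate.default.

Per entry only 'commonName' is required; 'name' and 'secretName' default to
"<fullname>-cert-<i>" / "<fullname>-secret-<i>". 'renewBefore', 'duration',
'subject' and 'issuer' fall back to global.certificate.default; a per-entry
'subject' or 'issuer' replaces the default one wholesale (no field-level merge),
so every subject field has to be given when overriding.

User-supplied scalars are rendered through `quote`, so values that reach the
template as strings (a country code "NO", an all-digit name, ...) are emitted as
strings instead of being retyped by the YAML parser of the manifest.
Every document starts with its own "---", so the include can be placed directly
in templates/certificates.yaml.
*/}}
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
{{- $certificates := $dot.Values.certificates -}}
{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
{{- $namespace := $dot.Release.Namespace -}}
{{- /* Loop-invariant: the chart full name does not depend on the entry. */ -}}
{{- $name := include "common.fullname" $dot -}}
{{- range $i, $certificate := $certificates -}}
{{- $defaults := $subchartGlobal.certificate.default -}}
{{- /* General certificate attributes */ -}}
{{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}}
{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
{{- $commonName := required "'commonName' for Certificate is required." $certificate.commonName -}}
{{- $renewBefore := default $defaults.renewBefore $certificate.renewBefore -}}
{{- $duration := default $defaults.duration $certificate.duration -}}
{{- /* Subject and issuer: a per-certificate value replaces the default wholesale. */ -}}
{{- $subject := default $defaults.subject $certificate.subject -}}
{{- $issuer := default $defaults.issuer $certificate.issuer -}}
{{- if $certificate.keystore }}
{{- $passwordSecretRef := required "'keystore.passwordSecretRef' (name and key) is required when 'keystore' is set." $certificate.keystore.passwordSecretRef -}}
{{- /* NOTE(review): whether common.createPassword yields a random value or one
       derived from release data is decided in the common chart, not here;
       confirm before relying on this password for secrecy. The value is written
       via stringData, so it is visible in clear in the rendered manifest
       (helm get manifest) - restrict access to it accordingly. */ -}}
{{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) }}
---
apiVersion: v1
kind: Secret
metadata:
  name: {{ required "'keystore.passwordSecretRef.name' is required." $passwordSecretRef.name | quote }}
  namespace: {{ $namespace | quote }}
type: Opaque
stringData:
  {{ required "'keystore.passwordSecretRef.key' is required." $passwordSecretRef.key | quote }}: {{ $password | quote }}
{{- end }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ $certName | quote }}
  namespace: {{ $namespace | quote }}
spec:
  secretName: {{ $secretName | quote }}
  commonName: {{ $commonName | quote }}
  renewBefore: {{ $renewBefore | quote }}
  {{- if $duration }}
  duration: {{ $duration | quote }}
  {{- end }}
  {{- /* All five subject fields are always emitted; an empty one renders as null. */ -}}
  {{- "" }}
  subject:
    organizations:
      - {{ $subject.organization | quote }}
    countries:
      - {{ $subject.country | quote }}
    localities:
      - {{ $subject.locality | quote }}
    provinces:
      - {{ $subject.province | quote }}
    organizationalUnits:
      - {{ $subject.organizationalUnit | quote }}
  {{- /* Subject alternative names: each list is emitted only when configured. */ -}}
  {{- with $certificate.dnsNames }}
  dnsNames:
    {{- range . }}
    - {{ . | quote }}
    {{- end }}
  {{- end }}
  {{- with $certificate.ipAddresses }}
  ipAddresses:
    {{- range . }}
    - {{ . | quote }}
    {{- end }}
  {{- end }}
  {{- with $certificate.uris }}
  uris:
    {{- range . }}
    - {{ . | quote }}
    {{- end }}
  {{- end }}
  {{- with $certificate.emailAddresses }}
  emailAddresses:
    {{- range . }}
    - {{ . | quote }}
    {{- end }}
  {{- end }}
  issuerRef:
    group: {{ $issuer.group | quote }}
    kind: {{ $issuer.kind | quote }}
    name: {{ $issuer.name | quote }}
  {{- if $certificate.keystore }}
  {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef }}
  keystores:
    {{- range $outputType := $certificate.keystore.outputType }}
    {{- /* values.yaml names the type by file suffix ("p12"); the cert-manager field is
           "pkcs12". cert-manager v1 accepts only "jks" and "pkcs12" under keystores,
           so any other outputType is rejected by the API, not by this template. */ -}}
    {{- if eq $outputType "p12" }}
    {{- $outputType = "pkcs12" }}
    {{- end }}
    {{ $outputType }}:
      create: true
      passwordSecretRef:
        name: {{ $passwordSecretRef.name | quote }}
        key: {{ $passwordSecretRef.key | quote }}
    {{- end }}
  {{- end }}
{{- end }}
{{- end -}}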
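{{- define "common.certManager.volumeMounts" -}}
{{/*
Renders one volumeMounts list entry per .Values.certificates element, mounting
the projected volume "certmanager-certs-volume-<i>" (see
"common.certManager.volumes") at the entry's 'mountPath', which is required.

Context: the chart root (.) or a dict with "dot" (chart root); an "initRoot"
key, if present, is ignored here.

Entries are separated by a newline: without it the "- mountPath:" of the next
certificate would be appended to the "name:" line of the previous one, which is
not valid YAML once more than one certificate is configured. The first entry has
no leading newline, so single-certificate output is unchanged.
*/}}
{{- $dot := default . .dot -}}
{{- range $i, $certificate := $dot.Values.certificates -}}
{{- if $i }}
{{ end -}}
- mountPath: {{ required (printf "'mountPath' is required for certificate %d." $i) $certificate.mountPath | quote }}
  name: certmanager-certs-volume-{{ $i }}
{{- end -}}
{{- end -}}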
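{{- define "common.certManager.volumes" -}}
{{/*
Renders one projected volume per .Values.certificates element, named
"certmanager-certs-volume-<i>" to match "common.certManager.volumeMounts".
The volume projects the certificate Secret (the entry's 'secretName', or
"<fullname>-secret-<i>" by default) and, when 'keystore' is configured, only
the keystore/truststore files of each configured outputType plus the keystore
password Secret as keystore.pass / truststore.pass.

Context: the chart root (.) or a dict with "dot" (chart root); an "initRoot"
key, if present, is ignored here.

Entries are separated by a newline: without it the "- name:" of the next
certificate would be appended to the last line of the previous entry, which is
not valid YAML once more than one certificate is configured. The first entry has
no leading newline, so single-certificate output is unchanged.
*/}}
{{- $dot := default . .dot -}}
{{- $certificates := $dot.Values.certificates -}}
{{- /* Loop-invariant: the chart full name does not depend on the entry. */ -}}
{{- $name := include "common.fullname" $dot -}}
{{- range $i, $certificate := $certificates -}}
{{- if $i }}
{{ end -}}
{{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
- name: certmanager-certs-volume-{{ $i }}
  projected:
    sources:
      - secret:
          name: {{ $certificatesSecretName | quote }}
          {{- if $certificate.keystore }}
          {{- $passwordSecretRef := required "'keystore.passwordSecretRef' (name and key) is required when 'keystore' is set." $certificate.keystore.passwordSecretRef -}}
          {{- /* cert-manager stores each keystore under keystore.<type> / truststore.<type>,
                 where <type> is the file suffix ("p12", "jks") used in values.yaml. */ }}
          items:
            {{- range $outputType := $certificate.keystore.outputType }}
            - key: keystore.{{ $outputType }}
              path: keystore.{{ $outputType }}
            - key: truststore.{{ $outputType }}
              path: truststore.{{ $outputType }}
            {{- end }}
      - secret:
          name: {{ required "'keystore.passwordSecretRef.name' is required." $passwordSecretRef.name | quote }}
          items:
            - key: {{ required "'keystore.passwordSecretRef.key' is required." $passwordSecretRef.key | quote }}
              path: keystore.pass
            - key: {{ $passwordSecretRef.key | quote }}
              path: truststore.pass
          {{- end }}
{{- end -}}
{{- end -}}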