Piotr Marcinkiewicz | 5957101 | 2021-01-12 17:37:08 +0100 | [diff] [blame] | 1 | {{/*# |
| 2 | # Copyright © 2020-2021, Nokia |
| 3 | # |
| 4 | # Licensed under the Apache License, Version 2.0 (the "License"); |
| 5 | # you may not use this file except in compliance with the License. |
| 6 | # You may obtain a copy of the License at |
| 7 | # |
| 8 | # http://www.apache.org/licenses/LICENSE-2.0 |
| 9 | # |
| 10 | # Unless required by applicable law or agreed to in writing, software |
| 11 | # distributed under the License is distributed on an "AS IS" BASIS, |
| 12 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 13 | # See the License for the specific language governing permissions and |
| 14 | # limitations under the License.*/}} |
| 15 | |
| 16 | {{/* |
| 17 | # This is a template for requesting a certificate from the cert-manager (https://cert-manager.io). |
| 18 | # |
| 19 | # To request a certificate following steps are to be done: |
| 20 | # - create an object 'certificates' in the values.yaml |
| 21 | # - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate". |
| 22 | # |
| 23 | # Here is an example of the certificate request for a component: |
| 24 | # |
| 25 | # Directory structure: |
| 26 | # component |
| 27 | # templates |
| 28 | # certifictes.yaml |
| 29 | # values.yaml |
| 30 | # |
| 31 | # To be added in the file certificates.yamll |
| 32 | # |
| 33 | # To be added in the file values.yaml |
| 34 | # 1. Minimal version (certificates only in PEM format) |
| 35 | # certificates: |
| 36 | # - commonName: component.onap.org |
| 37 | # |
| 38 | # 2. Extended version (with defined own issuer and additional certificate format): |
| 39 | # certificates: |
| 40 | # - name: onap-component-certificate |
| 41 | # secretName: onap-component-certificate |
| 42 | # commonName: component.onap.org |
| 43 | # dnsNames: |
| 44 | # - component.onap.org |
| 45 | # issuer: |
| 46 | # group: certmanager.onap.org |
| 47 | # kind: CMPv2Issuer |
| 48 | # name: cmpv2-issuer-for-the-component |
| 49 | # keystore: |
| 50 | # outputType: |
| 51 | # - p12 |
| 52 | # - jks |
| 53 | # passwordSecretRef: |
| 54 | # name: secret-name |
| 55 | # key: secret-key |
| 56 | # |
| 57 | # Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined. |
| 58 | # Other mandatory fields for the certificate definition do not have to be defined directly, |
| 59 | # in that case they will be taken from default values. |
| 60 | # |
| 61 | # Default values are defined in file onap/values.yaml (see-> global.certificate.default) |
| 62 | # and can be overriden during onap installation process. |
| 63 | # |
| 64 | */}} |
| 65 | |
| 66 | {{- define "certManagerCertificate.certificate" -}} |
| 67 | {{- $dot := default . .dot -}} |
| 68 | {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} |
| 69 | |
| 70 | {{- $certificates := $dot.Values.certificates -}} |
| 71 | {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global }} |
| 72 | |
| 73 | {{ range $i, $certificate := $certificates }} |
| 74 | {{/*# General certifiacate attributes #*/}} |
| 75 | {{- $name := include "common.fullname" $dot -}} |
| 76 | {{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}} |
| 77 | {{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} |
| 78 | {{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}} |
| 79 | {{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}} |
| 80 | {{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}} |
| 81 | {{- $namespace := $dot.Release.Namespace -}} |
| 82 | {{/*# SAN's #*/}} |
| 83 | {{- $dnsNames := $certificate.dnsNames -}} |
| 84 | {{- $ipAddresses := $certificate.ipAddresses -}} |
| 85 | {{- $uris := $certificate.uris -}} |
| 86 | {{- $emailAddresses := $certificate.emailAddresses -}} |
| 87 | {{/*# Subject #*/}} |
| 88 | {{- $subject := $subchartGlobal.certificate.default.subject -}} |
| 89 | {{- if $certificate.subject -}} |
| 90 | {{- $subject = $certificate.subject -}} |
| 91 | {{- end -}} |
| 92 | {{/*# Issuer #*/}} |
| 93 | {{- $issuer := $subchartGlobal.certificate.default.issuer -}} |
| 94 | {{- if $certificate.issuer -}} |
| 95 | {{- $issuer = $certificate.issuer -}} |
| 96 | {{- end -}} |
| 97 | --- |
| 98 | {{- if $certificate.keystore }} |
| 99 | {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}} |
| 100 | {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }} |
| 101 | apiVersion: v1 |
| 102 | kind: Secret |
| 103 | metadata: |
| 104 | name: {{ $passwordSecretRef.name }} |
| 105 | namespace: {{ $namespace }} |
| 106 | type: Opaque |
| 107 | stringData: |
| 108 | {{ $passwordSecretRef.key }}: {{ $password }} |
| 109 | {{- end }} |
| 110 | --- |
| 111 | apiVersion: cert-manager.io/v1 |
| 112 | kind: Certificate |
| 113 | metadata: |
| 114 | name: {{ $certName }} |
| 115 | namespace: {{ $namespace }} |
| 116 | spec: |
| 117 | secretName: {{ $secretName }} |
| 118 | commonName: {{ $commonName }} |
| 119 | renewBefore: {{ $renewBefore }} |
| 120 | {{- if $duration }} |
| 121 | duration: {{ $duration }} |
| 122 | {{- end }} |
| 123 | subject: |
| 124 | organizations: |
| 125 | - {{ $subject.organization }} |
| 126 | countries: |
| 127 | - {{ $subject.country }} |
| 128 | localities: |
| 129 | - {{ $subject.locality }} |
| 130 | provinces: |
| 131 | - {{ $subject.province }} |
| 132 | organizationalUnits: |
| 133 | - {{ $subject.organizationalUnit }} |
| 134 | {{- if $dnsNames }} |
| 135 | dnsNames: |
| 136 | {{- range $dnsName := $dnsNames }} |
| 137 | - {{ $dnsName }} |
| 138 | {{- end }} |
| 139 | {{- end }} |
| 140 | {{- if $ipAddresses }} |
| 141 | ipAddresses: |
| 142 | {{- range $ipAddress := $ipAddresses }} |
| 143 | - {{ $ipAddress }} |
| 144 | {{- end }} |
| 145 | {{- end }} |
| 146 | {{- if $uris }} |
| 147 | uris: |
| 148 | {{- range $uri := $uris }} |
| 149 | - {{ $uri }} |
| 150 | {{- end }} |
| 151 | {{- end }} |
| 152 | {{- if $emailAddresses }} |
| 153 | emailAddresses: |
| 154 | {{- range $emailAddress := $emailAddresses }} |
| 155 | - {{ $emailAddress }} |
| 156 | {{- end }} |
| 157 | {{- end }} |
| 158 | issuerRef: |
| 159 | group: {{ $issuer.group }} |
| 160 | kind: {{ $issuer.kind }} |
| 161 | name: {{ $issuer.name }} |
| 162 | {{- if $certificate.keystore }} |
| 163 | keystores: |
| 164 | {{- range $outputType := $certificate.keystore.outputType }} |
| 165 | {{- if eq $outputType "p12" }} |
| 166 | {{- $outputType = "pkcs12" }} |
| 167 | {{- end }} |
| 168 | {{ $outputType }}: |
| 169 | create: true |
| 170 | passwordSecretRef: |
| 171 | name: {{ $certificate.keystore.passwordSecretRef.name }} |
| 172 | key: {{ $certificate.keystore.passwordSecretRef.key }} |
| 173 | {{- end }} |
| 174 | {{- end }} |
| 175 | {{ end }} |
| 176 | {{- end -}} |
| 177 | |
| 178 | {{- define "common.certManager.volumeMounts" -}} |
| 179 | {{- $dot := default . .dot -}} |
| 180 | {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} |
| 181 | {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} |
| 182 | {{- range $i, $certificate := $dot.Values.certificates -}} |
| 183 | {{- $mountPath := $certificate.mountPath -}} |
| 184 | - mountPath: {{ $mountPath }} |
| 185 | name: certmanager-certs-volume-{{ $i }} |
| 186 | {{- end -}} |
| 187 | {{- end -}} |
| 188 | |
| 189 | {{- define "common.certManager.volumes" -}} |
| 190 | {{- $dot := default . .dot -}} |
| 191 | {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}} |
| 192 | {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}} |
| 193 | {{- $certificates := $dot.Values.certificates -}} |
| 194 | {{- range $i, $certificate := $certificates -}} |
| 195 | {{- $name := include "common.fullname" $dot -}} |
| 196 | {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}} |
| 197 | - name: certmanager-certs-volume-{{ $i }} |
| 198 | projected: |
| 199 | sources: |
| 200 | - secret: |
| 201 | name: {{ $certificatesSecretName }} |
| 202 | {{- if $certificate.keystore }} |
| 203 | items: |
| 204 | {{- range $outputType := $certificate.keystore.outputType }} |
| 205 | - key: keystore.{{ $outputType }} |
| 206 | path: keystore.{{ $outputType }} |
| 207 | - key: truststore.{{ $outputType }} |
| 208 | path: truststore.{{ $outputType }} |
| 209 | {{- end }} |
| 210 | - secret: |
| 211 | name: {{ $certificate.keystore.passwordSecretRef.name }} |
| 212 | items: |
| 213 | - key: {{ $certificate.keystore.passwordSecretRef.key }} |
| 214 | path: keystore.pass |
| 215 | - key: {{ $certificate.keystore.passwordSecretRef.key }} |
| 216 | path: truststore.pass |
| 217 | {{- end }} |
| 218 | {{- end -}} |
| 219 | {{- end -}} |