helm: allow to override the CA cert on a clustermesh peer basis

This commit extends the helm chart to enable overriding the CA certificate of a specific clustermesh peer. This is required in case different CAs are used across the mesh, since it otherwise defaults to the local one. Signed-off-by: Marco Iorio <marco.iorio@isovalent.com>
cilium · Mar 10, 2023 · 46ecd9a · 46ecd9a
1 parent a019680
commit 46ecd9a
Show file tree

Hide file tree

Showing 3 changed files with 3 additions and 1 deletion.
diff --git a/install/kubernetes/cilium/templates/clustermesh-config/clustermesh-secret.yaml b/install/kubernetes/cilium/templates/clustermesh-config/clustermesh-secret.yaml
@@ -10,7 +10,7 @@ data:
   {{ .name }}: {{ include "clustermesh-config-generate-etcd-cfg" (list . $.Values.clustermesh.config.domain) | b64enc }}
   {{- /* The parenthesis around .tls are required, since it can be null: https://stackoverflow.com/a/68807258 */}}
   {{- if and (.tls).cert (.tls).key }}
-  {{ .name }}.etcd-client-ca.crt: {{ $.Values.clustermesh.apiserver.tls.ca.cert }}
+  {{ .name }}.etcd-client-ca.crt: {{ .tls.caCert | default $.Values.clustermesh.apiserver.tls.ca.cert }}
   {{ .name }}.etcd-client.key: {{ .tls.key }}
   {{ .name }}.etcd-client.crt: {{ .tls.cert }}
   {{- end }}

diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
@@ -2290,6 +2290,7 @@ clustermesh:
     #   tls:
     #     cert: ""
     #     key: ""
+    #     caCert: ""
 
   apiserver:
     # -- Clustermesh API server image.