helm: mandate issuer configuration when using cert-manager to generate certificates #24666

Merged: 2 commits, Apr 6, 2023
4 changes: 2 additions & 2 deletions Documentation/helm-values.rst


4 changes: 2 additions & 2 deletions install/kubernetes/cilium/README.md


This file was deleted.

@@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
{{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
secretName: clustermesh-apiserver-admin-cert
commonName: {{ include "clustermesh-apiserver-generate-certs.admin-common-name" . }}
dnsNames:
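Review bot: the `issuerRef` now emits `.Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef` verbatim through `toYaml`, so any field the user omits falls back to cert-manager's defaults rather than the chart's: with no `kind`, cert-manager resolves the reference as a namespaced `Issuer` in `{{ .Release.Namespace }}`, and with no `group` as `cert-manager.io`. The commented sample in values.yaml shows `kind: ClusterIssuer`, so a user who copies only `name: ca-issuer` ends up with a `Certificate` waiting forever for an `Issuer` that does not exist in the Cilium namespace. The value's description should say that `kind` must be set explicitly when a `ClusterIssuer` is intended.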
@@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
{{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
secretName: clustermesh-apiserver-client-cert
commonName: externalworkload
duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }}
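Review bot: this `Certificate` is a mutual-TLS client certificate with a non-DNS `commonName` (`externalworkload`), and the admin and remote certificates in this directory are of the same kind, so the issuer behind `certManagerIssuerRef` has to be one that signs arbitrary subjects from a private CA (a `CA`, `Vault` or similar issuer); an ACME issuer cannot fulfil these requests. Now that the chart no longer provisions a CA issuer of its own, the description of `certManagerIssuerRef` should state which issuer types are acceptable, otherwise the first sign of a wrong choice is a `Certificate` stuck in a not-ready state after install.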

This file was deleted.

@@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
{{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
secretName: clustermesh-apiserver-remote-cert
commonName: {{ include "clustermesh-apiserver-generate-certs.remote-common-name" . }}
duration: {{ printf "%dh0m0s" (mul .Values.clustermesh.apiserver.tls.auto.certValidityDuration 24) }}
@@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- include "clustermesh-apiserver-generate-certs.certmanager.issuer" . | nindent 4 }}
{{- toYaml .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef | nindent 4 }}
secretName: clustermesh-apiserver-server-cert
commonName: clustermesh-apiserver.cilium.io
dnsNames:
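Review bot: this server certificate is what cilium agents in peer clusters verify when they connect to the clustermesh-apiserver, so the CA behind `certManagerIssuerRef` must be trusted by every member of the mesh. While the chart created the issuer itself that was implicit; with a user-supplied reference an operator can point each cluster at an unrelated local CA and only find out when cross-cluster connections fail the TLS handshake. The documentation change should state that the issuer configured in every cluster has to chain to the CA the other clusters trust (in practice the same CA everywhere).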

This file was deleted.

This file was deleted.

@@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
{{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
secretName: hubble-relay-client-certs
commonName: "*.hubble-relay.cilium.io"
dnsNames:
@@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
{{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
secretName: hubble-relay-server-certs
commonName: "*.hubble-relay.cilium.io"
dnsNames:
@@ -8,7 +8,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
{{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
secretName: hubble-server-certs
commonName: {{ $cn | quote }}
dnsNames:
@@ -7,7 +7,7 @@ metadata:
namespace: {{ .Release.Namespace }}
spec:
issuerRef:
{{- include "hubble-generate-certs.certmanager.issuer" . | nindent 4 }}
{{- toYaml .Values.hubble.tls.auto.certManagerIssuerRef | nindent 4 }}
secretName: hubble-ui-client-certs
commonName: "*.hubble-ui.cilium.io"
dnsNames:
12 changes: 12 additions & 0 deletions install/kubernetes/cilium/templates/validate.yaml
@@ -22,6 +22,18 @@
{{- end }}
{{- end }}

{{- if and .Values.hubble.enabled .Values.hubble.tls.enabled .Values.hubble.tls.auto.enabled (eq .Values.hubble.tls.auto.method "certmanager") }}
{{- if not .Values.hubble.tls.auto.certManagerIssuerRef }}
{{ fail "Hubble TLS certgen method=certmanager requires that user specifies .Values.hubble.tls.auto.certManagerIssuerRef" }}
{{- end }}
{{- end }}

{{- if and (or .Values.externalWorkloads.enabled .Values.clustermesh.useAPIServer) .Values.clustermesh.apiserver.tls.auto.enabled (eq .Values.clustermesh.apiserver.tls.auto.method "certmanager") }}
{{- if not .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef }}
{{ fail "ClusterMesh TLS certgen method=certmanager requires that user specifies .Values.clustermesh.apiserver.tls.auto.certManagerIssuerRef" }}
{{- end }}
{{- end }}

{{/* validate hubble-ui specific config */}}
{{- if and .Values.hubble.ui.enabled
(ne .Values.hubble.ui.backend.image.tag "latest")
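Review bot: `{{- if not .Values.hubble.tls.auto.certManagerIssuerRef }}` only rejects an empty map. A reference such as `certManagerIssuerRef: {kind: ClusterIssuer}`, or the sample from values.yaml copied with `name` left blank, passes this check and then fails at apply time because cert-manager requires `issuerRef.name`. Checking the field that actually matters turns that into a render-time error, for example
`{{- if not .Values.hubble.tls.auto.certManagerIssuerRef.name }}`
and the same for the clustermesh block. Minor: the `fail` messages read better as "requires that the user specify ..." or simply "requires .Values.hubble.tls.auto.certManagerIssuerRef to be set"; since these strings are what users will search for, it is also worth adding that the chart no longer creates an issuer for them.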
4 changes: 1 addition & 3 deletions install/kubernetes/cilium/values.yaml


4 changes: 1 addition & 3 deletions install/kubernetes/cilium/values.yaml.tmpl
@@ -991,7 +991,6 @@ hubble:
# kind: ClusterIssuer
# name: ca-issuer
# -- certmanager issuer used when hubble.tls.auto.method=certmanager.
# If not specified, a CA issuer will be created.
certManagerIssuerRef: {}

# -- Deprecated in favor of tls.ca. To be removed in 1.13.
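Review bot: with the sentence "If not specified, a CA issuer will be created." removed, the description no longer says what happens when `certManagerIssuerRef` is left at its default, yet the default stays `{}` and is now rejected by validate.yaml whenever `method: certmanager` is selected. The description is what lands in Documentation/helm-values.rst and the chart README, so it should say that the value is required with `hubble.tls.auto.method=certmanager` and that the chart no longer creates an issuer. Users upgrading from a release that auto-created the issuer will see `helm upgrade` fail, so an entry in the upgrade notes explaining how to create a replacement issuer and reference it would be appropriate. The same applies to the clustermesh description further down.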
@@ -2176,7 +2175,7 @@ nodeinit:
# -- bootstrapFile is the location of the file where the bootstrap timestamp is
# written by the node-init DaemonSet
bootstrapFile: "/tmp/cilium-bootstrap.d/cilium-bootstrap-time"

# -- startup offers way to customize startup nodeinit script (pre and post position)
startup:
preScript: ""
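Review bot: this nodeinit hunk appears to be a whitespace-only change on the blank line after `bootstrapFile` (one deletion and one addition with no visible content difference) and is unrelated to the cert-manager issuer change. Harmless, but it would be cleaner in its own commit, or at least mentioned in the commit message, so the diff stays focused on what the PR title describes.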
@@ -2542,7 +2541,6 @@ clustermesh:
# kind: ClusterIssuer
# name: ca-issuer
# -- certmanager issuer used when clustermesh.apiserver.tls.auto.method=certmanager.
# If not specified, a CA issuer will be created.
certManagerIssuerRef: {}
# -- base64 encoded PEM values for the ExternalWorkload CA certificate and private key.
ca: