feat: Add ability to mount server ssl cert from secret (#199)

* feat: Add ability to mount server ssl cert from secret * fix lint * bump --------- Co-authored-by: Elio Bischof <elio@zitadel.com>
zitadel · May 6, 2024 · 8831017 · 8831017
1 parent 0d1e6f2
commit 8831017
Show file tree

Hide file tree

Showing 4 changed files with 22 additions and 13 deletions.
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -24,8 +24,7 @@ jobs:
         name: Install Helm (The Chart Testing CLI Depends On It)
         uses: 'azure/setup-helm@v3.5'
         with:
-          version: '${{ matrix.helm-version }}'
-          token: ${{ secrets.GITHUB_TOKEN }}
+          version: latest
 
       - id: 'set-up-python'
         name: Install Python (The Chart Testing CLI Depends On It)
@@ -47,16 +46,7 @@ jobs:
             echo "changed=true" >> $GITHUB_OUTPUT
           fi
 
-      - name: Get Changed Test Relevant Files
-        id: 'list-changed-test'
-        uses: tj-actions/changed-files@v42
-        with:
-          files: |
-            go.mod
-            go.sum
-            charts/zitadel/acceptance/**
-
       - id: 'lint'
         name: Lint The Chart
         run: 'ct lint --target-branch ${{ github.event.repository.default_branch }}'
-        if: steps.list-changed.outputs.changed == 'true' || steps.list-changed-test.outputs.any_changed == 'true'
+        if: steps.list-changed.outputs.changed == 'true'
diff --git a/charts/zitadel/Chart.yaml b/charts/zitadel/Chart.yaml
@@ -3,7 +3,7 @@ name: zitadel
 description: A Helm chart for ZITADEL
 type: application
 appVersion: "v2.49.1"
-version: 7.12.1
+version: 7.13.0
 kubeVersion: ">= 1.21.0-0"
 icon: https://zitadel.com/zitadel-logo-dark.svg
 maintainers:

diff --git a/charts/zitadel/templates/deployment.yaml b/charts/zitadel/templates/deployment.yaml
@@ -79,6 +79,12 @@ spec:
             - name: ZITADEL_DATABASE_{{ $dbEnv }}_USER_SSL_KEY
               value: /.secrets/db-ssl-user-crt/tls.key
             {{- end }}
+            {{- if .Values.zitadel.serverSslCrtSecret }}
+            - name: ZITADEL_TLS_CERTPATH
+              value: /.secrets/server-ssl-crt/tls.crt
+            - name: ZITADEL_TLS_KEYPATH
+              value: /.secrets/server-ssl-crt/tls.key
+            {{- end }}
             {{- if .Values.zitadel.selfSignedCert.enabled }}
             - name: ZITADEL_TLS_CERTPATH
               value: /etc/tls/tls.crt
@@ -163,6 +169,7 @@ spec:
               (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.configSecretName "path" "/zitadel-secret-config-yaml/" ))
               (include "zitadel.makecpcommand" (dict "value" (or .Values.zitadel.dbSslCaCrt .Values.zitadel.dbSslCaCrtSecret) "path" "/db-ssl-ca-crt/" ))
               (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.dbSslUserCrtSecret "path" "/db-ssl-user-crt/" ))
+              (include "zitadel.makecpcommand" (dict "value" .Values.zitadel.serverSslCrtSecret "path" "/server-ssl-crt/" ))
               )) }} chown -R 1000:1000 /chowned-secrets/ && find /chowned-secrets/ -type f -exec chmod 400 -- {} + "
           command:
           - sh
@@ -189,6 +196,10 @@ spec:
           - name: db-ssl-user-crt
             mountPath: /db-ssl-user-crt
           {{- end }}
+          {{- if .Values.zitadel.serverSslCrtSecret }}
+          - name: server-ssl-crt
+            mountPath: /server-ssl-crt
+          {{- end }}
           securityContext:
             runAsNonRoot: false
             runAsUser: 0
@@ -246,6 +257,11 @@ spec:
         secret:
           secretName: {{ .Values.zitadel.dbSslUserCrtSecret }}
       {{- end }}
+      {{- if .Values.zitadel.serverSslCrtSecret }}
+      - name: server-ssl-crt
+        secret:
+          secretName: {{ .Values.zitadel.serverSslCrtSecret }}
+      {{- end }}
       - name: chowned-secrets
         emptyDir: {}
       {{- if .Values.zitadel.selfSignedCert.enabled }}

diff --git a/charts/zitadel/values.yaml b/charts/zitadel/values.yaml
@@ -53,6 +53,9 @@ zitadel:
   # The db users secret containing the client certificate and key at tls.crt and tls.key needed for establishing secure database connections
   dbSslUserCrtSecret: ""
 
+  # The Secret containing the certificate at key tls.crt and tls.key for listening on HTTPS
+  serverSslCrtSecret: ""
+
   # Generate a self-signed certificate using an init container
   # This will also mount the generated files to /etc/tls/ so that you can reference them in the pod.
   # E.G. KeyPath: /etc/tls/tls.key CertPath: /etc/tls/tls.crt