Implement TLS certificate generation
Also, use `local` volume
This commit is contained in:
parent
bcfbc3d253
commit
116fde0983
|
|
@ -60,3 +60,35 @@ Create the name of the service account to use
|
|||
{{- default "default" .Values.serviceAccount.name }}
|
||||
{{- end }}
|
||||
{{- end }}
|
||||
|
||||
{{/*
|
||||
Return true if a TLS secret should be created
|
||||
*/}}
|
||||
{{- define "exam.createTlsSecret" -}}
|
||||
{{- if and .Values.tls.enabled (not .Values.tls.certificatesSecret) -}}
|
||||
{{- true -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Get namespace
|
||||
*/}}
|
||||
{{- define "exam.namespace" -}}
|
||||
{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Search already generated TLS secret
|
||||
*/}}
|
||||
{{- define "exam.lookup" -}}
|
||||
{{- $value := "" -}}
|
||||
{{- $secretData := (lookup "v1" "Secret" (include "exam.namespace" .context) .secret).data -}}
|
||||
{{- if and $secretData (hasKey $secretData .key) -}}
|
||||
{{- $value = index $secretData .key -}}
|
||||
{{- else if .defaultValue -}}
|
||||
{{- $value = .defaultValue | toString | b64enc -}}
|
||||
{{- end -}}
|
||||
{{- if $value -}}
|
||||
{{- printf "%s" $value -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
|
@ -24,7 +24,7 @@ spec:
|
|||
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
|
||||
ingressClassName: {{ .Values.ingress.className }}
|
||||
{{- end }}
|
||||
{{- if .Values.ingress.tls }}
|
||||
{{- if and (include "exam.createTlsSecret" . ) .Values.ingress.tls }}
|
||||
tls:
|
||||
{{- range .Values.ingress.tls }}
|
||||
- hosts:
|
||||
|
|
|
|||
|
|
@ -9,4 +9,25 @@ data:
|
|||
| b64enc | quote }}
|
||||
username: {{ required "secrets.username is required" .Values.secrets.username
|
||||
| b64enc | quote }}
|
||||
type: Opaque
|
||||
type: Opaque
|
||||
---
|
||||
{{- if (include "exam.createTlsSecret" . ) }}
|
||||
{{- $secretName := printf "%s-crt" (include "exam.fullname" .) }}
|
||||
{{- $ca := genCA "ingress-ca" 365 }}
|
||||
{{- $fullname := "kube-exam.local" }}
|
||||
{{- $cert := genSignedCert $fullname nil nil 365 $ca }}
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: {{ $secretName }}
|
||||
labels:
|
||||
{{- include "exam.labels" . | nindent 4 }}
|
||||
annotations:
|
||||
"helm.sh/hook": "pre-install"
|
||||
"helm.sh/hook-delete-policy": "before-hook-creation"
|
||||
type: kubernetes.io/tls
|
||||
data:
|
||||
tls.crt: {{ include "exam.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
|
||||
tls.key: {{ include "exam.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
|
||||
ca.crt: {{ include "exam.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
|
||||
{{- end }}
|
||||
|
|
@ -9,12 +9,20 @@ spec:
|
|||
accessModes:
|
||||
- ReadWriteOnce
|
||||
capacity:
|
||||
storage: 1Gi
|
||||
hostPath:
|
||||
path: /tmp/minikube/postgres
|
||||
storage: {{ .Values.pvc.request | quote }}
|
||||
local:
|
||||
path: /var/lib/minikube
|
||||
persistentVolumeReclaimPolicy: Retain
|
||||
storageClassName: manual
|
||||
storageClassName: local-storage
|
||||
volumeMode: Filesystem
|
||||
nodeAffinity:
|
||||
required:
|
||||
nodeSelectorTerms:
|
||||
- matchExpressions:
|
||||
- key: kubernetes.io/hostname
|
||||
operator: In
|
||||
values:
|
||||
- minikube
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
|
|
@ -29,4 +37,4 @@ spec:
|
|||
resources:
|
||||
requests:
|
||||
storage: {{ .Values.pvc.request | quote }}
|
||||
storageClassName: {{ .Values.pvc.class | quote }}
|
||||
storageClassName: local-storage
|
||||
|
|
@ -5,12 +5,15 @@ serviceAccount:
|
|||
annotations: {}
|
||||
name: ""
|
||||
|
||||
tls:
|
||||
enabled: true
|
||||
|
||||
ingress:
|
||||
ssl: false
|
||||
ssl: true
|
||||
className: ""
|
||||
annotations:
|
||||
nginx.ingress.kubernetes.io/rewrite-target: /$2
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "false"
|
||||
nginx.ingress.kubernetes.io/ssl-redirect: "true"
|
||||
nginx.ingress.kubernetes.io/use-regex: "true"
|
||||
hosts:
|
||||
- host: kube-exam.local
|
||||
|
|
@ -23,10 +26,10 @@ ingress:
|
|||
pathType: ImplementationSpecific
|
||||
name: "api"
|
||||
port: 5000
|
||||
tls: []
|
||||
# - secretName: chart-example-tls
|
||||
# hosts:
|
||||
# - chart-example.local
|
||||
tls:
|
||||
- secretName: exam-crt
|
||||
hosts:
|
||||
- kube-exam.local
|
||||
|
||||
resources: {}
|
||||
|
||||
|
|
@ -62,7 +65,7 @@ secrets:
|
|||
username: "password1234"
|
||||
|
||||
pvc:
|
||||
class: manual
|
||||
class: local-storage
|
||||
request: 1Gi
|
||||
|
||||
deployments:
|
||||
|
|
@ -98,6 +101,9 @@ deployments:
|
|||
nonsecrets:
|
||||
pgdata: /var/lib/postgresql/data/pgdata
|
||||
postgresDb: db
|
||||
secrets:
|
||||
postgres-password: password
|
||||
postgres-user: username
|
||||
image:
|
||||
repository: db
|
||||
tag: 13.3
|
||||
|
|
|
|||
Loading…
Reference in New Issue