Implement TLS certificate generation

Also, use `local` volume
Santiago Lo Coco 2023-11-16 13:39:45 -03:00
parent bcfbc3d253
commit 116fde0983
5 changed files with 81 additions and 14 deletions


@ -60,3 +60,35 @@ Create the name of the service account to use
{{- default "default" .Values.serviceAccount.name }} {{- default "default" .Values.serviceAccount.name }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{/*
Return true if a TLS secret should be created
*/}}
{{- define "exam.createTlsSecret" -}}
{{- if and .Values.tls.enabled (not .Values.tls.certificatesSecret) -}}
{{- true -}}
{{- end -}}
{{- end -}}
{{/*
Get namespace
*/}}
{{- define "exam.namespace" -}}
{{- default .Release.Namespace .Values.namespaceOverride | trunc 63 | trimSuffix "-" -}}
{{- end -}}
{{/*
Search already generated TLS secret
*/}}
{{- define "exam.lookup" -}}
{{- $value := "" -}}
{{- $secretData := (lookup "v1" "Secret" (include "exam.namespace" .context) .secret).data -}}
{{- if and $secretData (hasKey $secretData .key) -}}
{{- $value = index $secretData .key -}}
{{- else if .defaultValue -}}
{{- $value = .defaultValue | toString | b64enc -}}
{{- end -}}
{{- if $value -}}
{{- printf "%s" $value -}}
{{- end -}}
{{- end -}}
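Review bot: `exam.lookup` resolves each data key independently, so a pre-existing secret that holds `tls.crt` but not `tls.key` (or whose key was removed by hand) yields the stored certificate paired with a freshly generated key that does not match it, and the three separate calls in the Secret template cannot detect that. Treat the secret as a unit: look it up once and fall back to generating all three values only when none of the keys is present, or `fail` when only some are. The header comment `Search already generated TLS secret` should also name the dict keys the helper expects, e.g. `Params: secret (Secret name), key (data key), defaultValue (raw value, base64-encoded when used), context (root scope for lookup/namespace)`. Note that `lookup` returns an empty map under `helm template` and `--dry-run`, so in those modes the default value is always used.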


@ -24,7 +24,7 @@ spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }} {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }} ingressClassName: {{ .Values.ingress.className }}
{{- end }} {{- end }}
{{- if .Values.ingress.tls }} {{- if and (include "exam.createTlsSecret" . ) .Values.ingress.tls }}
tls: tls:
{{- range .Values.ingress.tls }} {{- range .Values.ingress.tls }}
- hosts: - hosts:
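Review bot: The new guard on the `tls:` block keys it to `exam.createTlsSecret`, which renders empty whenever `.Values.tls.certificatesSecret` is set, so a user who supplies their own certificate secret gets an ingress with no TLS section at all and the host is served in plaintext. The condition should depend on TLS being enabled, not on whether this chart generates the secret: `{{- if and .Values.tls.enabled .Values.ingress.tls }}`. The enclosing `spec:` mapping continues outside the hunk.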


@ -10,3 +10,24 @@ data:
username: {{ required "secrets.username is required" .Values.secrets.username username: {{ required "secrets.username is required" .Values.secrets.username
| b64enc | quote }} | b64enc | quote }}
type: Opaque type: Opaque
---
{{- if (include "exam.createTlsSecret" . ) }}
{{- $secretName := printf "%s-crt" (include "exam.fullname" .) }}
{{- $ca := genCA "ingress-ca" 365 }}
{{- $fullname := "kube-exam.local" }}
{{- $cert := genSignedCert $fullname nil nil 365 $ca }}
apiVersion: v1
kind: Secret
metadata:
name: {{ $secretName }}
labels:
{{- include "exam.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": "pre-install"
"helm.sh/hook-delete-policy": "before-hook-creation"
type: kubernetes.io/tls
data:
tls.crt: {{ include "exam.lookup" (dict "secret" $secretName "key" "tls.crt" "defaultValue" $cert.Cert "context" $) }}
tls.key: {{ include "exam.lookup" (dict "secret" $secretName "key" "tls.key" "defaultValue" $cert.Key "context" $) }}
ca.crt: {{ include "exam.lookup" (dict "secret" $secretName "key" "ca.crt" "defaultValue" $ca.Cert "context" $) }}
{{- end }}
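Review bot: `genSignedCert $fullname nil nil 365 $ca` places `kube-exam.local` only in the certificate's CN and passes no DNS SANs, and current browsers and Go-based clients ignore the CN, so the generated certificate will be rejected for the very host it is meant for; pass the host as a SAN, `{{- $cert := genSignedCert $fullname nil (list $fullname) 365 $ca }}`. The hostname is also a literal rather than taken from `.Values.ingress.hosts` / `.Values.ingress.tls[].hosts`, so changing the host in values silently produces a certificate for the wrong name (`$certHost` would also be a less misleading variable name than `$fullname`, which reads as the chart fullname helper). `$secretName` is `<fullname>-crt` while values.yaml references the secret as the literal `exam-crt`, so the two only line up when the release fullname is `exam`. Helm does not track hook resources as part of the release, so with only `before-hook-creation` as the delete policy the secret and its private key survive `helm uninstall`; if that is intended, say so in a comment above the `annotations:` block.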


@ -9,12 +9,20 @@ spec:
accessModes: accessModes:
- ReadWriteOnce - ReadWriteOnce
capacity: capacity:
storage: 1Gi storage: {{ .Values.pvc.request | quote }}
hostPath: local:
path: /tmp/minikube/postgres path: /var/lib/minikube
persistentVolumeReclaimPolicy: Retain persistentVolumeReclaimPolicy: Retain
storageClassName: manual storageClassName: local-storage
volumeMode: Filesystem volumeMode: Filesystem
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- minikube
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
@ -29,4 +37,4 @@ spec:
resources: resources:
requests: requests:
storage: {{ .Values.pvc.request | quote }} storage: {{ .Values.pvc.request | quote }}
storageClassName: {{ .Values.pvc.class | quote }} storageClassName: local-storage
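Review bot: The PVC now hard-codes `storageClassName: local-storage` while values.yaml still carries `pvc.class: local-storage`, so the knob is dead and a user who changes it gets a PVC that can never bind; keep it templated, `storageClassName: {{ .Values.pvc.class | quote }}`, in both the PV and the PVC. In the PV hunk the node name `minikube` and the path `/var/lib/minikube` are likewise literals, so this manifest only works on a single-node minikube cluster; they belong in values next to `pvc.request`. A `local` PV also needs a matching StorageClass (typically with `volumeBindingMode: WaitForFirstConsumer`) that this commit does not add, unless it already exists elsewhere in the chart.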


@ -5,12 +5,15 @@ serviceAccount:
annotations: {} annotations: {}
name: "" name: ""
tls:
enabled: true
ingress: ingress:
ssl: false ssl: true
className: "" className: ""
annotations: annotations:
nginx.ingress.kubernetes.io/rewrite-target: /$2 nginx.ingress.kubernetes.io/rewrite-target: /$2
nginx.ingress.kubernetes.io/ssl-redirect: "false" nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/use-regex: "true" nginx.ingress.kubernetes.io/use-regex: "true"
hosts: hosts:
- host: kube-exam.local - host: kube-exam.local
@ -23,10 +26,10 @@ ingress:
pathType: ImplementationSpecific pathType: ImplementationSpecific
name: "api" name: "api"
port: 5000 port: 5000
tls: [] tls:
# - secretName: chart-example-tls - secretName: exam-crt
# hosts: hosts:
# - chart-example.local - kube-exam.local
resources: {} resources: {}
@ -62,7 +65,7 @@ secrets:
username: "password1234" username: "password1234"
pvc: pvc:
class: manual class: local-storage
request: 1Gi request: 1Gi
deployments: deployments:
@ -98,6 +101,9 @@ deployments:
nonsecrets: nonsecrets:
pgdata: /var/lib/postgresql/data/pgdata pgdata: /var/lib/postgresql/data/pgdata
postgresDb: db postgresDb: db
secrets:
postgres-password: password
postgres-user: username
image: image:
repository: db repository: db
tag: 13.3 tag: 13.3
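Review bot: `tls.enabled: true` is added, but `tls.certificatesSecret`, which `exam.createTlsSecret` reads to decide whether to skip generation, is not declared, so the way to bring your own certificate is invisible to anyone reading values.yaml; add `certificatesSecret: ""` under `tls:` with a comment such as `# Name of an existing kubernetes.io/tls Secret; leave empty to let the chart generate one`. The `ingress.tls[0].secretName: exam-crt` literal must equal the `<fullname>-crt` name produced by the Secret template and will break for any other release name. The new `secrets:` block under the database deployment commits default credentials (`postgres-password: password`, `postgres-user: username`) into the chart; the chart already uses `required` for its top-level secrets, so these should default to empty and be required the same way, and be quoted as strings either way. The context line `tag: 13.3` is a float to YAML parsers and is safer as `"13.3"`.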