feat: create application chart instead that create openshift artifacts

bcgov · Sep 21, 2021 · 3110966 · 3110966
1 parent 2cdfb38
commit 3110966
Show file tree

Hide file tree

Showing 8 changed files with 67 additions and 72 deletions.
diff --git a/helm/nginx-sidecar-lib/Chart.yaml b/helm/nginx-sidecar-lib/Chart.yaml
@@ -2,6 +2,6 @@ apiVersion: v2
 name: nginx-sidecar-lib
 description: A library helm chart that can be used to inject an nginx sidecar pod to handle SSL termination
 
-type: library
+type: application
 version: 0.1.0
 appVersion: "0.0.1"
diff --git a/helm/nginx-sidecar-lib/templates/_deployment-container.yaml b/helm/nginx-sidecar-lib/templates/_deployment-container.yaml
@@ -1,21 +1,33 @@
 {{- /*
-This template is meant to be injected inside a deployment object, as an additional container
+These template are meant to be injected inside a deployment object, as an additional container
 */}}
 
 {{- define "nginx-sidecar-lib.deployment-container.tpl" -}}
-name: {{ .Chart.Name }}-nginx
-image: "{{ .Values.nginxSidecar.image.repository }}:{{ .Values.nginxSidecar.image.tag }}"
-imagePullPolicy: {{ .Values.nginxSidecar.image.pullPolicy }}
-ports:
-  - containerPort: {{ .Values.nginxSidecar.port }}
-volumeMounts:
-  - name: nginx-configs
-    mountPath: /etc/nginx/conf.d
-  - mountPath: /home/.acme.sh
-    name: acme-home
-  - mountPath: /home/.well-known/acme-challenge
-    name: acme-challenge
+- name: {{ .Chart.Name }}-nginx
+  image: "{{ .Values.nginxSidecar.image.repository }}:{{ .Values.nginxSidecar.image.tag }}"
+  imagePullPolicy: {{ .Values.nginxSidecar.image.pullPolicy }}
+  ports:
+    - containerPort: {{ .Values.nginxSidecar.port }}
+  volumeMounts:
+    - name: nginx-configs
+      mountPath: /etc/nginx/conf.d
+{{ include "nginx-sidecar-lib.deployment-mounts.tpl" . | indent 4 }}
 {{- end -}}
-{{- define "nginx-sidecar-lib.deployment-container" -}}
-{{- include "nginx-sidecar-lib.util.merge" (append . "nginx-sidecar-lib.deployment-container.tpl") -}}
+
+
+{{- define "nginx-sidecar-lib.deployment-mounts.tpl" -}}
+- mountPath: /home/.acme.sh
+  name: acme-home
+- mountPath: /home/.well-known/acme-challenge
+  name: acme-challenge
+{{- end -}}
+
+
+{{- define "nginx-sidecar-lib.deployment-volumes.tpl" -}}
+- name: acme-home
+  persistentVolumeClaim:
+    claimName: {{ template "nginx-sidecar-lib.fullname" . }}-acme-home
+- name: acme-challenge
+  persistentVolumeClaim:
+    claimName: {{ template "nginx-sidecar-lib.fullname" . }}-acme-challenge
 {{- end -}}
diff --git a/...inx-sidecar-lib/templates/_configmap.yaml → ...ginx-sidecar-lib/templates/configmap.yaml b/...inx-sidecar-lib/templates/_configmap.yaml → ...ginx-sidecar-lib/templates/configmap.yaml
@@ -1,4 +1,3 @@
-{{- define "nginx-sidecar-lib.configmap.tpl" -}}
 {{- if .Values.nginxSidecar.enable }}
 apiVersion: v1
 kind: ConfigMap
@@ -27,7 +26,3 @@ data:
       }
     }
 {{- end }}
-{{- end -}}
-{{- define "nginx-sidecar-lib.configmap" -}}
-{{- include "nginx-sidecar-lib.util.merge" (append . "nginx-sidecar-lib.configmap.tpl") -}}
-{{- end -}}
diff --git a/...decar-lib/templates/_cron-acme-issue.yaml → ...idecar-lib/templates/cron-acme-issue.yaml b/...decar-lib/templates/_cron-acme-issue.yaml → ...idecar-lib/templates/cron-acme-issue.yaml
@@ -1,4 +1,10 @@
-{{- define "nginx-sidecar-lib.cron-acme-issue.tpl" -}}
+
+{{- $caServer := "https://acme-v02.api.letsencrypt.org/directory" }}
+
+{{- if .Values.caServerSecret }}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.caServerSecret ) }}
+{{- $caServer = (index $secret.data .Values.caServerKey) | b64dec }}
+{{- end -}}
 
 
 apiVersion: batch/v1beta1
@@ -42,28 +48,13 @@ spec:
                 - -c
                 - |
                   set -euxo pipefail;
-                  if [ ! -f /root/.acme.sh/{{ .Values.route.host }}/{{ .Values.route.host }}.cer ]; then
-                    echo "Getting a new cert from Let's Encrypt for {{ .Values.route.host }}";
+                  if [ ! -f /root/.acme.sh/{{ .Values.certTargetHost }}/{{ .Values.certTargetHost }}.cer ]; then
+                    echo "Getting a new cert from Let's Encrypt for {{ .Values.certTargetHost }}";
                     git clone --branch 2.8.6 https://github.com/acmesh-official/acme.sh.git /root/acme.sh;
                     cd /root/acme.sh;
-                    ./acme.sh install --force;
+                    ./acme.sh install --force --server {{ $caServer }} -m {{ .Values.caAccountEmail }} ;
                     . "/root/.acme.sh/acme.sh.env";
-                    ./acme.sh --issue -d {{ .Values.route.host }} -w /root;
+                    ./acme.sh --issue -d {{ .Values.certTargetHost }} -w /root --server {{ $caServer }} -m {{ .Values.caAccountEmail }} --days {{.Values.renewalDays}};
                   fi;
-              volumeMounts:
-                - mountPath: /root/.acme.sh
-                  name: acme-home
-                - mountPath: /root/.well-known/acme-challenge
-                  name: acme-challenge
-          volumes:
-            - name: acme-home
-              persistentVolumeClaim:
-                claimName: {{ template "nginx-sidecar-lib.fullname" . }}-acme-home
-            - name: acme-challenge
-              persistentVolumeClaim:
-                claimName: {{ template "nginx-sidecar-lib.fullname" . }}-acme-challenge
-
-{{- end -}}
-{{- define "nginx-sidecar-lib.cron-acme-issue" -}}
-{{- include "nginx-sidecar-lib.util.merge" (append . "nginx-sidecar-lib.cron-acme-issue.tpl") -}}
-{{- end -}}
+              volumeMounts: {{ include "nginx-sidecar-lib.deployment-mounts.tpl" . | nindent 16 }}
+          volumes: {{- include "nginx-sidecar-lib.deployment-volumes.tpl" . | nindent 12 }}
diff --git a/...car-lib/templates/_cron-acme-renewal.yaml → ...ecar-lib/templates/cron-acme-renewal.yaml b/...car-lib/templates/_cron-acme-renewal.yaml → ...ecar-lib/templates/cron-acme-renewal.yaml
@@ -1,4 +1,9 @@
-{{- define "nginx-sidecar-lib.cron-acme-renewal.tpl" -}}
+{{- $caServer := "https://acme-v02.api.letsencrypt.org/directory" }}
+
+{{- if .Values.caServerSecret }}
+{{- $secret := (lookup "v1" "Secret" .Release.Namespace .Values.caServerSecret ) }}
+{{- $caServer = (index $secret.data .Values.caServerKey) | b64dec }}
+{{- end -}}
 
 apiVersion: batch/v1beta1
 kind: CronJob
@@ -43,21 +48,6 @@ spec:
                 - |
                   set -euxo pipefail;
                   # renews the certificate if needed
-                  /root/.acme.sh/acme.sh --cron --home /root/.acme.sh
-              volumeMounts:
-                - mountPath: /root/.acme.sh
-                  name: acme-home
-                - mountPath: /root/.well-known/acme-challenge
-                  name: acme-challenge
-          volumes:
-            - name: acme-home
-              persistentVolumeClaim:
-                claimName: {{ template "nginx-sidecar-lib.fullname" . }}-acme-home
-            - name: acme-challenge
-              persistentVolumeClaim:
-                claimName: {{ template "nginx-sidecar-lib.fullname" . }}-acme-challenge
-
-{{- end -}}
-{{- define "nginx-sidecar-lib.cron-acme-renewal" -}}
-{{- include "nginx-sidecar-lib.util.merge" (append . "nginx-sidecar-lib.cron-acme-renewal.tpl") -}}
-{{- end -}}
+                  /root/.acme.sh/acme.sh --cron --home /root/.acme.sh --server {{ $caServer }} --days {{.Values.metabase.nginxSidecar.renewalDays}};
+              volumeMounts: {{ include "nginx-sidecar-lib.deployment-mounts.tpl" . | nindent 16 }}
+          volumes: {{ include "nginx-sidecar-lib.deployment-volumes.tpl" . | nindent 12 }}
diff --git a/...ar-lib/templates/_pvc-acme-challenge.yaml → ...car-lib/templates/pvc-acme-challenge.yaml b/...ar-lib/templates/_pvc-acme-challenge.yaml → ...car-lib/templates/pvc-acme-challenge.yaml
@@ -1,4 +1,3 @@
-{{- define "nginx-sidecar-lib.pvc-acme-challenge.tpl" -}}
 {{- if .Values.nginxSidecar.enable }}
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -14,7 +13,3 @@ spec:
       storage: 25Mi
   storageClassName: {{ .Values.nginxSidecar.storageClassName }}
 {{- end }}
-{{- end -}}
-{{- define "nginx-sidecar-lib.pvc-acme-challenge" -}}
-{{- include "nginx-sidecar-lib.util.merge" (append . "nginx-sidecar-lib.pvc-acme-challenge.tpl") -}}
-{{- end -}}
diff --git a/...sidecar-lib/templates/_pvc-acme-home.yaml → ...-sidecar-lib/templates/pvc-acme-home.yaml b/...sidecar-lib/templates/_pvc-acme-home.yaml → ...-sidecar-lib/templates/pvc-acme-home.yaml
@@ -1,4 +1,4 @@
-{{- define "nginx-sidecar-lib.pvc-acme-home.tpl" -}}
+
 {{- if .Values.nginxSidecar.enable }}
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -14,7 +14,3 @@ spec:
       storage: 50Mi
   storageClassName: {{ .Values.nginxSidecar.storageClassName }}
 {{- end }}
-{{- end -}}
-{{- define "nginx-sidecar-lib.pvc-acme-home" -}}
-{{- include "nginx-sidecar-lib.util.merge" (append . "nginx-sidecar-lib.pvc-acme-home.tpl") -}}
-{{- end -}}
diff --git a/helm/nginx-sidecar-lib/values.yaml b/helm/nginx-sidecar-lib/values.yaml
@@ -0,0 +1,16 @@
+enable: false
+image:
+  repository: gcr.io/ggl-cas-storage/cas-nginx
+  tag: latest
+  pullPolicy: Always
+# set to false to deploy the application with an insecure route,
+# and issue an SSL certificate using acme.sh
+sslTermination: true
+# If provided, the acme issue/renewal scripts will use a custom server
+# Otherwise it defaults to Let's Encrypt
+caServerSecret: ~ #pragma: allowlist secret
+caServerKey: ~
+caAccountEmail: ggircs@gov.bc.ca
+storageClassName: netapp-file-standard
+renewalDays: 60
+certTargetHost: "example-climate-action-secretariat.gov.bc.ca"