feat(helm): support tls on datastore

padok-team · May 20, 2024 · b97853d · b97853d
1 parent 878444f
commit b97853d
Show file tree

Hide file tree

Showing 7 changed files with 109 additions and 6 deletions.
diff --git a/deploy/charts/burrito/templates/config.yaml b/deploy/charts/burrito/templates/config.yaml
@@ -26,6 +26,10 @@ Datastore Authorized Service Accounts
 {{- $server := printf "%s/%s" .Release.Namespace "burrito-server" }}
 {{- $datastoreAuthorizedServiceAccounts = append $datastoreAuthorizedServiceAccounts $server }}
 {{- $_ := set $config.datastore "serviceAccounts" $datastoreAuthorizedServiceAccounts }}
+{{- $_ := set $config.hermitcrab "certificateSecretName" .Values.hermitcrab.tls.certManager.certificate.spec.secretName }}
+{{- $_ := set $config.hermitcrab "enabled" .Values.hermitcrab.enabled }}
+{{- $_ := set $config.datastore "tls" .Values.datastore.tls.certManager.use }}
+
 
 apiVersion: v1
 kind: ConfigMap

diff --git a/deploy/charts/burrito/templates/controllers.yaml b/deploy/charts/burrito/templates/controllers.yaml
@@ -63,6 +63,12 @@ spec:
             - name: burrito-token
               mountPath: /var/run/secrets/token
               readOnly: true
+            {{- if $.Values.datastore.tls.certManager.use }}
+            - name: burrito-ca
+              mountPath: /etc/ssl/certs/burrito-ca.crt
+              subPath: burrito-ca.crt
+              readOnly: true
+            {{- end }}
       {{- with .deployment.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -86,6 +92,14 @@ spec:
                 audience: burrito
                 expirationSeconds: 3600
                 path: burrito
+        {{- if $.Values.datastore.tls.certManager.use }}
+        - name: burrito-ca
+          secret:
+            secretName: {{ $.Values.datastore.tls.certManager.certificate.spec.secretName }}
+            items:
+              - key: ca.crt
+                path: burrito-ca.crt
+        {{- end }}
 {{- if .service.enabled }}
 ---
 apiVersion: v1

diff --git a/deploy/charts/burrito/templates/datastore.yaml b/deploy/charts/burrito/templates/datastore.yaml
@@ -57,6 +57,11 @@ spec:
             - name: burrito-config
               mountPath: /etc/burrito
               readOnly: true
+            {{- if .tls.certManager.use }}
+            - name: burrito-tls
+              mountPath: /etc/burrito/tls
+              readOnly: true
+            {{- end }}
       {{- with .deployment.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -73,6 +78,11 @@ spec:
         - name: burrito-config
           configMap:
             name: burrito-config
+        {{- if .tls.certManager.use }}
+        - name: burrito-datastore-tls
+          secret:
+            secretName: {{ .tls.certManager.certificate.spec.secretName }}
+        {{- end }}
 {{- if .service.enabled }}
 ---
 apiVersion: v1
@@ -118,4 +128,15 @@ subjects:
   - kind: ServiceAccount
     name: burrito-datastore
     namespace: {{ $.Release.Namespace }}
+---
+{{- if .tls.certManager.use }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: burrito-datastore
+  labels:
+    {{- toYaml .metadata.labels | nindent 4 }}
+spec:
+  {{- toYaml .tls.certManager.certificate.spec | nindent 4 }}
+{{- end }}
 {{- end }}
diff --git a/deploy/charts/burrito/templates/hermitcrab.yaml b/deploy/charts/burrito/templates/hermitcrab.yaml
@@ -89,7 +89,7 @@ spec:
         {{- if .tls.certManager.use }}
         - name: burrito-hermitcrab-tls
           secret:
-            secretName: {{ $.Values.config.burrito.hermitcrab.certificateSecretName }}
+            secretName: {{ .tls.certManager.certificate.spec.secretName }}
         {{- end }}
         {{- if .deployment.extraVolumes }}
         {{- toYaml .deployment.extraVolumes | nindent 8 }}

diff --git a/deploy/charts/burrito/templates/issuer.yaml b/deploy/charts/burrito/templates/issuer.yaml
@@ -0,0 +1,30 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: burrito-selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: burrito-ca
+spec:
+  isCA: true
+  commonName: burrito-ca
+  secretName: burrito-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: burrito-selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: burrito-ca-issuer
+spec:
+  ca:
+    secretName: burrito-ca
diff --git a/deploy/charts/burrito/templates/server.yaml b/deploy/charts/burrito/templates/server.yaml
@@ -62,6 +62,12 @@ spec:
             - name: burrito-token
               mountPath: /var/run/secrets/token
               readOnly: true
+            {{- if $.Values.datastore.tls.certManager.use }}
+            - name: burrito-ca
+              mountPath: /etc/ssl/certs/burrito-ca.crt
+              subPath: burrito-ca.crt
+              readOnly: true
+            {{- end }}
       {{- with .deployment.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}
@@ -85,6 +91,14 @@ spec:
                 audience: burrito
                 expirationSeconds: 3600
                 path: burrito
+        {{- if $.Values.datastore.tls.certManager.use }}
+        - name: burrito-ca
+          secret:
+            secretName: {{ $.Values.datastore.tls.certManager.certificate.spec.secretName }}
+            items:
+              - key: ca.crt
+                path: burrito-ca.crt
+        {{- end }}
 {{- if .service.enabled }}
 ---
 apiVersion: v1

diff --git a/deploy/charts/burrito/values.yaml b/deploy/charts/burrito/values.yaml
@@ -39,9 +39,6 @@ config:
         # -- Prefer override with the BURRITO_CONTROLLER_GITLABCONFIG_APITOKEN environment variable
         apiToken: ""
         url: ""
-    hermitcrab:
-      enabled: false
-      certificateSecretName: burrito-hermitcrab-tls
 
     datastore:
       serviceAccounts: []
@@ -67,6 +64,7 @@ config:
       sshKnownHostsConfigMapName: burrito-ssh-known-hosts
 
 hermitcrab:
+  enabled: false
   metadata:
     labels:
       app.kubernetes.io/component: hermitcrab
@@ -76,9 +74,16 @@ hermitcrab:
     size: 1Gi
   tls:
     certManager:
-      use: false
+      use: true
       certificate:
-        spec: {}
+        spec:
+          secretName: burrito-hermitcrab-tls
+          commonName: burrito-hermitcrab.burrito-system.svc.cluster.local
+          dnsNames:
+            - burrito-hermitcrab.burrito-system.svc.cluster.local
+          issuerRef:
+            name: burrito-ca-issuer
+            kind: ClusterIssuer
 
   deployment:
     image:
@@ -258,5 +263,20 @@ datastore:
     - name: http
       port: 80
       targetPort: http
+    - name: https
+      port: 443
+      targetPort: http
+  tls:
+    certManager:
+      use: false
+      certificate:
+        spec:
+          secretName: burrito-datastore-tls
+          commonName: burrito-datastore.burrito-system.svc.cluster.local
+          dnsNames:
+            - burrito-datastore.burrito-system.svc.cluster.local
+          issuerRef:
+            name: burrito-ca-issuer
+            kind: ClusterIssuer
 
 tenants: []