2 # Copyright © 2020-2021, Nokia
4 # Licensed under the Apache License, Version 2.0 (the "License");
5 # you may not use this file except in compliance with the License.
6 # You may obtain a copy of the License at
8 # http://www.apache.org/licenses/LICENSE-2.0
10 # Unless required by applicable law or agreed to in writing, software
11 # distributed under the License is distributed on an "AS IS" BASIS,
12 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 # See the License for the specific language governing permissions and
14 # limitations under the License.*/}}
17 # This is a template for requesting a certificate from the cert-manager (https://cert-manager.io).
19 # To request a certificate, the following steps are to be done:
20 # - create an object 'certificates' in the values.yaml
21 # - create a file templates/certificate.yaml and invoke the function "certManagerCertificate.certificate".
23 # Here is an example of the certificate request for a component:
25 # Directory structure:
31 # To be added in the file certificates.yaml
33 # To be added in the file values.yaml
34 # 1. Minimal version (certificates only in PEM format)
36 # - commonName: component.onap.org
38 # 2. Extended version (with defined own issuer and additional certificate format):
40 # - name: onap-component-certificate
41 # secretName: onap-component-certificate
42 # commonName: component.onap.org
44 # - component.onap.org
46 # group: certmanager.onap.org
48 # name: cmpv2-issuer-for-the-component
58 # Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined.
59 # Other mandatory fields for the certificate definition do not have to be defined directly,
60 # in that case they will be taken from default values.
62 # Default values are defined in file onap/values.yaml (see-> global.certificate.default)
63 # and can be overridden during the onap installation process.
67 {{- define "certManagerCertificate.certificate" -}}
{{- /*
Renders one cert-manager Certificate (apiVersion cert-manager.io/v1) for every
entry of .Values.certificates and, when keystore.passwordSecretRef.create is
set, a Secret carrying the generated keystore password.
Context: the chart root, or a dict with "dot" (the root) and an optional
"initRoot" (the chart whose .global supplies the certificate defaults).
Only commonName is enforced with "required" below; name and secretName fall
back to generated defaults even though the header comment calls them mandatory.
*/ -}}
68 {{- $dot := default . .dot -}}
69 {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
71 {{- $certificates := $dot.Values.certificates -}}
{{- /* Release globals are overlaid on the subchart globals; deepCopy keeps $initRoot.global unmodified. */ -}}
72 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global }}
74 {{ range $i, $certificate := $certificates }}
75 {{/*# General certificate attributes #*/}}
76 {{- $name := include "common.fullname" $dot -}}
{{- /* Defaults: "<fullname>-cert-<i>" for the Certificate name, "<fullname>-secret-<i>" for its secret. */ -}}
77 {{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}}
{{- /*
NOTE(review): secretName is expanded with tpl here, but common.certManager.volumes
and common.certManager.volumesReadOnly use $certificate.secretName verbatim, so a
secretName containing template syntax would make the volumes reference a secret
this Certificate never writes. tpl is also given "$" (the context this define was
invoked with, possibly the "dot"/"initRoot" dict) rather than $dot — confirm that
is the intended root for the expansion.
*/ -}}
78 {{- $secretName := default (printf "%s-secret-%d" $name $i) (tpl (default "" $certificate.secretName) $ ) -}}
79 {{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}}
{{- /* renewBefore and duration fall back to global.certificate.default when not set per certificate. */ -}}
80 {{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}}
81 {{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}}
82 {{- $namespace := $dot.Release.Namespace -}}
{{- /* Subject alternative names, taken as given (no defaults). */ -}}
84 {{- $dnsNames := $certificate.dnsNames -}}
85 {{- $ipAddresses := $certificate.ipAddresses -}}
86 {{- $uris := $certificate.uris -}}
87 {{- $emailAddresses := $certificate.emailAddresses -}}
{{- /* subject and issuer: the per-certificate value wins, otherwise the global default applies as a whole (no field-level merge). */ -}}
89 {{- $subject := $subchartGlobal.certificate.default.subject -}}
90 {{- if $certificate.subject -}}
91 {{- $subject = $certificate.subject -}}
94 {{- $issuer := $subchartGlobal.certificate.default.issuer -}}
95 {{- if $certificate.issuer -}}
96 {{- $issuer = $certificate.issuer -}}
{{- /*
Keystore password: produced by common.createPassword (seeded with $certName) and
quoted. With passwordSecretRef.create it is written into a Secret under
passwordSecretRef.key; otherwise the referenced secret presumably has to exist
already — confirm against the callers.
*/ -}}
99 {{ if $certificate.keystore -}}
100 {{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}}
101 {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote -}}
{{- /* NOTE(review): the Secret name is used verbatim here, while the issuerRef/keystore section below expands the same name with tpl — the two can diverge. */ -}}
102 {{- if $passwordSecretRef.create }}
106 name: {{ $passwordSecretRef.name }}
107 namespace: {{ $namespace }}
110 {{ $passwordSecretRef.key }}: {{ $password }}
114 apiVersion: cert-manager.io/v1
117 name: {{ $certName }}
118 namespace: {{ $namespace }}
120 secretName: {{ $secretName }}
121 commonName: {{ $commonName }}
122 renewBefore: {{ $renewBefore }}
124 duration: {{ $duration }}
{{- /* isCA and usages are emitted only when set; an unset isCA leaves cert-manager's default in force. */ -}}
126 {{- if $certificate.isCA }}
127 isCA: {{ $certificate.isCA }}
129 {{- if $certificate.usages }}
131 {{- range $usage := $certificate.usages }}
137 - {{ $subject.organization }}
139 - {{ $subject.country }}
141 - {{ $subject.locality }}
143 - {{ $subject.province }}
145 - {{ $subject.organizationalUnit }}
{{- /* dnsNames and uris are ranged unconditionally; ipAddresses and emailAddresses are guarded by an if. */ -}}
148 {{- range $dnsName := $dnsNames }}
152 {{- if $ipAddresses }}
154 {{- range $ipAddress := $ipAddresses }}
160 {{- range $uri := $uris }}
164 {{- if $emailAddresses }}
166 {{- range $emailAddress := $emailAddresses }}
167 - {{ $emailAddress }}
{{- /* issuerRef: the API group is written only for kinds other than "Issuer". */ -}}
171 {{- if not (eq $issuer.kind "Issuer" ) }}
172 group: {{ $issuer.group }}
174 kind: {{ $issuer.kind }}
175 name: {{ $issuer.name }}
{{- /* Keystore outputs: the value "p12" is normalised to "pkcs12" before it is emitted. */ -}}
176 {{- if $certificate.keystore }}
178 {{- range $outputType := $certificate.keystore.outputType }}
179 {{- if eq $outputType "p12" }}
180 {{- $outputType = "pkcs12" }}
185 name: {{ tpl (default "" $certificate.keystore.passwordSecretRef.name) $ }}
186 key: {{ $certificate.keystore.passwordSecretRef.key }}
192 {{/*Using the templates below allows read and write access to the volume mounted at $mountPath*/}}
194 {{- define "common.certManager.volumeMounts" -}}
{{- /*
Emits two volumeMounts per entry of .Values.certificates: the certificate
secret at "<mountPath>/secret-<i>" and the "-dir" volume at <mountPath> itself.
Context: the chart root, or a dict with "dot" and an optional "initRoot".
$subchartGlobal is computed but not used in this define.
NOTE(review): mountPath is read without "required" here, unlike in
common.certManager.linkVolumeMounts; an unset mountPath yields "/secret-<i>".
*/ -}}
195 {{- $dot := default . .dot -}}
196 {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
197 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
198 {{- range $i, $certificate := $dot.Values.certificates -}}
199 {{- $mountPath := $certificate.mountPath -}}
200 - mountPath: {{ (printf "%s/secret-%d" $mountPath $i) }}
201 name: certmanager-certs-volume-{{ $i }}
202 - mountPath: {{ $mountPath }}
203 name: certmanager-certs-volume-{{ $i }}-dir
207 {{- define "common.certManager.volumes" -}}
{{- /*
Emits the volumes matching common.certManager.volumeMounts: a "-dir" volume and
the certificate secret volume per entry of .Values.certificates, plus keystore
and password items when a keystore is configured.
Context: the chart root, or a dict with "dot" and an optional "initRoot".
$subchartGlobal is computed but not used in this define.
*/ -}}
208 {{- $dot := default . .dot -}}
209 {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
210 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
211 {{- $certificates := $dot.Values.certificates -}}
212 {{- range $i, $certificate := $certificates -}}
213 {{- $name := include "common.fullname" $dot -}}
{{- /*
NOTE(review): secretName is used verbatim here, whereas certManagerCertificate.certificate
expands it with tpl; if it contains template syntax this volume points at a
secret that is never created.
*/ -}}
214 {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
215 - name: certmanager-certs-volume-{{ $i }}-dir
217 - name: certmanager-certs-volume-{{ $i }}
221 name: {{ $certificatesSecretName }}
{{- /*
Keystore items are keyed "keystore.<outputType>" / "truststore.<outputType>".
NOTE(review): certManagerCertificate.certificate rewrites "p12" to "pkcs12" but
the raw outputType is used here; confirm both agree with the key names
cert-manager writes into the secret. The password secret name is also taken
verbatim (no tpl), unlike the keystore section of the Certificate.
*/ -}}
229 {{- if $certificate.keystore }}
230 {{- range $outputType := $certificate.keystore.outputType }}
231 - key: keystore.{{ $outputType }}
232 path: keystore.{{ $outputType }}
233 - key: truststore.{{ $outputType }}
234 path: truststore.{{ $outputType }}
237 name: {{ $certificate.keystore.passwordSecretRef.name }}
239 - key: {{ $certificate.keystore.passwordSecretRef.key }}
241 - key: {{ $certificate.keystore.passwordSecretRef.key }}
242 path: truststore.pass
247 {{- define "common.certManager.linkVolumeMounts" -}}
{{- /*
Builds a shell snippet of the form "ln -s <mountPath>/secret-<i>/* <mountPath>; ..."
with one ln per entry of .Values.certificates; each new entry is prepended, so the
last certificate comes first. mountPath is mandatory here.
Context: the chart root, or a dict with "dot" and an optional "initRoot".
$subchartGlobal is computed but not used in this define.
*/ -}}
248 {{- $dot := default . .dot -}}
249 {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
250 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
251 {{- $certificates := $dot.Values.certificates -}}
252 {{- $certsLinkCommand := "" -}}
253 {{- range $i, $certificate := $certificates -}}
254 {{- $destnationPath := (required "'mountPath' for Certificate is required." $certificate.mountPath) -}}
255 {{- $sourcePath := (printf "%s/secret-%d/*" $destnationPath $i) -}}
{{- /*
NOTE(review): mountPath is interpolated into the shell command unquoted. It is an
operator-supplied chart value, but a path containing whitespace or shell
metacharacters would change the meaning of the command; quoting the paths
(e.g. "ln -s '%s' '%s'") would make this robust.
*/ -}}
256 {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}}
258 {{ $certsLinkCommand }}
261 {{/*Using the templates below allows only read access to the volume mounted at $mountPath*/}}
263 {{- define "common.certManager.volumeMountsReadOnly" -}}
{{- /*
Emits one volumeMount per entry of .Values.certificates, mounting the
certificate secret volume directly at <mountPath> (no writable "-dir" volume).
Context: the chart root, or a dict with "dot" and an optional "initRoot".
$subchartGlobal is computed but not used in this define.
NOTE(review): no explicit readOnly field is visible on the mount; the read-only
behaviour presumably relies on the secret volume itself — confirm.
*/ -}}
264 {{- $dot := default . .dot -}}
265 {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
266 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
267 {{- range $i, $certificate := $dot.Values.certificates -}}
268 {{- $mountPath := $certificate.mountPath -}}
269 - mountPath: {{ $mountPath }}
270 name: certmanager-certs-volume-{{ $i }}
274 {{- define "common.certManager.volumesReadOnly" -}}
{{- /*
Emits the volumes matching common.certManager.volumeMountsReadOnly: only the
certificate secret volume per entry of .Values.certificates, plus keystore and
password items when a keystore is configured.
Context: the chart root, or a dict with "dot" and an optional "initRoot".
$subchartGlobal is computed but not used in this define.
*/ -}}
275 {{- $dot := default . .dot -}}
276 {{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
277 {{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
278 {{- $certificates := $dot.Values.certificates -}}
279 {{- range $i, $certificate := $certificates -}}
280 {{- $name := include "common.fullname" $dot -}}
{{- /*
NOTE(review): secretName is used verbatim here, whereas certManagerCertificate.certificate
expands it with tpl; if it contains template syntax this volume points at a
secret that is never created.
*/ -}}
281 {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
282 - name: certmanager-certs-volume-{{ $i }}
286 name: {{ $certificatesSecretName }}
{{- /*
Keystore items are keyed "keystore.<outputType>" / "truststore.<outputType>".
NOTE(review): the raw outputType is used here while the Certificate rewrites
"p12" to "pkcs12"; confirm both agree with the key names cert-manager writes.
The password secret name is also taken verbatim (no tpl).
*/ -}}
294 {{- if $certificate.keystore }}
295 {{- range $outputType := $certificate.keystore.outputType }}
296 - key: keystore.{{ $outputType }}
297 path: keystore.{{ $outputType }}
298 - key: truststore.{{ $outputType }}
299 path: truststore.{{ $outputType }}
302 name: {{ $certificate.keystore.passwordSecretRef.name }}
304 - key: {{ $certificate.keystore.passwordSecretRef.key }}
306 - key: {{ $certificate.keystore.passwordSecretRef.key }}
307 path: truststore.pass