#
# To request a certificate following steps are to be done:
# - create an object 'certificates' in the values.yaml
-# - create a file templates/certificates.yaml and invoke the function "certManagerCertificate.certificate".
+# - create a file templates/certificate.yaml and invoke the function "certManagerCertificate.certificate".
#
# Here is an example of the certificate request for a component:
#
# passwordSecretRef:
# name: secret-name
# key: secret-key
+# create: true
#
# Fields 'name', 'secretName' and 'commonName' are mandatory and required to be defined.
# Other mandatory fields for the certificate definition do not have to be defined directly,
{{/*# General certifiacate attributes #*/}}
{{- $name := include "common.fullname" $dot -}}
{{- $certName := default (printf "%s-cert-%d" $name $i) $certificate.name -}}
-{{- $secretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+{{- $secretName := default (printf "%s-secret-%d" $name $i) (tpl (default "" $certificate.secretName) $ ) -}}
{{- $commonName := (required "'commonName' for Certificate is required." $certificate.commonName) -}}
{{- $renewBefore := default $subchartGlobal.certificate.default.renewBefore $certificate.renewBefore -}}
{{- $duration := default $subchartGlobal.certificate.default.duration $certificate.duration -}}
{{- if $certificate.issuer -}}
{{- $issuer = $certificate.issuer -}}
{{- end -}}
----
-{{- if $certificate.keystore }}
+{{/*# Secret #*/}}
+{{ if $certificate.keystore -}}
{{- $passwordSecretRef := $certificate.keystore.passwordSecretRef -}}
- {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote }}
+ {{- $password := include "common.createPassword" (dict "dot" $dot "uid" $certName) | quote -}}
+ {{- if $passwordSecretRef.create }}
apiVersion: v1
kind: Secret
metadata:
type: Opaque
stringData:
{{ $passwordSecretRef.key }}: {{ $password }}
-{{- end }}
+ {{- end }}
+{{ end -}}
---
apiVersion: cert-manager.io/v1
kind: Certificate
{{- if $duration }}
duration: {{ $duration }}
{{- end }}
+ {{- if $certificate.isCA }}
+ isCA: {{ $certificate.isCA }}
+ {{- end }}
+ {{- if $certificate.usages }}
+ usages:
+ {{- range $usage := $certificate.usages }}
+ - {{ $usage }}
+ {{- end }}
+ {{- end }}
subject:
organizations:
- {{ $subject.organization }}
{{- end }}
{{- end }}
issuerRef:
+ {{- if not (eq $issuer.kind "Issuer" ) }}
group: {{ $issuer.group }}
+ {{- end }}
kind: {{ $issuer.kind }}
name: {{ $issuer.name }}
{{- if $certificate.keystore }}
{{ $outputType }}:
create: true
passwordSecretRef:
- name: {{ $certificate.keystore.passwordSecretRef.name }}
+ name: {{ tpl (default "" $certificate.keystore.passwordSecretRef.name) $ }}
key: {{ $certificate.keystore.passwordSecretRef.key }}
{{- end }}
{{- end }}
{{ end }}
{{- end -}}
+{{/*Using templates below allows read and write access to volume mounted at $mountPath*/}}
+
{{- define "common.certManager.volumeMounts" -}}
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
{{- range $i, $certificate := $dot.Values.certificates -}}
{{- $mountPath := $certificate.mountPath -}}
-- mountPath: {{ $mountPath }}
+- mountPath: {{ (printf "%s/secret-%d" $mountPath $i) }}
name: certmanager-certs-volume-{{ $i }}
+- mountPath: {{ $mountPath }}
+ name: certmanager-certs-volume-{{ $i }}-dir
{{- end -}}
{{- end -}}
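Review bot: The `tpl` calls added on the secretName line (`$secretName := default ... (tpl (default "" $certificate.secretName) $ )`) and on the keystore `passwordSecretRef.name` line pass `$` as the render context, while every other lookup in this template uses `$dot` (for example `include "common.fullname" $dot`); if the template is included with a dict, as the `default . .dot` pattern in the volumeMounts define suggests, `$` is that dict rather than the chart root and templated names that reference `.Values` would not resolve, so `tpl ... $dot` looks like the safer choice on both lines: `(tpl (default "" $certificate.secretName) $dot)` and `name: {{ tpl (default "" $certificate.keystore.passwordSecretRef.name) $dot }}`. The same two values are read again without `tpl` in the volumes define that follows this hunk (`$certificatesSecretName := default (...) $certificate.secretName` and the projected-source `name: {{ $certificate.keystore.passwordSecretRef.name }}`), so a templated secretName would be rendered for the Certificate object but left raw for the Secret the pod mounts, and the pod would reference a Secret that cert-manager never writes (or, if the raw string happens to match, a different one). Resolving the names once with the same `tpl` call in both defines keeps the Certificate's target Secret and the projected volume source in agreement. The volumes define starts outside this hunk, so its lines are only named here, not shown.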
{{- $dot := default . .dot -}}
{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- $certificates := $dot.Values.certificates -}}
+ {{- range $i, $certificate := $certificates -}}
+ {{- $name := include "common.fullname" $dot -}}
+ {{- $certificatesSecretName := default (printf "%s-secret-%d" $name $i) $certificate.secretName -}}
+- name: certmanager-certs-volume-{{ $i }}-dir
+ emptyDir: {}
+- name: certmanager-certs-volume-{{ $i }}
+ projected:
+ sources:
+ - secret:
+ name: {{ $certificatesSecretName }}
+ {{- if $certificate.keystore }}
+ items:
+ {{- range $outputType := $certificate.keystore.outputType }}
+ - key: keystore.{{ $outputType }}
+ path: keystore.{{ $outputType }}
+ - key: truststore.{{ $outputType }}
+ path: truststore.{{ $outputType }}
+ {{- end }}
+ - secret:
+ name: {{ $certificate.keystore.passwordSecretRef.name }}
+ items:
+ - key: {{ $certificate.keystore.passwordSecretRef.key }}
+ path: keystore.pass
+ - key: {{ $certificate.keystore.passwordSecretRef.key }}
+ path: truststore.pass
+ {{- end }}
+ {{- end -}}
+{{- end -}}
+
+{{- define "common.certManager.linkVolumeMounts" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+{{- $certificates := $dot.Values.certificates -}}
+{{- $certsLinkCommand := "" -}}
+ {{- range $i, $certificate := $certificates -}}
+ {{- $destnationPath := (required "'mountPath' for Certificate is required." $certificate.mountPath) -}}
+ {{- $sourcePath := (printf "%s/secret-%d/*" $destnationPath $i) -}}
+ {{- $certsLinkCommand = (printf "ln -s %s %s; %s" $sourcePath $destnationPath $certsLinkCommand) -}}
+ {{- end -}}
+{{ $certsLinkCommand }}
+{{- end -}}
+
+{{/*Using templates below allows only read access to volume mounted at $mountPath*/}}
+
+{{- define "common.certManager.volumeMountsReadOnly" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
+ {{- range $i, $certificate := $dot.Values.certificates -}}
+ {{- $mountPath := $certificate.mountPath -}}
+- mountPath: {{ $mountPath }}
+ name: certmanager-certs-volume-{{ $i }}
+ {{- end -}}
+{{- end -}}
+
+{{- define "common.certManager.volumesReadOnly" -}}
+{{- $dot := default . .dot -}}
+{{- $initRoot := default $dot.Values.certManagerCertificate .initRoot -}}
+{{- $subchartGlobal := mergeOverwrite (deepCopy $initRoot.global) $dot.Values.global -}}
{{- $certificates := $dot.Values.certificates -}}
{{- range $i, $certificate := $certificates -}}
{{- $name := include "common.fullname" $dot -}}