diff --git a/charts/enterprise/clusterissuer/Chart.yaml b/charts/enterprise/clusterissuer/Chart.yaml
index 25dd8f07af0..d8b31deeab2 100644
--- a/charts/enterprise/clusterissuer/Chart.yaml
+++ b/charts/enterprise/clusterissuer/Chart.yaml
@@ -10,7 +10,7 @@ keywords:
 dependencies:
 - name: common
 repository: https://library-charts.truecharts.org
- version: 14.0.9
+ version: 14.1.0
 kubeVersion: ">=1.16.0-0"
 maintainers:
 - email: info@truecharts.org
@@ -21,7 +21,7 @@ sources:
 - https://github.com/truecharts/charts/tree/master/charts/enterprise/clusterissuer
 - https://cert-manager.io/
 type: application
-version: 4.1.4
+version: 4.2.0
 annotations:
 truecharts.org/category: core
 truecharts.org/SCALE-support: "true"
diff --git a/charts/enterprise/clusterissuer/questions.yaml b/charts/enterprise/clusterissuer/questions.yaml
index 2ae5abf1af0..e0a2c8266ea 100644
--- a/charts/enterprise/clusterissuer/questions.yaml
+++ b/charts/enterprise/clusterissuer/questions.yaml
@@ -329,6 +329,53 @@ questions:
 valid_chars: '^[a-z]+(-?[a-z]){0,63}-?[a-z]+$'
 default: "selfsigned"
+ - variable: clusterCertificates
+ group: App Configuration
+ label: Cluster Wide Certificates (Experimental)
+ description: "Creates certificates for use within the entire cluster. Can be used to create wildcard certificates."
+ schema:
+ additional_attrs: true
+ type: dict
+ attrs:
+ - variable: certificates
+ label: Cluster Certificates
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: enabled
+ label: Enabled
+ schema:
+ type: boolean
+ default: true
+ - variable: name
+ label: Certificate Name
+ schema:
+ type: string
+ required: true
+ default: ""
+ - variable: certificateIssuer
+ label: Cert-Manager clusterIssuer
+ description: "One of the Cert-Manager clusterIssuers defined above"
+ schema:
+ type: string
+ required: true
+ valid_chars: '^[a-z]+(-?[a-z]){0,63}-?[a-z]+$'
+ default: "selfsigned"
+ - variable: hosts
+ label: Certificate Hosts
+ description: "NOTE: Creation of wildcard certificates with an ACME issuer requires a DNSO1 solver to be set up."
+ schema:
+ type: list
+ default: []
+ items:
+ - variable: host
+ label: Host
+ schema:
+ type: string
+ default: ""
+ required: true
+ + - variable: customMetrics group: Metrics label: Prometheus Metrics
diff --git a/charts/enterprise/clusterissuer/templates/clusterissuer/_clusterCertificates.tpl b/charts/enterprise/clusterissuer/templates/clusterissuer/_clusterCertificates.tpl
new file mode 100644
index 00000000000..ef3da9464e5
--- /dev/null
+++ b/charts/enterprise/clusterissuer/templates/clusterissuer/_clusterCertificates.tpl
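Review bot: The hosts description on the new `hosts` item misspells the ACME challenge type: `DNSO1` (letter O) should be `DNS01`, i.e. `description: "NOTE: Creation of wildcard certificates with an ACME issuer requires a DNS01 solver to be set up."`. The group description also never says what "cluster wide" means in practice: the accompanying template passes each entry to the common certificate spawner and annotates the resulting TLS Secret for cross-namespace reflection, so the private key is copied into other namespaces, yet this form exposes no `replicationNamespaces` control and the template's own default (`ix-.*` on SCALE, `.*` elsewhere) decides the scope. I would extend the group description with a sentence such as "The resulting TLS secret, private key included, is copied into every namespace matched by replicationNamespaces; on SCALE this defaults to all ix-* app namespaces." Since `host` is forwarded unchanged, a `valid_chars` pattern that admits only a hostname with an optional leading `*.` label would also stop malformed or overly broad values reaching the Certificate.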
@@ -0,0 +1,36 @@
+{{- define "certmanager.clusterissuer.clusterCertificates" -}}
+ {{- if .Values.clusterCertificates -}}
+ {{- $certs := dict -}}
+ {{- $secretTemplates := dict -}}
+ {{- $certNamespace := (include "tc.v1.common.lib.metadata.namespace" (dict "rootCtx" $ "objectData" $certs "caller" "ClusterCertificates")) -}}
+ {{- $replicationNamespaces := ".*" -}}
+ {{- if .Values.clusterCertificates.replicationNamespaces -}}
+ {{- $replicationNamespaces = .Values.clusterCertificates.replicationNamespaces -}}
+ {{- else if .Values.ixChartContext -}}
+ {{- $replicationNamespaces = "ix-.*" -}}
+ {{- end -}}
+ {{- $reflectorAnnotations := (dict "reflector.v1.k8s.emberstack.com/reflection-allowed" "true" "reflector.v1.k8s.emberstack.com/reflection-auto-enabled" "true" "reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces" (printf "%v,%v" $certNamespace $replicationNamespaces) "reflector.v1.k8s.emberstack.com/reflection-auto-namespaces" $replicationNamespaces ) -}}
+ {{- $certAnnotations := (mustMerge ($reflectorAnnotations) (include "tc.v1.common.lib.metadata.allAnnotations" $ | fromYaml)) -}}
+
+ {{- $_ := set $secretTemplates "annotations" $certAnnotations -}}
+
+ {{- range .Values.clusterCertificates.certificates -}}
+ {{- $_ := set $certs .name dict -}}
+ {{- $currentCert := (index $certs (.name)) -}}
+ {{- $_ := set $currentCert "enabled" .enabled -}}
+ {{- $_ := set $currentCert "nameOverride" .name -}}
+ {{- $_ := set $currentCert "hosts" .hosts -}}
+ {{- $_ := set $currentCert "certificateIssuer" .certificateIssuer -}}
+ {{- $_ := set $currentCert "secretTemplate" $secretTemplates -}}
+ {{- end -}}
+
+ {{- $_ := set .Values "cert" $certs -}}
+ {{/* Render the ClusterWide Certificate(s) */}}
+ {{- include "tc.v1.common.spawner.certificate" . | nindent 0 -}}
+ {{- end -}}
+{{- end -}}
+
diff --git a/charts/enterprise/clusterissuer/templates/common.yaml b/charts/enterprise/clusterissuer/templates/common.yaml
index 874f41f5c4e..8d713d12f0f 100644
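Review bot: The fallback `{{- $replicationNamespaces := ".*" -}}` on the sixth added line means that on a non-SCALE cluster with `replicationNamespaces` unset, every Secret produced here is annotated `reflection-auto-enabled: "true"` with `reflection-auto-namespaces: ".*"`, so the TLS private key — for a wildcard host, the key covering the whole domain — is mirrored into every namespace and readable by anyone holding `get secrets` in any of them. Cluster-wide replication of a private key should be opt-in rather than the default: I would fall back to the certificate's own namespace, `{{- $replicationNamespaces := $certNamespace -}}` (the variable is already defined on the line above), so nothing leaves the namespace unless the operator lists targets explicitly, keeping `ix-.*` only for the SCALE branch where that scope is intentional. I cannot confirm from this diff how reflector interprets an empty namespace list, so the own-namespace value is the safe way to express "no replication". A comment above the annotation `dict`, such as `{{/* Every namespace matched here receives a copy of the TLS secret, private key included */}}`, would make that blast radius visible to the next maintainer.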
--- a/charts/enterprise/clusterissuer/templates/common.yaml
+++ b/charts/enterprise/clusterissuer/templates/common.yaml
@@ -7,3 +7,8 @@
 {{- include "certmanager.clusterissuer.acme" . }}
 {{- include "certmanager.clusterissuer.selfsigned" . }}
 {{- include "certmanager.clusterissuer.ca" . }}
+
+{{/* Must be called after the initial loader.apply template, because it overrides .Values.cert in order to generate the additional cluster-wide certificates */}}
+{{- include "certmanager.clusterissuer.clusterCertificates" . }}
diff --git a/charts/enterprise/clusterissuer/values.yaml b/charts/enterprise/clusterissuer/values.yaml
index 51f5c994b2e..70218d5c15a 100644
--- a/charts/enterprise/clusterissuer/values.yaml
+++ b/charts/enterprise/clusterissuer/values.yaml
@@ -94,3 +94,15 @@ clusterIssuer:
 # fulldomain: ""
 # subdomain: ""
 # allowFrom: []
+
+clusterCertificates:
+ # Namespaces in which the certificates must be available
+ # Accepts comma-separated regex expressions
+ # replicationNamespaces: 'ix-.*'
+ certificates: []
+ # - name: mycert
+ # enabled: true
+ # certificateIssuer: selfsigned
+ # hosts:
+ # - my.domain.com
+ # - '*.my.domain.com'
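Review bot: The `replicationNamespaces` comment block in the values.yaml hunk shows an `ix-.*` example but never states what happens when the key is left unset, which is the shipped state: from the accompanying template, the fallback is `ix-.*` under SCALE and `.*` — every namespace in the cluster — elsewhere, and the object being mirrored is the TLS Secret with its private key. An operator reading only values.yaml cannot see that leaving the default means a wildcard key is handed to every namespace, so I would replace the two comment lines with `# Namespaces the issued TLS secrets (private key included) are mirrored into.` and `# Comma-separated regexes; unset means 'ix-.*' on SCALE and '.*' (every namespace) elsewhere.` above the existing `# replicationNamespaces: 'ix-.*'` example. Whether the wildcard example `'*.my.domain.com'` works also depends on the chosen issuer having a DNS01 solver, which the questions.yaml text mentions but this file does not.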