From 8d63f54481aa04167a51ae05c8b98a55d3a4af27 Mon Sep 17 00:00:00 2001
From: Daniel Nephin
Date: Wed, 29 Jun 2022 17:00:21 -0400
Subject: [PATCH] improve: create infra-server-ca secret

---
 Makefile | 2 +-
 .../infra/templates/server/configmap.yaml | 6 ++++
 .../infra/templates/server/deployment.yaml | 9 ++++++
 .../charts/infra/templates/server/secret.yaml | 29 +++++++++++++++++++
 helm/charts/infra/values.yaml | 4 +++
 5 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 helm/charts/infra/templates/server/secret.yaml

diff --git a/Makefile b/Makefile
index a877dd6076..bf342ad77d 100644
--- a/Makefile
+++ b/Makefile
@@ -12,7 +12,7 @@ test/update:
 go test ./internal/cmd -test.update-golden
 dev:
- docker build . -t infrahq/infra:dev
+ docker buildx build . -t infrahq/infra:dev
 kubectl config use-context docker-desktop
 helm upgrade --install --wait \
 --set global.image.pullPolicy=Never \
diff --git a/helm/charts/infra/templates/server/configmap.yaml b/helm/charts/infra/templates/server/configmap.yaml
index 5efec29757..bf5723be5c 100644
--- a/helm/charts/infra/templates/server/configmap.yaml
+++ b/helm/charts/infra/templates/server/configmap.yaml
@@ -36,6 +36,12 @@ data:
 {{- end }}
 {{- end }}
+{{- if (not .Values.server.config.tls) }}
+ tls:
+ ca: "/var/run/secrets/infrahq.com/tls-ca/ca.crt"
+ caPrivateKey: "file:/var/run/secrets/infrahq.com/tls-ca/ca.key"
+{{- end }}
+
 providers:
 {{- .Values.server.additionalProviders | default list | concat .Values.server.config.providers | uniq | toYaml | nindent 6 }}
diff --git a/helm/charts/infra/templates/server/deployment.yaml b/helm/charts/infra/templates/server/deployment.yaml
index 1c95a7ee48..5f418864e3 100644
--- a/helm/charts/infra/templates/server/deployment.yaml
+++ b/helm/charts/infra/templates/server/deployment.yaml
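Review bot: The new `tls:` block is emitted under `{{- if (not .Values.server.config.tls) }}`, and that exact condition is repeated verbatim in both deployment.yaml hunks and in secret.yaml, so a future edit to any one of the four copies silently leaves the server configured to read `/var/run/secrets/infrahq.com/tls-ca/ca.key` with no volume or Secret behind it. A single named helper keeps them in step, e.g. `{{- define "server.generateCA" }}{{ not .Values.server.config.tls }}{{- end }}` evaluated as `{{- if include "server.generateCA" . | eq "true" }}` at each site. A one-line comment above the block, `{{/* paths must match the tls-ca volumeMount in deployment.yaml and the keys in secret.yaml */}}`, would also help the next maintainer. The `data:` entry this block is written under starts before the hunk.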
@@ -48,6 +48,10 @@ spec:
 - name: conf
 mountPath: /etc/infrahq
 readOnly: true
+{{- if (not .Values.server.config.tls) }}
+ - name: tls-ca
+ mountPath: /var/run/secrets/infrahq.com/tls-ca
+{{- end }}
 {{- if .Values.server.persistence.enabled }}
 - name: data
 mountPath: /var/lib/infrahq/server
@@ -89,6 +93,11 @@ spec:
 - name: conf
 configMap:
 name: {{ include "server.fullname" . }}
+{{- if (not .Values.server.config.tls) }}
+ - name: tls-ca
+ secret:
+ secretName: {{ include "server.fullname" . }}-ca
+{{- end }}
 {{- if .Values.server.persistence.enabled }}
 - name: data
 persistentVolumeClaim:
diff --git a/helm/charts/infra/templates/server/secret.yaml b/helm/charts/infra/templates/server/secret.yaml
new file mode 100644
index 0000000000..d27756ad19
--- /dev/null
+++ b/helm/charts/infra/templates/server/secret.yaml
@@ -0,0 +1,29 @@
+
+{{- if include "server.enabled" . | eq "true" }}
+{{- if (not .Values.server.config.tls) }}
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ include "server.fullname" . }}-ca
+ labels:
+{{- include "server.labels" . | nindent 4 }}
+data:
+
+{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-ca" (include "server.fullname" .)) -}}
+{{- if $secret.data }}
+ ca.crt: |
+{{- get $secret.data "ca.crt" | nindent 4 }}
+ ca.key: |
+{{- get $secret.data "ca.key" | nindent 4 }}
+
+{{- else }}
+{{- $ca := genCA "Infra Server" 3650 }}
+ ca.crt: |
+{{- $ca.Cert | b64enc | nindent 4 }}
+ ca.key: |
+{{- $ca.Key | b64enc | nindent 4 }}
+
+{{- end }}{{/* if secret.data */}}
+{{- end }}{{/* if not tls */}}
+{{- end }}{{/* if server.enabled */}}
diff --git a/helm/charts/infra/values.yaml b/helm/charts/infra/values.yaml
index 7c032fa888..837de7a9e4 100644
--- a/helm/charts/infra/values.yaml
+++ b/helm/charts/infra/values.yaml
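Review bot: The new `tls-ca` volumeMount has no `readOnly: true`, unlike the `conf` mount directly above it in the same list, so the mount that exposes the CA private key is the only one declared writable; add `readOnly: true` after `mountPath: /var/run/secrets/infrahq.com/tls-ca`. On current Kubernetes the kubelet mounts Secret volumes read-only anyway, so this is about matching the sibling mount and making the intent explicit rather than a live hole, but it is the kind of inconsistency that gets copied. The volumeMounts list begins before the hunk.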
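Review bot: The `tls-ca` secret volume in the second deployment.yaml hunk uses the default file mode, which leaves `ca.key` readable by every UID inside the container (Secret volumes default to 0644); setting `defaultMode: 0400` under `secret:` next to `secretName` restricts it to the file owner. Whether 0400 is usable depends on the runAsUser/fsGroup the server container runs with, which is set outside this hunk, so check the pod securityContext before picking the mode and leave a comment on the line stating why it was chosen.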
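Review bot: `lookup` returns an empty map under `helm template`, `--dry-run` and any tooling that renders without cluster access, so in those flows `$secret.data` is never populated and the `genCA "Infra Server" 3650` branch mints a fresh CA on every render; a `helm template | kubectl apply` pipeline therefore rotates the CA on each apply and invalidates every certificate issued from the previous one. That deserves a comment at the `lookup` line, e.g. `{{/* lookup is empty under helm template/--dry-run: a new CA is generated and certs from the old one stop validating; set server.config.tls in such pipelines */}}`, plus the same warning in the chart docs. Separately, because Helm persists the rendered manifest in its release-record Secrets, the CA private key also lives in every release revision and not only in the `-ca` Secret; that should be documented so operators know what to purge on rotation. The generated CA is valid for ten years and nothing here rotates it, which is worth stating in the same place.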
@@ -531,6 +531,10 @@ server:
 # - name: dev@example.com
 # password: file:/var/run/secrets/dev@example.com
+ # TLS configuration for the API server. Defaults to generating a self-signed CA and
+ # generating certificates from that CA.
+ tls: {}
+
 ## Default connector configurations
 connector:
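Review bot: The comment on the new `tls: {}` key does not say what a user may put in it; the configmap hunk shows the chart itself writes `tls.ca` (a file path) and `tls.caPrivateKey` (a `file:` reference), and presumably user-supplied values take the same forms. It should also say what "empty" triggers: the chart creates and mounts a `<server.fullname>-ca` Secret and re-reads it on upgrade, so opting out later means supplying both keys. A comment such as `# Set ca and caPrivateKey to supply your own CA; when empty the chart generates one (valid 3650 days, not rotated) and stores it in the <release>-ca Secret.` would cover this. The `config:` mapping this key belongs to starts before the hunk.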