improve: create infra-server-ca secret

infrahq · Jun 29, 2022 · b7b5ecd · b7b5ecd
1 parent 4dfd974
commit b7b5ecd
Show file tree

Hide file tree

Showing 5 changed files with 49 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -12,7 +12,7 @@ test/update:
 	go test ./internal/cmd -test.update-golden
 
 dev:
-	docker build . -t infrahq/infra:dev
+	docker buildx build . -t infrahq/infra:dev
 	kubectl config use-context docker-desktop
 	helm upgrade --install --wait  \
 		--set global.image.pullPolicy=Never \

diff --git a/helm/charts/infra/templates/server/configmap.yaml b/helm/charts/infra/templates/server/configmap.yaml
@@ -36,6 +36,12 @@ data:
 {{- end }}
 {{- end }}
 
+{{- if (not .Values.server.config.tls) }}
+    tls:
+      ca: "/var/run/secrets/infrahq.com/tls-ca/ca.crt"
+      caPrivateKey: "file:/var/run/secrets/infrahq.com/tls-ca/ca.key"
+{{- end }}
+
     providers:
 {{- .Values.server.additionalProviders | default list | concat .Values.server.config.providers | uniq | toYaml | nindent 6 }}
 

diff --git a/helm/charts/infra/templates/server/deployment.yaml b/helm/charts/infra/templates/server/deployment.yaml
@@ -48,6 +48,10 @@ spec:
             - name: conf
               mountPath: /etc/infrahq
               readOnly: true
+{{- if (not .Values.server.config.tls) }}
+            - name: tls-ca
+              mountPath: /var/run/secrets/infrahq.com/tls-ca
+{{- end }}
 {{- if .Values.server.persistence.enabled }}
             - name: data
               mountPath: /var/lib/infrahq/server
@@ -89,6 +93,11 @@ spec:
         - name: conf
           configMap:
             name: {{ include "server.fullname" . }}
+{{- if (not .Values.server.config.tls) }}
+        - name: tls-ca
+          secret:
+            secretName: {{ include "server.fullname" . }}-ca
+{{- end }}
 {{- if .Values.server.persistence.enabled }}
         - name: data
           persistentVolumeClaim:

diff --git a/helm/charts/infra/templates/server/secret.yaml b/helm/charts/infra/templates/server/secret.yaml
@@ -0,0 +1,29 @@
+
+{{- if include "server.enabled" . | eq "true" }}
+{{- if (not .Values.server.config.tls) }}
+{{- $secret := lookup "v1" "Secret" .Release.Namespace (printf "%s-ca" (include "server.fullname" .)) -}}
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "server.fullname" . }}-ca
+  labels:
+{{- include "server.labels" . | nindent 4 }}
+stringData:
+
+{{- if $secret.data }}
+  ca.crt: |
+{{- get $secret.data "ca.crt" | b64dec | nindent 4 }}
+  ca.key: |
+{{- get $secret.data "ca.key" | b64dec | nindent 4 }}
+
+{{- else }}
+{{- $ca := genCA "Infra Server" 3650 }}
+  ca.crt: |
+{{- $ca.Cert | nindent 4 }}
+  ca.key: |
+{{- $ca.Key | nindent 4 }}
+
+{{- end }}{{/* if secret.data */}}
+{{- end }}{{/* if not tls */}}
+{{- end }}{{/* if server.enabled */}}
diff --git a/helm/charts/infra/values.yaml b/helm/charts/infra/values.yaml
@@ -531,6 +531,10 @@ server:
     # - name: [email protected]
     #   password: file:/var/run/secrets/[email protected]
 
+    # TLS configuration for the API server. Defaults to generating a self-signed CA and
+    # generating certificates from that CA.
+    tls: {}
+
 ## Default connector configurations
 connector: