cert docs

docs/common-library/values/certificates.md

@@ -0,0 +1,69 @@
+# Certificates
+
+## scaleCerts
+
+- Type: `dict`
+- Default: `{}`
+- Helm Template:
+  - certPath: ✅
+  - keyPath: ✅
+
+Before taking any action, it will check if middleware have populated
+the `ixCertificates` list, and that the `id` is included.
+
+For every item it will create a secret containing
+the certificate and the private key.
+
+Optionally, you can mount certificate, private key or both in the
+container as files.
+
+Examples:
+
+```yaml
+scaleCerts: {}
+  some_cert_name:
+    # ID Comes from the definitions on the GUI
+    id: 1
+    # Optional, Override Name
+    nameOverride: name_override
+    # Optional, If populated, it will mount the certificate in the container's path
+    certPath: /some/path/in/the/container/crt.key
+    # Optional, If populated, it will mount the private key in the container's path
+    keyPath: /some/path/in/the/container/key.key
+    # Optional, Allow the use of revoked certs, even if is not allowed globally
+    useRevoked: false
+    # Optional, Allow the use of expired certs, even if is not allowed globally
+    useExpired: false
+```
+
+## scaleCertsList
+
+- Type: `list`
+- Default: `[]`
+- Helm Template:
+  - certPath: ✅
+  - keyPath: ✅
+
+Anything that applies to `scaleCerts` applies here too.
+
+The only difference is that this is a `list` instead of `dict`
+
+This list can used for Scale GUI as it's easier to build lists.
+
+Example:
+
+```yaml
+scaleCertsList: []
+  - name: some_cert_name
+    id: 1
+    # Optional
+    nameOverride: name_override
+    # Optional
+    certPath:
+    # Optional
+    keyPath:
+    # Optional
+    useRevoked: false
+    # Optional
+    useExpired: false
+```

library/common-test/tests/cert/cert_secret_mount_test.yaml

@@ -333,3 +333,56 @@ tests:
           content:
             mountPath: /some/path/key.key
             subPath: tls.key
+
+  - it: should pass with mounted secret both certificate and private key without extra options and paths from tpl
+    documentIndex: *deploymentDoc
+    set:
+      path1: /some/path/crt.key
+      path2: /some/path/key.key
+      # Simulating middleware injection
+      ixCertificates:
+        "1":
+          certificate: cert_content
+          privatekey: some_key
+      scaleCerts:
+        cert-name:
+          id: 1
+          cert:
+            enabled: true
+            path: "{{ .Values.path1 }}"
+          key:
+            enabled: true
+            path: "{{ .Values.path2 }}"
+    asserts:
+      - isKind:
+          of: Deployment
+      - matchRegex:
+          path: spec.template.spec.volumes[0].name
+          pattern: *patternCert
+      - equal:
+          path: spec.template.spec.volumes[0].secret
+          value:
+            secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+      - matchRegex:
+          path: spec.template.spec.containers[0].volumeMounts[0].name
+          pattern: *patternCert
+      - isSubset:
+          path: spec.template.spec.containers[0].volumeMounts[0]
+          content:
+            mountPath: /some/path/crt.key
+            subPath: tls.crt
+      - matchRegex:
+          path: spec.template.spec.volumes[1].name
+          pattern: *patternKey
+      - equal:
+          path: spec.template.spec.volumes[1].secret
+          value:
+            secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+      - matchRegex:
+          path: spec.template.spec.containers[0].volumeMounts[1].name
+          pattern: *patternKey
+      - isSubset:
+          path: spec.template.spec.containers[0].volumeMounts[1]
+          content:
+            mountPath: /some/path/key.key
+            subPath: tls.key

library/common/1.0.0/templates/class/_certifcate.tpl

@@ -29,7 +29,7 @@
       {{- if $cert.cert.path -}}
 
         {{/* Append mountPath and subPath */}}
-        {{- $_ := set $persistenceDict "mountPath" $cert.cert.path -}}
+        {{- $_ := set $persistenceDict "mountPath" (tpl $cert.cert.path $root) -}}
         {{- $_ := set $persistenceDict "subPath" $tlsCrtKey -}}
 
         {{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created  */}}
@@ -58,7 +58,7 @@
       {{- if $cert.key.path -}}
 
         {{/* Append mountPath and subPath */}}
-        {{- $_ := set $persistenceDict "mountPath" $cert.key.path -}}
+        {{- $_ := set $persistenceDict "mountPath" (tpl $cert.key.path $root) -}}
         {{- $_ := set $persistenceDict "subPath" $tlsPrivateKey -}}
 
         {{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}}

library/common/1.0.0/values.yaml

@@ -103,40 +103,27 @@ probes:
       periodSeconds: 5
       failureThreshold: 60
 
-# Used for SCALE GUI
+# Used for SCALE / GUI Focused
 scaleGPU: {}
 
-# Used for SCALE GUI
+# Used for SCALE / GUI Focused
 externalInterfaces: []
 
+# Used for SCALE
+scaleCerts: {}
+
+# Used for SCALE / GUI Focused
+scaleCertsList: []
+
 # Injected from middleware
 ixExternalInterfacesConfiguration: []
 # Injected from middleware
 ixExternalInterfacesConfigurationNames: []
+# Injected from middleware
+ixCertificates: []
 
 # - Everything bellow needs documentation
 
-scaleCerts: {}
-  # some_cert_name:
-  #   # Override Name
-  #   nameOverride: name_override
-  #   # ID Comes from the definitions on the GUI
-  #   id: 1
-  #   # If populated, it will mount the certificate in the container in this path
-  #   certPath:
-  #   # If populated, it will mount the private key in the container in this path
-  #   keyPath:
-  #   useRevoked: false
-  #   useExpired: false
-scaleCertsList: []
-  # - name: some_cert_name
-  #   nameOverride: name_override
-  #   id: 1
-  #   certPath:
-  #   keyPath:
-  #   useRevoked: false
-  #   useExpired: false
-
 global:
   defaults:
     # If not defined on the the cert item, assume this