diff --git a/docs/common-library/values/certificates.md b/docs/common-library/values/certificates.md
new file mode 100644
index 0000000000..1492c9ddaa
--- /dev/null
+++ b/docs/common-library/values/certificates.md
@@ -0,0 +1,69 @@
+# Certificates
+
+## scaleCerts
+
+- Type: `dict`
+- Default: `{}`
+- Helm Template:
+ - certPath: ✅
+ - keyPath: ✅
+
+Before taking any action, it will check if middleware have populated
+the `ixCertificates` list, and that the `id` is included.
+
+For every item it will create a secret containing
+the certificate and the private key.
+
+Optionally, you can mount certificate, private key or both in the
+container as files.
+
+Examples:
+
+```yaml
+scaleCerts: {}
+ some_cert_name:
+ # ID Comes from the definitions on the GUI
+ id: 1
+ # Optional, Override Name
+ nameOverride: name_override
+ # Optional, If populated, it will mount the certificate in the container's path
+ certPath: /some/path/in/the/container/crt.key
+ # Optional, If populated, it will mount the private key in the container's path
+ keyPath: /some/path/in/the/container/key.key
+ # Optional, Allow the use of revoked certs, even if is not allowed globally
+ useRevoked: false
+ # Optional, Allow the use of expired certs, even if is not allowed globally
+ useExpired: false
+```
+
+## scaleCertsList
+
+- Type: `list`
+- Default: `[]`
+- Helm Template:
+ - certPath: ✅
+ - keyPath: ✅
+
+Anything that applies to `scaleCerts` applies here too.
+
+The only difference is that this is a `list` instead of `dict`
+
+This list can used for Scale GUI as it's easier to build lists.
+
+Example:
+
+```yaml
+scaleCertsList: []
+ - name: some_cert_name
+ id: 1
+ # Optional
+ nameOverride: name_override
+ # Optional
+ certPath:
+ # Optional
+ keyPath:
+ # Optional
+ useRevoked: false
+ # Optional
+ useExpired: false
+```
diff --git a/library/common-test/tests/cert/cert_secret_mount_test.yaml b/library/common-test/tests/cert/cert_secret_mount_test.yaml
index 59ea6ea3b9..23bacc66e4 100644
--- a/library/common-test/tests/cert/cert_secret_mount_test.yaml
+++ b/library/common-test/tests/cert/cert_secret_mount_test.yaml
@@ -333,3 +333,56 @@ tests:
 content:
 mountPath: /some/path/key.key
 subPath: tls.key
+
+ - it: should pass with mounted secret both certificate and private key without extra options and paths from tpl
+ documentIndex: *deploymentDoc
+ set:
+ path1: /some/path/crt.key
+ path2: /some/path/key.key
+ # Simulating middleware injection
+ ixCertificates:
+ "1":
+ certificate: cert_content
+ privatekey: some_key
+ scaleCerts:
+ cert-name:
+ id: 1
+ cert:
+ enabled: true
+ path: "{{ .Values.path1 }}"
+ key:
+ enabled: true
+ path: "{{ .Values.path2 }}"
+ asserts:
+ - isKind:
+ of: Deployment
+ - matchRegex:
+ path: spec.template.spec.volumes[0].name
+ pattern: *patternCert
+ - equal:
+ path: spec.template.spec.volumes[0].secret
+ value:
+ secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+ - matchRegex:
+ path: spec.template.spec.containers[0].volumeMounts[0].name
+ pattern: *patternCert
+ - isSubset:
+ path: spec.template.spec.containers[0].volumeMounts[0]
+ content:
+ mountPath: /some/path/crt.key
+ subPath: tls.crt
+ - matchRegex:
+ path: spec.template.spec.volumes[1].name
+ pattern: *patternKey
+ - equal:
+ path: spec.template.spec.volumes[1].secret
+ value:
+ secretName: RELEASE-NAME-common-test-cert-name-ixcert-1-2
+ - matchRegex:
+ path: spec.template.spec.containers[0].volumeMounts[1].name
+ pattern: *patternKey
+ - isSubset:
+ path: spec.template.spec.containers[0].volumeMounts[1]
+ content:
+ mountPath: /some/path/key.key
+ subPath: tls.key
diff --git a/library/common/1.0.0/templates/class/_certifcate.tpl b/library/common/1.0.0/templates/class/_certifcate.tpl
index fab7b5fc9b..11db755f80 100644
--- a/library/common/1.0.0/templates/class/_certifcate.tpl
+++ b/library/common/1.0.0/templates/class/_certifcate.tpl
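Review bot: The new case pins tpl resolution only for a value that renders non-empty; with `path1` left unset, `{{ .Values.path1 }}` renders to `""`, and nothing in this test file shows whether the chart then drops the mount or emits a volumeMount with an empty mountPath. A companion case that omits `path1` and asserts the resulting failure (or the absence of the mount) would document that contract, since the guard in `_certifcate.tpl` tests the raw template string rather than its rendering. Quoting `"1":` under `ixCertificates` and the `{{ ... }}` values is correct here and worth keeping as the pattern for the other cert tests.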
@@ -29,7 +29,7 @@ {{- if $cert.cert.path -}} {{/* Append mountPath and subPath */}} - {{- $_ := set $persistenceDict "mountPath" $cert.cert.path -}} + {{- $_ := set $persistenceDict "mountPath" (tpl $cert.cert.path $root) -}} {{- $_ := set $persistenceDict "subPath" $tlsCrtKey -}} {{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}} @@ -58,7 +58,7 @@ {{- if $cert.key.path -}} {{/* Append mountPath and subPath */}} - {{- $_ := set $persistenceDict "mountPath" $cert.key.path -}} + {{- $_ := set $persistenceDict "mountPath" (tpl $cert.key.path $root) -}} {{- $_ := set $persistenceDict "subPath" $tlsPrivateKey -}} {{/* Append readOnly if defined. Actual content validation will be done when volume(Mount) is created */}} diff --git a/library/common/1.0.0/values.yaml b/library/common/1.0.0/values.yaml index 5838d8640e..8606f6e3cc 100644 --- a/library/common/1.0.0/values.yaml +++ b/library/common/1.0.0/values.yaml 
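Review bot: `{{- if $cert.cert.path -}}` still evaluates the un-rendered template string while the changed line stores the rendered one, so a path like `{{ .Values.path1 }}` with `path1` unset passes the guard and sets `mountPath` to `""`, unless the later volume(Mount) validation named in the trailing comment rejects an empty mountPath. Rendering once before the guard removes the gap: `{{- $certPath := tpl $cert.cert.path $root -}}`, `{{- if $certPath -}}`, `{{- $_ := set $persistenceDict "mountPath" $certPath -}}`. The second hunk (@@ -58) has the same shape for `$cert.key.path` and would take the same change. Both enclosing blocks begin and end outside the hunks, and a one-line comment that the path is template-evaluated against `$root` would help the next reader, since the values docs only mark it as "Helm Template: ✅".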
@@ -103,40 +103,27 @@ probes: periodSeconds: 5 failureThreshold: 60 -# Used for SCALE GUI +# Used for SCALE / GUI Focused scaleGPU: {} -# Used for SCALE GUI +# Used for SCALE / GUI Focused externalInterfaces: [] +# Used for SCALE +scaleCerts: {} + +# Used for SCALE / GUI Focused +scaleCertsList: [] + # Injected from middleware ixExternalInterfacesConfiguration: [] # Injected from middleware ixExternalInterfacesConfigurationNames: [] +# Injected from middleware +ixCertificates: [] # - Everything bellow needs documentation -scaleCerts: {} - # some_cert_name: - # # Override Name - # nameOverride: name_override - # # ID Comes from the definitions on the GUI - # id: 1 - # # If populated, it will mount the certificate in the container in this path - # certPath: - # # If populated, it will mount the private key in the container in this path - # keyPath: - # useRevoked: false - # useExpired: false -scaleCertsList: [] - # - name: some_cert_name - # nameOverride: name_override - # id: 1 - # certPath: - # keyPath: - # useRevoked: false - # useExpired: false - global: defaults: # If not defined on the the cert item, assume this
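Review bot: `ixCertificates: []` declares the middleware-injected value as a list, but the test added in this commit (cert_secret_mount_test.yaml) injects it as a mapping keyed by the cert id (`"1":`), and the docs page says the template checks that the `id` is present in it; if that lookup is by key (`hasKey`/`index`), an untouched default of `[]` is a different type from what middleware sends, so `ixCertificates: {}` would keep the default consistent with the injected shape — worth confirming against the template. The comment `# Used for SCALE` on `scaleCerts` differs from the `# Used for SCALE / GUI Focused` wording on its neighbours; if the dict/list split is deliberate (values files vs GUI), a word saying so would stop it reading as an omission. The example removed here now lives only in docs/common-library/values/certificates.md, where it is shown with nested keys under `scaleCerts: {}`, which is not parseable as written.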