cert updates

library/common-test/tests/cert/cert_test.yaml

@@ -0,0 +1,150 @@
+suite: certificate dict test
+templates:
+  - common.yaml
+tests:
+  - it: should fail with no ixCertificates key
+    set:
+      scaleCerts:
+        cert_name:
+          id: 1
+    asserts:
+      - failedTemplate:
+          errorMessage: Key <ixCertificates> does not exist
+
+  - it: should fail with empty ixCertificates key
+    set:
+      scaleCerts:
+        cert_name:
+          id: 1
+      # Simulating middleware injection
+      ixCertificates: {}
+    asserts:
+      - failedTemplate:
+          errorMessage: Key <ixCertificates> is empty
+
+  - it: should fail with cert that don't exist
+    set:
+      scaleCerts:
+        cert_name:
+          id: 1
+      # Simulating middleware injection
+      ixCertificates:
+        "2":
+          certificate: cert_content
+    asserts:
+      - failedTemplate:
+          errorMessage: Certificate (1) was not found.
+
+  - it: should fail with expired cert
+    set:
+      scaleCerts:
+        cert_name:
+          id: 1
+      # Simulating middleware injection
+      ixCertificates:
+        "1":
+          certificate: cert_content
+          expired: true
+    asserts:
+      - failedTemplate:
+          errorMessage: Certificate (1) is expired
+
+  - it: should fail with revoked cert
+    set:
+      scaleCerts:
+        cert_name:
+          id: 1
+      # Simulating middleware injection
+      ixCertificates:
+        "1":
+          certificate: cert_content
+          revoked: true
+    asserts:
+      - failedTemplate:
+          errorMessage: Certificate (1) has been revoked
+
+  - it: should pass with 1 secret created
+    documentIndex: &secretDoc 0
+    set:
+      scaleCerts:
+        cert_name:
+          id: 1
+      # Simulating middleware injection
+      ixCertificates:
+        "1":
+          certificate: cert_content
+          privatekey: some_key
+    asserts:
+      - isKind:
+          of: Secret
+      - isAPIVersion:
+          of: v1
+      - equal:
+          path: type
+          value: kubernetes.io/tls
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-common-test-cert_name-ixcert-1-0
+      - isNotEmpty:
+          path: data.tls\.crt
+      - isNotEmpty:
+          path: data.tls\.key
+
+  - it: should pass with 1 secret created and revision increased
+    documentIndex: *secretDoc
+    release:
+      revision: 1
+    set:
+      scaleCerts:
+        cert_name:
+          id: 1
+      # Simulating middleware injection
+      ixCertificates:
+        "1":
+          certificate: cert_content
+          privatekey: some_key
+    asserts:
+      - isKind:
+          of: Secret
+      - isAPIVersion:
+          of: v1
+      - equal:
+          path: type
+          value: kubernetes.io/tls
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-common-test-cert_name-ixcert-1-1
+      - isNotEmpty:
+          path: data.tls\.crt
+      - isNotEmpty:
+          path: data.tls\.key
+
+  - it: should pass with 1 secret created and revision increased and name overriden
+    documentIndex: *secretDoc
+    release:
+      revision: 1
+    set:
+      scaleCerts:
+        cert_name:
+          id: 1
+          nameOverride: name_override
+      # Simulating middleware injection
+      ixCertificates:
+        "1":
+          certificate: cert_content
+          privatekey: some_key
+    asserts:
+      - isKind:
+          of: Secret
+      - isAPIVersion:
+          of: v1
+      - equal:
+          path: type
+          value: kubernetes.io/tls
+      - equal:
+          path: metadata.name
+          value: RELEASE-NAME-common-test-name_override-ixcert-1-1
+      - isNotEmpty:
+          path: data.tls\.crt
+      - isNotEmpty:
+          path: data.tls\.key

library/common/1.0.0/templates/class/_certifcate.tpl

@@ -1,9 +1,35 @@
 {{- define "ix.v1.common.class.certificate" -}}
-  {{- $secretName := .secretName -}}
-  {{- $certID := .certID -}}
+  {{- $cert := .cert -}}
   {{- $root := .root -}}
 
-  {{- if (include "ix.v1.common.certificate.exists" (dict "root" $root "certID" $certID)) }}
+  {{- if not (hasKey $cert "id") -}}
+    {{- fail (printf "Certificate (%s) has no <id> key" $cert.nameOverride) -}}
+  {{- end -}}
+  {{- $certID := (toString $cert.id) -}}
+
+  {{- if (include "ix.v1.common.certificate.exists" (dict "root" $root "certID" $certID)) -}}
+  {{/* Generate secret name here so we can pass it to persistence if needed */}}
+  {{- $secretName := include "ix.v1.common.names.fullname" $root -}}
+  {{- if $cert.nameOverride -}}
+    {{- $secretName = (printf "%v-%v-%v-%v" $secretName $cert.nameOverride "ixcert" $certID) -}}
+  {{- else -}}
+    {{- $secretName = (printf "%v-%v-%v" $secretName "ixcert" $certID) -}}
+  {{- end -}}
+  {{- $secretName = (printf "%v-%v" $secretName $root.Release.Revision) -}}
+
+  {{- if (hasKey $cert "certPath") -}}
+    {{- if $cert.certPath -}}
+      {{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}}
+      {{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}}
+    {{- end -}}
+  {{- end -}}
+
+  {{- if (hasKey $cert "keyPath") -}}
+    {{- if $cert.keyPath -}}
+      {{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}}
+      {{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}}
+    {{- end -}}
+  {{- end }}
 ---
 apiVersion: {{ include "ix.v1.common.capabilities.secret.apiVersion" . }}
 kind: Secret
@@ -21,7 +47,7 @@ metadata:
     {{- . | nindent 4 }}
   {{- end }}
 data:
-  tls.crt: {{ include "ix.v1.common.certificate.get" (dict "root" $root "certID" $certID "key" "certificate") | toString | b64enc | quote }}
-  tls.key: {{ include "ix.v1.common.certificate.get" (dict "root" $root "certID" $certID "key" "privatekey") | toString | b64enc | quote }}
+  tls.crt: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "certificate") | toString | b64enc | quote }}
+  tls.key: {{ include "ix.v1.common.certificate.get" (dict "root" $root "cert" $cert "key" "privatekey") | toString | b64enc | quote }}
   {{- end -}}
 {{- end -}}

library/common/1.0.0/templates/lib/certificate/_cert.tpl

@@ -23,21 +23,36 @@ Returns any key (based on the .key value)
 Example keys (certificate, privatekey, expired, revoked)
 */}}
 {{- define "ix.v1.common.certificate.get" -}}
-  {{- $certID := .certID -}}
+  {{- $cert := .cert -}}
   {{- $root := .root -}}
   {{- $key := .key -}}
+  {{- $certID := (toString $cert.id) -}}
+  {{- $useRevoked := $root.Values.global.defaults.useRevokedCerts -}}
+  {{- $useExpired := $root.Values.global.defaults.useExpiredCerts -}}
+
+  {{- if not $key -}}
+    {{- fail "You need to provide a <key> when calling this template (certificate.get)" -}}
+  {{- end -}}
 
   {{- if eq (include "ix.v1.common.certificate.exists" (dict "root" $root "certID" $certID)) "true" -}}
     {{- $certificate := (get $root.Values.ixCertificates (toString $certID)) -}}
 
+    {{- if (hasKey $cert "useRevoked") -}}
+      {{- $useRevoked = $cert.useRevoked -}}
+    {{- end -}}
+
+    {{- if (hasKey $cert "useExpired") -}}
+      {{- $useExpired = $cert.useExpired -}}
+    {{- end -}}
+
     {{- if (hasKey $certificate "revoked") -}}
-      {{- if eq (get $certificate "revoked") true -}}
+      {{- if and (not $useRevoked) (eq (get $certificate "revoked") true) -}}
         {{- fail (printf "Certificate (%s) has been revoked" $certID) -}}
       {{- end -}}
     {{- end -}}
 
     {{- if (hasKey $certificate "expired") -}}
-      {{- if eq (get $certificate "expired") true -}}
+      {{- if and (not $useExpired) (eq (get $certificate "expired") true) -}}
         {{- fail (printf "Certificate (%s) is expired" $certID) -}}
       {{- end -}}
     {{- end -}}
@@ -49,6 +64,6 @@ Example keys (certificate, privatekey, expired, revoked)
     {{- end -}}
 
   {{- else -}}
-    {{- fail (printf "Certificate (%s) did not found." $certID) -}}
+    {{- fail (printf "Certificate (%s) was not found." $certID) -}}
   {{- end -}}
 {{- end -}}

library/common/1.0.0/templates/spawner/_certificate.tpl

@@ -7,44 +7,27 @@ instead of creating a secret it will return you the value
 of that key (if exists)
 */}}
 {{- define "ix.v1.common.spawner.certificate" -}}
-  {{- $key := (default "" .key) -}}
   {{- $root := . -}}
 
   {{- range $name, $cert := .Values.scaleCerts -}}
-    {{- if not (hasKey $cert "id") -}}
-      {{- fail (printf "Certificate (%s) has no <id> key" $name) -}}
-    {{- end -}}
-    {{- $certID := (toString $cert.id) -}}
+    {{- include "ix.v1.common.certificate.process" (dict "cert" $cert "name" $name "root" $root) -}}
+  {{- end -}}
 
-    {{/* Default to $name if there is not a nameOverride given */}}
-    {{- if not $cert.nameOverride -}}
-      {{- $_ := set $cert "nameOverride" $name -}}
-    {{- end -}}
-
-    {{/* Generate secret name here so we can pass it to persistence if needed */}}
-    {{- $secretName := include "ix.v1.common.names.fullname" $root -}}
-    {{- if $cert.nameOverride -}}
-      {{- $secretName = (printf "%v-%v-%v-%v" $secretName $cert.nameOverride "ixcert" $certID) -}}
-    {{- else -}}
-      {{- $secretName = (printf "%v-%v-%v" $secretName "ixcert" $certID) -}}
-    {{- end -}}
-    {{- $secretName = (printf "%v-%v" $secretName $root.Release.Revision) -}}
-
-    {{/* Create the secret */}}
-    {{- include "ix.v1.common.class.certificate" (dict "root" $root "certID" $certID "secretName" $secretName) -}}
-
-    {{- if (hasKey $cert "certPath") -}}
-      {{- if $cert.certPath -}}
-        {{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}}
-        {{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}}
-      {{- end -}}
-    {{- end -}}
-
-    {{- if (hasKey $cert "keyPath") -}}
-      {{- if $cert.keyPath -}}
-        {{/* FIXME: Create Volume + Volume Mount of the secret to the certPath */}}
-        {{/* Probably append to .Values.persistence? Also make sure to call this spawner before pod creation */}}
-      {{- end -}}
-    {{- end -}}
+  {{- range $id, $cert := .Values.scaleCertsList -}}
+    {{- include "ix.v1.common.certificate.process" (dict "cert" $cert "name" (required "Name is required in scaleCertList" $cert.name) "root" $root) -}}
   {{- end -}}
 {{- end -}}
+
+{{- define "ix.v1.common.certificate.process" -}}
+  {{- $name := .name -}}
+  {{- $cert := .cert -}}
+  {{- $root := .root -}}
+
+  {{/* Default to $name if there is not a nameOverride given */}}
+  {{- if not $cert.nameOverride -}}
+    {{- $_ := set $cert "nameOverride" $name -}}
+  {{- end -}}
+
+  {{/* Create the secret */}}
+  {{- include "ix.v1.common.class.certificate" (dict "cert" $cert "root" $root) -}}
+{{- end -}}

library/common/1.0.0/values.yaml

@@ -117,9 +117,32 @@ ixExternalInterfacesConfigurationNames: []
 # - Everything bellow needs documentation
 
 scaleCerts: {}
+  # some_cert_name:
+  #   # Override Name
+  #   nameOverride: name_override
+  #   # ID Comes from the definitions on the GUI
+  #   id: 1
+  #   # If populated, it will mount the certificate in the container in this path
+  #   certPath:
+  #   # If populated, it will mount the private key in the container in this path
+  #   keyPath:
+  #   useRevoked: false
+  #   useExpired: false
+scaleCertsList: []
+  # - name: some_cert_name
+  #   nameOverride: name_override
+  #   id: 1
+  #   certPath:
+  #   keyPath:
+  #   useRevoked: false
+  #   useExpired: false
 
 global:
   defaults:
+    # If not defined on the the cert item, assume this
+    useRevokedCerts: false
+    # If not defined on the the cert item, assume this
+    useExpiredCerts: false
     # If no restart Policy is defined, assume this
     defaultRestartPolicy: Always
     # If no probe Type is defined, assume this